Fix pdp-tester CI job for K8s-based refactor (PER-13630) (#307)

* Fix pdp-tester CI job for K8s-based refactor

The pdp-tester was refactored from Docker-based to Kubernetes-based
(permitio/pdp-tester#80). The old CI used Docker directly to run PDP
containers, but the new code requires a Kubernetes cluster.

Changes:
- Add k3d cluster setup (same approach as pdp-tester's own CI)
- Import both PDP image and pdp-tester image into k3d
- Deploy via Helm chart in job mode with tag 'next' (the PR's PDP build)
- Wait for Job completion and check test results from logs
- Teardown k3d cluster on completion

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix: tag PDP image as 'latest' for k3d so pdp-tester discovers it

The pdp-tester discovers PDP tags via Docker Hub. The 'next' tag only
exists locally, so tag discovery fails. Fix: tag the PDP image as
'latest' before importing into k3d, which matches pdp-tester's default
includeTags config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use pdp.localTags for local PDP image (bypass Docker Hub discovery)

Use LOCAL_TAGS=["next"] to tell pdp-tester to use the locally built
PDP image without querying Docker Hub for tag discovery. Clear
includeTags to avoid pulling anything from Docker Hub.

Requires permitio/pdp-tester to have LOCAL_TAGS support in the Helm
chart (permitio/pdp-tester PR pending).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Temporarily set skipGenerate=false to populate new Permit environment

Will revert to skipGenerate=true after first successful run.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Revert skipGenerate back to true (environment now populated)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix: clear includeTags properly to avoid Docker Hub timeout

--set 'pdp.includeTags={}' rendered as [""] (non-empty list), causing
Docker Hub tag discovery to run and timeout. Use --set 'pdp.includeTags='
which makes the value falsy, skipping INCLUDE_TAGS env var entirely.
Only LOCAL_TAGS=["next"] is used.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: EliMoshkovich

.github/workflows/tests.yml

@@ -104,43 +104,81 @@ jobs:
           token: ${{ secrets.CLONE_REPO_TOKEN }}
           path: './pdp-tester'
 
-      # Setup Python environment
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      # Start k3d cluster for Kubernetes-based pdp-tester
+      - name: Start k3d cluster
+        uses: AbsaOSS/k3d-action@v2.4.0
         with:
-          python-version: "3.12"
+          cluster-name: pdp-tester
+          args: --k3s-arg "--disable=traefik@server:0"
+
+      # Import PDP image into k3d with 'next' tag (locally built)
+      - name: Import PDP image into k3d
+        run: k3d image import permitio/pdp-v2:next -c pdp-tester
 
-      # Install dependencies for pdp-tester
-      - name: Install pdp-tester dependencies
+      # Build pdp-tester image and import into k3d
+      - name: Build and import pdp-tester image
         working-directory: ./pdp-tester
         run: |
-          pip install -r requirements.txt
+          docker build -t pdp-tester:ci .
+          k3d image import pdp-tester:ci -c pdp-tester
 
-      # Run pdp-tester
-      - name: Run pdp-tester
-        working-directory: ./pdp-tester
+      # Create namespace and secrets
+      - name: Create secrets
         env:
-          TOKEN: ${{ secrets.PDP_TESTER_API_KEY }}
-          LOCAL_TAGS: '["next"]'
-          INCLUDE_TAGS: '[]'
-          AUTO_REMOVE: "False"
-          SKIP_GENERATE: "True"
-          ENABLE_APM: "False"
+          PERMIT_TOKEN: ${{ secrets.PDP_TESTER_API_KEY }}
+        run: |
+          kubectl create namespace pdp-tester || true
+          kubectl create secret generic pdp-tester-credentials \
+            -n pdp-tester \
+            --from-literal=token="${PERMIT_TOKEN}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+      # Deploy pdp-tester via Helm with the "next" PDP image
+      - name: Deploy pdp-tester via Helm
+        working-directory: ./pdp-tester
+        run: |
+          helm install pdp-tester ./deploy/helm/pdp-tester \
+            --set mode=job \
+            --set permit.existingSecret=pdp-tester-credentials \
+            --set permit.apiUrl=https://permitio.api.stg.permit.io \
+            --set image.repository=pdp-tester \
+            --set image.tag=ci \
+            --set image.pullPolicy=Never \
+            --set pdp.image=permitio/pdp-v2 \
+            --set 'pdp.localTags[0]=next' \
+            --set 'pdp.includeTags=' \
+            --set tests.skipGenerate=true \
+            --set tests.startTimeout=180 \
+            --set namespace.create=false \
+            --set logJson=false
+
+      - name: Wait for Job completion
         run: |
-          python -m pdp_tester.main
+          kubectl wait --for=condition=complete job/pdp-tester \
+            -n pdp-tester --timeout=600s
 
-      - name: Print Docker container logs
+      - name: Check test results
+        run: |
+          LOGS=$(kubectl logs job/pdp-tester -n pdp-tester)
+          echo "$LOGS" | tail -30
+          if echo "$LOGS" | grep -q "test cases failed"; then
+            echo "::error::Some test cases failed!"
+            exit 1
+          fi
+
+      - name: Print tester logs
         if: always()
         run: |
-          echo "Fetching logs for all Docker containers..."
-          for container in $(docker ps -aq); do
-            echo "========================================"
-            echo "Logs for container: $container"
-            echo "----------------------------------------"
-            docker logs "$container" || true
-            echo "========================================"
-            echo ""
-          done
+          echo "=== PDP Tester logs ==="
+          kubectl logs job/pdp-tester -n pdp-tester --tail=200 || true
+          echo ""
+          echo "=== PDP Pod logs ==="
+          kubectl logs -l pdp-tester.permit.io/managed-by=pdp-tester \
+            -n pdp-tester --tail=50 || true
+
+      - name: Teardown k3d cluster
+        if: always()
+        run: k3d cluster delete pdp-tester || true
 
   docker-scout:
     runs-on: ubuntu-latest