feat: add e2e-minishift Makefile target and workflow job

.github/workflows/e2e.yml

@@ -65,3 +65,19 @@ jobs:
 
       - name: e2e (Enterprise)
         run: sudo KUBERNETES_SUPPORTED_VERSION=${{ matrix.k8s-version }} make e2e
+  e2e-openshift:
+    name: E2E Testing (MINC)
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: 'go.mod'
+
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+
+      - name: e2e
+        run: sudo make e2e-openshift

Makefile

@@ -113,7 +113,7 @@ dev-destroy: kind
 	$(KIND) delete cluster --name capsule
 
 dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
-
+dev-install-deps-openshift: dev-setup-fluxcd-openshift dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
 API_GW         := none
 API_GW_VERSION := v1.3.0
 API_GW_LOOKUP  := kubernetes-sigs/gateway-api
@@ -189,6 +189,7 @@ dev-setup:
 		./charts/capsule || true
 
 setup-monitoring: dev-setup-fluxcd
+
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring | envsubst | kubectl apply -f -
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring/dashboards | kubectl apply -f -
 	@$(MAKE) wait-for-helmreleases
@@ -210,7 +211,14 @@ dev-setup-cert-manager:
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
 
 dev-setup-fluxcd:
-	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -; \
+
+dev-setup-cert-manager-openshift:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
+
+dev-setup-fluxcd-openshift:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/overlays/openshift | envsubst | kubectl apply -f -; \
+
 
 
 # Here to setup the current capsule version
@@ -345,6 +353,18 @@ golint: golangci-lint
 golint-fix: golangci-lint
 	$(GOLANGCI_LINT) run -c .golangci.yaml --verbose --fix
 
+.PHONY: e2e-openshift
+e2e-openshift: ginkgo
+	$(MAKE) e2e-build-openshift && $(MAKE) e2e-exec && $(MAKE) e2e-destroy-openshift
+e2e-build-openshift: minc
+	$(MINC) config set provider docker
+	$(MINC) create --disable-overlay-cache true
+	$(MINC) status
+	$(MAKE) dev-install-deps-openshift
+	$(MAKE) e2e-install-openshift
+
+e2e-destroy-openshift: minc
+	$(MINC) delete
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e
@@ -375,6 +395,28 @@ e2e-install: helm-controller-version ko-build-all
 		capsule \
 		./charts/capsule
 
+.PHONY: e2e-install-openshift
+e2e-install-openshift: helm-controller-version ko-build-all
+	$(MAKE) e2e-load-image-openshift IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
+	$(HELM) upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'replicaCount=2'\
+		--set 'manager.image.pullPolicy=Never' \
+		--set 'manager.resources=null'\
+		--set "manager.image.tag=$(VERSION)" \
+		--set 'manager.livenessProbe.failureThreshold=10' \
+		--set 'webhooks.hooks.nodes.enabled=true' \
+		--set "webhooks.exclusive=true"\
+		--set "manager.options.logLevel=debug"\
+		--set "jobs.podSecurityContext.enabled=false"\
+		--set "jobs.securityContext.enabled=false"\
+		capsule \
+		./charts/capsule
+
 .PHONY: trace-install
 trace-install:
 	helm upgrade \
@@ -413,6 +455,12 @@ seccomp:
 e2e-load-image: kind
 	$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
 
+.PHONY: e2e-load-image-openshift
+e2e-load-image-openshift: minc
+	docker save $(IMAGE):$(VERSION) > capsule.tar
+	docker cp capsule.tar microshift:/tmp/
+	docker exec microshift sh -c 'podman load -i /tmp/capsule.tar'
+
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e
@@ -472,6 +520,13 @@ ct:
 	@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
 	$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
 
+MINC:= $(LOCALBIN)/minc
+MINC_VERSION := 573415ebe9bb0dcb24f682763f5d8c238e62d694 # https://github.com/minc-org/minc/pull/57
+MINC_LOOKUP  := minc-org/minc
+minc:
+	echo "Installing minc to $(MINC)" && \
+	$(call go-install-tool,$(MINC),github.com/$(MINC_LOOKUP)/cmd/minc@$(MINC_VERSION))
+
 KIND         := $(LOCALBIN)/kind
 KIND_VERSION := v0.31.0
 KIND_LOOKUP  := kubernetes-sigs/kind

hack/distro/overlays/openshift/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../fluxcd
+  - https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/openshift/scc.yaml
+patches:
+  - target:
+      kind: Deployment
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+      spec:
+        template:
+          spec:
+            securityContext:
+              $patch: delete
+            containers:
+              - name: manager
+                securityContext:
+                  seccompProfile:
+                    $patch: delete
+
+  - target:
+      kind: Namespace
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |-
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn-version