Merge remote-tracking branch 'upstream/main' into ENGCP-593-cert-rotation

* upstream/main:
  chore(e2e-next): Migrate e2e_cli tests (loft-sh#3797)
  fix(cli): respect admin override for requireTemplate in vcluster platform create (loft-sh#3725)
  chore(e2e-next): Fix custom linters for fork PRs (loft-sh#3784)
  chore(e2e-next): Test refactor
  ENGPLAT-399 Add --secure flag for TLS verification (loft-sh#3781)

Author: rlmcpherson

.github/workflows/e2e.yaml

@@ -403,10 +403,6 @@ jobs:
           echo "======================================================================================================================"
           kubectl logs -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} -c syncer --tail=-1 -p || kubectl logs -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} -c syncer --tail=-1
           echo "======================================================================================================================"
-          if [[ "${{ matrix.test-suite-path }}" = "./test/e2e_plugin" ]]; then
-            kubectl logs -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} -c bootstrap-with-deployment --tail=-1 -p || kubectl logs -l app=${{ env.VCLUSTER_SUFFIX }} -n ${{ env.VCLUSTER_NAMESPACE }} -c bootstrap-with-deployment --tail=-1
-            echo "======================================================================================================================"
-          fi
           kubectl describe pods -n ${{ env.VCLUSTER_NAMESPACE }}
           exit 1
 

.github/workflows/lint.yaml

@@ -98,6 +98,19 @@ jobs:
         if: github.event.pull_request.head.repo.full_name == github.repository
         run: ./tools/golangci-lint run --timeout 15m -- ./...
 
+      - name: Generate config without custom linters (fork PRs)
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          # Remove custom plugin definitions and their enable/exclusion entries
+          # so stock golangci-lint can run without the compiled plugin binary.
+          CUSTOM_LINTERS=$(yq '.linters.settings.custom | keys | .[]' .golangci.yml)
+          cp .golangci.yml .golangci-fork.yml
+          for linter in $CUSTOM_LINTERS; do
+            yq -i "del(.linters.settings.custom.\"$linter\")" .golangci-fork.yml
+            yq -i ".linters.enable -= [\"$linter\"]" .golangci-fork.yml
+            yq -i "del(.linters.exclusions.rules[] | select(.linters[] == \"$linter\"))" .golangci-fork.yml
+          done
+
       - name: Run golangci-lint (fork PRs, without custom linters)
         if: github.event.pull_request.head.repo.full_name != github.repository
-        run: golangci-lint run --timeout 15m -- ./...
+        run: golangci-lint run --timeout 15m --config .golangci-fork.yml -- ./...

Justfile

@@ -134,7 +134,7 @@ setup-csi-volume-snapshots:
 #e2e-next tests
 @dev-e2e label-filter="core" image="ghcr.io/loft-sh/vcluster:dev-next" *ARGS='': \
   (setup label-filter image) \
-  (run-e2e label-filter image) \
+  (run-e2e label-filter image "false") \
   (teardown label-filter)
 
 @run-e2e label-filter="core" image="ghcr.io/loft-sh/vcluster:dev-next" teardown="true":

cmd/vclusterctl/cmd/platform/start.go

@@ -82,13 +82,21 @@ before running this command:
 	startCmd.Flags().StringVar(&cmd.ChartRepo, "chart-repo", "https://charts.loft.sh/", "The chart repo to deploy vCluster platform")
 	startCmd.Flags().StringVar(&cmd.ChartName, "chart-name", "vcluster-platform", "The chart name to deploy vCluster platform")
 	startCmd.Flags().BoolVar(&cmd.Docker, "docker", false, "If true, vCluster platform will be installed in Docker")
+	startCmd.Flags().BoolVar(&cmd.Secure, "secure", false, "If true, verify TLS certificates when connecting to the platform (by default, TLS verification is skipped during bootstrap because the platform starts with a self-signed certificate)")
 
 	return startCmd
 }
 
 func (cmd *StartCmd) Run(ctx context.Context) error {
-	// automatically use docker mode if the driver is set to docker
 	cfg := cmd.LoadedConfig(cmd.Log)
+
+	// Bootstrap defaults to insecure because the platform starts with a
+	// self-signed certificate. Pass --secure to enforce TLS verification.
+	if !cmd.Secure {
+		cfg.Platform.Insecure = true
+	}
+
+	// automatically use docker mode if the driver is set to docker
 	if cfg.Driver.Type == config.DockerDriver && !cmd.Docker {
 		cmd.Log.Info("Automatically using --docker flag because driver is set to 'docker'")
 		cmd.Docker = true

cmd/vclusterctl/cmd/platform/start_test.go

@@ -8,6 +8,28 @@ import (
 	"github.com/loft-sh/vcluster/pkg/cli/start"
 )
 
+func TestNewStartCmd_SecureFlag(t *testing.T) {
+	globalFlags := &flags.GlobalFlags{}
+	cmd := NewStartCmd(globalFlags)
+
+	// Verify --secure flag exists and defaults to false (insecure by default).
+	f := cmd.Flags().Lookup("secure")
+	if f == nil {
+		t.Fatal("--secure flag not registered on start command")
+	}
+	if f.DefValue != "false" {
+		t.Errorf("expected --secure default to be 'false', got %q", f.DefValue)
+	}
+
+	// Simulate passing --secure on the command line.
+	if err := cmd.Flags().Set("secure", "true"); err != nil {
+		t.Fatalf("failed to set --secure flag: %v", err)
+	}
+	if f.Value.String() != "true" {
+		t.Errorf("expected --secure value to be 'true' after set, got %q", f.Value.String())
+	}
+}
+
 func TestPlatformUsesNewActivationFlow(t *testing.T) {
 	testCases := []struct {
 		version  string

e2e-next/clusters/cli.go

@@ -0,0 +1,15 @@
+package clusters
+
+import _ "embed"
+
+// CLIVCluster is a dedicated vCluster for CLI connect tests.
+// Separate from CommonVCluster because connect operations create port-forward
+// processes that can disrupt the shared background proxy used by sync tests.
+
+//go:embed vcluster-cli.yaml
+var cliVClusterYAML string
+
+var (
+	CLIVClusterName = "cli-vcluster"
+	CLIVCluster     = register(CLIVClusterName, cliVClusterYAML)
+)

e2e-next/clusters/default.go

@@ -13,7 +13,9 @@ var (
 	CommonVCluster     = register(CommonVClusterName, defaultVClusterYAML)
 )
 
-// Aliases for backward compatibility - all point to CommonVCluster.
+// Aliases for backward compatibility.
+// These existed as separate cluster definitions before consolidation into CommonVCluster.
+// Tests in other repos (vcluster-pro) may reference them by name.
 var (
 	K8sDefaultEndpointVCluster     = CommonVCluster
 	K8sDefaultEndpointVClusterName = CommonVClusterName

e2e-next/clusters/plugin.go

@@ -0,0 +1,15 @@
+package clusters
+
+import _ "embed"
+
+// PluginVCluster runs legacy v1/v2 plugin tests (bootstrap-with-deployment, hooks, import-secrets).
+// Plugin example images must be multi-arch (amd64 + arm64) for local testing on macOS ARM.
+// If a plugin image is amd64-only, Kind on Apple Silicon will fail with "exec format error".
+
+//go:embed vcluster-plugin.yaml
+var pluginVClusterYAML string
+
+var (
+	PluginVClusterName = "plugin-vcluster"
+	PluginVCluster     = register(PluginVClusterName, pluginVClusterYAML)
+)

e2e-next/clusters/vcluster-cli.yaml

@@ -0,0 +1,6 @@
+controlPlane:
+  statefulSet:
+    image:
+      registry: ""
+      repository: {{.Repository}}
+      tag: {{.Tag}}

test/e2e_plugin/values.yaml e2e-next/clusters/vcluster-plugin.yamltest/e2e_plugin/values.yaml renamed to e2e-next/clusters/vcluster-plugin.yaml

@@ -1,7 +1,14 @@
-# Plugin Definition below. This is essentially a valid helm values file that will be merged
-# with the other vcluster values during vcluster create or helm install.
+controlPlane:
+  statefulSet:
+    image:
+      registry: ""
+      repository: {{.Repository}}
+      tag: {{.Tag}}
+
 plugin:
   bootstrap-with-deployment:
+    # NOTE: v2 is amd64-only; plugin tests require Linux CI or amd64 Kind cluster.
+    # v4 is multi-arch but uses a newer plugin protocol incompatible with the current syncer.
     image: ghcr.io/loft-sh/vcluster-example-bootstrap-with-deployment:v2
     imagePullPolicy: IfNotPresent
   import-secrets:
@@ -13,4 +20,3 @@ plugins:
   hooks:
     image: ghcr.io/loft-sh/vcluster-example-hooks:v1
     imagePullPolicy: IfNotPresent
-