Enable UI E2E tests to run on GitHub Actions with PR cluster

This commit enables UI E2E tests to run against ephemeral GKE clusters
in GitHub Actions, similar to how Go E2E tests work.

Changes:

1. **TEST_MODE deployment support**:
   - Fix Helm template conditional in secrets.yaml to prevent duplicate
     secret creation when testMode=true
   - Generate self-signed certificates at deployment time for TEST_MODE
   - Delete and recreate secrets to force correct template application
   - Add test-mode-values.yaml to explicitly set testMode=true

2. **Session secret handling**:
   - Generate random session secrets for PR cluster deployments
   - Pass session secret from deploy job to UI E2E test job via outputs
   - Update Cypress commands to read SESSION_SECRET from environment
   - Update Makefile to generate and display session secret for local dev

3. **Runtime fixes**:
   - Handle invalid GCS credentials gracefully in TEST_MODE
   - Add wait for cluster readiness before deployment

4. **Test improvements**:
   - Add API error logging to Cypress tests for debugging
   - Use dynamic session secrets instead of hardcoded local-dev secret
   - Run UI E2E tests before Go E2E tests (UI tests are faster)
   - Go E2E tests use port-forward approach like PR 1735

This allows UI E2E tests to authenticate and run against PR clusters
that don't have production secrets, enabling automated UI testing in CI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: davdhacs

.github/workflows/PR.yaml

@@ -66,6 +66,8 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+    outputs:
+      session-secret: ${{ steps.deploy.outputs.session-secret }}
     env:
       KUBECONFIG: /github/home/artifacts/kubeconfig
       INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
@@ -100,10 +102,26 @@ jobs:
       - name: Download artifacts
         run: |
           /github/home/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /github/home/artifacts >> "$GITHUB_STEP_SUMMARY"
-          kubectl get nodes -o wide || true
+
+      - name: Wait for cluster to be ready
+        run: |
+          echo "Waiting for cluster API server to be ready..."
+          timeout 300 sh -c 'until kubectl get nodes >/dev/null 2>&1; do
+            echo "Waiting for cluster..."
+            sleep 5
+          done'
+          echo "Cluster is ready"
+          kubectl get nodes -o wide
 
       - name: Deploy infra to dev cluster
+        id: deploy
         run: |
+          # Generate random session secret for JWT signing
+          # This secret is used by both the server (for verification) and Cypress (for JWT generation)
+          SESSION_SECRET=$(openssl rand -base64 32 | tr -d '\n')
+          export SESSION_SECRET
+          echo "Generated random session secret for this PR cluster deployment"
+
           ENVIRONMENT=development TEST_MODE=true make helm-deploy
           sleep 10 # wait for old pods to disappear so the svc port-forward doesn't connect to them
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -115,6 +133,11 @@ jobs:
 
           kill %1
 
+          # Save session secret for UI E2E tests (job output for next job)
+          echo "session-secret=$SESSION_SECRET" >> "$GITHUB_OUTPUT"
+          # Also set as env var for steps in this job
+          echo "SESSION_SECRET=$SESSION_SECRET" >> "$GITHUB_ENV"
+
       - name: Check the deployment
         run: |
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
@@ -155,9 +178,194 @@ jobs:
         run: |
           make argo-workflow-lint
 
-      - name: Run Go e2e tests
+  ui-e2e-test-pr-cluster:
+    needs:
+      - deploy-and-test
+    runs-on: ubuntu-latest
+    # Note: This job does NOT use the apollo-ci container to avoid path issues
+    env:
+      KUBECONFIG: /tmp/kubeconfig
+      INFRA_TOKEN: ${{ secrets.INFRA_TOKEN }}
+      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: go/src/github.com/stackrox/infra
+
+      - name: Authenticate to GCloud
+        uses: google-github-actions/auth@v3
+        with:
+          credentials_json: ${{ secrets.INFRA_CI_AUTOMATION_GCP_SA }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v3
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Download production infractl
+        uses: stackrox/actions/infra/install-infractl@v1
+
+      - name: Get kubeconfig for PR cluster
+        run: |
+          echo "Downloading kubeconfig for $CLUSTER_NAME..."
+          /home/runner/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /tmp/artifacts
+          cp /tmp/artifacts/kubeconfig "$KUBECONFIG"
+
+          echo "Verifying cluster access..."
+          kubectl get nodes -o wide
+
+      - name: Wait for infra-server deployment
+        run: |
+          echo "Checking infra-server pods..."
+          kubectl get pods -n infra
+          kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=5m
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install UI dependencies
+        run: |
+          cd ui
+          npm install --legacy-peer-deps
+
+      - name: Start port-forward to PR cluster
+        run: |
+          kubectl -n infra port-forward svc/infra-server-service 8443:8443 >/dev/null 2>&1 &
+          PORT_FORWARD_PID=$!
+          echo "PORT_FORWARD_PID=$PORT_FORWARD_PID" >> "$GITHUB_ENV"
+          echo "Started port-forward with PID: $PORT_FORWARD_PID"
+          sleep 10
+
+          # Verify port-forward is working
+          echo "Verifying port-forward connectivity..."
+          timeout 30 sh -c 'until curl -k -f https://localhost:8443/v1/whoami 2>/dev/null; do
+            echo "Waiting for port-forward..."
+            sleep 2
+          done' || {
+            echo "Port-forward verification failed"
+            pgrep -a port-forward || true
+            exit 1
+          }
+          echo "Port-forward is working"
+
+      - name: Debug - Check flavors API
+        run: |
+          echo "Checking if flavors are available..."
+
+          # First try without auth (should fail with access denied)
+          echo "1. Testing without authentication:"
+          UNAUTH_RESPONSE=$(curl -k -s https://localhost:8443/v1/flavor/list || echo "API call failed")
+          echo "$UNAUTH_RESPONSE" | jq . || echo "$UNAUTH_RESPONSE"
+
+          # Check whoami endpoint
+          echo ""
+          echo "2. Testing /v1/whoami:"
+          WHOAMI=$(curl -k -s https://localhost:8443/v1/whoami || echo "whoami failed")
+          echo "$WHOAMI" | jq . || echo "$WHOAMI"
+
+          # The real issue is the UI itself - let's check if the flavors endpoint
+          # works at all. The UI must be getting an error from somewhere.
+          echo ""
+          echo "3. Checking flavors API (unauthenticated count):"
+          FLAVOR_COUNT=$(echo "$UNAUTH_RESPONSE" | jq '.flavors | length' 2>/dev/null || echo "0")
+          echo "Number of flavors available: $FLAVOR_COUNT"
+
+          if [ "$FLAVOR_COUNT" = "0" ]; then
+            echo "NOTE: Flavors API requires authentication"
+            echo "This is expected - Cypress tests use JWT authentication with randomly generated secret"
+          fi
+
+      - name: Run UI E2E tests
+        uses: cypress-io/github-action@v6
+        with:
+          working-directory: go/src/github.com/stackrox/infra/ui
+          install: false
+          start: npm run start
+          wait-on: 'http://localhost:3001'
+          wait-on-timeout: 60
+          command: npm run cypress:run:e2e
         env:
-          INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }}
+          BROWSER: none
+          PORT: 3001
+          # Backend is the PR cluster deployment accessed via port-forward
+          # This deployment uses ENVIRONMENT=development with real OIDC (NOT localDeploy=true)
+          INFRA_API_ENDPOINT: https://localhost:8443
+          # Session secret for JWT generation (matches what the server uses)
+          # Retrieved from deploy-and-test job output
+          CYPRESS_SESSION_SECRET: ${{ needs.deploy-and-test.outputs.session-secret }}
+
+      - name: Upload test artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: cypress-artifacts-pr-cluster-${{ github.event.pull_request.number }}
+          path: |
+            go/src/github.com/stackrox/infra/ui/cypress/videos
+            go/src/github.com/stackrox/infra/ui/cypress/screenshots
+          retention-days: 7
+
+      - name: Cleanup port-forward
+        if: always()
+        run: |
+          if [ -n "${{ env.PORT_FORWARD_PID }}" ]; then
+            echo "Cleaning up port-forward (PID: ${{ env.PORT_FORWARD_PID }})..."
+            kill ${{ env.PORT_FORWARD_PID }} 2>/dev/null || true
+          fi
+          pkill -f "kubectl port-forward.*8443:8443" 2>/dev/null || true
+
+  go-e2e-test:
+    needs:
+      - ui-e2e-test-pr-cluster
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+    env:
+      KUBECONFIG: /github/home/artifacts/kubeconfig
+      INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }}
+      INFRACTL: bin/infractl -k -e localhost:8443
+      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: go/src/github.com/stackrox/infra
+
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go/src/github.com/stackrox/infra/go.mod
+
+      - name: Authenticate to GCloud
+        uses: google-github-actions/auth@v3
+        with:
+          credentials_json: ${{ secrets.INFRA_CI_AUTOMATION_GCP_SA }}
+
+      - name: Set up Cloud SDK
+        uses: "google-github-actions/setup-gcloud@v3"
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Download production infractl
+        uses: stackrox/actions/infra/install-infractl@v1
+
+      - name: Download artifacts
+        run: |
+          /github/home/.local/bin/infractl artifacts "$CLUSTER_NAME" -d /github/home/artifacts >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Verify cluster connectivity
+        run: |
+          echo "Verifying cluster is accessible..."
+          kubectl get nodes -o wide
+
+      - name: Run Go e2e tests
         run: |
           kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 &
           sleep 5

Makefile

@@ -256,7 +256,15 @@ helm-diff: pre-check helm-dependency-update create-namespaces
 ## Deploy to local cluster (e.g., Colima) without GCP Secret Manager
 .PHONY: deploy-local
 deploy-local: helm-dependency-update create-namespaces
-	TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+	@echo "Generating random session secret for local deployment..."
+	$(eval SESSION_SECRET := $(shell openssl rand -base64 32 | tr -d '\n'))
+	@echo "SESSION_SECRET generated (use 'export SESSION_SECRET=<value>' for Cypress tests)"
+	@SESSION_SECRET="$(SESSION_SECRET)" TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+	@echo ""
+	@echo "Deployment complete!"
+	@echo "To run E2E tests, export the session secret:"
+	@echo "  export SESSION_SECRET='$(SESSION_SECRET)'"
+	@echo "  make test-e2e"
 
 ## Run UI E2E tests against local deployment
 .PHONY: test-e2e
@@ -276,7 +284,11 @@ test-e2e:
 	trap cleanup EXIT; \
 	sleep 5; \
 	echo "Running Cypress E2E tests..." >&2; \
-	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 npm run test:e2e
+	if [ -z "$$SESSION_SECRET" ]; then \
+		echo "WARNING: SESSION_SECRET not set. Using default for local laptop development." >&2; \
+		echo "If tests fail, make sure you exported SESSION_SECRET from deploy-local output." >&2; \
+	fi; \
+	cd ui && BROWSER=none PORT=3001 INFRA_API_ENDPOINT=http://localhost:8443 CYPRESS_SESSION_SECRET="$$SESSION_SECRET" npm run test:e2e
 
 ## Bounce pods
 .PHONY: bounce-infra-pods

chart/infra-server/templates/secrets.yaml

@@ -1,4 +1,19 @@
-{{- if not .Values.localDeploy }}
+{{- if not (or .Values.localDeploy .Values.testMode) }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+
+metadata:
+  name: infra-image-registry-pull-secret
+  namespace: infra
+
+data:
+  .dockerconfigjson: {{ template "pull-secret" .Values.pullSecrets.quay }}
+
+---
+{{- end }}
+{{- if not (or .Values.localDeploy .Values.testMode) }}
 apiVersion: v1
 kind: Secret
 
@@ -101,21 +116,9 @@ data:
   test-janitor-delete.yaml: |-
     {{- tpl (.Files.Get "static/test-janitor-delete.yaml" ) . | b64enc | nindent 4 }}
 {{ end }}
-
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/dockerconfigjson
-
-metadata:
-  name: infra-image-registry-pull-secret
-  namespace: infra
-
-data:
-  .dockerconfigjson: {{ template "pull-secret" .Values.pullSecrets.quay }}
 {{- end }}
 
-{{- if .Values.localDeploy }}
+{{- if or .Values.localDeploy .Values.testMode }}
 ---
 apiVersion: v1
 kind: Secret
@@ -127,16 +130,17 @@ metadata:
     app.kubernetes.io/name: infra-server
 
 data:
-  # Minimal config for localDeploy mode
+  # Minimal config for localDeploy and testMode
   infra.yaml: {{ printf "server:\n  port: 8443\n  cert: /configuration/cert.pem\n  key: /configuration/key.pem\n  static: /etc/infra/static\n  metricsPort: 9101" | b64enc }}
 
   # Minimal OIDC config - uses Google as a valid issuer for initialization
-  oidc.yaml: {{ printf "issuer: https://accounts.google.com\nclientID: dummy\nclientSecret: dummy\nendpoint: localhost:8443\nsessionSecret: local-dev-secret-min-32-chars-long\ntokenLifetime: 24h" | b64enc }}
+  # sessionSecret is randomly generated at deployment time for security
+  oidc.yaml: {{ printf "issuer: https://accounts.google.com\nclientID: dummy\nclientSecret: dummy\nendpoint: localhost:8443\nsessionSecret: %s\ntokenLifetime: 24h" (required ".Values.sessionSecret is required for localDeploy and testMode" .Values.sessionSecret) | b64enc }}
 
-  # Empty Google credentials - not used in localDeploy mode
+  # Empty Google credentials - not used in localDeploy or testMode
   google-credentials.json: {{ "{}" | b64enc }}
 
-  # Empty BigQuery credentials - not used in localDeploy mode
+  # Empty BigQuery credentials - not used in localDeploy or testMode
   bigquery-sa.json: {{ "{}" | b64enc }}
 
   # Self-signed TLS certificate for local development

chart/infra-server/test-mode-values.yaml

@@ -0,0 +1,4 @@
+# Values for TEST_MODE deployments (PR clusters, CI testing)
+# This file explicitly sets testMode to true, overriding any values from GCloud secrets
+
+testMode: true

cmd/infra-server/main.go

@@ -69,13 +69,19 @@ func mainCmd() error {
 
 	// Initialize GCS signer for signed URLs and artifact downloads.
 	// Only create signer if GOOGLE_APPLICATION_CREDENTIALS is set (production/development).
-	// Local deployments skip GCS signing entirely.
+	// Local deployments and test mode skip GCS signing entirely.
 	var gcsSigner *signer.Signer
+	testMode := os.Getenv("TEST_MODE") == "true"
 	if _, hasGCSCredentials := os.LookupEnv("GOOGLE_APPLICATION_CREDENTIALS"); hasGCSCredentials {
 		var err error
 		gcsSigner, err = signer.NewFromEnv()
 		if err != nil {
-			return errors.Wrapf(err, "failed to load GCS signing credentials")
+			if testMode {
+				log.Log(logging.WARN, "GCS signing disabled in TEST_MODE: invalid credentials", "error", err.Error())
+				gcsSigner = &signer.Signer{} // Empty signer for test mode with invalid credentials
+			} else {
+				return errors.Wrapf(err, "failed to load GCS signing credentials")
+			}
 		}
 	} else {
 		log.Log(logging.INFO, "GCS signing disabled: GOOGLE_APPLICATION_CREDENTIALS not set")