Enable OLM tests in CI with cluster resource dump on failure (#146)

Co-authored-by: Moritz Clasmeier <mclasmeier@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

.github/workflows/create-dev-cluster.yml

@@ -6,6 +6,13 @@ on:
       cluster-name:
         required: true
         type: string
+      flavor:
+        required: true
+        type: string
+      args:
+        required: false
+        type: string
+        default: ''
     outputs:
       cluster-name:
         description: "Name of the created cluster"
@@ -19,9 +26,9 @@ jobs:
     steps:
       - uses: stackrox/actions/infra/create-cluster@v1
         with:
-          flavor: gke-default
+          flavor: ${{ inputs.flavor }}
           name: ${{ inputs.cluster-name }}
-          args: machine-type=e2-standard-4,nodes=3,gcp-image-type=ubuntu_containerd
+          args: ${{ inputs.args }}
           lifespan: "2h"
           wait: true
           token: ${{ secrets.INFRA_CI_TOKEN }}

.github/workflows/e2e-tests.yml

@@ -9,6 +9,14 @@ on:
       image:
         required: true
         type: string
+      cluster-type:
+        required: false
+        type: string
+        default: 'gke'
+      skip-olm-tests:
+        required: false
+        type: string
+        default: 'true'
 env:
   REGISTRY: quay.io
   IMAGE_NAME: rhacs-eng/roxie
@@ -23,7 +31,6 @@ jobs:
       KUBECONFIG: /github/home/artifacts/kubeconfig
       INFRA_TOKEN: ${{ secrets.INFRA_CI_TOKEN }}
       INFRACTL: bin/infractl -k -e localhost:8443
-      USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -65,15 +72,21 @@ jobs:
           roxctl version
 
       - name: Authenticate to GCloud
+        if: inputs.cluster-type == 'gke'
         uses: google-github-actions/auth@v3
         with:
           credentials_json: ${{ secrets.ROXIE_CI_AUTOMATION_GCP_SA }}
 
       - name: Set up Cloud SDK
+        if: inputs.cluster-type == 'gke'
         uses: "google-github-actions/setup-gcloud@v3"
         with:
           install_components: "gke-gcloud-auth-plugin"
 
+      - name: Configure GKE auth plugin
+        if: inputs.cluster-type == 'gke'
+        run: echo "USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> "$GITHUB_ENV"
+
       - name: Download production infractl
         uses: stackrox/actions/infra/install-infractl@v1
 
@@ -89,7 +102,7 @@ jobs:
         env:
           REGISTRY_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
           REGISTRY_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
-          SKIP_OLM_TESTS: "true"
+          SKIP_OLM_TESTS: ${{ inputs.skip-olm-tests == 'true' && 'true' || '' }}
         run: |
           make run-test-e2e
 

.github/workflows/main-push.yml

@@ -15,7 +15,9 @@ jobs:
   create-dev-cluster:
     uses: ./.github/workflows/create-dev-cluster.yml
     with:
-      cluster-name: infra-roxie-main-${{ github.run_number }}
+      cluster-name: infra-roxie-main-${{ github.run_number }}-gke
+      flavor: gke-default
+      args: machine-type=e2-standard-4,nodes=3,gcp-image-type=ubuntu_containerd
     secrets: inherit
 
   build-roxie-image:

.github/workflows/pr.yml

@@ -12,10 +12,38 @@ jobs:
   unit-tests:
     uses: ./.github/workflows/unit-tests.yml
 
-  create-dev-cluster:
+  check-olm-label:
+    runs-on: ubuntu-latest
+    outputs:
+      has-label: ${{ steps.check.outputs.has-label }}
+    steps:
+      - name: Check for olm-tests label
+        id: check
+        run: |
+          has_label="${{ contains(github.event.pull_request.labels.*.name, 'olm-tests') }}"
+          echo "has-label=${has_label}" >> "$GITHUB_OUTPUT"
+          if [ "$has_label" = "true" ]; then
+            echo "::notice::olm-tests label is set — OpenShift cluster will be created"
+          else
+            echo "::notice::olm-tests label is not set — skipping OpenShift cluster"
+          fi
+
+  create-gke-cluster:
     uses: ./.github/workflows/create-dev-cluster.yml
     with:
-      cluster-name: infra-roxie-pr-${{ github.event.pull_request.number }}
+      cluster-name: infra-roxie-pr-${{ github.event.pull_request.number }}-gke
+      flavor: gke-default
+      args: machine-type=e2-standard-4,nodes=3,gcp-image-type=ubuntu_containerd
+    secrets: inherit
+
+  create-openshift-cluster:
+    needs: check-olm-label
+    if: needs.check-olm-label.outputs.has-label == 'true'
+    uses: ./.github/workflows/create-dev-cluster.yml
+    with:
+      cluster-name: infra-roxie-pr-${{ github.event.pull_request.number }}-openshift
+      flavor: ocp-4
+      args: master-node-type=e2-standard-4,worker-node-type=e2-standard-8,master-node-count=3,worker-node-count=3
     secrets: inherit
 
   build-roxie-image:
@@ -26,17 +54,35 @@ jobs:
     secrets: inherit
 
   e2e-tests:
-    needs: [ create-dev-cluster, build-roxie-image ]
+    needs: [ create-gke-cluster, build-roxie-image ]
+    uses: ./.github/workflows/e2e-tests.yml
+    with:
+      cluster-name: ${{ needs.create-gke-cluster.outputs.cluster-name }}
+      image: ${{ needs.build-roxie-image.outputs.image }}
+    secrets: inherit
+
+  e2e-tests-openshift:
+    needs: [ create-openshift-cluster, build-roxie-image ]
     uses: ./.github/workflows/e2e-tests.yml
     with:
-      cluster-name: ${{ needs.create-dev-cluster.outputs.cluster-name }}
+      cluster-name: ${{ needs.create-openshift-cluster.outputs.cluster-name }}
       image: ${{ needs.build-roxie-image.outputs.image }}
+      cluster-type: openshift
+      skip-olm-tests: 'false'
+    secrets: inherit
+
+  delete-gke-cluster:
+    if: ${{ always() && needs.create-gke-cluster.result == 'success' }}
+    needs: [ create-gke-cluster, e2e-tests ]
+    uses: ./.github/workflows/delete-dev-cluster.yml
+    with:
+      cluster-name: ${{ needs.create-gke-cluster.outputs.cluster-name }}
     secrets: inherit
 
-  delete-dev-cluster:
-    if: ${{ always() && needs.create-dev-cluster.result == 'success' }}
-    needs: [ create-dev-cluster, e2e-tests ]
+  delete-openshift-cluster:
+    if: ${{ always() && needs.create-openshift-cluster.result == 'success' }}
+    needs: [ create-openshift-cluster, e2e-tests-openshift ]
     uses: ./.github/workflows/delete-dev-cluster.yml
     with:
-      cluster-name: ${{ needs.create-dev-cluster.outputs.cluster-name }}
+      cluster-name: ${{ needs.create-openshift-cluster.outputs.cluster-name }}
     secrets: inherit

internal/deployer/deployer.go

@@ -132,6 +132,9 @@ func (d *Deployer) deleteCentralResources(ctx context.Context) error {
 	} else {
 		d.logger.Info("Deletion of Central resources requested, but Central CR is not present anymore")
 	}
+	if d.verbose {
+		d.logger.Dim("Deleted Central CR")
+	}
 
 	for _, resource := range []ResourceToDelete{
 		{Name: "central-db", Kind: "pvc"},

tests/e2e/basic_test.go

@@ -11,6 +11,8 @@ import (
 
 // TestDeployBothSimple tests deploying both components together (simplest scenario)
 func TestDeployBothSimple(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	// Create temporary envrc file
 	envrcFile, err := os.CreateTemp(t.TempDir(), ".envrc.roxie-test-*")
 	if err != nil {

tests/e2e/e2e_test.go

@@ -39,6 +39,8 @@ func TestMain(m *testing.M) {
 }
 
 func TestDeployBothComponentsTogetherInSingleNamespace(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	// Create temporary envrc file.
 	envrcFile, err := os.CreateTemp(t.TempDir(), ".envrc.roxie-test-*")
 	if err != nil {

tests/e2e/helpers.go

@@ -239,6 +239,115 @@ func verifySecuredClusterNotInstalled(t *testing.T, namespace string) {
 	}
 }
 
+var clusterDumpNamespaces = []string{
+	"rhacs-operator-system",
+	"acs-central",
+	"acs-sensor",
+	"stackrox",
+}
+
+func dumpClusterStateOnFailure(t *testing.T) {
+	t.Helper()
+	t.Cleanup(func() {
+		if !t.Failed() {
+			return
+		}
+		dumpClusterResources(t)
+	})
+}
+
+func dumpClusterResources(t *testing.T) {
+	t.Helper()
+	fmt.Fprintf(os.Stderr, "=== CLUSTER RESOURCE DUMP (test %s failed) ===\n", t.Name())
+
+	runKubectlDump("get", "namespaces")
+
+	for _, ns := range clusterDumpNamespaces {
+		fmt.Fprintf(os.Stderr, "--- Namespace: %s ---\n", ns)
+		runKubectlDump("get", "pods", "-n", ns, "-o", "wide")
+		runKubectlDump("describe", "pods", "-n", ns)
+		runKubectlDump("get", "deployments", "-n", ns, "-o", "wide")
+		runKubectlDump("describe", "deployments", "-n", ns)
+		runKubectlDump("get", "daemonsets", "-n", ns, "-o", "wide")
+		runKubectlDump("describe", "daemonsets", "-n", ns)
+		runKubectlDump("get", "events", "-n", ns, "--sort-by=.lastTimestamp")
+		dumpLogsForFailingPods(ns)
+	}
+
+	dumpACSCustomResources()
+	dumpOLMResources()
+
+	fmt.Fprintln(os.Stderr, "=== END CLUSTER RESOURCE DUMP ===")
+}
+
+func dumpACSCustomResources() {
+	fmt.Fprintln(os.Stderr, "--- ACS Custom Resources ---")
+	for _, ns := range clusterDumpNamespaces {
+		runKubectlDump("get", "centrals.platform.stackrox.io", "-n", ns, "-o", "yaml")
+		runKubectlDump("get", "securedclusters.platform.stackrox.io", "-n", ns, "-o", "yaml")
+	}
+}
+
+func dumpOLMResources() {
+	cmd := exec.Command("kubectl", "api-resources", "--api-group=operators.coreos.com", "-o", "name")
+	output, err := cmd.Output()
+	if err != nil || strings.TrimSpace(string(output)) == "" {
+		fmt.Fprintln(os.Stderr, "[dump] OLM not installed, skipping OLM resource dump")
+		return
+	}
+
+	fmt.Fprintln(os.Stderr, "--- OLM Resources ---")
+	operatorNamespace := "rhacs-operator-system"
+	runKubectlDump("get", "subscriptions.operators.coreos.com", "-n", operatorNamespace, "-o", "wide")
+	runKubectlDump("describe", "subscriptions.operators.coreos.com", "-n", operatorNamespace)
+	runKubectlDump("get", "installplans.operators.coreos.com", "-n", operatorNamespace, "-o", "wide")
+	runKubectlDump("describe", "installplans.operators.coreos.com", "-n", operatorNamespace)
+	runKubectlDump("get", "catalogsources.operators.coreos.com", "-n", operatorNamespace, "-o", "wide")
+	runKubectlDump("describe", "catalogsources.operators.coreos.com", "-n", operatorNamespace)
+	runKubectlDump("get", "clusterserviceversions.operators.coreos.com", "-n", operatorNamespace, "-o", "wide")
+	runKubectlDump("describe", "clusterserviceversions.operators.coreos.com", "-n", operatorNamespace)
+	runKubectlDump("get", "operatorgroups.operators.coreos.com", "-n", operatorNamespace, "-o", "wide")
+	runKubectlDump("describe", "operatorgroups.operators.coreos.com", "-n", operatorNamespace)
+}
+
+func runKubectlDump(args ...string) {
+	fmt.Fprintf(os.Stderr, "## kubectl %s\n", strings.Join(args, " "))
+	cmd := exec.Command("kubectl", args...)
+	cmd.Stdout = os.Stderr
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		fmt.Fprintf(os.Stderr, "kubectl failed: %v\n", err)
+	}
+	fmt.Fprintln(os.Stderr)
+}
+
+func dumpLogsForFailingPods(namespace string) {
+	cmd := exec.Command("kubectl", "get", "pods", "-n", namespace,
+		"-o", "jsonpath={range .items[*]}{.metadata.name}{\"\\t\"}{.status.phase}{\"\\n\"}{end}")
+	output, err := cmd.Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "[dump] failed to list pods in %s: %v\n", namespace, err)
+		return
+	}
+
+	for line := range strings.SplitSeq(strings.TrimSpace(string(output)), "\n") {
+		if line == "" {
+			continue
+		}
+		parts := strings.SplitN(line, "\t", 2)
+		if len(parts) != 2 {
+			continue
+		}
+		podName, phase := parts[0], parts[1]
+		if phase == "Running" || phase == "Succeeded" {
+			continue
+		}
+		fmt.Fprintf(os.Stderr, "[dump] logs for pod %s/%s (phase=%s):\n", namespace, podName, phase)
+		runKubectlDump("logs", "-n", namespace, podName, "--all-containers", "--tail=100")
+		runKubectlDump("logs", "-n", namespace, podName, "--all-containers", "--previous", "--tail=50")
+	}
+}
+
 func verifyAnnotation(t *testing.T, resourceType, resourceName, namespace, annotationKey, expectedValue string) {
 	t.Helper()
 

tests/e2e/olm_switch_test.go

@@ -65,6 +65,8 @@ func verifyOperatorDeploymentExists(t *testing.T) {
 
 // TestOLMToNonOLMSwitch tests switching from OLM operator to non-OLM operator
 func TestOLMToNonOLMSwitch(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	if os.Getenv("SKIP_OLM_TESTS") != "" {
 		t.Skip("SKIP_OLM_TESTS is set")
 	}
@@ -113,6 +115,8 @@ func TestOLMToNonOLMSwitch(t *testing.T) {
 
 // TestNonOLMToOLMSwitch tests switching from non-OLM operator to OLM operator
 func TestNonOLMToOLMSwitch(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	if os.Getenv("SKIP_OLM_TESTS") != "" {
 		t.Skip("SKIP_OLM_TESTS is set")
 	}
@@ -161,6 +165,8 @@ func TestNonOLMToOLMSwitch(t *testing.T) {
 
 // TestOLMOperatorVersionUpgrade tests that OLM operator version mismatches trigger teardown and redeploy
 func TestOLMOperatorVersionUpgrade(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	if os.Getenv("SKIP_OLM_TESTS") != "" {
 		t.Skip("SKIP_OLM_TESTS is set")
 	}
@@ -223,6 +229,8 @@ func TestOLMOperatorVersionUpgrade(t *testing.T) {
 
 // TestSecuredClusterWithOLMSwitch tests that secured-cluster deployment also respects OLM mode switches
 func TestSecuredClusterWithOLMSwitch(t *testing.T) {
+	dumpClusterStateOnFailure(t)
+
 	if os.Getenv("SKIP_OLM_TESTS") != "" {
 		t.Skip("SKIP_OLM_TESTS is set")
 	}