test: add e2e test infrastructure using CAPI test framework

.github/actions/e2e-setup/action.yml

@@ -0,0 +1,25 @@
+name: Setup E2E environment
+description: Sets up Go, tool cache, and SSH for e2e tests
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+      with:
+        go-version-file: go.mod
+
+    - name: Cache tool binaries
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      with:
+        path: bin/
+        key: e2e-tools-${{ runner.os }}-${{ hashFiles('Makefile') }}
+
+    - name: Setup SSH for log collection
+      shell: bash
+      run: | # zizmor: ignore[github-env]
+        ssh-keygen -t ed25519 -f /tmp/e2e-ssh-key -N "" -q
+        eval $(ssh-agent -s)
+        ssh-add /tmp/e2e-ssh-key
+        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}" >> "$GITHUB_ENV"
+        echo "CLOUDSCALE_SSH_PUBLIC_KEY=$(cat /tmp/e2e-ssh-key.pub)" >> "$GITHUB_ENV"

.github/workflows/cleanup-e2e-images.yml

@@ -0,0 +1,25 @@
+name: Cleanup E2E Images
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 4 * * 0" # Weekly, Sunday 4 AM UTC
+  workflow_dispatch:
+
+jobs:
+  cleanup:
+    name: Delete old e2e image tags
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
+
+      - name: Clean up e2e-* tags from capcs-staging
+        env:
+          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
+        run: make clean-e2e-images

.github/workflows/e2e-biweekly.yml

@@ -0,0 +1,42 @@
+name: E2E Tests (Biweekly Conformance)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 3 1,15 * *" # 3 AM UTC on 1st and 15th of each month
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-conformance:
+    name: Full K8s Conformance
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Run full conformance e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: e2e-conformance-${{ github.sha }}
+        run: make test-e2e-conformance
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-conformance-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 30

.github/workflows/e2e-nightly.yml

@@ -0,0 +1,42 @@
+name: E2E Tests (Nightly)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 2 * * *" # 2 AM UTC daily
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-lifecycle:
+    name: Nightly Lifecycle Tests
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Run lifecycle e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: e2e-nightly-${{ github.sha }}
+        run: make test-e2e-lifecycle
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-nightly-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 7

.github/workflows/e2e-weekly.yml

@@ -0,0 +1,62 @@
+name: E2E Tests (Weekly)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 3 * * 0" # 3 AM UTC Sunday
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-weekly:
+    name: Weekly Test Suite
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Login to quay.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_E2E_USERNAME }}
+          password: ${{ secrets.QUAY_E2E_PASSWORD }}
+
+      - name: Run weekly e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: e2e-weekly-${{ github.sha }}
+        run: |
+          make test-e2e \
+            GINKGO_LABEL_FILTER="ha || upgrade || self-hosted || kcp-remediation || conformance" \
+            KUBETEST_CONFIGURATION=./data/kubetest/conformance-fast.yaml
+
+      - name: Clean up e2e image
+        if: always()
+        env:
+          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
+          TAG: e2e-weekly-${{ github.sha }}
+        run: |
+          curl -s -X DELETE \
+            -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
+            "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-weekly-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 30

.github/workflows/test-e2e.yml

@@ -1,45 +1,78 @@
-name: E2E Tests
+name: E2E Tests (Manual)
 
 permissions:
   contents: read
 
 on:
   workflow_dispatch:
-
-  # TODO: Re-enable automatic triggers once e2e tests are working
-  # push:
-  #   branches: [main]
+    inputs:
+      test_target:
+        description: 'Make target to run'
+        required: true
+        default: 'test-e2e-lifecycle'
+        type: choice
+        options:
+          - test-e2e-lifecycle
+          - test-e2e
+          - test-e2e-ha
+          - test-e2e-upgrade
+          - test-e2e-self-hosted
+          - test-e2e-md-remediation
+          - test-e2e-conformance
+          - test-e2e-conformance-fast
 
 concurrency:
-  group: e2e-tests-${{ github.ref }}
-  cancel-in-progress: true
+  group: e2e-tests
+  cancel-in-progress: false
 
 jobs:
   test-e2e:
-    name: Run on Ubuntu
+    name: ${{ github.event.inputs.test_target }}
     runs-on: ubuntu-latest
+    environment: e2e
     steps:
-      - name: Clone the code
+      - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
-        with:
-          go-version-file: go.mod
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
 
-      - name: Install the latest version of kind
-        run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
+      - name: Login to quay.io
+        if: >-
+          github.event.inputs.test_target == 'test-e2e-self-hosted' ||
+          github.event.inputs.test_target == 'test-e2e'
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_E2E_USERNAME }}
+          password: ${{ secrets.QUAY_E2E_PASSWORD }}
 
-      - name: Verify kind installation
-        run: kind version
+      - name: Run e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: e2e-manual-${{ github.sha }}
+          TEST_TARGET: ${{ github.event.inputs.test_target }}
+        run: make $TEST_TARGET
 
-      - name: Running Test e2e
+      - name: Clean up e2e image
+        if: >-
+          github.event.inputs.test_target == 'test-e2e-self-hosted' ||
+          github.event.inputs.test_target == 'test-e2e'
+        env:
+          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
+          TAG: e2e-manual-${{ github.sha }}
         run: |
-          go mod tidy
-          make test-e2e
+          curl -s -X DELETE \
+            -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
+            "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-manual-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 14

.github/workflows/zizmor.yml

@@ -0,0 +1,26 @@
+name: Workflow Security Lint
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: [main]
+    paths: ['.github/**']
+  pull_request:
+    paths: ['.github/**']
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

.gitignore

@@ -34,3 +34,5 @@ go.work
 
 # e2e
 _artifacts/
+test/e2e/config/*.generated.yaml
+test/e2e/data/infrastructure-cloudscale/main/cluster-template*.yaml