From 730178a0296af55a06751fb5e0128bc64db57b3d Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 18 Mar 2026 09:09:25 +0100 Subject: [PATCH 01/11] setup: replace docker image prune -af with targeted rmi Instead of pruning all unused images (which destroys unrelated local images), remove only the CTST image after loading it into kind. The e2e image was already cleaned up with docker rmi. --- .devcontainer/setup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.devcontainer/setup.sh b/.devcontainer/setup.sh index 915d00c66..b306e6c6d 100755 --- a/.devcontainer/setup.sh +++ b/.devcontainer/setup.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -set -e +set -ex # Persist workflow env vars so they survive across terminal sessions ZENKO_ENV_FILE="$HOME/.zenko.env" @@ -49,6 +49,7 @@ for i in $(seq 0 $array_length); do eval "$run_command"; fi ) + exit done ( @@ -59,11 +60,10 @@ done bash configure-e2e-ctst.sh ) -docker image prune -af - -# Build CTST image from current branch +# Build CTST image from current branch SORBET_TAG=$(yq eval '.sorbet.tag' solution/deps.yaml) DRCTL_TAG=$(yq eval '.drctl.tag' solution/deps.yaml) TAG_NAME=ctst_codespace_setup GIT_AUTH_TOKEN=$GITHUB_TOKEN docker build --secret id=GIT_AUTH_TOKEN --build-arg SORBET_TAG=$SORBET_TAG --build-arg DRCTL_TAG=$DRCTL_TAG -t $E2E_CTST_IMAGE_NAME:$TAG_NAME ./tests/ctst kind load docker-image ${E2E_CTST_IMAGE_NAME}:$TAG_NAME +docker rmi ${E2E_CTST_IMAGE_NAME}:$TAG_NAME From 82e1a4f994f262c97288e12bf242db271ba6d18e Mon Sep 17 00:00:00 2001 
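Review bot: Switching to `set -ex` at the top of `.devcontainer/setup.sh` makes bash trace every command with its values expanded, and later in this same script `GIT_AUTH_TOKEN=$GITHUB_TOKEN docker build --secret id=GIT_AUTH_TOKEN ...` would then be echoed to the setup log with the token in clear. The commit message does not mention tracing, so this looks like a debugging leftover. Either keep `set -e`, or bracket the token-bearing commands with `set +x` before and `set -x` after.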
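Review bot: The bare `exit` added between the subshell's closing `)` and `done` ends the whole script after the first loop iteration, so with this commit alone the remaining deploy steps, the CTST image build and the new `docker rmi` never run. It is not described in the commit message and patch 08/11 of this series removes it again, which suggests it was left in from debugging. Dropping the line from this commit keeps every commit in the series runnable for bisecting. The `for` loop starts outside this hunk.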
From: Thomas Flament Date: Wed, 18 Mar 2026 09:52:46 +0100 Subject: [PATCH 02/11] scripts: make kubectl create calls idempotent for re-runs Replace kubectl create with create --dry-run=client | kubectl apply or kubectl apply -f so that re-running the setup scripts updates existing resources instead of failing. --- .github/scripts/end2end/deploy-metadata.sh | 2 +- .github/scripts/end2end/deploy-zenko.sh | 3 ++- .github/scripts/end2end/install-kind-dependencies.sh | 2 +- .github/scripts/end2end/install-mocks.sh | 5 +++-- .github/scripts/end2end/run-e2e-ctst.sh | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/scripts/end2end/deploy-metadata.sh b/.github/scripts/end2end/deploy-metadata.sh index 04d56af8a..08a996490 100755 --- a/.github/scripts/end2end/deploy-metadata.sh +++ b/.github/scripts/end2end/deploy-metadata.sh @@ -5,7 +5,7 @@ set -exu . "$(dirname $0)/common.sh" # create a separate namespace for metadata -kubectl create namespace metadata +kubectl create namespace metadata --dry-run=client -o yaml | kubectl apply -f - # clone the metadata repository git init metadata diff --git a/.github/scripts/end2end/deploy-zenko.sh b/.github/scripts/end2end/deploy-zenko.sh index 99544cbb1..3ae652022 100755 --- a/.github/scripts/end2end/deploy-zenko.sh +++ b/.github/scripts/end2end/deploy-zenko.sh @@ -127,7 +127,8 @@ create_encryption_secret() kubectl create secret generic ${ZENKO_NAME}-keypair.v0 \ --namespace ${NAMESPACE} \ --from-file=publicKey="$PUBLIC" \ - --from-file=privateKey="$PRIVATE" + --from-file=privateKey="$PRIVATE" \ + --dry-run=client -o yaml | kubectl apply -f - export AZURE_SECRET_KEY_ENCRYPTED } diff --git a/.github/scripts/end2end/install-kind-dependencies.sh b/.github/scripts/end2end/install-kind-dependencies.sh index e4048bc74..7aa94a8b2 100755 --- a/.github/scripts/end2end/install-kind-dependencies.sh +++ b/.github/scripts/end2end/install-kind-dependencies.sh 
@@ -144,7 +144,7 @@ helm upgrade --install --version ${KAFKA_OPERATOR_VERSION} -n default kafka-oper # keycloak envsubst < $DIR/configs/keycloak_config.json > $DIR/configs/keycloak-realm.json -kubectl create configmap keycloak-realm --from-file=$DIR/configs/keycloak-realm.json +kubectl create configmap keycloak-realm --from-file=$DIR/configs/keycloak-realm.json --dry-run=client -o yaml | kubectl apply -f - helm upgrade --install --version ${KEYCLOAK_VERSION} keycloak codecentric/keycloak -f "$DIR/configs/keycloak_options.yaml" -f "${KEYCLOAK_INGRESS_OPTIONS}" kubectl rollout status sts/keycloak --timeout=10m diff --git a/.github/scripts/end2end/install-mocks.sh b/.github/scripts/end2end/install-mocks.sh index 12321cc14..7bf6c7820 100644 --- a/.github/scripts/end2end/install-mocks.sh +++ b/.github/scripts/end2end/install-mocks.sh @@ -7,9 +7,10 @@ NAMESPACE=${1:-default} kubectl create \ configmap aws-mock \ --from-file=../mocks/aws/mock-metadata.tar.gz \ - --namespace ${NAMESPACE} + --namespace ${NAMESPACE} \ + --dry-run=client -o yaml | kubectl apply -f - -kubectl create \ +kubectl apply \ -f ../mocks/azure-mock.yaml \ -f ../mocks/aws-mock.yaml \ --namespace ${NAMESPACE} && \ diff --git a/.github/scripts/end2end/run-e2e-ctst.sh b/.github/scripts/end2end/run-e2e-ctst.sh index a692057dc..751460dff 100755 --- a/.github/scripts/end2end/run-e2e-ctst.sh +++ b/.github/scripts/end2end/run-e2e-ctst.sh @@ -159,7 +159,8 @@ CTST_VERSION=$(sed 's/.*"cli-testing": ".*#\(.*\)".*/\1/;t;d' ../../../tests/cts # Grant access to Kube API (insecure, only for testing) kubectl create clusterrolebinding serviceaccounts-cluster-admin \ --clusterrole=cluster-admin \ - --group=system:serviceaccounts + --group=system:serviceaccounts \ + --dry-run=client -o yaml | kubectl apply -f - # Running end2end ctst tests # Using overrides as we need to attach a local folder to the pod From fc74394ece2866465ef039402dfb7c61413809d2 Mon Sep 17 00:00:00 2001 
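Review bot: The `serviceaccounts-cluster-admin` binding in run-e2e-ctst.sh is now re-applied on every run and never removed, so on a cluster that is reused across runs (the case this patch targets) every service account in every namespace keeps `cluster-admin` through `--group=system:serviceaccounts`. The existing comment already marks it as insecure. If the service account of the CTST pod is known, `--serviceaccount=NAMESPACE:NAME` in place of the group would narrow the grant, and a `kubectl delete clusterrolebinding serviceaccounts-cluster-admin` once the tests finish would stop it outliving them. Which account the pod runs as is not visible in this hunk, so that needs confirming.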
From: Thomas Flament Date: Wed, 18 Mar 2026 15:13:44 +0100 Subject: [PATCH 03/11] ci(deploy): use PVC_NAME env var instead of sed hack for miria deploy Replace the `sed -i 's/sorbet-data/miria-data/g'` workaround with the new PVC_NAME env var from zenko-operator's deploy-sorbet-resources.sh. Both deploys now explicitly specify their PVC_NAME, making the coupling with run-e2e-ctst.sh's claimName visible at a glance. See: https://github.com/scality/zenko-operator/pull/599 Issue: ZKOP-530 --- .github/actions/deploy/action.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/deploy/action.yaml b/.github/actions/deploy/action.yaml index abc9b7509..af2cb37d3 100644 --- a/.github/actions/deploy/action.yaml +++ b/.github/actions/deploy/action.yaml @@ -71,14 +71,14 @@ runs: run: sh tests/smoke/deploy-sorbet-resources.sh end2end env: SORBETD_NAME: mock-sorbet + PVC_NAME: sorbet-data working-directory: ./.github/scripts/end2end/operator - name: Start mock miria service shell: bash - run: | - sed -i 's/sorbet-data/miria-data/g' tests/smoke/deploy-sorbet-resources.sh - tests/smoke/deploy-sorbet-resources.sh end2end + run: tests/smoke/deploy-sorbet-resources.sh end2end env: SORBETD_NAME: mock-miria + PVC_NAME: miria-data working-directory: ./.github/scripts/end2end/operator - name: Deploy metadata shell: bash From 653f5028a6a7b4a9b93c1075fdc5bca9877957d7 Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 18 Mar 2026 15:16:43 +0100 Subject: [PATCH 04/11] setup: use stable MongoDB database name for local and codespace runs Preserve ZENKO_MONGODB_DATABASE if already set instead of always generating a UUID, ensuring re-runs reuse the same database. --- .devcontainer/setup.sh | 5 +++++ .github/actions/deploy/action.yaml | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.devcontainer/setup.sh b/.devcontainer/setup.sh index b306e6c6d..556a3fe8f 100755 --- a/.devcontainer/setup.sh +++ b/.devcontainer/setup.sh 
@@ -7,6 +7,11 @@ ZENKO_ENV_FILE="$HOME/.zenko.env" yq eval '.env | to_entries | .[] | "export " + .key + "=" + (.value | tostring | @sh)' .github/workflows/end2end.yaml \ | sed 's/\${{[^}]*}}//g' > "$ZENKO_ENV_FILE" echo 'export GIT_ACCESS_TOKEN="${GITHUB_TOKEN}"' >> "$ZENKO_ENV_FILE" + +echo 'export VOLUME_ROOT=$PWD/artifacts' >> "$ZENKO_ENV_FILE" +echo 'export ZENKO_MONGODB_DATABASE=${ZENKO_MONGODB_DATABASE:-zenko-database}' >> "$ZENKO_ENV_FILE" +echo "export HOST_DNS=$(awk '/^nameserver/{print \$2; exit}' /etc/resolv.conf)" >> "$ZENKO_ENV_FILE" +mkdir -p "$PWD/artifacts/data" # Disable GCP tests as we don't have credentials setup in devcontainer echo 'export GCP_BACKEND_DESTINATION_LOCATION=' >> "$ZENKO_ENV_FILE" diff --git a/.github/actions/deploy/action.yaml b/.github/actions/deploy/action.yaml index af2cb37d3..fdea275ac 100644 --- a/.github/actions/deploy/action.yaml +++ b/.github/actions/deploy/action.yaml @@ -40,7 +40,9 @@ runs: ${{ runner.os }}-helm- - name: Generate MongoDB database name shell: bash - run: echo "ZENKO_MONGODB_DATABASE=$(cat /proc/sys/kernel/random/uuid)" >> "$GITHUB_ENV" + run: | + [ -z "$ZENKO_MONGODB_DATABASE" ] && ZENKO_MONGODB_DATABASE=$(cat /proc/sys/kernel/random/uuid) + echo "ZENKO_MONGODB_DATABASE=$ZENKO_MONGODB_DATABASE" >> "$GITHUB_ENV" - name: Install kind cluster dependencies shell: bash run: bash install-kind-dependencies.sh From 3586a40b908e1069a8cfc96303636287b96c6ad6 Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 18 Mar 2026 15:16:56 +0100 Subject: [PATCH 05/11] deploy-zkop: remove unnecessary operator image pull Tilt rebuilds the operator image from source, so pre-pulling the release image is redundant. --- .github/scripts/end2end/deploy-zkop.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/scripts/end2end/deploy-zkop.sh b/.github/scripts/end2end/deploy-zkop.sh index 697f2f04b..7676e8222 100755 --- a/.github/scripts/end2end/deploy-zkop.sh +++ b/.github/scripts/end2end/deploy-zkop.sh 
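Review bot: `echo 'export VOLUME_ROOT=$PWD/artifacts'` is single-quoted, so a literal `$PWD` goes into the env file and expands to whatever directory each later shell sources it from, while `mkdir -p "$PWD/artifacts/data"` uses the directory setup ran in. Writing the resolved path, `echo "export VOLUME_ROOT=$PWD/artifacts" >> "$ZENKO_ENV_FILE"`, keeps the two in agreement. In the `HOST_DNS` line the `\$2` sits inside single quotes within `$(...)`, where the backslash is not stripped, so awk most likely receives `print \$2` and rejects it; `print $2` is presumably what is meant. The single-quoted `ZENKO_MONGODB_DATABASE` line is fine as written, since deferring that expansion is the point.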
@@ -2,12 +2,8 @@ set -ex -[ -z "${OPERATOR_IMAGE_NAME}" ] && OPERATOR_IMAGE_NAME="$(yq eval '."zenko-operator" | .sourceRegistry + "/" + .image' solution/deps.yaml)" [ -z "${OPERATOR_IMAGE_TAG}" ] && OPERATOR_IMAGE_TAG="$(yq eval '."zenko-operator".tag' solution/deps.yaml)" -docker pull "${OPERATOR_IMAGE_NAME}:${OPERATOR_IMAGE_TAG}" -kind load docker-image "${OPERATOR_IMAGE_NAME}:${OPERATOR_IMAGE_TAG}" - OPERATOR_PATH=./.github/scripts/end2end/operator git init $OPERATOR_PATH cd $OPERATOR_PATH From b66c9b1ef1177357846e7b2b8f9094a7c1cb456a Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 18 Mar 2026 15:17:24 +0100 Subject: [PATCH 06/11] install-kind-deps: skip helm repo add if exists, persist kafka clone Skip network round-trip for helm repos already registered. Clone kafka-operator to a persistent directory to avoid re-cloning on every run. --- .../end2end/install-kind-dependencies.sh | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/scripts/end2end/install-kind-dependencies.sh b/.github/scripts/end2end/install-kind-dependencies.sh index 7aa94a8b2..0294f0ad6 100755 --- a/.github/scripts/end2end/install-kind-dependencies.sh +++ b/.github/scripts/end2end/install-kind-dependencies.sh 
@@ -43,17 +43,23 @@ else KEYCLOAK_INGRESS_OPTIONS="$DIR/configs/keycloak_ingress_http.yaml" fi -helm repo add --force-update bitnami https://charts.bitnami.com/bitnami -helm repo add --force-update pravega https://charts.pravega.io -helm repo add --force-update codecentric https://codecentric.github.io/helm-charts/ +helm_repo_add() { + helm repo list -o json 2>/dev/null | jq -e --arg n "$1" '.[] | select(.name == $n)' >/dev/null 2>&1 || helm repo add "$1" "$2" +} + +helm_repo_add bitnami https://charts.bitnami.com/bitnami +helm_repo_add pravega https://charts.pravega.io +helm_repo_add codecentric https://codecentric.github.io/helm-charts/ # BanzaiCloud repo may not work, c.f. https://scality.atlassian.net/browse/AN-225 -helm repo add --force-update banzaicloud-stable https://kubernetes-charts.banzaicloud.com || { +helm_repo_add banzaicloud-stable https://kubernetes-charts.banzaicloud.com || { echo -n "::notice file=$(basename $0),line=$LINENO,title=Banzaicloud Charts not available::" echo "Failed to add banzaicloud-stable repo, using local checkout" - kafka_operator="$(mktemp -d)" - git -c advice.detachedHead=false clone -q --depth 1 -b "v${KAFKA_OPERATOR_VERSION}" \ - https://github.com/banzaicloud/koperator "${kafka_operator}" + kafka_operator="${DIR}/kafka-operator" + if [ ! -d "${kafka_operator}" ]; then + git -c advice.detachedHead=false clone -q --depth 1 -b "v${KAFKA_OPERATOR_VERSION}" \ + https://github.com/banzaicloud/koperator "${kafka_operator}" + fi KAFKA_CHART="${kafka_operator}/charts/kafka-operator" } From 7ef35348c3306e3c7f33da761c67be6a3855b311 Mon Sep 17 00:00:00 2001 
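Review bot: `helm_repo_add` treats a repo as present when only its name matches, so a `bitnami`, `pravega` or `codecentric` entry left pointing at a different URL is silently reused and charts are installed from it, whereas the removed `--force-update` re-pinned the URL on every run. Matching the URL as well keeps the shortcut without that gap: `jq -e --arg n "$1" --arg u "$2" '.[] | select(.name == $n and .url == $u)'`, falling back to `helm repo add --force-update "$1" "$2"` when it does not match (check how helm stores the trailing slash of the codecentric URL). Separately, the persistent `${DIR}/kafka-operator` checkout is reused whenever the directory exists, so a changed `KAFKA_OPERATOR_VERSION` or an interrupted clone goes unnoticed; putting the version in the directory name would cover the first case.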
From: Thomas Flament Date: Wed, 18 Mar 2026 15:18:18 +0100 Subject: [PATCH 07/11] install-kind-deps: fix re-run failures for root-ca, prometheus, kafka CRDs Strip stale metadata when copying root-ca secret to avoid resourceVersion conflict. Use kubectl apply --server-side for prometheus and kafka CRDs instead of create-or-replace pattern. --- .github/scripts/end2end/install-kind-dependencies.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/scripts/end2end/install-kind-dependencies.sh b/.github/scripts/end2end/install-kind-dependencies.sh index 0294f0ad6..667aa6bcd 100755 --- a/.github/scripts/end2end/install-kind-dependencies.sh +++ b/.github/scripts/end2end/install-kind-dependencies.sh @@ -125,15 +125,13 @@ kubectl wait --for=condition=Ready --timeout=240s clusterissuer/artesca-root-ca- # Copy root CA secret to default namespace for applications to use echo "Copying root CA certificate to default namespace..." -kubectl get secret root-ca -n cert-manager -o json | - jq '.metadata.namespace="default" | .metadata.name="zenko-root-ca"' | +kubectl get secret root-ca -n cert-manager -o json | + jq '.metadata = {namespace: "default", name: "zenko-root-ca"}' | kubectl apply -f - # prometheus -# last-applied-configuration can end up larger than 256kB which is too large for an annotation -# so if apply fails, replace can work prom_url=https://raw.githubusercontent.com/coreos/prometheus-operator/${PROMETHEUS_VERSION}/bundle.yaml -kubectl create -f $prom_url || kubectl replace -f $prom_url --wait +kubectl apply --server-side -f $prom_url # wait for the resource to exist kubectl wait --for=condition=established --timeout=10m crd/alertmanagers.monitoring.coreos.com envsubst < configs/prometheus.yaml | kubectl apply -f - 
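Review bot: The rewritten jq filter replaces `.metadata` but still copies every key under `.data`, so if `root-ca` is the secret backing the CA ClusterIssuer (the hunk context suggests so, but its contents are not visible here) the CA private key is duplicated into `default` as `zenko-root-ca`. If the applications only need to trust the CA, copying the certificate alone would be enough, for example by appending `| .type = "Opaque" | .data |= {"ca.crt": (.["ca.crt"] // .["tls.crt"])}` to the jq program. Confirm which keys the consumers read before changing it.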
@@ -143,7 +141,7 @@ helm upgrade --install --version ${ZK_OPERATOR_VERSION} -n default zk-operator p # kafka kafka_crd_url=https://github.com/banzaicloud/koperator/releases/download/v${KAFKA_OPERATOR_VERSION}/kafka-operator.crds.yaml -kubectl create -f $kafka_crd_url || kubectl replace -f $kafka_crd_url +kubectl apply --server-side -f $kafka_crd_url helm upgrade --install --version ${KAFKA_OPERATOR_VERSION} -n default kafka-operator ${KAFKA_CHART} \ --set prometheusMetrics.authProxy.image.repository=quay.io/brancz/kube-rbac-proxy \ --set prometheusMetrics.authProxy.image.tag=v0.21.0 From e2a08ab242a4f87ab15abb575212125f4ef4e8ac Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 18 Mar 2026 16:33:48 +0100 Subject: [PATCH 08/11] setup: refactor step loop to early exits, skip metadata deploy Refactor the action.yaml step loop from a big if block to early exit guards for clarity. Skip deploy-metadata.sh when ring tests are disabled. --- .devcontainer/setup.sh | 44 ++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/.devcontainer/setup.sh b/.devcontainer/setup.sh index 556a3fe8f..e8b292f41 100755 --- a/.devcontainer/setup.sh +++ b/.devcontainer/setup.sh 
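Review bot: `kubectl apply --server-side` does not overwrite fields owned by another field manager, so on a cluster where these CRDs were created by the earlier `kubectl create` / `kubectl replace` path, a later run with a different `KAFKA_OPERATOR_VERSION` may stop with an apply conflict instead of updating them. Since the CRDs are meant to be owned by this script, `kubectl apply --server-side --force-conflicts -f "$kafka_crd_url"` states that intent. The prometheus bundle line in the previous hunk of this patch has the same exposure.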
@@ -31,30 +31,32 @@ for i in $(seq 0 $array_length); do working_dir=$(yq ".runs.steps[$i].working-directory" .github/actions/deploy/action.yaml) run_command=$(yq ".runs.steps[$i].run" .github/actions/deploy/action.yaml) - # We can't run `configure-e2e.sh` here because it needs services to be ready first, will be run after - # User will run tests manually after deployment ( - if [[ "$run_command" != "null" && "$run_command" != *"configure-e2e.sh"* ]]; then - # Inject env 'generated' from previous steps - source "$GITHUB_ENV" - - # Inject variables - # We use `sed` to replace github variable references and avoid bad substitution error from bash - env_variables=$(yq '.runs.steps['$i'].env | to_entries | .[] | .key + "=" + .value' .github/actions/deploy/action.yaml \ - | sed -e 's/${{ *inputs.\([[:graph:]]*\) *}}/$GITHUB_INPUTS_\1/' -e 's/\${{.*}}//' \ - | envsubst ) - [ -n "$env_variables" ] && export $env_variables - - if [ "$working_dir" != "null" ]; then - echo "Changing working dir: $working_dir" - cd $working_dir - fi - - echo "Run command: $run_command" - eval "$run_command"; + [[ "$run_command" == "null" ]] && exit 0 + # We can't run `configure-e2e.sh` here because it needs services to be ready first, will be run after + [[ "$run_command" == *"configure-e2e.sh"* ]] && exit 0 + # We don't want to run `run-e2e-test.sh` because it is used for linting here, user will run it manually if needed after deployment + [[ "$run_command" == *"run-e2e-test.sh"* ]] && exit 0 + [[ "$run_command" == *"deploy-metadata.sh"* && "${ENABLE_RING_TESTS}" == "false" ]] && exit 0 + + # Inject env 'generated' from previous steps + source "$GITHUB_ENV" + + # Inject variables + # We use `sed` to replace github variable references and avoid bad substitution error from bash + env_variables=$(yq '.runs.steps['$i'].env | to_entries | .[] | .key + "=" + .value' .github/actions/deploy/action.yaml \ + | sed -e 's/${{ *inputs.\([[:graph:]]*\) *}}/$GITHUB_INPUTS_\1/' -e 's/\${{.*}}//' \ + | 
envsubst ) + [ -n "$env_variables" ] && export $env_variables + + if [ "$working_dir" != "null" ]; then + echo "Changing working dir: $working_dir" + cd $working_dir fi + + echo "Run command: $run_command" + eval "$run_command"; ) - exit done ( From 5693c28254c460f6982a6cbff912c38597af9e9d Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Thu, 19 Mar 2026 14:52:29 +0100 Subject: [PATCH 09/11] deploy-zenko: reuse existing keypair on re-runs Instead of regenerating the keypair secret on every run, check if it already exists and extract the public key from it. This prevents OAEP decryption errors caused by location configs encrypted with a previous keypair. --- .github/scripts/end2end/deploy-zenko.sh | 42 ++++++++++++++----------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/.github/scripts/end2end/deploy-zenko.sh b/.github/scripts/end2end/deploy-zenko.sh index 3ae652022..8515f842b 100755 --- a/.github/scripts/end2end/deploy-zenko.sh +++ b/.github/scripts/end2end/deploy-zenko.sh 
@@ -101,19 +101,32 @@ create_encryption_secret() PRIVATE=$(mktemp zenko-key.XXXXXX) trap 'rm -f "$PUBLIC" "$PRIVATE"' EXIT INT HUP TERM - # Get the OpenSSL version - OPENSSL_VERSION=$(openssl version | awk '{print $2}') - - # Check if OpenSSL 3.x is being used - if [[ $OPENSSL_VERSION =~ ^3\..* ]]; then - # Use the "-traditional" flag for OpenSSL 3.x - openssl genrsa -out "$PRIVATE" -traditional + if kubectl get secret ${ZENKO_NAME}-keypair.v0 --namespace ${NAMESPACE} >/dev/null 2>/dev/null; then + kubectl get secret ${ZENKO_NAME}-keypair.v0 --namespace ${NAMESPACE} \ + -o jsonpath='{.data.publicKey}' | base64 -d > "$PUBLIC" else - openssl genrsa -out "$PRIVATE" + # Get the OpenSSL version + OPENSSL_VERSION=$(openssl version | awk '{print $2}') + + # Check if OpenSSL 3.x is being used + if [[ $OPENSSL_VERSION =~ ^3\..* ]]; then + # Use the "-traditional" flag for OpenSSL 3.x + openssl genrsa -out "$PRIVATE" -traditional + else + openssl genrsa -out "$PRIVATE" + fi + + openssl rsa -in "$PRIVATE" -pubout -out "$PUBLIC" + + # Zkop expects PKCS#1 format, but with a type of 'PRIVATE KEY' as generated with older openssl + sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' "$PRIVATE" + + kubectl create secret generic ${ZENKO_NAME}-keypair.v0 \ + --namespace ${NAMESPACE} \ + --from-file=publicKey="$PUBLIC" \ + --from-file=privateKey="$PRIVATE" fi - openssl rsa -in "$PRIVATE" -pubout -out "$PUBLIC" - AZURE_SECRET_KEY_ENCRYPTED="$( printf '%s' "${AZURE_SECRET_KEY}" \ | openssl pkeyutl -encrypt -pubin -inkey "$PUBLIC" \ @@ -121,15 +134,6 @@ create_encryption_secret() | base64 -w 0 )" - # Zkop expects PKCS#1 format, but with a type of 'PRIVATE KEY' as generated with older openssl - sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' "$PRIVATE" - - kubectl create secret generic ${ZENKO_NAME}-keypair.v0 \ - --namespace ${NAMESPACE} \ - --from-file=publicKey="$PUBLIC" \ - --from-file=privateKey="$PRIVATE" \ - --dry-run=client -o yaml | kubectl apply -f - - export AZURE_SECRET_KEY_ENCRYPTED } 
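Review bot: In the reuse branch the result of `kubectl get secret ... -o jsonpath='{.data.publicKey}' | base64 -d` is written to `$PUBLIC` without checking that anything came back, and the existence test before it treats every `kubectl get` failure (API unreachable, RBAC denial) as "secret absent". If the secret has no `publicKey` entry the file is empty, and because `openssl pkeyutl` runs inside a pipeline that ends in `base64 -w 0`, its failure may go unnoticed and `AZURE_SECRET_KEY_ENCRYPTED` be exported empty unless `pipefail` is set elsewhere in the script. A guard right after the extraction, `[ -s "$PUBLIC" ] || { echo "publicKey missing from ${ZENKO_NAME}-keypair.v0" >&2; return 1; }`, fails early with a clear message. `create_encryption_secret` begins before this hunk.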
From 7b13891a5b5fe0b1a97195f4815429fbec3d1b69 Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Tue, 24 Mar 2026 09:09:55 +0100 Subject: [PATCH 10/11] configure-e2e-ctst: persist auth zookeeper storage for SCRAM credentials SCRAM-SHA-512 user registrations are stored in ZooKeeper. The auth ZooKeeper clone was using ephemeral storage, so credentials were lost on pod restart, causing notification-processor-destination4 to fail with SASL authentication errors. --- .github/scripts/end2end/configure-e2e-ctst.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/scripts/end2end/configure-e2e-ctst.sh b/.github/scripts/end2end/configure-e2e-ctst.sh index b856a2028..5acaa1331 100755 --- a/.github/scripts/end2end/configure-e2e-ctst.sh +++ b/.github/scripts/end2end/configure-e2e-ctst.sh @@ -32,8 +32,6 @@ export NOTIF_KAFKA_SCRAM_PORT=9095 kubectl get zookeepercluster "${ZENKO_NAME}-base-quorum" -o json | jq '. | .metadata |= {namespace, name: "\(.name)-auth" } | del(.spec.labels) -| del(.spec.persistence) -| .spec.storageType |= "ephemeral" | del(.spec.pod.affinity) | del(.spec.pod.labels) | del(.status) From 031bfc91d113e46368a2647d5499e72348dd237b Mon Sep 17 00:00:00 2001 From: Thomas Flament Date: Wed, 25 Mar 2026 17:10:29 +0100 Subject: [PATCH 11/11] run-ctst-locally: read admin credentials from cluster secrets Hardcoded credentials don't survive vault restarts. Read the vault admin key from the management-vault-admin-creds secret instead, matching how the CI run-e2e-ctst.sh script works. Also fix the account name to zenko-ctst to match CI. --- tests/ctst/run-ctst-locally.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/ctst/run-ctst-locally.sh b/tests/ctst/run-ctst-locally.sh index c3b86264b..da2f1bf27 100755 --- a/tests/ctst/run-ctst-locally.sh +++ b/tests/ctst/run-ctst-locally.sh 
@@ -14,14 +14,17 @@ IMAGE_NAME="${2:-ghcr.io/scality/zenko/zenko-e2e-ctst:ctst_codespace_setup}" # certain tests based on their @version tag. VERSION=$(cat ../../VERSION | grep -Po 'VERSION="\K[^"]*') POD_NAME="ctst-end2end" +ZENKO_NAME="${ZENKO_NAME:-end2end}" +ADMIN_ACCESS_KEY=$(kubectl get secret "${ZENKO_NAME}-management-vault-admin-creds.v1" -o jsonpath='{.data.accessKey}' | base64 -d) +ADMIN_SECRET_KEY=$(kubectl get secret "${ZENKO_NAME}-management-vault-admin-creds.v1" -o jsonpath='{.data.secretKey}' | base64 -d) WORLD_PARAMETERS="$(jq -c <