kcp-dev · SimonTheLeg · Feb 8, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 17, 2025
diff --git a/README.md b/README.md
@@ -72,3 +72,12 @@ graph TB
     classDef ca color:#F77
     classDef cert color:orange
 ```
+
+### Running E2E tests locally
+
+In order to run the E2E tests locally, you will need to setup cert-manager with the sample clusterissuer:
+
+```sh
+helm upgrade --install --namespace cert-manager --create-namespace --version v1.16.2 --set crds.enabled=true cert-manager jetstack/cert-manager
+kubectl apply -n cert-manager --filename hack/ci/testdata/clusterissuer.yaml
+```
diff --git a/internal/controller/kubeconfig_controller.go b/internal/controller/kubeconfig_controller.go
@@ -127,8 +127,8 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 		clientCertIssuer = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.FrontProxyClientCA)
 		serverCA = resources.GetRootShardCAName(&rootShard, operatorv1alpha1.ServerCA)
-		serverURL = fmt.Sprintf("https://%s:6443", rootShard.Spec.External.Hostname)
-		serverName = rootShard.Spec.External.Hostname
+		serverURL = fmt.Sprintf("https://%s:6443", frontProxy.Spec.ExternalHostname)
+		serverName = frontProxy.Spec.ExternalHostname
 
 	default:
 		return ctrl.Result{}, fmt.Errorf("no valid target for kubeconfig found")

diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go
@@ -70,7 +70,7 @@ var _ = BeforeSuite(func() {
 		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
 		// Note that you must have the required binaries setup under the bin directory to perform
 		// the tests directly. When we run make test it will be setup and used automatically.
-		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
+		BinaryAssetsDirectory: filepath.Join("..", "..", "_tools", "k8s",
 			fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
 	}
 

diff --git a/test/e2e/frontproxies/frontproxies_test.go b/test/e2e/frontproxies/frontproxies_test.go
@@ -0,0 +1,90 @@
+//go:build e2e
+
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package frontproxies
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-logr/logr"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrlruntime "sigs.k8s.io/controller-runtime"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+	"github.com/kcp-dev/kcp-operator/test/utils"
+)
+
+func TestCreateFrontProxy(t *testing.T) {
+	fmt.Println()
+
+	ctrlruntime.SetLogger(logr.Discard())
+
+	client := utils.GetKubeClient(t)
+	ctx := context.Background()
+	namespace := "create-frontproxy"
+
+	utils.CreateSelfDestructingNamespace(t, ctx, client, namespace)
+
+	// deploy rootshard
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace)
+
+	// deploy front-proxy
+	frontProxy := utils.DeployFrontProxy(ctx, t, client, namespace, rootShard.Name)
+
+	// create front-proxy kubeconfig
+	configSecretName := "kubeconfig-front-proxy-e2e"
+
+	fpConfig := operatorv1alpha1.Kubeconfig{}
+	fpConfig.Name = "front-proxy"
+	fpConfig.Namespace = namespace
+	fpConfig.Spec = operatorv1alpha1.KubeconfigSpec{
+		Target: operatorv1alpha1.KubeconfigTarget{
+			FrontProxyRef: &corev1.LocalObjectReference{
+				Name: frontProxy.Name,
+			},
+		},
+		Username: "e2e",
+		Validity: metav1.Duration{Duration: 2 * time.Hour},
+		SecretRef: corev1.LocalObjectReference{
+			Name: configSecretName,
+		},
+		Groups: []string{"system:masters"},
+	}
+
+	t.Log("Creating kubeconfig for FrontProxy…")
+	if err := client.Create(ctx, &fpConfig); err != nil {
+		t.Fatal(err)
+	}
+	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: fpConfig.Namespace, Name: fpConfig.Spec.SecretRef.Name})
+
+	// verify that we can use frontproxy kubeconfig to access rootshard workspaces
+	t.Log("Connecting to FrontProxy…")
+	kcpClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace, fpConfig.Name)
+	// proof of life: list something every logicalcluster in kcp has
+	t.Log("Should be able to list Secrets.")
+	secrets := &corev1.SecretList{}
+	if err := kcpClient.List(ctx, secrets); err != nil {
+		t.Fatalf("Failed to list secrets in kcp: %v", err)
+	}
+}
diff --git a/test/utils/deploy.go b/test/utils/deploy.go
@@ -155,3 +155,44 @@ func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient
 
 	return rootShard
 }
+
+func DeployFrontProxy(ctx context.Context, t *testing.T, client ctrlruntimeclient.Client, namespace string, rootShardName string, patches ...func(*operatorv1alpha1.FrontProxy)) operatorv1alpha1.FrontProxy {
+	t.Helper()
+
+	frontProxy := operatorv1alpha1.FrontProxy{}
+	frontProxy.Name = "front-proxy"
+	frontProxy.Namespace = namespace
+
+	frontProxy.Spec = operatorv1alpha1.FrontProxySpec{
+		RootShard: operatorv1alpha1.RootShardConfig{
+			Reference: &corev1.LocalObjectReference{
+				Name: rootShardName,
+			},
+		},
+		ExternalHostname: fmt.Sprintf("%s.%s.svc.cluster.local", frontProxy.Name, frontProxy.Namespace),
+		Auth: &operatorv1alpha1.AuthSpec{
+			// we need to remove the default system:masters group in order to do our testing
+			DropGroups: []string{""},
+		},
+	}
+
+	for _, patch := range patches {
+		patch(&frontProxy)
+	}
+
+	t.Logf("Creating FrontProxy %s…", frontProxy.Name)
+	if err := client.Create(ctx, &frontProxy); err != nil {
+		t.Fatal(err)
+	}
+
+	opts := []ctrlruntimeclient.ListOption{
+		ctrlruntimeclient.InNamespace(frontProxy.Namespace),
+		ctrlruntimeclient.MatchingLabels{
+			"app.kubernetes.io/component": "front-proxy",
+			"app.kubernetes.io/instance":  frontProxy.Name,
+		},
+	}
+	WaitForPods(t, ctx, client, opts...)
+
+	return frontProxy
+}
diff --git a/test/utils/utils.go b/test/utils/utils.go
@@ -182,6 +182,11 @@ func ConnectWithKubeconfig(
 	parts := strings.Split(hostname, ".")
 	serviceName := parts[0]
 
+	// for frontproxies add required suffix
+	if config.Spec.Target.FrontProxyRef != nil {
+		serviceName += "-front-proxy"
+	}
+
 	portNum, err := strconv.ParseInt(portString, 10, 32)
 	if err != nil {
 		t.Fatalf("Failed to parse kubeconfig's port %q: %v", portString, err)

diff --git a/test/utils/wait.go b/test/utils/wait.go
@@ -32,7 +32,7 @@ func WaitForPods(t *testing.T, ctx context.Context, client ctrlruntimeclient.Cli
 
 	t.Log("Waiting for pods to be available…")
 
-	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 3*time.Minute, false, func(ctx context.Context) (done bool, err error) {
+	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 5*time.Minute, false, func(ctx context.Context) (done bool, err error) {
 		pods := corev1.PodList{}
 		if err := client.List(ctx, &pods, listOpts...); err != nil {
 			return false, err