ROX-27073: add cluster migration e2e test

[johannes94]

Description

• Adds a ginkgo e2e test suite for multicluster test
• First test verifies cluster migration between multiple clusters
• Adds a make target to run the tests test/multicluster/e2e
• Moved common logic with other e2e tests to a testutils package
• Change admin CentralRequest presenter to actually set the ClusterId, which is required for the test
• See test manual on how to execute this agains 2 infra clusters
• Extends our k8s client pkg to allow loading config for multiple cluster

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources
• (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

# Start 2 infractl clusters OSD on AWS
# Login to kerberos for secret access
kinit jmalsam

export CLUSTER_TYPE="infra-openshift"
export CLUSTER_1_KUBECONFIG=/Users/johannes/kubes/cluster1
export CLUSTER_2_KUBECONFIG=/Users/johannes/kubes/cluster2
export QUAY_USER=<your user>
export QUAY_TOKEN=<your token>
export ENABLE_CENTRAL_EXTERNAL_CERTIFICATE="true"
export ROUTE53_ACCESS_KEY=<route53-key-id>
export ROUTE53_SECRET_ACCESS_KEY=<route53-secret>
export STATIC_TOKEN=<static-token-from-ci>
export STATIC_TOKEN_ADMIN=<static-admin-token-from-ci>

export INFRA_TOKEN=<your-infra-token>

url=$(infractl artifacts jm-migration-1 --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
wget -O $CLUSTER_1_KUBECONFIG $url

url=$(infractl artifacts jm-migration-2 --json | jq '.Artifacts[] | select(.Name=="kubeconfig") | .URL' -r)
wget -O $CLUSTER_2_KUBECONFIG $url

bash scripts/ci/multicluster_tests/deploy.sh

# Verify all services are running like expected
KUBECONFIG=$CLUSTER_1_KUBECONFIG k get pods -n rhacs # fleet-manager and fleetshard-sync must be healthy
KUBECONFIG=$CLUSTER_2_KUBECONFIG k get pods -n rhacs # fleetshard-sync must be healthy, fleet-manager does not exist

make test/multicluster/e2e

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [johannes94]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ebensh]

Several nits, nothing major - the flow of the e2e test makes sense and is easy enough to read with the comments you provided throughout

[ebensh]

Where do these come from / why can we not clean them up after the test?

[ebensh]

Found them in deploy.sh - is there no way to have a cleanup.sh equivalent? Or better to leave the artifacts in case debugging is necessary?

[johannes94]

Those files would be created and not cleaned up. So you can use them for debugging already, this is just the .gitignore to prevent those files from being commited and pushed to the repo.

[ebensh]

Would waiting for "deleting" state instead of "deprovisioning" rely on the FM's cleanup of the routes instead of manually cleaning them up here? (sorry if missing something, not used to looking at the e2e tests as much)

[johannes94]

I'm not 100% sure about this. But I think FM would only start deleting the route records on deleting state.

We trigger a deletion and wait for deletion at the end of this test, which usually cleans up the records.

This logic is intended as an additional measure on test failures. Because on failures we might be stuck somewhere in the usual reconciliation loop which can lead to a situation where the deletion lifecycle logic doesn't get executed. In a case like this we don't want to leak those resources.

[ebensh]

Just a meta-comment - adding the testutil. in a separate PR if possible would've made reviewing just the cluster migration part easier. It's fast enough to skim by but next time would recommend splitting into 2 PRs

[johannes94]

Yes, I thought about splitting PRs as well along the way, decided to not do it since I only wanted very few changes. Then it grew over time to what you see now :) . I'll split it next time.

[ebensh]

👍

[ebensh]

nit - a unique value from dpCloudProvider

[johannes94]

Do you mean dpCloudProvider should have a different value than dpRegion?

Unfortunately that's not so easy, because that's what we have for the cluster configurations all other tests do it like this as well.

[ebensh]

Is this necessary? https://onsi.github.io/gomega/#eventually

Eventually checks that an assertion eventually passes. Eventually blocks when called and attempts an assertion periodically until it passes or a timeout occurs.
It shouldn't keep polling once the condition passes

[ebensh]

Ah unless the comments means "Once you get a value it will not change, so then do the assert" - instead of e.g. checking the value and, if the value is there but wrong, then getting stuck in polling loop even though you know it will not change?

[johannes94]

Yes, exactly this is what the comment means, I will try to express this more clearly.

[ebensh]

break?

[ebensh]

Nit - would use Get or Fetch instead of Obtain, if possible. Just a bit more consistent

[johannes94]

You're right. Its called that way because the private function I copied to testuitl was called like that before.

I changed it.

[openshift-ci]

@johannes94: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e	86a3959	link	true	/test e2e
ci/prow/images	86a3959	link	true	/test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.