Skip to content

ci: add integration tests on GHA#38

Merged
robbycochran merged 11 commits into
mainfrom
rc-gha-integration
Jun 5, 2026
Merged

ci: add integration tests on GHA#38
robbycochran merged 11 commits into
mainfrom
rc-gha-integration

Conversation

@robbycochran

@robbycochran robbycochran commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator

Summary

Integration tests on GHA

  • Local integration workflow — installs openshell, starts gateway, runs full sandbox lifecycle on every PR
  • CI profile (profiles/ci.toml) — no providers, public base image, no auth needed
  • --no-providers and --profile flags for test-flow.sh — gates provider-dependent checks
  • Gateway log export — captures journalctl + openshell status/gateway-list as CI artifacts for debugging

Gateway config system

  • gateways/ directory — each gateway is a directory with consistent structure: gateway.toml, helm/values.yaml, and optional addons/
  • Three gateways: local (podman/docker), kind (NodePort, no auth), ocp (Route, SCCs)
  • Moved deploy artifacts: values-ocp.yaml → gateways/ocp/helm/values.yaml, deploy/{rbac,route}.yaml → gateways/ocp/addons/
  • Code references updated in cmd/deploy.go

Profile improvements

  • startup field — controls whether startup.sh runs (configurable per-profile instead of hardcoded)
  • from field — renamed from image, accepts Dockerfile path or image ref (matches openshell --from flag)
  • LAUNCHER_IMAGE env var — override launcher image in Job spec for local testing without waiting for ghcr.io push

Security

  • Launcher mTLS validation — checks all 3 cert files (ca.crt, tls.crt, tls.key), prints WARNING to stderr with specific missing files on insecure fallback
  • Verified in OCP cluster logs: ✓ mTLS certs found — using encrypted connection

Naming

  • Renamed podman → local throughout (test-flow.sh targets, workflow jobs, Makefile targets)
  • podman kept as backward-compat alias in test-flow.sh

Design doc updates (docs/design.md)

  • Gateway config schema and deploy behavior table
  • OCP vs vanilla k8s: 5 OCP-specific steps documented with vanilla equivalents
  • Three TLS network paths (laptop→gateway, launcher→gateway, gateway→sandbox)
  • Auth roadmap: mTLS-as-auth (now) → oauth-proxy + OCP OAuth (next) → OIDC (future)
  • Container runtime: driver detection from gateway logs, OPENSHELL_DRIVERS override

Verified

  • go test ./... — all pass
  • go vet ./... — clean
  • Local integration: 20/20
  • CI integration (GHA): 11/11 with CI profile
  • OCP: gateway deployed, launcher mTLS validated in cluster logs
  • All 5 CI checks green: test, lint, local, sandbox, launcher

🤖 Generated with Claude Code

robbycochran and others added 11 commits June 5, 2026 12:10
- Add profiles/ci.toml — minimal profile with no providers, uses
  public community base image (no registry auth needed)
- Add startup field to profile Config — controls whether startup.sh
  runs (default profile sets it, CI profile omits it)
- Add --no-providers and --profile flags to test-flow.sh
- sandbox_verify skips provider-dependent checks with --no-providers
- Add .github/workflows/integration.yml — runs podman integration
  tests on every PR and push to main

Tested locally: 11/11 CI profile, 20/20 default profile.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The harness doesn't manage the container runtime — openshell auto-detects
the driver (podman/docker). Rename test targets, workflow jobs, and
Makefile from 'podman' to 'local' since the runtime is an openshell
concern. Keep 'podman' as a test-flow.sh alias for backward compat.

Add container runtime section to design.md documenting OPENSHELL_DRIVERS
env var and gateway --config for driver override.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The openshell gateway logs 'Using compute driver driver=podman' at
startup but doesn't expose it via gRPC API (by design). Document
the log location and how harness status can extract it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move OCP deploy artifacts from deploy/ and values-ocp.yaml into
gateways/ocp/ with addons subdirectory. Add gateway config stubs
for local, ocp, and kind targets.

Structure:
  gateways/local.toml              — local podman/docker gateway
  gateways/ocp/gateway.toml        — OpenShift deployment config
  gateways/ocp/values.yaml         — Helm values (was values-ocp.yaml)
  gateways/ocp/addons/rbac.yaml    — launcher RBAC (was deploy/rbac.yaml)
  gateways/ocp/addons/route.yaml   — OCP Route (was deploy/route.yaml)
  gateways/kind/gateway.toml       — kind cluster config (NodePort, no auth)

Code references updated in cmd/deploy.go.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Each remote gateway now has a consistent structure:
  gateway.toml      — gateway config (type, platform, service)
  helm/values.yaml  — Helm values for this gateway
  addons/           — post-install manifests (OCP only for now)

kind gateway gets minimal values (NodePort, no auth).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document the gateway config schema, deploy behavior by config field,
sandbox-vs-gateway orthogonality, and custom gateway instructions.

Add gateway log export step to local integration CI workflow —
captures journalctl logs, openshell status, and gateway list as
artifacts for debugging failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Document the 5 OCP-specific steps vs vanilla k8s (SCCs, Helm values,
  Route, appsDomain, PKI)
- Document three network paths (laptop→gateway, launcher→gateway,
  gateway→sandbox) and that all use mTLS
- Auth roadmap: mTLS-as-auth (now) → oauth-proxy + OCP OAuth (next)
  → OIDC (future)
- Detail oauth-proxy approach: uses existing OCP OAuth server, no
  external IdP, standard OCP pattern

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Check all three cert files (ca.crt, tls.crt, tls.key) instead of just
tls.crt. Print WARNING to stderr with specific missing files when
falling back to insecure mode. Log success when mTLS is configured.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Matches existing SANDBOX_IMAGE pattern. Allows testing launcher
changes locally without waiting for ghcr.io image push:
  LAUNCHER_IMAGE=quay.io/rcochran/openshell:launcher harness new --remote

Verified: launcher mTLS cert validation working in OCP cluster logs:
  ✓ mTLS certs found — using encrypted connection

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@robbycochran robbycochran merged commit 0620f61 into main Jun 5, 2026
5 checks passed
@robbycochran robbycochran deleted the rc-gha-integration branch June 13, 2026 14:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant