Add Secrets Manager E2E tests to e2e:test-on-cng pipeline
Problem to solve
E2E tests for the GitLab Secrets Manager need to be executed automatically on the CI.
Since the feature is available on Cloud Native GitLab (CNG),
these tests need to be executed as part of the e2e:test-on-cng pipeline.
Proposal
- Add new cng-secrets-manager job to e2e:test-on-cng.
- cng-secrets-manager runs in parallel with other test jobs like cng-qa-min-redis-version.
- All jobs share the same CNG images built in the .pre stage
- The Secrets Manager job uses Orchestrator configuration with OpenBao enabled
Testing pipelines diagram
graph TD
A[GitLab Project Pipeline] --> B[e2e:test-on-cng]
B --> C[.pre stage]
C --> D[build-cng: Trigger CNG to build Debian images]
D --> E[test stage]
E --> F[cng-instance<br/>Full E2E suite]
E --> G[cng-qa-min-redis-version<br/>Min Redis validation]
E --> H[cng-secrets-manager<br/>Secrets Manager E2E]
H --> I[Deploy via Orchestrator<br/>with OpenBao enabled]
I --> J[Run QA:<br/>--tag secrets_manager<br/>--tag orchestrated]
J --> K{Test Scenarios}
K --> L[Enable feature in project]
K --> M[Create/read/update secrets]
K --> N[Use secrets in CI/CD]
style B fill:#e8f4f8
style D fill:#fef3e8
style H fill:#e8f8f0
style J fill:#e8f8f0
Implementation Plan
See #573410 (comment 2871971833)
1. Update GitLab Orchestrator Configuration for OpenBao
Owner: group::test governance (via RFH)
Blocker: Depends on gitlab-org/quality/quality-engineering&163 (enabling orchestrated testing with CNG)
- Add OpenBao configuration to test orchestrator deployment configurations
- Update qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/default_values.rb to include OpenBao chart values
- Update qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/configurations/kind.rb to enable OpenBao during kind deployment (where the orchestrator spins up the new GitLab cluster)
- Enable the OpenBao subchart with appropriate configuration values (the chart's self-initialization will handle setting up authentication mounts, policies, and roles)
This MR illustrates what needs to change: Add Oauth to test-on-cng pipeline (!211795 - merged)
See #573410 (comment 2900989982)
2. Create Custom e2e:test-on-cng Job for Secrets Manager
Owner: group::test governance (via RFH) + group::pipeline security
- Define new job in .gitlab/ci/test-on-cng/main.gitlab-ci.yml (used to generate the pipeline via .gitlab/ci/qa.gitlab-ci.yml)
- Job configuration:
  - Deploy CNG with OpenBao enabled via orchestrator
  - Run Secrets Manager E2E specs: --tag secrets_manager --tag orchestrated
  - Execute for:
    - Scheduled pipelines against master
    - Changes to Secrets Manager-related code paths
Dependencies
- Blocker: RFH (Request for Help) with group::test governance to discuss timeline, design recommendations, resource requirements, and selective testing strategy. See Reduce pipeline runtime by moving orchestrated ... (gitlab-org/quality/quality-engineering&163)
- Prerequisite: E2E test specs for Secrets Manager (covered by parent epic) - specs must be tagged with both :secrets_manager and :orchestrated
Success Criteria
- E2E tests for Secrets Manager run automatically in e2e:test-on-cng pipeline
- Tests validate end-to-end functionality: enable feature → create secret → use in CI/CD
- Tests run on Debian-based CNG images (UBI/FIPS testing covered separately in GitLab Chart)
- Pipeline failures surface Secrets Manager regressions before merge
Links
- Testing guide: https://docs.gitlab.com/development/testing_guide/end_to_end/test_pipelines/#e2etest-on-cng
- CI config: https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
- gitlab-orchestrator gem: https://gitlab.com/gitlab-org/gitlab/-/tree/master/qa/gems/gitlab-orchestrator
- Epic on enabling orchestrated testing with CNG: gitlab-org/quality/quality-engineering&163
- Related: #580642 (GitLab Chart integration testing - separate track)
- Related: #579781 (closed) (Automated tests for gitlab-openbao CNG images)