From 70aa964a7280209459c8db8bdc0ce28ecf7bd254 Mon Sep 17 00:00:00 2001
From: eli
Date: Mon, 13 Apr 2026 10:44:59 -0500
Subject: [PATCH 1/6] Fix pdp-tester CI job for K8s-based refactor The pdp-tester was refactored from Docker-based to Kubernetes-based (permitio/pdp-tester#80). The old CI used Docker directly to run PDP containers, but the new code requires a Kubernetes cluster. Changes: - Add k3d cluster setup (same approach as pdp-tester's own CI) - Import both PDP image and pdp-tester image into k3d - Deploy via Helm chart in job mode with tag 'next' (the PR's PDP build) - Wait for Job completion and check test results from logs - Teardown k3d cluster on completion
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/tests.yml | 90 ++++++++++++++++++++++++++-----------
1 file changed, 63 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f2e4398b..258d59e2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -104,43 +104,79 @@ jobs: token: ${{ secrets.CLONE_REPO_TOKEN }} path: './pdp-tester' - # Setup Python environment - - name: Setup Python - uses: actions/setup-python@v5 + # Start k3d cluster for Kubernetes-based pdp-tester + - name: Start k3d cluster + uses: AbsaOSS/k3d-action@v2.4.0 with: - python-version: "3.12" + cluster-name: pdp-tester + args: --k3s-arg "--disable=traefik@server:0" + + # Import PDP image into k3d (instead of Docker) + - name: Import PDP image into k3d + run: k3d image import permitio/pdp-v2:next -c pdp-tester - # Install dependencies for pdp-tester - - name: Install pdp-tester dependencies + # Build pdp-tester image and import into k3d + - name: Build and import pdp-tester image working-directory: ./pdp-tester run: | - pip install -r requirements.txt + docker build -t pdp-tester:ci . + k3d image import pdp-tester:ci -c pdp-tester - # Run pdp-tester - - name: Run pdp-tester - working-directory: ./pdp-tester + # Create namespace and secrets + - name: Create secrets env: - TOKEN: ${{ secrets.PDP_TESTER_API_KEY }} - LOCAL_TAGS: '["next"]' - INCLUDE_TAGS: '[]' - AUTO_REMOVE: "False" - SKIP_GENERATE: "True" - ENABLE_APM: "False" + PERMIT_TOKEN: ${{ secrets.PDP_TESTER_API_KEY }} + run: | + kubectl create namespace pdp-tester || true + kubectl create secret generic pdp-tester-credentials \ + -n pdp-tester \ + --from-literal=token="${PERMIT_TOKEN}" \ + --dry-run=client -o yaml | kubectl apply -f - + + # Deploy pdp-tester via Helm with the "next" PDP image + - name: Deploy pdp-tester via Helm + working-directory: ./pdp-tester + run: | + helm install pdp-tester ./deploy/helm/pdp-tester \ + --set mode=job \ + --set permit.existingSecret=pdp-tester-credentials \ + --set permit.apiUrl=https://permitio.api.stg.permit.io \ + --set image.repository=pdp-tester \ + --set image.tag=ci \ + --set image.pullPolicy=Never \ + --set pdp.image=permitio/pdp-v2 \ + --set 'pdp.includeTags[0]=next' \ + --set tests.skipGenerate=true \ + --set namespace.create=false \ + 
--set logJson=false + + - name: Wait for Job completion run: | - python -m pdp_tester.main + kubectl wait --for=condition=complete job/pdp-tester \ + -n pdp-tester --timeout=600s - - name: Print Docker container logs + - name: Check test results + run: | + LOGS=$(kubectl logs job/pdp-tester -n pdp-tester) + echo "$LOGS" | tail -30 + if echo "$LOGS" | grep -q "test cases failed"; then + echo "::error::Some test cases failed!" + exit 1 + fi + + - name: Print tester logs if: always() run: | - echo "Fetching logs for all Docker containers..." - for container in $(docker ps -aq); do - echo "========================================" - echo "Logs for container: $container" - echo "----------------------------------------" - docker logs "$container" || true - echo "========================================" - echo "" - done + echo "=== PDP Tester logs ===" + kubectl logs job/pdp-tester -n pdp-tester --tail=200 || true + echo "" + echo "=== PDP Pod logs ===" + kubectl logs -l pdp-tester.permit.io/managed-by=pdp-tester \ + -n pdp-tester --tail=50 || true + + - name: Teardown k3d cluster + if: always() + run: k3d cluster delete pdp-tester || true docker-scout: runs-on: ubuntu-latest From ff7fbd993f336efa658636794758bf548c9ad26a Mon Sep 17 00:00:00 2001 From: eli Date: Mon, 13 Apr 2026 11:45:49 -0500 Subject: [PATCH 2/6] Fix: tag PDP image as 'latest' for k3d so pdp-tester discovers it The pdp-tester discovers PDP tags via Docker Hub. The 'next' tag only exists locally, so tag discovery fails. Fix: tag the PDP image as 'latest' before importing into k3d, which matches pdp-tester's default includeTags config. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/tests.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 258d59e2..f704e881 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
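Review bot: `uses: AbsaOSS/k3d-action@v2.4.0` pins a third-party action to a mutable tag in a job that also handles `secrets.CLONE_REPO_TOKEN` and `secrets.PDP_TESTER_API_KEY`, so a retagged release would execute on the same runner as those credentials; pin it to the full commit SHA, e.g. `uses: AbsaOSS/k3d-action@FULL_COMMIT_SHA_PLACEHOLDER # v2.4.0`. The checkout step that clones pdp-tester begins above this hunk, so confirm it sets `persist-credentials: false`; otherwise the clone token may remain in the `./pdp-tester` git configuration for every later step, including `docker build`. The "Check test results" step gates on the log text `test cases failed`, which passes the job whenever that wording is absent or changes, so a non-zero tester exit (which makes `kubectl wait --for=condition=complete` fail) is the more reliable signal and the grep should be a secondary check at most. The "Print tester logs" step runs under `if: always()` and dumps PDP pod logs; GitHub masks only the exact secret value, so it is worth confirming the PDP does not log the token in an encoded or truncated form.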
@@ -111,9 +111,12 @@ jobs: cluster-name: pdp-tester args: --k3s-arg "--disable=traefik@server:0" - # Import PDP image into k3d (instead of Docker) + # Tag and import PDP image into k3d + # Tag as 'latest' so pdp-tester's default includeTags picks it up - name: Import PDP image into k3d - run: k3d image import permitio/pdp-v2:next -c pdp-tester + run: | + docker tag permitio/pdp-v2:next permitio/pdp-v2:latest + k3d image import permitio/pdp-v2:latest -c pdp-tester # Build pdp-tester image and import into k3d - name: Build and import pdp-tester image @@ -145,7 +148,6 @@ jobs: --set image.tag=ci \ --set image.pullPolicy=Never \ --set pdp.image=permitio/pdp-v2 \ - --set 'pdp.includeTags[0]=next' \ --set tests.skipGenerate=true \ --set namespace.create=false \ --set logJson=false From a230628052dae0a73f46d89d4d277c9008ae85f2 Mon Sep 17 00:00:00 2001 From: eli Date: Mon, 13 Apr 2026 11:51:59 -0500 Subject: [PATCH 3/6] Use pdp.localTags for local PDP image (bypass Docker Hub discovery) Use LOCAL_TAGS=["next"] to tell pdp-tester to use the locally built PDP image without querying Docker Hub for tag discovery. Clear includeTags to avoid pulling anything from Docker Hub. Requires permitio/pdp-tester to have LOCAL_TAGS support in the Helm chart (permitio/pdp-tester PR pending). Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/tests.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f704e881..23a92980 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
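Review bot: Retagging the PR build as `permitio/pdp-v2:latest` risks the tests running against the published image instead of the local one, because Kubernetes defaults `imagePullPolicy` to `Always` for a `:latest` tag when the pod spec does not set a policy. `image.pullPolicy=Never` in the Helm call covers the tester image; how pdp-tester sets the policy on the PDP pods it creates is not visible here and should be confirmed. A green run would then say nothing about the PR's PDP build. Patch 3/6 in this series drops the retag again; if it ever comes back, add a step that prints the image the PDP pod actually ran and compares it with the local `next` build.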
@@ -111,12 +111,9 @@ jobs: cluster-name: pdp-tester args: --k3s-arg "--disable=traefik@server:0" - # Tag and import PDP image into k3d - # Tag as 'latest' so pdp-tester's default includeTags picks it up + # Import PDP image into k3d with 'next' tag (locally built) - name: Import PDP image into k3d - run: | - docker tag permitio/pdp-v2:next permitio/pdp-v2:latest - k3d image import permitio/pdp-v2:latest -c pdp-tester + run: k3d image import permitio/pdp-v2:next -c pdp-tester # Build pdp-tester image and import into k3d - name: Build and import pdp-tester image @@ -148,6 +145,8 @@ jobs: --set image.tag=ci \ --set image.pullPolicy=Never \ --set pdp.image=permitio/pdp-v2 \ + --set 'pdp.localTags[0]=next' \ + --set 'pdp.includeTags={}' \ --set tests.skipGenerate=true \ --set namespace.create=false \ --set logJson=false From 63591be52febfbe13743987e7f89389fb7d2cd01 Mon Sep 17 00:00:00 2001 From: eli Date: Mon, 13 Apr 2026 12:35:23 -0500 Subject: [PATCH 4/6] Temporarily set skipGenerate=false to populate new Permit environment Will revert to skipGenerate=true after first successful run. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/tests.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 23a92980..4fe2055a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -147,7 +147,8 @@ jobs: --set pdp.image=permitio/pdp-v2 \ --set 'pdp.localTags[0]=next' \ --set 'pdp.includeTags={}' \ - --set tests.skipGenerate=true \ + --set tests.skipGenerate=false \ + --set tests.startTimeout=180 \ --set namespace.create=false \ --set logJson=false From d7544c7ddb21e63f768af1d428338b7b474d76c5 Mon Sep 17 00:00:00 2001 
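Review bot: Nothing in the workflow verifies that `--set 'pdp.localTags[0]=next'` took effect: the commit message says chart support for LOCAL_TAGS is still pending in permitio/pdp-tester, and Helm normally accepts a `--set` value the chart never reads without complaint unless the chart ships a values schema. In that case the tester could fall back to Docker Hub discovery, or find no tags at all, and the job would not be testing the PR build. The ref of the pdp-tester checkout is not visible in this hunk; pinning it to a commit that contains the LOCAL_TAGS support would make the behaviour deterministic. A cheap guard, provided the PDP pods still exist after the Job completes, is a step that runs `kubectl get pods -n pdp-tester -l pdp-tester.permit.io/managed-by=pdp-tester -o jsonpath='{..image}'` and fails when `permitio/pdp-v2:next` is not in the output.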
From: eli Date: Mon, 13 Apr 2026 12:53:06 -0500 Subject: [PATCH 5/6] Revert skipGenerate back to true (environment now populated) Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 4fe2055a..630f93bc 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -147,7 +147,7 @@ jobs: --set pdp.image=permitio/pdp-v2 \ --set 'pdp.localTags[0]=next' \ --set 'pdp.includeTags={}' \ - --set tests.skipGenerate=false \ + --set tests.skipGenerate=true \ --set tests.startTimeout=180 \ --set namespace.create=false \ --set logJson=false From a0bf4a0b154a82f6f721815fe85016135790a2af Mon Sep 17 00:00:00 2001 From: eli Date: Mon, 13 Apr 2026 13:22:43 -0500 Subject: [PATCH 6/6] Fix: clear includeTags properly to avoid Docker Hub timeout --set 'pdp.includeTags={}' rendered as [""] (non-empty list), causing Docker Hub tag discovery to run and timeout. Use --set 'pdp.includeTags=' which makes the value falsy, skipping INCLUDE_TAGS env var entirely. Only LOCAL_TAGS=["next"] is used. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 630f93bc..26d56b13 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -146,7 +146,7 @@ jobs: --set image.pullPolicy=Never \ --set pdp.image=permitio/pdp-v2 \ --set 'pdp.localTags[0]=next' \ - --set 'pdp.includeTags={}' \ + --set 'pdp.includeTags=' \ --set tests.skipGenerate=true \ --set tests.startTimeout=180 \ --set namespace.create=false \
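Review bot: `--set 'pdp.includeTags='` in the last hunk depends on the chart treating an empty string as falsy, and the reason is recorded only in the commit message; a later tidy-up back to `{}` or `[]` would silently re-enable Docker Hub tag discovery. Put a YAML comment on the "Deploy pdp-tester via Helm" step (not inside the backslash-continued command, where it would break the continuation), e.g. `# pdp.includeTags is set to an empty string on purpose: '{}' rendered as [""] and triggered Docker Hub discovery`. The `helm install` command starts and ends outside this hunk.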