testing(ui): set up cypress

Makefile

@@ -253,6 +253,31 @@ helm-deploy: pre-check helm-dependency-update create-namespaces
 helm-diff: pre-check helm-dependency-update create-namespaces
 	@./scripts/deploy/helm.sh diff $(VERSION) $(ENVIRONMENT) $(SECRET_VERSION)
 
+## Deploy to local cluster (e.g., Colima) without GCP Secret Manager
+.PHONY: deploy-local
+deploy-local: helm-dependency-update create-namespaces
+	@TEST_MODE=true ./scripts/deploy/helm.sh deploy-local $(shell make tag) local
+
+## Run UI E2E tests against local deployment
+.PHONY: test-e2e
+test-e2e: image deploy-local
+	@echo "Waiting for infra-server to be ready..." >&2
+	@kubectl wait --for=condition=ready pod -l app=infra-server -n infra --timeout=3m >&2 || \
+		(echo "ERROR: infra-server pods did not become ready" >&2 && exit 1)
+	@echo "" >&2
+	@echo "Starting port-forward and running E2E tests..." >&2
+	@kubectl port-forward -n infra svc/infra-server-service 8443:8443 >/dev/null 2>&1 & \
+	PF_PID=$$!; \
+	cleanup() { \
+		echo "" >&2; \
+		echo "Cleaning up port-forward (PID: $$PF_PID)..." >&2; \
+		kill $$PF_PID 2>/dev/null || true; \
+	}; \
+	trap cleanup EXIT; \
+	sleep 3; \
+	echo "Running Cypress E2E tests..." >&2; \
+	cd ui && INFRA_API_ENDPOINT=http://localhost:8443 npm run test:e2e
+
 ## Bounce pods
 .PHONY: bounce-infra-pods
 bounce-infra-pods:

chart/infra-server/configuration/local-values-from-files.yaml

@@ -0,0 +1,76 @@
+# Override OIDC configuration with minimal dummy values for local development
+# The flavor endpoints are marked as Anonymous in the code, so this won't actually be used
+# Base64 encoding of a minimal valid OIDC config (using Google as a dummy issuer that won't be called)
+# issuer: "https://accounts.google.com"
+# clientID: "dummy"
+# clientSecret: "dummy"
+# sessionSecret: "dummy-session-secret-for-local-dev"
+# endpoint: "localhost:8443"
+# tokenLifetime: "1h"
+oidc_yaml: aXNzdWVyOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIgpjbGllbnRJRDogImR1bW15IgpjbGllbnRTZWNyZXQ6ICJkdW1teSIKc2Vzc2lvblNlY3JldDogImR1bW15LXNlc3Npb24tc2VjcmV0LWZvci1sb2NhbC1kZXYiCmVuZHBvaW50OiAibG9jYWxob3N0Ojg0NDMiCnRva2VuTGlmZXRpbWU6ICIxaCIK
+
+# Core secrets - base64 encoded empty JSON object {}
+google_credentials_json: e30K
+bigquery_sa_json: e30K
+
+# TLS certificates - dummy values for local development
+tls__cert_pem: |-
+  -----BEGIN CERTIFICATE-----
+  DUMMY
+  -----END CERTIFICATE-----
+tls__key_pem: |-
+  -----BEGIN PRIVATE KEY-----
+  DUMMY
+  -----END PRIVATE KEY-----
+
+infra_yaml: e30K
+
+# Cloud provider provisioner credentials
+gke__gke_provisioner_json: e30K
+openshift__google_credentials_json: e30K
+openshift_4__gcp_service_account_key_json: e30K
+openshift_4__google_credentials_json: e30K
+openshift_4__redhat_pull_secret_json: e30K
+
+# Demo environment credentials
+demo__gke_demo_provisioner_json: e30K
+demo__gke_demo_scanner_json: e30K
+demo__demo_provisioner_json: e30K
+demo__demo_cert_bot_json: e30K
+
+# OSD cluster manager credentials
+osdClusterManager:
+  awsAccessKeyId: ZHVtbXk=
+  awsSecretAccessKey: ZHVtbXk=
+  redHatPullSecretBase64: ZHVtbXk=
+  openshiftClusterManagerApiToken: ZHVtbXk=
+  gcpSaCredsJsonBase64: ZHVtbXk=
+  gcpServiceAccountKeyBase64: ZHVtbXk=
+
+# AWS credentials
+aws:
+  accessKeyId: ZHVtbXk=
+  secretAccessKey: ZHVtbXk=
+
+# Azure credentials
+azure:
+  sp_username: ZHVtbXk=
+  sp_password: ZHVtbXk=
+  sp_tenant: ZHVtbXk=
+  aks_attached_acr: ZHVtbXk=
+
+# IBM Cloud credentials
+ibmCloudSecrets:
+  ibmRoksApiKey: ZHVtbXk=
+
+# ARO cluster manager credentials
+aroClusterManager:
+  azureSubscriptionId: ZHVtbXk=
+  azureSPClientId: ZHVtbXk=
+  azureSPTenantId: ZHVtbXk=
+  azureSPSecretVal: ZHVtbXk=
+  redHatPullSecretBase64: ZHVtbXk=
+
+# Monitoring/alerting webhooks
+alertmanagerSlackWebhook: ZHVtbXk=
+slackWebhook: ZHVtbXk=

chart/infra-server/configuration/local-values.yaml

@@ -0,0 +1,30 @@
+environment: local
+
+# Disable Auth0 for local development - allow anonymous access
+auth0:
+  clientID: ""
+  tenant: ""
+
+# Set test mode to true for local development
+testMode: true
+
+# Use local Docker images instead of pulling from registry
+imagePullPolicy: Never
+
+# Pull secrets for container registries - dummy values for local development
+pullSecrets:
+  docker:
+    registry: "docker.io"
+    username: "dummy"
+    password: "dummy"
+  quay:
+    registry: "quay.io"
+    username: "dummy"
+    password: "dummy"
+  stackrox:
+    registry: "stackrox.io"
+    username: "dummy"
+    password: "dummy"
+
+# Alertmanager configuration
+alertmanagerSlackTeam: "dummy-team"

chart/infra-server/templates/_helpers.tpl

@@ -1,3 +1,9 @@
+{{/*
+Validate that TEST_MODE is not enabled in production
+*/}}
+{{- if and .Values.testMode (eq .Values.environment "production") }}
+  {{- fail "ERROR: TEST_MODE cannot be enabled in production environment. This would disable authentication and security features." }}
+{{- end }}
 
 {{- define "docker-io-pull-secret" }}
   {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.pullSecrets.docker.registry (printf "%s:%s" .Values.pullSecrets.docker.username .Values.pullSecrets.docker.password | b64enc) | b64enc }}

chart/infra-server/templates/certificate.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.testMode false -}}
+{{- if ne .Values.environment "local" -}}
 ---
 
 apiVersion: networking.gke.io/v1

chart/infra-server/templates/deployment.yaml

@@ -1,3 +1,6 @@
+{{- if and .Values.testMode (eq .Values.environment "production") }}
+{{- fail "ERROR: TEST_MODE cannot be enabled in production environment. This would disable authentication and security features." }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 
@@ -35,7 +38,7 @@ spec:
             httpGet:
               path: /
               port: 8443
-              scheme: HTTPS
+              scheme: {{ if .Values.testMode }}HTTP{{ else }}HTTPS{{ end }}
             initialDelaySeconds: 5
             periodSeconds: 5
           command:
@@ -47,7 +50,7 @@ spec:
               containerPort: 8443
             - name: metrics
               containerPort: 9101
-          imagePullPolicy: Always
+          imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
           volumeMounts:
             - mountPath: /configuration
               name: configuration

chart/infra-server/templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if eq .Values.testMode false -}}
+{{- if ne .Values.environment "local" -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 

chart/infra-server/templates/secrets.yaml

@@ -17,13 +17,11 @@ data:
     {{ required ".Values.bigquery_sa_json is undefined" .Values.bigquery_sa_json }}
 
   oidc.yaml: |-
-    {{- tpl (required ".Values.oidc_yaml | b64dec) . | b64enc | nindent 4 is undefined" .Values.oidc_yaml | b64dec) . | b64enc | nindent 4 }}
+    {{- tpl (.Values.oidc_yaml | b64dec) . | b64enc | nindent 4 }}
 
-  cert.pem: |-
-    {{ required ".Values.tls__cert_pem is undefined" .Values.tls__cert_pem | nindent 4 }}
+  cert.pem: {{ required ".Values.tls__cert_pem is undefined" .Values.tls__cert_pem | b64enc }}
 
-  key.pem: |-
-    {{ required ".Values.tls__key_pem is undefined" .Values.tls__key_pem | nindent 4 }}
+  key.pem: {{ required ".Values.tls__key_pem is undefined" .Values.tls__key_pem | b64enc }}
 
   infra.yaml: |-
     {{ required ".Values.infra_yaml is undefined" .Values.infra_yaml }}

cmd/infra-server/main.go

@@ -67,19 +67,32 @@ func mainCmd() error {
 		return errors.Wrapf(err, "failed to load oidc config file %q", oidcConfigFile)
 	}
 
-	signer, err := signer.NewFromEnv()
-	if err != nil {
-		return errors.Wrapf(err, "failed to load GCS signing credentials")
-	}
-
-	slackClient, err := slack.New(cfg.Slack)
-	if err != nil {
-		return errors.Wrapf(err, "failed to create Slack client")
-	}
-
-	bqClient, err := bqutil.NewClient(cfg.BigQuery)
-	if err != nil {
-		return errors.Wrapf(err, "failed to create bqClient")
+	var signerClient *signer.Signer
+	var slackClient slack.Slacker
+	var bqClient bqutil.BigQueryClient
+
+	if cfg.TestMode {
+		// In test mode, skip loading external service credentials
+		log.Log(logging.INFO, "TEST_MODE: Skipping GCS, Slack, and BigQuery initialization")
+		signerClient = nil
+		slackClient = nil
+		bqClient = nil
+	} else {
+		var err error
+		signerClient, err = signer.NewFromEnv()
+		if err != nil {
+			return errors.Wrapf(err, "failed to load GCS signing credentials")
+		}
+
+		slackClient, err = slack.New(cfg.Slack)
+		if err != nil {
+			return errors.Wrapf(err, "failed to create Slack client")
+		}
+
+		bqClient, err = bqutil.NewClient(cfg.BigQuery)
+		if err != nil {
+			return errors.Wrapf(err, "failed to create bqClient")
+		}
 	}
 
 	// Construct each individual service.
@@ -96,7 +109,7 @@ func mainCmd() error {
 		service.NewStatusService,
 		service.NewVersionService,
 		func() (middleware.APIService, error) {
-			return cluster.NewClusterService(registry, signer, slackClient, bqClient)
+			return cluster.NewClusterService(registry, signerClient, slackClient, bqClient)
 		},
 	)
 	if err != nil {

pkg/config/config.go

@@ -2,6 +2,7 @@
 package config
 
 import (
+	"log"
 	"os"
 
 	"github.com/ghodss/yaml"
@@ -22,6 +23,9 @@ type Config struct {
 
 	// Slack notification configuration.
 	Slack *SlackConfig `json:"slack"`
+
+	// TestMode disables authentication when set to true.
+	TestMode bool `json:"testMode"`
 }
 
 // BigQueryConfig represents the configuration for integrating with Google BigQuery
@@ -169,5 +173,22 @@ func Load(filename string) (*Config, error) {
 		return nil, err
 	}
 
+	// Override with TEST_MODE environment variable if set
+	if os.Getenv("TEST_MODE") == "true" {
+		cfg.TestMode = true
+		log.Printf("TEST_MODE enabled - authentication will be bypassed")
+
+		// Set default values for test mode if not configured
+		if cfg.Server.Port == 0 {
+			cfg.Server.Port = 8443
+		}
+		if cfg.Server.MetricsPort == 0 {
+			cfg.Server.MetricsPort = 9101
+		}
+		if cfg.Server.StaticDir == "" {
+			cfg.Server.StaticDir = "/etc/infra/static"
+		}
+	}
+
 	return &cfg, nil
 }