From a47efe31b0901c98134e8103e32f6c515d34cb75 Mon Sep 17 00:00:00 2001
From: Xe Iaso <me@xeiaso.net>
Date: Sat, 16 May 2026 02:38:30 -0400
Subject: [PATCH] test: add tekton specific test scripts that point to the k3k
 cluster

Signed-off-by: Xe Iaso <me@xeiaso.net>
---
 .tekton/anubis-pipelinerun.yaml     |  2 +-
 .tekton/anubis-test.yaml            | 88 ++++++++++++++++++++++++++---
 .tekton/kustomization.yaml          |  1 +
 .tekton/rbac.yaml                   | 32 +++++++++++
 test/default-config-macro/tekton.sh |  7 +++
 test/ssh-ci/Dockerfile              |  2 +-
 6 files changed, 121 insertions(+), 11 deletions(-)
 create mode 100644 .tekton/rbac.yaml
 create mode 100755 test/default-config-macro/tekton.sh

diff --git a/.tekton/anubis-pipelinerun.yaml b/.tekton/anubis-pipelinerun.yaml
index 9ff53b4b..b3964534 100644
--- a/.tekton/anubis-pipelinerun.yaml
+++ b/.tekton/anubis-pipelinerun.yaml
@@ -13,7 +13,7 @@ spec:
   pipelineRef:
     name: anubis-build-test
   taskRunTemplate:
-    serviceAccountName: xe-site-ci
+    serviceAccountName: anubis-k3k
   timeouts:
     pipeline: 1h0m0s
   workspaces:
diff --git a/.tekton/anubis-test.yaml b/.tekton/anubis-test.yaml
index 0138c563..e8638a85 100644
--- a/.tekton/anubis-test.yaml
+++ b/.tekton/anubis-test.yaml
@@ -25,7 +25,7 @@ spec:
     - name: docker-image-base
       type: string
       description: string prefix for production docker images
-      default: "registry.int.xeserv.us/techarohq/anubis"
+      default: "registry.int.xeserv.us/techarohq"
     - name: docker-cache
       type: string
       description: docker repo to store cache files
@@ -103,9 +103,13 @@ spec:
             script: |
               CLUSTER_NAME=`kubectl create -f test/k3k/test-cluster.yaml -ojson | jq -r '.metadata.name'`
               echo -n "${CLUSTER_NAME}" | tee "$(results.cluster-name.path)"
-              kubectl wait --for=condition-Ready clusters.k3k.io/"${CLUSTER_NAME}" -n ci --timout 5m
-              kubectl wait --for=create "secret/k3k-${CLUSTER_NAME}-kubeconfig" -n ci --timeout 5m
-    - name: go-test
+              echo
+              kubectl label -n $(context.pipelineRun.namespace) clusters.k3k.io/"${CLUSTER_NAME}" tekton.dev/memberOf=tasks tekton.dev/pipeline="$(context.pipeline.name)" tekton.dev/pipelineRun=$(context.pipelineRun.name) tekton.dev/pipelineRunUID=$(context.pipelineRun.uid)
+              kubectl wait --for=condition=Ready clusters.k3k.io/"${CLUSTER_NAME}" -n $(context.pipelineRun.namespace) --timeout 5m
+              kubectl wait --for=create "secret/k3k-${CLUSTER_NAME}-kubeconfig" -n $(context.pipelineRun.namespace) --timeout 5m
+              mkdir -p $(workspaces.repo.path)/kube
+              kubectl get -ojson -n $(context.pipelineRun.namespace) "secret/k3k-${CLUSTER_NAME}-kubeconfig" | jq '.data["kubeconfig.yaml"]' -r | base64 -d > $(workspaces.repo.path)/kube/config
+    - name: build-assets
       runAfter: ["docker-build-ci"]
       taskSpec:
         workspaces:
@@ -117,12 +121,78 @@ spec:
             workingDir: $(workspaces.repo.path)/repo
             script: |
               npm ci
-              npm run test
+              npm run assets
       workspaces:
         - name: repo
           workspace: repo
+    - name: go-test
+      runAfter: ["build-assets"]
+      taskSpec:
+        workspaces:
+          - name: repo
+            mountPath: /src
+        steps:
+          - name: test
+            image: $(tasks.docker-build-ci.results.IMAGE_URL)@$(tasks.docker-build-ci.results.IMAGE_DIGEST)
+            workingDir: $(workspaces.repo.path)/repo
+            script: |
+              SKIP_INTEGRATION=1 go test ./...
+      workspaces:
+        - name: repo
+          workspace: repo
+    - name: test-anubis
+      runAfter: ["build-assets"]
+      taskRef:
+        name: ko
+      workspaces:
+        - name: source
+          workspace: repo
       params:
-        - name: url
-          value: $(params.repo-url)
-        - name: revision
-          value: $(params.commit)
+        - name: VERSION
+          value: $(tasks.clone-repo.results.version)
+        - name: SOURCE_DATE_EPOCH
+          value: $(tasks.clone-repo.results.source-date-epoch)
+        - name: KO_DOCKER_REPO
+          value: $(params.docker-image-base)
+        - name: extra-args
+          value:
+            [
+              "--platform=all",
+              "--base-import-paths",
+              "--tags=$(tasks.clone-repo.results.version)",
+              "--image-label=org.tangled.actor=$(params.actor)",
+            ]
+        - name: packages
+          value:
+            - ./cmd/anubis
+    - name: integration
+      runAfter: ["provision-test-cluster", "go-test"]
+      matrix:
+        params:
+          - name: test-case
+            value:
+              - default-config-macro
+      taskSpec:
+        workspaces:
+          - name: repo
+            mountPath: /src
+        env:
+          - name: KUBECONFIG
+            value: "$(workspaces.repo.path)/kube/config"
+        steps:
+          - name: default-config-macro
+            image: $(tasks.docker-build-ci.results.IMAGE_URL)@$(tasks.docker-build-ci.results.IMAGE_DIGEST)
+            workingDir: $(workspaces.repo.path)/repo/test/$(params.test-case)
+            script: ./tekton.sh
+    - name: teardown-cluster
+      runAfter: ["provision-test-cluster", "go-test", "integration"]
+      taskSpec:
+        workspaces:
+          - name: repo
+            mountPath: /src
+        steps:
+          - name: delete
+            image: $(tasks.docker-build-ci.results.IMAGE_URL)@$(tasks.docker-build-ci.results.IMAGE_DIGEST)
+            workingDir: $(workspaces.repo.path)/repo
+            script: |
+              kubectl delete -n $(context.pipelineRun.namespace) clusters.k3k.io/"$(tasks.provision-test-cluster.results.cluster-name)"
diff --git a/.tekton/kustomization.yaml b/.tekton/kustomization.yaml
index 68c2a21d..c576cc38 100644
--- a/.tekton/kustomization.yaml
+++ b/.tekton/kustomization.yaml
@@ -1,3 +1,4 @@
 namespace: ci
 resources:
   - anubis-test.yaml
+  - rbac.yaml
diff --git a/.tekton/rbac.yaml b/.tekton/rbac.yaml
new file mode 100644
index 00000000..0f89505a
--- /dev/null
+++ b/.tekton/rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: anubis-k3k
+  namespace: ci
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: anubis-k3k
+  namespace: ci
+rules:
+  - apiGroups: ["k3k.io"]
+    resources: ["clusters"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: anubis-k3k
+  namespace: ci
+subjects:
+  - kind: ServiceAccount
+    name: anubis-k3k
+    namespace: ci
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: anubis-k3k
diff --git a/test/default-config-macro/tekton.sh b/test/default-config-macro/tekton.sh
new file mode 100755
index 00000000..31eb4f34
--- /dev/null
+++ b/test/default-config-macro/tekton.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+exec ./test.sh
diff --git a/test/ssh-ci/Dockerfile b/test/ssh-ci/Dockerfile
index d69ba485..000dc292 100644
--- a/test/ssh-ci/Dockerfile
+++ b/test/ssh-ci/Dockerfile
@@ -11,5 +11,5 @@ RUN CGO_ENABLED=0 go install golang.org/dl/go1.23.6@latest \
 FROM alpine:${ALPINE_VERSION}
 COPY --from=go /app/bin/go /usr/local/bin/go
 
-RUN apk add -U nodejs git build-base git npm bash zstd brotli gzip jq kubectl \
+RUN apk add -U nodejs git build-base git npm bash zstd brotli gzip jq kubectl python3 py3-pip py3-virtualenv \
   && go download
\ No newline at end of file