Migrate e2e tests from Buildkite to GitHub Actions

.github/workflows/e2e-test.yaml

@@ -0,0 +1,105 @@
+name: e2e-test
+on:
+  push:
+    branches:
+    - main
+    - release-**
+  pull_request:
+    branches:
+    - main
+    - release-**
+
+jobs:
+  e2e:
+    name: ${{ matrix.test.name }}
+    runs-on: vitess-operator-runner
+    timeout-minutes: 40
+    strategy:
+      fail-fast: false
+      matrix:
+        test:
+          - name: "Upgrade Test"
+            target: upgrade-test
+          - name: "Backup Restore Test"
+            target: backup-restore-test
+          - name: "Backup Schedule Cluster/Keyspace Scope Test"
+            target: backup-schedule-keyspace-test
+          - name: "Backup Schedule Test"
+            target: backup-schedule-test
+          - name: "Backup Schedule vtctldclient Method Test"
+            target: backup-schedule-vtctldclient-test
+          - name: "VTOrc and VTAdmin Test"
+            target: vtorc-vtadmin-test
+          - name: "Unmanaged Tablet Test"
+            target: unmanaged-tablet-test
+          - name: "HPA Test"
+            target: hpa-test
+    env:
+      # Kept short because kind sets the control-plane container hostname to
+      # "kind-<CI_JOB_ID>-control-plane", and Linux HOST_NAME_MAX is 64.
+      CI_JOB_ID: ${{ matrix.test.target }}
+    steps:
+    - name: Prepare runner for kind (Ubuntu 24.04)
+      run: |
+        # Ubuntu 24.04 ships with several kernel-level restrictions on
+        # unprivileged user namespaces that break mysqld when it runs inside
+        # a nested container (vttablet pod → kind → docker → runner VM).
+        # Buildkite's older-kernel agents don't hit these.
+        #
+        # Only sysctls here — do NOT stop apparmor.service or run
+        # aa-teardown, because Docker/BuildKit applies the docker-default
+        # AppArmor profile to build containers and will fail with
+        # "unable to apply apparmor profile" if the profile is unloaded.
+        sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+        sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 || true
+        sudo sysctl -w kernel.unprivileged_userns_clone=1 || true
+        sudo sysctl -w user.max_user_namespaces=65536 || true
+        # kind needs generous inotify limits once pod count grows.
+        sudo sysctl -w fs.inotify.max_user_watches=524288
+        sudo sysctl -w fs.inotify.max_user_instances=512
+
+    - name: Check out code
+      uses: actions/checkout@v6
+
+    - name: Set up Go
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      with:
+        go-version-file: go.mod
+
+    - name: Install test dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y mysql-client
+
+    - name: Install chromium (vtorc-vtadmin only)
+      if: matrix.test.target == 'vtorc-vtadmin-test'
+      uses: browser-actions/setup-chrome@v2
+      with:
+        chrome-version: stable
+
+    - name: Alias chrome as chromium-browser
+      if: matrix.test.target == 'vtorc-vtadmin-test'
+      run: |
+        CHROME_BIN="$(command -v chrome || command -v google-chrome)"
+        sudo ln -sf "$CHROME_BIN" /usr/local/bin/chromium-browser
+
+    - name: Build operator image
+      # Build before we tear down AppArmor. BuildKit refuses to start build
+      # containers once the docker-default AppArmor profile is unloaded.
+      # The image is tagged vitess-operator-pr:latest, which the test's
+      # setupBuildContainerImage will detect and skip rebuilding.
+      run: docker build --progress plain --file build/Dockerfile.release --tag vitess-operator-pr:latest .
+
+    - name: Disable AppArmor before kind
+      # Now tear down AppArmor so the kind container and the pods it runs
+      # (in particular mysqld inside vttablet pods) aren't subject to Ubuntu
+      # 24.04's docker-default profile, which appears to be what's killing
+      # mysqld on startup ("Failed to open required defaults file" within
+      # ~17ms of spawn even though mysqlctld just wrote the file).
+      run: |
+        sudo systemctl stop apparmor.service || true
+        sudo systemctl disable apparmor.service || true
+        sudo aa-teardown || true
+
+    - name: Run ${{ matrix.test.name }}
+      run: make ${{ matrix.test.target }}

docs/release-process.md

@@ -112,7 +112,7 @@ The `upgrade_test.sh`, `backup_restore_test.sh`, `vtorc_vtadmin_test.sh` and `un
 ##### CI Failures
 
 > **Note**
-> It is likely that the buildkite tests will fail on the release PR initially because of the unavailability of the latest vitess and vitess-operator docker images. This however doesn't block the release. The tests should be restarted after the said images are built and available.
+> It is likely that the end-to-end tests will fail on the release PR initially because of the unavailability of the latest vitess and vitess-operator docker images. This however doesn't block the release. The tests should be restarted after the said images are built and available.
 
 -------------------
 

test/endtoend/utils.sh

@@ -6,7 +6,7 @@
 # set -x
 shopt -s expand_aliases
 alias vtctldclient="vtctldclient --server=localhost:15999"
-BUILDKITE_JOB_ID="${BUILDKITE_JOB_ID:-0}"
+CI_JOB_ID="${CI_JOB_ID:-0}"
 
 # Suppress warnings when using MariaDB Client
 mysql_version="$(mysql --version 2>/dev/null)"
@@ -521,11 +521,19 @@ function assertSelect() {
 }
 
 function setupBuildContainerImage() {
+  # Skip the build if the image is already present. This lets CI build the
+  # image in a dedicated step before disabling AppArmor (BuildKit refuses to
+  # run if the docker-default AppArmor profile is unloaded).
+  if docker image inspect vitess-operator-pr:latest >/dev/null 2>&1; then
+    echo "vitess-operator-pr:latest already present, skipping build"
+    return
+  fi
+
   echo "Building the container image"
 
-  # Clean up build output in CI
+  # Use plain progress output in CI so logs are line-buffered and readable.
   local progress="auto"
-  if [[ "${BUILDKITE_JOB_ID}" != "0" ]]; then
+  if [[ -n "${CI:-}" ]]; then
     progress="plain"
   fi
 
@@ -535,25 +543,9 @@ function setupBuildContainerImage() {
 function setupKindCluster() {
   setupBuildContainerImage
   createKindCluster
-  setupKubectlAccessForCI
   createExampleNamespace
 }
 
-function setupKubectlAccessForCI() {
-  if [[ "${BUILDKITE_JOB_ID}" != "0" ]]; then
-    # The script is being run from buildkite, so we need to do stuff
-    # https://github.com/kubernetes-sigs/kind/issues/1846#issuecomment-691565834
-    # Since kind is running in a sibling container, communicating with it through kubectl is not trivial.
-    # To accomplish we need to add the current docker container in the same network as the kind container
-    # and change the kubectl configuration to use the port listed in the internal endpoint instead of the one
-    # that is exported to the localhost by kind.
-    local docker_container_name
-    docker_container_name="$(hostname -s)"
-    docker network connect kind "${docker_container_name}"
-    kind get kubeconfig --internal --name "kind-${BUILDKITE_JOB_ID}" > "${HOME}/.kube/config"
-  fi
-}
-
 # shellcheck disable=SC2120 # function has an optional argument
 function setupPortForwarding() {
   local with_vtadmin="${1:-}" # Pass `with_vtadmin` to also enable port forwarding to VTAdmin
@@ -590,14 +582,14 @@ function setupPortForwarding() {
 
 function teardownKindCluster() {
   echo "Deleting the Kind cluster. This also deletes the volume associated with it."
-  kind delete cluster --name "kind-${BUILDKITE_JOB_ID}"
+  kind delete cluster --name "kind-${CI_JOB_ID}"
 }
 
 function createKindCluster() {
   echo "Creating Kind cluster"
-  kind create cluster --wait 30s --name "kind-${BUILDKITE_JOB_ID}" --image "${KIND_VERSION}"
+  kind create cluster --wait 30s --name "kind-${CI_JOB_ID}" --image "${KIND_VERSION}"
   echo "Loading docker image into Kind cluster"
-  kind load docker-image vitess-operator-pr:latest --name "kind-${BUILDKITE_JOB_ID}"
+  kind load docker-image vitess-operator-pr:latest --name "kind-${CI_JOB_ID}"
 }
 
 function createExampleNamespace() {