jetstack · mladen-rusev-cyberark · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -64,6 +64,12 @@ jobs:
 
       - run: make -j test-unit test-helm
 
+      - name: Upload test artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: unit-artifacts
+          path: _bin/artifacts
+
   test-e2e:
     if: contains(github.event.pull_request.labels.*.name, 'test-e2e')
     runs-on: ubuntu-latest
@@ -136,3 +142,16 @@ jobs:
             --project=machineidentitysecurity-jsci-e \
             --zone=europe-west1-b \
             --quiet
+
+#          TODO: REMOVE THIS DEBUGGING!
+      - name: Setup upterm session
+        if: always()
+        uses: owenthereal/action-upterm@v1
+        with:
+          limit-access-to-actor: true
+
+      - name: Upload test artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: e2e-artifacts
+          path: _bin/artifacts
diff --git a/coverage_server.go b/coverage_server.go
@@ -0,0 +1,70 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"net/http"
+	"runtime/coverage"
+)
+
+func startCoverageServer() {
+	adminMux := http.NewServeMux()
+
+	adminMux.HandleFunc("/_debug/coverage/download", func(w http.ResponseWriter, r *http.Request) {
+		var buffer bytes.Buffer
+
+		// Attempt to write the coverage counters to the buffer.
+		if err := coverage.WriteCounters(&buffer); err != nil {
+			log.Printf("Error writing coverage counters to buffer: %v", err)
+			// Inform the client that an internal error occurred.
+			http.Error(w, "Failed to generate coverage report", http.StatusInternalServerError)
+			return
+		}
+
+		// Check if any data was written to the buffer.
+		if buffer.Len() == 0 {
+			log.Println("Coverage data is empty. No counters were written.")
+		} else {
+			log.Printf("Successfully wrote %d bytes of coverage data to the buffer.", buffer.Len())
+		}
+
+		// If successful, proceed to write the buffer's content to the actual HTTP response.
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("Content-Disposition", `attachment; filename="coverage.out"`)
+
+		// Write the captured coverage data from the buffer to the response writer.
+		if _, err := w.Write(buffer.Bytes()); err != nil {
+			log.Printf("Error writing coverage data from buffer to response: %v", err)
+		}
+	})
+
+	adminMux.HandleFunc("/_debug/coverage/meta/download", func(w http.ResponseWriter, r *http.Request) {
+		log.Println("Received request to download coverage metadata...")
+
+		var buffer bytes.Buffer
+		if err := coverage.WriteMeta(&buffer); err != nil {
+			log.Printf("Error writing coverage meta to buffer: %v", err)
+			// Inform the client that an internal error occurred.
+			http.Error(w, "Failed to generate coverage meta", http.StatusInternalServerError)
+			return
+		}
+		// Check if any data was written to the buffer.
+		if buffer.Len() == 0 {
+			log.Println("Coverage meta is empty.")
+		} else {
+			log.Printf("Successfully wrote %d bytes of coverage meta to the buffer.", buffer.Len())
+		}
+
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("Content-Disposition", `attachment; filename="coverage.meta"`)
+		if _, err := w.Write(buffer.Bytes()); err != nil {
+			log.Printf("Error writing coverage meta from buffer to response: %v", err)
+		}
+	})
+
+	go func() {
+		if err := http.ListenAndServe("localhost:8089", adminMux); err != nil {
+			log.Printf("Admin server failed: %v", err)
+		}
+	}()
+}
diff --git a/hack/e2e/test.sh b/hack/e2e/test.sh
@@ -83,6 +83,19 @@ if ! gcloud container clusters get-credentials "${CLUSTER_NAME}"; then
 fi
 kubectl create ns venafi || true
 
+kubectl apply -n venafi -f - <<EOF
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: coverage-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+EOF
+
 # Pull secret for Venafi OCI registry
 # IMPORTANT: we pick the first team as the owning team for the registry and
 # workload identity service account as it doesn't matter.
@@ -127,6 +140,8 @@ venctl components kubernetes apply \
   --venafi-kubernetes-agent-custom-chart-repository "oci://${OCI_BASE}/charts"
 
 kubectl apply -n venafi -f venafi-components.yaml
+kubectl set env deployments/venafi-kubernetes-agent -n venafi GOCOVERDIR=/coverage
+kubectl rollout status deployment/venafi-kubernetes-agent -n venafi --timeout=2m
 
 subject="system:serviceaccount:venafi:venafi-components"
 audience="https://${VEN_API_HOST}"
@@ -233,3 +248,57 @@ getCertificate() {
 
 # Wait 5 minutes for the certificate to appear.
 for ((i=0;;i++)); do if getCertificate; then exit 0; fi; sleep 30; done | timeout -v -- 5m cat
+
+export AGENT_POD_NAME=$(kubectl get pods -n venafi -l app.kubernetes.io/name=venafi-kubernetes-agent -o jsonpath="{.items[0].metadata.name}")
+
+echo "Sending SIGQUIT to agent pod '${AGENT_POD_NAME}' to trigger graceful shutdown and flush coverage..."
+# Use kubectl debug to attach a busybox container to the running pod.
+# --target specifies the container to share the process space with.
+# --share-processes allows our new container to see and signal the agent process.
+# We then run 'kill -s QUIT 1' to signal PID 1 (the agent) to quit gracefully.
+kubectl debug -q -n venafi "${AGENT_POD_NAME}" \
+    --image=busybox:1.36 \
+    --target=venafi-kubernetes-agent \
+    --share-processes \
+    -- sh -c 'kill -s QUIT 1'
+
+echo "Waiting for agent pod '${AGENT_POD_NAME}' to terminate gracefully..."
+# The pod will now terminate because its main process is exiting.
+# We wait for Kubernetes to recognize this and delete the pod object.
+kubectl wait --for=delete pod/${AGENT_POD_NAME} -n venafi --timeout=90s
+
+echo "Scaling down deployment to prevent pod from restarting..."
+# Now that the pod is gone and coverage is flushed, we scale the deployment
+# to ensure the ReplicaSet controller doesn't create a new one.
+kubectl scale deployment venafi-kubernetes-agent -n venafi --replicas=0
+echo "Waiting for agent pod '${AGENT_POD_NAME}' to terminate as a result of the scale-down..."
+kubectl wait --for=delete pod/${AGENT_POD_NAME} -n venafi --timeout=90s
+echo "Starting helper pod to retrieve coverage files from the PVC..."
+
+kubectl apply -n venafi -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: coverage-helper-pod
+spec:
+  containers:
+  - name: helper
+    image: alpine:latest
+    command: ["sleep", "infinity"]
+    volumeMounts:
+    - name: coverage-storage
+      mountPath: /coverage-data
+  volumes:
+  - name: coverage-storage
+    persistentVolumeClaim:
+      claimName: coverage-pvc
+EOF
+
+echo "Waiting for the helper pod to be ready..."
+kubectl wait --for=condition=Ready pod/coverage-helper-pod -n venafi --timeout=2m
+
+echo "Copying coverage files from the helper pod..."
+mkdir -p $COVERAGE_HOST_PATH
+kubectl cp -n venafi "coverage-helper-pod:/coverage-data/." $COVERAGE_HOST_PATH
+echo "Coverage files retrieved. Listing contents:"
+ls -la $COVERAGE_HOST_PATH