[test] Fix workspace integration tests (#17222)

* [tests] unique ContextURL for commit only

* [tests] include std output in the error message for commit

Sometimes commit fails with status 1 w/o error output...so it's helpful to look at StdOut

* [tests] Fix TestGitActions by using the test case context

Prior to this, createWorkspace was working, but getWorkspace could not find the created workspace.

* [test] bypass exit code 1 on `git commit` with `--allow-empty`

* [test] Fix gcloud auth, do setup before auth

* Show all output

Might remove later...

* [test] avoid using deleted user, identity, and token

* [test] add organizationId to CreateWorkspaceOptions

It's expected on the Typescript side:
https://github.com/gitpod-io/gitpod/blob/90b7d658589fd6e9fb239ff239591b9f1218fc83/components/server/src/workspace/gitpod-server-impl.ts#L1227-L1235

* [test] orgId is required on createWorkspace

But sometimes there's no team 🤷

* [test] fix git context tests

We use UBP now, there is no more unleashed.

Also, remove the "ff" feature flag code (which was for PVC). It was mutating the username, resulting in Code 460 errors on createWorkspace

* [test] Use example test as the example

* [test] fix context tests when run as gitpod-integration-test user

* [test] clean-up

* [test] wait for workspaces to stop

Tests intermittently fail with  to avoid intermittent failures

* [test] add code owners

This way, we can assert tests are passing for all teams prior to merging

* [test] limit # of tests that can run in parallel

* [test] no parallel tests

Test to see if flakeyness goes away...
...and bump the timeout because we reduced parallel runs

* [preview] update the VM image to have parity with production

This:
1. updates from K3s 1.23 to 1.26
2. requires that we remove PodSecurityPolicy changes (as it's no longer supported)
3. resolves intermittent disk pressure issues

* [preview] no PSP in support of VM image update

* We were getting PSP from rook/ceph, which I think was for PVC
* We were getting PSP from the monitoring-satellite

* [test] don't wait for workspace stop with git_test.go, we're testing git actions.

Why? We miss state transitions, it's not guaranteed each one will be returned, and there are other tests waiting.

For example, in the below log, we miss INITIALIZING, RUNNING, and STOPPING.

 workspace.go:369: attempt to create the workspace as user 0565bb3c-e724-4da9-84fb-22e2a7b23b8c, with context github.com/gitpod-io/gitpod-test-repo/tree/integration-test/commit
    workspace.go:411: attempt to get the workspace information: gitpodio-gitpodtestrepo-nscsowy1njb
    workspace.go:423: not preparing
    workspace.go:432: got the workspace information: gitpodio-gitpodtestrepo-nscsowy1njb
    workspace.go:460: wait for workspace to be fully up and running
    workspace.go:569: prepare for a connection with ws-manager
    workspace.go:590: established for a connection with ws-manager
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:631: status: 462f1325-3019-4547-8666-508e8353335e, PENDING
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:631: status: 462f1325-3019-4547-8666-508e8353335e, PENDING
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:631: status: 462f1325-3019-4547-8666-508e8353335e, CREATING
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:631: status: 462f1325-3019-4547-8666-508e8353335e, CREATING
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:631: status: 462f1325-3019-4547-8666-508e8353335e, CREATING
    workspace.go:598: check if the status of workspace is in the running phase: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:504: waiting for stopping the workspace: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:514: attemp to delete the workspace: 462f1325-3019-4547-8666-508e8353335e
    workspace.go:797: confirmed the worksapce is stopped: 462f1325-3019-4547-8666-508e8353335e, STOPPED
    workspace.go:538: successfully terminated workspace
    git_test.go:172: failed to wait for the workspace to start up: cannot wait for workspace: context deadline exceeded

* [preview] retry installing trust-manager

And use trust-manager from the packer image

* [test] clarify USER_TOKEN value for preview environments

* Cleanup

* [preview] remove commented out yaml related to PodSecurityPolicy

Author: kylos101

.github/CODEOWNERS

@@ -128,3 +128,18 @@
 /CHANGELOG.md
 /components/ide/jetbrains/backend-plugin/gradle-latest.properties
 /components/ide/jetbrains/gateway-plugin/gradle-latest.properties
+
+#
+# Add so that teams assert we're not breaking each other's integration tests
+/test/pkg/agent @gitpod-io/engineering-workspace
+/test/pkg/integration @gitpod-io/engineering-ide @gitpod-io/engineering-workspace
+/test/pkg/report @gitpod-io/engineering-workspace
+/test/tests/workspace @gitpod-io/engineering-workspace
+/test/tests/smoke-test @gitpod-io/engineering-ide @gitpod-io/engineering-workspace
+/test/tests/ide @gitpod-io/engineering-ide
+/test/tests/components/content-service @gitpod-io/engineering-workspace
+/test/tests/components/database @gitpod-io/engineering-webapp
+/test/tests/components/image-builder @gitpod-io/engineering-workspace
+/test/tests/components/server @gitpod-io/engineering-webapp
+/test/tests/components/ws-daemon @gitpod-io/engineering-workspace
+/test/tests/components/ws-manager @gitpod-io/engineering-workspace

.github/workflows/workspace-integration-tests.yml

@@ -38,21 +38,14 @@ jobs:
         steps:
             # sometimes auth fails with:
             # google-github-actions/setup-gcloud failed with: EACCES: permission denied, mkdir '/__t/gcloud'
+            - name: Set up Cloud SDK
+              uses: google-github-actions/setup-gcloud@v1
             - id: auth
               uses: google-github-actions/auth@v1
               continue-on-error: true
               with:
                   token_format: access_token
                   credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
-            # so we retry on failure
-            - id: auth-retry
-              uses: google-github-actions/auth@v1
-              if: steps.auth.outcome == 'failure'
-              with:
-                  token_format: access_token
-                  credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
-            - name: Set up Cloud SDK
-              uses: google-github-actions/setup-gcloud@v1
             # do this step as early as possible, so that Slack Notify failure has the secret
             - name: Get Secrets from GCP
               id: "secrets"
@@ -193,7 +186,7 @@ jobs:
                   args+=( "-kubeconfig=/home/gitpod/.kube/config" )
                   args+=( "-namespace=default" )
                   [[ "$USERNAME" != "" ]] && args+=( "-username=$USERNAME" )
-                  args+=( "-timeout=60m" )
+                  args+=( "-timeout=90m" )
 
                   BASE_TESTS_DIR="$GITHUB_WORKSPACE/test/tests"
                   CONTENT_SERVICE_TESTS="$BASE_TESTS_DIR/components/content-service"
@@ -225,7 +218,8 @@ jobs:
                       fi
 
                       set +e
-                      go test -p 2 -v ./... "${args[@]}" -run '.*[^.SerialOnly]$' 2>&1 | go-junit-report -subtest-mode=exclude-parents -set-exit-code -out "TEST-${TEST_NAME}-PARALLEL.xml" -iocopy
+                      # running tests in parallel saves time, but is flakey.
+                      go test -p 1 --parallel 1 -v ./... "${args[@]}" -run '.*[^.SerialOnly]$' 2>&1 | go-junit-report -subtest-mode=exclude-parents -set-exit-code -out "TEST-${TEST_NAME}-PARALLEL.xml" -iocopy
                       RC=${PIPESTATUS[0]}
                       set -e
 
@@ -240,6 +234,7 @@ jobs:
               uses: test-summary/action@v2
               with:
                   paths: "test/tests/**/TEST-*.xml"
+                  show: "all"
               if: always()
             - name: Slack Notification
               uses: rtCamp/action-slack-notify@v2

.werft/vm/manifests/rook-ceph/common.yaml

@@ -80,24 +80,6 @@ rules:
     resources: ["volumesnapshots/status"]
     verbs: ["update", "patch"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: 'psp:rook'
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-rules:
-  - apiGroups:
-      - policy
-    resources:
-      - podsecuritypolicies
-    resourceNames:
-      - 00-rook-privileged
-    verbs:
-      - use
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -701,156 +683,6 @@ subjects:
     name: rook-ceph-system
     namespace: rook-ceph # namespace:operator
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-ceph-system-psp
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-system
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-cephfs-plugin-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-cephfs-provisioner-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-rbd-plugin-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-rbd-plugin-sa
-    namespace: rook-ceph # namespace:operator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: 'psp:rook'
-subjects:
-  - kind: ServiceAccount
-    name: rook-csi-rbd-provisioner-sa
-    namespace: rook-ceph # namespace:operator
----
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: 00-rook-privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
-  privileged: true
-  allowedCapabilities:
-    # required by CSI
-    - SYS_ADMIN
-    - MKNOD
-  fsGroup:
-    rule: RunAsAny
-  # runAsUser, supplementalGroups - Rook needs to run some pods as root
-  # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  # seLinux - seLinux context is unknown ahead of time; set if this is well-known
-  seLinux:
-    rule: RunAsAny
-  volumes:
-    # recommended minimum set
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - persistentVolumeClaim
-    - secret
-    - projected
-    # required for Rook
-    - hostPath
-  # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
-  # allowedHostPaths:
-  #   - pathPrefix: "/run/udev"  # for OSD prep
-  #     readOnly: false
-  #   - pathPrefix: "/dev"  # for OSD prep
-  #     readOnly: false
-  #   - pathPrefix: "/var/lib/rook"  # or whatever the dataDirHostPath value is set to
-  #     readOnly: false
-  # Ceph requires host IPC for setting up encrypted devices
-  hostIPC: true
-  # Ceph OSDs need to share the same PID namespace
-  hostPID: true
-  # hostNetwork can be set to 'false' if host networking isn't used
-  hostNetwork: true
-  hostPorts:
-    # Ceph messenger protocol v1
-    - min: 6789
-      max: 6790 # <- support old default port
-    # Ceph messenger protocol v2
-    - min: 3300
-      max: 3300
-    # Ceph RADOS ports for OSDs, MDSes
-    - min: 6800
-      max: 7300
-    # # Ceph dashboard port HTTP (not recommended)
-    # - min: 7000
-    #   max: 7000
-    # Ceph dashboard port HTTPS
-    - min: 8443
-      max: 8443
-    # Ceph mgr Prometheus Metrics
-    - min: 9283
-      max: 9283
-    # port for CSIAddons
-    - min: 9070
-      max: 9070
----
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -1147,38 +979,6 @@ subjects:
     name: rook-ceph-cmd-reporter
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-cmd-reporter-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-cmd-reporter
-    namespace: rook-ceph # namespace:cluster
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-default-psp
-  namespace: rook-ceph # namespace:cluster
-  labels:
-    operator: rook
-    storage-backend: ceph
-    app.kubernetes.io/part-of: rook-ceph-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: default
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1194,20 +994,6 @@ subjects:
     name: rook-ceph-mgr
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-mgr-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-mgr
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the ceph mgr to access resources in the Rook operator namespace necessary for mgr modules
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1238,20 +1024,6 @@ subjects:
     name: rook-ceph-osd
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-osd-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-osd
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the osd purge job to run in this namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1267,20 +1039,6 @@ subjects:
     name: rook-ceph-purge-osd
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-purge-osd-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-purge-osd
-    namespace: rook-ceph # namespace:cluster
----
 # Allow the rgw pods in this namespace to work with configmaps
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1296,20 +1054,6 @@ subjects:
     name: rook-ceph-rgw
     namespace: rook-ceph # namespace:cluster
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: rook-ceph-rgw-psp
-  namespace: rook-ceph # namespace:cluster
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:rook
-subjects:
-  - kind: ServiceAccount
-    name: rook-ceph-rgw
-    namespace: rook-ceph # namespace:cluster
----
 # Grant the operator, agent, and discovery agents access to resources in the rook-ceph-system namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

components/gitpod-protocol/go/gitpod-service.go

@@ -2053,6 +2053,7 @@ type UpdateOwnAuthProviderParams struct {
 type CreateWorkspaceOptions struct {
 	StartWorkspaceOptions
 	ContextURL                         string `json:"contextUrl,omitempty"`
+	OrganizationId                     string `json:"organizationId,omitempty"`
 	IgnoreRunningWorkspaceOnSameCommit bool   `json:"ignoreRunningWorkspaceOnSameCommit,omitemopty"`
 	IgnoreRunningPrebuild              bool   `json:"ignoreRunningPrebuild,omitemopty"`
 	AllowUsingPreviousPrebuilds        bool   `json:"allowUsingPreviousPrebuilds,omitemopty"`

dev/preview/BUILD.yaml

@@ -33,7 +33,7 @@ scripts:
       export TF_VAR_preview_name="${TF_VAR_preview_name:-$(previewctl get name)}"
       export TF_VAR_vm_cpu="${TF_VAR_vm_cpu:-6}"
       export TF_VAR_vm_memory="${TF_VAR_vm_memory:-12Gi}"
-      export TF_VAR_vm_storage_class="${TF_VAR_vm_storage_class:-longhorn-gitpod-k3s-202209251218-onereplica}"
+      export TF_VAR_vm_storage_class="${TF_VAR_vm_storage_class:-longhorn-gitpod-k3s-202304191605-onereplica}"
       ./workflow/preview/deploy-harvester.sh
 
   - name: delete-preview