From ebedebb7005f899691e6c3dcbbd2ba448ab85bb5 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Mon, 16 Feb 2026 09:33:25 +0100 Subject: [PATCH 01/15] feat: private registries for testing values generation Support passing credentials for testing values generation in the dagger module. Signed-off-by: Gabriele Fedi --- dagger/maintenance/image.go | 23 +++++++++++++++++++++-- dagger/maintenance/main.go | 10 ++++++++-- dagger/maintenance/testingvalues.go | 5 +++-- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/dagger/maintenance/image.go b/dagger/maintenance/image.go index 86777e9..0dcaf2e 100644 --- a/dagger/maintenance/image.go +++ b/dagger/maintenance/image.go @@ -2,10 +2,14 @@ package main import ( "bytes" + "context" "fmt" "regexp" "strconv" + "dagger/maintenance/internal/dagger" + + "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/crane" "github.com/google/go-containerregistry/pkg/name" containerregistryv1 "github.com/google/go-containerregistry/pkg/v1" @@ -24,14 +28,29 @@ var SupportedDistributions = []string{ } // getImageAnnotations returns the OCI annotations given an image ref. -func getImageAnnotations(imageRef string) (map[string]string, error) { +// If username and password are provided, they will be used for registry authentication. +func getImageAnnotations(ctx context.Context, imageRef string, username string, password *dagger.Secret) (map[string]string, error) { // Setting Insecure option to allow fetching images from local registries with no TLS ref, err := name.ParseReference(imageRef, name.Insecure) if err != nil { return nil, err } - head, err := remote.Get(ref) + var opts []remote.Option + if password != nil { + plainPassword, err := password.Plaintext(ctx) + if err != nil { + return nil, fmt.Errorf("failed to read registry password: %w", err) + } + + auth := authn.FromConfig(authn.AuthConfig{ + Username: username, + Password: plainPassword, + }) + opts = append(opts, remote.WithAuth(auth)) + } + + head, err := remote.Get(ref, opts...) if err != nil { return nil, err } diff --git a/dagger/maintenance/main.go b/dagger/maintenance/main.go index 6ef5b9b..22b2774 100644 --- a/dagger/maintenance/main.go +++ b/dagger/maintenance/main.go @@ -147,6 +147,12 @@ func (m *Maintenance) GenerateTestingValues( // URL reference to the extension image to test [REPOSITORY[:TAG]] // +optional extensionImage string, + // Registry username for authentication (optional) + // +optional + registryUsername string, + // Registry password or token for authentication (optional) + // +optional + registryPassword *dagger.Secret, ) (*dagger.File, error) { metadata, err := parseExtensionMetadata(ctx, target) if err != nil { @@ -161,7 +167,7 @@ func (m *Maintenance) GenerateTestingValues( } } - annotations, err := getImageAnnotations(targetExtensionImage) + annotations, err := getImageAnnotations(ctx, targetExtensionImage, registryUsername, registryPassword) if err != nil { return nil, err } @@ -180,7 +186,7 @@ func (m *Maintenance) GenerateTestingValues( targetExtensionImage) } - extensionInfos, err := generateTestingValuesExtensions(ctx, source, metadata, targetExtensionImage, version) + extensionInfos, err := generateTestingValuesExtensions(ctx, source, metadata, targetExtensionImage, version, registryUsername, registryPassword) if err != nil { return nil, err } diff --git a/dagger/maintenance/testingvalues.go b/dagger/maintenance/testingvalues.go index 0ff3065..4fa9994 100644 --- a/dagger/maintenance/testingvalues.go +++ b/dagger/maintenance/testingvalues.go @@ -36,7 +36,8 @@ type testingExtensionInfo struct { CreateExtension bool } -func generateTestingValuesExtensions(ctx context.Context, source *dagger.Directory, metadata *extensionMetadata, extensionImage string, version string) ([]*testingExtensionInfo, error) { +func generateTestingValuesExtensions(ctx context.Context, source *dagger.Directory, metadata *extensionMetadata, + extensionImage string, version string, registryUsername string, registryPassword *dagger.Secret) ([]*testingExtensionInfo, error) { var out []*testingExtensionInfo configuration, err := generateExtensionConfiguration(metadata, extensionImage) if err != nil { @@ -67,7 +68,7 @@ func generateTestingValuesExtensions(ctx context.Context, source *dagger.Directo return nil, err } - depAnnotations, err := getImageAnnotations(depConfiguration.ImageVolumeSource.Reference) + depAnnotations, err := getImageAnnotations(ctx, depConfiguration.ImageVolumeSource.Reference, registryUsername, registryPassword) if err != nil { return nil, err } From 3c3ca58aebdb0aa527e87bf557d1371d69b91a33 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Mon, 16 Feb 2026 11:06:47 +0100 Subject: [PATCH 02/15] feat: chainsaw extra arguments for dagger test cmd Support passing extra arguments to Chainsaw test execution. This way the test cmd can be customised by external callers and it can support more complex use-cases Signed-off-by: Gabriele Fedi --- Taskfile.yml | 3 ++- dagger/maintenance/main.go | 22 ++++++++++++++++++++-- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/Taskfile.yml b/Taskfile.yml index 79b3dba..bd7a49f 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -347,11 +347,12 @@ tasks: silent: true vars: KUBECONFIG_PATH: '{{ .KUBECONFIG_PATH | default "~/.kube/config" }}' + EXTRA_ARGS: '{{ .EXTRA_ARGS | default "" }}' env: _EXPERIMENTAL_DAGGER_RUNNER_HOST: container://{{ .DAGGER_ENGINE_NAME }} cmds: - echo -e "{{ .BLUE }}Testing {{ .TARGET }}...{{ .NC }}" - - dagger call -m ./dagger/maintenance/ test --source . --target {{ .TARGET }} --kubeconfig {{ .KUBECONFIG_PATH }} + - dagger call -m ./dagger/maintenance/ test --source . --target {{ .TARGET }} --kubeconfig {{ .KUBECONFIG_PATH }} --extra-args "{{ .EXTRA_ARGS }}" requires: vars: - name: TARGET diff --git a/dagger/maintenance/main.go b/dagger/maintenance/main.go index 22b2774..f56be3c 100644 --- a/dagger/maintenance/main.go +++ b/dagger/maintenance/main.go @@ -354,6 +354,9 @@ func (m *Maintenance) Test( // renovate: datasource=docker depName=kyverno/chainsaw packageName=ghcr.io/kyverno/chainsaw versioning=docker // +default="ghcr.io/kyverno/chainsaw:v0.2.14@sha256:c703e4d4ce7b89c5121fe957ab89b6e2d33f91fd15f8274a9f79ca1b2ba8ecef" chainsawImage string, + // Additional arguments to pass to Chainsaw test command + // +optional + extraArgs []string, ) error { extDir := source if target != "all" { @@ -398,8 +401,15 @@ func (m *Maintenance) Test( WithFile("/etc/kubeconfig/config", kubeconfig). WithEnvVariable("KUBECONFIG", "/etc/kubeconfig/config") + chainsawTestArgs := []string{ + "test", + "./test", + "--values", path.Join(extName, valuesFile), + } + chainsawTestArgs = append(chainsawTestArgs, extraArgs...) + _, err = ctr.WithExec( - []string{"test", "./test", "--values", path.Join(extName, valuesFile)}, + chainsawTestArgs, dagger.ContainerWithExecOpts{ UseEntrypoint: true, }). @@ -416,8 +426,16 @@ func (m *Maintenance) Test( if !hasIndividualTests { continue } + + chainsawTestArgs = []string{ + "test", + path.Join(extName, "test"), + "--values", path.Join(extName, valuesFile), + } + chainsawTestArgs = append(chainsawTestArgs, extraArgs...) + _, err = ctr.WithExec( - []string{"test", path.Join(extName, "test"), "--values", path.Join(extName, valuesFile)}, + chainsawTestArgs, dagger.ContainerWithExecOpts{ UseEntrypoint: true, }). From e351ede90263a94f574d43f6d56efb8be3dcfa04 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Mon, 16 Feb 2026 12:12:44 +0100 Subject: [PATCH 03/15] feat: reference a pull secret in Cluster Signed-off-by: Gabriele Fedi --- postgis/test/cluster.yaml | 3 +++ test/cluster.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/postgis/test/cluster.yaml b/postgis/test/cluster.yaml index 1a06cd3..51f3258 100644 --- a/postgis/test/cluster.yaml +++ b/postgis/test/cluster.yaml @@ -6,6 +6,9 @@ spec: imageName: ($values.pg_image) instances: 1 + imagePullSecrets: + - name: ($values.pull_secret) + storage: size: 1Gi diff --git a/test/cluster.yaml b/test/cluster.yaml index 1a06cd3..72ca5e2 100644 --- a/test/cluster.yaml +++ b/test/cluster.yaml @@ -9,6 +9,9 @@ spec: storage: size: 1Gi + imagePullSecrets: + - name: ($values.pull_secret) + postgresql: shared_preload_libraries: ($values.shared_preload_libraries) extensions: ($values.extensions) From 8f410136a14d536c6b0b56097731eb95c6ce1832 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Mon, 16 Feb 2026 15:44:08 +0100 Subject: [PATCH 04/15] feat: add taskfile changes Signed-off-by: Gabriele Fedi --- Taskfile.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index bd7a49f..0fc2d72 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -157,13 +157,17 @@ tasks: prefix: 'generate-values-{{.TARGET}}' vars: EXTENSION_IMAGE: '{{ .EXTENSION_IMAGE| default "" }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME| default "" }}' env: _EXPERIMENTAL_DAGGER_RUNNER_HOST: '{{ ._EXPERIMENTAL_DAGGER_RUNNER_HOST | default "" }}' + REGISTRY_PASSWORD: '{{ .REGISTRY_PASSWORD | default "" }}' cmds: - echo -e "{{.BLUE}}Generating values for target {{.TARGET}}...{{.NC}}" - > dagger call -sm ./dagger/maintenance/ generate-testing-values - --target {{ .TARGET }} --extension-image="{{ .EXTENSION_IMAGE }}" export --path {{.TARGET}}/values.yaml + --target {{ .TARGET }} --extension-image="{{ .EXTENSION_IMAGE }}" + --registry-username="{{ .REGISTRY_USERNAME }}" --registry-password="env://REGISTRY_PASSWORD" + export --path {{.TARGET}}/values.yaml requires: vars: - name: TARGET From 79d8ceaa90d0770cd96973fbec3b6da40649269c Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Mon, 16 Feb 2026 15:44:25 +0100 Subject: [PATCH 05/15] docs: e2e for private registries Signed-off-by: Gabriele Fedi --- BUILD.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/BUILD.md b/BUILD.md index e01c514..f166703 100644 --- a/BUILD.md +++ b/BUILD.md @@ -228,6 +228,48 @@ generic tests (global `/test` folder) and extension-specific tests (target task e2e:test TARGET="" KUBECONFIG_PATH="./kubeconfig" ``` +### Testing with Private Registries + +When testing extensions hosted in private container registries, you need to +configure both Kubernetes authentication and provide credentials when creating testing values. + +#### Step 1: Create a pull secret in your cluster + +First, create a Kubernetes pull secret in the namespace where tests will run: + +```bash +kubectl create secret docker-registry my-registry-secret \ + --docker-server= \ + --docker-username= \ + --docker-password= \ + --namespace= +``` + +#### Step 2: Generate test values with registry credentials + +Use the `generate-values` task with registry credentials so required image information can +be fetched from the registry and included in the generated values file: + +```bash +export REGISTRY_PASSWORD="" +task generate-values \ + TARGET="" \ + EXTENSION_IMAGE="" \ + REGISTRY_USERNAME="" +``` + +#### Step 3: Run tests with namespace and pull secret reference + +Pass the namespace and pull secret name to the test execution using extra +Chainsaw arguments: + +```bash +task e2e:test \ + TARGET="" \ + KUBECONFIG_PATH="./kubeconfig" \ + EXTRA_ARGS="--namespace,,--set,pull_secret=my-registry-secret" +``` + --- ### Tear down the local test environment From e99fcda0478528b1b3176f122f5b74e8babebb17 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Wed, 18 Feb 2026 10:46:30 +0100 Subject: [PATCH 06/15] feat: configure registry credential for kubelet Signed-off-by: Gabriele Fedi --- Taskfile.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index 0fc2d72..a69e3c7 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -222,6 +222,8 @@ tasks: run: once vars: REGISTRY_DIR: /etc/containerd/certs.d/{{ .REGISTRY_NAME }}:{{ .REGISTRY_INTERNAL_PORT }} + REGISTRY_HOST: '{{ .REGISTRY_HOST | default "" }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME | default "" }}' DOCKER_SOCKET: sh: docker context inspect -f {{`'{{json .Endpoints.docker.Host}}'`}} $(docker context show) env: @@ -237,6 +239,20 @@ tasks: cat < test "$(dagger call -m github.com/aweris/daggerverse/kind@{{ .DAGGER_KIND_SHA }} @@ -314,11 +330,18 @@ tasks: e2e:setup-env: desc: Setup E2E environment silent: true + vars: + REGISTRY_HOST: '{{ .REGISTRY_HOST | default "" }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME | default "" }}' deps: - e2e:start-container-registry - e2e:start-dagger-engine - - e2e:install-cnpg cmds: + - task: e2e:setup-kind + vars: + REGISTRY_HOST: '{{ .REGISTRY_HOST }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' + - task: e2e:install-cnpg - echo -e "{{.GREEN}}--- E2E environment setup complete ---{{.NC}}" e2e:generate-values: From 5642df1d3bd32d0bee0356b50ff9a9a1152e86d5 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Wed, 18 Feb 2026 11:44:55 +0100 Subject: [PATCH 07/15] docs: updated docs Signed-off-by: Gabriele Fedi --- BUILD.md | 66 +++++++++++++++++++++----------------------------------- 1 file changed, 25 insertions(+), 41 deletions(-) diff --git a/BUILD.md b/BUILD.md index f166703..b43e7b3 100644 --- a/BUILD.md +++ b/BUILD.md @@ -172,6 +172,20 @@ task e2e:setup-env > If changed, you must pass this variable to all subsequent tasks that interact > with the registry to ensure connectivity. +#### Configuring credentials for private registries + +If you need to pull images from a private registry during testing, you can +configure authentication credentials when setting up the environment: + +```bash +REGISTRY_PASSWORD="your-password" task e2e:setup-env \ + REGISTRY_HOST="registry.example.com" \ + REGISTRY_USERNAME="your-username" +``` + +These credentials are configured at the kubelet level, allowing pods to pull +images from the private registry without requiring ImagePullSecrets. + ### Get access to the cluster To interact with the cluster via `kubectl` from your local terminal: @@ -218,56 +232,26 @@ the E2E tests: task e2e:generate-values TARGET="" EXTENSION_IMAGE="" ``` -### Execute End-to-End tests +#### Using private registries -Run the test suite using the internal Kubeconfig. This executes both the -generic tests (global `/test` folder) and extension-specific tests (target -`/test` folder). +If your extension image is hosted in a private registry, you can provide authentication +credentials when generating test values: ```bash -task e2e:test TARGET="" KUBECONFIG_PATH="./kubeconfig" -``` - -### Testing with Private Registries - -When testing extensions hosted in private container registries, you need to -configure both Kubernetes authentication and provide credentials when creating testing values. - -#### Step 1: Create a pull secret in your cluster - -First, create a Kubernetes pull secret in the namespace where tests will run: - -```bash -kubectl create secret docker-registry my-registry-secret \ - --docker-server= \ - --docker-username= \ - --docker-password= \ - --namespace= -``` - -#### Step 2: Generate test values with registry credentials - -Use the `generate-values` task with registry credentials so required image information can -be fetched from the registry and included in the generated values file: - -```bash -export REGISTRY_PASSWORD="" -task generate-values \ +REGISTRY_PASSWORD="your-password" task generate-values \ TARGET="" \ - EXTENSION_IMAGE="" \ - REGISTRY_USERNAME="" + EXTENSION_IMAGE="/image:tag" \ + REGISTRY_USERNAME="your-username" ``` -#### Step 3: Run tests with namespace and pull secret reference +### Execute End-to-End tests -Pass the namespace and pull secret name to the test execution using extra -Chainsaw arguments: +Run the test suite using the internal Kubeconfig. This executes both the +generic tests (global `/test` folder) and extension-specific tests (target +`/test` folder). ```bash -task e2e:test \ - TARGET="" \ - KUBECONFIG_PATH="./kubeconfig" \ - EXTRA_ARGS="--namespace,,--set,pull_secret=my-registry-secret" +task e2e:test TARGET="" KUBECONFIG_PATH="./kubeconfig" ``` --- From 496c52f9a40340fe6c49e894bd333afaf548de2a Mon Sep 17 00:00:00 2001 From: Matteo Date: Mon, 23 Feb 2026 11:04:35 +0100 Subject: [PATCH 08/15] docs: Add documentation for EXTRA_ARGS field in E2E task command Signed-off-by: Matteo --- BUILD.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/BUILD.md b/BUILD.md index b43e7b3..81c440e 100644 --- a/BUILD.md +++ b/BUILD.md @@ -254,6 +254,21 @@ generic tests (global `/test` folder) and extension-specific tests (target task e2e:test TARGET="" KUBECONFIG_PATH="./kubeconfig" ``` +#### Pass arguments to chainsaw test + +Is possible to pass arguments to the [Chainsaw test command](https://kyverno.github.io/chainsaw/latest/reference/commands/chainsaw_test/) by using the `EXTRA_ARGS` +argument, like: + +```bash +task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete" +``` + +or multiple arguments separated by commas, like: + +```bash +task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete,--values=pgvector/extra_args.yaml" +``` + --- ### Tear down the local test environment From fae2267f364eaf5286858286ee572a864c3c0ced Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Tue, 24 Feb 2026 17:20:56 +0100 Subject: [PATCH 09/15] fix(e2e): remove unused imagePullSecrets from cluster templates The cluster.yaml templates referenced a pull_secret value that was never generated, breaking all test runs. Kubelet-level credentials configured during e2e:setup-env are sufficient for private registry access. Also remove misleading --values example from EXTRA_ARGS docs. Signed-off-by: Marco Nenciarini --- BUILD.md | 2 +- postgis/test/cluster.yaml | 3 --- test/cluster.yaml | 3 --- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/BUILD.md b/BUILD.md index 81c440e..fb830cd 100644 --- a/BUILD.md +++ b/BUILD.md @@ -266,7 +266,7 @@ task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--ski or multiple arguments separated by commas, like: ```bash -task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete,--values=pgvector/extra_args.yaml" +task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete" ``` --- diff --git a/postgis/test/cluster.yaml b/postgis/test/cluster.yaml index 51f3258..1a06cd3 100644 --- a/postgis/test/cluster.yaml +++ b/postgis/test/cluster.yaml @@ -6,9 +6,6 @@ spec: imageName: ($values.pg_image) instances: 1 - imagePullSecrets: - - name: ($values.pull_secret) - storage: size: 1Gi diff --git a/test/cluster.yaml b/test/cluster.yaml index 72ca5e2..1a06cd3 100644 --- a/test/cluster.yaml +++ b/test/cluster.yaml @@ -9,9 +9,6 @@ spec: storage: size: 1Gi - imagePullSecrets: - - name: ($values.pull_secret) - postgresql: shared_preload_libraries: ($values.shared_preload_libraries) extensions: ($values.extensions) From 4e2d952977a7be06e1613e98646d515642a124df Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Tue, 24 Feb 2026 17:46:44 +0100 Subject: [PATCH 10/15] fix(e2e): guard registry auth against empty credentials Only apply registry authentication when both username and password are non-empty. Prevents sending empty-credentials auth headers to public registries when no credentials are configured. Signed-off-by: Marco Nenciarini --- dagger/maintenance/image.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/dagger/maintenance/image.go b/dagger/maintenance/image.go index 0dcaf2e..26b633a 100644 --- a/dagger/maintenance/image.go +++ b/dagger/maintenance/image.go @@ -37,17 +37,19 @@ func getImageAnnotations(ctx context.Context, imageRef string, username string, } var opts []remote.Option - if password != nil { + if password != nil && username != "" { plainPassword, err := password.Plaintext(ctx) if err != nil { return nil, fmt.Errorf("failed to read registry password: %w", err) } - auth := authn.FromConfig(authn.AuthConfig{ - Username: username, - Password: plainPassword, - }) - opts = append(opts, remote.WithAuth(auth)) + if plainPassword != "" { + auth := authn.FromConfig(authn.AuthConfig{ + Username: username, + Password: plainPassword, + }) + opts = append(opts, remote.WithAuth(auth)) + } } head, err := remote.Get(ref, opts...) From 7cb1b6a98019548419bd40a38504631cef18d991 Mon Sep 17 00:00:00 2001 From: Gabriele Fedi Date: Tue, 24 Feb 2026 17:53:21 +0100 Subject: [PATCH 11/15] docs: use one example for extra-args Signed-off-by: Gabriele Fedi --- BUILD.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/BUILD.md b/BUILD.md index fb830cd..475ded7 100644 --- a/BUILD.md +++ b/BUILD.md @@ -260,13 +260,7 @@ Is possible to pass arguments to the [Chainsaw test command](https://kyverno.git argument, like: ```bash -task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete" -``` - -or multiple arguments separated by commas, like: - -```bash -task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete" +task e2e:test TARGET="pgvector" KUBECONFIG_PATH="./kubeconfig" EXTRA_ARGS="--skip-delete,--fail-fast" ``` --- From 69c14d2d5e7d7e8c7ce96b9eb79a029d158d16b1 Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Tue, 24 Feb 2026 18:19:22 +0100 Subject: [PATCH 12/15] refactor(e2e): forward registry vars through dependency chain Pass REGISTRY_HOST and REGISTRY_USERNAME through deps instead of using sequential cmds, restoring parallel execution in e2e:setup-env and giving every task a consistent view of the variables. Signed-off-by: Marco Nenciarini --- Taskfile.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Taskfile.yml b/Taskfile.yml index a69e3c7..fc85a9d 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -261,7 +261,10 @@ tasks: e2e:install-cnpg: desc: Install CloudNativePG operator in the Kind cluster deps: - - e2e:setup-kind + - task: e2e:setup-kind + vars: + REGISTRY_HOST: '{{ .REGISTRY_HOST }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' internal: true vars: # renovate: datasource=github-tags depName=cloudnative-pg/cloudnative-pg versioning=semver extractVersion=^v(?\d+\.\d+)\.\d+$ @@ -336,12 +339,11 @@ tasks: deps: - e2e:start-container-registry - e2e:start-dagger-engine - cmds: - - task: e2e:setup-kind + - task: e2e:install-cnpg vars: REGISTRY_HOST: '{{ .REGISTRY_HOST }}' REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' - - task: e2e:install-cnpg + cmds: - echo -e "{{.GREEN}}--- E2E environment setup complete ---{{.NC}}" e2e:generate-values: From cc8dea68243d71291eaedf24c461150c23cf0cce Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Tue, 24 Feb 2026 21:46:46 +0100 Subject: [PATCH 13/15] fix(e2e): use base64 -w0 for registry auth encoding Prevent line wrapping in base64 output that would produce invalid JSON in /var/lib/kubelet/config.json with long credentials. Signed-off-by: Marco Nenciarini --- Taskfile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Taskfile.yml b/Taskfile.yml index fc85a9d..186f819 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -241,7 +241,7 @@ tasks: EOF - | if [ -n "{{ .REGISTRY_HOST }}" ] && [ -n "{{ .REGISTRY_USERNAME }}" ] && [ -n "${REGISTRY_PASSWORD}" ]; then - AUTH=$(echo -n "{{ .REGISTRY_USERNAME }}:${REGISTRY_PASSWORD}" | base64) + AUTH=$(echo -n "{{ .REGISTRY_USERNAME }}:${REGISTRY_PASSWORD}" | base64 -w0) docker exec "{{ .KIND_CLUSTER_NAME }}-control-plane" mkdir -p /var/lib/kubelet cat < Date: Tue, 24 Feb 2026 21:59:28 +0100 Subject: [PATCH 14/15] docs: fix typo in extra-args documentation Signed-off-by: Marco Nenciarini --- BUILD.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BUILD.md b/BUILD.md index 475ded7..f317228 100644 --- a/BUILD.md +++ b/BUILD.md @@ -256,7 +256,7 @@ task e2e:test TARGET="" KUBECONFIG_PATH="./kubeconfig" #### Pass arguments to chainsaw test -Is possible to pass arguments to the [Chainsaw test command](https://kyverno.github.io/chainsaw/latest/reference/commands/chainsaw_test/) by using the `EXTRA_ARGS` +It is possible to pass arguments to the [Chainsaw test command](https://kyverno.github.io/chainsaw/latest/reference/commands/chainsaw_test/) by using the `EXTRA_ARGS` argument, like: ```bash From e2d58f7f7435f847a6c3985c5a9e046903b3e0a5 Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Tue, 24 Feb 2026 21:59:42 +0100 Subject: [PATCH 15/15] fix: forward registry vars through e2e task chain Forward REGISTRY_USERNAME through e2e:generate-values and REGISTRY_HOST/REGISTRY_USERNAME through e2e:test:full so private registry authentication works end-to-end. Signed-off-by: Marco Nenciarini --- Taskfile.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Taskfile.yml b/Taskfile.yml index 186f819..41a56e7 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -355,11 +355,15 @@ tasks: silent: true vars: EXTENSION_IMAGE: '{{ .EXTENSION_IMAGE| default "" }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME| default "" }}' + env: + REGISTRY_PASSWORD: '{{ .REGISTRY_PASSWORD | default "" }}' cmds: - task: generate-values vars: _EXPERIMENTAL_DAGGER_RUNNER_HOST: container://{{ .DAGGER_ENGINE_NAME }} TARGET: '{{ .TARGET }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' EXTENSION_IMAGE: # Rewrite host:port to the internal registry name and port used # within the Docker network. @@ -404,8 +408,13 @@ tasks: METADATA_FILE: "{{ .TARGET }}/bake-metadata.json" KUBECONFIG_PATH: "./kubeconfig" DISTRO: '{{ .DISTRO | default "trixie" }}' + REGISTRY_HOST: '{{ .REGISTRY_HOST | default "" }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME | default "" }}' cmds: - task: e2e:setup-env + vars: + REGISTRY_HOST: '{{ .REGISTRY_HOST }}' + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' - task: bake vars: PUSH: "true" @@ -415,6 +424,7 @@ tasks: - task: e2e:generate-values vars: TARGET: "{{ .TARGET }}" + REGISTRY_USERNAME: '{{ .REGISTRY_USERNAME }}' EXTENSION_IMAGE: sh: > jq -r --arg distro "{{ .DISTRO }}"