cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol (#17415)

* cmd/k8s-operator/e2e: run self-contained e2e tests with devcontrol

Adds orchestration for more of the e2e testing setup requirements to
make it easier to run them in CI, but also run them locally in a way
that's consistent with CI. Requires running devcontrol, but otherwise
supports creating all the scaffolding required to exercise the operator
and proxies.

Updates tailscale/corp#32085

Change-Id: Ia7bff38af3801fd141ad17452aa5a68b7e724ca6
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>

* cmd/k8s-operator/e2e: being more specific on tmp dir cleanup

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

---------

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>

cmd/k8s-operator/e2e/main_test.go

@@ -5,34 +5,22 @@ package e2e
 
 import (
 	"context"
-	"errors"
+	"flag"
 	"log"
 	"os"
-	"strings"
 	"testing"
-	"time"
 
-	"golang.org/x/oauth2/clientcredentials"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"tailscale.com/internal/client/tailscale"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tsnet"
-)
-
-// This test suite is currently not run in CI.
-// It requires some setup not handled by this code:
-// - Kubernetes cluster with local kubeconfig for it (direct connection, no API server proxy)
-// - Tailscale operator installed with --set apiServerProxyConfig.mode="true"
-// - ACLs from acl.hujson
-// - OAuth client secret in TS_API_CLIENT_SECRET env, with at least auth_keys write scope and tag:k8s tag
-var (
-	apiClient     *tailscale.Client // For API calls to control.
-	tailnetClient *tsnet.Server     // For testing real tailnet traffic.
 )
 
 func TestMain(m *testing.M) {
+	flag.Parse()
+	if !*fDevcontrol && os.Getenv("TS_API_CLIENT_SECRET") == "" {
+		log.Printf("Skipping setup: devcontrol is false and TS_API_CLIENT_SECRET is not set")
+		os.Exit(m.Run())
+	}
 	code, err := runTests(m)
 	if err != nil {
 		log.Printf("Error: %v", err)
@@ -41,56 +29,6 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }
 
-func runTests(m *testing.M) (int, error) {
-	secret := os.Getenv("TS_API_CLIENT_SECRET")
-	if secret != "" {
-		secretParts := strings.Split(secret, "-")
-		if len(secretParts) != 4 {
-			return 0, errors.New("TS_API_CLIENT_SECRET is not valid")
-		}
-		ctx := context.Background()
-		credentials := clientcredentials.Config{
-			ClientID:     secretParts[2],
-			ClientSecret: secret,
-			TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
-			Scopes:       []string{"auth_keys"},
-		}
-		apiClient = tailscale.NewClient("-", nil)
-		apiClient.HTTPClient = credentials.Client(ctx)
-
-		caps := tailscale.KeyCapabilities{
-			Devices: tailscale.KeyDeviceCapabilities{
-				Create: tailscale.KeyDeviceCreateCapabilities{
-					Reusable:      false,
-					Preauthorized: true,
-					Ephemeral:     true,
-					Tags:          []string{"tag:k8s"},
-				},
-			},
-		}
-
-		authKey, authKeyMeta, err := apiClient.CreateKeyWithExpiry(ctx, caps, 10*time.Minute)
-		if err != nil {
-			return 0, err
-		}
-		defer apiClient.DeleteKey(context.Background(), authKeyMeta.ID)
-
-		tailnetClient = &tsnet.Server{
-			Hostname:  "test-proxy",
-			Ephemeral: true,
-			Store:     &mem.Store{},
-			AuthKey:   authKey,
-		}
-		_, err = tailnetClient.Up(ctx)
-		if err != nil {
-			return 0, err
-		}
-		defer tailnetClient.Close()
-	}
-
-	return m.Run(), nil
-}
-
 func objectMeta(namespace, name string) metav1.ObjectMeta {
 	return metav1.ObjectMeta{
 		Namespace: namespace,