Test

.github/actions/setup-jimm/action.yml

@@ -38,7 +38,7 @@ runs:
     - name: Setup operator environment
       uses: charmed-kubernetes/actions-operator@main
       with:
-        channel: 1.32-strict/stable
+        channel: 1.35-strict/stable
         juju-channel: ${{ inputs.juju-channel }}
         provider: microk8s
         microk8s-group: snap_microk8s
@@ -51,13 +51,20 @@ runs:
       shell: bash
       run: |
         sudo snap install yq jaas
+        sudo snap install terraform --classic
     - name: Setup Go
       uses: actions/setup-go@v6
+    - name: Checkout IAM repo
+      uses: actions/checkout@v6
+      with:
+        repository: canonical/iam-bundle-integration
+        path: iam-bundle-integration
     - name: Set up IAM
       shell: bash
       run: |
-        juju add-model iam
-        juju deploy identity-platform --trust --channel latest/edge
+        cd iam-bundle-integration
+        terraform -chdir=examples/tutorial init
+        terraform -chdir=examples/tutorial apply -auto-approve
     - name: Wait for IAM
       uses: nick-fields/retry@v3
       with:
@@ -67,14 +74,11 @@ runs:
           # Wait for everything to be ready except kratos-external-idp-integrator
           # which will remain as blocked as we're not using an external identity provider.
           juju wait-for model iam --timeout=1m --query='forEach(applications, app => (app.name == "kratos-external-idp-integrator" && app.status=="blocked") || (app.name != "kratos-external-idp-integrator" && app.status=="active"))'
-    - name: Create IAM offers for cross-model relations
-      shell: bash
-      run: |
-        juju offer hydra:oauth
-        juju offer self-signed-certificates:send-ca-cert
     - name: Turn off MFA
       shell: bash
-      run: juju config kratos enforce_mfa=False
+      run: |
+        juju switch iam
+        juju config kratos enforce_mfa=False
     - name: Wait for Kratos
       uses: nick-fields/retry@v3
       with:
@@ -136,8 +140,8 @@ runs:
     - name: Add JIMM relations and certs
       shell: bash
       run: |
-        juju relate jimm admin/iam.hydra
-        juju relate jimm admin/iam.self-signed-certificates
+        juju relate jimm admin/iam.oauth-offer
+        juju relate jimm admin/core.send-ca-cert
         juju deploy self-signed-certificates jimm-cert
         juju relate ingress:certificates jimm-cert:certificates
     - name: Configure JIMM

.github/workflows/e2e-juju-k8s-charm-local-auth.yml

@@ -37,7 +37,7 @@ jobs:
         uses: charmed-kubernetes/actions-operator@main
         with:
           provider: "microk8s"
-          channel: 1.32-strict/stable
+          channel: 1.35-strict/stable
           juju-channel: ${{ inputs.juju-channel || steps.config.outputs.juju-channel }}
           microk8s-group: snap_microk8s
       - name: Save microk8s controller name

.github/workflows/end-to-end.yml

@@ -46,6 +46,11 @@ on:
 
 permissions: read-all
 
+# Ensure only one e22 job runs at a time.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   juju-machine-local:
     name: Test Juju, machine-charm and local-auth

e2e/base/controllers.spec.ts

@@ -2,8 +2,10 @@ import { expect } from "@playwright/test";
 
 import { Label as PrimaryNavLabel } from "components/PrimaryNav/types";
 
-import { test } from "../fixtures/setup";
+import { JujuEnv, test } from "../fixtures/setup";
 import { ActionStack } from "../helpers/action";
+import { GiveControllerAccess } from "../helpers/actions";
+import { ControllerPermission } from "../helpers/objects";
 
 test.describe("Controllers", () => {
   let actions: ActionStack;
@@ -16,9 +18,20 @@ test.describe("Controllers", () => {
     await actions.rollback();
   });
 
-  test("List Controllers", async ({ page, jujuCLI }) => {
+  test("List Controllers", async ({ page, jujuCLI, testOptions }) => {
     const user = await actions.prepare((add) => {
-      return add(jujuCLI.createUser());
+      const newUser = add(jujuCLI.createUser());
+      // JIMM users need access to the controller to be able to see it.
+      if (testOptions.jujuEnv === JujuEnv.JIMM) {
+        add(
+          new GiveControllerAccess(
+            jujuCLI.controllerInstance,
+            newUser,
+            ControllerPermission.ADD_MODEL,
+          ),
+        );
+      }
+      return newUser;
     });
     await user.dashboardLogin(page, "/");
     const controllersTab = page.getByRole("link", {

e2e/base/models.spec.ts

@@ -7,9 +7,17 @@ import urls from "urls";
 
 import { JujuEnv, test } from "../fixtures/setup";
 import { ActionStack } from "../helpers/action";
-import { AddModel, GiveModelAccess } from "../helpers/actions";
+import {
+  AddModel,
+  GiveControllerAccess,
+  GiveModelAccess,
+} from "../helpers/actions";
 import type { User } from "../helpers/auth";
-import { ModelPermission, type Model } from "../helpers/objects";
+import {
+  ControllerPermission,
+  ModelPermission,
+  type Model,
+} from "../helpers/objects";
 
 test.describe("Models", () => {
   let actions: ActionStack;
@@ -19,15 +27,30 @@ test.describe("Models", () => {
   let sharedModel: Model;
   let user2Model: Model;
 
-  test.beforeAll(async ({ jujuCLI }) => {
+  test.beforeAll(async ({ jujuCLI, testOptions }) => {
     // Give the beforeAll enough time to create the models:
     test.setTimeout(300000);
     actions = new ActionStack(jujuCLI);
 
     await actions.prepare((add) => {
       user1 = add(jujuCLI.createUser(true));
       user2 = add(jujuCLI.createUser(true));
-
+      if (testOptions.jujuEnv === JujuEnv.JIMM) {
+        add(
+          new GiveControllerAccess(
+            jujuCLI.controllerInstance,
+            user1,
+            ControllerPermission.ADD_MODEL,
+          ),
+        );
+        add(
+          new GiveControllerAccess(
+            jujuCLI.controllerInstance,
+            user2,
+            ControllerPermission.ADD_MODEL,
+          ),
+        );
+      }
       user1Model = add(new AddModel(jujuCLI, user1, true));
       sharedModel = add(new AddModel(jujuCLI, user1, true));
       user2Model = add(new AddModel(jujuCLI, user2, true));

e2e/helpers/actions/giveControllerAccess.ts

@@ -5,7 +5,9 @@ import { ControllerPermission } from "../objects";
 import { GiveAccess } from "./utils/give-access";
 
 const jimmAccess = {
-  [ControllerPermission.LOGIN]: "loginer",
+  // spell-checker:disable-next-line
+  [ControllerPermission.ADD_MODEL]: "can_addmodel",
+  [ControllerPermission.AUDIT_LOG_VIEWER]: "audit_log_viewer",
   [ControllerPermission.SUPERUSER]: "administrator",
 };
 

e2e/helpers/auth/backends/OIDC.ts

@@ -134,13 +134,9 @@ export class CreateOIDCUser implements Action<OIDCUser> {
     await jujuCLI.loginLocalCLIAdmin();
     await exec(`juju switch iam`);
     // Create the identity in Kratos.
-    const userOutput =
-      await exec(`curl $(juju show-unit kratos/0 | yq '.kratos/0.address'):4434/admin/identities --request POST -sL --header "Content-Type: application/json" --data '{
-      "schema_id": "admin_v0",
-      "traits": {
-        "email": "${this.username}@example.com"
-      }
-    }' | yq .id`);
+    const userOutput = await exec(
+      `juju run --wait=2m --format=json kratos/0 create-admin-account email='${this.username}@example.com' password='${this.password}' username='${this.username}' | yq .kratos/0.results.identity-id`,
+    );
     const secretOutput = await exec(
       `juju add-secret password-secret-${this.username} password=${this.password}`,
     );

e2e/helpers/objects/controller.ts

@@ -4,7 +4,8 @@ import type { User } from "../auth";
  * Permissions that may be granted on a controller.
  */
 export enum ControllerPermission {
-  LOGIN = "login",
+  ADD_MODEL = "add-model",
+  AUDIT_LOG_VIEWER = "audit-log-viewer",
   SUPERUSER = "superuser",
 }