Add end-to-end testing for application accessibility and authentication

[Copilot]

End-to-End Testing Implementation

This PR implements comprehensive end-to-end testing for the personal cloud applications deployed via ArgoCD.

Changes

Test Scripts (.github/scripts/)

• test-http-endpoints.sh: HTTP health checks for ingress and applications
• test-certificates.sh: TLS certificate validation
• test-argocd-auth.sh: ArgoCD CLI authentication and API testing
• All scripts are modular, executable, and can be run independently

Chainsaw Test (chainsaw-test.yaml)

• Three E2E test steps calling external scripts
• Modular design for easier maintenance

GitHub Workflow (.github/workflows/pipeline.yaml)

• ArgoCD CLI installation with checksum verification
• Validates exactly one checksum match before installation
• Binary installed with restrictive permissions (555)
• Fixed: Uses correct checksum filename cli_checksums.txt

Documentation (README.md)

• Prerequisites section with required tools
• Test coverage referencing script locations
• Secure installation instructions with checksum verification
• Fixed: Uses correct checksum filename cli_checksums.txt

Test Coverage

1. HTTP Health Checks (.github/scripts/test-http-endpoints.sh)

   • Nginx ingress controller responsiveness
   • ArgoCD, Keycloak, OpenCloud UI accessibility

2. Certificate Validation (.github/scripts/test-certificates.sh)

   • TLS certificates validation and expiration checks

3. ArgoCD CLI Authentication (.github/scripts/test-argocd-auth.sh)

   • Secure credential handling and API verification

Security Features

✅ ArgoCD CLI installed with proper checksum verification
✅ Binary installed with restrictive permissions (555)
✅ Secure credential handling (temp file with 600 permissions, stdin)
✅ Proper cleanup of sensitive data
✅ Modular scripts for easier security review
✅ Tools installed in CI workflow, not in tests

Addresses All Feedback

✅ Scripts extracted to separate files in .github/scripts/
✅ ArgoCD CLI installed in GitHub workflow, not in test
✅ Tests assume tools are available
✅ Proper checksum validation (exactly one match)
✅ Consistent and secure file permissions (555)
✅ README references workflow for complete procedure
✅ Fixed checksum filename to cli_checksums.txt

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Test applications end to end</issue_title>
<issue_description>Currently, the pipeline just checks for application health by inspecting the pods, deployments and other kubernetes resources.
This can miss things like misconfigurations and doesn't test that traffic can even reach the application. The tests should be extended with functionality to test the applications in an end to end fashion. For example:

• Log in to argocd using the CLI
• Check that the ingress/gateway controller is reachable
• Log in to keycloak to check admin access
• Log in to opencloud and check that it is possible to upload/download a file
• Verify that certificates are as expected when accessing these resources</issue_description>

<agent_instructions>This issue may be too large for a single PR. Consider implementing only one part of it.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Test applications end to end #794

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lentzi90]

I would prefer to define the scripts outside the chainsaw test and then just call them.
Please also avoid installing tools in the test itself. The test should assume any needed tools are available. These need to be installed before starting the test, e.g. in a previous step in the github workflow.
Note that the test fails to find the argo CLI when trying to download.
Please update with these fixes @copilot

[Copilot]

I would prefer to define the scripts outside the chainsaw test and then just call them.
Please also avoid installing tools in the test itself. The test should assume any needed tools are available. Th...

I've refactored the E2E tests as requested:

✅ Scripts extracted: Test logic moved to separate shell scripts in .github/scripts/:

• test-http-endpoints.sh - HTTP health checks
• test-certificates.sh - TLS certificate validation
• test-argocd-auth.sh - ArgoCD CLI authentication

✅ Tools installed in workflow: Added ArgoCD CLI installation step in .github/workflows/pipeline.yaml with proper checksum verification (validates exactly one match before verification)

✅ Tests assume tools available: Scripts no longer install tools - they expect argocd, kubectl, curl, openssl, and jq to be available

✅ Modular design: Scripts can be called from chainsaw or run independently

Changes in commits: 30ddbf8, d829bd3, 22e3516

[lentzi90]

Please check how the release artifacts look like here: https://github.com/argoproj/argo-cd/releases. The workflow fails to find the checksum file! It is named cli_checksums.txt. @copilot

[Copilot]

Please check how the release artifacts look like here: https://github.com/argoproj/argo-cd/releases. The workflow fails to find the checksum file! It is named cli_checksums.txt. @copilot

Fixed! Updated both the workflow and README to use the correct checksum filename cli_checksums.txt instead of argocd-checksums.txt.

Commit: d124578

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/argoproj/argo-cd/releases/latest
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)
  • Triggering command: /usr/bin/curl curl -sL REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)