feat: make vault e2e tests run locally

[moolen]

towards #5213

Summary of changes:

• reduces run time of our e2e tests by about 15m (see run vs this run) with potential to safe even more.
  • (1) by installing vault globally and reusing it across tests - the vault config/auth/roles do not differ between test runs.
    • similar issue with conjur - reduced test duration from ~60s down to 2-3 seconds per test case
  • (2) by reducing the interval from 10s to 1s in which the resulting secret gets compared against the test expectation.
  • (3) by installing only the required SecretStores which reduces noise in logs as well as increasing the reconciliation speed because less cpu cycles are wasted (11 stores x 65 test cases = 650 unneeded SecretStores)
• lets an user run e2e tests locally against:
  • vault with ginkgo run --label-filter "vault" ./e2e/suites/provider
  • conjur with ginkgo run --label-filter "vault" ./e2e/suites/provider

As for now, i do not want people to execute the e2e tests locally, as there are a few extra steps missing, such as:

• building + sideloading ESO image (or setting up a tunnel so we can run it on the host)
• building/sideloading helm charts for flux/argocd test suites

I think once those are covered, it is ready to be used by contributors. It's not 100% there as there are still some minor differences. We need to have a look at the other test suites, e.g. AWS one depends on AWS_* env vars to be present, which we need to account for in the test suite when ran locally.

[jakobmoellerdev]

Will go for a review over the weekend to give it the attention it deserves. Sorry its taking a bit longer than usual!

[jakobmoellerdev]

nicely done, mostly questions around test framework lifecycle and such but generally looking okay. Also confused why you decided to no longer use central configs, happy to get some insights!

[moolen]

Great comments @jakobmoellerdev, thank you for the review 🙇 I've addressed the minor issues and
I'm looking into proper context handling, i'll give the CI a few spins to see if everything passes. I just sed my way through to replace the contexts.

[moolen]

I ran the e2e suite 22 times, with 3 failures. all failed runs had issues with scaleway. one failure had an issue where a helm uninstall ran into a deadline 🤷

Dunno, seems stable enough for me. Though i don't have evidence of the e2e tests before this PR - i guess they did flake occasionally - i'd say with a similar probability.

[jakobmoellerdev]

For me this is LGTM but I will say its a big PR so I think another pair of eyes is needed before this should go in. Cool stuff! ❤️

[Skarlso]

Okay, stuff ran. The only test that failed was TLS. But I guess I would have to need to do something with that?

deleting test namespace e2e-tests-vault-rpvpk
  << Timeline

  [FAILED] Expected
      <string>: ValidationFailed
  to equal
      <string>: InvalidProviderConfig
  In [It] at: /Users/skarlso/goprojects/kubernetes/external-secrets/e2e/suites/provider/cases/vault/vault.go:334 @ 09/13/25 
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSS••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••E0913 10:44:43.066489   96970 core_dsl.go:447] "Observed a panic" panic=<
        Your Test Panicked
        Expect(ss.Status.Conditions[0].Reason).Should(Equal("InvalidProviderConfig"))
        /Users/skarlso/goprojects/kubernetes/external-secrets/e2e/suites/provider/cases/vault/vault.go:334
          When you, or your assertion library, calls Ginkgo's Fail(),
          Ginkgo panics to prevent subsequent assertions from running.

          Normally Ginkgo rescues this panic so you shouldn't see it.

          However, if you make an assertion in a goroutine, Ginkgo can't capture the
          panic.
          To circumvent this, you should call

                defer GinkgoRecover()

          at the top of the goroutine that caused this panic.

          Alternatively, you may have made an assertion outside of a Ginkgo
          leaf node (e.g. in a container node or some out-of-band function) - please
          move your assertion to
          an appropriate Ginkgo node (e.g. a BeforeSuite, BeforeEach, It, etc...).

          Learn more at:

• [FAILED] [10.052 seconds]
[vault] sync secrets [It] store without clientTLS configuration should not be valid [vault, vault-invalid-store]
/Users/skarlso/goprojects/kubernetes/external-secrets/e2e/suites/provider/cases/vault/vault.go:133

  Timeline >>
  created test namespace e2e-tests-vault-rpvpk

Ran 65 of 333 Specs in 249.455 seconds
FAIL! -- 64 Passed | 1 Failed | 0 Pending | 268 Skipped
--- FAIL: TestE2E (249.52s)
FAIL

[Skarlso]

Couple of remarks. I haven't figured out yet what's going on with the Certificate.

[Skarlso]

You will need to fix the licenses... :D :D :D

[Skarlso]

I think the failure might be for me because it's running an older version somehow.

[Skarlso]

• [SLOW TEST] [36.507 seconds]

It passed!!!!! It's worth noting that I had to run make e2e.test the ginkgo target wasn't enough. And of course, define the ginkgo label for it. So maybe adjust the running guide?

Otherwise this LGTM now. Fantastic work, Mortiz! :) 🙇

[moolen]

Running e2e tests is documented here, is there anything missing? After all i think the ginkgo run approach to trigger tests is a bad idea, because it depends on images being sideloaded, a cluster being available etc.

[Skarlso]

Ah no, you're right, I think that's fine. Yah, that guide still works indeed. That's what I did.

[Skarlso]

Brilliant stuff man! Thanks so much for this cleanup.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud