test(egress): prove data-plane secret injection

.github/actions/run-tests/action.yml

@@ -17,14 +17,21 @@ inputs:
   provider-binary:
     description: Optional path to a Terraform provider binary in the caller workspace.
     required: false
+  e2e-ref:
+    description: Git ref for the e2e repository checkout.
+    required: false
+    default: main
+  artifact-name:
+    description: Optional artifact name override for uploaded E2E artifacts.
+    required: false
 runs:
   using: composite
   steps:
     - name: Checkout e2e repository
       uses: actions/checkout@v4
       with:
         repository: agynio/e2e
-        ref: main
+        ref: ${{ inputs.e2e-ref }}
         path: e2e
 
     - name: Stage provider binary
@@ -91,6 +98,7 @@ runs:
         k8s_stack="$bootstrap_dir/stacks/k8s"
         platform_stack="$bootstrap_dir/stacks/platform"
         apps_stack="$bootstrap_dir/stacks/apps"
+        platform_stack_outputs_available="false"
 
         if [ -d "$k8s_stack" ]; then
           if ! domain=$(terraform -chdir="$k8s_stack" output -raw domain); then
@@ -131,6 +139,22 @@ runs:
           exit 1
         fi
 
+        if [ -d "$platform_stack" ]; then
+          platform_stack_outputs_available="true"
+        fi
+
+        if [ -z "${WORKLOAD_DNS_UPSTREAM:-}" ] && [ "$platform_stack_outputs_available" = "true" ]; then
+          if ! WORKLOAD_DNS_UPSTREAM=$(terraform -chdir="$platform_stack" output -raw ziti_workload_dns_service_ip); then
+            echo "Failed to read ziti_workload_dns_service_ip output from ${platform_stack}." >&2
+            exit 1
+          fi
+          if [ -z "$WORKLOAD_DNS_UPSTREAM" ]; then
+            echo "ziti_workload_dns_service_ip output was empty." >&2
+            exit 1
+          fi
+          echo "WORKLOAD_DNS_UPSTREAM=$WORKLOAD_DNS_UPSTREAM" >> "$GITHUB_ENV"
+        fi
+
         if [ -z "${AGYN_API_TOKEN:-}" ]; then
           if [ ! -d "$platform_stack" ]; then
             echo "AGYN_API_TOKEN not set and platform stack missing." >&2
@@ -437,7 +461,7 @@ runs:
       if: ${{ always() }}
       uses: actions/upload-artifact@v4
       with:
-        name: ${{ inputs.service != '' && format('e2e-artifacts-{0}', inputs.service) || 'e2e-artifacts' }}
+        name: ${{ inputs.artifact-name != '' && inputs.artifact-name || (inputs.service != '' && format('e2e-artifacts-{0}', inputs.service) || 'e2e-artifacts') }}
         path: |
           e2e/.artifacts/
           e2e/.diagnostics/

.github/workflows/e2e.yml

@@ -23,14 +23,62 @@ jobs:
       AGN_EXPOSE_INIT_IMAGE: ghcr.io/agynio/agent-init-agn:0.5.5
       TF_VAR_threads_chart_version: 0.4.12
       TF_VAR_threads_image_tag: 0.4.12
+      TF_VAR_egress_image_tag: pr-14-471fd0cff8d7aa2e49c1a6ecbe296cc7afe3ecdd
+      TF_VAR_egress_gateway_image_tag: pr-10-0b4a11ac2d3ecc123d05b331acfd0336d3bcdb5b
+      TF_VAR_ziti_management_image_tag: pr-61-4f5cd681b9887dc397d24dd7cd796ab062cbe6c2
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Wait for egress PR image
+        run: |
+          set -euo pipefail
+          image_ref="ghcr.io/agynio/egress:${TF_VAR_egress_image_tag}"
+          for attempt in {1..60}; do
+            if docker buildx imagetools inspect "${image_ref}" >/dev/null 2>&1; then
+              echo "Found ${image_ref}"
+              exit 0
+            fi
+            echo "Waiting for ${image_ref} (${attempt}/60)"
+            sleep 10
+          done
+          echo "Timed out waiting for ${image_ref}" >&2
+          exit 1
+
+      - name: Wait for egress-gateway PR image
+        run: |
+          set -euo pipefail
+          image_ref="ghcr.io/agynio/egress-gateway:${TF_VAR_egress_gateway_image_tag}"
+          for attempt in {1..60}; do
+            if docker buildx imagetools inspect "${image_ref}" >/dev/null 2>&1; then
+              echo "Found ${image_ref}"
+              exit 0
+            fi
+            echo "Waiting for ${image_ref} (${attempt}/60)"
+            sleep 10
+          done
+          echo "Timed out waiting for ${image_ref}" >&2
+          exit 1
+
+      - name: Wait for ziti-management PR image
+        run: |
+          set -euo pipefail
+          image_ref="ghcr.io/agynio/ziti-management:${TF_VAR_ziti_management_image_tag}"
+          for attempt in {1..60}; do
+            if docker buildx imagetools inspect "${image_ref}" >/dev/null 2>&1; then
+              echo "Found ${image_ref}"
+              exit 0
+            fi
+            echo "Waiting for ${image_ref} (${attempt}/60)"
+            sleep 10
+          done
+          echo "Timed out waiting for ${image_ref}" >&2
+          exit 1
+
       - name: Provision cluster
-        uses: agynio/bootstrap/.github/actions/provision@main
+        uses: agynio/bootstrap/.github/actions/provision@noa/issue-153-bootstrap-enrollment
         with:
-          ref: main
+          ref: noa/issue-153-bootstrap-enrollment
 
       - name: Run platform usage E2E test
         uses: ./.github/actions/run-tests
@@ -40,3 +88,13 @@ jobs:
         with:
           tag: svc_metering
           include_smoke: false
+
+      - name: Run egress data-plane E2E test
+        uses: ./.github/actions/run-tests
+        env:
+          E2E_GO_TEST_RUN: TestEgressGatewayDataPlaneSecretInjection
+        with:
+          tag: svc_egress,svc_egress_gateway
+          include_smoke: false
+          e2e-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+          artifact-name: e2e-artifacts-egress-dataplane

docs/e2e/suites/go-core.md

@@ -13,7 +13,7 @@ Validates core platform services through Go E2E tests: gateway authentication, a
 
 - Source directory: `suites/go-core`
 - Test inventory pattern: `tests/*_test.go`
-- Included case count: 92
+- Included case count: 93
 
 ## Actors
 
@@ -146,6 +146,7 @@ Validates core platform services through Go E2E tests: gateway authentication, a
 | [E2E-GO-CORE-098](#e2e-go-core-098) | `TestEgressGatewayFeaturePath` | @svc_egress |
 | [E2E-GO-CORE-099](#e2e-go-core-099) | `TestEgressGatewayDenyAndNoRulePaths` | @svc_egress |
 | [E2E-GO-CORE-100](#e2e-go-core-100) | `TestEgressGatewayDeploymentWiring` | @svc_egress_gateway |
+| [E2E-GO-CORE-101](#e2e-go-core-101) | `TestEgressGatewayDataPlaneSecretInjection` | @svc_egress, @svc_egress_gateway |
 
 ## Scenarios
 
@@ -1263,4 +1264,16 @@ Validates core platform services through Go E2E tests: gateway authentication, a
 - **And** The public internet egress rule allows `0.0.0.0/0` with blocked CIDR exceptions for `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, and `127.0.0.0/8`.
 - **And** A k8s-runner workload can receive and use the egress CA via inline file/env contract.
 
-**Current framework limitation:** full outbound HTTP forwarding through Egress Gateway is not covered here because the current `egress-gateway` service process exposes only its admin health listener; the pure request-processing runtime exists in source but is not wired to an OpenZiti data-plane listener yet. These cases cover the highest-value feasible path: Egress control-plane rule lookup, Secrets referential integrity, deny/no-rule state, Egress Gateway CA/Ziti wiring, and workload NetworkPolicy defaults.
+### E2E-GO-CORE-101
+
+- **Source:** `suites/go-core/tests/egress_dataplane_test.go`
+- **Test:** `TestEgressGatewayDataPlaneSecretInjection`
+- **Tags:** @svc_egress, @svc_egress_gateway
+
+**Scenario:** TestEgressGatewayDataPlaneSecretInjection
+
+- **Given** An authorized agent workload has no authorization token in its command or environment and an allow EgressRule references a platform Secret for `postman-echo.com:443`.
+- **When** The workload sends an HTTPS request to Postman Echo without an Authorization header.
+- **Then** The request is routed through Egress Gateway.
+- **And** Postman Echo reports that the upstream destination received `Authorization: Bearer <secret-value>`.
+- **And** The echoed query marker matches the test request.

docs/e2e/traceability/README.md

@@ -10,7 +10,7 @@ Traceability files map architecture/product anchors and service tags to document
 | Suite | Cases | Tags |
 | --- | ---: | --- |
 | [Go AGN CLI](../suites/go-agn-cli.md) | 6 | @svc_agn_cli |
-| [Go Core](../suites/go-core.md) | 92 | @svc_agents_orchestrator, @svc_runners, @svc_metering, @svc_k8s_runner, @svc_organizations, @svc_files, @svc_gateway, @svc_egress, @svc_egress_gateway, @svc_media_proxy, @svc_llm, @svc_llm_proxy, @smoke |
+| [Go Core](../suites/go-core.md) | 93 | @svc_agents_orchestrator, @svc_runners, @svc_metering, @svc_k8s_runner, @svc_organizations, @svc_files, @svc_gateway, @svc_egress, @svc_egress_gateway, @svc_media_proxy, @svc_llm, @svc_llm_proxy, @smoke |
 | [Go Terraform Provider](../suites/go-terraform.md) | 47 | @svc_gateway, @tf_provider_agyn |
 | [Playwright Console App](../suites/playwright.md) | 41 | @svc_console, @svc_gateway, @svc_threads, @svc_metering, @svc_identity, @smoke |
 | [Playwright Chat App](../suites/playwright-chat-app.md) | 27 | @svc_chat_app, @svc_gateway, @svc_agents_orchestrator, @svc_organizations, @svc_files, @svc_media_proxy, @svc_tracing_app |

docs/e2e/traceability/architecture-product-anchors.md

@@ -12,7 +12,7 @@ These anchors use current E2E tag taxonomy. Replace anchor labels with deep link
 | Architecture: Agents orchestration | `@svc_agents_orchestrator` | [E2E-GO-CORE-001](../suites/go-core.md#e2e-go-core-001), [E2E-GO-CORE-002](../suites/go-core.md#e2e-go-core-002), [E2E-GO-CORE-003](../suites/go-core.md#e2e-go-core-003), [E2E-GO-CORE-004](../suites/go-core.md#e2e-go-core-004), [E2E-GO-CORE-005](../suites/go-core.md#e2e-go-core-005), [E2E-GO-CORE-006](../suites/go-core.md#e2e-go-core-006), [E2E-GO-CORE-011](../suites/go-core.md#e2e-go-core-011), [E2E-GO-CORE-012](../suites/go-core.md#e2e-go-core-012), [E2E-GO-CORE-013](../suites/go-core.md#e2e-go-core-013), [E2E-GO-CORE-058](../suites/go-core.md#e2e-go-core-058), [E2E-GO-CORE-059](../suites/go-core.md#e2e-go-core-059), [E2E-GO-CORE-072](../suites/go-core.md#e2e-go-core-072), [E2E-GO-CORE-073](../suites/go-core.md#e2e-go-core-073), [E2E-GO-CORE-075](../suites/go-core.md#e2e-go-core-075), [E2E-GO-CORE-082](../suites/go-core.md#e2e-go-core-082), [E2E-GO-CORE-083](../suites/go-core.md#e2e-go-core-083), [E2E-GO-CORE-084](../suites/go-core.md#e2e-go-core-084), [E2E-GO-CORE-087](../suites/go-core.md#e2e-go-core-087), [E2E-GO-CORE-088](../suites/go-core.md#e2e-go-core-088), [E2E-GO-CORE-096](../suites/go-core.md#e2e-go-core-096), [E2E-GO-CORE-097](../suites/go-core.md#e2e-go-core-097), [E2E-PLAYWRIGHT-CHAT-APP-001](../suites/playwright-chat-app.md#e2e-playwright-chat-app-001), [E2E-PLAYWRIGHT-CHAT-APP-012](../suites/playwright-chat-app.md#e2e-playwright-chat-app-012), [E2E-PLAYWRIGHT-CHAT-APP-013](../suites/playwright-chat-app.md#e2e-playwright-chat-app-013), [E2E-PLAYWRIGHT-CHAT-APP-014](../suites/playwright-chat-app.md#e2e-playwright-chat-app-014), [E2E-PLAYWRIGHT-TRACING-APP-005](../suites/playwright-tracing-app.md#e2e-playwright-tracing-app-005), [E2E-PLAYWRIGHT-TRACING-APP-006](../suites/playwright-tracing-app.md#e2e-playwright-tracing-app-006) |
 | Architecture: Threads and messages | `@svc_threads` | [E2E-PLAYWRIGHT-023](../suites/playwright.md#e2e-playwright-023), [E2E-PLAYWRIGHT-024](../suites/playwright.md#e2e-playwright-024) |
 | Architecture: Runners and workloads | `@svc_runners`, `@svc_k8s_runner` | [E2E-GO-CORE-002](../suites/go-core.md#e2e-go-core-002), [E2E-GO-CORE-027](../suites/go-core.md#e2e-go-core-027), [E2E-GO-CORE-028](../suites/go-core.md#e2e-go-core-028), [E2E-GO-CORE-029](../suites/go-core.md#e2e-go-core-029), [E2E-GO-CORE-030](../suites/go-core.md#e2e-go-core-030), [E2E-GO-CORE-031](../suites/go-core.md#e2e-go-core-031), [E2E-GO-CORE-032](../suites/go-core.md#e2e-go-core-032), [E2E-GO-CORE-033](../suites/go-core.md#e2e-go-core-033), [E2E-GO-CORE-034](../suites/go-core.md#e2e-go-core-034), [E2E-GO-CORE-035](../suites/go-core.md#e2e-go-core-035), [E2E-GO-CORE-036](../suites/go-core.md#e2e-go-core-036), [E2E-GO-CORE-037](../suites/go-core.md#e2e-go-core-037), [E2E-GO-CORE-038](../suites/go-core.md#e2e-go-core-038), [E2E-GO-CORE-039](../suites/go-core.md#e2e-go-core-039), [E2E-GO-CORE-040](../suites/go-core.md#e2e-go-core-040), [E2E-GO-CORE-041](../suites/go-core.md#e2e-go-core-041), [E2E-GO-CORE-042](../suites/go-core.md#e2e-go-core-042), [E2E-GO-CORE-043](../suites/go-core.md#e2e-go-core-043), [E2E-GO-CORE-044](../suites/go-core.md#e2e-go-core-044), [E2E-GO-CORE-045](../suites/go-core.md#e2e-go-core-045), [E2E-GO-CORE-046](../suites/go-core.md#e2e-go-core-046), [E2E-GO-CORE-047](../suites/go-core.md#e2e-go-core-047), [E2E-GO-CORE-048](../suites/go-core.md#e2e-go-core-048), [E2E-GO-CORE-049](../suites/go-core.md#e2e-go-core-049), [E2E-GO-CORE-050](../suites/go-core.md#e2e-go-core-050), [E2E-GO-CORE-051](../suites/go-core.md#e2e-go-core-051), [E2E-GO-CORE-052](../suites/go-core.md#e2e-go-core-052), [E2E-GO-CORE-053](../suites/go-core.md#e2e-go-core-053), [E2E-GO-CORE-084](../suites/go-core.md#e2e-go-core-084), [E2E-GO-CORE-089](../suites/go-core.md#e2e-go-core-089), [E2E-GO-CORE-090](../suites/go-core.md#e2e-go-core-090), [E2E-GO-CORE-091](../suites/go-core.md#e2e-go-core-091), [E2E-GO-CORE-092](../suites/go-core.md#e2e-go-core-092), [E2E-GO-CORE-093](../suites/go-core.md#e2e-go-core-093), [E2E-GO-CORE-094](../suites/go-core.md#e2e-go-core-094), [E2E-GO-CORE-095](../suites/go-core.md#e2e-go-core-095), [E2E-GO-CORE-096](../suites/go-core.md#e2e-go-core-096) |
-| Architecture: Egress Gateway | `@svc_egress`, `@svc_egress_gateway` | [E2E-GO-CORE-098](../suites/go-core.md#e2e-go-core-098), [E2E-GO-CORE-099](../suites/go-core.md#e2e-go-core-099), [E2E-GO-CORE-100](../suites/go-core.md#e2e-go-core-100) |
+| Architecture: Egress Gateway | `@svc_egress`, `@svc_egress_gateway` | [E2E-GO-CORE-098](../suites/go-core.md#e2e-go-core-098), [E2E-GO-CORE-099](../suites/go-core.md#e2e-go-core-099), [E2E-GO-CORE-100](../suites/go-core.md#e2e-go-core-100), [E2E-GO-CORE-101](../suites/go-core.md#e2e-go-core-101) |
 | Architecture: Files and media | `@svc_files`, `@svc_media_proxy` | [E2E-GO-CORE-007](../suites/go-core.md#e2e-go-core-007), [E2E-GO-CORE-008](../suites/go-core.md#e2e-go-core-008), [E2E-GO-CORE-009](../suites/go-core.md#e2e-go-core-009), [E2E-GO-CORE-010](../suites/go-core.md#e2e-go-core-010), [E2E-GO-CORE-060](../suites/go-core.md#e2e-go-core-060), [E2E-GO-CORE-061](../suites/go-core.md#e2e-go-core-061), [E2E-GO-CORE-062](../suites/go-core.md#e2e-go-core-062), [E2E-GO-CORE-063](../suites/go-core.md#e2e-go-core-063), [E2E-GO-CORE-064](../suites/go-core.md#e2e-go-core-064), [E2E-GO-CORE-065](../suites/go-core.md#e2e-go-core-065), [E2E-GO-CORE-066](../suites/go-core.md#e2e-go-core-066), [E2E-GO-CORE-067](../suites/go-core.md#e2e-go-core-067), [E2E-GO-CORE-068](../suites/go-core.md#e2e-go-core-068), [E2E-GO-CORE-069](../suites/go-core.md#e2e-go-core-069), [E2E-GO-CORE-070](../suites/go-core.md#e2e-go-core-070), [E2E-PLAYWRIGHT-CHAT-APP-019](../suites/playwright-chat-app.md#e2e-playwright-chat-app-019), [E2E-PLAYWRIGHT-CHAT-APP-020](../suites/playwright-chat-app.md#e2e-playwright-chat-app-020), [E2E-PLAYWRIGHT-CHAT-APP-021](../suites/playwright-chat-app.md#e2e-playwright-chat-app-021), [E2E-PLAYWRIGHT-CHAT-APP-022](../suites/playwright-chat-app.md#e2e-playwright-chat-app-022), [E2E-PLAYWRIGHT-CHAT-APP-023](../suites/playwright-chat-app.md#e2e-playwright-chat-app-023), [E2E-PLAYWRIGHT-CHAT-APP-024](../suites/playwright-chat-app.md#e2e-playwright-chat-app-024) |
 | Architecture: LLM services | `@svc_llm`, `@svc_llm_proxy` | [E2E-GO-CORE-054](../suites/go-core.md#e2e-go-core-054), [E2E-GO-CORE-055](../suites/go-core.md#e2e-go-core-055), [E2E-GO-CORE-056](../suites/go-core.md#e2e-go-core-056), [E2E-GO-CORE-057](../suites/go-core.md#e2e-go-core-057), [E2E-GO-CORE-075](../suites/go-core.md#e2e-go-core-075), [E2E-GO-CORE-087](../suites/go-core.md#e2e-go-core-087), [E2E-GO-CORE-088](../suites/go-core.md#e2e-go-core-088) |
 | Architecture: Metering | `@svc_metering` | [E2E-GO-CORE-071](../suites/go-core.md#e2e-go-core-071), [E2E-PLAYWRIGHT-020](../suites/playwright.md#e2e-playwright-020) |