cloud-pi-native · Falltrades · Jan 28, 2026 · Jan 19, 2026
diff --git a/README.md b/README.md
@@ -50,6 +50,7 @@
 - [Utilisation de credentials Docker Hub pour le pull des images](#utilisation-de-credentials-docker-hub-pour-le-pull-des-images)
 - [Gestion des users Keycloak](#gestion-des-users-keycloak)
 - [MFA pour les utilisateurs Keycloak](#mfa-pour-les-utilisateurs-keycloak)
+- [Tests d'intégration](#tests-dintégration)
 - [Contributions](#contributions)
   - [Les commandes de l'application](#les-commandes-de-lapplication)
   - [Conventions](#conventions)
@@ -1810,6 +1811,14 @@ Il sera nécessaire pour activer le MFA sur les utilisateurs existants, de lance
 ansible-playbook admin-tools/keycloak-enforce-mfa.yml
 ```
 
+## Tests d'intégration 
+
+Il est possible d'activer les tests d'intégration sur un environnement en spécifiant le paramètre `dsc.tests.installEnabled` à `true`.  
+Les notifications étant pour l'instant uniquement supporté sur Mattermost dans le code, il faudra alors récupérer l'id du channel et le token du bot pour les insérer dans le Vault d'infrastructure.  
+Pour ce qui concerne les comptes de tests `testuser@example.com` et `secondtestuser@example.com`, il faudra s'assurer que :
+- leurs mots de passe correspondent à ceux qui sont insérés dans le Vault d'infrastructure.
+- le MFA n'est pas appliqué.
+
 ## Contributions
 
 ### Les commandes de l'application

diff --git a/admin-tools/templates/my-credentials-example.yaml b/admin-tools/templates/my-credentials-example.yaml
@@ -28,3 +28,12 @@
                 endpointUrl: https://hub.docker.com
                 insecure: false
                 provider: docker-hub
+    - argocd_app: tests
+      vault_values:
+        mattermost:
+          url: ""
+          botToken: ""
+          channelId: ""
+        dsoRealmAdminPassword: ""
+        dsoRealmTestUserPassword: ""
+        dsoRealmSecondTestUserPassword: ""
diff --git a/roles/gitops/dso-app/tasks/main.yaml b/roles/gitops/dso-app/tasks/main.yaml
@@ -17,9 +17,22 @@
     - "{{ dsc.global.gitOps.repo.path }}"
     - applicationSets
 
+- name: Get install-enabled ArgoCD apps
+  ansible.builtin.set_fact:
+    enabled_apps: >-
+      {{ dsc | dict2items | selectattr('value.installEnabled','defined')
+         | selectattr('value.installEnabled','truthy')
+         | map(attribute='key') | reject('equalto','observability') | list
+         + (['observability'] if dsc.observatorium.installEnabled | default(false) else []) }}
+
 - name: Calculate all distinct configured sync waves
   ansible.builtin.set_fact:
-    distinct_waves: "{{ envs | map(attribute='apps') | flatten | map(attribute='syncWave') | unique | sort }}"
+    distinct_waves: >-
+      {{ envs | map(attribute='apps') | flatten
+         | selectattr('syncWave','defined')
+         | selectattr('argocd_app','in',enabled_apps)
+         | map(attribute='syncWave')
+         | unique | sort }}
 
 - name: Render dso-appset template for each sync-waves and write yaml files to destination dir
   vars:

diff --git a/roles/gitops/rendering-apps-files/templates/keycloak/Chart.yaml.j2 b/roles/gitops/rendering-apps-files/templates/keycloak/Chart.yaml.j2
@@ -16,9 +16,3 @@ dependencies:
   alias: cpn-ansible-job
   version: {{ dsc.cpnAnsibleJob.chartVersion | quote }}
   repository: {{ dsc.cpnAnsibleJob.helmRepoUrl }}
-{% if dsc.global.playwright.enabled %}
-- name: cpn-job
-  alias: playwright
-  version: {{ dsc.cpnAnsibleJob.chartVersion | quote }}
-  repository: {{ dsc.cpnAnsibleJob.helmRepoUrl }}
-{% endif %}
diff --git a/roles/gitops/rendering-apps-files/templates/keycloak/templates/secret-playwright.yaml.j2 b/roles/gitops/rendering-apps-files/templates/keycloak/templates/secret-playwright.yaml.j2
diff --git a/roles/gitops/rendering-apps-files/templates/keycloak/templates/users.yaml.j2 b/roles/gitops/rendering-apps-files/templates/keycloak/templates/users.yaml.j2
@@ -7,3 +7,5 @@ data:
   users.csv: |
     username,surname,name,email,status
     admin@example.com,Admin,Admin,admin@example.com,active
+    testuser@example.com,Test,User,testuser@example.com,active
+    secondtestuser@example.com,SecondTest,User,secondtestuser@example.com,active
diff --git a/roles/gitops/rendering-apps-files/templates/keycloak/values/210-playwright-job.j2 b/roles/gitops/rendering-apps-files/templates/keycloak/values/210-playwright-job.j2
diff --git a/roles/gitops/rendering-apps-files/templates/tests/Chart.yaml.j2 b/roles/gitops/rendering-apps-files/templates/tests/Chart.yaml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: v2
+name: tests 
+type: application
+version: 1.0.0
+dependencies:
+- name: cpn-job
+  alias: console-integration-test
+  version: {{ dsc.cpnAnsibleJob.chartVersion | quote }}
+  repository: {{ dsc.cpnAnsibleJob.helmRepoUrl }}
+- name: cpn-job
+  alias: keycloak-integration-test
+  version: {{ dsc.cpnAnsibleJob.chartVersion | quote }}
+  repository: {{ dsc.cpnAnsibleJob.helmRepoUrl }}
diff --git a/roles/gitops/rendering-apps-files/templates/tests/templates/secret-playwright.yaml.j2 b/roles/gitops/rendering-apps-files/templates/tests/templates/secret-playwright.yaml.j2
@@ -0,0 +1,60 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: console-playwright-secret
+  annotations:
+    avp.kubernetes.io/remove-missing: "true"
+type: Opaque
+stringData:
+  KEYCLOAK_DOMAIN: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#domain| jsonPath {.keycloak}>
+  KEYCLOAK_REDIRECT_URI: https://<path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#domain| jsonPath {.console}>
+  KEYCLOAK_PROTOCOL: https
+  CONSOLE_ADMIN_USERNAME: 'admin@example.com'
+  CONSOLE_ADMIN_PASSWORD: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#dsoRealmAdminPassword>
+  CONSOLE_ADMIN_EMAIL: 'admin@example.com'
+  CONSOLE_TEST_USERNAME: 'testuser@example.com'
+  CONSOLE_TEST_PASSWORD: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#dsoRealmTestUserPassword>
+  CONSOLE_TEST_EMAIL: 'testuser@example.com'
+  CONSOLE_SECOND_TEST_USERNAME: 'secondtestuser@example.com'
+  CONSOLE_SECOND_TEST_PASSWORD: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#dsoRealmSecondTestUserPassword>
+  CONSOLE_SECOND_TEST_EMAIL: 'secondtestuser@example.com'
+  CONSOLE_GLOBAL_TIMEOUT: '300000'
+  CONSOLE_EXPECT_TIMEOUT: '300000'
+  CONSOLE_DESTINATION_CLUSTER: "{{ dsc.tests.playwright.consoleDestinationCluster }}"
+  CONSOLE_VALUES_FILE: "{{ dsc.tests.playwright.consoleValuesFile }}"
+{% if dsc.proxy.enabled %}
+  HTTP_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.httpProxy}>
+  HTTPS_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.httpsProxy}>
+  NO_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.noProxy}>
+{% endif %}
+  MATTERMOST_URL: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.url}>
+  MATTERMOST_CHANNEL_ID: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.channelId}>
+  MATTERMOST_TOKEN: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.botToken}>
+  PLAYWRIGHT_TEST: "playwright/integration-tests/user-flow.spec.ts -c playwright.config.integration.ts"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-playwright-secret
+  annotations:
+    avp.kubernetes.io/remove-missing: "true"
+type: Opaque
+stringData:
+  KEYCLOAK_DOMAIN: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#domain| jsonPath {.keycloak}>
+  KEYCLOAK_REDIRECT_URI: https://<path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#domain| jsonPath {.console}>
+  KEYCLOAK_PROTOCOL: https
+  KEYCLOAK_ADMIN_USERNAME: dsoadmin
+  KEYCLOAK_ADMIN_PASSWORD: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/keycloak/values#auth| jsonPath {.adminPassword}>
+  KEYCLOAK_REALM: {{ dsc.keycloak.applicationRealm }}
+  KEYCLOAK_CLIENT_FRONTEND: console-frontend
+  KEYCLOAK_CLIENT_BACKEND: console-backend
+{% if dsc.proxy.enabled %}
+  HTTP_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.httpProxy}>
+  HTTPS_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.httpsProxy}>
+  NO_PROXY: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#proxy | jsonPath {.noProxy}>
+{% endif %}
+  MATTERMOST_URL: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.url}>
+  MATTERMOST_CHANNEL_ID: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.channelId}>
+  MATTERMOST_TOKEN: <path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/tests/values#playwright | jsonPath {.mattermost.botToken}>
+  PLAYWRIGHT_TEST: playwright/e2e-tests/keycloak.spec.ts
diff --git a/roles/gitops/rendering-apps-files/templates/tests/values/00-main.j2 b/roles/gitops/rendering-apps-files/templates/tests/values/00-main.j2
@@ -0,0 +1,26 @@
+console-integration-test:
+  job:
+    image:
+      repository: "<path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#image | jsonPath {.repository.ghcr}>/cloud-pi-native/playwright"
+      tag: "1"
+    command:
+    - /bin/bash
+    - -c
+    - ./playwright.sh
+    extraEnvFrom:
+    - secretRef: 
+        name: console-playwright-secret
+    backoffLimit: 1
+keycloak-integration-test:
+  job:
+    image:
+      repository: "<path:{{ vaultinfra_kv_name }}/data/env/{{ dsc_name }}/apps/global/values#image | jsonPath {.repository.ghcr}>/cloud-pi-native/playwright"
+      tag: "1"
+    command:
+    - /bin/bash
+    - -c
+    - ./playwright.sh
+    extraEnvFrom:
+    - secretRef: 
+        name: keycloak-playwright-secret
+    backoffLimit: 1
diff --git a/roles/socle-config/files/config.yaml b/roles/socle-config/files/config.yaml
@@ -105,8 +105,6 @@ spec:
       watchpointEnabled: true
     dockerAccount:
       enabled: false
-    playwright:
-      enabled: false
     smtp:
       enabled: false
       authentication:
@@ -195,6 +193,9 @@ spec:
     cnpg:
       imageName: cloudnative-pg/postgresql:16.2
     values: {}
+  tests:
+    installEnabled: false
+    values: {}
   vault:
     installEnabled: true
     namespace: dso-vault

diff --git a/roles/socle-config/files/cr-conf-dso-default.yaml b/roles/socle-config/files/cr-conf-dso-default.yaml
@@ -104,5 +104,6 @@ spec:
   #  no_proxy: .cluster.local,.svc,10.0.0.0/8,127.0.0.1,192.168.0.0/16,api.example.com,api-int.example.com,canary-openshift-ingress-canary.apps.example.com,console-openshift-console.apps.example.com,localhost,oauth-openshift.apps.example.com,svc.cluster.local,localdomain
   #  port: "3128"
   sonarqube: {}
+  tests: {}
   vault: {}
   vaultInfra: {}
diff --git a/roles/socle-config/tasks/envs.yaml b/roles/socle-config/tasks/envs.yaml
@@ -73,11 +73,6 @@
                   mcExtraArgs: "{{ dsc.global.backup.gitlab.mcExtraArgs | default('') }}"
                   pathPrefix: "{{ dsc.global.backup.gitlab.pathPrefix | default('') }}"
                   retentionPolicy: "{{ dsc.global.backup.gitlab.retentionPolicy | default('') }}"
-              playwright:
-                mattermost:
-                  url: "{{ dsc.global.playwright.mattermost.url | default('') }}"
-                  channelId: "{{ dsc.global.playwright.mattermost.channelId | default('') }}"
-                  botToken: "{{ dsc.global.playwright.mattermost.botToken | default('') }}"
               smtp:
                 authentication:
                   user: ""
@@ -241,3 +236,14 @@
             nameSpace: "grafana"
             customNamespacePrefix: ""
             syncWave: 70
+          - argocd_app: tests
+            clusterName: ""
+            nameSpace: "tests"
+            customNamespacePrefix: ""
+            syncWave: 80
+            vault_values:
+              playwright:
+                mattermost:
+                  url: ""
+                  channelId: ""
+                  botToken: ""
diff --git a/roles/socle-config/templates/crd-conf-dso.yaml b/roles/socle-config/templates/crd-conf-dso.yaml
@@ -1017,25 +1017,6 @@ spec:
                           description: Specifies whether we should enable the use of a Docker account for Argo CD.
                           type: boolean
                       type: object
-                    playwright:
-                      type: object
-                      properties:
-                        enabled:
-                          default: false
-                          description: Specifies whether Playwright integration tests should be executed.
-                          type: boolean
-                        mattermost:
-                          type: object
-                          properties:
-                            url:
-                              description: The base URL of the Mattermost server (e.g., https://mattermost.example.com).
-                              type: string
-                            channelId:
-                              description: The ID of the Mattermost channel where test reports will be posted.
-                              type: string
-                            botToken:
-                              description: The Mattermost bot user token used to authenticate API requests.
-                              type: string
                     smtp:
                       properties:
                         enabled:
@@ -1650,6 +1631,31 @@ spec:
                   required:
                     - installEnabled
                   type: object
+                tests:
+                  description: Configuration for Socle dashboards.
+                  required:
+                    - installEnabled
+                  type: object
+                  properties:
+                    installEnabled:
+                      default: false
+                      description: |
+                        Specifies whether we should run integration tests on cluster.
+                      type: boolean
+                    playwright:
+                      type: object
+                      properties:
+                        consoleDestinationCluster:
+                          description: Cluster name where ArgoCD deploys applications.
+                          type: string
+                        consoleValuesFile:
+                          description: Values file for ArgoCD.
+                          type: string
+                    values:
+                      description: |
+                        You can add custom values for tests, they will be merged with roles/gitops/rendering-apps-files/templates/tests/values/
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
                 vault:
                   description: Configuration for Vault.
                   properties: