Convert acceptance matrix from KIND-binary to Kubernetes-version, parallelize in CI

.github/workflows/test.yml

@@ -8,10 +8,10 @@ on:
     types: [opened, synchronize, reopened]
   workflow_dispatch:
     inputs:
-      run_acceptance:
-        description: "Run acceptance tests"
-        type: boolean
-        default: false
+      k8s_versions:
+        description: "Optional explicit Kubernetes versions (comma-separated, e.g. v1.31.0,v1.30.0). Leave blank to use the K8S_MATRIX_VERSIONS repository variable."
+        required: false
+        default: ""
 
 permissions:
   contents: read
@@ -129,32 +129,89 @@ jobs:
           echo "✅ All tests completed successfully!"
           echo "================================"
 
+  # ---------------------------------------------------------------------------
+  # Resolve the Kubernetes versions to test into a JSON array consumed by the
+  # acceptance-test matrix below. The workflow_dispatch input takes precedence,
+  # otherwise the repository variable K8S_MATRIX_VERSIONS (ordered kindest/node
+  # tags) is used. Fails if neither is set.
+  # ---------------------------------------------------------------------------
+  acceptance-matrix:
+    name: Acceptance Matrix
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'pull_request' &&
+       github.base_ref == 'main' &&
+       github.event.pull_request.draft == false)
+    runs-on: ubuntu-latest
+    needs: [unit-test, security]
+    outputs:
+      versions: ${{ steps.resolve.outputs.versions }}
+    steps:
+      - name: Resolve configured Kubernetes versions
+        id: resolve
+        env:
+          INPUT_K8S_VERSIONS: ${{ github.event.inputs.k8s_versions || '' }}
+          REPO_K8S_MATRIX_VERSIONS: ${{ vars.K8S_MATRIX_VERSIONS }}
+        run: |
+          # Configure the K8S_MATRIX_VERSIONS repository variable with ordered
+          # kindest/node tags. Available tags: https://hub.docker.com/r/kindest/node
+          raw_versions="${INPUT_K8S_VERSIONS:-${REPO_K8S_MATRIX_VERSIONS:-}}"
+          normalized_versions="$(echo "${raw_versions}" | tr ',' ' ' | xargs)"
+          if [ -z "${normalized_versions}" ]; then
+            echo "K8S_MATRIX_VERSIONS repository variable is required when workflow_dispatch input k8s_versions is empty." >&2
+            exit 1
+          fi
+
+          read -ra versions <<< "${normalized_versions}"
+
+          json="["
+          for version in "${versions[@]}"; do
+            printf -v json '%s"%s",' "${json}" "${version}"
+          done
+          json="${json%,}]"
+
+          echo "versions=${json}" >> "${GITHUB_OUTPUT}"
+          echo "Resolved acceptance matrix: ${json}"
+
+  # ---------------------------------------------------------------------------
+  # One isolated runner per Kubernetes version. fail-fast: false so a failure in
+  # one version does not cancel the others. make k8s-matrix-test (driven by
+  # K8S_VERSIONS) creates a cluster pinned to kindest/node:<version>, generates
+  # worker.hcl, installs the chart, runs the session test, then tears down
+  # (including ID-scoped Boundary worker cleanup).
+  # ---------------------------------------------------------------------------
   acceptance-test:
-    name: Acceptance Test
+    name: Acceptance Test (${{ matrix.k8s_version }})
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'pull_request' &&
+       github.base_ref == 'main' &&
+       github.event.pull_request.draft == false)
     runs-on: ubuntu-latest
-    needs: unit-test
+    needs: acceptance-matrix
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s_version: ${{ fromJSON(needs.acceptance-matrix.outputs.versions) }}
     env:
       BOUNDARY_ADDR: ${{ secrets.BOUNDARY_ADDR }}
       BOUNDARY_AUTH_METHOD_ID: ${{ secrets.BOUNDARY_AUTH_METHOD_ID }}
       BOUNDARY_CLUSTER_ID: ${{ secrets.BOUNDARY_CLUSTER_ID }}
       BOUNDARY_LOGIN_NAME: ${{ secrets.BOUNDARY_LOGIN_NAME }}
       BOUNDARY_PASSWORD: ${{ secrets.BOUNDARY_PASSWORD }}
       BOUNDARY_TARGET_ID: ${{ secrets.BOUNDARY_TARGET_ID }}
+      BOUNDARY_BYOW_IMAGE: ${{ secrets.BOUNDARY_BYOW_IMAGE }}
+      # Selects the kindest/node image the matrix script pins the cluster to.
+      K8S_VERSIONS: ${{ matrix.k8s_version }}
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup acceptance environment
         run: make acceptance-setup
 
-      - name: Generate worker config
-        run: make worker-config
-
-      - name: Install Helm chart and run Helm tests
-        run: make acceptance-helm
-
-      - name: Run acceptance tests
-        run: make acceptance-test
+      - name: Run Kubernetes acceptance test for selected version
+        run: make k8s-matrix-test
 
       - name: Cleanup
         if: always()

Makefile

@@ -7,13 +7,17 @@ ifneq (,$(wildcard .env))
   export
 endif
 
+# Always export the Kubernetes version matrix selection to recipe sub-shells,
+# even when no .env file is present (e.g. `make k8s-matrix-test K8S_MATRIX_VERSIONS=...`).
+export K8S_MATRIX_VERSIONS
+
 # ================================
 # PHONY Declarations
 # ================================
 .PHONY: help format deps clean lint test unit-test worker-config
 .PHONY: setup-helm setup-kubeconform setup-trivy setup-kubescape setup-helm-unittest lint-helm-k8s trivy-scan kubescape-scan
 .PHONY: acceptance-setup acceptance-cluster acceptance-helm acceptance-test acceptance-full acceptance-cleanup
-.PHONY: kind-matrix-test kind-matrix-cleanup
+.PHONY: k8s-matrix-test k8s-matrix-cleanup
 .PHONY: eks-setup eks-helm eks-test eks-full eks-cleanup
 .PHONY: tf-setup tf-destroy tf-output tf-plan
 .PHONY: aks-setup aks-helm aks-test aks-full aks-cleanup
@@ -53,8 +57,8 @@ help:
 	@echo "  make acceptance-test    - Run acceptance tests"
 	@echo "  make acceptance-full    - Run full acceptance workflow (setup + worker-config + helm + tests)"
 	@echo "  make acceptance-cleanup    - Delete acceptance cluster"
-	@echo "  make kind-matrix-test      - Run tcp-target-conn-test.sh across the 2 KIND versions prior to latest (auto-resolved)"
-	@echo "  make kind-matrix-cleanup   - Delete the acceptance cluster and cached KIND binaries"
+	@echo "  make k8s-matrix-test       - Run tcp-target-conn-test.sh across kindest/node K8s versions (set K8S_MATRIX_VERSIONS or K8S_VERSIONS)"
+	@echo "  make k8s-matrix-cleanup    - Delete the acceptance cluster and generated worker config"
 	@echo ""
 	@echo "AWS EKS Acceptance Testing targets (shell-based, legacy):"
 	@echo "  make eks-setup             - Provision EKS cluster via Terraform (tf-setup)"
@@ -464,7 +468,8 @@ worker-config:
 	fi; \
 	export ACTIVATION_TOKEN; \
 	if [ -n "$$WORKER_ID" ]; then \
-		echo "✅ Created worker $$WORKER_ID"; \
+		echo "$$WORKER_ID" > "$${BOUNDARY_WORKER_ID_FILE:-/tmp/boundary-worker-id.txt}"; \
+		echo "✅ Created worker $$WORKER_ID (id saved for ID-scoped verification & cleanup)"; \
 	fi; \
 	echo ""; \
 	echo "Generating worker configuration from template..."; \
@@ -539,11 +544,14 @@ acceptance-test:
 	@bash tests/acceptance/cluster-smoke-test.sh
 	@bash tests/acceptance/tcp-target-conn-test.sh
 	@bash tests/acceptance/cleanup-worker.sh
-	@bash tests/acceptance/kind-version-matrix-test.sh
 	@echo "✅ All acceptance tests passed!"
 	@echo ""
 
 
+# Note: acceptance-full does NOT run the Kubernetes version matrix test.
+# The matrix manages its own cluster lifecycle (it deletes/recreates the
+# 'acceptance' cluster per version), so it is kept separate. Run it on its own:
+#   make k8s-matrix-test K8S_MATRIX_VERSIONS="v1.36.1 v1.35.5"
 acceptance-full:
 	@echo "================================"
 	@echo "Running Full Acceptance Workflow"
@@ -562,32 +570,35 @@ acceptance-full:
 	@echo ""
 
 # ================================
-# KIND Version Matrix Testing
+# Kubernetes Version Matrix Testing
 # ================================
 
-kind-matrix-test:
+k8s-matrix-test:
 	@echo "================================"
-	@echo "KIND Version Matrix Test"
-	@echo "Versions: resolved dynamically from GitHub Releases"
+	@echo "Kubernetes Version Matrix Test"
 	@echo "================================"
-	@chmod +x tests/acceptance/kind-version-matrix-test.sh
-	@bash tests/acceptance/kind-version-matrix-test.sh
+	@if [ -z "$(K8S_MATRIX_VERSIONS)" ] && [ -z "$(K8S_VERSIONS)" ]; then \
+		echo "❌ Set K8S_MATRIX_VERSIONS (ordered kindest/node tags) or K8S_VERSIONS (one-off override)."; \
+		echo "   Example: make k8s-matrix-test K8S_MATRIX_VERSIONS=\"v1.31.0 v1.30.0\""; \
+		echo "   Available tags: https://hub.docker.com/r/kindest/node"; \
+		exit 1; \
+	fi
+	@chmod +x tests/acceptance/k8s-version-matrix-test.sh
+	@K8S_MATRIX_VERSIONS="$(K8S_MATRIX_VERSIONS)" K8S_VERSIONS="$(K8S_VERSIONS)" bash tests/acceptance/k8s-version-matrix-test.sh
 
-kind-matrix-cleanup:
+k8s-matrix-cleanup:
 	@echo "================================"
-	@echo "KIND Matrix Cleanup"
+	@echo "K8s Matrix Cleanup"
 	@echo "================================"
-	@find "$${TMPDIR:-/tmp}" -maxdepth 1 -name 'kind-v[0-9]*' 2>/dev/null | while read -r BIN; do \
-		if [ -x "$$BIN" ] && "$$BIN" get clusters 2>/dev/null | grep -q "^acceptance$$"; then \
-			echo "Deleting cluster using $$(basename $$BIN) binary..."; \
-			"$$BIN" delete cluster --name acceptance; \
-		fi; \
-		rm -f "$$BIN"; \
-		echo "✅ Removed cached $$(basename $$BIN) binary"; \
-	done
+	@if kind get clusters 2>/dev/null | grep -q "^acceptance$$"; then \
+		echo "Deleting acceptance cluster..."; \
+		kind delete cluster --name acceptance; \
+	else \
+		echo "⚠️  Acceptance cluster does not exist"; \
+	fi
 	@rm -f worker.hcl
 	@rm -f /tmp/boundary-worker-id.txt
-	@echo "✅ KIND matrix cleanup complete"
+	@echo "✅ K8s matrix cleanup complete"
 
 acceptance-cleanup:
 	@echo "================================"

docs/OPERATIONS.md

@@ -736,8 +736,9 @@ Operational implications:
 └── tests/
 		├── acceptance/
 		│   ├── cluster-smoke-test.sh
+		│   ├── k8s-matrix-config.yaml.tpl
+		│   ├── k8s-version-matrix-test.sh
 		│   ├── kind-acceptance-config.yaml
-		│   ├── kind-version-matrix-test.sh
 		│   └── tcp-target-conn-test.sh
 		├── integration/
 		│   ├── aks-integration-test.sh
@@ -762,7 +763,8 @@ Key files:
 - `tests/unit/*_test.yaml`: Helm unit tests run with `helm-unittest`
 - `tests/acceptance/cluster-smoke-test.sh`: validates a KIND cluster is up and accessible
 - `tests/acceptance/tcp-target-conn-test.sh`: end-to-end session and TCP connection test
-- `tests/acceptance/kind-version-matrix-test.sh`: runs `tcp-target-conn-test.sh` across multiple KIND versions
+- `tests/acceptance/k8s-version-matrix-test.sh`: runs `tcp-target-conn-test.sh` across multiple Kubernetes versions
+- `tests/acceptance/k8s-matrix-config.yaml.tpl`: KIND cluster template rendered per Kubernetes version by the matrix test
 - `tests/integration/`: EKS and AKS integration tests
 - `docs/TESTING.md`: full testing guide
 - `docs/FAQ.md`: frequently asked questions