[e2e-scan] Test: Add e2e scenario for virtual-cluster client_certificate authentication type #774

@github-actions

Gap Summary

The event_gateway_virtual_cluster declarative resource supports five authentication types: anonymous, sasl_plain, sasl_scram, oauth_bearer, and client_certificate. The client_certificate type was added in the SDK 0.30.0 upgrade (commit 448ba68) with unit tests for buildVirtualClusterAuthentication and convertToVirtualClusterSensitiveDataAwareAuth, but no E2E scenario exercises create, plan, or update with client_certificate authentication. All existing scenarios exclusively use anonymous auth.

This matters because client_certificate flows through a distinct code path in both the planner (compareAuthentication switch-case added in 448ba68) and the executor (convertToVirtualClusterSensitiveDataAwareAuth), and a regression in either would pass unit tests while silently breaking the real apply/sync workflow.


Evidence

Recently added implementation without E2E coverage:

  • internal/declarative/executor/event_gateway_virtual_cluster_adapter.go: buildVirtualClusterAuthentication case "client_certificate" (line 570) and convertToVirtualClusterSensitiveDataAwareAuth
  • internal/declarative/planner/event_gateway_virtual_cluster_planner.go: compareAuthentication case VirtualClusterAuthenticationSensitiveDataAwareSchemeTypeClientCertificate (added in 448ba68)
  • internal/declarative/executor/event_gateway_virtual_cluster_adapter_test.go — unit tests added in 448ba68 only exercise client_certificate, not E2E lifecycle

All existing E2E configs use anonymous only:

test/e2e/scenarios/event-gateway/virtual-cluster/testdata/config.yaml
test/e2e/scenarios/event-gateway/virtual-cluster/overlays/*/config.yaml
test/e2e/scenarios/event-gateway/plan/*/overlays/003-virtual-cluster/config.yaml
test/e2e/scenarios/event-gateway/dump/testdata/config.yaml

Proposed Scenario Work

Option A — Add a new overlay step to the existing virtual-cluster scenario

Add overlays/005-auth-client-cert/config.yaml that changes the virtual cluster authentication from the current sasl_plain (used in overlays/001-update-fields) to client_certificate, and add a corresponding step 006-auth-switch-to-client-cert in scenario.yaml:

  1. Step: plan the auth change — assert plan shows UPDATE for event_gateway_virtual_cluster
  2. Step: apply the change — assert applied: 1, failed: 0
  3. Step: verify via get event-gateway virtual-clusters — assert authentication[0].type == "client_certificate"

Option B — New standalone scenario

Create test/e2e/scenarios/event-gateway/virtual-cluster-client-cert/ with a self-contained create → verify → delete lifecycle using client_certificate auth throughout.

Option A is lower effort and keeps the coverage expansion in the established pattern.

Important assertions to include:

  • Plan output: changes[?...] | [0].fields["authentication[0].type"] == "client_certificate"
  • Post-apply get: authentication[0].type == "client_certificate"
  • Post-update verify that compareAuthentication in the planner treats a re-apply as a no-op (idempotency)

Prerequisites:

  • KONGCTL_ENABLE_EVENT_GATEWAY env var must be set (already required by the existing scenario)

Acceptance Criteria

  • At least one E2E step creates or updates a virtual cluster with authentication: [{type: client_certificate}]
  • The get verification after apply asserts authentication[0].type == "client_certificate"
  • A re-plan with no config change (idempotency) produces zero planned changes
  • The scenario runs cleanly under KONGCTL_ENABLE_EVENT_GATEWAY=true

Reference Patterns

  • test/e2e/scenarios/event-gateway/virtual-cluster/scenario.yaml — existing lifecycle pattern to extend
  • test/e2e/scenarios/event-gateway/virtual-cluster/overlays/001-update-fields/config.yaml — overlay structure to copy
  • internal/declarative/executor/event_gateway_virtual_cluster_adapter_test.go — unit test showing correct client_certificate input shape

Generated by E2E Coverage Scanner · expires on May 8, 2026, 12:56 PM UTC
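
The planner-side property the acceptance criteria ask the E2E steps to prove, as an added Go sketch that is not kongctl's code: switching to `client_certificate` yields exactly one type change, and a re-plan with identical config yields none. `AuthScheme`, `diffAuthentication` and the `Username` field are hypothetical names used for illustration only.

```go
package main

import "fmt"

// AuthScheme is a hypothetical, simplified stand-in for one entry of a virtual
// cluster's authentication list. It is not the SDK or kongctl type.
type AuthScheme struct {
	Type     string
	Username string // hypothetical field, compared only for sasl_* types here
}

// diffAuthentication returns changed fields keyed like the plan assertions in
// the issue ("authentication[0].type"). An empty map means a no-op plan.
func diffAuthentication(desired, current []AuthScheme) (map[string]string, error) {
	changes := map[string]string{}
	if len(desired) != len(current) {
		changes["authentication"] = fmt.Sprintf("%d -> %d entries", len(current), len(desired))
		return changes, nil
	}
	for i, d := range desired {
		if d.Type != current[i].Type {
			changes[fmt.Sprintf("authentication[%d].type", i)] = d.Type
			continue
		}
		switch d.Type {
		case "anonymous", "oauth_bearer", "client_certificate":
			// No per-scheme fields are modelled for these types in this sketch.
		case "sasl_plain", "sasl_scram":
			if d.Username != current[i].Username {
				changes[fmt.Sprintf("authentication[%d].username", i)] = d.Username
			}
		default:
			// A type without its own case fails loudly instead of being
			// reported as "no change" or as a change on every plan.
			return nil, fmt.Errorf("authentication[%d]: unhandled type %q", i, d.Type)
		}
	}
	return changes, nil
}

func main() {
	cert := []AuthScheme{{Type: "client_certificate"}}
	plain := []AuthScheme{{Type: "sasl_plain", Username: "svc"}} // constructed sample
	update, _ := diffAuthentication(cert, plain)
	replan, _ := diffAuthentication(cert, cert)
	fmt.Println(update, len(replan))
}
```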
