From 63c29a88786e7b2390f28ab93cb4781ab2e58a7d Mon Sep 17 00:00:00 2001
From: treagitlab
Date: Fri, 5 Dec 2025 13:41:28 -0800
Subject: [PATCH] Add group-saml scenario to CNG pipeline
---
 .gitlab/ci/test-on-cng/main.gitlab-ci.yml | 74 ++++++++++++-------
 .../lib/deployment/configurations/kind.rb | 47 ++++++++++--
 .../scenario/test/integration/group_saml.rb | 2 +-
 3 files changed, 92 insertions(+), 31 deletions(-)
diff --git a/.gitlab/ci/test-on-cng/main.gitlab-ci.yml b/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
index 0d91074ac3b876..e584c92f193ffe 100644
--- a/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
+++ b/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
@@ -100,6 +100,40 @@ workflow:
 variables:
 EXTRA_DEPLOY_VALUES: --env COVERBAND_ENABLED=${COVERBAND_ENABLED}
+.cng-omniauth-setup:
+ before_script:
+ # Install 1Password CLI for GitHub 2FA authentication
+ - |
+ curl -sSfO https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+ dpkg -i 1password-cli-amd64-latest.deb || apt-get install -f -y
+ rm 1password-cli-amd64-latest.deb
+ op --version
+ - !reference [.qa-install, before_script]
+ # Set up gitlab.test domain with hosts file
+ - export CLUSTER_IP="$(getent hosts docker | awk '{ print $1 }' | head -n1)"
+ - echo "${CLUSTER_IP} gitlab.test" >> /etc/hosts
+ - export GITLAB_DOMAIN="test"
+ # Set SAML flags if GroupSAML scenario
+ - |
+ if [ "$QA_SCENARIO" = "QA::EE::Scenario::Test::Integration::GroupSAML" ]; then
+ export HELM_SAML_FLAGS="--set global.appConfig.omniauth.enabled=true --set global.appConfig.omniauth.providers[0].secret=gitlab-saml-config --set global.appConfig.omniauth.providers[0].key=saml_settings"
+ else
+ export HELM_SAML_FLAGS=""
+ fi
+ # Deploy with test domain
+ - echo "${EXTRA_DEPLOY_VALUES}" > $CI_PROJECT_DIR/EXTRA_DEPLOY_VALUES
+ - |
+ bundle exec orchestrator create deployment "${DEPLOYMENT_TYPE:-kind}" \
+ --gitlab-domain "${GITLAB_DOMAIN}" \
+ --timeout 10m \
+ --chart-sha "${GITLAB_HELM_CHART_REF}" \
+ --admin-token "${GITLAB_QA_ADMIN_ACCESS_TOKEN}" \
+ --retry 1 \
+ --resource-preset high \
+ $HELM_SAML_FLAGS
+ - export QA_GITLAB_URL="http://gitlab.${GITLAB_DOMAIN}${QA_RELATIVE_URL_ROOT}"
+ - bundle exec orchestrator metrics start --interval 1
+
 # ==========================================
 # Pre stage
 # ==========================================
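Review bot: The `bundle exec orchestrator create deployment` call in `.cng-omniauth-setup` ends with `$HELM_SAML_FLAGS` and no longer passes `--ci ${EXTRA_DEPLOY_VALUES}`, which the cng-oauth before_script it replaces (removed in the next hunk) had as its last argument. The `echo "${EXTRA_DEPLOY_VALUES}" > $CI_PROJECT_DIR/EXTRA_DEPLOY_VALUES` line above it still runs but nothing consumes the file, so values such as the `--env COVERBAND_ENABLED=...` visible in this hunk's context lines appear to no longer reach the deployment. Unless dropping it is intended, keep it as the last fixed argument: `--ci ${EXTRA_DEPLOY_VALUES} \` followed by `$HELM_SAML_FLAGS` (left unquoted on purpose so the flag string is word-split). Separately, the 1Password CLI step carried over from cng-oauth installs a .deb fetched with `curl -sSfO` and no checksum or signature check; not new, but now shared by two jobs, so pinning the version and verifying a checksum would be cheap hardening.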
@@ -189,35 +223,25 @@ cng-oauth:
 - .cng-test
 variables:
 QA_SCENARIO: Test::Integration::OAuth
- QA_RSPEC_TAGS: --tag oauth
 QA_RUN_IN_PARALLEL: "false"
 QA_GITHUB_OAUTH_APP_ID: $QA_GITHUB_OAUTH_APP_ID
 QA_GITHUB_OAUTH_APP_SECRET: $QA_GITHUB_OAUTH_APP_SECRET
 before_script:
- # Install 1Password CLI for GitHub 2FA authentication
- - |
- curl -sSfO https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
- dpkg -i 1password-cli-amd64-latest.deb || apt-get install -f -y
- rm 1password-cli-amd64-latest.deb
- op --version
- - !reference [.qa-install, before_script]
- # Set up gitlab.test domain with hosts file
- - export CLUSTER_IP="$(getent hosts docker | awk '{ print $1 }' | head -n1)"
- - echo "${CLUSTER_IP} gitlab.test" >> /etc/hosts
- - export GITLAB_DOMAIN="test"
- # Deploy with test domain (don't use reference to avoid override)
- - echo "${EXTRA_DEPLOY_VALUES}" > $CI_PROJECT_DIR/EXTRA_DEPLOY_VALUES
- - |
- bundle exec orchestrator create deployment "${DEPLOYMENT_TYPE:-kind}" \
- --gitlab-domain "${GITLAB_DOMAIN}" \
- --timeout 5m \
- --chart-sha "${GITLAB_HELM_CHART_REF}" \
- --admin-token "${GITLAB_QA_ADMIN_ACCESS_TOKEN}" \
- --retry 1 \
- --resource-preset high \
- --ci ${EXTRA_DEPLOY_VALUES}
- - export QA_GITLAB_URL="http://gitlab.${GITLAB_DOMAIN}${QA_RELATIVE_URL_ROOT}"
- - bundle exec orchestrator metrics start --interval 1
+ - !reference [.cng-omniauth-setup, before_script]
+
+cng-group-saml:
+ extends:
+ - .cng-test
+ variables:
+ QA_SCENARIO: QA::EE::Scenario::Test::Integration::GroupSAML
+ QA_RUN_IN_PARALLEL: "false"
+ QA_SAML_IDP_SSO_URL: $QA_SAML_IDP_SSO_URL
+ QA_SAML_IDP_CERTIFICATE_FINGERPRINT: $QA_SAML_IDP_CERTIFICATE_FINGERPRINT
+ before_script:
+ - !reference [.cng-omniauth-setup, before_script]
+ rules:
+ - !reference [.rules:test:ee-only, rules]
+ - if: $QA_SUITES =~ /Test::Integration::GroupSAML/
 # ==========================================
 # Post test stage
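Review bot: `cng-group-saml` sets `QA_SCENARIO: QA::EE::Scenario::Test::Integration::GroupSAML` in fully qualified form while the neighbouring `cng-oauth` keeps the short `Test::Integration::OAuth` form, and the difference is load-bearing: the shared `.cng-omniauth-setup` (previous hunk) turns on the SAML helm flags only on an exact string compare against that fully qualified value, whereas `saml_enabled?` in kind.rb uses a substring check. A reader normalising the two spellings would silently deploy without omniauth and get an opaque SAML failure later in the test. I would add a comment above the variable: `# Keep fully qualified: .cng-omniauth-setup compares this exact string to enable the SAML helm flags`. The `rules` block pairs `.rules:test:ee-only` with `$QA_SUITES =~ /Test::Integration::GroupSAML/`; I cannot see cng-oauth's rules from this hunk, so it is worth confirming the two jobs gate the same way.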
diff --git a/qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/configurations/kind.rb b/qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/configurations/kind.rb
index b4ee2e9c08802e..7691669afd1714 100644
--- a/qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/configurations/kind.rb
+++ b/qa/gems/gitlab-orchestrator/lib/gitlab/orchestrator/lib/deployment/configurations/kind.rb
@@ -53,6 +53,7 @@ def run_pre_deployment_setup
 create_initial_root_password
 create_pre_receive_hook
 create_oauth_secret if oauth_enabled?
+ create_saml_secret if saml_enabled?
 end
 # Run post-deployment setup
@@ -199,6 +200,13 @@ def patch_registry_svc_port
 puts kubeclient.patch('svc', 'gitlab-registry', patch_data)
 end
+ # Check if OAuth is enabled
+ #
+ # @return [Boolean]
+ def oauth_enabled?
+ ENV['QA_SCENARIO']&.include?('OAuth')
+ end
+
 # Create OAuth provider secret
 #
 # @return [void]
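Review bot: The relocated `oauth_enabled?` changes its trigger from `QA_RSPEC_TAGS` containing `oauth` to `QA_SCENARIO` containing `OAuth`, but its YARD comment still reads only "Check if OAuth is enabled", so the behavioural change and the fact that `QA_RSPEC_TAGS` is no longer consulted are invisible to the next reader. I would state the contract explicitly: `# True when QA_SCENARIO names the OAuth integration scenario (substring match; QA_RSPEC_TAGS is no longer consulted)`. Note that `include?('OAuth')` is a substring test and will also fire for any other scenario name containing that token; if that is unintended, matching the full scenario class name, as the CI shell condition does for GroupSAML, would be stricter. The `create_saml_secret if saml_enabled?` line added to `run_pre_deployment_setup` in the first hunk is the symmetric call and needs nothing further.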
@@ -223,11 +231,40 @@ def create_oauth_secret
 puts mask_secrets(kubeclient.create_resource(secret), secrets_to_mask)
 end
- # Check if OAuth is enabled
- #
- # @return [Boolean]
- def oauth_enabled?
- ENV['QA_RSPEC_TAGS']&.include?('oauth')
+ def saml_enabled?
+ ENV['QA_SCENARIO']&.include?('GroupSAML')
+ end
+
+ def oauth_provider_config
+ {
+ name: 'github',
+ app_id: ENV['QA_GITHUB_OAUTH_APP_ID'],
+ app_secret: ENV['QA_GITHUB_OAUTH_APP_SECRET']
+ }
+ end
+
+ def saml_provider_config
+ {
+ name: 'saml',
+ secret: 'gitlab-saml-config',
+ key: 'saml_settings'
+ }
+ end
+
+ def create_saml_secret
+ log("Creating SAML provider secret", :info)
+
+ saml_config = {
+ assertion_consumer_service_url: 'http://gitlab.test/users/auth/saml/acs',
+ issuer: 'http://gitlab.test',
+ idp_sso_target_url: ENV['QA_SAML_IDP_SSO_URL'],
+ idp_cert_fingerprint: ENV['QA_SAML_IDP_CERTIFICATE_FINGERPRINT'],
+ name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+ }.to_yaml
+
+ # Create secret with proper structure
+ secret = Kubectl::Resources::Secret.new('gitlab-saml-config', 'saml_settings', saml_config)
+ puts kubeclient.create_resource(secret)
 end
 end
 end
diff --git a/qa/qa/ee/scenario/test/integration/group_saml.rb b/qa/qa/ee/scenario/test/integration/group_saml.rb
index f071ee044db6e2..4651ec09b8da19 100644
--- a/qa/qa/ee/scenario/test/integration/group_saml.rb
+++ b/qa/qa/ee/scenario/test/integration/group_saml.rb
@@ -11,7 +11,7 @@ class GroupSAML < QA::Scenario::Template
 tags :group_saml
- pipeline_mappings test_on_omnibus: %w[group-saml]
+ pipeline_mappings test_on_cng: %w[cng-group-saml]
 end
 end
 end
-- 
GitLab
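Review bot: `create_saml_secret` reads `ENV['QA_SAML_IDP_SSO_URL']` and `ENV['QA_SAML_IDP_CERTIFICATE_FINGERPRINT']` with `[]`, so when either is unset the secret is still created with an empty `idp_sso_target_url`/`idp_cert_fingerprint` and the problem only surfaces later as a SAML failure inside the test; `idp_sso_target_url: ENV.fetch('QA_SAML_IDP_SSO_URL')` and `idp_cert_fingerprint: ENV.fetch('QA_SAML_IDP_CERTIFICATE_FINGERPRINT')` would fail the deployment step with a clear KeyError instead. The four new methods (`saml_enabled?`, `oauth_provider_config`, `saml_provider_config`, `create_saml_secret`) carry no YARD header, unlike `oauth_enabled?` and `create_oauth_secret` in the same file, so at minimum each needs a one-line purpose plus `# @return [Boolean]`, `# @return [Hash]` or `# @return [void]` in the existing style. `oauth_provider_config` and `saml_provider_config` are not referenced anywhere in this hunk; if a caller elsewhere consumes them the comment should name it, otherwise they read as dead code. `create_oauth_secret` above routes its output through `mask_secrets`, whereas `create_saml_secret` prints `kubeclient.create_resource(secret)` unmasked; the IdP values are arguably not secrets, but keeping the same call shape avoids leaking anything `create_resource` echoes back in the job log. The ACS and `issuer` URLs are hard-coded to `http://gitlab.test` rather than derived from the `--gitlab-domain` the CI job passes, which works for the current job but deserves a comment saying so.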