use vind for multicluster tests instead of k3s

Taskfile.yml

@@ -359,7 +359,8 @@ tasks:
       DEFAULT_TEST_UPGRADE_REDPANDA_REPO: redpandadata/redpanda
       DEFAULT_TEST_UPGRADE_REDPANDA_VERSION: v24.3.11
       DEFAULT_TEST_UPGRADE_OPERATOR_VERSION: v2.3.9-24.3.11
-      DEFAULT_TEST_VCLUSTER_VERSION: 0.31.2
+      DEFAULT_TEST_VCLUSTER_VERSION: 0.33.1
+      DEFAULT_TEST_VCLUSTER_KUBE_VERSION: v1.35.0
       DEFAULT_TEST_KUBE_VERSION: v1.32.13
       DEFAULT_TEST_COREDNS_VERSION: 1.11.1
       TEST_CERTMANAGER_VERSION: '{{ .TEST_CERTMANAGER_VERSION | default .DEFAULT_TEST_CERTMANAGER_VERSION }}'
@@ -370,6 +371,7 @@ tasks:
       TEST_UPGRADE_REDPANDA_VERSION: '{{ .TEST_UPGRADE_REDPANDA_VERSION | default .DEFAULT_TEST_UPGRADE_REDPANDA_VERSION }}'
       TEST_UPGRADE_OPERATOR_VERSION: '{{ .TEST_UPGRADE_OPERATOR_VERSION | default .DEFAULT_TEST_UPGRADE_OPERATOR_VERSION }}'
       TEST_VCLUSTER_VERSION: '{{ .TEST_VCLUSTER_VERSION | default .DEFAULT_TEST_VCLUSTER_VERSION }}'
+      TEST_VCLUSTER_KUBE_VERSION: '{{ .TEST_VCLUSTER_KUBE_VERSION | default .DEFAULT_TEST_VCLUSTER_KUBE_VERSION }}'
       TEST_KUBE_VERSION: '{{ .TEST_KUBE_VERSION | default .DEFAULT_TEST_KUBE_VERSION }}'
       TEST_COREDNS_VERSION: '{{ .TEST_COREDNS_VERSION | default .DEFAULT_TEST_COREDNS_VERSION }}'
       IMAGES:
@@ -396,9 +398,8 @@ tasks:
       - redpandadata/redpanda-operator:v25.3.1
       - redpandadata/redpanda-operator:{{.TEST_UPGRADE_OPERATOR_VERSION}}
       - ghcr.io/loft-sh/vcluster-pro:{{.TEST_VCLUSTER_VERSION}}
-      # vcluster's embedded k8s distro — the tag is hardcoded in
-      # pkg/vcluster/vcluster.go's DefaultValues.
-      - ghcr.io/loft-sh/kubernetes:v1.33.4
+      - ghcr.io/loft-sh/kubernetes:{{.TEST_VCLUSTER_KUBE_VERSION}}
+      - ghcr.io/loft-sh/vm-container:latest
       - registry.k8s.io/kube-controller-manager:{{.TEST_KUBE_VERSION}}
       - registry.k8s.io/kube-apiserver:{{.TEST_KUBE_VERSION}}
       - coredns/coredns:{{.TEST_COREDNS_VERSION}}

ci/scripts/run-in-nix-docker.sh

@@ -32,6 +32,9 @@ fi
 # Spray and pray work is done, now we want to fail on errors.
 set -e
 
+VCLUSTER_STATE="${VCLUSTER_STATE:-/tmp/vcluster-ctl-config-vol}"
+mkdir -p "$VCLUSTER_STATE"
+
 # BUILDKITE environment variables are used by `buildkite-agent` cli to upload artifact
 printenv | { grep '^BUILDKITE.*=' || true; } > env-file-for-buildkite
 
@@ -67,10 +70,12 @@ docker run --rm -it \
 	-e ACCEPTANCE_ARTIFACTS_DIR \
 	-e INTEGRATION_ARTIFACTS_DIR \
 	-e REDPANDA_SAMPLE_LICENSE \
+	-e VCLUSTER_STATE="$VCLUSTER_STATE" \
 	--user 0:$(id -g) \
 	--privileged \
 	--net=host \
 	--ipc=host \
 	--volume ${DOCKER_SOCKET:7}:/var/run/docker.sock \
 	--volume $(pwd):/work \
+	--volume "$VCLUSTER_STATE:$VCLUSTER_STATE" \
 	$IMAGE_SHA "$@"

ci/vcluster.nix

@@ -5,16 +5,16 @@
 }:
 let
   pname = "vcluster";
-  version = "0.23.0";
+  version = "0.33.1";
   src = {
     # Update hashes with: nix hash to-sri --type sha256 (nix-prefetch-url $URL)
     aarch64-darwin = fetchurl {
       url = "https://github.com/loft-sh/vcluster/releases/download/v${version}/vcluster-darwin-arm64";
-      hash = "sha256-3NWvQramcxvZaewc3hMvYGhSOIIsnWD3mqU/WNA723c=";
+      hash = "sha256-eWzsLSSUXwca3R/DAxqUz5nyL+ihwJdcO+2qg+2Lt8U=";
     };
     x86_64-linux = fetchurl {
       url = "https://github.com/loft-sh/vcluster/releases/download/v${version}/vcluster-linux-amd64";
-      hash = "sha256-4b/UKWj/1hef0A2tKlluiWVhi94FQL1qAmmTc5Q0DMc=";
+      hash = "sha256-vtDpEiOZbORptgGH2eyRkZh9K36kt4W7qfpqznYW3+g=";
     };
   }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
 in

operator/internal/controller/redpanda/multicluster_controller_test.go

@@ -15,6 +15,7 @@ import (
 	"fmt"
 	"os"
 	"slices"
+	"strings"
 	"testing"
 	"time"
 
@@ -28,6 +29,7 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -91,7 +93,7 @@ func (s *MulticlusterControllerSuite) SetupSuite() {
 		Tag:        "dev",
 	}
 
-	s.mc = testenv.NewMulticluster(t, s.ctx, testenv.MulticlusterOptions{
+	s.mc = testenv.NewMulticlusterVind(t, s.ctx, testenv.MulticlusterOptions{
 		Name:               "multicluster",
 		ClusterSize:        3,
 		Scheme:             controller.MulticlusterScheme,
@@ -115,6 +117,9 @@ func (s *MulticlusterControllerSuite) TestManagesFinalizers() {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: nn.Name,
 		},
+		Spec: redpandav1alpha2.StretchClusterSpec{
+			External: &redpandav1alpha2.External{Enabled: ptr.To(false)},
+		},
 	})
 
 	for i, env := range s.mc.Envs {
@@ -155,6 +160,7 @@ func (s *MulticlusterControllerSuite) TestSpecConsistencyConditionSetOnDrift() {
 		},
 		Spec: redpandav1alpha2.StretchClusterSpec{
 			CommonLabels: map[string]string{"env": "prod"},
+			External:     &redpandav1alpha2.External{Enabled: ptr.To(false)},
 		},
 	})
 
@@ -188,9 +194,13 @@ func (s *MulticlusterControllerSuite) TestSpecConsistencyConditionSetOnDrift() {
 	// Introduce drift: patch the spec on one cluster only.
 	driftedEnv := s.mc.Envs[0]
 	var sc redpandav1alpha2.StretchCluster
-	require.NoError(t, driftedEnv.Client().Get(ctx, nn, &sc))
-	sc.Spec.CommonLabels = map[string]string{"env": "staging"}
-	require.NoError(t, driftedEnv.Client().Update(ctx, &sc))
+	require.NoError(t, retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		if err := driftedEnv.Client().Get(ctx, nn, &sc); err != nil {
+			return err
+		}
+		sc.Spec.CommonLabels = map[string]string{"env": "staging"}
+		return driftedEnv.Client().Update(ctx, &sc)
+	}))
 
 	// The reconciler should detect drift and set the condition.
 	require.Eventually(t, func() bool {
@@ -220,9 +230,13 @@ func (s *MulticlusterControllerSuite) TestSpecConsistencyConditionSetOnDrift() {
 	}
 
 	// Fix the drift: align the spec back.
-	require.NoError(t, driftedEnv.Client().Get(ctx, nn, &sc))
-	sc.Spec.CommonLabels = map[string]string{"env": "prod"}
-	require.NoError(t, driftedEnv.Client().Update(ctx, &sc))
+	require.NoError(t, retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		if err := driftedEnv.Client().Get(ctx, nn, &sc); err != nil {
+			return err
+		}
+		sc.Spec.CommonLabels = map[string]string{"env": "prod"}
+		return driftedEnv.Client().Update(ctx, &sc)
+	}))
 
 	// The condition should go back to True.
 	require.Eventually(t, func() bool {
@@ -293,7 +307,11 @@ func (s *MulticlusterControllerSuite) TestIssuerRef() {
 				},
 			},
 		}
-		require.NoError(t, cl.Create(ctx, issuer), "creating Issuer in cluster %d", i)
+		require.NoError(t, retry.OnError(retry.DefaultBackoff, func(err error) bool {
+			return strings.Contains(err.Error(), "failed to call webhook")
+		}, func() error {
+			return cl.Create(ctx, issuer)
+		}), "creating Issuer in cluster %d", i)
 	}
 
 	// Step 3: Create a StretchCluster with IssuerRef pointing to the user's Issuer.
@@ -304,6 +322,7 @@ func (s *MulticlusterControllerSuite) TestIssuerRef() {
 			Name: scName,
 		},
 		Spec: redpandav1alpha2.StretchClusterSpec{
+			External: &redpandav1alpha2.External{Enabled: ptr.To(false)},
 			TLS: &redpandav1alpha2.TLS{
 				Enabled: ptr.To(true),
 				Certs: map[string]*redpandav1alpha2.Certificate{
@@ -453,6 +472,7 @@ func (s *MulticlusterControllerSuite) TestUserProvidedCA() {
 			Name: scName,
 		},
 		Spec: redpandav1alpha2.StretchClusterSpec{
+			External: &redpandav1alpha2.External{Enabled: ptr.To(false)},
 			TLS: &redpandav1alpha2.TLS{
 				Enabled: ptr.To(true),
 				Certs: map[string]*redpandav1alpha2.Certificate{