test: add e2e test infrastructure using CAPI test framework

Introduce end-to-end tests for the cloudscale infrastructure provider
using the Cluster API e2e test framework (Ginkgo-based). This sets up
the full test infrastructure and implements the following specs:

- Lifecycle (single CP): Basic smoke test — creates a 1 CP + 1 worker
  cluster and validates all cloudscale resources (network, subnet, LB,
  servers) are provisioned correctly. Runs nightly.
- Lifecycle (HA): 3 CP + 2 worker cluster with server groups for
  anti-affinity. Runs weekly.
- Cluster upgrade: In-place K8s version upgrade (v1.34 → v1.35) with
  rolling CP and worker nodes. Conformance skipped. Runs weekly.
- Self-hosted: Tests clusterctl move (pivot) from bootstrap kind cluster
  into the workload cluster. Runs weekly.
- KCP remediation: MachineHealthCheck-driven replacement of unhealthy
  control plane machines. Runs weekly.
- K8s conformance: Full conformance suite runs biweekly, fast variant
  (skip Serial) runs weekly.

MD remediation was intentionally left out — KCP remediation already
covers MachineHealthCheck integration for the more critical CP case.

Infrastructure additions:
- GitHub Actions workflows: manual (test-e2e.yml), nightly, weekly,
  biweekly schedules with concurrency control
- Kustomize-based cluster template generation (base + overlays for HA,
  upgrades, kcp-remediation)
- Cilium CNI and cloudscale CCM manifest generation scripts
- SSH-based log collector for VM diagnostics on failure
- cloudscale API resource leak detection (pre/post-test snapshots)

Also upgrades k8s dependencies to 0.35.0 and cluster-api to 1.13.0-beta
to resolve incompatibilities with the e2e test framework.

Author: mweibel

.github/actions/e2e-setup/action.yml

@@ -0,0 +1,32 @@
+name: Setup E2E environment
+description: Sets up Go, kind, tool cache, and SSH for e2e tests
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+      with:
+        go-version-file: go.mod
+
+    - name: Cache tool binaries
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      with:
+        path: bin/
+        key: e2e-tools-${{ runner.os }}-${{ hashFiles('Makefile') }}
+
+    - name: Install kind
+      shell: bash
+      run: |
+        curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
+        chmod +x ./kind
+        sudo mv ./kind /usr/local/bin/kind
+
+    - name: Setup SSH for log collection
+      shell: bash
+      run: | # zizmor: ignore[github-env]
+        ssh-keygen -t ed25519 -f /tmp/e2e-ssh-key -N "" -q
+        eval $(ssh-agent -s)
+        ssh-add /tmp/e2e-ssh-key
+        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}" >> "$GITHUB_ENV"
+        echo "CLOUDSCALE_SSH_PUBLIC_KEY=$(cat /tmp/e2e-ssh-key.pub)" >> "$GITHUB_ENV"

.github/workflows/e2e-biweekly.yml

@@ -0,0 +1,42 @@
+name: E2E Tests (Biweekly Conformance)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 3 1,15 * *" # 3 AM UTC on 1st and 15th of each month
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-conformance:
+    name: Full K8s Conformance
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Run full conformance e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: conformance-${{ github.sha }}
+        run: make test-e2e-conformance
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-conformance-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 30

.github/workflows/e2e-nightly.yml

@@ -0,0 +1,42 @@
+name: E2E Tests (Nightly)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 2 * * *" # 2 AM UTC daily
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-lifecycle:
+    name: Nightly Lifecycle Tests
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Run lifecycle e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: nightly-${{ github.sha }}
+        run: make test-e2e-lifecycle
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-nightly-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 7

.github/workflows/e2e-weekly.yml

@@ -0,0 +1,45 @@
+name: E2E Tests (Weekly)
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 3 * * 0" # 3 AM UTC Sunday
+  workflow_dispatch:
+
+concurrency:
+  group: e2e-tests
+  cancel-in-progress: false
+
+jobs:
+  e2e-weekly:
+    name: Weekly Test Suite
+    runs-on: ubuntu-latest
+    environment: e2e
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
+
+      - name: Run weekly e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: weekly-${{ github.sha }}
+        run: |
+          make test-e2e \
+            GINKGO_LABEL_FILTER="ha || upgrade || self-hosted || kcp-remediation || conformance" \
+            KUBETEST_CONFIGURATION=./data/kubetest/conformance-fast.yaml
+
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-weekly-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 30

.github/workflows/test-e2e.yml

@@ -1,45 +1,56 @@
-name: E2E Tests
+name: E2E Tests (Manual)
 
 permissions:
   contents: read
 
 on:
   workflow_dispatch:
-
-  # TODO: Re-enable automatic triggers once e2e tests are working
-  # push:
-  #   branches: [main]
+    inputs:
+      test_target:
+        description: 'Make target to run'
+        required: true
+        default: 'test-e2e-lifecycle'
+        type: choice
+        options:
+          - test-e2e-lifecycle
+          - test-e2e
+          - test-e2e-ha
+          - test-e2e-upgrade
+          - test-e2e-self-hosted
+          - test-e2e-kcp-remediation
+          - test-e2e-conformance
+          - test-e2e-conformance-fast
 
 concurrency:
-  group: e2e-tests-${{ github.ref }}
-  cancel-in-progress: true
+  group: e2e-tests
+  cancel-in-progress: false
 
 jobs:
   test-e2e:
-    name: Run on Ubuntu
+    name: ${{ github.event.inputs.test_target }}
     runs-on: ubuntu-latest
+    environment: e2e
     steps:
-      - name: Clone the code
+      - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Setup Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
-        with:
-          go-version-file: go.mod
-
-      - name: Install the latest version of kind
-        run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH)
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
+      - name: Setup e2e environment
+        uses: ./.github/actions/e2e-setup
 
-      - name: Verify kind installation
-        run: kind version
+      - name: Run e2e tests
+        env:
+          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          TAG: manual-${{ github.sha }}
+          TEST_TARGET: ${{ github.event.inputs.test_target }}
+        run: make $TEST_TARGET
 
-      - name: Running Test e2e
-        run: |
-          go mod tidy
-          make test-e2e
+      - name: Upload test artifacts
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: e2e-artifacts-manual-${{ github.run_id }}
+          path: _artifacts/
+          retention-days: 14

.github/workflows/zizmor.yml

@@ -0,0 +1,26 @@
+name: Workflow Security Lint
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: [main]
+    paths: ['.github/**']
+  pull_request:
+    paths: ['.github/**']
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

.gitignore

@@ -34,3 +34,5 @@ go.work
 
 # e2e
 _artifacts/
+test/e2e/config/*.generated.yaml
+test/e2e/data/infrastructure-cloudscale/main/cluster-template*.yaml