From f4f8531ce1fe8dc02a2b5330edf8aef44d2c3620 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Wed, 26 Jun 2024 17:24:12 -0400
Subject: [PATCH 01/18] add tests
---
charts/cryostat/templates/test_helpers.yaml | 31 +++
charts/cryostat/tests/alpha_config_test.yaml | 28 +++
.../tests/clusterrolebinding_test.yaml | 56 ++++++
charts/cryostat/tests/deployment_test.yaml | 23 +++
.../tests/openshiftOauthProxy_test.yaml | 52 +++++
charts/cryostat/tests/test_helpers_test.yaml | 186 ++++++++++++++++++
6 files changed, 376 insertions(+)
create mode 100644 charts/cryostat/templates/test_helpers.yaml
create mode 100644 charts/cryostat/tests/alpha_config_test.yaml
create mode 100644 charts/cryostat/tests/clusterrolebinding_test.yaml
create mode 100644 charts/cryostat/tests/deployment_test.yaml
create mode 100644 charts/cryostat/tests/openshiftOauthProxy_test.yaml
create mode 100644 charts/cryostat/tests/test_helpers_test.yaml
diff --git a/charts/cryostat/templates/test_helpers.yaml b/charts/cryostat/templates/test_helpers.yaml
new file mode 100644
index 00000000..8c12dfd2
--- /dev/null
+++ b/charts/cryostat/templates/test_helpers.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-helpers
+data:
+ chartName: |-
+ {{ include "cryostat.name" . }}
+ fullname: |-
+ {{ include "cryostat.fullname" . }}
+ chartLabel: |-
+ {{ include "cryostat.chart" . }}
+ commonLabels: |-
+ {{ include "cryostat.labels" . | indent 4 }}
+ selectorLabels: |-
+ {{ include "cryostat.selectorLabels" . | indent 4 }}
+ serviceAccountName: |-
+ {{ include "cryostat.serviceAccountName" . }}
+ databaseConnectionKey: |-
+ {{ include "cryostat.databaseConnectionKey" . }}
+ databaseEncryptionKey: |-
+ {{ include "cryostat.databaseEncryptionKey" . }}
+ objectStorageSecretKey: |-
+ {{ include "cryostat.objectStorageSecretKey" . }}
+ cookieSecret: |-
+ {{ include "cryostat.cookieSecret" . }}
+ commaSepListWithDefaults: |-
+ {{ include "cryostat.commaSepList" (list (list "") "default" false) }}
+ commaSepListWithoutDefaults: |-
+ {{ include "cryostat.commaSepList" (list (list "") "default" true) }}
+ commaSepListWithValues: |-
+ {{ include "cryostat.commaSepList" (list (list "value1" "value2") "default" true) }}
diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml
new file mode 100644
index 00000000..b599d8c9
--- /dev/null
+++ b/charts/cryostat/tests/alpha_config_test.yaml
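Review bot: Because charts/cryostat/templates/test_helpers.yaml sits under `templates/`, this ConfigMap is rendered and installed with every release, not only during unit tests. Its `data` includes the output of `cryostat.databaseConnectionKey`, `cryostat.databaseEncryptionKey`, `cryostat.objectStorageSecretKey` and `cryostat.cookieSecret`; if those helpers return key material (their bodies are not in this patch), the values end up in a plaintext ConfigMap that is readable with ConfigMap `get` rights rather than Secret access. PATCH 02/18 deletes the file again. If a helper fixture is reintroduced, guard the whole document with a values flag that defaults to false and leave the four secret-returning entries out of it.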
@@ -0,0 +1,28 @@
+suite: test alpha_config
+templates:
+ - templates/alpha_config.yaml
+
+tests:
+ - it: should contain server configuration in alpha_config.yaml
+ asserts:
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "server:\\s*BindAddress: http://0.0.0.0:4180"
+
+ - it: should contain upstream configurations in alpha_config.yaml
+ asserts:
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "upstreamConfig:\\s*proxyRawPath: true\\s*upstreams:\\s*- id: cryostat\\s*path: /\\s*uri: http://localhost:8181"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "- id: grafana\\s*path: /grafana/\\s*uri: http://localhost:3000"
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "- id: storage\\s*path: \\^/storage/\\(\\.\\*\\)\\$\\s*rewriteTarget: /\\$1\\s*uri: http://localhost:8333\\s*passHostHeader: false\\s*proxyWebSockets: false"
+
+ - it: should contain provider configuration in alpha_config.yaml
+ asserts:
+ - matchRegex:
+ path: data['alpha_config.yaml']
+ pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google"
diff --git a/charts/cryostat/tests/clusterrolebinding_test.yaml b/charts/cryostat/tests/clusterrolebinding_test.yaml
new file mode 100644
index 00000000..69144412
--- /dev/null
+++ b/charts/cryostat/tests/clusterrolebinding_test.yaml
@@ -0,0 +1,56 @@
+suite: test ClusterRoleBinding
+release:
+ name: release-name
+ namespace: default
+
+templates:
+ - clusterrolebinding.yaml
+
+tests:
+ - it: should create a ClusterRoleBinding when RBAC and OpenShift authentication are enabled
+ set:
+ rbac.create: true
+ authentication.openshift.enabled: true
+ authentication.openshift.clusterRole.name: system:auth-delegator
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: metadata.name
+ value: release-name-cryostat
+ - equal:
+ path: roleRef.apiGroup
+ value: rbac.authorization.k8s.io
+ - equal:
+ path: roleRef.kind
+ value: ClusterRole
+ - equal:
+ path: roleRef.name
+ value: system:auth-delegator
+ - equal:
+ path: subjects[0].kind
+ value: ServiceAccount
+ - equal:
+ path: subjects[0].name
+ value: release-name-cryostat
+ - equal:
+ path: subjects[0].namespace
+ value: default
+
+ - it: should not create a ClusterRoleBinding when RBAC is disabled
+ set:
+ rbac.create: false
+ authentication.openshift.enabled: true
+ authentication.openshift.clusterRole.name: system:auth-delegator
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a ClusterRoleBinding when OpenShift authentication is disabled
+ set:
+ rbac.create: true
+ authentication.openshift.enabled: false
+ authentication.openshift.clusterRole.name: system:auth-delegator
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml
new file mode 100644
index 00000000..c0964c7c
--- /dev/null
+++ b/charts/cryostat/tests/deployment_test.yaml
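Review bot: The positive case in clusterrolebinding_test.yaml asserts only `subjects[0]`, so a template that appended a second subject to this cluster-scoped binding would still pass. Since `roleRef.kind` is `ClusterRole`, add a length check beside the subject assertions: a `lengthEqual` assert with `path: subjects` and `count: 1`. The case also sets `authentication.openshift.clusterRole.name` itself, so the chart's default role name is never exercised; one case without that override would cover it. rolebinding_test.yaml in PATCH 03/18 has the same `subjects[0]`-only gap.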
@@ -0,0 +1,23 @@
+suite: Test Cryostat Deployment
+templates:
+ - templates/deployment.yaml
+
+tests:
+ - it: should use correct image for the authproxy container
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: quay.io/oauth2-proxy/oauth2-proxy:latest
+
+ - it: should use correct image for the core container
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[1].image
+ value: quay.io/cryostat/cryostat:4.0.0-snapshot
+
+ - it: should create single replica by default
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 1
+
diff --git a/charts/cryostat/tests/openshiftOauthProxy_test.yaml b/charts/cryostat/tests/openshiftOauthProxy_test.yaml
new file mode 100644
index 00000000..32bf2911
--- /dev/null
+++ b/charts/cryostat/tests/openshiftOauthProxy_test.yaml
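Review bot: The expected authproxy image `quay.io/oauth2-proxy/oauth2-proxy:latest` makes a mutable tag the tested default, so the proxy that authenticates traffic to Cryostat can change without any chart change or review. Prefer a fixed version or digest as the chart default and name it in this assertion, e.g. `value: quay.io/oauth2-proxy/oauth2-proxy:<pinned-tag>` (placeholder, not a real tag). The `containers[0]` and `containers[1]` indexes also tie the test to container order; selecting the container by name would survive a reordering.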
@@ -0,0 +1,52 @@
+suite: test openshiftOauthProxy
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should correctly configure the openshift oauth proxy
+ set:
+ authentication:
+ openshift:
+ enabled: true
+ openshiftOauthProxy:
+ image:
+ repository: example/openshift-oauth-proxy
+ tag: "v3.11"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ global:
+ cookieSecret: cookieSecretValue
+ asserts:
+ - hasDocuments:
+ count: 1
+ - contains:
+ path: "spec.template.spec.containers[?(@.name == 'cryostat-authproxy')]"
+ content: |
+ name: cryostat-authproxy
+ image: "example/openshift-oauth-proxy:v3.11"
+ args:
+ - --skip-provider-button=true
+ - --pass-access-token=false
+ - --pass-user-bearer-token=false
+ - --pass-basic-auth=false
+ - --upstream=http://localhost:8181/
+ - --upstream=http://localhost:3000/grafana/
+ - --upstream=http://localhost:8333/storage/
+ - --cookie-secret=cookieSecretValue
+ - --openshift-service-account=default
+ - --proxy-websockets=true
+ - --http-address=0.0.0.0:4180
+ - --https-address=:8443
+ - --tls-cert=/etc/tls/private/tls.crt
+ - --tls-key=/etc/tls/private/tls.key
+ - --proxy-prefix=/oauth2
+ - --bypass-auth-for=^/health(/liveness)?$
+ ports:
+ - containerPort: 4180
+ protocol: TCP
+ volumeMounts:
+ - name: alpha-config
+ mountPath: /etc/oauth2_proxy/alpha_config
diff --git a/charts/cryostat/tests/test_helpers_test.yaml b/charts/cryostat/tests/test_helpers_test.yaml
new file mode 100644
index 00000000..3961beeb
--- /dev/null
+++ b/charts/cryostat/tests/test_helpers_test.yaml
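Review bot: The `set` block supplies a `securityContext` with `allowPrivilegeEscalation: false` and `capabilities.drop` of `ALL`, but the expected container in `content` carries no `securityContext`, so nothing checks that this hardening reaches the `cryostat-authproxy` container. Assuming the chart renders it on that container, add an `equal` assert on its `securityContext.allowPrivilegeEscalation` with `value: false`. Separately, the expected args include `--cookie-secret=cookieSecretValue`, which records the session cookie secret as a plaintext argument in the pod spec, visible to anyone who can read the Deployment. A comment noting that, or a follow-up to source the value from a Secret, would keep the test from cementing it. `content` is also a block-scalar string while the path selects a container mapping, so the `contains` comparison may not behave as intended.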
@@ -0,0 +1,186 @@
+suite: test helpers
+templates:
+ - test_helpers.yaml
+
+tests:
+ - it: should expand the chart name correctly
+ set:
+ Chart:
+ Name: cryostat
+ asserts:
+ - equal:
+ path: data.chartName
+ value: cryostat
+
+ - it: should create a default fully qualified app name when no override is provided
+ set:
+ Chart:
+ Name: cryostat
+ Release:
+ Name: release-name
+ asserts:
+ - equal:
+ path: data.fullname
+ value: release-name-cryostat
+
+ - it: should create a default fully qualified app name when override is provided
+ set:
+ Values:
+ fullnameOverride: custom-fullname
+ asserts:
+ - equal:
+ path: data.fullname
+ value: custom-fullname
+
+ - it: should create chart name and version label correctly
+ set:
+ Chart:
+ Name: cryostat
+ Version: "0.5.0+dev"
+ asserts:
+ - equal:
+ path: data.chartLabel
+ value: cryostat-0.5.0_dev
+
+ - it: should create common labels correctly
+ set:
+ Chart:
+ Name: cryostat
+ Version: "0.5.0+dev"
+ AppVersion: "4.0.0-dev"
+ Release:
+ Service: Helm
+ asserts:
+ - contains:
+ path: data.commonLabels
+ content: |
+ helm.sh/chart: cryostat-0.5.0_dev
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/instance: release-name
+ app.kubernetes.io/version: "4.0.0-dev"
+ app.kubernetes.io/managed-by: Helm
+
+ - it: should create selector labels correctly
+ set:
+ Chart:
+ Name: cryostat
+ Release:
+ Name: release-name
+ asserts:
+ - contains:
+ path: data.selectorLabels
+ content: |
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/instance: release-name
+
+ - it: should create service account name correctly when creation is enabled
+ set:
+ Values:
+ serviceAccount:
+ create: true
+ Release:
+ Name: release-name
+ asserts:
+ - equal:
+ path: data.serviceAccountName
+ value: release-name-cryostat
+
+ - it: should create service account name correctly when creation is disabled
+ set:
+ Values:
+ serviceAccount:
+ create: false
+ asserts:
+ - equal:
+ path: data.serviceAccountName
+ value: default
+
+ - it: should 
generate a new database connection key if not present
+ asserts:
+ - exists:
+ path: data.databaseConnectionKey
+
+ - it: should use existing database connection key if present
+ set:
+ Release:
+ Namespace: default
+ Secret:
+ release-name-db:
+ data:
+ CONNECTION_KEY: existing-connection-key
+ asserts:
+ - equal:
+ path: data.databaseConnectionKey
+ value: existing-connection-key
+
+ - it: should generate a new database encryption key if not present
+ asserts:
+ - exists:
+ path: data.databaseEncryptionKey
+
+ - it: should use existing database encryption key if present
+ set:
+ Release:
+ Namespace: default
+ Secret:
+ release-name-db:
+ data:
+ ENCRYPTION_KEY: existing-encryption-key
+ asserts:
+ - equal:
+ path: data.databaseEncryptionKey
+ value: existing-encryption-key
+
+ - it: should generate a new object storage secret key if not present
+ asserts:
+ - exists:
+ path: data.objectStorageSecretKey
+
+ - it: should use existing object storage secret key if present
+ set:
+ Release:
+ Namespace: default
+ Secret:
+ release-name-storage:
+ data:
+ SECRET_KEY: existing-secret-key
+ asserts:
+ - equal:
+ path: data.objectStorageSecretKey
+ value: existing-secret-key
+
+ - it: should generate a new cookie secret if not present
+ asserts:
+ - exists:
+ path: data.cookieSecret
+
+ - it: should use existing cookie secret if present
+ set:
+ Release:
+ Namespace: default
+ Secret:
+ release-name-cookie-secret:
+ data:
+ COOKIE_SECRET: existing-cookie-secret
+ asserts:
+ - equal:
+ path: data.cookieSecret
+ value: existing-cookie-secret
+
+ - it: should get comma separated list with defaults if not disabled
+ asserts:
+ - equal:
+ path: data.commaSepListWithDefaults
+ value: "default"
+
+ - it: should get comma separated list without defaults if disabled
+ asserts:
+ - equal:
+ path: data.commaSepListWithoutDefaults
+ value: ""
+
+ - it: should get comma separated list with provided values
+ asserts:
+ - equal:
+ path: data.commaSepListWithValues
+ value: 
"value1,value2"
From 1ce2b4f4ce6a9e46be965c6c8380af4e9b4e0b33 Mon Sep 17 00:00:00 2001
From: Atif Ali
Date: Thu, 27 Jun 2024 11:38:05 -0400
Subject: [PATCH 02/18] remove test_helpers.yaml
---
charts/cryostat/templates/test_helpers.yaml | 31 ---------------------
1 file changed, 31 deletions(-)
delete mode 100644 charts/cryostat/templates/test_helpers.yaml
diff --git a/charts/cryostat/templates/test_helpers.yaml b/charts/cryostat/templates/test_helpers.yaml
deleted file mode 100644
index 8c12dfd2..00000000
--- a/charts/cryostat/templates/test_helpers.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: test-helpers
-data:
- chartName: |-
- {{ include "cryostat.name" . }}
- fullname: |-
- {{ include "cryostat.fullname" . }}
- chartLabel: |-
- {{ include "cryostat.chart" . }}
- commonLabels: |-
- {{ include "cryostat.labels" . | indent 4 }}
- selectorLabels: |-
- {{ include "cryostat.selectorLabels" . | indent 4 }}
- serviceAccountName: |-
- {{ include "cryostat.serviceAccountName" . }}
- databaseConnectionKey: |-
- {{ include "cryostat.databaseConnectionKey" . }}
- databaseEncryptionKey: |-
- {{ include "cryostat.databaseEncryptionKey" . }}
- objectStorageSecretKey: |-
- {{ include "cryostat.objectStorageSecretKey" . }}
- cookieSecret: |-
- {{ include "cryostat.cookieSecret" . }}
- commaSepListWithDefaults: |-
- {{ include "cryostat.commaSepList" (list (list "") "default" false) }}
- commaSepListWithoutDefaults: |-
- {{ include "cryostat.commaSepList" (list (list "") "default" true) }}
- commaSepListWithValues: |-
- {{ include "cryostat.commaSepList" (list (list "value1" "value2") "default" true) }}
From 65828c89e67ab5e988315b4bb2e01cfece7d3afa Mon Sep 17 00:00:00 2001
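Review bot: In test_helpers_test.yaml (PATCH 01/18) the `Chart:`, `Release:`, `Values:` and `Secret:` maps are placed under `set:`, which overrides chart values, so they most likely become `.Values.Chart`, `.Values.Release` and so on rather than chart metadata, release data or the result of a cluster lookup. If so, the four "should use existing ... if present" cases never exercise the path that reuses an already-stored key, which is the path that keeps the database encryption key and cookie secret stable across upgrades. Release data belongs in the suite-level `release:` block, as clusterrolebinding_test.yaml in this patch does with `release:` and `name: release-name`. The existing-secret cases need whatever lookup mocking the test runner version in use provides; until then a comment should state that reuse is untested.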
From: Atif Ali Date: Thu, 27 Jun 2024 19:36:42 -0400 Subject: [PATCH 03/18] added all tests --- charts/cryostat/templates/pvc.yaml | 2 +- charts/cryostat/tests/db_secret_test.yaml | 31 +++ charts/cryostat/tests/deployment_test.yaml | 84 ++++++-- charts/cryostat/tests/ingress_test.yaml | 57 ++++++ .../tests/openshiftOauthProxy_test.yaml | 52 ----- charts/cryostat/tests/pvc_test.yaml | 57 ++++++ charts/cryostat/tests/role_test.yaml | 75 +++++++ charts/cryostat/tests/rolebinding_test.yaml | 85 ++++++++ charts/cryostat/tests/route_test.yaml | 74 +++++++ charts/cryostat/tests/service_test.yaml | 76 +++++++ .../cryostat/tests/serviceaccount_test.yaml | 37 ++++ .../tests/storage_access_secret_test.yaml | 20 ++ charts/cryostat/tests/test_helpers_test.yaml | 186 ------------------ 13 files changed, 586 insertions(+), 250 deletions(-) create mode 100644 charts/cryostat/tests/db_secret_test.yaml create mode 100644 charts/cryostat/tests/ingress_test.yaml delete mode 100644 charts/cryostat/tests/openshiftOauthProxy_test.yaml create mode 100644 charts/cryostat/tests/pvc_test.yaml create mode 100644 charts/cryostat/tests/role_test.yaml create mode 100644 charts/cryostat/tests/rolebinding_test.yaml create mode 100644 charts/cryostat/tests/route_test.yaml create mode 100644 charts/cryostat/tests/service_test.yaml create mode 100644 charts/cryostat/tests/serviceaccount_test.yaml create mode 100644 charts/cryostat/tests/storage_access_secret_test.yaml delete mode 100644 charts/cryostat/tests/test_helpers_test.yaml diff --git a/charts/cryostat/templates/pvc.yaml b/charts/cryostat/templates/pvc.yaml index 9e453623..84667be1 100644 --- a/charts/cryostat/templates/pvc.yaml +++ b/charts/cryostat/templates/pvc.yaml @@ -11,7 +11,7 @@ metadata: {{- end }} spec: {{- with .Values.pvc.accessModes }} - accessModes: + accessModes: {{- toYaml . | nindent 4 }} {{- end }} resources: 
diff --git a/charts/cryostat/tests/db_secret_test.yaml b/charts/cryostat/tests/db_secret_test.yaml
new file mode 100644
index 00000000..25f47233
--- /dev/null
+++ b/charts/cryostat/tests/db_secret_test.yaml
@@ -0,0 +1,31 @@
+suite: Database Secret Creation
+templates:
+ - db_secret.yaml
+
+tests:
+ - it: should create a database secret if core.databaseSecretName is not set
+ set:
+ core.databaseSecretName: ""
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Secret
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-db
+ - equal:
+ path: type
+ value: Opaque
+ - exists:
+ path: data.ENCRYPTION_KEY
+ - exists:
+ path: data.CONNECTION_KEY
+
+ - it: should not create a database secret if core.databaseSecretName is set
+ set:
+ core.databaseSecretName: "custom-db-secret"
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml
index c0964c7c..248d74bd 100644
--- a/charts/cryostat/tests/deployment_test.yaml
+++ b/charts/cryostat/tests/deployment_test.yaml
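Review bot: The two `exists` asserts on `data.ENCRYPTION_KEY` and `data.CONNECTION_KEY` in db_secret_test.yaml only show that the keys are present; a template regression that rendered an empty value would presumably still pass, leaving the database with an empty key. Strengthen them with a value check, e.g. an `isNotNullOrEmpty` assert with `path: data.ENCRYPTION_KEY` (`isNotEmpty` on older helm-unittest releases), or a `matchRegex` that requires a minimum length. storage_access_secret_test.yaml in this same patch has the same `exists`-only check on `data.SECRET_KEY`.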
@@ -1,23 +1,85 @@ -suite: Test Cryostat Deployment +suite: Complete Deployment Validation templates: - - templates/deployment.yaml + - deployment.yaml tests: - - it: should use correct image for the authproxy container + - it: should verify general deployment settings asserts: - equal: - path: spec.template.spec.containers[0].image - value: quay.io/oauth2-proxy/oauth2-proxy:latest + path: metadata.name + value: RELEASE-NAME-cryostat + - equal: + path: spec.replicas + value: 1 + - equal: + path: spec.strategy.type + value: Recreate - - it: should use correct image for the core container + - it: should validate main application container settings asserts: - equal: - path: spec.template.spec.containers[1].image - value: quay.io/cryostat/cryostat:4.0.0-snapshot + path: spec.template.spec.containers[?(@.name=='cryostat')].image + value: "quay.io/cryostat/cryostat:4.0.0-snapshot" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].containerPort + value: 8181 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].livenessProbe.httpGet.path + value: "/health/liveness" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.httpGet.path + value: "/health/liveness" - - it: should create single replica by default + - it: should configure the OpenShift OAuth Proxy when authentication.openshift is enabled + set: + authentication.openshift.enabled: true + asserts: + - matchRegex: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].image + pattern: "quay.io/cryostat/openshift-oauth-proxy:.*" + + - it: should configure the OAuth2 Proxy when OpenShift OAuth is disabled and OAuth2 is enabled + set: + authentication.openshift.enabled: false + authentication.oauth2.enabled: true + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')] + - matchRegex: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].image + pattern: 
"quay.io/oauth2-proxy/oauth2-proxy:.*" + + - it: should apply Kubernetes specific settings when configured + set: + nodeSelector: + disktype: ssd + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + values: + - ssd + tolerations: + - key: "key" + operator: "Equal" + value: "value" + effect: "NoSchedule" + asserts: + - exists: + path: spec.template.spec.nodeSelector + - exists: + path: spec.template.spec.affinity + - exists: + path: spec.template.spec.tolerations + + - it: should ensure the datasource container has correct environment variables and resources asserts: - equal: - path: spec.replicas - value: 1 + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].env[?(@.name=='QUARKUS_HTTP_PORT')].value + value: "8800" + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources diff --git a/charts/cryostat/tests/ingress_test.yaml b/charts/cryostat/tests/ingress_test.yaml new file mode 100644 index 00000000..f02a3909 --- /dev/null +++ b/charts/cryostat/tests/ingress_test.yaml 
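Review bot: The two image patterns in deployment_test.yaml, `quay.io/cryostat/openshift-oauth-proxy:.*` and `quay.io/oauth2-proxy/oauth2-proxy:.*`, are unanchored, leave the dots unescaped and accept an empty tag, so an image from another registry whose path merely contains that string, or a `:latest` tag, would satisfy them. Tighten them, e.g. `pattern: '^quay\.io/oauth2-proxy/oauth2-proxy:.+$'`, or assert the exact default tag. This patch also deletes openshiftOauthProxy_test.yaml, and in the files shown here nothing now asserts the proxy arguments such as `--pass-access-token=false` or `--bypass-auth-for=^/health(/liveness)?$`, nor any container `securityContext`. A case covering the authproxy args would keep an authentication-bypass change from going unnoticed.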
@@ -0,0 +1,57 @@
+suite: Ingress Configuration
+templates:
+ - ingress.yaml
+
+tests:
+ - it: should create an Ingress with default settings
+ set:
+ core.ingress.enabled: true
+ core.service.httpPort: 8080
+ core:
+ ingress:
+ className: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ hosts:
+ - host: example.com
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - example.com
+ secretName: example-tls
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Ingress
+ - matchRegex:
+ path: metadata.name
+ pattern: "^.+-cryostat$"
+ - equal:
+ path: spec.rules[0].host
+ value: "example.com"
+ - equal:
+ path: spec.rules[0].http.paths[0].path
+ value: "/"
+ - equal:
+ path: spec.rules[0].http.paths[0].backend.service.name
+ value: "RELEASE-NAME-cryostat"
+ - equal:
+ path: spec.rules[0].http.paths[0].backend.service.port.number
+ value: 8080
+ - equal:
+ path: spec.ingressClassName
+ value: "nginx"
+ - equal:
+ path: spec.tls[0].secretName
+ value: "example-tls"
+
+ - it: should not create an Ingress when ingress is disabled
+ set:
+ core.ingress.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/openshiftOauthProxy_test.yaml b/charts/cryostat/tests/openshiftOauthProxy_test.yaml
deleted file mode 100644
index 32bf2911..00000000
--- a/charts/cryostat/tests/openshiftOauthProxy_test.yaml
+++ /dev/null
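Review bot: The TLS block in ingress_test.yaml is checked only through `spec.tls[0].secretName`; `spec.tls[0].hosts` is never asserted, so a template that dropped or mangled the host list would pass while the certificate no longer applies to `example.com`. Add an `equal` assert with `path: spec.tls[0].hosts[0]` and `value: example.com`. The `set` block also mixes the dotted key `core.ingress.enabled` with a nested `core:` map; how the two merge depends on the runner, so writing `enabled: true` inside the nested map would remove the ambiguity. The case title says "default settings" although every field is overridden.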
@@ -1,52 +0,0 @@ -suite: test openshiftOauthProxy -templates: - - deployment.yaml - -tests: - - it: should correctly configure the openshift oauth proxy - set: - authentication: - openshift: - enabled: true - openshiftOauthProxy: - image: - repository: example/openshift-oauth-proxy - tag: "v3.11" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - global: - cookieSecret: cookieSecretValue - asserts: - - hasDocuments: - count: 1 - - contains: - path: "spec.template.spec.containers[?(@.name == 'cryostat-authproxy')]" - content: | - name: cryostat-authproxy - image: "example/openshift-oauth-proxy:v3.11" - args: - - --skip-provider-button=true - - --pass-access-token=false - - --pass-user-bearer-token=false - - --pass-basic-auth=false - - --upstream=http://localhost:8181/ - - --upstream=http://localhost:3000/grafana/ - - --upstream=http://localhost:8333/storage/ - - --cookie-secret=cookieSecretValue - - --openshift-service-account=default - - --proxy-websockets=true - - --http-address=0.0.0.0:4180 - - --https-address=:8443 - - --tls-cert=/etc/tls/private/tls.crt - - --tls-key=/etc/tls/private/tls.key - - --proxy-prefix=/oauth2 - - --bypass-auth-for=^/health(/liveness)?$ - ports: - - containerPort: 4180 - protocol: TCP - volumeMounts: - - name: alpha-config - mountPath: /etc/oauth2_proxy/alpha_config diff --git a/charts/cryostat/tests/pvc_test.yaml b/charts/cryostat/tests/pvc_test.yaml new file mode 100644 index 00000000..6528c77c --- /dev/null +++ b/charts/cryostat/tests/pvc_test.yaml 
@@ -0,0 +1,57 @@
+suite: PVC Configuration
+templates:
+ - pvc.yaml
+
+tests:
+ - it: should create a PersistentVolumeClaim with correct settings
+ set:
+ pvc:
+ enabled: true
+ storage: "10Gi"
+ accessModes:
+ - "ReadWriteOnce"
+ storageClassName: "standard"
+ annotations:
+ "volume.beta.kubernetes.io/storage-class": "standard"
+ selector:
+ matchLabels:
+ app: cryostat
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: PersistentVolumeClaim
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-cryostat"
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-0.5.0-dev
+ - equal:
+ path: spec.accessModes
+ value:
+ - "ReadWriteOnce"
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+ - equal:
+ path: spec.storageClassName
+ value: "standard"
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: "cryostat"
+
+ # Test to ensure no PVC is created when it is disabled
+ - it: should not create a PersistentVolumeClaim when PVC is disabled
+ set:
+ pvc:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml
new file mode 100644
index 00000000..c9ef0628
--- /dev/null
+++ b/charts/cryostat/tests/role_test.yaml
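Review bot: The `metadata.labels` assertion in pvc_test.yaml hard-codes `app.kubernetes.io/version: "4.0.0-dev"` and `helm.sh/chart: cryostat-0.5.0-dev`, so every chart or app version bump breaks this test for a reason unrelated to the PVC. route_test.yaml and service_test.yaml in this patch repeat the same block. Either pin the versions for the suite through the runner's `chart:` settings or assert the stable labels individually and match the versioned ones with a pattern. The `pvc.annotations` value set in this case is never asserted; add a check or drop it from `set`.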
@@ -0,0 +1,75 @@
+suite: Role Configuration
+templates:
+ - role.yaml
+
+tests:
+ - it: should create a Role for the default namespace
+ set:
+ rbac.create: true
+ core.discovery.kubernetes.enabled: true
+ core.discovery.kubernetes.namespaces:
+ - "default"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Role
+ - equal:
+ path: metadata.namespace
+ value: "default"
+ - matchRegex:
+ path: metadata.name
+ pattern: "RELEASE-NAME-cryostat"
+
+ - it: should create a Role for the test namespace
+ set:
+ rbac.create: true
+ core.discovery.kubernetes.enabled: true
+ core.discovery.kubernetes.namespaces:
+ - "test-ns"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Role
+ - equal:
+ path: metadata.namespace
+ value: "test-ns"
+ - matchRegex:
+ path: metadata.name
+ pattern: "RELEASE-NAME-cryostat"
+
+ - it: should have correct permissions for endpoints, pods, and other resources
+ set:
+ rbac.create: true
+ core.discovery.kubernetes.enabled: true
+ core.discovery.kubernetes.namespaces:
+ - "default"
+ asserts:
+ - equal:
+ path: rules[0].apiGroups[0]
+ value: ""
+ - equal:
+ path: rules[0].resources
+ value: ["endpoints"]
+ - equal:
+ path: rules[0].verbs
+ value: ["get", "list", "watch"]
+ - equal:
+ path: rules[1].apiGroups[0]
+ value: ""
+ - equal:
+ path: rules[1].resources
+ value: ["pods", "replicationcontrollers"]
+ - equal:
+ path: rules[1].verbs
+ value: ["get"]
+
+ - it: should not create any Role if RBAC is disabled
+ set:
+ rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/rolebinding_test.yaml b/charts/cryostat/tests/rolebinding_test.yaml
new file mode 100644
index 00000000..a06e786f
--- /dev/null
+++ b/charts/cryostat/tests/rolebinding_test.yaml
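Review bot: The permissions case in role_test.yaml checks `rules[0]` and `rules[1]` only, although its title says "and other resources", so any further rule in the Role, including one that widened access, is outside what this test can catch. For a least-privilege check, compare the whole list with one `equal` on `path: rules`, or at minimum add a `lengthEqual` assert on `rules` with the expected count. The assertions use `apiGroups[0]`, which would also pass if extra API groups were appended; asserting the full `apiGroups` list closes that.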
@@ -0,0 +1,85 @@
+suite: RoleBinding Configuration
+templates:
+ - rolebinding.yaml
+
+tests:
+ - it: should create a RoleBinding in the default namespace
+ set:
+ rbac.create: true
+ core.discovery.kubernetes.enabled: true
+ core.discovery.kubernetes.namespaces:
+ - "default"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: RoleBinding
+ - equal:
+ path: metadata.namespace
+ value: "default"
+ - matchRegex:
+ path: metadata.name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: roleRef.apiGroup
+ value: "rbac.authorization.k8s.io"
+ - equal:
+ path: roleRef.kind
+ value: "Role"
+ - matchRegex:
+ path: roleRef.name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: subjects[0].kind
+ value: "ServiceAccount"
+ - matchRegex:
+ path: subjects[0].name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: subjects[0].namespace
+ value: "NAMESPACE"
+
+ - it: should create a RoleBinding in the test namespace
+ set:
+ rbac.create: true
+ core.discovery.kubernetes.enabled: true
+ core.discovery.kubernetes.namespaces:
+ - "test-ns"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: RoleBinding
+ - equal:
+ path: metadata.namespace
+ value: "test-ns"
+ - matchRegex:
+ path: metadata.name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: roleRef.apiGroup
+ value: "rbac.authorization.k8s.io"
+ - equal:
+ path: roleRef.kind
+ value: "Role"
+ - matchRegex:
+ path: roleRef.name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: subjects[0].kind
+ value: "ServiceAccount"
+ - matchRegex:
+ path: subjects[0].name
+ pattern: "RELEASE-NAME-cryostat"
+ - equal:
+ path: subjects[0].namespace
+ value: "NAMESPACE"
+
+ - it: should not create any RoleBinding if RBAC is disabled
+ set:
+ rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/route_test.yaml b/charts/cryostat/tests/route_test.yaml
new file mode 100644
index 00000000..d771dc7d
--- /dev/null
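Review bot: `roleRef.name` and `subjects[0].name` in rolebinding_test.yaml are checked with the unanchored pattern `RELEASE-NAME-cryostat`, which also matches any longer name that contains it, so a binding that pointed at a different Role or ServiceAccount sharing that prefix would pass. These are exact identifiers, so use `equal` with `value: RELEASE-NAME-cryostat` as the neighbouring assertions do, or anchor the pattern as `^RELEASE-NAME-cryostat$`. The `metadata.name` checks here and in role_test.yaml have the same looseness.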
+++ b/charts/cryostat/tests/route_test.yaml
@@ -0,0 +1,74 @@
+suite: Route Configuration
+templates:
+ - route.yaml
+
+tests:
+ - it: should create a Route when routing is enabled
+ set:
+ core.route.enabled: true
+ core:
+ route:
+ annotations:
+ hello: world
+ tls:
+ enabled: true
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ key: "RSA PRIVATE KEY"
+ destinationCACertificate: "DESTINATION CA"
+ caCertificate: "CA CERT"
+ certificate: "CERT"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Route
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-cryostat"
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-0.5.0-dev
+ - equal:
+ path: metadata.annotations.hello
+ value: "world"
+ - equal:
+ path: spec.to.kind
+ value: "Service"
+ - equal:
+ path: spec.to.name
+ value: "RELEASE-NAME-cryostat"
+ - equal:
+ path: spec.port.targetPort
+ value: 4180
+ - equal:
+ path: spec.tls.termination
+ value: "edge"
+ - equal:
+ path: spec.tls.insecureEdgeTerminationPolicy
+ value: "Redirect"
+ - matchRegex:
+ path: spec.tls.key
+ pattern: ".*RSA PRIVATE KEY.*"
+ - matchRegex:
+ path: spec.tls.destinationCACertificate
+ pattern: ".*DESTINATION CA.*"
+ - matchRegex:
+ path: spec.tls.caCertificate
+ pattern: ".*CA CERT.*"
+ - matchRegex:
+ path: spec.tls.certificate
+ pattern: ".*CERT.*"
+
+ - it: should not create a Route when routing is disabled
+ set:
+ core.route.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml
new file mode 100644
index 00000000..45763b25
--- /dev/null
+++ b/charts/cryostat/tests/service_test.yaml
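Review bot: The `spec.tls.certificate` check in route_test.yaml uses `.*CERT.*`, and the fixture value `CERT` is a substring of the `caCertificate` fixture `CA CERT`, so a template that wired the CA certificate into `certificate` would still pass. Give each TLS field a fixture value that is not contained in any other, for example (constructed sample) `certificate: "LEAF-CERT"` with `pattern: "LEAF-CERT"`. That makes a swap between `key`, `certificate`, `caCertificate` and `destinationCACertificate` fail the test.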
@@ -0,0 +1,76 @@
+suite: Service Configuration
+templates:
+ - service.yaml
+
+tests:
+ - it: should create a Service with the correct settings
+ set:
+ core.service.type: ClusterIP
+ core.service.httpPort: 8080
+ authentication.openshift.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-cryostat
+ - equal:
+ path: spec.type
+ value: ClusterIP
+ - equal:
+ path: spec.ports[0].port
+ value: 8080
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 4180
+ - equal:
+ path: spec.ports[0].protocol
+ value: TCP
+ - equal:
+ path: spec.ports[0].name
+ value: cryostat-http
+ - equal:
+ path: spec.ports[1].port
+ value: 443
+ - equal:
+ path: spec.ports[1].targetPort
+ value: 8443
+ - equal:
+ path: spec.ports[1].protocol
+ value: TCP
+ - equal:
+ path: spec.ports[1].name
+ value: cryostat-https
+ - equal:
+ path: metadata.labels
+ value:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cryostat
+ app.kubernetes.io/version: "4.0.0-dev"
+ helm.sh/chart: cryostat-0.5.0-dev
+ - equal:
+ path: metadata.annotations
+ value:
+ service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls
+
+ - it: should include OpenShift specific annotations when enabled
+ set:
+ authentication.openshift.enabled: true
+ asserts:
+ - exists:
+ path: metadata.annotations
+ - equal:
+ path: metadata.annotations
+ value:
+ service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls
+
+ - it: should not include OpenShift specific annotations when disabled
+ set:
+ authentication.openshift.enabled: false
+ asserts:
+ - notExists:
+ path: metadata.annotations
diff --git a/charts/cryostat/tests/serviceaccount_test.yaml b/charts/cryostat/tests/serviceaccount_test.yaml
new file mode 100644
index 00000000..892e13bb
--- /dev/null
+++ b/charts/cryostat/tests/serviceaccount_test.yaml
@@ -0,0 +1,37 @@
+suite: ServiceAccount Configuration
+templates:
+ - serviceaccount.yaml
+
+tests:
+ - it: should create a ServiceAccount with OpenShift redirect annotations when enabled
+ set:
+ authentication.openshift.enabled: true
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-cryostat"
+ - equal:
+ path: metadata.annotations
+ value:
+ serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"RELEASE-NAME-cryostat"}}'
+
+ - it: should not include OpenShift specific annotations when disabled
+ set:
+ authentication.openshift.enabled: false
+ serviceAccount.create: true
+ asserts:
+ - notExists:
+ path: metadata.annotations
+
+ - it: should not create a ServiceAccount when serviceAccount.create is disabled
+ set:
+ serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/cryostat/tests/storage_access_secret_test.yaml b/charts/cryostat/tests/storage_access_secret_test.yaml
new file mode 100644
index 00000000..7007b97b
--- /dev/null
+++ b/charts/cryostat/tests/storage_access_secret_test.yaml
@@ -0,0 +1,20 @@
+suite: Storage Access Secret Configuration
+templates:
+ - storage_access_secret.yaml
+
+tests:
+ - it: should create a Storage Access Secret with correct settings
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: kind
+ value: Secret
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-storage
+ - equal:
+ path: type
+ value: Opaque
+ - exists:
+ path: data.SECRET_KEY
diff --git a/charts/cryostat/tests/test_helpers_test.yaml b/charts/cryostat/tests/test_helpers_test.yaml
deleted file mode 100644
index 3961beeb..00000000
--- a/charts/cryostat/tests/test_helpers_test.yaml
+++ /dev/null
@@ -1,186 +0,0 @@ -suite: test helpers -templates: - - test_helpers.yaml - -tests: - - it: should expand the chart name correctly - set: - Chart: - Name: cryostat - asserts: - - equal: - path: data.chartName - value: cryostat - - - it: should create a default fully qualified app name when no override is provided - set: - Chart: - Name: cryostat - Release: - Name: release-name - asserts: - - equal: - path: data.fullname - value: release-name-cryostat - - - it: should create a default fully qualified app name when override is provided - set: - Values: - fullnameOverride: custom-fullname - asserts: - - equal: - path: data.fullname - value: custom-fullname - - - it: should create chart name and version label correctly - set: - Chart: - Name: cryostat - Version: "0.5.0+dev" - asserts: - - equal: - path: data.chartLabel - value: cryostat-0.5.0_dev - - - it: should create common labels correctly - set: - Chart: - Name: cryostat - Version: "0.5.0+dev" - AppVersion: "4.0.0-dev" - Release: - Service: Helm - asserts: - - contains: - path: data.commonLabels - content: | - helm.sh/chart: cryostat-0.5.0_dev - app.kubernetes.io/name: cryostat - app.kubernetes.io/instance: release-name - app.kubernetes.io/version: "4.0.0-dev" - app.kubernetes.io/managed-by: Helm - - - it: should create selector labels correctly - set: - Chart: - Name: cryostat - Release: - Name: release-name - asserts: - - contains: - path: data.selectorLabels - content: | - app.kubernetes.io/name: cryostat - app.kubernetes.io/instance: release-name - - - it: should create service account name correctly when creation is enabled - set: - Values: - serviceAccount: - create: true - Release: - Name: release-name - asserts: - - equal: - path: data.serviceAccountName - value: release-name-cryostat - - - it: should create service account name correctly when creation is disabled - set: - Values: - serviceAccount: - create: false - asserts: - - equal: - path: data.serviceAccountName - value: default - - - it: should 
generate a new database connection key if not present - asserts: - - exists: - path: data.databaseConnectionKey - - - it: should use existing database connection key if present - set: - Release: - Namespace: default - Secret: - release-name-db: - data: - CONNECTION_KEY: existing-connection-key - asserts: - - equal: - path: data.databaseConnectionKey - value: existing-connection-key - - - it: should generate a new database encryption key if not present - asserts: - - exists: - path: data.databaseEncryptionKey - - - it: should use existing database encryption key if present - set: - Release: - Namespace: default - Secret: - release-name-db: - data: - ENCRYPTION_KEY: existing-encryption-key - asserts: - - equal: - path: data.databaseEncryptionKey - value: existing-encryption-key - - - it: should generate a new object storage secret key if not present - asserts: - - exists: - path: data.objectStorageSecretKey - - - it: should use existing object storage secret key if present - set: - Release: - Namespace: default - Secret: - release-name-storage: - data: - SECRET_KEY: existing-secret-key - asserts: - - equal: - path: data.objectStorageSecretKey - value: existing-secret-key - - - it: should generate a new cookie secret if not present - asserts: - - exists: - path: data.cookieSecret - - - it: should use existing cookie secret if present - set: - Release: - Namespace: default - Secret: - release-name-cookie-secret: - data: - COOKIE_SECRET: existing-cookie-secret - asserts: - - equal: - path: data.cookieSecret - value: existing-cookie-secret - - - it: should get comma separated list with defaults if not disabled - asserts: - - equal: - path: data.commaSepListWithDefaults - value: "default" - - - it: should get comma separated list without defaults if disabled - asserts: - - equal: - path: data.commaSepListWithoutDefaults - value: "" - - - it: should get comma separated list with provided values - asserts: - - equal: - path: data.commaSepListWithValues - value: 
"value1,value2" From d072978377354fb63fd36f2bc6459313cafbb86b Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Tue, 2 Jul 2024 14:19:55 -0400 Subject: [PATCH 04/18] added TESTING.md --- charts/cryostat/TESTING.md | 135 +++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 charts/cryostat/TESTING.md diff --git a/charts/cryostat/TESTING.md b/charts/cryostat/TESTING.md new file mode 100644 index 00000000..584c68aa --- /dev/null +++ b/charts/cryostat/TESTING.md 
@@ -0,0 +1,135 @@ +# Testing Guide for Cryostat Helm Chart + +This guide outlines the conventions and practices for writing and executing tests in the Cryostat Helm chart project using the Helm Unittest plugin. + +## Overview + +Helm Unittest is a Helm plugin that allows to write declarative tests for Helm charts. It enables testing the rendered templates of a Helm chart with specified values without the need for any running Kubernetes cluster. + +# Testing Guide for Cryostat Helm Chart + +## Dependencies + +Before running tests, you need to have the following tools installed: + +- **Helm 3:** Helm is a package manager for Kubernetes needed to manage the charts. +- **Helm Unittest Plugin:** This plugin enables unit testing for Helm charts. + +## Installation + +##### Installing Helm + +Helm can be installed on a variety of platforms. [Official Helm installation documentation](https://helm.sh/docs/intro/install/) provides detailed instructions. + +##### Installing Helm Unittest Plugin + +Once Helm is installed, you can install the Helm Unittest plugin. +First, verify whether the Helm Unittest plugin has been successfully installed, you can use the following command to list all installed Helm plugins: +```bash +helm plugin list +``` +This command will display a list of all plugins currently installed in your Helm environment, including the Helm Unittest plugin if it's already installed. Look for an entry named unittest in the output. If it's listed, then the Helm Unittest plugin is installed correctly. For example: +``` +❯ helm plugin list + +NAME VERSION DESCRIPTION +unittest 0.5.1 Unit test for helm chart in YAML with ease +to keep your chart functional and robust. +``` +If the Helm Unittest plugin is not listed, you can install it using the following command: +```bash +$ helm plugin install https://github.com/helm-unittest/helm-unittest.git +``` +This will install the latest version of binary into helm plugin directory. 
+ +## Writing Tests + +Each test is associated with a specific Helm template and is structured to validate specific aspects of that template. Here's a general structure for writing tests: + +1. **Test Suite:** A collection of tests related to a particular aspect of the chart, usually corresponding to a specific template file. +2. **Test Cases:** Each test case should focus on a single aspect or feature of the chart. Test cases can have different configurations set through the `set` directive to simulate different environments or scenarios. +3. **Assertions:** Test cases contain assertions that specify the expected output of the rendered templates. Assertions can check for the existence of objects, equality of values, matching patterns, and more. + +##### Naming Conventions for Test Files +The naming convention for test files typically mirrors the name of the template they are testing with a `_test` suffix. For example: + +- service.yaml ➔ service_test.yaml +- deployment.yaml ➔ deployment_test.yaml + +## Directory Structure + +Tests are organized under the `tests/` directory, with each test file corresponding to a template in the `templates/` directory: + +```plaintext +cryostat-helm/ +├── templates/ +│ ├── deployment.yaml +│ ├── service.yaml +│ └── ... +└── tests/ + ├── deployment_test.yaml + ├── service_test.yaml + └── ... +``` + +## Test File Structure + +Here's an example of what a test file looks like: + +```yaml +suite: +templates: + - +tests: + - it: + set: + + asserts: + - : + path: + value: +``` +## Common Assertions +- `equal`: Checks if the actual value at path equals the expected value. +- `matchRegex`: Validates if the actual string matches the given regex pattern. +- `exists`: Checks if the specified path exists in the document. +- `notExists`: Ensures the specified path does not exist in the document. + +Visit [ for more Assertion Types](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md#assertion-types). 
+## Running Tests + +Once Unittest plugin has been installed, tests can be executed by running the following command: +```bash +$ helm unittest +``` +In the case of `cryostat-helm`, the command would be: + +```bash +$ helm unittest ./charts/cryostat +``` +To run test for a specific test file, use the `-f` flag with helm unittest to specify the test file to be executed. Here's the command format: + +```bash +$ helm unittest -f tests/.yaml ./charts/ +``` +This command will run the test for `service_test.yaml` file: + +```bash +$ helm unittest -f tests/service_test.yaml ./charts/cryostat +``` +## Additional Resources and Documentation + +For more infomation on Helm and writing tests for Helm charts, the following resources can be invaluable: + +### Helm Documentation + +- **Helm Official Documentation:** Provides comprehensive guides, tutorials, and reference material for working with Helm. + [Helm Documentation](https://helm.sh/docs/) + +- **Helm Chart Best Practices:** A guide by the Helm community outlining best practices for creating and managing Helm charts. + [Helm Chart Best Practices](https://helm.sh/docs/chart_best_practices/) + +### Helm Unittest Plugin + +- **Helm Unittest GitHub Repository:** Contains the source code, installation instructions, and detailed usage examples of the Helm Unittest plugin. + [Helm Unittest on GitHub](https://github.com/helm-unittest/helm-unittest) From 5b1ea9dce420e992130a4c21366ea0682ef3508b Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 3 Jul 2024 17:33:57 -0400 Subject: [PATCH 05/18] add unittest in workflow --- .github/workflows/unittest.yml | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/unittest.yml diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml new file mode 100644 index 00000000..6cbb2bfa --- /dev/null +++ b/.github/workflows/unittest.yml 
@@ -0,0 +1,41 @@ +name: Helm unit tests + +on: + push: + branches: + - main + - v[0-9]+ + - v[0-9]+.[0-9]+ + - cryostat-v[0-9]+.[0-9]+ + + pull_request: + types: + - opened + - reopened + - synchronize + - labeled + - unlabeled + branches: + - main + - v[0-9]+ + - v[0-9]+.[0-9]+ + - cryostat-v[0-9]+.[0-9]+ + +jobs: + helm-unittests: + runs-on: ubuntu-latest + steps: + - name: fail if safe-to-test label NOT applied + if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }} + run: exit 1 + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: v3.15.2 + - name: Install unit test plugin + run: helm plugin install https://github.com/helm-unittest/helm-unittest.git + - name: Run Helm unit tests + run: helm unittest --debug ./charts/cryostat From 6d32215d2ff43a5b236298deea1be36cd9523e70 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 3 Jul 2024 17:35:07 -0400 Subject: [PATCH 06/18] match helm versions --- .github/workflows/unittest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index 6cbb2bfa..da841347 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -34,7 +34,7 @@ jobs: - name: Set up Helm uses: azure/setup-helm@v4 with: - version: v3.15.2 + version: v3.14.4 - name: Install unit test plugin run: helm plugin install https://github.com/helm-unittest/helm-unittest.git - name: Run Helm unit tests From 88ce5e1ccf944fe050802182c401c54aff92c116 Mon Sep 17 00:00:00 2001 
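Review bot: The `Install unit test plugin` step in the new unittest.yml pulls whatever the plugin repository's default branch resolves to at run time, so CI executes unreviewed third-party code and results can change between runs. Pin it to the release TESTING.md names, `run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version v0.5.1`, and bump it deliberately. The workflow also declares no `permissions:` block, so the job gets the repository's default token scope; adding `permissions:` with `contents: read` at the top level is enough for checkout and rendering. The `actions/checkout@v4` and `azure/setup-helm@v4` references are movable tags and could be pinned to commit SHAs for the same reason.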
From: Atif Ali Date: Thu, 4 Jul 2024 17:29:31 -0400 Subject: [PATCH 07/18] added notes_test file && more assertions && cleanup --- charts/cryostat/TESTING.md | 28 +++--- .../tests/clusterrolebinding_test.yaml | 23 +++-- charts/cryostat/tests/ingress_test.yaml | 5 +- charts/cryostat/tests/notes_test.yaml | 90 +++++++++++++++++++ charts/cryostat/tests/pvc_test.yaml | 1 - charts/cryostat/tests/role_test.yaml | 75 ++++++++++++---- charts/cryostat/tests/rolebinding_test.yaml | 79 ++++++++-------- charts/cryostat/tests/service_test.yaml | 14 ++- .../cryostat/tests/serviceaccount_test.yaml | 4 +- 9 files changed, 237 insertions(+), 82 deletions(-) create mode 100644 charts/cryostat/tests/notes_test.yaml diff --git a/charts/cryostat/TESTING.md b/charts/cryostat/TESTING.md index 584c68aa..97843852 100644 --- a/charts/cryostat/TESTING.md +++ b/charts/cryostat/TESTING.md @@ -8,12 +8,14 @@ Helm Unittest is a Helm plugin that allows to write declarative tests for Helm c # Testing Guide for Cryostat Helm Chart -## Dependencies +## Requirements Before running tests, you need to have the following tools installed: -- **Helm 3:** Helm is a package manager for Kubernetes needed to manage the charts. +- **Helm:** Helm is a package manager for Kubernetes needed to manage the charts. + `Required version: >= v3.14.4` - **Helm Unittest Plugin:** This plugin enables unit testing for Helm charts. + `Required version: >= v0.5.1` ## Installation 
@@ -62,14 +64,20 @@ Tests are organized under the `tests/` directory, with each test file correspond ```plaintext cryostat-helm/ -├── templates/ -│ ├── deployment.yaml -│ ├── service.yaml -│ └── ... -└── tests/ - ├── deployment_test.yaml - ├── service_test.yaml - └── ... +├── charts +│   └── cryostat +│   ├── Chart.yaml +│   ├── templates +│   │   ├── alpha_config.yaml +│   │   ├── ... +│   ├── TESTING.md +│   ├── tests +│   │   ├── alpha_config_test.yaml +│   │   ├── ... +│   │   ├── __snapshot__ +│   │   └── storage_access_secret_test.yaml +│   ├── values.schema.json +│   └── values.yaml ``` ## Test File Structure diff --git a/charts/cryostat/tests/clusterrolebinding_test.yaml b/charts/cryostat/tests/clusterrolebinding_test.yaml index 69144412..3ff9f375 100644 --- a/charts/cryostat/tests/clusterrolebinding_test.yaml +++ b/charts/cryostat/tests/clusterrolebinding_test.yaml @@ -1,8 +1,4 @@ suite: test ClusterRoleBinding -release: - name: release-name - namespace: default - templates: - clusterrolebinding.yaml @@ -17,7 +13,7 @@ tests: count: 1 - equal: path: metadata.name - value: release-name-cryostat + value: RELEASE-NAME-cryostat - equal: path: roleRef.apiGroup value: rbac.authorization.k8s.io @@ -32,10 +28,23 @@ tests: value: ServiceAccount - equal: path: subjects[0].name - value: release-name-cryostat + value: RELEASE-NAME-cryostat - equal: path: subjects[0].namespace - value: default + value: NAMESPACE + + - it: should create a ClusterRoleBinding with a custom OpenShift cluster role + set: + rbac.create: true + authentication.openshift.enabled: true + authentication.openshift.clusterRole.name: custom-clusterrole + asserts: + - hasDocuments: + count: 1 + - equal: + path: roleRef.name + value: custom-clusterrole + - it: should not create a ClusterRoleBinding when RBAC is disabled set: diff --git a/charts/cryostat/tests/ingress_test.yaml b/charts/cryostat/tests/ingress_test.yaml index f02a3909..d21ef901 100644 --- a/charts/cryostat/tests/ingress_test.yaml 
+++ b/charts/cryostat/tests/ingress_test.yaml @@ -29,7 +29,10 @@ tests: value: Ingress - matchRegex: path: metadata.name - pattern: "^.+-cryostat$" + pattern: "RELEASE-NAME-cryostat" + - equal: + path: metadata.annotations['nginx.ingress.kubernetes.io/rewrite-target'] + value: "/" - equal: path: spec.rules[0].host value: "example.com" diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml new file mode 100644 index 00000000..724a1e42 --- /dev/null +++ b/charts/cryostat/tests/notes_test.yaml 
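Review bot: The replacement `pattern: "RELEASE-NAME-cryostat"` in the ingress_test.yaml hunk is unanchored, so `matchRegex` accepts any name that merely contains that substring, which is weaker than the `^.+-cryostat$` pattern it replaces at the suffix end. Since the expected name is now a fixed string, use `- equal:` with `value: RELEASE-NAME-cryostat` as clusterrolebinding_test.yaml does, or anchor it as `pattern: "^RELEASE-NAME-cryostat$"`. The same unanchored pattern is used for `metadata.name`, `roleRef.name` and `subjects[0].name` in the role_test.yaml and rolebinding_test.yaml hunks of this commit.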
@@ -0,0 +1,90 @@ +suite: Test NOTES.txt +templates: + - NOTES.txt + +tests: + - it: should be render correct notes for enabled ingress + set: + core.ingress.enabled: true + core: + ingress: + className: nginx + hosts: + - host: example.com + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - example.com + secretName: example-tls + asserts: + - equalRaw: + value: | + + + 1. Visit the Cryostat application at: + ``` + https://example.com/ + ``` + + - it: should render notes for enabled route without TLS + set: + core.route.enabled: true + core.route.tls.enabled: false + asserts: + - equalRaw: + value: | + + 1. Tell Cryostat how to serve external traffic: + ``` + No actions required with this configuration. + ``` + + 2. Visit the Cryostat application at: + ``` + echo http://$(oc get route -n NAMESPACE RELEASE-NAME-cryostat -o jsonpath="{.status.ingress[0].host}") + ``` + + - it: should render notes for NodePort service without ingress or route + set: + core.service.type: "NodePort" + core.ingress.enabled: false + core.route.enabled: false + asserts: + - equalRaw: + value: | + + 1. Tell Cryostat how to serve external traffic: + ``` + export NODE_IP=$(kubectl get nodes -n NAMESPACE -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get -n NAMESPACE -o jsonpath="{.spec.ports[0].nodePort}" services RELEASE-NAME-cryostat) + kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat QUARKUS_HTTP_HOST=$NODE_IP + ``` + + 2. Visit the Cryostat application at: + ``` + echo http://$NODE_IP:$NODE_PORT + ``` + + - it: should render notes for LoadBalancer service without ingress or route + set: + core.service.type: "LoadBalancer" + core.ingress.enabled: false + core.route.enabled: false + asserts: + - equalRaw: + value: | + + 1. Tell Cryostat how to serve external traffic: + ``` + NOTE: It may take a few minutes for the LoadBalancer IP to be available. 
+ You can watch the status by running 'kubectl get -n NAMESPACE -w svc/RELEASE-NAME-cryostat' + export SERVICE_IP=$(kubectl get svc -n NAMESPACE RELEASE-NAME-cryostat --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}") + kubectl -n NAMESPACE set env deploy --containers=cryostat RELEASE-NAME-cryostat QUARKUS_HTTP_HOST=$SERVICE_IP + ``` + + 2. Visit the Cryostat application at: + ``` + echo http://$SERVICE_IP:8181 + ``` diff --git a/charts/cryostat/tests/pvc_test.yaml b/charts/cryostat/tests/pvc_test.yaml index 6528c77c..1feecb2d 100644 --- a/charts/cryostat/tests/pvc_test.yaml +++ b/charts/cryostat/tests/pvc_test.yaml @@ -47,7 +47,6 @@ tests: path: spec.selector.matchLabels.app value: "cryostat" - # Test to ensure no PVC is created when it is disabled - it: should not create a PersistentVolumeClaim when PVC is disabled set: pvc: diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml index c9ef0628..a8ef23ce 100644 --- a/charts/cryostat/tests/role_test.yaml +++ b/charts/cryostat/tests/role_test.yaml 
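Review bot: The first case in notes_test.yaml sets the ingress values twice over, once as the dotted key `core.ingress.enabled: true` and once as a nested `core:` mapping, and the outcome then depends on how the plugin merges the two forms. Putting `enabled: true` inside the nested `core.ingress` mapping alongside `className`, `hosts` and `tls` removes that dependency. The nesting is inferred here because indentation is not preserved on this page. The case title also reads "should be render correct notes"; `- it: should render correct notes for enabled ingress` matches the other titles.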
@@ -3,43 +3,53 @@ templates: - role.yaml tests: - - it: should create a Role for the default namespace + - it: should create a Roles in target namespace set: rbac.create: true core.discovery.kubernetes.enabled: true core.discovery.kubernetes.namespaces: - "default" + - "test-ns" asserts: - hasDocuments: - count: 1 + count: 2 - equal: path: kind value: Role - equal: path: metadata.namespace value: "default" - - matchRegex: - path: metadata.name - pattern: "RELEASE-NAME-cryostat" - - - it: should create a Role for the test namespace - set: - rbac.create: true - core.discovery.kubernetes.enabled: true - core.discovery.kubernetes.namespaces: - - "test-ns" - asserts: - - hasDocuments: - count: 1 - - equal: - path: kind - value: Role + documentIndex: 0 - equal: path: metadata.namespace value: "test-ns" + documentIndex: 1 - matchRegex: path: metadata.name pattern: "RELEASE-NAME-cryostat" + documentIndex: 0 + - matchRegex: + path: metadata.name + pattern: "RELEASE-NAME-cryostat" + documentIndex: 1 + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-0.5.0-dev + documentIndex: 0 + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-0.5.0-dev + documentIndex: 1 - it: should have correct permissions for endpoints, pods, and other resources set: 
@@ -73,3 +83,32 @@ tests: asserts: - hasDocuments: count: 0 + + - it: should not create any Roles when Kubernetes discovery is disabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should not specify a namespace if installNamespaceDisabled is true + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.installNamespaceDisabled: true + asserts: + - hasDocuments: + count: 0 + + - it: should specify the default namespace if installNamespaceDisabled is false + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.installNamespaceDisabled: false + asserts: + - hasDocuments: + count: 1 + - equal: + path: metadata.namespace + value: "NAMESPACE" diff --git a/charts/cryostat/tests/rolebinding_test.yaml b/charts/cryostat/tests/rolebinding_test.yaml index a06e786f..415b1b80 100644 --- a/charts/cryostat/tests/rolebinding_test.yaml +++ b/charts/cryostat/tests/rolebinding_test.yaml 
@@ -9,73 +9,82 @@ tests: core.discovery.kubernetes.enabled: true core.discovery.kubernetes.namespaces: - "default" + - "test-ns" asserts: - hasDocuments: - count: 1 + count: 2 - equal: path: kind value: RoleBinding - - equal: - path: metadata.namespace - value: "default" - - matchRegex: - path: metadata.name - pattern: "RELEASE-NAME-cryostat" - - equal: - path: roleRef.apiGroup - value: "rbac.authorization.k8s.io" - - equal: - path: roleRef.kind - value: "Role" - - matchRegex: - path: roleRef.name - pattern: "RELEASE-NAME-cryostat" - - equal: - path: subjects[0].kind - value: "ServiceAccount" - - matchRegex: - path: subjects[0].name - pattern: "RELEASE-NAME-cryostat" - - equal: - path: subjects[0].namespace - value: "NAMESPACE" - - - it: should create a RoleBinding in the test namespace - set: - rbac.create: true - core.discovery.kubernetes.enabled: true - core.discovery.kubernetes.namespaces: - - "test-ns" - asserts: - - hasDocuments: - count: 1 + documentIndex: 0 - equal: path: kind value: RoleBinding + documentIndex: 1 + - equal: + path: metadata.namespace + value: "default" + documentIndex: 0 - equal: path: metadata.namespace value: "test-ns" + documentIndex: 1 - matchRegex: path: metadata.name pattern: "RELEASE-NAME-cryostat" + documentIndex: 0 + - matchRegex: + path: metadata.name + pattern: "RELEASE-NAME-cryostat" + documentIndex: 1 - equal: path: roleRef.apiGroup value: "rbac.authorization.k8s.io" + documentIndex: 0 + - equal: + path: roleRef.apiGroup + value: "rbac.authorization.k8s.io" + documentIndex: 1 + - equal: + path: roleRef.kind + value: "Role" + documentIndex: 0 - equal: path: roleRef.kind value: "Role" + documentIndex: 1 - matchRegex: path: roleRef.name pattern: "RELEASE-NAME-cryostat" + documentIndex: 0 + - matchRegex: + path: roleRef.name + pattern: "RELEASE-NAME-cryostat" + documentIndex: 1 + - equal: + path: subjects[0].kind + value: "ServiceAccount" + documentIndex: 0 - equal: path: subjects[0].kind value: "ServiceAccount" + documentIndex: 1 
+ - matchRegex: + path: subjects[0].name + pattern: "RELEASE-NAME-cryostat" + documentIndex: 0 - matchRegex: path: subjects[0].name pattern: "RELEASE-NAME-cryostat" + documentIndex: 1 + - equal: + path: subjects[0].namespace + value: "NAMESPACE" + documentIndex: 0 - equal: path: subjects[0].namespace value: "NAMESPACE" + documentIndex: 1 - it: should not create any RoleBinding if RBAC is disabled set: diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml index 45763b25..089c2693 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/service_test.yaml @@ -7,7 +7,7 @@ tests: set: core.service.type: ClusterIP core.service.httpPort: 8080 - authentication.openshift.enabled: true + authentication.openshift.enabled: false asserts: - hasDocuments: count: 1 @@ -52,12 +52,8 @@ tests: app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" helm.sh/chart: cryostat-0.5.0-dev - - equal: - path: metadata.annotations - value: - service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls - - it: should include OpenShift specific annotations when enabled + - it: should include OpenShift specific annotations when OpenShift auth is enabled set: authentication.openshift.enabled: true asserts: @@ -68,9 +64,11 @@ tests: value: service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls - - it: should not include OpenShift specific annotations when disabled + - it: should not include OpenShift specific annotations when OpenShift auth is disabled set: authentication.openshift.enabled: false asserts: - notExists: - path: metadata.annotations + path: metadata.annotations.`service.alpha.openshift.io/serving-cert-secret-name` + + diff --git a/charts/cryostat/tests/serviceaccount_test.yaml b/charts/cryostat/tests/serviceaccount_test.yaml index 892e13bb..4a1cb552 100644 --- a/charts/cryostat/tests/serviceaccount_test.yaml +++ b/charts/cryostat/tests/serviceaccount_test.yaml 
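Review bot: The new `notExists` path in the last service_test.yaml hunk wraps the annotation key in backticks after `metadata.annotations.`, whereas ingress_test.yaml in the same commit addresses a dotted annotation key with bracket syntax. If the plugin does not resolve the backtick form to that single key, `notExists` passes vacuously and the case no longer guards against the serving-cert annotation leaking into non-OpenShift installs. Writing it as `path: metadata.annotations['service.alpha.openshift.io/serving-cert-secret-name']` keeps both suites consistent; whether the backtick form is accepted cannot be confirmed from this page.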
@@ -3,7 +3,7 @@ templates: - serviceaccount.yaml tests: - - it: should create a ServiceAccount with OpenShift redirect annotations when enabled + - it: should create a ServiceAccount with OpenShift redirect annotations when OpenShift auth is enabled set: authentication.openshift.enabled: true serviceAccount.create: true @@ -21,7 +21,7 @@ tests: value: serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"RELEASE-NAME-cryostat"}}' - - it: should not include OpenShift specific annotations when disabled + - it: should not include OpenShift specific annotations when OpenShift auth is disabled set: authentication.openshift.enabled: false serviceAccount.create: true From 6236859212b4cfa3bee03770f8663132f35075ef Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Fri, 5 Jul 2024 11:01:36 -0400 Subject: [PATCH 08/18] update TESTING.md and role_test --- charts/cryostat/TESTING.md | 5 ++++ charts/cryostat/tests/role_test.yaml | 35 ++++++++++++++++++++++++---- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/charts/cryostat/TESTING.md b/charts/cryostat/TESTING.md index 97843852..9194b109 100644 --- a/charts/cryostat/TESTING.md +++ b/charts/cryostat/TESTING.md @@ -70,6 +70,9 @@ cryostat-helm/ │   ├── templates │   │   ├── alpha_config.yaml │   │   ├── ... +│   │   └── tests +│   │   ├── test-core-connection.yaml +│   │   └── ... │   ├── TESTING.md │   ├── tests │   │   ├── alpha_config_test.yaml @@ -78,7 +81,9 @@ cryostat-helm/ │   │   └── storage_access_secret_test.yaml │   ├── values.schema.json │   └── values.yaml + ``` +In addition, Cryostat Helm chart includes integration tests located in the `templates/tests` directory and are executed using `helm test`. These tests are different from unit tests in that they involve actual deployment of resources to a Kubernetes cluster to validate the integrated operation of those resources. ## Test File Structure 
diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml index a8ef23ce..bb5dd7ef 100644 --- a/charts/cryostat/tests/role_test.yaml +++ b/charts/cryostat/tests/role_test.yaml @@ -59,8 +59,8 @@ tests: - "default" asserts: - equal: - path: rules[0].apiGroups[0] - value: "" + path: rules[0].apiGroups + value: [""] - equal: path: rules[0].resources value: ["endpoints"] @@ -68,14 +68,41 @@ tests: path: rules[0].verbs value: ["get", "list", "watch"] - equal: - path: rules[1].apiGroups[0] - value: "" + path: rules[1].apiGroups + value: [""] - equal: path: rules[1].resources value: ["pods", "replicationcontrollers"] - equal: path: rules[1].verbs value: ["get"] + - equal: + path: rules[2].apiGroups + value: ["apps"] + - equal: + path: rules[2].resources + value: ["replicasets", "deployments", "daemonsets", "statefulsets"] + - equal: + path: rules[2].verbs + value: ["get"] + - equal: + path: rules[3].apiGroups + value: ["apps.openshift.io"] + - equal: + path: rules[3].resources + value: ["deploymentconfigs"] + - equal: + path: rules[3].verbs + value: ["get"] + - equal: + path: rules[4].apiGroups + value: ["route.openshift.io"] + - equal: + path: rules[4].verbs + value: ["get", "list"] + - equal: + path: rules[4].resources + value: ["routes"] - it: should not create any Role if RBAC is disabled set: From a1314d5907ecda93bd2f36f75690ca933a344b11 Mon Sep 17 00:00:00 2001 
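Review bot: The permissions case in role_test.yaml checks `rules[0]` through `rules[4]` individually but never asserts how many rules the Role has, so a sixth rule granting broader access would pass unnoticed. Adding `- lengthEqual:` with `path: rules` and `count: 5` turns the case into a least-privilege guard rather than a spot check. The `set:` block of this case begins above the hunk, so the namespaces it renders for are only partly visible.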
From: Atif Ali Date: Fri, 5 Jul 2024 14:02:35 -0400 Subject: [PATCH 09/18] add more test cases --- charts/cryostat/tests/alpha_config_test.yaml | 2 +- .../tests/clusterrolebinding_test.yaml | 2 +- charts/cryostat/tests/db_secret_test.yaml | 2 +- charts/cryostat/tests/deployment_test.yaml | 87 ++++++++++++++++++- charts/cryostat/tests/ingress_test.yaml | 2 +- charts/cryostat/tests/notes_test.yaml | 4 +- charts/cryostat/tests/pvc_test.yaml | 2 +- charts/cryostat/tests/role_test.yaml | 4 +- charts/cryostat/tests/rolebinding_test.yaml | 2 +- charts/cryostat/tests/route_test.yaml | 2 +- charts/cryostat/tests/service_test.yaml | 2 +- .../cryostat/tests/serviceaccount_test.yaml | 2 +- .../tests/storage_access_secret_test.yaml | 2 +- 13 files changed, 97 insertions(+), 18 deletions(-) diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml index b599d8c9..cced5bcd 100644 --- a/charts/cryostat/tests/alpha_config_test.yaml +++ b/charts/cryostat/tests/alpha_config_test.yaml @@ -1,4 +1,4 @@ -suite: test alpha_config +suite: test alpha_config.yaml templates: - templates/alpha_config.yaml diff --git a/charts/cryostat/tests/clusterrolebinding_test.yaml b/charts/cryostat/tests/clusterrolebinding_test.yaml index 3ff9f375..0d867408 100644 --- a/charts/cryostat/tests/clusterrolebinding_test.yaml +++ b/charts/cryostat/tests/clusterrolebinding_test.yaml @@ -1,4 +1,4 @@ -suite: test ClusterRoleBinding +suite: test clusterrolebinding.yaml templates: - clusterrolebinding.yaml diff --git a/charts/cryostat/tests/db_secret_test.yaml b/charts/cryostat/tests/db_secret_test.yaml index 25f47233..3f3fbab9 100644 --- a/charts/cryostat/tests/db_secret_test.yaml +++ b/charts/cryostat/tests/db_secret_test.yaml @@ -1,4 +1,4 @@ -suite: Database Secret Creation +suite: test db_secret.yaml templates: - db_secret.yaml diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index 248d74bd..2dde41fd 100644 
--- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/deployment_test.yaml @@ -1,10 +1,13 @@ -suite: Complete Deployment Validation +suite: test deployment.yaml templates: - deployment.yaml tests: - it: should verify general deployment settings asserts: + - equal: + path: kind + value: Deployment - equal: path: metadata.name value: RELEASE-NAME-cryostat @@ -14,15 +17,31 @@ tests: - equal: path: spec.strategy.type value: Recreate + - equal: + path: metadata.labels + value: + helm.sh/chart: cryostat-0.5.0-dev + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/version: "4.0.0-dev" + app.kubernetes.io/managed-by: Helm - - it: should validate main application container settings + - it: should validate all container settings including environment variables and security contexts asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat')] - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].image value: "quay.io/cryostat/cryostat:4.0.0-snapshot" - equal: - path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].containerPort - value: 8181 + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].image + value: "quay.io/oauth2-proxy/oauth2-proxy:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PORT')].value + value: "8181" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value + value: "archivedrecordings" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].livenessProbe.httpGet.path value: "/health/liveness" 
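Review bot: The added image assertion for `cryostat-authproxy` expects `quay.io/oauth2-proxy/oauth2-proxy:latest`, which presumably mirrors the default in values.yaml (not visible here) and so records a mutable tag as the intended state for the authentication proxy. With `imagePullPolicy: Always` asserted later in this file, the proxy that fronts authentication can change underneath a release without any chart change. Consider pinning a version tag or digest in the chart default and updating this expectation to match; the case also sets no values, so it depends entirely on those defaults.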
@@ -30,6 +49,31 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.httpGet.path value: "/health/liveness" + - it: should validate volumes and volume mounts + asserts: + - exists: + path: spec.template.spec.volumes[?(@.name=='alpha-config')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + + - it: should validate container ports and network settings + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].containerPort + value: 8181 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].containerPort + value: 8333 + + - it: should set image pull secrets if specified + set: + imagePullSecrets: + - name: myregistrykey + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "myregistrykey" + - it: should configure the OpenShift OAuth Proxy when authentication.openshift is enabled set: authentication.openshift.enabled: true 
@@ -83,3 +127,38 @@ tests: - exists: path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources + - it: should validate security contexts for each container + asserts: + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat')].securityContext.capabilities.drop + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].securityContext.capabilities.drop[0] + value: "ALL" + + - it: should verify image pull policies for each container + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].imagePullPolicy + value: Always + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy + value: Always + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: Always + + - it: should verify pod selector labels and pod labels + asserts: + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat diff --git a/charts/cryostat/tests/ingress_test.yaml b/charts/cryostat/tests/ingress_test.yaml index d21ef901..f822dd15 100644 --- a/charts/cryostat/tests/ingress_test.yaml +++ b/charts/cryostat/tests/ingress_test.yaml @@ -1,4 +1,4 @@ -suite: Ingress Configuration +suite: test ingress.yaml templates: - ingress.yaml diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index 724a1e42..f253103c 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml 
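Review bot: The test `should validate security contexts for each container` inspects only the `cryostat` container, so a missing or weakened `securityContext` on `cryostat-authproxy`, `cryostat-storage` or `cryostat-jfr-datasource` would still pass. It also checks `capabilities.drop[0]` alone and never looks at `allowPrivilegeEscalation`. Either repeat the assertions per container name or rename the test to say it covers `cryostat` only. Asserting the whole list at `...securityContext.capabilities.drop` with `value: [ALL]` pins the complete list rather than its first entry and makes the preceding `exists` check unnecessary. The same gap between title and coverage applies to `should verify image pull policies for each container`, which checks three containers.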
@@ -1,9 +1,9 @@ -suite: Test NOTES.txt +suite: test NOTES.txt templates: - NOTES.txt tests: - - it: should be render correct notes for enabled ingress + - it: should render correct notes for enabled ingress set: core.ingress.enabled: true core: diff --git a/charts/cryostat/tests/pvc_test.yaml b/charts/cryostat/tests/pvc_test.yaml index 1feecb2d..44e19cf7 100644 --- a/charts/cryostat/tests/pvc_test.yaml +++ b/charts/cryostat/tests/pvc_test.yaml @@ -1,4 +1,4 @@ -suite: PVC Configuration +suite: test pvc.yaml templates: - pvc.yaml diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml index bb5dd7ef..b8db0feb 100644 --- a/charts/cryostat/tests/role_test.yaml +++ b/charts/cryostat/tests/role_test.yaml @@ -1,9 +1,9 @@ -suite: Role Configuration +suite: test role.yaml templates: - role.yaml tests: - - it: should create a Roles in target namespace + - it: should create Roles in target namespace set: rbac.create: true core.discovery.kubernetes.enabled: true diff --git a/charts/cryostat/tests/rolebinding_test.yaml b/charts/cryostat/tests/rolebinding_test.yaml index 415b1b80..34e654f3 100644 --- a/charts/cryostat/tests/rolebinding_test.yaml +++ b/charts/cryostat/tests/rolebinding_test.yaml @@ -1,4 +1,4 @@ -suite: RoleBinding Configuration +suite: test rolebinding.yaml templates: - rolebinding.yaml diff --git a/charts/cryostat/tests/route_test.yaml b/charts/cryostat/tests/route_test.yaml index d771dc7d..3c020281 100644 --- a/charts/cryostat/tests/route_test.yaml +++ b/charts/cryostat/tests/route_test.yaml @@ -1,4 +1,4 @@ -suite: Route Configuration +suite: test route.yaml templates: - route.yaml diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml index 089c2693..56a40ede 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/service_test.yaml @@ -1,4 +1,4 @@ -suite: Service Configuration +suite: test service.yaml templates: - service.yaml 
diff --git a/charts/cryostat/tests/serviceaccount_test.yaml b/charts/cryostat/tests/serviceaccount_test.yaml index 4a1cb552..211aa9b3 100644 --- a/charts/cryostat/tests/serviceaccount_test.yaml +++ b/charts/cryostat/tests/serviceaccount_test.yaml @@ -1,4 +1,4 @@ -suite: ServiceAccount Configuration +suite: test serviceaccount.yaml templates: - serviceaccount.yaml diff --git a/charts/cryostat/tests/storage_access_secret_test.yaml b/charts/cryostat/tests/storage_access_secret_test.yaml index 7007b97b..f5e0ab7b 100644 --- a/charts/cryostat/tests/storage_access_secret_test.yaml +++ b/charts/cryostat/tests/storage_access_secret_test.yaml @@ -1,4 +1,4 @@ -suite: Storage Access Secret Configuration +suite: test storage_access_secret.yaml templates: - storage_access_secret.yaml From 4b1323040c020057d593535763e1843da5c32269 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 10 Jul 2024 12:01:04 -0400 Subject: [PATCH 10/18] fix service_test.yaml test failure after Thuan's PR --- charts/cryostat/tests/service_test.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml index 56a40ede..7a93a15a 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/service_test.yaml @@ -32,18 +32,6 @@ tests: - equal: path: spec.ports[0].name value: cryostat-http - - equal: - path: spec.ports[1].port - value: 443 - - equal: - path: spec.ports[1].targetPort - value: 8443 - - equal: - path: spec.ports[1].protocol - value: TCP - - equal: - path: spec.ports[1].name - value: cryostat-https - equal: path: metadata.labels value: From d924c161dd5a28484854d8ef0beae28e5f7ca8dc Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Wed, 10 Jul 2024 13:54:25 -0400 Subject: [PATCH 11/18] add test cases for pull policies --- charts/cryostat/tests/deployment_test.yaml | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) 
diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index 2dde41fd..f3b624f4 100644 --- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/deployment_test.yaml @@ -149,6 +149,37 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy value: Always + + - it: should verify image pull policies for development snapshots + set: + core.image.tag: "4.0.0-snapshot" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].imagePullPolicy + value: Always + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy + value: Always + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: Always + + - it: should verify image pull policies for release versions + set: + core.image.tag: "4.1.0" + core.image.pullPolicy: "IfNotPresent" + oauth2Proxy.image.pullPolicy: "IfNotPresent" + storage.image.pullPolicy: "IfNotPresent" + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].imagePullPolicy + value: "IfNotPresent" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy + value: "IfNotPresent" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: "IfNotPresent" - it: should verify pod selector labels and pod labels asserts: From 8f225b25b96d51546d8bada7b35aa1e2beb8fda4 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Thu, 11 Jul 2024 10:30:09 -0400 Subject: [PATCH 12/18] more test cases on deployment --- charts/cryostat/tests/deployment_test.yaml | 118 +++++++++++++++++++-- 1 file changed, 109 insertions(+), 9 deletions(-) diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index f3b624f4..7108581e 100644 --- a/charts/cryostat/tests/deployment_test.yaml 
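Review bot: Neither new test shows that the pull policy depends on the image tag, although both titles say so. `should verify image pull policies for release versions` sets every `pullPolicy` to `IfNotPresent` explicitly, so it passes whatever `core.image.tag` is, and the snapshot test asserts the same `Always` values as the test just above it. If the chart is meant to derive the policy from the tag, the release test should set only `core.image.tag: "4.1.0"` and assert the derived value; if not, rename both tests to describe a values passthrough. Only `core.image.tag` is changed in the release case, so `cryostat-authproxy` runs with `IfNotPresent` against an image this file elsewhere asserts as `:latest`, a combination that lets nodes keep a stale cached image.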
+++ b/charts/cryostat/tests/deployment_test.yaml 
@@ -39,32 +39,132 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PORT')].value value: "8181" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_HOST')].value + value: "localhost" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION')].value + value: "drop-and-create" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_USERNAME')].value + value: "cryostat3" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_PASSWORD')].valueFrom.secretKeyRef + value: + key: "CONNECTION_KEY" + name: "RELEASE-NAME-db" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_JDBC_URL')].value + value: "jdbc:postgresql://localhost:5432/cryostat3" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value value: "archivedrecordings" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_ENDPOINT_OVERRIDE')].value + value: "http://localhost:8333" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_PATH_STYLE_ACCESS')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_REGION')].value + value: "us-east-1" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_TYPE')].value + value: "static" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID')].value + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_ACCESS_KEY_ID')].value + value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID) + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef + value: + key: "SECRET_KEY" + name: "RELEASE-NAME-storage" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value + value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY) + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='GRAFANA_DATASOURCE_URL')].value + value: "http://localhost:8800" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='GRAFANA_DASHBOARD_URL')].value + value: "http://localhost:3000" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='GRAFANA_DASHBOARD_EXT_URL')].value + value: "/grafana/" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_NAMESPACES')].value + value: "NAMESPACE" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NAMES')].value + value: "jfr-jmx" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='CRYOSTAT_DISCOVERY_KUBERNETES_PORT_NUMBERS')].value + value: "9091" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].containerPort + value: 8181 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].protocol + value: "TCP" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].livenessProbe.httpGet.path value: "/health/liveness" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].livenessProbe.httpGet.port + value: 8181 - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.httpGet.path value: "/health/liveness" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.httpGet.port + value: 8181 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.failureThreshold + value: 18 - - it: should validate volumes and volume mounts + - it: should validate cryostat-db settings asserts: - - exists: - path: spec.template.spec.volumes[?(@.name=='alpha-config')] - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.capabilities.drop + value: + - ALL - - it: should validate container ports and network settings + - it: should validate cryostat-storage settings asserts: - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat')].ports[0].containerPort - value: 8181 - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].containerPort 
value: 8333 + - it: should validate volumes and volume mounts + asserts: + - exists: + path: spec.template.spec.volumes[?(@.name=='alpha-config')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - it: should set image pull secrets if specified set: imagePullSecrets: From b0a534928f79c0ee75b7ccbb43123e2c88062a83 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Fri, 12 Jul 2024 00:45:06 -0400 Subject: [PATCH 13/18] more test cases on deployment && cleanup deployment --- charts/cryostat/tests/deployment_test.yaml | 288 ++++++++++++++++++--- 1 file changed, 246 insertions(+), 42 deletions(-) diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index 7108581e..fcc239e1 100644 --- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/deployment_test.yaml @@ -17,6 +17,25 @@ tests: - equal: path: spec.strategy.type value: Recreate + - equal: + path: spec.selector.matchLabels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + - equal: + path: spec.template.metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: cryostat + - equal: + path: spec.template.spec.serviceAccountName + value: RELEASE-NAME-cryostat + - equal: + path: spec.template.spec.securityContext.runAsNonRoot + value: true + - equal: + path: spec.template.spec.securityContext.seccompProfile.type + value: RuntimeDefault - equal: path: metadata.labels value: 
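Review bot: In patch 12's hunk `@@ -39,32 +39,132 @@`, the assertions that `QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED`, `QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST` and `QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX` are `"true"` are only safe to lock in together with `QUARKUS_HTTP_HOST` being `localhost`, and nothing in the test says so. Forwarded headers are client-controlled unless the only peer that can reach the listener is the proxy, which here is presumably `cryostat-authproxy` in the same pod. A comment above that group, for example `# forwarded headers are trusted because the app listens on localhost behind cryostat-authproxy`, would stop someone relaxing the host assertion on its own. The test now carries several dozen assertions, so splitting it by concern (HTTP, datasource, S3, discovery, probes) would make a failure easier to place. The hunk starts inside an existing `asserts:` list, so the test header is not visible here.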
@@ -141,9 +160,13 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].startupProbe.failureThreshold value: 18 + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat')].resources - it: should validate cryostat-db settings asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-db')] - equal: path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.allowPrivilegeEscalation value: false 
@@ -151,12 +174,215 @@ tests: path: spec.template.spec.containers[?(@.name=='cryostat-db')].securityContext.capabilities.drop value: - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].image + value: "quay.io/cryostat/cryostat-db:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_USER')].value + value: "cryostat3" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_PASSWORD')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-db" + key: "CONNECTION_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_DATABASE')].value + value: "cryostat3" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='PG_ENCRYPT_KEY')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-db" + key: "ENCRYPTION_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].containerPort + value: 5432 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].mountPath + value: "/var/lib/pgsql/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].name + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].volumeMounts[0].subPath + value: "postgres" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].readinessProbe.exec.command + value: + - pg_isready + - -U + - cryostat3 + - -d + - cryostat3 - it: should validate cryostat-storage settings asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')] + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].securityContext.capabilities.drop + value: + - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].image + value: "quay.io/cryostat/cryostat-storage:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_BUCKETS')].value + value: "archivedrecordings,archivedreports,eventtemplates,probes" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_ACCESS_KEY')].value + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef + value: + name: "RELEASE-NAME-storage" + key: "SECRET_KEY" + optional: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value + value: "/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='IP_BIND')].value + value: 0.0.0.0 - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].containerPort value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].mountPath + value: "/data" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].name + value: "cryostat" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].volumeMounts[0].subPath + value: "seaweed" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.path + value: "/status" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.httpGet.port + value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].livenessProbe.failureThreshold + value: 2 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.path + value: "/status" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.httpGet.port + value: 8333 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].startupProbe.failureThreshold + value: 9 + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-storage')].resources + + - it: should validate cryostat-grafana settings + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].securityContext.capabilities.drop + value: + - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].image + value: "quay.io/cryostat/cryostat-grafana-dashboard:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].env[?(@.name=='GF_AUTH_ANONYMOUS_ENABLED')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].env[?(@.name=='GF_SERVER_DOMAIN')].value + value: 
"localhost" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].env[?(@.name=='GF_SERVER_ROOT_URL')].value + value: "http://localhost:4180/grafana/" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].env[?(@.name=='GF_SERVER_SERVE_FROM_SUB_PATH')].value + value: "true" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].env[?(@.name=='JFR_DATASOURCE_URL')].value + value: "http://localhost:8800" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].ports[0].containerPort + value: 3000 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].livenessProbe.httpGet.path + value: "/api/health" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].livenessProbe.httpGet.port + value: 3000 + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].resources + + - it: should validate cryostat-jfr-datasource settings + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')] + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].securityContext.capabilities.drop + value: + - ALL + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].image + value: "quay.io/cryostat/jfr-datasource:latest" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].env[?(@.name=='LISTEN_HOST')].value + value: "localhost" + - equal: + path: 
spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].env[?(@.name=='QUARKUS_HTTP_PORT')].value + value: "8800" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].ports[0].containerPort + value: 8800 + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].ports[0].protocol + value: "TCP" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].livenessProbe.exec.command + value: + - curl + - --fail + - http://localhost:8800 + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources - it: should validate volumes and volume mounts asserts: 
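Review bot: The `cryostat` and `cryostat-authproxy` containers end up without any `securityContext` assertion in the hunks visible for this commit. The new blocks check `allowPrivilegeEscalation: false` and `capabilities.drop` for `cryostat-db`, `cryostat-storage`, `cryostat-grafana` and `cryostat-jfr-datasource`, while hunk `@@ -218,37 +444,6 @@` deletes the only check on `cryostat`'s `capabilities.drop`. `cryostat-authproxy` is presumably the container that clients reach, so a regression there is the one most worth catching. Keep an assertion on `spec.template.spec.containers[?(@.name=='cryostat')].securityContext.capabilities.drop` in the `cryostat` test, and add the matching pair for `cryostat-authproxy` if the template sets them. Lines outside these hunks may already cover this, since the file is only partly visible.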
@@ -218,37 +444,6 @@ tests: path: spec.template.spec.affinity - exists: path: spec.template.spec.tolerations - - - it: should ensure the datasource container has correct environment variables and resources - asserts: - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].env[?(@.name=='QUARKUS_HTTP_PORT')].value - value: "8800" - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].resources - - - it: should validate security contexts for each container - asserts: - - equal: - path: spec.template.spec.securityContext.runAsNonRoot - value: true - - exists: - path: spec.template.spec.containers[?(@.name=='cryostat')].securityContext.capabilities.drop - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat')].securityContext.capabilities.drop[0] - value: "ALL" - - - it: should verify image pull policies for each container - asserts: - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat')].imagePullPolicy - value: Always - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].imagePullPolicy - value: Always - - equal: - path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy - value: Always - it: should verify image pull policies for development snapshots set: @@ -263,6 +458,15 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy value: Always + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "Always" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy + value: "Always" - it: should verify image pull policies for release versions set: 
@@ -270,6 +474,9 @@ tests: core.image.pullPolicy: "IfNotPresent" oauth2Proxy.image.pullPolicy: "IfNotPresent" storage.image.pullPolicy: "IfNotPresent" + grafana.image.pullPolicy: "IfNotPresent" + db.image.pullPolicy: "IfNotPresent" + datasource.image.pullPolicy: "IfNotPresent" asserts: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].imagePullPolicy @@ -280,16 +487,13 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].imagePullPolicy value: "IfNotPresent" - - - it: should verify pod selector labels and pod labels - asserts: - equal: - path: spec.selector.matchLabels - value: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: cryostat + path: spec.template.spec.containers[?(@.name=='cryostat-grafana')].imagePullPolicy + value: "IfNotPresent" - equal: - path: spec.template.metadata.labels - value: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: cryostat + path: spec.template.spec.containers[?(@.name=='cryostat-db')].imagePullPolicy + value: "IfNotPresent" + - equal: + path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy + value: "IfNotPresent" + From c92b9fa84ae70cfa57261dab79f5bda49506c284 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Fri, 12 Jul 2024 01:32:51 -0400 Subject: [PATCH 14/18] resolved all pending conflicts --- charts/cryostat/tests/notes_test.yaml | 18 +++++++++++++ charts/cryostat/tests/rolebinding_test.yaml | 30 +++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index f253103c..533a37bf 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml 
@@ -45,6 +45,24 @@ tests: ``` echo http://$(oc get route -n NAMESPACE RELEASE-NAME-cryostat -o jsonpath="{.status.ingress[0].host}") ``` + + - it: should render notes for enabled route with TLS + set: + core.route.enabled: true + core.route.tls.enabled: true + asserts: + - equalRaw: + value: | + + 1. Tell Cryostat how to serve external traffic: + ``` + No actions required with this configuration. + ``` + + 2. Visit the Cryostat application at: + ``` + echo https://$(oc get route -n NAMESPACE RELEASE-NAME-cryostat -o jsonpath="{.status.ingress[0].host}") + ``` - it: should render notes for NodePort service without ingress or route set: diff --git a/charts/cryostat/tests/rolebinding_test.yaml b/charts/cryostat/tests/rolebinding_test.yaml index 34e654f3..05d36845 100644 --- a/charts/cryostat/tests/rolebinding_test.yaml +++ b/charts/cryostat/tests/rolebinding_test.yaml @@ -92,3 +92,33 @@ tests: asserts: - hasDocuments: count: 0 + + - it: should not create any RoleBinding when Kubernetes discovery is disabled + set: + rbac.create: true + core.discovery.kubernetes.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should not create any RoleBinding if installNamespaceDisabled is true + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.installNamespaceDisabled: true + asserts: + - hasDocuments: + count: 0 + + - it: should create a RoleBinding in the default namespace if installNamespaceDisabled is false + set: + rbac.create: true + core.discovery.kubernetes.enabled: true + core.discovery.kubernetes.namespaces: [] + core.discovery.kubernetes.installNamespaceDisabled: false + asserts: + - hasDocuments: + count: 1 + - equal: + path: metadata.namespace + value: "NAMESPACE" From 514ba4565d6c852f9cbdaa8a8730381176e56730 Mon Sep 17 00:00:00 2001 
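Review bot: In `rolebinding_test.yaml`, `should create a RoleBinding in the default namespace if installNamespaceDisabled is false` checks only the document count and `metadata.namespace`, so it would still pass if the binding pointed at a different Role or subject. Assert `roleRef.kind`, `roleRef.name` and the name and namespace under `subjects[0]` here, unless an earlier test in this file, outside the hunk, already pins them for this combination of values. The title says "default namespace" while the assertion expects the release-namespace placeholder `NAMESPACE`; "install namespace" would match the values key being tested.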
From: Atif Ali Date: Mon, 15 Jul 2024 12:12:49 -0400 Subject: [PATCH 15/18] rename cryostat3 -> crysostat --- charts/cryostat/Chart.yaml | 2 +- charts/cryostat/templates/deployment.yaml | 12 ++++++------ charts/cryostat/tests/deployment_test.yaml | 12 ++++++------ 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml index 8d950046..872f83cf 100644 --- a/charts/cryostat/Chart.yaml +++ b/charts/cryostat/Chart.yaml @@ -26,7 +26,7 @@ keywords: - diagnostic sources: -- https://github.com/cryostatio/cryostat3 +- https://github.com/cryostatio/cryostat - https://github.com/cryostatio/cryostat-core - https://github.com/cryostatio/cryostat-web - https://github.com/cryostatio/jfr-datasource diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml index 1307ebcf..a0c84150 100644 --- a/charts/cryostat/templates/deployment.yaml +++ b/charts/cryostat/templates/deployment.yaml @@ -56,7 +56,7 @@ spec: - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION value: drop-and-create - name: QUARKUS_DATASOURCE_USERNAME - value: cryostat3 + value: cryostat - name: QUARKUS_DATASOURCE_PASSWORD valueFrom: secretKeyRef: @@ -64,7 +64,7 @@ spec: key: CONNECTION_KEY optional: false - name: QUARKUS_DATASOURCE_JDBC_URL - value: jdbc:postgresql://localhost:5432/cryostat3 + value: jdbc:postgresql://localhost:5432/cryostat - name: STORAGE_BUCKETS_ARCHIVES_NAME value: archivedrecordings - name: QUARKUS_S3_ENDPOINT_OVERRIDE @@ -126,7 +126,7 @@ spec: imagePullPolicy: {{ (.Values.db).image.pullPolicy }} env: - name: POSTGRESQL_USER - value: cryostat3 + value: cryostat - name: POSTGRESQL_PASSWORD valueFrom: secretKeyRef: @@ -134,7 +134,7 @@ spec: key: CONNECTION_KEY optional: false - name: POSTGRESQL_DATABASE - value: cryostat3 + value: cryostat - name: PG_ENCRYPT_KEY valueFrom: secretKeyRef: 
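Review bot: In `templates/deployment.yaml`, changing `POSTGRESQL_USER` and `POSTGRESQL_DATABASE` from `cryostat3` to `cryostat` (hunks `@@ -126,7` and `@@ -134,7`, with the client side in `@@ -56,7` and `@@ -64,7`) is probably not upgrade-safe for a release that already has data under the `postgres` subPath of the `cryostat` volume. Database images normally create the user and database only when the data directory is empty, so an upgraded pod would presumably come up with the old `cryostat3` role and the application would fail to authenticate as `cryostat`. The readiness probe changed in `@@ -153,9` would not show this, because `pg_isready` reports server status without validating the user or database name. If upgrades from a chart version that used `cryostat3` are supported, add an upgrade note or migration step; if the chart is still pre-release, say so in the commit message.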
@@ -153,9 +153,9 @@ spec: command: - pg_isready - -U - - cryostat3 + - cryostat - -d - - cryostat3 + - cryostat - name: {{ printf "%s-%s" .Chart.Name "storage" }} securityContext: {{- toYaml (.Values.storage).securityContext | nindent 12 }} diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index fcc239e1..e5b32105 100644 --- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/deployment_test.yaml @@ -78,7 +78,7 @@ tests: value: "drop-and-create" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_USERNAME')].value - value: "cryostat3" + value: "cryostat" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_PASSWORD')].valueFrom.secretKeyRef value: @@ -87,7 +87,7 @@ tests: optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_DATASOURCE_JDBC_URL')].value - value: "jdbc:postgresql://localhost:5432/cryostat3" + value: "jdbc:postgresql://localhost:5432/cryostat" - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='STORAGE_BUCKETS_ARCHIVES_NAME')].value value: "archivedrecordings" @@ -182,7 +182,7 @@ tests: value: "Always" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_USER')].value - value: "cryostat3" + value: "cryostat" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_PASSWORD')].valueFrom.secretKeyRef value: @@ -191,7 +191,7 @@ tests: optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='POSTGRESQL_DATABASE')].value - value: "cryostat3" + value: "cryostat" - equal: path: spec.template.spec.containers[?(@.name=='cryostat-db')].env[?(@.name=='PG_ENCRYPT_KEY')].valueFrom.secretKeyRef value: 
@@ -218,9 +218,9 @@ tests: value: - pg_isready - -U - - cryostat3 + - cryostat - -d - - cryostat3 + - cryostat - it: should validate cryostat-storage settings asserts: From 7f7185ceeb60398e9473eb9bcfbea80ccf73caa4 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Tue, 16 Jul 2024 14:38:14 -0400 Subject: [PATCH 16/18] resolve more issues --- .github/workflows/unittest.yml | 2 +- charts/cryostat/TESTING.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index da841347..b89d990f 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -36,6 +36,6 @@ jobs: with: version: v3.14.4 - name: Install unit test plugin - run: helm plugin install https://github.com/helm-unittest/helm-unittest.git + run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version v0.5.1 - name: Run Helm unit tests run: helm unittest --debug ./charts/cryostat diff --git a/charts/cryostat/TESTING.md b/charts/cryostat/TESTING.md index 9194b109..ff9fb3be 100644 --- a/charts/cryostat/TESTING.md +++ b/charts/cryostat/TESTING.md @@ -108,7 +108,7 @@ tests: - `exists`: Checks if the specified path exists in the document. - `notExists`: Ensures the specified path does not exist in the document. -Visit [ for more Assertion Types](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md#assertion-types). +Visit [this document](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md#assertion-types) for more assertion types. ## Running Tests Once Unittest plugin has been installed, tests can be executed by running the following command: From 0873ef472efb1bd54c8a00bb6d4674928d8e57c6 Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Tue, 16 Jul 2024 14:41:59 -0400 Subject: [PATCH 17/18] fix chart version --- charts/cryostat/tests/service_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
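Review bot: The `--version v0.5.1` added to the `helm plugin install` line in .github/workflows/unittest.yml pins the plugin to a tag, which is a mutable reference: the upstream repository can move it, and the code fetched from it then runs inside this CI job. If the plugin installer accepts a commit reference for this Helm version (worth confirming), pinning to the full commit behind the tag and keeping the tag as a trailing comment gives a reproducible fetch, e.g. `--version <COMMIT_SHA_OF_v0.5.1>  # v0.5.1`. The job definition starts outside the hunk, so whether the other steps are pinned the same way cannot be seen here.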
diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml index 7a93a15a..55154c7a 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/service_test.yaml @@ -39,7 +39,7 @@ tests: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev - it: should include OpenShift specific annotations when OpenShift auth is enabled set: From 6d54439cb7cc78edcd89ad02c7a23c6a94c75d9e Mon Sep 17 00:00:00 2001 From: Atif Ali Date: Tue, 16 Jul 2024 16:36:31 -0400 Subject: [PATCH 18/18] resolve issues && add test case --- charts/cryostat/tests/deployment_test.yaml | 2 +- charts/cryostat/tests/pvc_test.yaml | 2 +- charts/cryostat/tests/role_test.yaml | 4 +- charts/cryostat/tests/route_test.yaml | 2 +- charts/cryostat/tests/service_test.yaml | 58 ++++++++++++++++++++++ 5 files changed, 63 insertions(+), 5 deletions(-) diff --git a/charts/cryostat/tests/deployment_test.yaml b/charts/cryostat/tests/deployment_test.yaml index e5b32105..67971fe1 100644 --- a/charts/cryostat/tests/deployment_test.yaml +++ b/charts/cryostat/tests/deployment_test.yaml @@ -39,7 +39,7 @@ tests: - equal: path: metadata.labels value: - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev app.kubernetes.io/name: cryostat app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/version: "4.0.0-dev" diff --git a/charts/cryostat/tests/pvc_test.yaml b/charts/cryostat/tests/pvc_test.yaml index 44e19cf7..6484d50b 100644 --- a/charts/cryostat/tests/pvc_test.yaml +++ b/charts/cryostat/tests/pvc_test.yaml @@ -32,7 +32,7 @@ tests: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev - equal: path: spec.accessModes value: 
diff --git a/charts/cryostat/tests/role_test.yaml b/charts/cryostat/tests/role_test.yaml index b8db0feb..75723b13 100644 --- a/charts/cryostat/tests/role_test.yaml +++ b/charts/cryostat/tests/role_test.yaml @@ -39,7 +39,7 @@ tests: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev documentIndex: 0 - equal: path: metadata.labels @@ -48,7 +48,7 @@ tests: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev documentIndex: 1 - it: should have correct permissions for endpoints, pods, and other resources diff --git a/charts/cryostat/tests/route_test.yaml b/charts/cryostat/tests/route_test.yaml index 3c020281..b29cabb7 100644 --- a/charts/cryostat/tests/route_test.yaml +++ b/charts/cryostat/tests/route_test.yaml @@ -34,7 +34,7 @@ tests: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat app.kubernetes.io/version: "4.0.0-dev" - helm.sh/chart: cryostat-0.5.0-dev + helm.sh/chart: cryostat-2.0.0-dev - equal: path: metadata.annotations.hello value: "world" diff --git a/charts/cryostat/tests/service_test.yaml b/charts/cryostat/tests/service_test.yaml index 55154c7a..5fa3dd0e 100644 --- a/charts/cryostat/tests/service_test.yaml +++ b/charts/cryostat/tests/service_test.yaml 
@@ -41,6 +41,64 @@ tests: app.kubernetes.io/version: "4.0.0-dev" helm.sh/chart: cryostat-2.0.0-dev + - it: should create a Service with the correct settings when OpenShift authentication is enabled + set: + authentication.openshift.enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat + - equal: + path: spec.type + value: ClusterIP + - equal: + path: spec.ports[0].port + value: 8181 + - equal: + path: spec.ports[0].targetPort + value: 4180 + - equal: + path: spec.ports[0].protocol + value: TCP + - equal: + path: spec.ports[0].name + value: cryostat-http + - equal: + path: spec.ports[1].port + value: 443 + - equal: + path: spec.ports[1].targetPort + value: 8443 + - equal: + path: spec.ports[1].protocol + value: TCP + - equal: + path: spec.ports[1].name + value: cryostat-https + - equal: + path: spec.selector + value: + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + - equal: + path: metadata.annotations + value: + service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls + + - it: should include OpenShift specific annotations when OpenShift auth is enabled set: authentication.openshift.enabled: true
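Review bot: The new case in service_test.yaml asserts `spec.ports[0]` and `spec.ports[1]` field by field but never bounds the list, so a Service that also exposed a third port would still pass. With `authentication.openshift.enabled: true`, the target ports checked here (4180 and 8443) are presumably the auth proxy's, and a regression that exposed the application port directly would bypass it. A `lengthEqual` assertion with `path: spec.ports` and `count: 2` would close that gap. The hunk also adds two blank lines before the following case, where the rest of the visible tests are separated by one.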