test(scorecard): scorecard tests for recording management (backport #698)

.github/workflows/test-ci-reusable.yml

@@ -118,11 +118,29 @@ jobs:
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Set up Kind cluster
+      uses: helm/[email protected]
+      with:
+        config: .github/kind-config.yaml
+        cluster_name: ci-${{ github.run_id }}
+        wait: 1m
+        ignore_failed_clean: true
+    - name: Set up Ingress Controller
       run: |
-        kind create cluster --config=".github/kind-config.yaml" -n ci-${{ github.run_id }}
-        # Enabling Ingress
+        # Install nginx ingress controller
         kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-        kubectl rollout status -w deployment/ingress-nginx-controller -n ingress-nginx --timeout 5m
+        kubectl rollout status -w \
+          deployment/ingress-nginx-controller \
+          -n ingress-nginx --timeout 5m
+
+        # Lower the number of worker processes
+        kubectl patch cm/ingress-nginx-controller \
+          --type merge \
+          -p '{"data":{"worker-processes":"1"}}' \
+          -n ingress-nginx
+
+        # Modify /etc/hosts to resolve hostnames
+        ip_address=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ci-${{ github.run_id }}-control-plane)
+        echo "$ip_address testing.cryostat" | sudo tee -a /etc/hosts
     - name: Install Operator Lifecycle Manager
       run: curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.24.0/install.sh | bash -s v0.24.0
     - name: Install Cert Manager
@@ -140,8 +158,6 @@ jobs:
         SCORECARD_REGISTRY_PASSWORD="${{ secrets.GITHUB_TOKEN }}" \
         BUNDLE_IMG="${{ steps.push-bundle-to-ghcr.outputs.registry-path }}" \
         make test-scorecard
-    - name: Clean up Kind cluster
-      run: kind delete cluster -n ci-${{ github.run_id }}
     - name: Set latest commit status as ${{ job.status }}
       uses: myrotvorets/set-commit-status-action@master
       if: always()

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -54,7 +54,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:2.5.0-dev
-    createdAt: "2024-02-15T20:45:48Z"
+    createdAt: "2024-03-06T21:13:39Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -182,6 +182,12 @@ spec:
         path: jmxCredentialsDatabaseOptions.databaseSecretName
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
+      - description: The maximum number of WebSocket client connections allowed (minimum
+          1, default unlimited).
+        displayName: Max WebSocket Connections
+        path: maxWsConnections
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:number
       - description: Options to control how the operator exposes the application outside
           of the cluster, such as using an Ingress or Route.
         displayName: Network Options

bundle/manifests/operator.cryostat.io_cryostats.yaml

@@ -127,6 +127,12 @@ spec:
                       credentials database.
                     type: string
                 type: object
+              maxWsConnections:
+                description: The maximum number of WebSocket client connections allowed
+                  (minimum 1, default unlimited).
+                format: int32
+                minimum: 1
+                type: integer
               minimal:
                 description: Deploy a pared-down Cryostat instance with no Grafana
                   Dashboard or JFR Data Source.

bundle/tests/scorecard/config.yaml

@@ -66,10 +66,11 @@ stages:
     storage:
       spec:
         mountPath: {}
+- tests:
   - entrypoint:
     - cryostat-scorecard-tests
     - operator-install
-    image: quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20231011144522
+    image: quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416
     labels:
       suite: cryostat
       test: operator-install
@@ -79,13 +80,23 @@ stages:
   - entrypoint:
     - cryostat-scorecard-tests
     - cryostat-cr
-    image: quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20231011144522
+    image: quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416
     labels:
       suite: cryostat
       test: cryostat-cr
     storage:
       spec:
         mountPath: {}
+  - entrypoint:
+    - cryostat-scorecard-tests
+    - cryostat-recording
+    image: quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416
+    labels:
+      suite: cryostat
+      test: cryostat-recording
+    storage:
+      spec:
+        mountPath: {}
 storage:
   spec:
     mountPath: {}

config/crd/bases/operator.cryostat.io_cryostats.yaml

@@ -117,6 +117,12 @@ spec:
                       credentials database.
                     type: string
                 type: object
+              maxWsConnections:
+                description: The maximum number of WebSocket client connections allowed
+                  (minimum 1, default unlimited).
+                format: int32
+                minimum: 1
+                type: integer
               minimal:
                 description: Deploy a pared-down Cryostat instance with no Grafana
                   Dashboard or JFR Data Source.

config/manifests/bases/cryostat-operator.clusterserviceversion.yaml

@@ -536,6 +536,12 @@ spec:
         path: jmxCredentialsDatabaseOptions.databaseSecretName
         x-descriptors:
         - urn:alm:descriptor:io.kubernetes:Secret
+      - description: The maximum number of WebSocket client connections allowed (minimum
+          1, default unlimited).
+        displayName: Max WebSocket Connections
+        path: maxWsConnections
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:number
       - description: Options to control how the operator exposes the application outside
           of the cluster, such as using an Ingress or Route.
         displayName: Network Options

config/rbac/oauth_client.yaml

@@ -3,7 +3,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: oauth-client
 rules:
 - apiGroups:

config/scorecard/bases/config.yaml

@@ -3,5 +3,7 @@ kind: Configuration
 metadata:
   name: config
 stages:
-- parallel: true
+- parallel: true # Build-in Tests
+  tests: []
+- parallel: false # Cryostat Custom Tests
   tests: []

config/scorecard/patches/custom.config.yaml

@@ -3,22 +3,32 @@
   path: /serviceaccount
   value: cryostat-scorecard
 - op: add
-  path: /stages/0/tests/-
+  path: /stages/1/tests/-
   value:
     entrypoint:
     - cryostat-scorecard-tests
     - operator-install
-    image: "quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20231011144522"
+    image: "quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416"
     labels:
       suite: cryostat
       test: operator-install
 - op: add
-  path: /stages/0/tests/-
+  path: /stages/1/tests/-
   value:
     entrypoint:
     - cryostat-scorecard-tests
     - cryostat-cr
-    image: "quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20231011144522"
+    image: "quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416"
     labels:
       suite: cryostat
       test: cryostat-cr
+- op: add
+  path: /stages/1/tests/-
+  value:
+    entrypoint:
+    - cryostat-scorecard-tests
+    - cryostat-recording
+    image: "quay.io/cryostat/cryostat-operator-scorecard:2.5.0-20240305020416"
+    labels:
+      suite: cryostat
+      test: cryostat-recording

hack/custom.config.yaml.in

@@ -2,7 +2,7 @@
   path: /serviceaccount
   value: cryostat-scorecard
 - op: add
-  path: /stages/0/tests/-
+  path: /stages/1/tests/-
   value:
     entrypoint:
     - cryostat-scorecard-tests
@@ -12,7 +12,7 @@
       suite: cryostat
       test: operator-install
 - op: add
-  path: /stages/0/tests/-
+  path: /stages/1/tests/-
   value:
     entrypoint:
     - cryostat-scorecard-tests
@@ -21,3 +21,13 @@
     labels:
       suite: cryostat
       test: cryostat-cr
+- op: add
+  path: /stages/1/tests/-
+  value:
+    entrypoint:
+    - cryostat-scorecard-tests
+    - cryostat-recording
+    image: "${CUSTOM_SCORECARD_IMG}"
+    labels:
+      suite: cryostat
+      test: cryostat-recording

internal/images/custom-scorecard-tests/main.go

@@ -79,6 +79,7 @@ func printValidTests() []scapiv1alpha3.TestResult {
 	str := fmt.Sprintf("valid tests for this image include: %s", strings.Join([]string{
 		tests.OperatorInstallTestName,
 		tests.CryostatCRTestName,
+		tests.CryostatRecordingTestName,
 	}, ","))
 	result.Errors = append(result.Errors, str)
 
@@ -90,6 +91,7 @@ func validateTests(testNames []string) bool {
 		switch testName {
 		case tests.OperatorInstallTestName:
 		case tests.CryostatCRTestName:
+		case tests.CryostatRecordingTestName:
 		default:
 			return false
 		}
@@ -108,6 +110,8 @@ func runTests(testNames []string, bundle *apimanifests.Bundle, namespace string,
 			results = append(results, tests.OperatorInstallTest(bundle, namespace))
 		case tests.CryostatCRTestName:
 			results = append(results, tests.CryostatCRTest(bundle, namespace, openShiftCertManager))
+		case tests.CryostatRecordingTestName:
+			results = append(results, tests.CryostatRecordingTest(bundle, namespace, openShiftCertManager))
 		default:
 			log.Fatalf("unknown test found: %s", testName)
 		}

internal/images/custom-scorecard-tests/rbac/scorecard_role.yaml

@@ -53,6 +53,55 @@ rules:
   - cryostats/status
   verbs:
   - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+# Permissions for default OAuth configurations
+- apiGroups:
+  - operator.cryostat.io
+  resources:
+  - cryostats
+  verbs:
+  - create
+  - patch
+  - delete
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/exec
+  - services
+  verbs:
+  - create
+  - patch
+  - delete
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - replicationcontrollers
+  - endpoints
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole