Add smoke tests #5
Yay, the tests seem to be finally running! They fail... but at least I got them running! Issues:
The solutions I thought about so far:
I tried implementing solution (1) i.e., using a fixed namespace and release name with
Ooook I think I'll just skip the google-cas-issuer testing for now since (2) and (3) are equally painful and I think it is better to have at least cert-manager tested alone than not having any smoke tests at all
a7fe4c2 to
c4252aa
Compare
After a discussion with James W, I decided to just drop the smoke test for We will do the google-cas-issuer tests later 😅 tbd: create an issue that reminds us to do those google-cas-issuer smoke tests
f371301 to
68b99e0
Compare
68b99e0 to
a0d038a
Compare
I read through the changes and it all looks really cool, but I guess you've still got to remove the google-cas-issuer smoke test changes, in light of your comment above.
I'll hold off testing it until you're ready.
Btw, do you know how we could be running that in GitHub Actions? Not sure which jsonkey we should be storing in a GitHub Actions secret: would it be a service account on the jetstack-public project?
Add smoke tests Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
helm does not like dashes in yaml keys
With:
{{ .Values.google-cas-issuer.serviceAccount.name }}
I would get the error:
Error: parse error at googlecasissuer.yaml:40: bad character U+002D '-'
The trick is to use the "index" function from the Go templates language:
{{ index .Values "google-cas-issuer" "serviceAccount" "name" }}
See: helm/helm#2192 (comment)
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Richard Wall <richard.wall@jetstack.io>
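The parse error and the `index` workaround from the commit message above can be reproduced with Go's `text/template` alone. This is an added example, not code from the pull request; the `Render` helper and the sample value `cas-issuer-sa` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// values is a constructed stand-in for Helm's .Values tree; the
// service account name "cas-issuer-sa" is a made-up sample value.
var values = map[string]interface{}{
	"Values": map[string]interface{}{
		"google-cas-issuer": map[string]interface{}{
			"serviceAccount": map[string]interface{}{"name": "cas-issuer-sa"},
		},
	},
}

// Render parses src as a Go template and executes it against values.
// Lexer failures such as the dash error surface from Parse, before
// any value is looked up.
func Render(src string) (string, error) {
	tmpl, err := template.New("googlecasissuer.yaml").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Dotted field access: the lexer rejects '-' inside a field chain.
	_, err := Render(`{{ .Values.google-cas-issuer.serviceAccount.name }}`)
	fmt.Println("dotted:", err)

	// index walks the nested maps with string keys, so dashes are fine.
	out, err := Render(`{{ index .Values "google-cas-issuer" "serviceAccount" "name" }}`)
	fmt.Println("index: ", out, err)
}
```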
tar xf the data-test/chart too Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
a0d038a to
ef9fbf0
Compare
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
17bd9c3 to
6be10ae
Compare
This is a Google Marketplace requirement, c.f. schema.md:

> Note that the images share a common prefix gcr.io/project/company/app,
> which is set externally to the schema.yaml file, when you onboard your
> app for publishing. If your app contains a primary image, its repository
> must exactly match the common prefix of the images.

In our case, the "primary" image is cert-manager-controller and is tagged as:

    gcr.io/jetstack-public.jetstack-secure-for-cert-manager:1.0.0

For all the other images, it looks like:

    gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-webhook:1.0.0

Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
| ```sh | ||
| # The primary image "cert-manager-controller": | ||
| gcr.io/jetstack-public/jetstack-secure-for-cert-manager:1.0.0 |
In https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/schema.md#image-declaration-and-parameterization I noticed that it says:
x-google-marketplace:
images:
'': # Primary image has no name.
Perhaps we should do the same.
Done 👍
images:
  # The Marketplace requires us to use a "primary image". In our case,
  # this is cert-manager-controller. See "primary image" in
  # https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/d9d3a6/docs/schema.md
  "": # This is cert-manager-controller.
    properties:
      cert-manager.image.repository:
        type: REPO_WITH_REGISTRY
      cert-manager.image.tag:
        type: TAG
chart/jetstacksecure-mp/charts/preflight/templates/deployment.yaml
| - tag | ||
| - quay.io/jetstack/cert-manager-controller:v${_CERT_MANAGER_VERSION} | ||
| - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_APP_VERSION} | ||
| - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}:${_APP_VERSION} |
Ah, this explains the comment that I highlighted above, in schema.md
| pod=$(kubectl -n "$ns" get pods -oname | grep "apptest-.*-deployer" | cut -d/ -f2) | ||
| kubectl wait -n "$ns" --for=condition=ready pod $pod | ||
| kubectl logs -n "$ns" $pod -f --tail=-1 |
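Review bot: `$pod` is unquoted in the `kubectl wait` and `kubectl logs` lines, and the `grep "apptest-.*-deployer"` pipeline on the first line can return no name or several names, in which case both commands receive an empty or multi-word argument. Check that exactly one pod name came back before waiting on it, and quote the expansion as `"$pod"`, so that a missing deployer pod fails the script with a clear message instead of a confusing kubectl error.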
You could do kubectl logs deploy/my-deployment, assuming that the code above is to get the name of a Deployment controlled Pod.
A suggestion only. Leave it as is if you prefer to get this merged.
🤯 I wasn't aware that we could request logs for a given deployment!! Thank you for the tip!!
Unfortunately the deployer is running as a job... but I could also very well use
kubectl logs job/apptest-1aef45-deployer-job
smoke-test.yaml
| bashTest: | ||
| script: | | ||
| kubectl apply --namespace ${NAMESPACE} -f - <<EOF | ||
| apiVersion: cert-manager.io/v1alpha2 |
Maybe use cert-manager v1 API here.
smoke-test.yaml
| -o=jsonpath='{.status.conditions[0].status}' \ | ||
| | grep -qz True); | ||
| do sleep 2; | ||
| done' |
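Review bot: the jsonpath `{.status.conditions[0].status}` on the first line reads whichever condition happens to be first without checking its `type`, so the loop can end on a condition other than Ready, or never end if Ready is not at index 0. If the polling loop stays, select the condition by type, for example `{.status.conditions[?(@.type=="Ready")].status}`, so the test asserts on readiness specifically.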
Maybe use kubectl wait --for condition=Ready certificate selfsigned-cert
I might have copy-pasted this test case from click-to-deploy... looks like they forgot about kubectl wait 😅
smoke-test.yaml
| # the two together using the "workload identity" feature. | ||
| # | ||
| # Right now, the above GoogleCASIssuer does nothing, and the certificate | ||
| # will never be created. |
👍
This is due to a Docker limitation. Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <richard.wall@jetstack.io>
/unhold
Just one tiny nit, but please unhold if you think it works as-is
/lgtm
/hold
/unassign
/assign @maelvls
smoke-test.yaml
| | grep -qz True); | ||
| do sleep 2; | ||
| done' | ||
| kubectl wait -n ${NAMESPACE} --for=condition=ready certificate selfsigned-cert |
I thought the condition name was case-sensitive, but I might be wrong.
See https://manpages.debian.org/testing/kubernetes-client/kubectl-wait.1.en.html#EXAMPLE
| kubectl wait -n ${NAMESPACE} --for=condition=ready certificate selfsigned-cert | |
| kubectl wait -n ${NAMESPACE} --for=condition=Ready certificate selfsigned-cert |
I think you are right 😅
The lower-case version also seems to work though; digging into the kubectl codebase, it seems like the comparison between the condition types (e.g. Ready) is done in here using string.EqualFold:
EqualFold reports whether s and t, interpreted as UTF-8 strings, are equal under Unicode case-folding, which is a more general form of case-insensitivity.
Signed-off-by: Maël Valais <mael@vls.dev> Co-authored-by: Richard Wall <wallrj@users.noreply.github.com>
/unhold
/lgtm

The smoke tests can be seen in ./test-suite.yaml.
TODO:
location and projectId hardcoded
Make the google-cas-issuer test work → will do that in next milestone
Find a workaround for the issue with the Kubernetes → Google serviceaccount binding → will do that in next milestone
Find a workaround for the issue with the Google → Kubernetes serviceaccount binding → will do that in next milestone