From 4871288771636be06b43f03c094bf25513f7dd8d Mon Sep 17 00:00:00 2001 From: Yi Chen Date: Mon, 14 Apr 2025 14:49:33 +0800 Subject: [PATCH 1/2] Add helm unit tests to chart flink-kubernetes-operator Signed-off-by: Yi Chen --- .../tests/cert-manager/certificate_test.yaml | 42 +++ .../tests/cert-manager/issuer_test.yaml | 34 ++ .../tests/controller/configmap_test.yaml | 38 +++ .../tests/controller/deployment_test.yaml | 305 ++++++++++++++++++ .../tests/flink/role_binding_test.yaml | 69 ++++ .../tests/flink/role_test.yaml | 69 ++++ .../tests/rbac/cluster_role_binding_test.yaml | 59 ++++ .../tests/rbac/cluster_role_test.yaml | 47 +++ .../tests/rbac/role_binding_test.yaml | 69 ++++ .../tests/rbac/role_test.yaml | 88 +++++ .../mutating_webhook_configuration_test.yaml | 68 ++++ .../tests/webhook/secret_test.yaml | 48 +++ .../tests/webhook/service_test.yaml | 68 ++++ ...alidating_webhook_configuratioin_test.yaml | 68 ++++ 14 files changed, 1072 insertions(+) create mode 100644 helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/cert-manager/issuer_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/flink/role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/rbac/role_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/service_test.yaml create mode 100644 helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml diff --git a/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml b/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml new file mode 100644 index 0000000000..2882579484 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/cert-manager/certificate_test.yaml @@ -0,0 +1,42 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Cert Manager Certificate + +templates: +- cert-manager/certificate.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create certificate + asserts: + - containsDocument: + apiVersion: cert-manager.io/v1 + kind: Certificate + name: flink-operator-serving-cert + +- it: Should use self signed issuer + asserts: + - equal: + path: spec.issuerRef + value: + kind: Issuer + name: flink-operator-selfsigned-issuer diff --git a/helm/flink-kubernetes-operator/tests/cert-manager/issuer_test.yaml b/helm/flink-kubernetes-operator/tests/cert-manager/issuer_test.yaml new file mode 100644 index 0000000000..73a582cdec --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/cert-manager/issuer_test.yaml @@ -0,0 +1,34 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Cert Manager Issuer + +templates: +- cert-manager/issuer.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create self signed Issuer + asserts: + - containsDocument: + apiVersion: cert-manager.io/v1 + kind: Issuer + name: flink-operator-selfsigned-issuer diff --git a/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml b/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml new file mode 100644 index 0000000000..b9dc12777a --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/controller/configmap_test.yaml @@ -0,0 +1,38 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test ConfigMap + +templates: + - controller/configmap.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: + - it: Should create a configmap with default configuration if `defaultConfiguration.create` is `true` + set: + defaultConfiguration: + create: true + asserts: + - containsDocument: + apiVersion: v1 + kind: ConfigMap + name: flink-operator-config + namespace: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml b/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml new file mode 100644 index 0000000000..8769721e93 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/controller/deployment_test.yaml @@ -0,0 +1,305 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Deployment + +templates: +- controller/deployment.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create a deployment + asserts: + - containsDocument: + apiVersion: apps/v1 + kind: Deployment + name: flink-kubernetes-operator + namespace: flink-operator + +- it: Should use the specified image if `image.repository` and `image.tag` are set + set: + image: + repository: test-repository/flink-kubernetes-operator + tag: test-tag + asserts: + - equal: + path: spec.template.spec.containers[*].image + value: test-repository/flink-kubernetes-operator:test-tag + +- it: Should use the specified image pull policy if `image.pullPolicy` is set + set: + image: + pullPolicy: Always + asserts: + - equal: + path: spec.template.spec.containers[*].imagePullPolicy + value: Always + +- it: Should use the specified image pull secrets if `imagePullsecrets` is set + set: + imagePullSecrets: + - name: test-secret1 + - name: test-secret2 + asserts: + - contains: + path: spec.template.spec.imagePullSecrets + content: + name: test-secret1 + - contains: + path: spec.template.spec.imagePullSecrets + content: + name: test-secret2 + +- it: Should use the specified replicas if `replicas` is set + set: + replicas: 0 + asserts: + - equal: + path: spec.replicas + value: 0 + +- it: Should use the specified strategy if `strategy` is set + set: + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + asserts: + - equal: + path: spec.strategy + value: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + +- it: Should use the specified strategy if `strategy` is set + set: + strategy: + type: Recreate + asserts: + - equal: + path: spec.strategy + value: + type: Recreate + +- it: Should add deployment labels if `operatorPod.labels` is set + set: + operatorPod: + labels: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: metadata.labels.KEY1 + value: VALUE1 + - equal: + path: metadata.labels.KEY2 + value: VALUE2 + +- it: Should add pod template labels if `operatorPod.labels` is set + set: + operatorPod: + labels: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: spec.template.metadata.labels.KEY1 + value: VALUE1 + - equal: + path: spec.template.metadata.labels.KEY2 + value: VALUE2 + +- it: Should add pod template annotations if `operatorPod.annotations` is set + set: + operatorPod: + annotations: + KEY1: VALUE1 + KEY2: VALUE2 + asserts: + - equal: + path: spec.template.metadata.annotations.KEY1 + value: VALUE1 + - equal: + path: spec.template.metadata.annotations.KEY2 + value: VALUE2 + +- it: Should use the specified DNS policy if `operatorPod.dnsPolicy` is set + set: + operatorPod: + dnsPolicy: ClusterFirstWithHostNet + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + +- it: Should use the specified DNS config if `operatorPod.dnsConfig` is set + set: + operatorPod: + dnsConfig: + nameservers: + - 1.1.1.1 + - 8.8.8.8 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 + asserts: + - equal: + path: spec.template.spec.dnsConfig + value: + nameservers: + - 1.1.1.1 + - 8.8.8.8 + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 + +- it: Should add nodeSelector if `operatorPod.nodeSelector` is set + set: + operatorPod: + nodeSelector: + key1: value1 + key2: value2 + asserts: + - equal: + path: spec.template.spec.nodeSelector.key1 + value: value1 + - equal: + path: spec.template.spec.nodeSelector.key2 + value: value2 + +- it: Should add affinity if `operatorPod.affinity` is set + set: + operatorPod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - antarctica-east1 + - antarctica-west1 + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: another-node-label-key + operator: In + values: + - another-node-label-value + asserts: + - equal: + path: spec.template.spec.affinity + value: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - antarctica-east1 + - antarctica-west1 + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: another-node-label-key + operator: In + values: + - another-node-label-value + +- it: Should add tolerations if `operatorPod.tolerations` is set + set: + operatorPod: + tolerations: + - key: key1 + operator: Equal + value: value1 + effect: NoSchedule + - key: key2 + operator: Exists + effect: NoSchedule + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: key1 + operator: Equal + value: value1 + effect: NoSchedule + - key: key2 + operator: Exists + effect: NoSchedule + +- it: Should use the specified priority class name if `operatorPod.priorityClassName` is set + set: + operatorPod: + priorityClassName: test-priority + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: test-priority + +- it: Should use the specified topology spread constraints if `operatorPod.topologySpreadConstraints` is set + set: + operatorPod: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + asserts: + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + - contains: + path: spec.template.spec.topologySpreadConstraints + content: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + +- it: Should use the specified service account name if `operatorServiceAccount.name` is set + set: + operatorServiceAccount: + name: test-service-account + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: test-service-account diff --git a/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml new file mode 100644 index 0000000000..311ec450c2 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/flink/role_binding_test.yaml @@ -0,0 +1,69 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Flink Job RoleBinding + +templates: +- flink/role_binding.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-role-binding + namespace: ns1 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-role-binding + namespace: ns2 diff --git a/helm/flink-kubernetes-operator/tests/flink/role_test.yaml b/helm/flink-kubernetes-operator/tests/flink/role_test.yaml new file mode 100644 index 0000000000..b07c5e6edb --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/flink/role_test.yaml @@ -0,0 +1,69 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Flink Job Role + +templates: +- flink/role.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create role in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink + namespace: ns1 + +- it: Should create role in each of the namespaces which should be watched + set: + rbac: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink + namespace: ns2 diff --git a/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml new file mode 100644 index 0000000000..ef9bfe50f8 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_binding_test.yaml @@ -0,0 +1,59 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Operator ClusterRoleBinding + +templates: +- rbac/cluster_role_binding.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create ClusterRoleBinding if `rbac.operatorRoleBinding.create` is `false` + set: + rbac: + operatorRoleBinding: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create ClusterRoleBinding if `rbac.operatorRoleBinding.create` is `true` + set: + rbac: + operatorRoleBinding: + create: true + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + name: flink-operator-role-binding + - equal: + path: roleRef + value: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flink-operator + - contains: + path: subjects + content: + kind: ServiceAccount + name: flink-operator + namespace: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml new file mode 100644 index 0000000000..6ccf831161 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/rbac/cluster_role_test.yaml @@ -0,0 +1,47 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Operator ClusterRole + +templates: +- rbac/cluster_role.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create ClusterRole if `rbac.operatorRole.create` is `false` + set: + rbac: + operatorRole: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create ClusterRole if `rbac.operatorRole.create` is `true` + set: + rbac: + operatorRole: + create: true + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + name: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml new file mode 100644 index 0000000000..c24aa775ce --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/rbac/role_binding_test.yaml @@ -0,0 +1,69 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Operator RoleBinding + +templates: +- rbac/role_binding.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + operatorRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-operator-role-binding + namespace: ns1 + +- it: Should create role binding in each of the namespaces which should be watched + set: + rbac: + create: true + operatorRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: flink-operator-role-binding + namespace: ns2 diff --git a/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml b/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml new file mode 100644 index 0000000000..70c21da78f --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/rbac/role_test.yaml @@ -0,0 +1,88 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Operator Role + +templates: +- rbac/role.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create any role if `rbac.create` is `false` + set: + rbac: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create operator role in each of the namespaces which should be watched + set: + rbac: + create: true + operatorRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 0 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink-operator + namespace: ns1 + +- it: Should create operator role in each of the namespaces which should be watched + set: + rbac: + create: true + operatorRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 1 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink-operator + namespace: ns2 + +- it: Should create operator role in the release namespace if not watched + set: + rbac: + create: true + operatorRole: + create: true + jobRole: + create: true + watchNamespaces: + - ns1 + - ns2 + documentIndex: 2 + asserts: + - containsDocument: + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + name: flink-operator + namespace: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml new file mode 100644 index 0000000000..628225c3f9 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/webhook/mutating_webhook_configuration_test.yaml @@ -0,0 +1,68 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test MutatingWebhookConfiguration + +templates: +- webhook/mutating_webhook_configuration.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create mutating webhook configuration if `webhook.mutator.create` is `false` + set: + webhook: + create: true + mutator: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create mutating webhook configuration if both `webhook.create` and `webhook.mutator.create` are `true` + set: + webhook: + create: true + mutator: + create: true + asserts: + - containsDocument: + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + name: flink-operator-flink-operator-webhook-configuration + +- it: Should add namespace selector if `watchNamespaces` is set + set: + watchNamespaces: + - ns1 + - ns2 + webhook: + create: true + mutator: + create: true + asserts: + - contains: + path: webhooks[?(@.name=="mutationwebhook.flink.apache.org")].namespaceSelector.matchExpressions + content: + key: kubernetes.io/metadata.name + operator: In + values: + - ns1 + - ns2 diff --git a/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml new file mode 100644 index 0000000000..ab013be16a --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/webhook/secret_test.yaml @@ -0,0 +1,48 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Webhook Secret + +templates: +- webhook/secret.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create Secret if `webhook.keystore.useDefaultPassword` is `false` + set: + webhook: + keystore: + useDefaultPassword: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create Secret if `webhook.keystore.useDefaultPassword` is `true` + set: + webhook: + keystore: + useDefaultPassword: true + asserts: + - containsDocument: + apiVersion: v1 + kind: Secret + name: flink-operator-webhook-secret + namespace: flink-operator diff --git a/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml new file mode 100644 index 0000000000..5407beb296 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/webhook/service_test.yaml @@ -0,0 +1,68 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test Webhook Service + +templates: +- webhook/service.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should create webhook service if `webhook.validator.create` is `true` + set: + webhook: + validator: + create: true + asserts: + - containsDocument: + apiVersion: v1 + kind: Service + name: flink-operator-webhook-service + namespace: flink-operator + +- it: Should create webhook service if `webhook.create` is `true` + set: + webhook: + validator: + create: false + create: true + asserts: + - containsDocument: + apiVersion: v1 + kind: Service + name: flink-operator-webhook-service + namespace: flink-operator + +- it: Should add labels to webhook service if `webhook.serviceLabels` is set + set: + webhook: + create: true + serviceLabels: + key1: value1 + key2: value2 + asserts: + - equal: + path: metadata.labels.key1 + value: value1 + - equal: + path: metadata.labels.key2 + value: value2 + \ No newline at end of file diff --git a/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml b/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml new file mode 100644 index 0000000000..8b81e74e52 --- /dev/null +++ b/helm/flink-kubernetes-operator/tests/webhook/validating_webhook_configuratioin_test.yaml @@ -0,0 +1,68 @@ +################################################################################ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################################ + +suite: Test ValidatingWebhookConfiguration + +templates: +- webhook/validating_webhook_configuration.yaml + +release: + name: flink-operator + namespace: flink-operator + +tests: +- it: Should not create validating webhook configuration if `webhook.validator.create` is `false` + set: + webhook: + create: true + validator: + create: false + asserts: + - hasDocuments: + count: 0 + +- it: Should create validating webhook configuration if both `webhook.create` and `webhook.validator.create` are `true` + set: + webhook: + create: true + validator: + create: true + asserts: + - containsDocument: + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + name: flink-operator-flink-operator-webhook-configuration + +- it: Should add namespace selector if `watchNamespaces` is set + set: + watchNamespaces: + - ns1 + - ns2 + webhook: + create: true + validator: + create: true + asserts: + - contains: + path: webhooks[?(@.name=="validationwebhook.flink.apache.org")].namespaceSelector.matchExpressions + content: + key: kubernetes.io/metadata.name + operator: In + values: + - ns1 + - ns2 From 3f21e0eff2752ff3d0850f9d9700772431d53c53 Mon Sep 17 00:00:00 2001 From: Yi Chen Date: Mon, 28 Apr 2025 20:49:13 +0800 Subject: [PATCH 2/2] Add GitHub action workflow for Helm chart lint and test Signed-off-by: Yi Chen --- .github/workflows/ci.yml | 67 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 63 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9285f96ff3..189ad6b012 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,22 +16,84 @@ # limitations under the License. ################################################################################ - # We need to specify repo related information here since Apache INFRA doesn't differentiate # between several workflows with the same names while preparing a report for GHA usage # https://infra-reports.apache.org/#ghactions name: Flink Kubernetes Operator CI + on: push: branches: - main - release-* pull_request: + concurrency: group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true +env: + HELM_CHART_DIR: helm + FLINK_OPERATOR_CHART: flink-kubernetes-operator + jobs: + helm_lint_test: + runs-on: ubuntu-latest + + name: Helm Lint Test + + steps: + - name: Determine branch name + id: get_branch + run: | + BRANCH="" + if [ "${{ github.event_name }}" == "push" ]; then + BRANCH=${{ github.ref_name }} + elif [ "${{ github.event_name }}" == "pull_request" ]; then + BRANCH=${{ github.base_ref }} + fi + echo "BRANCH=$BRANCH" >> "$GITHUB_OUTPUT" + + - name: Checkout source code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@v4.3.0 + with: + version: v3.17.3 + + - name: Install Helm unittest plugin + run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.8.1 + + - name: Run Helm unittest + run: helm unittest ${{ env.HELM_CHART_DIR }}/${{ env.FLINK_OPERATOR_CHART }} --file "tests/**/*_test.yaml" --strict --debug + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.7.0 + + - name: Run chart-testing (list-changed) + id: list-changed + env: + BRANCH: ${{ steps.get_branch.outputs.BRANCH }} + run: | + changed=$(ct list-changed --target-branch $BRANCH --chart-dirs ${{ env.HELM_CHART_DIR }}) + if [[ -n "$changed" ]]; then + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Run Helm lint + if: steps.list-changed.outputs.changed == 'true' + run: | + helm lint ${{ env.HELM_CHART_DIR }}/${{ env.FLINK_OPERATOR_CHART }} --strict --debug + + - name: Run chart-testing (lint) + if: steps.list-changed.outputs.changed == 'true' + env: + BRANCH: ${{ steps.get_branch.outputs.BRANCH }} + run: ct lint --target-branch $BRANCH --chart-dirs ${{ env.HELM_CHART_DIR }} --check-version-increment=false --validate-maintainers=false + test_ci: runs-on: ubuntu-latest name: maven build @@ -53,9 +115,6 @@ jobs: echo "Please generate the java doc via 'mvn clean install -DskipTests -Pgenerate-docs' again" exit 1 fi - - name: Validate helm chart linting - run: | - helm lint helm/flink-kubernetes-operator - name: Tests in flink-kubernetes-operator run: | cd flink-kubernetes-operator