diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a98983ef..57980a30 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,6 +11,20 @@ on:
 - "*"
 jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ # Adapted from https://github.com/d3adb5/helm-unittest-action/
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Install Helm
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+ - name: Install helm-unittest
+ run: helm plugin install https://github.com/helm-unittest/helm-unittest
+ - name: Set chart directories to test as environment variable
+ run: |
+ echo "CHARTS_TO_TEST=$(find . -type f -name 'Chart.yaml' -exec dirname {} \; | tr '\n' ' ')" >> $GITHUB_ENV
+ - name: Run unit tests
+ run: helm unittest --color ${{ env.CHARTS_TO_TEST }}
 verify:
 runs-on: ubuntu-latest
 steps:
diff --git a/charts/kubewarden-controller/tests/webhooks_existing_certifcates_test.yaml b/charts/kubewarden-controller/tests/webhooks_existing_certifcates_test.yaml
new file mode 100644
index 00000000..9a25899b
--- /dev/null
+++ b/charts/kubewarden-controller/tests/webhooks_existing_certifcates_test.yaml
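Review bot: In the new `test` job of `.github/workflows/ci.yaml`, the last step pastes `${{ env.CHARTS_TO_TEST }}` into the script text before the shell parses it, and that value is built from directory names that `find` collects in the checked-out tree. If this workflow also runs for pull requests (the trigger block is outside the hunk), a directory name from a contributed branch becomes part of the command line; reading the variable in the shell avoids that: `run: helm unittest --color $CHARTS_TO_TEST`. The plugin step is also the only unpinned dependency in a job whose actions are pinned by commit SHA; `helm plugin install https://github.com/helm-unittest/helm-unittest --version <PINNED_TAG>` (placeholder for the release you have reviewed) keeps the plugin's install hook from changing between runs. Quoting `"$GITHUB_ENV"` in the echo line is a small hardening on top.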
@@ -0,0 +1,72 @@
+suite: existing certificates are not overwritten
+templates:
+ - webhooks.yaml
+release:
+ namespace: "kubewarden"
+kubernetesProvider:
+ # Simulate the presence of the kubewarden-ca and kubewarden-webhook-server-cert secrets
+ scheme:
+ "v1/Secret":
+ gvr:
+ version: "v1"
+ resource: "secrets"
+ namespaced: true
+ objects:
+ - kind: Secret
+ apiVersion: v1
+ metadata:
+ name: kubewarden-ca
+ namespace: kubewarden
+ data:
+ ca.crt: "Y2EuY3J0" # "ca.crt" in base64
+ ca.key: "Y2Eua2V5" # "ca.key" in base64
+ old-ca.crt: "b2xkLWNhLmNydA==" # the string "old-ca.crt" in base64
+ - kind: Secret
+ apiVersion: v1
+ metadata:
+ name: kubewarden-webhook-server-cert
+ namespace: kubewarden
+ data:
+ tls.crt: "dGxzLmNydA==" # "tls.crt" in base64
+ tls.key: "dGxzLmtleQ==" # "tls.key" in base64
+tests:
+ - it: "should reuse the existing CA certificate"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-ca
+ asserts:
+ - equal:
+ path: data["ca.crt"]
+ value: "ca.crt"
+ decodeBase64: true
+ - equal:
+ path: data["ca.key"]
+ value: "ca.key"
+ decodeBase64: true
+ - equal:
+ path: data["old-ca.crt"]
+ value: "old-ca.crt"
+ decodeBase64: true
+ - it: "should reuse the existing leaf certificate"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-webhook-server-cert
+ asserts:
+ - equal:
+ path: data["tls.crt"]
+ value: "tls.crt"
+ decodeBase64: true
+ - equal:
+ path: data["tls.key"]
+ value: "tls.key"
+ decodeBase64: true
+ - it: "should inject the caBundle (ca + old ca) into the webhook configurations"
+ documentSelector:
+ path: apiVersion
+ value: admissionregistration.k8s.io/v1
+ matchMany: true
+ asserts:
+ - equal:
+ path: webhooks[*].clientConfig.caBundle
+ value: "ca.crtold-ca.crt"
+ decodeBase64: true
diff --git a/charts/kubewarden-controller/tests/webhooks_test.yaml b/charts/kubewarden-controller/tests/webhooks_test.yaml
new file mode 100644
index 00000000..42d96dad
--- /dev/null
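Review bot: The `kubernetesProvider` fixture in `webhooks_existing_certifcates_test.yaml` only simulates the state where both secrets exist with every key populated, so nothing pins what `webhooks.yaml` does in a partial state, such as `kubewarden-ca` present but `kubewarden-webhook-server-cert` absent, or a CA secret without `old-ca.crt`. The template is not part of this diff, so the intended behaviour there is not visible. A further suite whose fixture holds only the `kubewarden-ca` secret, asserting that `data["ca.key"]` is still the stored value, would catch a regression that silently rotates the CA. The file name also misspells the word: `webhooks_existing_certifcates_test.yaml` should read `webhooks_existing_certificates_test.yaml`.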
+++ b/charts/kubewarden-controller/tests/webhooks_test.yaml
@@ -0,0 +1,32 @@
+suite: certificates generation
+templates:
+ - webhooks.yaml
+tests:
+ - it: "should generate a CA certificate and store it in the kubewarden-ca secret"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-ca
+ asserts:
+ - isNotNullOrEmpty:
+ path: data["ca.crt"]
+ - isNotNullOrEmpty:
+ path: data["ca.key"]
+ - isNullOrEmpty:
+ path: data["old-ca.crt"]
+ - it: "should generate a leaf certificate and store it in the kubewarden-webhook-server-cert secret"
+ documentSelector:
+ path: metadata.name
+ value: kubewarden-webhook-server-cert
+ asserts:
+ - isNotNullOrEmpty:
+ path: data["tls.crt"]
+ - isNotNullOrEmpty:
+ path: data["tls.key"]
+ - it: "should inject the caBundle into the webhook configurations"
+ documentSelector:
+ path: apiVersion
+ value: admissionregistration.k8s.io/v1
+ matchMany: true
+ asserts:
+ - isNotNullOrEmpty:
+ path: webhooks[*].clientConfig.caBundle
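Review bot: Every positive assertion in `webhooks_test.yaml` is `isNotNullOrEmpty`, so a template regression that writes any non-empty string into `ca.crt`, `tls.crt` or `caBundle` still passes. The generated values are random, but their shape is not: if the template stores PEM (not visible in this diff), `matchRegex` with `decodeBase64: true` and `pattern: "^-----BEGIN CERTIFICATE-----"` on `data["ca.crt"]` and `data["tls.crt"]` would pin that. Nothing in this suite ties the `caBundle` in the webhook configurations to the `ca.crt` stored in `kubewarden-ca`; the existing-certificates suite checks that relation only for the reuse path.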