kubewarden · fabriziosestito · Sep 18, 2024 · Sep 12, 2024 · Sep 18, 2024
@@ -11,6 +11,20 @@ on:
       - "*"
 
 jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      # Adapted from https://github.com/d3adb5/helm-unittest-action/
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+      - name: Install helm-unittest
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+      - name: Set chart directories to test as environment variable
+        run: |
+          echo "CHARTS_TO_TEST=$(find . -type f -name 'Chart.yaml' -exec dirname {} \; | tr '\n' ' ')" >> $GITHUB_ENV
+      - name: Run unit tests
+        run: helm unittest --color ${{ env.CHARTS_TO_TEST }}
   verify:
     runs-on: ubuntu-latest
     steps:

@@ -0,0 +1,72 @@
+suite: existing certificates are not overwritten
+templates:
+  - webhooks.yaml
+release:
+  namespace: "kubewarden"
+kubernetesProvider:
+  # Simulate the presence of the kubewarden-ca and kubewarden-webhook-server-cert secrets
+  scheme:
+    "v1/Secret":
+      gvr:
+        version: "v1"
+        resource: "secrets"
+      namespaced: true
+  objects:
+    - kind: Secret
+      apiVersion: v1
+      metadata:
+        name: kubewarden-ca
+        namespace: kubewarden
+      data:
+        ca.crt: "Y2EuY3J0" # "ca.crt" in base64
+        ca.key: "Y2Eua2V5" # "ca.key" in base64
+        old-ca.crt: "b2xkLWNhLmNydA==" # the string "old-ca.crt" in base64
+    - kind: Secret
+      apiVersion: v1
+      metadata:
+        name: kubewarden-webhook-server-cert
+        namespace: kubewarden
+      data:
+        tls.crt: "dGxzLmNydA==" # "tls.crt" in base64
+        tls.key: "dGxzLmtleQ==" # "tls.key" in base64
+tests:
+  - it: "should reuse the existing CA certificate"
+    documentSelector:
+      path: metadata.name
+      value: kubewarden-ca
+    asserts:
+      - equal:
+          path: data["ca.crt"]
+          value: "ca.crt"
+          decodeBase64: true
+      - equal:
+          path: data["ca.key"]
+          value: "ca.key"
+          decodeBase64: true
+      - equal:
+          path: data["old-ca.crt"]
+          value: "old-ca.crt"
+          decodeBase64: true
+  - it: "should reuse the existing leaf certificate"
+    documentSelector:
+      path: metadata.name
+      value: kubewarden-webhook-server-cert
+    asserts:
+      - equal:
+          path: data["tls.crt"]
+          value: "tls.crt"
+          decodeBase64: true
+      - equal:
+          path: data["tls.key"]
+          value: "tls.key"
+          decodeBase64: true
+  - it: "should inject the caBundle (ca + old ca) into the webhook configurations"
+    documentSelector:
+      path: apiVersion
+      value: admissionregistration.k8s.io/v1
+      matchMany: true
+    asserts:
+      - equal:
+          path: webhooks[*].clientConfig.caBundle
+          value: "ca.crtold-ca.crt"
+          decodeBase64: true
@@ -0,0 +1,32 @@
+suite: certificates generation
+templates:
+  - webhooks.yaml
+tests:
+  - it: "should generate a CA certificate and store it in the kubewarden-ca secret"
+    documentSelector:
+      path: metadata.name
+      value: kubewarden-ca
+    asserts:
+      - isNotNullOrEmpty:
+          path: data["ca.crt"]
+      - isNotNullOrEmpty:
+          path: data["ca.key"]
+      - isNullOrEmpty:
+          path: data["old-ca.crt"]
+  - it: "should generate a leaf certificate and store it in the kubewarden-webhook-server-cert secret"
+    documentSelector:
+      path: metadata.name
+      value: kubewarden-webhook-server-cert
+    asserts:
+      - isNotNullOrEmpty:
+          path: data["tls.crt"]
+      - isNotNullOrEmpty:
+          path: data["tls.key"]
+  - it: "should inject the caBundle into the webhook configurations"
+    documentSelector:
+      path: apiVersion
+      value: admissionregistration.k8s.io/v1
+      matchMany: true
+    asserts:
+      - isNotNullOrEmpty:
+          path: webhooks[*].clientConfig.caBundle