feat: add helm unit tests (#2113)

* feat: add helm unit tests

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* docs: add install instructions for helm-unittest

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

.github/workflows/helm.yml

@@ -43,9 +43,25 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo "::set-output name=changed::true"
           fi
+      - name: Install chart unittest
+        run: |
+          helm env
+          helm plugin install https://github.com/helm-unittest/helm-unittest
       - name: Run chart-testing (lint)
         run: ct lint --config=.github/ci/ct.yaml
 
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.2.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config=.github/ci/ct.yaml --charts deploy/charts/external-secrets
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run unitests
+        if: steps.list-changed.outputs.changed == 'true'
+        run: make helm.test
+
   release:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -185,6 +185,18 @@ helm.generate:
 	./hack/helm.generate.sh $(BUNDLE_DIR) $(HELM_DIR)
 	@$(OK) Finished generating helm chart files
 
+helm.test: helm.generate
+	@helm unittest --file tests/*.yaml --file 'tests/**/*.yaml' deploy/charts/external-secrets/
+
+helm.update.appversion:
+	@chartversion=$$(yq .version ./deploy/charts/external-secrets/Chart.yaml) ; \
+	chartappversion=$$(yq .appVersion ./deploy/charts/external-secrets/Chart.yaml) ; \
+	chartname=$$(yq .name ./deploy/charts/external-secrets/Chart.yaml) ; \
+	$(INFO) Update chartname and chartversion string in test snapshots.; \
+	sed -s -i "s/^\([[:space:]]\+helm\.sh\/chart:\).*/\1 $${chartname}-$${chartversion}/" ./deploy/charts/external-secrets/tests/__snapshot__/*.yaml.snap ; \
+	sed -s -i "s/^\([[:space:]]\+app\.kubernetes\.io\/version:\).*/\1 $${chartappversion}/" ./deploy/charts/external-secrets/tests/__snapshot__/*.yaml.snap ; \
+	$(OK) "Version strings updated"
+
 # ====================================================================================
 # Documentation
 .PHONY: docs

deploy/charts/external-secrets/README.md

@@ -77,6 +77,8 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.tolerations | list | `[]` |  |
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
+| crds.annotations | object | `{}` |  |
+| crds.conversion.enabled | bool | `true` |  |
 | crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
 | crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
 | crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |

deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -0,0 +1,38 @@
+should match snapshot of default values:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: external-secrets
+        app.kubernetes.io/version: v0.7.2
+        helm.sh/chart: external-secrets-0.7.2
+      name: RELEASE-NAME-external-secrets
+      namespace: NAMESPACE
+    spec:
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: external-secrets
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: external-secrets
+        spec:
+          automountServiceAccountToken: true
+          containers:
+            - args:
+                - --concurrent=1
+              image: ghcr.io/external-secrets/external-secrets:v0.7.2
+              imagePullPolicy: IfNotPresent
+              name: external-secrets
+              ports:
+                - containerPort: 8080
+                  name: metrics
+                  protocol: TCP
+          serviceAccountName: RELEASE-NAME-external-secrets

deploy/charts/external-secrets/tests/controller_test.yaml

@@ -0,0 +1,34 @@
+suite: test controller deployment
+templates:
+  - deployment.yaml
+tests:
+  - it: should match snapshot of default values
+    asserts:
+      - matchSnapshot: {}
+  - it: should set imagePullPolicy to Always
+    set:
+      image.pullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+  - it: should imagePullPolicy to be default value IfNotPresent
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+  - it: should override securityContext
+    set:
+      podSecurityContext:
+        runAsUser: 2000
+      securityContext:
+        runAsUser: 3000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 2000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsUser: 3000

deploy/charts/external-secrets/tests/crds_test.yaml

@@ -0,0 +1,27 @@
+suite: test crds
+templates:
+  - crds/secretstore.yaml
+tests:
+  - it: should match snapshot of default values
+    asserts:
+      - matchSnapshot: {}
+  - it: should disable conversion webhook
+    set:
+      crds.conversion.enabled: false
+    asserts:
+      - isNull:
+          path: spec.conversion
+
+  - it: should add annotations
+    set:
+      crds:
+        annotations:
+          foo: bar
+          baz: bang
+    asserts:
+      - equal:
+          path: metadata.annotations.foo
+          value: bar
+      - equal:
+          path: metadata.annotations.baz
+          value: bang

deploy/charts/external-secrets/values.yaml

@@ -22,6 +22,9 @@ crds:
   createClusterSecretStore: true
   # -- If true, create CRDs for Push Secret.
   createPushSecret: true
+  annotations: {}
+  conversion:
+    enabled: true
 
 imagePullSecrets: []
 nameOverride: ""

docs/contributing/devguide.md

@@ -32,6 +32,12 @@ source <(setup-envtest use 1.20.2 -p env --os $(go env GOOS) --arch $(go env GOA
 
 for more information, please see [setup-envtest docs](https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest)
 
+Our helm chart is tested using `helm-unittest`. You will need it to run tests locally if you modify the helm chart. Install it with the following command:
+
+```
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+```
+
 ## Building & Testing
 
 The project uses the `make` build system. It'll run code generators, tests and

docs/contributing/release.md

@@ -12,7 +12,7 @@ The external-secrets project is released on a as-needed basis. Feel free to open
 
 ## Release Helm Chart
 
-1. Update `version` and/or `appVersion` in `Chart.yaml` and run `make helm.docs`
+1. Update `version` and/or `appVersion` in `Chart.yaml` and run `make helm.docs helm.update.appversion`
 1. push to branch and open pr
 1. run `/ok-to-test-managed` commands for all cloud providers
 1. merge PR if everyhing is green

hack/helm.generate.sh

@@ -31,5 +31,9 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   rm "$i.bkp"
   $SEDPRG -i 's/name: kubernetes/name: {{ include "external-secrets.fullname" . }}-webhook/g' "$i"
   $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
+  $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}' "$i"
+
+  sed -i '/  conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
+  echo "{{- end }}" >> "$i"
   mv "$i" "${i%.yml}.yaml"
 done