From be2afb01fceeae3c669537bb5e8ac5b0633aa118 Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Mon, 1 Sep 2025 20:46:27 +0200 Subject: [PATCH 1/5] add unit test --- helm_chart/templates/operator-roles-webhook.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index 96f6b0e65..befa2f131 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -1,12 +1,13 @@ {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}} {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} -{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "mongodb-kubernetes-operator-mongodb-webhook") }} +{{- $webhookClusterRoleName := printf "%s-%s-webhook" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{.Values.operator.baseName}}-operator-mongodb-webhook + name: {{ $webhookClusterRoleName }} rules: - apiGroups: - "admissionregistration.k8s.io" @@ -38,7 +39,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{.Values.operator.baseName}}-operator-mongodb-webhook + name: {{ $webhookClusterRoleName }} subjects: - kind: ServiceAccount name: {{ .Values.operator.name }} From dcc2ec2a3e0ca8f5ced2078f2559fbddc48c9fb1 Mon Sep 17 00:00:00 2001 
From: Nam Nguyen Date: Mon, 1 Sep 2025 20:48:34 +0200 Subject: [PATCH 2/5] add unit test --- .evergreen-functions.yml | 10 ++++ .evergreen.yml | 6 +++ Makefile | 13 +++++- .../tests/webhook_clusterrole_test.yaml | 46 +++++++++++++++++++ 4 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 helm_chart/tests/webhook_clusterrole_test.yaml diff --git a/.evergreen-functions.yml b/.evergreen-functions.yml index 5c7636210..9e5178213 100644 --- a/.evergreen-functions.yml +++ b/.evergreen-functions.yml @@ -725,6 +725,16 @@ functions: make test-race - command: gotest.parse_files params: + + test_helm_unit: + - command: shell.exec + type: test + params: + shell: bash + working_dir: src/github.com/mongodb/mongodb-kubernetes + script: | + source .generated/context.export.env + make helm-tests files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_python_unit: diff --git a/.evergreen.yml b/.evergreen.yml index b1ab8a9bf..a5596eb2d 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -275,6 +275,11 @@ tasks: commands: - func: "test_python_unit" + - name: unit_tests_helm + tags: [ "unit_tests" ] + commands: + - func: "test_helm_unit" + - name: sbom_tests tags: [ "unit_tests" ] # The SBOM tests run only on commit builds. Running this on patches might cause false-positive failures @@ -665,6 +670,7 @@ task_groups: - lint_repo - unit_tests_golang - unit_tests_python + - unit_tests_helm - sbom_tests - name: gke_code_snippets_task_group diff --git a/Makefile b/Makefile index 3f93a611e..cecfd6c5a 100644 --- a/Makefile +++ b/Makefile 
@@ -300,8 +300,17 @@ test-race: generate fmt vet manifests golang-tests-race test: generate fmt vet manifests golang-tests -# all-tests will run golang and python tests without race (used locally) -all-tests: test python-tests +# helm-tests will run helm chart unit tests +helm-tests: ## Run helm chart unit tests + @echo "Running helm chart unit tests..." + @if ! helm plugin list | grep -q unittest; then \ + echo "Installing helm-unittest plugin..."; \ + helm plugin install https://github.com/helm-unittest/helm-unittest; \ + fi + helm unittest helm_chart --color + +# all-tests will run golang, python, and helm tests without race (used locally) +all-tests: test python-tests helm-tests # Build manager binary manager: generate fmt vet diff --git a/helm_chart/tests/webhook_clusterrole_test.yaml b/helm_chart/tests/webhook_clusterrole_test.yaml new file mode 100644 index 000000000..b95e5298c --- /dev/null +++ b/helm_chart/tests/webhook_clusterrole_test.yaml 
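Review bot: The `helm plugin install https://github.com/helm-unittest/helm-unittest` line in the new `helm-tests` target has no version pin, so every CI host or developer machine that lacks the plugin runs whatever the upstream repository serves at that moment. Helm plugins can run an install hook and then execute as local code, and the Evergreen function added in this patch sources `.generated/context.export.env` before calling `make helm-tests`, so anything that file exports is in the environment of that code. Pin the install to a release you have reviewed, e.g. `helm plugin install https://github.com/helm-unittest/helm-unittest --version <PINNED_VERSION>;`, or preinstall the plugin in the CI image. The `grep -q unittest` presence check is also loose, since it matches any line of `helm plugin list` containing that string; `grep -qE '^unittest[[:space:]]'` would be tighter.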
@@ -0,0 +1,46 @@ +suite: test webhook consistent clusterrole and binding namecomm +templates: + - operator-roles-webhook.yaml +tests: + - it: should have consistent ClusterRole and ClusterRoleBinding names + set: + operator.webhook.registerConfiguration: true + operator.webhook.installClusterRole: true + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ClusterRole + documentIndex: 0 + - isKind: + of: ClusterRoleBinding + documentIndex: 1 + # The key fix: both should use the same dynamic name + - equal: + path: metadata.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook + documentIndex: 0 + - equal: + path: roleRef.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook + documentIndex: 1 + + # Test that different installations get unique names (prevents conflicts) + - it: should create unique names per installation + set: + operator.name: my-operator + operator.namespace: custom-ns + operator.webhook.registerConfiguration: true + operator.webhook.installClusterRole: true + release: + namespace: custom-ns + asserts: + # Verify the naming pattern: {operator.name}-{namespace}-webhook + - equal: + path: metadata.name + value: my-operator-custom-ns-webhook + documentIndex: 0 + - equal: + path: roleRef.name + value: my-operator-custom-ns-webhook + documentIndex: 1 From c51782a2ea93050c6411c95310811b4e68d8627d Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Mon, 1 Sep 2025 20:54:19 +0200 Subject: [PATCH 3/5] add unit test --- .evergreen-functions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen-functions.yml b/.evergreen-functions.yml index 9e5178213..f5eb2094e 100644 --- a/.evergreen-functions.yml +++ b/.evergreen-functions.yml 
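Review bot: The second test sets `operator.namespace` and `release.namespace` to the same value, `custom-ns`, so it cannot show which of the two the `mongodb-kubernetes-operator.namespace` helper feeds into the name; give them different values and assert the one the chart is meant to honour. Neither test checks the `subjects` entry of the ClusterRoleBinding, which decides which ServiceAccount receives the cluster-wide grant; an assertion such as `- equal: {path: "subjects[0].name", value: my-operator, documentIndex: 1}`, plus one for the subject's namespace, would pin it. The first test depends on the test runner's default release namespace appearing as `NAMESPACE` in the expected values, and setting `release.namespace` explicitly there would make that dependency visible. A case with `operator.webhook.installClusterRole: false` that asserts `hasDocuments` with `count: 0` would cover the opt-out path.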
@@ -725,6 +725,7 @@ functions: make test-race - command: gotest.parse_files params: + files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_helm_unit: - command: shell.exec @@ -735,7 +736,6 @@ functions: script: | source .generated/context.export.env make helm-tests - files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_python_unit: - command: shell.exec From b13fdd0776c5ba31d0198facd94a5e3bcac103ac Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Tue, 2 Sep 2025 11:44:18 +0200 Subject: [PATCH 4/5] add explicit cr and crb --- .../templates/operator-roles-webhook.yaml | 5 +++-- .../tests/webhook_clusterrole_test.yaml | 20 ++++++++++++------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index befa2f131..3bd95ffd1 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -1,7 +1,8 @@ {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}} {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} -{{- $webhookClusterRoleName := printf "%s-%s-webhook" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- $webhookClusterRoleName := printf "%s-%s-webhook-cr" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- $webhookClusterRoleBindingName := printf "%s-%s-webhook-crb" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} {{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole 
@@ -35,7 +36,7 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-webhook-binding + name: {{ $webhookClusterRoleBindingName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/helm_chart/tests/webhook_clusterrole_test.yaml b/helm_chart/tests/webhook_clusterrole_test.yaml index b95e5298c..62b8ce46a 100644 --- a/helm_chart/tests/webhook_clusterrole_test.yaml +++ b/helm_chart/tests/webhook_clusterrole_test.yaml @@ -1,4 +1,4 @@ -suite: test webhook consistent clusterrole and binding namecomm +suite: test webhook consistent clusterrole and binding templates: - operator-roles-webhook.yaml tests: @@ -15,14 +15,17 @@ tests: - isKind: of: ClusterRoleBinding documentIndex: 1 - # The key fix: both should use the same dynamic name - equal: path: metadata.name - value: mongodb-kubernetes-operator-NAMESPACE-webhook + value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr documentIndex: 0 + - equal: + path: metadata.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook-crb + documentIndex: 1 - equal: path: roleRef.name - value: mongodb-kubernetes-operator-NAMESPACE-webhook + value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr documentIndex: 1 # Test that different installations get unique names (prevents conflicts) @@ -35,12 +38,15 @@ tests: release: namespace: custom-ns asserts: - # Verify the naming pattern: {operator.name}-{namespace}-webhook - equal: path: metadata.name - value: my-operator-custom-ns-webhook + value: my-operator-custom-ns-webhook-cr documentIndex: 0 + - equal: + path: metadata.name + value: my-operator-custom-ns-webhook-crb + documentIndex: 1 - equal: path: roleRef.name - value: my-operator-custom-ns-webhook + value: my-operator-custom-ns-webhook-cr documentIndex: 1 From 26431a5e0474209b7e8d633b8f04607a602069bd Mon Sep 17 00:00:00 2001 
From: Nam Nguyen Date: Tue, 2 Sep 2025 11:48:44 +0200 Subject: [PATCH 5/5] add explicit cr and crb --- helm_chart/templates/operator-roles-webhook.yaml | 2 -- public/mongodb-kubernetes-multi-cluster.yaml | 6 +++--- public/mongodb-kubernetes-openshift.yaml | 6 +++--- public/mongodb-kubernetes.yaml | 6 +++--- 4 files changed, 9 insertions(+), 11 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index 3bd95ffd1..1809846a9 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -3,7 +3,6 @@ {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} {{- $webhookClusterRoleName := printf "%s-%s-webhook-cr" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} {{- $webhookClusterRoleBindingName := printf "%s-%s-webhook-crb" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} -{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -30,7 +29,6 @@ rules: - create - update - delete -{{- end }} --- kind: ClusterRoleBinding diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml index c28306670..74bf8af0f 100644 --- a/public/mongodb-kubernetes-multi-cluster.yaml +++ b/public/mongodb-kubernetes-multi-cluster.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" 
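Review bot: Renaming the ClusterRole here, and the ClusterRoleBinding in the next hunk of this file, leaves the old objects `mongodb-kubernetes-operator-mongodb-webhook` and `mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-binding` in any cluster where the earlier manifest was applied directly, because `kubectl apply` without pruning does not remove objects that have dropped out of a manifest. The old binding still points at the old role, so the operator ServiceAccount keeps that cluster-wide grant on `admissionregistration.k8s.io` resources, and a later `kubectl delete -f` of the new manifest will not clean it up. The same applies to the renames in `public/mongodb-kubernetes-openshift.yaml` and `public/mongodb-kubernetes.yaml`. The upgrade notes should list the old object names to delete; the old role name in this file was also the one used by the single-cluster manifests, so it should be removed only once no other installation's binding references it.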
@@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-binding + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator-multi-cluster diff --git a/public/mongodb-kubernetes-openshift.yaml b/public/mongodb-kubernetes-openshift.yaml index 54fa8b396..e557f73c9 100644 --- a/public/mongodb-kubernetes-openshift.yaml +++ b/public/mongodb-kubernetes-openshift.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" @@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook-binding + name: mongodb-kubernetes-operator-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml index f3c727ad6..73baa2fa9 100644 --- a/public/mongodb-kubernetes.yaml +++ b/public/mongodb-kubernetes.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" 
@@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook-binding + name: mongodb-kubernetes-operator-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator