Merge pull request #36 from bouskaJ/setup_envtest

test: Add setup envtest

Author: miyunari

.gitignore

@@ -2,6 +2,7 @@
 
 /bin
 
+cover.out
 # editor and IDE paraphernalia
 .idea
 .vscode

Makefile

@@ -53,6 +53,7 @@ OPERATOR_SDK_VERSION ?= v1.39.2
 IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.31.0
+ENVTEST_VERSION ?= release-0.17
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -141,7 +142,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
-docker-build: ## Build docker image with the manager.
+docker-build: test ## Build docker image with the manager.
 	$(CONTAINER_TOOL) build -t ${IMG} .
 
 .PHONY: docker-push

go.mod

@@ -6,10 +6,12 @@ toolchain go1.23.4
 
 require (
 	github.com/go-logr/logr v1.4.2
-	github.com/stretchr/testify v1.9.0
+	github.com/onsi/ginkgo/v2 v2.21.0
+	github.com/onsi/gomega v1.35.1
 	k8s.io/api v0.31.0
 	k8s.io/apimachinery v0.32.0
 	k8s.io/client-go v0.31.0
+	k8s.io/klog/v2 v2.130.1
 	sigs.k8s.io/controller-runtime v0.19.4
 )
 
@@ -31,13 +33,15 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/cel-go v0.20.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
@@ -49,7 +53,6 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
@@ -76,19 +79,18 @@ require (
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.31.0 // indirect
 	k8s.io/apiserver v0.31.0 // indirect
 	k8s.io/component-base v0.31.0 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect

internal/webhooks/pod_webhook_test.go

@@ -2,31 +2,103 @@ package webhooks
 
 import (
 	"context"
-	"encoding/json"
-	"testing"
 
-	admissionv1 "k8s.io/api/admission/v1"
-	"k8s.io/client-go/kubernetes/scheme"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-
-	"github.com/stretchr/testify/assert"
+	"github.com/miyunari/model-validation-controller/api/v1alpha1"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
-func Test_PodInterceptor_Handle(t *testing.T) {
-	const req = `{"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1","request":{"uid":"c33e1334-1a38-4684-aff8-e8c366ea89b9","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"ollama","namespace":"model-validation-controller","operation":"CREATE","userInfo":{"username":"admin","groups":["system:masters","system:authenticated"],"extra":{"authentication.kubernetes.io/credential-id":["X509SHA256=acb312b9049f7fbeb8788001d7e61e145f10df1e4a752d1ef2caa3097d233246"]}},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"ollama","namespace":"model-validation-controller","creationTimestamp":null,"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{\"validation.rhtas.redhat.com/ml\":\"true\"},\"name\":\"ollama\",\"namespace\":\"model-validation-controller\"},\"spec\":{\"containers\":[{\"image\":\"ollama/ollama\",\"name\":\"ollama\",\"ports\":[{\"containerPort\":11434}]}]}}\n","validation.rhtas.redhat.com/ml":"true"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"v1","time":"2025-01-18T20:43:09Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{},"f:validation.rhtas.redhat.com/ml":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"ollama\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":11434,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol":{}}},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}]},"spec":{"volumes":[{"name":"kube-api-access-v9hhf","projected":{"sources":[{"serviceAccountToken":{"expirationSeconds":3607,"path":"token"}},{"configMap":{"name":"kube-root-ca.crt","items":[{"key":"ca.crt","path":"ca.crt"}]}},{"downwardAPI":{"items":[{"path":"namespace","fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}]}}],"defaultMode":420}}],"containers":[{"name":"ollama","image":"ollama/ollama","ports":[{"containerPort":11434,"protocol":"TCP"}],"resources":{},"volumeMounts":[{"name":"kube-api-access-v9hhf","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1","fieldManager":"kubectl-client-side-apply"}}}`
+var _ = Describe("Pod webhook", func() {
+	Context("Pod webhook test", func() {
 
-	var review admissionv1.AdmissionReview
-	err := json.Unmarshal([]byte(req), &review)
-	assert.NoError(t, err)
+		const (
+			Name      = "test"
+			Namespace = "default"
+		)
 
-	decoder := admission.NewDecoder(scheme.Scheme)
-	handler := NewPodInterceptor(fake.NewClientBuilder().Build(), decoder)
+		ctx := context.Background()
 
-	resp := handler.Handle(context.Background(), admission.Request{
-		AdmissionRequest: *review.Request,
-	})
+		namespace := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      Name,
+				Namespace: Namespace,
+			},
+		}
+
+		typeNamespaceName := types.NamespacedName{Name: Name, Namespace: Namespace}
+
+		BeforeEach(func() {
+			By("Creating the Namespace to perform the tests")
+			err := k8sClient.Create(ctx, namespace)
+			Expect(err).To(Not(HaveOccurred()))
+
+			By("Create ModelValidation resource")
+			err = k8sClient.Create(ctx, &v1alpha1.ModelValidation{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      Name,
+					Namespace: Namespace,
+				},
+				Spec: v1alpha1.ModelValidationSpec{
+					Model: v1alpha1.Model{
+						Path:          "test",
+						SignaturePath: "test",
+					},
+					Config: v1alpha1.ValidationConfig{
+						SigstoreConfig:   nil,
+						PkiConfig:        nil,
+						PrivateKeyConfig: nil,
+					},
+				},
+			})
+			Expect(err).To(Not(HaveOccurred()))
+		})
 
-	assert.NotNil(t, resp)
-	assert.True(t, resp.Allowed)
-}
+		AfterEach(func() {
+			// TODO(user): Attention if you improve this code by adding other context test you MUST
+			// be aware of the current delete namespace limitations.
+			// More info: https://book.kubebuilder.io/reference/envtest.html#testing-considerations
+			By("Deleting the Namespace to perform the tests")
+			_ = k8sClient.Delete(ctx, namespace)
+		})
+
+		It("Should create sidecar container", func() {
+			By("create labeled pod")
+			instance := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      Name,
+					Namespace: Namespace,
+					Labels:    map[string]string{"validation.rhtas.redhat.com/ml": "true"},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "test",
+							Image: "test",
+						},
+					},
+				},
+			}
+			err := k8sClient.Create(ctx, instance)
+			Expect(err).To(Not(HaveOccurred()))
+
+			By("Checking that validation sidecar was created")
+			found := &corev1.Pod{}
+			Eventually(func() error {
+				return k8sClient.Get(ctx, typeNamespaceName, found)
+			}).Should(Succeed())
+
+			Eventually(
+				func(g Gomega) []corev1.Container {
+					Expect(k8sClient.Get(ctx, typeNamespaceName, found)).To(Succeed())
+					return found.Spec.InitContainers
+				},
+			).Should(And(
+				WithTransform(func(containers []corev1.Container) int { return len(containers) }, Equal(1)),
+				WithTransform(func(containers []corev1.Container) string { return containers[0].Image }, Equal("ghcr.io/sigstore/model-transparency-cli:v1.0.1")),
+			))
+		})
+	})
+})

internal/webhooks/suite_test.go

@@ -0,0 +1,112 @@
+package webhooks
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/miyunari/model-validation-controller/api/v1alpha1"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/test"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	//+kubebuilder:scaffold:imports
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var (
+	cfg       *rest.Config
+	k8sClient client.Client // You'll be using this client in your tests.
+	testEnv   *envtest.Environment
+	ctx       context.Context
+	cancel    context.CancelFunc
+)
+
+func TestAPIs(t *testing.T) {
+	fs := test.InitKlog(t)
+	_ = fs.Set("v", "5")
+	klog.SetOutput(GinkgoWriter)
+	ctrl.SetLogger(klog.NewKlogr())
+
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Webhook Suite")
+}
+
+var _ = BeforeSuite(func() {
+	ctx, cancel = context.WithCancel(context.TODO())
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
+		ErrorIfCRDPathMissing: true,
+
+		// The BinaryAssetsDirectory is only required if you want to run the tests directly
+		// without call the makefile target test. If not informed it will look for the
+		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
+		// Note that you must have the required binaries setup under the bin directory to perform
+		// the tests directly. When we run make test it will be setup and used automatically.
+		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
+			fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
+		WebhookInstallOptions: envtest.WebhookInstallOptions{Paths: []string{filepath.Join("..", "..", "config", "webhook")}},
+	}
+
+	var err error
+	// cfg is defined in this file globally.
+	cfg, err = testEnv.Start()
+	Expect(err).NotTo(HaveOccurred())
+	Expect(cfg).NotTo(BeNil())
+
+	err = v1alpha1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	//+kubebuilder:scaffold:scheme
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+	Expect(err).NotTo(HaveOccurred())
+	Expect(k8sClient).NotTo(BeNil())
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		Host:    testEnv.WebhookInstallOptions.LocalServingHost,
+		Port:    testEnv.WebhookInstallOptions.LocalServingPort,
+		CertDir: testEnv.WebhookInstallOptions.LocalServingCertDir,
+	})
+
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:        scheme.Scheme,
+		WebhookServer: webhookServer,
+	})
+	Expect(err).ToNot(HaveOccurred())
+	Expect(k8sClient).NotTo(BeNil())
+
+	// Create a decoder for your webhook
+	decoder := admission.NewDecoder(scheme.Scheme)
+	podWebhookHandler := NewPodInterceptor(mgr.GetClient(), decoder)
+	mgr.GetWebhookServer().Register("/mutate-v1-pod", &admission.Webhook{
+		Handler: podWebhookHandler,
+	})
+
+	go func() {
+		defer GinkgoRecover()
+		err = mgr.Start(ctx)
+		Expect(err).ToNot(HaveOccurred(), "failed to run manager")
+	}()
+})
+
+var _ = AfterSuite(func() {
+	cancel()
+	By("tearing down the test environment")
+	err := testEnv.Stop()
+	Expect(err).NotTo(HaveOccurred())
+})