test(kuttl): Install cert-manager (#505)

NickLarsenNZ · web-flow · commit 09c36f1e2818 · 2024-09-30T06:41:53.000Z
* test(kuttl): try to install cert-manager and remove it if installed. Supports concurrent test runs.

* chore(kuttl): set script width to 80 characters for easier diffing in future

* chore(kuttl): improve output

* chore: fix lint

* chore: update changelog

* chore(kuttl): fix typo
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 
 - Fixed Kerberos keytab provisioning reusing its credential cache ([#490]).
 - Fixed listener volumes missing a required permission to inspect manually provisioned listeners ([#497]).
+- test: Fixed cert-manager tests by installing cert-manager if it doesn't exist ([#505]).
 
 ### Changed
 
@@ -23,6 +24,7 @@ All notable changes to this project will be documented in this file.
 [#490]: https://github.com/stackabletech/secret-operator/pull/490
 [#495]: https://github.com/stackabletech/secret-operator/pull/495
 [#497]: https://github.com/stackabletech/secret-operator/pull/497
+[#505]: https://github.com/stackabletech/secret-operator/pull/505
 
 ## [24.7.0] - 2024-07-24
 
@@ -35,9 +37,9 @@ All notable changes to this project will be documented in this file.
 
 - [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
   - Existing users can either migrate by either:
-      - (Recommended) Copying the CA into the new location
-        (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
-      - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
+    - (Recommended) Copying the CA into the new location
+      (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
+    - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
 - Reduce CA default lifetime to one year ([#403])
 - Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner
   in the Helm values to v4.0.1 ([#440]).
@@ -80,7 +82,6 @@ All notable changes to this project will be documented in this file.
 [#357]: https://github.com/stackabletech/secret-operator/pull/357
 [#361]: https://github.com/stackabletech/secret-operator/pull/361
 
-
 ## [23.11.0] - 2023-11-24
 
 ### Added
diff --git a/tests/templates/kuttl/cert-manager-tls/00-maybe-install-cert-manager.yaml b/tests/templates/kuttl/cert-manager-tls/00-maybe-install-cert-manager.yaml
@@ -0,0 +1,90 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      #!/usr/bin/env sh
+      set -eu
+
+      CERT_MANAGER_NAMESPACE="cert-manager-beku"
+      CERT_MANAGER_CHART_VERSION="v1.15.3"
+
+      MARKER_CONFIG_MAP_NAME="beku-install-marker"
+      MARKER_FINALIZER_NAME="tech.stackable.beku/$NAMESPACE"
+
+      MAX_SLEEP_SECONDS=10
+      RANDOM_SLEEP_SECONDS="$((RANDOM % MAX_SLEEP_SECONDS))"
+      echo "Sleeping for $RANDOM_SLEEP_SECONDS seconds to reduce the chance " \
+           "of concurrent cert-manager installations"
+      sleep "$RANDOM_SLEEP_SECONDS"
+
+      # If cert-manager already appears to be installed, or is still installing
+      # in another concurrent test, then add ourselves as a finalizer so it
+      # doesn't get deleted while we are using it.
+      if kubectl --namespace "$CERT_MANAGER_NAMESPACE" get configmap \
+        "$MARKER_CONFIG_MAP_NAME" 2>/dev/null >/dev/null;
+      then
+        echo "Skipping cert-manager install, it appears to have been done or " \
+             "is in progress."
+        echo "Adding finalizer ${MARKER_FINALIZER_NAME} to marker ConfigMap" \
+             "${CERT_MANAGER_NAMESPACE}/${MARKER_CONFIG_MAP_NAME}."
+
+        kubectl --namespace "$CERT_MANAGER_NAMESPACE" patch configmap \
+          "$MARKER_CONFIG_MAP_NAME" --type=json --patch-file=/dev/stdin <<EOF
+      [{
+        "op": "add",
+        "path": "/metadata/finalizers/-",
+        "value": "$MARKER_FINALIZER_NAME"
+      }]
+      EOF
+
+        # Now wait until the deployment has finished
+        while ! helm list --namespace "$CERT_MANAGER_NAMESPACE" \
+          | grep cert-manager >/dev/null
+        do
+          echo "Waiting for another instance to finish installing cert-manager"
+          sleep 5
+        done
+        echo "Finished waiting for another installation of cert-manager"
+        exit 0
+      else
+        # If cert-manager appears to be installed, but we didn't do it, skip
+        # install
+        if kubectl get crds -o name | grep 'cert-manager.io'; then
+          echo "Cert Manager appears to already be installed outside of " \
+               "testing. Skipping install."
+          exit 0
+        fi
+      fi
+
+      # Otherwise, we need to install cert-manager
+
+      # Create the namespace, and add finalizer for this test (keyed with
+      # $NAMESPACE)
+      kubectl create namespace "$CERT_MANAGER_NAMESPACE"
+
+      # Create a marker CM and add ourselves as the first and only finalizer
+      echo "Creating marker ConfigMap ${CERT_MANAGER_NAMESPACE}/" \
+           "${MARKER_CONFIG_MAP_NAME}."
+      kubectl --namespace "$CERT_MANAGER_NAMESPACE" create configmap \
+        "$MARKER_CONFIG_MAP_NAME"
+      echo "Adding finalizer ${MARKER_FINALIZER_NAME} to marker ConfigMap" \
+           "${CERT_MANAGER_NAMESPACE}/${MARKER_CONFIG_MAP_NAME}."
+      kubectl --namespace "$CERT_MANAGER_NAMESPACE" patch configmap \
+        "$MARKER_CONFIG_MAP_NAME" --type=json --patch-file=/dev/stdin <<EOF
+      [{
+        "op": "add",
+        "path": "/metadata/finalizers",
+        "value": ["$MARKER_FINALIZER_NAME"]
+      }]
+      EOF
+
+      helm repo add jetstack https://charts.jetstack.io --force-update
+
+      helm install cert-manager jetstack/cert-manager \
+        --wait \
+        --namespace "$CERT_MANAGER_NAMESPACE" \
+        --version "$CERT_MANAGER_CHART_VERSION" \
+        --set crds.enabled=true \
+        --set prometheus.enabled=false
+    timeout: 120
diff --git a/tests/templates/kuttl/cert-manager-tls/99-maybe-uninstall-cert-manager.yaml b/tests/templates/kuttl/cert-manager-tls/99-maybe-uninstall-cert-manager.yaml
@@ -0,0 +1,81 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      #!/usr/bin/env sh
+      set -eu
+
+      CERT_MANAGER_NAMESPACE="cert-manager-beku"
+
+      MARKER_CONFIG_MAP_NAME="beku-install-marker"
+      MARKER_FINALIZER_NAME="tech.stackable.beku/$NAMESPACE"
+
+      # If a marker CM doesn't exist, skip cleanup
+      echo "Checking if marker ConfigMap exists"
+      if ! kubectl --namespace "$CERT_MANAGER_NAMESPACE" get configmap \
+        "$MARKER_CONFIG_MAP_NAME" 2>/dev/null >/dev/null
+      then
+        echo "Cert-manager appears to have been installed outside of testing" \
+             "Skipping clean up for it"
+        exit 0
+      fi
+
+      # Otherwise, clean up
+
+      # Get our finalizer index, so we can delete it.
+      echo -n "Getting the index of the finalizer... "
+      IDX=$(
+        kubectl --namespace "$CERT_MANAGER_NAMESPACE" get configmap \
+          "$MARKER_CONFIG_MAP_NAME" --output 'jsonpath={.metadata.finalizers}' \
+          | jq -re --arg finalizer "$MARKER_FINALIZER_NAME" '
+            map(. == $finalizer) | index(true)
+          '
+      )
+      echo "$IDX"
+
+      # TODO: move delete to here
+      # Try to delete the CM. If there are other finalizers, then it won't
+      # delete immediately
+      echo "Trying to delete the marker ConfigMap"
+      kubectl --namespace "$CERT_MANAGER_NAMESPACE" delete configmap \
+        "$MARKER_CONFIG_MAP_NAME" --timeout 1s 2>/dev/null || true
+
+      # Check if we are the last finalizer. If we are, then we need to cleanup \
+      # helm, crds, namespace
+      FINALIZERS_REMAINING_COUNT=$(
+        kubectl --namespace cert-manager-beku get configmap \
+          beku-install-marker --output 'jsonpath={$.metadata.finalizers}' \
+          | jq length
+      )
+
+      # Remove ourselves as a finalizer, hopefully...
+      # Unfortunately this is non-atomic because of JSON Patch (RFC 6902)
+      # limitations where we can only delete by index.
+      echo "Removing self as a finalizer"
+      kubectl --namespace "$CERT_MANAGER_NAMESPACE" patch configmap \
+        "$MARKER_CONFIG_MAP_NAME" --type=json --patch-file=/dev/stdin <<EOF
+      [{
+        "op": "remove",
+        "path": "/metadata/finalizers/$IDX",
+      }]
+      EOF
+
+      if [ "$FINALIZERS_REMAINING_COUNT" -gt 1 ]; then
+        # Todo, print other finalizers. Or, maybe we can check if their
+        # namespaces still exist.
+        echo "Other instances are using cert-manager. Skipping cleanup"
+        exit 0
+      fi
+
+      echo "uninstalling helm chart"
+      helm uninstall cert-manager \
+        --wait \
+        --namespace "$CERT_MANAGER_NAMESPACE"
+
+      echo "Removing CRDs"
+      kubectl get crds -o name | grep 'cert-manager.io' | xargs kubectl delete
+
+      echo "Deleting cert-manager namespace"
+      kubectl delete namespace "$CERT_MANAGER_NAMESPACE"
+    timeout: 120
