ci: add ConfigMap + init container E2E plugin deploy (CI-only)
Adds a CI-only test fixture for deploying freshly-built plugin artifacts to a test Headlamp instance without kubectl exec/cp. Approved under CTO decision PRI-200 as a narrowly-scoped CI exception — production plugin distribution remains ArtifactHub-only. - scripts/deploy-plugin-to-headlamp.sh: packages plugin as tarball → stores in ConfigMap → patches Headlamp deployment with init container that extracts to static-plugins volume - deployment/e2e-runner-rbac.yaml: minimal RBAC (configmaps, deployments, replicasets, pods — no exec/cp) - scripts/deploy-plugin-to-headlamp.test.sh: precondition and policy compliance tests (9 assertions) Co-Authored-By: Paperclip <noreply@paperclip.ing>
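--- /dev/null
+++ b/scripts/deploy-plugin-to-headlamp.test.sh
@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# ============================================================================
+# CI-ONLY TEST FIXTURE — tests for scripts/deploy-plugin-to-headlamp.sh
+#
+# Validates the deploy script's precondition checks without requiring a
+# live Kubernetes cluster. Run from the repo root:
+#
+# bash scripts/deploy-plugin-to-headlamp.test.sh
+# ============================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SCRIPT="$SCRIPT_DIR/deploy-plugin-to-headlamp.sh"
+PASS=0
+FAIL=0
+
+assert_exit_code() {
+local description="$1"
+local expected="$2"
+local actual="$3"
+if [ "$actual" -eq "$expected" ]; then
+echo " PASS: $description"
+PASS=$((PASS + 1))
+else
+echo " FAIL: $description (expected exit $expected, got $actual)"
+FAIL=$((FAIL + 1))
+fi
+}
+
+echo "=== Deploy script precondition tests ==="
+
+# Test 1: Script fails when dist/ does not exist
+echo ""
+echo "Test 1: Should fail when dist/ directory is missing"
+TMPDIR=$(mktemp -d)
+cd "$TMPDIR"
+set +e
+bash "$SCRIPT" >/dev/null 2>&1
+EXIT_CODE=$?
+set -e
+assert_exit_code "Exits with error when dist/ is missing" 1 "$EXIT_CODE"
+rm -rf "$TMPDIR"
+
+# Test 2: Script is executable
+echo ""
+echo "Test 2: Script should be executable"
+if [ -x "$SCRIPT" ]; then
+echo " PASS: Script is executable"
+PASS=$((PASS + 1))
+else
+echo " FAIL: Script is not executable"
+FAIL=$((FAIL + 1))
+fi
+
+# Test 3: Script has CI-only header comment
+echo ""
+echo "Test 3: Script should have CI-only fixture header"
+if grep -q "CI-ONLY TEST FIXTURE" "$SCRIPT"; then
+echo " PASS: CI-only header present"
+PASS=$((PASS + 1))
+else
+echo " FAIL: Missing CI-only header"
+FAIL=$((FAIL + 1))
+fi
+
+# Test 4: Script does NOT use kubectl exec or kubectl cp
+echo ""
+echo "Test 4: Script must not use kubectl exec or kubectl cp"
+if grep -v '^\s*#' "$SCRIPT" | grep -qE 'kubectl\s+(exec|cp)'; then
+echo " FAIL: Script contains kubectl exec/cp"
+FAIL=$((FAIL + 1))
+else
+echo " PASS: No kubectl exec/cp found"
+PASS=$((PASS + 1))
+fi
+
+# Test 5: Script uses kubectl create configmap
+echo ""
+echo "Test 5: Script should use kubectl create configmap"
+if grep -q 'kubectl create configmap' "$SCRIPT"; then
+echo " PASS: Uses kubectl create configmap"
+PASS=$((PASS + 1))
+else
+echo " FAIL: Missing kubectl create configmap"
+FAIL=$((FAIL + 1))
+fi
+
+# Test 6: Script uses kubectl patch deployment
+echo ""
+echo "Test 6: Script should use kubectl patch deployment"
+if grep -q 'kubectl patch deployment' "$SCRIPT"; then
+echo " PASS: Uses kubectl patch deployment"
+PASS=$((PASS + 1))
+else
+echo " FAIL: Missing kubectl patch deployment"
+FAIL=$((FAIL + 1))
+fi
+
+# Test 7: ConfigMap size guard exists
+echo ""
+echo "Test 7: Script should guard against ConfigMap size limit"
+if grep -q '1000000' "$SCRIPT"; then
+echo " PASS: ConfigMap size guard present"
+PASS=$((PASS + 1))
+else
+echo " FAIL: Missing ConfigMap size guard"
+FAIL=$((FAIL + 1))
+fi
+
+# Test 8: RBAC manifest does not grant exec access
+echo ""
+echo "Test 8: RBAC manifest must not grant exec access"
+RBAC_FILE="$SCRIPT_DIR/../deployment/e2e-runner-rbac.yaml"
+if [ -f "$RBAC_FILE" ]; then
+if grep -qE '"(exec|cp)"' "$RBAC_FILE" || grep -qE "'(exec|cp)'" "$RBAC_FILE"; then
+echo " FAIL: RBAC manifest grants exec/cp access"
+FAIL=$((FAIL + 1))
+else
+echo " PASS: No exec/cp in RBAC manifest"
+PASS=$((PASS + 1))
+fi
+
+# Also check the verbs explicitly
+if grep -q 'pods/exec' "$RBAC_FILE"; then
+echo " FAIL: RBAC manifest grants pods/exec"
+FAIL=$((FAIL + 1))
+else
+echo " PASS: No pods/exec in RBAC manifest"
+PASS=$((PASS + 1))
+fi
+else
+echo " SKIP: RBAC manifest not found at $RBAC_FILE"
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+
+if [ "$FAIL" -gt 0 ]; then
+exit 1
+fi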
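Review bot: The RBAC policy test (Test 8) only fails on a quoted `"exec"`/`'exec'` token and on the literal `pods/exec`, so a manifest with `resources: ["*"]` or `verbs: ["*"]`, or one granting `pods/attach`/`pods/portforward`, passes while conferring the same in-pod access the CI exception is meant to exclude. Test 4 has the same shape of gap: `kubectl\s+(exec|cp)` does not match `kubectl -n ns exec` or `kubectl --context ci cp`, so match flags too, e.g. `grep -qE '\bkubectl\b.*\b(exec|cp)\b'` on the non-comment lines. Also worth stating in the script header: `patch` on deployments — which the deploy script needs for the init container, per the commit description — already lets the runner execute arbitrary code in the Headlamp pod, so the exec/cp ban narrows the audit surface rather than forming a code-execution boundary. I would extend Test 8 with the wildcard/sub-resource check below, and in Test 1 use `trap 'rm -rf "$WORK_DIR"' EXIT` with a dedicated name rather than reassigning the `TMPDIR` environment variable, which otherwise leaks the directory when an earlier line exits under `set -e`.
```shell
# … unchanged: Test 8 quoted-exec and pods/exec checks …
# Wildcards and the other pod sub-resources give equivalent in-pod reach;
# reject them too instead of only the literal exec/cp tokens.
if grep -qE 'pods/(attach|portforward)' "$RBAC_FILE" \
    || grep -qE '^\s*(resources|verbs):.*\*' "$RBAC_FILE" \
    || grep -qE '^\s*-\s*["'"'"']?\*' "$RBAC_FILE"; then
  echo " FAIL: RBAC manifest uses wildcards or pods/attach|portforward"
  FAIL=$((FAIL + 1))
else
  echo " PASS: No wildcards or extra pod sub-resources in RBAC manifest"
  PASS=$((PASS + 1))
fi
```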