Merge pull request #27 from FNNDSC/dev

Add helm-unittest and auto-set value of `pman.setSecurityContext` depending on whether OpenShift is detected

.github/workflows/test-chris.yml

@@ -1,4 +1,4 @@
-name: Test ChRIS and pfcon
+name: Integration tests
 
 on:
   pull_request:
@@ -12,7 +12,7 @@ on:
 jobs:
   test:
     name: Test chris
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -74,86 +74,9 @@ jobs:
         kubectl describe pod -n ghactions
         kubectl exec -n ghactions $(kubectl get statefulset -n ghactions -l app.kubernetes.io/name=postgresql -o name) -i -- sh -c 'psql "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:$POSTGRESQL_PORT_NUMBER/$POSTGRES_DATABASE"' <<< 'select * from plugininstances_plugininstance'
         exit $status
-    - name: Run upgrade and set new admin password
-      run: helm upgrade -n ghactions khris-test ./charts/chris --reuse-values --set chris_admin.password="newpassword1234"
-    - name: Assert secret was changed
-      run: |
-        actual="$(kubectl get secret -n ghactions khris-test-chris-superuser -o jsonpath='{.data.password}' | base64 --decode)"
-        expected="newpassword1234"
-        if [[ "$actual" != *"$expected"* ]]; then
-          echo "::error ::Expected: >>>$expected<<<    Actual: >>>$actual<<<"
-          exit 1
-        fi
-    - name: Restart heart
-      id: restart
-      continue-on-error: true
-      run: |
-        set -x
-        kubectl rollout restart deployment -n ghactions -l app.kubernetes.io/name=chris-heart
-        kubectl rollout status deployment -n ghactions -l app.kubernetes.io/name=chris-heart --timeout=300s
-        most_recent_pod=$(kubectl get pods -n ghactions --sort-by=.metadata.creationTimestamp -l app.kubernetes.io/name=chris-heart -o custom-columns=:metadata.name | tail -n 1)
-        echo "new_pod=$most_recent_pod" >> "$GITHUB_OUTPUT"
-        kubectl wait -n ghactions pod $most_recent_pod --for=condition=ready --timeout=60s
-    - name: Why did the restart fail?
-      if: steps.restart.outcome == 'failure'
-      run: |
-        kubectl get pods -n ghactions
-        kubectl describe pod -n ghactions
-        exit 1
-    - name: Assert superuser password changed
-      run: |
-        actual="$(kubectl logs -n ghactions ${{ steps.restart.outputs.new_pod }} -c set-config)"
-        expected='Updated password for user "khris"'
-        if [[ "$actual" != *"$expected"* ]]; then
-          echo "::error ::Expected: >>>$expected<<<    Actual: >>>$actual<<<"
-          exit 1
-        fi
-    - name: Wait for RabbitMQ to finish restarting
-      run: kubectl rollout status statefulset -n ghactions -l app.kubernetes.io/name=rabbitmq
-    - name: What are my pods doing?
-      run: kubectl get pods -n ghactions
-    - name: Run helm test again
-      run: |
-        set +ex
-        helm test -n ghactions khris-test
-        status=$?
-        kubectl logs -n ghactions khris-test-test-cube-works
-        kubectl get pod -n ghactions
-        kubectl describe pod -n ghactions
-        exit $status
     - name: Test NodePort access
       run: curl --fail-with-body http://localhost:32000/api/v1/
-    - name: Disabling pfcon should not be allowed
-      if: matrix.pfconEnabled == 'pfcon-enabled'
-      run: |
-        set +e
-        expected='CUBE currently depends on pfcon configured in "innetwork" mode for its storage, volume, so you cannot set .pfcon.enabled=false or .pfcon.pfcon.config.innetwork=false'
-        output="$(helm upgrade -n ghactions khris-test ./charts/chris --reuse-values --set pfcon.enabled=false 2>&1)"
-        rc=$?
-        echo "$output"
-        if [ "$rc" = '0' ]; then
-          echo "::error ::Expected command to fail but it didn't"
-          exit $rc
-        elif ! [[ "$output" = *"$expected"* ]]; then
-          echo "::error ::Unexpected output"
-          exit 1
-        fi
-    - name: Enabling pfcon should not be allowed
-      if: matrix.pfconEnabled == 'pfcon-disabled'
-      run: |
-          set +e
-          expected='CUBE is currently using its own volume, so you cannot set .pfcon.enabled=true or .pfcon.pfcon.config.innetwork=true'
-          output="$(helm upgrade -n ghactions khris-test ./charts/chris --reuse-values --set pfcon.enabled=true 2>&1)"
-          rc=$?
-          echo "$output"
-          if [ "$rc" = '0' ]; then
-            echo "::error ::Expected command to fail but it didn't"
-            exit $rc
-          elif ! [[ "$output" = *"$expected"* ]]; then
-            echo "::error ::Unexpected output"
-            exit 1
-          fi
     - name: Uninstall chart
-      run: helm uninstall -n ghactions khris-test
+      run: helm uninstall --wait -n ghactions khris-test
     - name: Delete namespace
       run: kubectl delete namespace ghactions

.github/workflows/test-unit.yml

@@ -0,0 +1,35 @@
+name: Unit Tests
+
+on:
+  push:
+
+jobs:
+  test:
+    name: Unit Tests
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Discover tests
+        id: find
+        run: |
+          test_dirs="$(find -mindepth 3 -maxdepth 3 -type d -name tests)"
+          if [ -z "$test_dirs" ]; then
+            echo "::error ::No test directories found."
+            exit 1
+          fi
+          chart_dirs="$(echo "$test_dirs" | xargs dirname | tr '[:space:]' ',' | sed 's/,*$//')"
+          echo "chart_dirs=$chart_dirs" >> "$GITHUB_OUTPUT"
+      - name: Update Helm dependencies
+        run: |
+          printf '%s' '${{ steps.find.outputs.chart_dirs }}' \
+            | xargs -d , -L 1 helm dependency update \
+            2> >(grep -v 'found symbolic link' >&2)
+      - name: Install helm-unittest
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version v0.6.3
+      - name: Run unit tests
+        run: |
+          printf '%s' '${{ steps.find.outputs.chart_dirs }}' \
+            | xargs -d , -L 1 helm unittest --color \
+            2> >(grep -v 'found symbolic link' >&2)
+

README.md

@@ -3,7 +3,7 @@
 [![MIT License](https://img.shields.io/github/license/fnndsc/charts)](https://github.com/FNNDSC/charts/blob/main/LICENSE)
 [![Release](https://github.com/FNNDSC/charts/actions/workflows/release.yml/badge.svg)](https://github.com/FNNDSC/charts/actions/workflows/release.yml)
 [![Test ChRIS and pfcon](https://github.com/FNNDSC/charts/actions/workflows/test-chris.yml/badge.svg)](https://github.com/FNNDSC/charts/actions/workflows/test-chris.yml)
-[![Test Orthanc](https://github.com/FNNDSC/charts/actions/workflows/test-orthanc.yml/badge.svg)](https://github.com/FNNDSC/charts/actions/workflows/test-orthanc.yml)
+[![Unit Tests](https://github.com/FNNDSC/charts/actions/workflows/test-unit.yml/badge.svg)](https://github.com/FNNDSC/charts/actions/workflows/test-unit.yml)
 
 Helm charts for the [FNNDSC](https://fnndsc.org) and the [_ChRIS_ Project](https://chrisproject.org).
 

charts/pfcon/.helmignore

@@ -21,3 +21,6 @@
 .idea/
 *.tmproj
 .vscode/
+
+/tests
+

charts/pfcon/Chart.yaml

@@ -7,8 +7,8 @@ sources:
 - https://github.com/FNNDSC/pfcon
 
 type: application
-version: "0.2.2"
-appVersion: "5.2.2"
+version: "0.2.3"
+appVersion: "5.2.3"
 
 maintainers:
 - name: The FNNDSC Dev Team

charts/pfcon/templates/pman-config.yml

@@ -11,9 +11,18 @@ data:
   JOB_NAMESPACE: {{ .Release.Namespace }}
   VOLUME_NAME: {{ include "pfcon.storebase" . }}
   {{- toYaml .Values.pman.config | nindent 2 }}
-  {{- if .Values.pman.setSecurityContext }}
+  {{- $setSecurityContextIsSome := kindIs "bool" .Values.pman.setSecurityContext }}
+  {{- if (and (hasKey .Values.pman.config "CONTAINER_USER") $setSecurityContextIsSome (not .Values.pman.setSecurityContext)) }}
+  {{- fail "Cannot set value for .Values.pman.config.CONTAINER_USER because .Values.pman.setSecurityContext=false." }}
+  {{- end }}
+  {{- $setSecurityContextIsNone := not $setSecurityContextIsSome }}
+  {{- $isOpenShift := .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+  {{- if (and (not (hasKey .Values.pman.config "CONTAINER_USER"))
+         (or (and $setSecurityContextIsSome .Values.pman.setSecurityContext)
+             (and $setSecurityContextIsNone (not $isOpenShift)))) }}
   {{- if .Values.global.podSecurityContext }}
-  CONTAINER_USER: {{ printf "%d:%d" (int64 .Values.global.podSecurityContext.runAsUser) (int64 .Values.global.podSecurityContext.runAsGroup) | quote }}
+  CONTAINER_USER: {{ printf "%d:%d" (int64 (.Values.global.podSecurityContext.runAsUser | default "1001"))
+                                    (int64 (.Values.global.podSecurityContext.runAsGroup | default "0")) | quote }}
   {{- else }}
   CONTAINER_USER: "1001:0"  # default user of fnndsc/cube's base image
   {{- end }}

charts/pfcon/tests/set_security_context_in_openshift_test.yaml

@@ -0,0 +1,20 @@
+suite: pman-config.yml setSecurityContext (OpenShift)
+capabilities:
+  apiVersions:
+    - security.openshift.io/v1/SecurityContextConstraints
+templates:
+  - pman-config.yml
+tests:
+  - it: should not set CONTAINER_USER in OpenShift
+    asserts:
+      - notExists:
+          path: data.CONTAINER_USER
+  - it: should set CONTAINER_USER to the value of global.podSecurityContext when setSecurityContext=true
+    set:
+      global.podSecurityContext.runAsUser: 50505
+      global.podSecurityContext.runAsGroup: 303
+      pman.setSecurityContext: true
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '50505:303'

charts/pfcon/tests/set_security_context_test.yaml

@@ -0,0 +1,47 @@
+suite: pman-config.yml setSecurityContext
+templates:
+  - pman-config.yml
+tests:
+  - it: should set CONTAINER_USER to '1001:0' by default (non-OpenShift)
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '1001:0'
+  - it: should set CONTAINER_USER to '1001:0' when setSecurityContext=true and global.podSecurityContext is undefined
+    set:
+      pman.setSecurityContext: true
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '1001:0'
+  - it: should set CONTAINER_USER to the value of global.podSecurityContext when setSecurityContext=true
+    set:
+      global.podSecurityContext.runAsUser: 50505
+      global.podSecurityContext.runAsGroup: 303
+      pman.setSecurityContext: true
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '50505:303'
+  - it: should allow CONTAINER_USER to be set when setSecurityContext is unset
+    set:
+      pman.config.CONTAINER_USER: '20202:0'
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '20202:0'
+  - it: should allow CONTAINER_USER to be set when setSecurityContext=true
+    set:
+      pman.config.CONTAINER_USER: '20202:0'
+      pman.setSecurityContext: true
+    asserts:
+      - equal:
+          path: data.CONTAINER_USER
+          value: '20202:0'
+  - it: should disallow setting of CONTAINER_USER when setSecurityContext=false
+    set:
+      pman.config.CONTAINER_USER: '20202:0'
+      pman.setSecurityContext: false
+    asserts:
+      - failedTemplate:
+          errorMessage: Cannot set value for .Values.pman.config.CONTAINER_USER because .Values.pman.setSecurityContext=false.

charts/pfcon/values.yaml

@@ -93,7 +93,7 @@ pman:
     REMOVE_JOBS: "yes"
     IGNORE_LIMITS: "no"
 
-  # Set securityContext of containers created by pman to have the same securityContext as .global.podSecurityContext
-  # or the default fnndsc/cube container user, so that the container user can write to the shared volume's filesystem.
-  # Should be disabled on OpenShift.
-  setSecurityContext: true
+  # -- Set securityContext of containers created by pman to have the same securityContext as .global.podSecurityContext
+  # -- or the default fnndsc/cube container user, so that the container user can write to the shared volume's filesystem.
+  # -- Default behavior is to detect whether on OpenShift: if so, set as false, true otherwise.
+  setSecurityContext: