feat(validator): add Chainsaw-style health check assertions via --data flag

Author: xdu31

Dockerfile.validator

@@ -57,6 +57,13 @@ RUN CGO_ENABLED=0 go test -c -o /out/deployment.test ./pkg/validator/checks/depl
 # test2json (e.g. readiness.test -test.v | test2json).
 RUN CGO_ENABLED=0 go build -o /out/test2json cmd/test2json
 
+# Install Chainsaw CLI for component health check assertions.
+ARG CHAINSAW_VERSION=v0.2.12
+RUN set -e; \
+    ARCH=$(go env GOARCH); \
+    curl -fsSL "https://github.com/kyverno/chainsaw/releases/download/${CHAINSAW_VERSION}/chainsaw_linux_${ARCH}.tar.gz" \
+    | tar xz -C /out chainsaw
+
 # ---------------------------------------------------------------------------
 # Final stage: CUDA runtime provides nvidia-smi for GPU validation
 # ---------------------------------------------------------------------------
@@ -71,6 +78,7 @@ COPY --from=builder /out/aicr /usr/local/bin/aicr
 COPY --from=builder /out/deployment.test /usr/local/bin/deployment.test
 COPY --from=builder /out/conformance.test /usr/local/bin/conformance.test
 COPY --from=builder /out/test2json /usr/local/bin/test2json
+COPY --from=builder /out/chainsaw /usr/local/bin/chainsaw
 
 # Copy testdata needed by deployment tests at runtime (loaded via os.ReadFile
 # relative to CWD, e.g. testdata/nvidia-smi-verify-pod.yaml)

pkg/cli/validate.go

@@ -366,6 +366,7 @@ func validateCmdFlags() []cli.Flag {
 			Name:  "result",
 			Usage: "Use a saved validation result file as the source for evidence rendering (live validation still runs). Requires --phase conformance and --evidence-dir.",
 		},
+		dataFlag,
 		outputFlag,
 		formatFlag,
 		kubeconfigFlag,
@@ -433,7 +434,12 @@ Use a saved result file for evidence instead of the live run:
 		Action: func(ctx context.Context, cmd *cli.Command) error {
 			// Validate single-value flags are not duplicated
 			// Note: --phase allows multiple values so it's not included here
-			if err := validateSingleValueFlags(cmd, "recipe", "snapshot", "output", "format", "namespace", "validation-namespace", "image", "job-name", "service-account-name", "timeout", "resume", "result"); err != nil {
+			if err := validateSingleValueFlags(cmd, "recipe", "snapshot", "output", "format", "namespace", "validation-namespace", "image", "job-name", "service-account-name", "timeout", "resume", "result", "data"); err != nil {
+				return err
+			}
+
+			// Initialize external data provider if --data flag is set
+			if err := initDataProvider(cmd); err != nil {
 				return err
 			}
 

pkg/defaults/timeouts.go

@@ -137,6 +137,13 @@ const (
 	ComponentRenderTimeout = 60 * time.Second
 )
 
+// Chainsaw assertion timeouts for component health checks.
+const (
+	// ChainsawAssertTimeout is the timeout for Chainsaw CLI assertions
+	// when evaluating component health check assert files.
+	ChainsawAssertTimeout = 2 * time.Minute
+)
+
 // Conformance test timeouts for DRA and gang scheduling validation.
 const (
 	// DRATestPodTimeout is the timeout for the DRA test pod to complete.

pkg/recipe/components.go

@@ -60,6 +60,17 @@ type ComponentConfig struct {
 
 	// Validations defines component-specific validation checks.
 	Validations []ComponentValidationConfig `yaml:"validations,omitempty"`
+
+	// HealthCheck defines custom health check configuration for this component.
+	HealthCheck HealthCheckConfig `yaml:"healthCheck,omitempty"`
+}
+
+// HealthCheckConfig defines custom health check settings for a component.
+type HealthCheckConfig struct {
+	// AssertFile is the path to a Chainsaw-style assert YAML file (relative to data directory).
+	// When set, the expected-resources check uses Chainsaw CLI to evaluate assertions
+	// instead of the default auto-discovery + typed replica checks.
+	AssertFile string `yaml:"assertFile,omitempty"`
 }
 
 // HelmConfig contains default Helm chart settings for a component.
@@ -161,6 +172,15 @@ func GetComponentRegistry() (*ComponentRegistry, error) {
 	return globalRegistry, globalRegistryErr
 }
 
+// ResetComponentRegistryForTesting resets the singleton registry so it will be
+// reloaded from the current DataProvider on the next call to GetComponentRegistry.
+// This must only be called from tests.
+func ResetComponentRegistryForTesting() {
+	globalRegistry = nil
+	globalRegistryErr = nil
+	globalRegistryOnce = sync.Once{}
+}
+
 // MustGetComponentRegistry returns the global component registry or panics.
 // Use this in init() functions where the registry must be available.
 func MustGetComponentRegistry() *ComponentRegistry {

pkg/recipe/metadata.go

@@ -111,6 +111,12 @@ type ComponentRef struct {
 	// ExpectedResources lists Kubernetes resources that should exist after deployment.
 	// Used by deployment phase validation to verify component health.
 	ExpectedResources []ExpectedResource `json:"expectedResources,omitempty" yaml:"expectedResources,omitempty"`
+
+	// HealthCheckAsserts contains raw Chainsaw-style assert YAML loaded from the
+	// registry's healthCheck.assertFile via the DataProvider. When non-empty, the
+	// expected-resources check runs Chainsaw CLI to evaluate assertions instead of
+	// the default auto-discovery + typed replica checks.
+	HealthCheckAsserts string `json:"healthCheckAsserts,omitempty" yaml:"healthCheckAsserts,omitempty"`
 }
 
 // ExpectedResource represents a Kubernetes resource that should exist after deployment.
@@ -479,6 +485,11 @@ func mergeComponentRef(base, overlay ComponentRef) ComponentRef {
 		result.ExpectedResources = overlay.ExpectedResources
 	}
 
+	// HealthCheckAsserts: overlay takes precedence if set
+	if overlay.HealthCheckAsserts != "" {
+		result.HealthCheckAsserts = overlay.HealthCheckAsserts
+	}
+
 	return result
 }
 

pkg/validator/chainsaw/runner.go

@@ -0,0 +1,196 @@
+// Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package chainsaw executes Chainsaw-style assertions against a live Kubernetes cluster.
+package chainsaw
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync"
+	"text/template"
+	"time"
+
+	"github.com/NVIDIA/aicr/pkg/errors"
+)
+
+// ComponentAssert holds the data needed to run Chainsaw for one component.
+type ComponentAssert struct {
+	// Name is the component name (e.g., "gpu-operator").
+	Name string
+
+	// AssertYAML is the raw Chainsaw assert file content.
+	AssertYAML string
+}
+
+// Result holds the outcome of a Chainsaw assertion run for one component.
+type Result struct {
+	// Component is the component name.
+	Component string
+
+	// Passed indicates whether the assertion passed.
+	Passed bool
+
+	// Output contains Chainsaw stdout/stderr for diagnostics.
+	Output string
+
+	// Error contains any error from executing Chainsaw.
+	Error error
+}
+
+// chainsawTestTemplate is the Chainsaw test manifest template.
+var chainsawTestTemplate = template.Must(template.New("chainsaw-test").Parse(`apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: {{ .Name }}
+spec:
+  timeouts:
+    assert: {{ .Timeout }}
+  steps:
+  - try:
+    - assert:
+        file: assert.yaml
+`))
+
+// chainsawTestData holds template parameters for generating chainsaw-test.yaml.
+type chainsawTestData struct {
+	Name    string
+	Timeout string
+}
+
+// Run executes Chainsaw assertions for a set of components.
+// Creates a temp directory structure and runs `chainsaw test` per component.
+// Components are run concurrently with bounded parallelism.
+func Run(ctx context.Context, asserts []ComponentAssert, timeout time.Duration) []Result {
+	if len(asserts) == 0 {
+		return nil
+	}
+
+	results := make([]Result, len(asserts))
+
+	var wg sync.WaitGroup
+	// Limit concurrency to 4 parallel Chainsaw runs.
+	sem := make(chan struct{}, 4)
+
+	for i, ca := range asserts {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			sem <- struct{}{}
+			defer func() { <-sem }()
+
+			results[i] = runSingle(ctx, ca, timeout)
+		}()
+	}
+
+	wg.Wait()
+	return results
+}
+
+// runSingle executes Chainsaw for a single component.
+func runSingle(ctx context.Context, ca ComponentAssert, timeout time.Duration) Result {
+	result := Result{Component: ca.Name}
+
+	// Create temp directory for this component's test files.
+	baseDir, err := os.MkdirTemp("", "chainsaw-run-*")
+	if err != nil {
+		result.Error = errors.Wrap(errors.ErrCodeInternal, "failed to create temp directory", err)
+		return result
+	}
+	defer os.RemoveAll(baseDir)
+
+	testDir := filepath.Join(baseDir, ca.Name)
+	if err := os.MkdirAll(testDir, 0o750); err != nil {
+		result.Error = errors.Wrap(errors.ErrCodeInternal, "failed to create test directory", err)
+		return result
+	}
+
+	// Write assert.yaml.
+	assertPath := filepath.Join(testDir, "assert.yaml")
+	if err := os.WriteFile(assertPath, []byte(ca.AssertYAML), 0o600); err != nil {
+		result.Error = errors.Wrap(errors.ErrCodeInternal, "failed to write assert.yaml", err)
+		return result
+	}
+
+	// Generate chainsaw-test.yaml.
+	testYAMLPath := filepath.Join(testDir, "chainsaw-test.yaml")
+	if err := generateTestManifest(testYAMLPath, ca.Name, timeout); err != nil {
+		result.Error = err
+		return result
+	}
+
+	// Execute chainsaw test.
+	output, execErr := execChainsaw(ctx, testDir)
+	result.Output = output
+
+	if execErr != nil {
+		result.Passed = false
+		result.Error = execErr
+		slog.Warn("chainsaw health check failed",
+			"component", ca.Name,
+			"error", execErr)
+	} else {
+		result.Passed = true
+		slog.Info("chainsaw health check passed", "component", ca.Name)
+	}
+
+	return result
+}
+
+// generateTestManifest writes a chainsaw-test.yaml file for the given component.
+func generateTestManifest(path, componentName string, timeout time.Duration) error {
+	data := chainsawTestData{
+		Name:    componentName,
+		Timeout: fmt.Sprintf("%ds", int(timeout.Seconds())),
+	}
+
+	var buf bytes.Buffer
+	if err := chainsawTestTemplate.Execute(&buf, data); err != nil {
+		return errors.Wrap(errors.ErrCodeInternal, "failed to render chainsaw test template", err)
+	}
+
+	if err := os.WriteFile(path, buf.Bytes(), 0o600); err != nil {
+		return errors.Wrap(errors.ErrCodeInternal, "failed to write chainsaw-test.yaml", err)
+	}
+
+	return nil
+}
+
+// execChainsaw runs `chainsaw test --test-dir <dir> --no-color` and returns
+// combined stdout+stderr output. Returns nil error on exit code 0, otherwise
+// wraps the exec error.
+func execChainsaw(ctx context.Context, testDir string) (string, error) {
+	cmd := exec.CommandContext(ctx, "chainsaw", "test", "--test-dir", testDir, "--no-color")
+
+	var combined bytes.Buffer
+	cmd.Stdout = &combined
+	cmd.Stderr = &combined
+
+	slog.Debug("executing chainsaw", "dir", testDir, "cmd", cmd.String())
+
+	err := cmd.Run()
+	output := combined.String()
+
+	if err != nil {
+		return output, errors.Wrap(errors.ErrCodeInternal,
+			fmt.Sprintf("chainsaw test failed (exit code: %v)", cmd.ProcessState.ExitCode()), err)
+	}
+
+	return output, nil
+}