🐛 fix integration tests errors (#1411)

* fix: refactor mondoooperatorconfig.yaml to use set for spec properties

* feat: add helm integration tests workflow and integrate with publish and tests workflows

* fix: improve stability of helm integration tests by adding wait for cluster readiness

* fix: update helm integration tests to use specific image tag and improve cluster readiness checks

* fix: pin helm to v3 and disable createConfig in helm integration tests

* fix: update helm integration tests to improve stability and skip tests for external installations

Author: slntopp

.github/workflows/helm-tests.yaml

@@ -0,0 +1,156 @@
+name: Helm integration tests
+on:
+  workflow_call:
+    inputs:
+      build-operator:
+        description: "Build operator image from source (false = use published image from chart defaults)"
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      MONDOO_TEST_ORG_TOKEN:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  build-operator:
+    if: inputs.build-operator
+    runs-on: ubuntu-latest
+    name: Build operator container
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+          fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: "${{ env.golang-version }}"
+      - name: Build operator container image
+        run: make docker-save
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: helm-operator-build
+          path: operator.tar
+          retention-days: 1
+
+  helm-tests:
+    name: Helm integration tests (${{ matrix.k8s-version }})
+    runs-on: ubuntu-latest
+    needs: [build-operator]
+    if: always() && (needs.build-operator.result == 'success' || needs.build-operator.result == 'skipped')
+
+    permissions:
+      contents: read
+      checks: write
+      statuses: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [v1.32.0, v1.35.0]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+          fetch-depth: 0 # fetch is needed for "git tag --list" in the Makefile
+
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+
+      - name: Install Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: "${{ env.golang-version }}"
+
+      - name: Start minikube
+        uses: medyagh/setup-minikube@aba8d5ff1666d19b9549133e3b92e70d4fc52cb7 # master
+        with:
+          memory: 4000m
+          kubernetes-version: ${{ matrix.k8s-version }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v3.17.0
+          token: ${{ secrets.GITHUB_TOKEN }}
+        id: install
+
+      - name: Download operator build artifact
+        if: inputs.build-operator
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: helm-operator-build
+
+      - name: Load operator image into minikube
+        if: inputs.build-operator
+        run: minikube image load operator.tar
+
+      - name: Wait for minikube to stabilize
+        run: sleep 10
+
+      # Wait for the cluster to stabilize before installing anything.
+      # Matches the pattern from integration-tests.yaml.
+      - name: Wait for cluster to be ready
+        run: for i in 1 2 3 4 5; do kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=180s && break || sleep 10; done
+
+      - name: Install Mondoo Operator Helm chart
+        run: |
+          HELM_ARGS="--set operator.createConfig=false"
+          if [ "${{ inputs.build-operator }}" = "true" ]; then
+            HELM_ARGS="$HELM_ARGS --set controllerManager.manager.image.tag=$(make print-version) --set controllerManager.manager.imagePullPolicy=Never"
+          fi
+          helm install mondoo-operator charts/mondoo-operator -n mondoo-operator --create-namespace --wait $HELM_ARGS
+
+      - name: Run integration tests
+        env:
+          MONDOO_API_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
+        run: EXTERNAL_INSTALLATION=1 make test/integration/ci
+
+      - run: mv integration-tests.xml integration-tests-helm-${{ matrix.k8s-version }}.xml
+        if: success() || failure()
+
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: success() || failure()
+        with:
+          name: test-results-helm-${{ matrix.k8s-version }}
+          path: integration-tests-helm-${{ matrix.k8s-version }}.xml
+
+      - name: Upload test logs artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        if: failure()
+        with:
+          name: helm-test-logs-${{ matrix.k8s-version }}
+          path: /home/runner/work/mondoo-operator/mondoo-operator/tests/integration/_output/
+
+  report-tests:
+    name: Report helm test results
+    runs-on: ubuntu-latest
+    needs: [helm-tests]
+    if: always() && !cancelled()
+    permissions:
+      actions: read
+      contents: read
+      checks: write
+      pull-requests: write
+    steps:
+      - name: Download test results
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          pattern: test-results-helm-*
+          merge-multiple: true
+
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
+        with:
+          commit: ${{ github.event.workflow_run.head_sha }}
+          event_file: ${{ github.event_path }}
+          event_name: ${{ github.event.workflow_run.event }}
+          files: "*.xml"

.github/workflows/publish.yaml

@@ -240,107 +240,22 @@ jobs:
       # this should ensure the manifest is tagged latest, which is required for the install automation
       - release-helm
 
-  # publish helm chart after the release of container images is complete
+  # Run helm integration tests using the published container images
   run-helm-tests:
-    name: Run helm integration tests
     if: startsWith(github.ref, 'refs/tags/v')
     needs:
       - push-virtual-tag
-    runs-on: ubuntu-latest
-
+    uses: ./.github/workflows/helm-tests.yaml
+    with:
+      build-operator: false
     permissions:
       contents: read
+      actions: read
       checks: write
       statuses: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s-version: [v1.32.0, v1.35.0]
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Import environment variables from file
-        run: cat ".github/env" >> $GITHUB_ENV
-
-      - name: Install Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: "${{ env.golang-version }}"
-
-      - name: Start minikube
-        uses: medyagh/setup-minikube@master
-        with:
-          memory: 4000m
-          kubernetes-version: ${{ matrix.k8s-version }}
-
-      - name: Install Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-        id: install
-
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      - name: Install Mondoo Operator Helm chart
-        run: helm install mondoo-operator charts/mondoo-operator -n mondoo-operator --create-namespace --wait
-
-      # Now that dependencies are cached the tests start almost immediately after minikube has started
-      # this makes tests fail occasionally. This sleep gives the runner some time to become more stable
-      # before the test execution starts.
-      - name: Wait a bit for the runner to become more stable
-        run: kubectl -n kube-system wait --for=condition=Ready pods --all --timeout=60s
-
-      - name: Run integration tests
-        env:
-          MONDOO_API_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
-        run: EXTERNAL_INSTALLATION=1 VERSION=${{ steps.meta.outputs.version }} make test/integration/ci
-
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: success() || failure()        # run this step even if previous step failed
-        with:                             # upload a combined archive with unit and integration test results
-          name: test-results-helm-${{ matrix.k8s-version }}
-          path: integration-tests-helm-${{ matrix.k8s-version }}.xml
-
-      - name: Upload test logs artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-        if: failure()
-        with:
-          name: helm-test-logs-${{ matrix.k8s-version }}
-          path: /home/runner/work/mondoo-operator/mondoo-operator/tests/integration/_output/
-
-  report-tests:
-    name: Report test results
-    runs-on: ubuntu-latest
-    needs:
-      - run-helm-tests
-    permissions:
-      actions: read # Required to read the artifact
-      contents: read # Required to read the source
-      checks: write # Required to write the results
-      pull-requests: write # Required to write comments
-    steps:
-      - name: Download test results
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-        with:
-          pattern: test-results-*
-          merge-multiple: true
-
-      - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f # v2.22.0
-        with:
-          commit: ${{ github.event.workflow_run.head_sha }}
-          event_file: ${{ github.event_path }}
-          event_name: ${{ github.event.workflow_run.event }}
-          files: "*.xml"
+      pull-requests: write
+    secrets:
+      MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
 
   release-helm:
     name: Release helm chart
@@ -367,6 +282,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
         with:
+          version: v3.17.0
           token: ${{ secrets.GITHUB_TOKEN }}
         id: install
 

.github/workflows/tests.yaml

@@ -42,3 +42,16 @@ jobs:
     with:
       cnspecImageTag: ""
     secrets: inherit
+  helm-tests:
+    name: Helm tests
+    needs: [unit-tests]
+    if: needs.unit-tests.result == 'success'
+    uses: ./.github/workflows/helm-tests.yaml
+    permissions:
+      contents: read
+      actions: read
+      checks: write
+      statuses: write
+      pull-requests: write
+    secrets:
+      MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}

Makefile

@@ -86,6 +86,10 @@ LDFLAGS="-s -w -X go.mondoo.com/mondoo-operator/pkg/version.Version=$(VERSION) -
 
 all: build
 
+.PHONY: print-version
+print-version: ## Print the current VERSION
+	@echo $(VERSION)
+
 ##@ General
 
 # The help target prints out all targets with their descriptions organized

charts/mondoo-operator/templates/mondoooperatorconfig.yaml

@@ -6,33 +6,33 @@ metadata:
   labels:
   {{- include "mondoo-operator.labels" . | nindent 4 }}
 spec:
+  {{- $spec := dict }}
   {{- if .Values.operator.httpProxy }}
-  httpProxy: {{ .Values.operator.httpProxy | quote }}
+  {{- $_ := set $spec "httpProxy" .Values.operator.httpProxy }}
   {{- end }}
   {{- if .Values.operator.httpsProxy }}
-  httpsProxy: {{ .Values.operator.httpsProxy | quote }}
+  {{- $_ := set $spec "httpsProxy" .Values.operator.httpsProxy }}
   {{- end }}
   {{- if .Values.operator.noProxy }}
-  noProxy: {{ .Values.operator.noProxy | quote }}
+  {{- $_ := set $spec "noProxy" .Values.operator.noProxy }}
   {{- end }}
   {{- if .Values.operator.containerProxy }}
-  containerProxy: {{ .Values.operator.containerProxy | quote }}
+  {{- $_ := set $spec "containerProxy" .Values.operator.containerProxy }}
   {{- end }}
   {{- if .Values.operator.imagePullSecrets }}
-  imagePullSecrets:
-  {{- toYaml .Values.operator.imagePullSecrets | nindent 4 }}
+  {{- $_ := set $spec "imagePullSecrets" .Values.operator.imagePullSecrets }}
   {{- end }}
   {{- if .Values.operator.imageRegistry }}
-  imageRegistry: {{ .Values.operator.imageRegistry | quote }}
+  {{- $_ := set $spec "imageRegistry" .Values.operator.imageRegistry }}
   {{- end }}
   {{- if .Values.operator.registryMirrors }}
-  registryMirrors:
-  {{- toYaml .Values.operator.registryMirrors | nindent 4 }}
+  {{- $_ := set $spec "registryMirrors" .Values.operator.registryMirrors }}
   {{- end }}
   {{- if .Values.operator.skipContainerResolution }}
-  skipContainerResolution: {{ .Values.operator.skipContainerResolution }}
+  {{- $_ := set $spec "skipContainerResolution" .Values.operator.skipContainerResolution }}
   {{- end }}
   {{- if .Values.operator.skipProxyForCnspec }}
-  skipProxyForCnspec: {{ .Values.operator.skipProxyForCnspec }}
+  {{- $_ := set $spec "skipProxyForCnspec" .Values.operator.skipProxyForCnspec }}
   {{- end }}
+  {{- $spec | toYaml | nindent 2 }}
 {{- end }}

tests/integration/helm_chart_test.go

@@ -17,6 +17,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"go.mondoo.com/mondoo-operator/tests/framework/installer"
 	"go.mondoo.com/mondoo-operator/tests/framework/utils"
 )
 
@@ -93,6 +94,10 @@ func (s *HelmChartSuite) TestHelmTemplate() {
 }
 
 func (s *HelmChartSuite) TestHelmInstallAndUninstall() {
+	if _, ok := os.LookupEnv(installer.ExternalInstallationEnvVar); ok {
+		s.T().Skip("Skipping helm install test when operator is installed externally (cluster-scoped resources conflict)")
+	}
+
 	chartPath := filepath.Join(s.rootFolder, helmChartPath)
 
 	imageRepo := os.Getenv("MONDOO_OPERATOR_IMAGE_REPO")