forked from jupyterhub/zero-to-jupyterhub-k8s
-
Notifications
You must be signed in to change notification settings - Fork 0
388 lines (342 loc) · 14.5 KB
/
test-chart.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
# This is a GitHub workflow defining a set of jobs with a set of steps.
# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
#
name: Test chart
# Trigger the workflow's on all PRs and pushes so that other contributors can
# run tests in their own forks. Avoid triggering these tests on changes to
# documentation only changes.
on:
pull_request:
paths-ignore:
- "docs/**"
- "**.md"
- ".github/workflows/*"
- "!.github/workflows/test-chart.yaml"
push:
paths-ignore:
- "docs/**"
- "**.md"
- ".github/workflows/*"
- "!.github/workflows/test-chart.yaml"
branches-ignore:
- "dependabot/**"
- "pre-commit-ci-update-config"
- "update-*"
- "vuln-scan-*"
workflow_dispatch:
jobs:
lint_shell_scripts:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install dependencies
run: pip install pre-commit
- name: Run all stages including shellcheck (disabled by default)
run: pre-commit run --all --hook-stage manual
lint_and_validate_rendered_templates:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install dependencies
run: pip install chartpress yamllint
- name: Lint and validate
run: tools/templates/lint-and-validate.py
- name: Lint and validate (--strict, accept failure)
run: tools/templates/lint-and-validate.py --strict
continue-on-error: true
lint_and_validate_templates_with_schema:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
# We run this job with the latest lowest helm version we support.
#
# helm version 3.4.X is known to cause the following error in the named
# template "jupyterhub.imagePuller.daemonset.hook.checksum":
#
# error calling merge: reflect: call of reflect.Value.MapKeys on ptr Value
#
include:
- helm-version: "" # latest
- helm-version: v3.5.0 # minimal required version
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install dependencies
run: |
. ci/common
setup_helm
pip install pyyaml
env:
HELM_VERSION: "${{ matrix.helm-version }}"
- name: Generate values.schema.json
run: tools/generate-json-schema.py
- name: Helm lint (values.yaml)
run: helm lint ./jupyterhub
- name: Helm lint (lint-and-validate-values.yaml)
run: helm lint ./jupyterhub --values tools/templates/lint-and-validate-values.yaml
# FIXME: We can probably emit a GitHub workflow warning if these fail
# instead having them show as green without a warning or similar
#
# NOTE: --strict means that any warning is considered an error, and there
# are several warnings that we should ignore.
#
- name: Helm lint --strict (values.yaml)
run: helm lint --strict ./jupyterhub
continue-on-error: true
- name: Helm lint --strict (lint-and-validate-values.yaml)
run: helm lint --strict ./jupyterhub
continue-on-error: true
test:
runs-on: ubuntu-22.04
timeout-minutes: 20
strategy:
# Keep running even if one variation of the job fail
fail-fast: false
matrix:
# We run this job multiple times with different parameterization
# specified below, these parameters have no meaning on their own and
# gain meaning on how job steps use them.
#
# k3s-version: https://github.com/rancher/k3s/tags
# k3s-channel: https://update.k3s.io/v1-release/channels
#
include:
- k3s-channel: latest
test: install
- k3s-channel: stable # also test hub-slim, and prePuller.hook
test: install
local-chart-extra-args: >-
--set hub.image.name=ghcr.io/tik-nfl/z2jh-hub-slim
--set prePuller.hook.enabled=true
--set prePuller.hook.pullOnlyOnChanges=true
- k3s-channel: v1.31 # also test hub.existingSecret and subdomain_host
test: install
local-chart-extra-args: >-
--set hub.existingSecret=test-hub-existing-secret
--set proxy.secretToken=aaaa1111
--set hub.cookieSecret=bbbb2222
--set hub.config.CryptKeeper.keys[0]=cccc3333
--set hub.config.JupyterHub.subdomain_host=jupyterhub.example.org
create-k8s-test-resources: true
# We run three upgrade tests where we first install an already released
# Helm chart version and then upgrade to the version we are now
# testing:
# - latest stable version (like 1.2.3)
# - latest dev version (like 1.2.3-0.dev.git.5810.hf475e7a4),
# - and an old version that requires a JupyterHub DB upgrade
#
# It can be very useful to see the "Helm diff" step's output from the
# latest dev version.
#
# The upgrade-from input should be a chart version, or match the version
# information from
# https://hub.jupyter.org/helm-chart/info.json
#
- k3s-channel: v1.30
test: upgrade
upgrade-from: stable
upgrade-from-extra-args: >-
--set proxy.secretToken=aaaa1111
--set hub.cookieSecret=bbbb2222
--set hub.config.CryptKeeper.keys[0]=cccc3333
--set hub.db.type=sqlite-pvc
--set singleuser.storage.type=dynamic
local-chart-extra-args: >-
--set hub.db.type=sqlite-pvc
--set singleuser.storage.type=dynamic
create-k8s-test-resources: true
- k3s-channel: v1.29
test: upgrade
upgrade-from: dev
upgrade-from-extra-args: >-
--set proxy.secretToken=aaaa1111
--set hub.db.type=sqlite-pvc
--set singleuser.storage.type=dynamic
local-chart-extra-args: >-
--set hub.db.type=sqlite-pvc
--set singleuser.storage.type=dynamic
- k3s-channel: v1.28
test: upgrade
# We're testing hub.db.upgrade with PostgreSQL so this version must be old
# enough to require a DB upgrade
upgrade-from: 2.0.0
upgrade-from-extra-args: >-
--set proxy.secretToken=aaaa1111
--set hub.cookieSecret=bbbb2222
--set hub.config.CryptKeeper.keys[0]=cccc3333
--set hub.db.type=postgres
--set hub.db.url=postgresql+psycopg2://postgres:postgres@postgresql:5432/jupyterhub
--set singleuser.storage.type=dynamic
local-chart-extra-args: >-
--set hub.db.type=postgres
--set hub.db.url=postgresql+psycopg2://postgres:postgres@postgresql:5432/jupyterhub
--set singleuser.storage.type=dynamic
--set hub.db.upgrade=true
create-k8s-test-resources: true
# https://artifacthub.io/packages/helm/bitnami/postgresql
setup-postgresql-args: >-
--version=16.0.5
--set auth.enablePostgresUser=true
--set auth.postgresPassword=postgres
--set auth.database=jupyterhub
--set audit.logHostname=true
--set audit.logConnections=true
--set audit.logDisconnections=true
--set audit.clientMinMessages=debug
steps:
- uses: actions/checkout@v4
with:
# chartpress requires git history to set chart version and image tags
# correctly
fetch-depth: 0
# Starts a k8s cluster with NetworkPolicy enforcement and installs both
# kubectl and helm
#
# ref: https://github.com/jupyterhub/action-k3s-helm/
- uses: jupyterhub/action-k3s-helm@v4
with:
k3s-channel: ${{ matrix.k3s-channel }}
metrics-enabled: false
traefik-enabled: false
docker-enabled: true
- uses: actions/setup-python@v5
with:
python-version: "3.11"
# Install a local ACME server to fill the role of Let's Encrypt (LE). We
# do this as the HTTP challenge sent out by an ACME server must be able to
# reach the ACME client in our autohttps pod.
- name: Install local ACME server
run: |
helm install pebble --repo https://hub.jupyter.org/helm-chart/ pebble --values dev-config-pebble.yaml
# Build our images if needed and update values.yaml with the tags
- name: Install and run chartpress
run: |
pip3 install -r dev-requirements.txt
chartpress
env:
DOCKER_BUILDKIT: "1"
- name: Generate values.schema.json from values.schema.yaml
run: |
tools/generate-json-schema.py
# Validate rendered helm templates against the k8s api-server with the
# dedicated lint-and-validate-values.yaml config.
- name: "Helm template --validate (with lint and validate config)"
run: |
helm template --validate jupyterhub ./jupyterhub --values tools/templates/lint-and-validate-values.yaml ${{ matrix.helm-template-validate-extra-args }}
# It is only needed at this point forward as this is when we install
# jupyterhub and the autohttps pod is about to start, so for CI
# performance we delayed this until now and did other things in between.
- name: Await local ACME server
uses: jupyterhub/action-k8s-await-workloads@v3
with:
timeout: 150
max-restarts: 1
- name: "(Upgrade) Install PostgreSQL server chart"
if: matrix.setup-postgresql-args
run: |
. ./ci/common
helm install postgresql postgresql --repo=https://charts.bitnami.com/bitnami ${{ matrix.setup-postgresql-args }}
await_kubectl_rollout statefulset/postgresql
- name: "(Upgrade) Install ${{ matrix.upgrade-from }} chart"
if: matrix.test == 'upgrade'
run: |
# NOTE: We change the directory so jupyterhub the chart name won't be
# misunderstood as the local folder name.
#
# https://github.com/helm/helm/issues/9244
cd ci
if [ ${{ matrix.upgrade-from }} = stable ]; then
UPGRADE_FROM_VERSION=$(helm show chart --repo=https://hub.jupyter.org/helm-chart/ jupyterhub | yq e '.version' -)
elif [ ${{ matrix.upgrade-from }} = dev ]; then
UPGRADE_FROM_VERSION=$(helm show chart --devel --repo=https://hub.jupyter.org/helm-chart/ jupyterhub | yq e '.version' -)
else
UPGRADE_FROM_VERSION=${{ matrix.upgrade-from }}
fi
echo "UPGRADE_FROM_VERSION=$UPGRADE_FROM_VERSION" >> $GITHUB_ENV
echo ""
echo "Installing already released jupyterhub version $UPGRADE_FROM_VERSION"
helm install jupyterhub --repo https://hub.jupyter.org/helm-chart/ jupyterhub --values ../dev-config.yaml --version=$UPGRADE_FROM_VERSION ${{ matrix.upgrade-from-extra-args }}
- name: "(Upgrade) Install helm diff"
if: matrix.test == 'upgrade'
run: |
helm plugin install https://github.com/databus23/helm-diff
- name: "(Upgrade) Helm diff ${{ matrix.upgrade-from }} chart with local chart"
if: matrix.test == 'upgrade'
run: |
LOCAL_CHART_VERSION=$(cat jupyterhub/Chart.yaml | yq e '.version' -)
export STRING_REPLACER_A=$LOCAL_CHART_VERSION
export STRING_REPLACER_B=$UPGRADE_FROM_VERSION
echo "NOTE: Helm diff upgrade won't trigger lookup functions, so it"
echo " will look like we seed new passwords all the time."
echo
echo "NOTE: For the helm diff only, we have replaced the new chart"
echo " version with the old chart version to reduce clutter."
echo
echo " Old version: $UPGRADE_FROM_VERSION"
echo " New version: $LOCAL_CHART_VERSION (replaced)"
echo
helm diff upgrade --install jupyterhub ./jupyterhub --values dev-config.yaml \
--values dev-config-local-chart-extra-config.yaml \
${{ matrix.local-chart-extra-args }} \
--show-secrets \
--context=3 \
--post-renderer=ci/string-replacer.sh
- name: "(Upgrade) Await ${{ matrix.upgrade-from }} chart"
if: matrix.test == 'upgrade'
uses: jupyterhub/action-k8s-await-workloads@v3
with:
timeout: 150
max-restarts: 1
- name: "(Upgrade) Await ${{ matrix.upgrade-from }} chart cert acquisition"
if: matrix.test == 'upgrade'
run: |
. ./ci/common
await_autohttps_tls_cert_acquisition
await_autohttps_tls_cert_save
- name: Create k8s test resources
if: matrix.create-k8s-test-resources
run: |
kubectl apply -f ci/test-hub-existing-secret.yaml
- name: "Install local chart"
run: |
helm upgrade --install jupyterhub ./jupyterhub \
--values dev-config.yaml \
--values dev-config-local-chart-extra-config.yaml \
${{ matrix.local-chart-extra-args }}
- name: "Await local chart"
uses: jupyterhub/action-k8s-await-workloads@v3
with:
timeout: 150
max-restarts: 1
- name: Await local chart cert acquisition
run: |
. ./ci/common
await_autohttps_tls_cert_acquisition
- name: Run tests
continue-on-error: ${{ matrix.accept-failure == true }}
run: |
. ./ci/common
if [ "${{ contains(matrix.local-chart-extra-args, 'subdomain_host') }}" = "true" ]; then
export CI_SUBDOMAIN_HOST=jupyterhub.example.org
fi
# If you have problems with the tests add '--capture=no' to show stdout
pytest --verbose --maxfail=2 --color=yes ./tests
# ref: https://github.com/jupyterhub/action-k8s-namespace-report
- name: Kubernetes namespace report
uses: jupyterhub/action-k8s-namespace-report@v1
if: always()
with:
important-workloads: deploy/hub deploy/proxy
- name: Debug PostgreSQL logs on failure
if: failure() && matrix.setup-postgresql-args
run: |
kubectl logs statefulset/postgresql