test: add helm test hook to test resources

[Kortekaasy]

What type of PR is this?
cleanup

Which issue does this PR fix:
When deploying the helm chart, the two secrets from the test-connection.yaml test are also deployed in the K8s cluster.

What does this PR do / Why do we need it:
This PR adds the "helm.sh/hook": test annotation to these two secrets, such that they are only deployed when a Helm test is run.

If an issue # is not available please add repro steps and logs showing the issue:
To reproduce, install helm chart and check the secrets associated to the helm chart.

Testing done on this change:

Automation added to e2e:

Will this break upgrades or downgrades?
Probably not? Unless a deployment is dependent on these testing resources being present

Does this PR introduce any user-facing change?:

yes

No longer deploys `servercert` and `serverkey` Secrets when not testing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[Kortekaasy]

Not sure why test here is failing, when using a fresh minikube cluster, the helm install&test seems to work fine...

% minikube delete              
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /Users/kortekaasy/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
% minikube start               
😄  minikube v1.31.2 on Darwin 14.0 (arm64)
✨  Automatically selected the docker driver. Other choices: qemu2, ssh, podman (experimental)
📌  Using Docker Desktop driver with root privileges
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.27.4 on Docker 24.0.4 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
% helm install myzot charts/zot
NAME: myzot
LAST DEPLOYED: Mon Oct 23 15:49:59 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
Get the application URL by running these commands:
  export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services myzot)
  export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
% helm test myzot              
NAME: myzot
LAST DEPLOYED: Mon Oct 23 15:49:59 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE:     servercert
Last Started:   Mon Oct 23 15:51:13 2023
Last Completed: Mon Oct 23 15:51:13 2023
Phase:          Succeeded
TEST SUITE:     serverkey
Last Started:   Mon Oct 23 15:51:13 2023
Last Completed: Mon Oct 23 15:51:13 2023
Phase:          Succeeded
TEST SUITE:     myzot-test-connection-fails
Last Started:   Mon Oct 23 15:51:11 2023
Last Completed: Mon Oct 23 15:51:13 2023
Phase:          Succeeded
TEST SUITE:     myzot-test-connection
Last Started:   Mon Oct 23 15:50:56 2023
Last Completed: Mon Oct 23 15:51:11 2023
Phase:          Succeeded
NOTES:
Get the application URL by running these commands:
  export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services myzot)
  export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT

[Kortekaasy]

@rchincha @andaaron @peusebiu @Andreea-Lupu Any comments on this PR?

[Andreea-Lupu]

Hi @Kortekaasy, the reason for what the checks failed is that zot can't start because secretcert and secretkey secrets can't be found because they are not deployed yet. I saw that the chart with the given values file is installed first and after that the other resources with test hook are deployed, so the secrets will be deployed after installing chart which will fail because it needs those external secrets(for the config in ci/tls-values.yaml). And I think the reason for what your helm install&test works fine is that it uses the default values file which doesn't need secrets, if you will try to run the same commands for ci/tls-values.yaml values file(without creating first those secrets) you will have the same problem with the secrets. We need to find a better way to install those secrets(before deploying the chart using ci/*-values.yaml files) only when helm test is running and I started to work on this.

[Kortekaasy]

Hi @Andreea-Lupu, thanks for the response. Would it make sense to create separate helm charts for every CI test, that refer to the zot-registry chart as sub-chart? That way you could put the extra resources needed for your CI tests in the templates directory of the concerned CI test.

[rchincha]

@Kortekaasy Pls also look at Andreea-Lupu@d3394d9#diff-662dff05c7dfe6681c1007ae601e8573d413a03f9f9d53d951c2cb99caba4fd4 and https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml#L109

There are some options here.

[Kortekaasy]

@rchincha @Andreea-Lupu

Thanks for the pointers. I've played around with testing the different deployments as well, and I've come up with the solution described in my helm-chart-tests branch.

I create separate 'test' helm charts in the /ci/ directory, that refer to the zot chart in the /charts/zot/ directory, and that contain the values & resources needed for that specific test. I'm personally a fan of this approach, since it cleanly separates which resources are needed for which tests, and there is very little probability of 'cross contamination' between different tests.

Let me know what you think about this approach, would be happy to create a PR for it

[rchincha]

@Kortekaasy would put those under tests/ci. But like the approach though. Pls post an updated PR and let's take a lot.

[Kortekaasy]

@rchincha

Sorry, forgot to ping you after I finished my changes. I think everything should be ready like this. Let me know if there's anything else I need to change.

[Andreea-Lupu]

Hi @Kortekaasy . I tried your PR and it looks good for the most part. I like this structure because everything looks cleaner and more organized, but I only have 2 concerns:

1. If ct install is run locally then it will generate some new files and directories, so we should be careful to not push them when commit some new changes, maybe we need something like a .gitignore file to ignore these files
2. If the version of our chart changes then depedencies.zot.version field should also be updated in tests/ci/*/Chart.yaml, otherwise the tests will fail. So we have to take care of that.
   Pls correct me if I'm wrong.

Otherwise lgtm, I like this approach.

[Kortekaasy]

Hi @Andreea-Lupu, thanks for the kind words. Regarding your first comment, could you tell me which files? I don't have ct installed at the moment, so it's not very straightforward to test for me. Regarding your second comment, you're right. Maybe this could be solved with a pre-commit hook? I'm not sure what the right approach would be here. At least the CI-tests will notify you of the missed change.

[Andreea-Lupu]

Hi @Andreea-Lupu, thanks for the kind words. Regarding your first comment, could you tell me which files? I don't have ct installed at the moment, so it's not very straightforward to test for me. Regarding your second comment, you're right. Maybe this could be solved with a pre-commit hook? I'm not sure what the right approach would be here. At least the CI-tests will notify you of the missed change.

For example, ct install --charts tests/ci/default generates these new resources which should be ignored:
tests/ci/default
├── Chart.lock
├── charts
│ └── zot-0.1.35.tgz

so I think tests/ci/*/Chart.lock and tests/ci/*/charts should be added in a .gitignore file.
And for updating the version fields, I think we could do this manually, without a pre-commit hook.

@Kortekaasy could you please add the .gitignore file?

[Kortekaasy]

@Andreea-Lupu added

[Andreea-Lupu]

lgtm

[andaaron]

lgtm

[rchincha]

@Kortekaasy thanks for the PR!