constellation/cli/internal/helm/upgrade_test.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package helm

import (
	"context"
	"testing"
	"time"

	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
	"github.com/edgelesssys/constellation/v2/internal/compatibility"
	"github.com/edgelesssys/constellation/v2/internal/config"
	"github.com/edgelesssys/constellation/v2/internal/logger"
	"github.com/edgelesssys/constellation/v2/internal/semver"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"helm.sh/helm/v3/pkg/chart"
	"helm.sh/helm/v3/pkg/release"
)

func TestShouldUpgrade(t *testing.T) {
	testCases := map[string]struct {
		version            string
		assertCorrectError func(t *testing.T, err error) bool
		wantError          bool
	}{
		"valid upgrade": {
			version: "1.9.0",
		},
		"not a valid upgrade": {
			version: "1.0.0",
			assertCorrectError: func(t *testing.T, err error) bool {
				var target *compatibility.InvalidUpgradeError
				return assert.ErrorAs(t, err, &target)
			},
			wantError: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			client := UpgradeClient{kubectl: nil, actions: &stubActionWrapper{version: tc.version}, log: logger.NewTest(t)}

			chart, err := loadChartsDir(helmFS, certManagerInfo.path)
			require.NoError(err)
			chartVersion, err := semver.New(chart.Metadata.Version)
			require.NoError(err)
			err = client.shouldUpgrade(certManagerInfo.releaseName, chartVersion, false)
			if tc.wantError {
				tc.assertCorrectError(t, err)
				return
			}
			assert.NoError(err)
		})
	}
}

func TestUpgradeRelease(t *testing.T) {
	testCases := map[string]struct {
		version   string
		wantError bool
	}{
		"allow": {
			version: "1.9.0",
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			client := UpgradeClient{kubectl: nil, actions: &stubActionWrapper{version: tc.version}, log: logger.NewTest(t)}

			chart, err := loadChartsDir(helmFS, certManagerInfo.path)
			require.NoError(err)
			err = client.upgradeRelease(context.Background(), 0, config.Default(), clusterid.File{UID: "test"}, chart)
			if tc.wantError {
				assert.Error(err)
				return
			}
			assert.NoError(err)
		})
	}
}

type stubActionWrapper struct {
	version string
}

// listAction returns a list of len 1 with a release that has only it's version set.
func (a *stubActionWrapper) listAction(_ string) ([]*release.Release, error) {
	return []*release.Release{{Chart: &chart.Chart{Metadata: &chart.Metadata{Version: a.version}}}}, nil
}

func (a *stubActionWrapper) getValues(_ string) (map[string]any, error) {
	return nil, nil
}

func (a *stubActionWrapper) installAction(_ context.Context, _ string, _ *chart.Chart, _ map[string]any, _ time.Duration) error {
	return nil
}

func (a *stubActionWrapper) upgradeAction(_ context.Context, _ string, _ *chart.Chart, _ map[string]any, _ time.Duration) error {
	return nil
}
Microservice upgrades (#729) Run with: constellation upgrade execute --helm. This will only upgrade the helm charts. No config is needed. Upgrades are implemented via helm's upgrade action, i.e. they automatically roll back if something goes wrong. Releases could still be managed via helm, even after an upgrade with constellation has been done. Currently not user facing as CRD/CR backups are still in progress. These backups should be automatically created and saved to the user's disk as updates may delete CRs. This happens implicitly through CRD upgrades, which are part of microservice upgrades. 2022-12-19 15:52:15 +00:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`package helm`

			`import (`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`"context"`
Microservice upgrades (#729) Run with: constellation upgrade execute --helm. This will only upgrade the helm charts. No config is needed. Upgrades are implemented via helm's upgrade action, i.e. they automatically roll back if something goes wrong. Releases could still be managed via helm, even after an upgrade with constellation has been done. Currently not user facing as CRD/CR backups are still in progress. These backups should be automatically created and saved to the user's disk as updates may delete CRs. This happens implicitly through CRD upgrades, which are part of microservice upgrades. 2022-12-19 15:52:15 +00:00			`"testing"`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`"time"`
Microservice upgrades (#729) Run with: constellation upgrade execute --helm. This will only upgrade the helm charts. No config is needed. Upgrades are implemented via helm's upgrade action, i.e. they automatically roll back if something goes wrong. Releases could still be managed via helm, even after an upgrade with constellation has been done. Currently not user facing as CRD/CR backups are still in progress. These backups should be automatically created and saved to the user's disk as updates may delete CRs. This happens implicitly through CRD upgrades, which are part of microservice upgrades. 2022-12-19 15:52:15 +00:00
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090) * add current chart add current helm chart * disable service controller for aws ccm * add new iam roles * doc AWS internet LB + add to LB test * pass clusterName to helm for AWS LB * fix update-aws-lb chart to also include .helmignore * move chart outside services * working state * add subnet tags for AWS subnet discovery * fix .helmignore load rule with file in subdirectory * upgrade iam profile * revert new loader impl since cilium is not correctly loaded * install chart if not already present during `upgrade apply` * cleanup PR + fix build + add todos cleanup PR + add todos * shared helm pkg for cli install and bootstrapper * add link to eks docs * refactor iamMigrationCmd * delete unused helm.symwallk * move iammigrate to upgrade pkg * fixup! delete unused helm.symwallk * add to upgradecheck * remove nodeSelector from go code (Otto) * update iam docs and sort permission + remove duplicate roles * fix bug in `upgrade check` * better upgrade check output when svc version upgrade not possible * pr feedback * remove force flag in upgrade_test * use upgrader.GetUpgradeID instead of extra type * remove todos + fix check * update doc lb (leo) * remove bootstrapper helm package * Update cli/internal/cmd/upgradecheck.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * final nits * add docs for e2e upgrade test setup * Apply suggestions from code review Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/helm/loader.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/cmd/tfmigrationclient.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * fix daniel review * link to the iam permissions instead of manually updating them (agreed with leo) * disable iam upgrade in upgrade apply --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll 2023-07-24 08:30:53 +00:00			`"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`"github.com/edgelesssys/constellation/v2/internal/compatibility"`
cli: helm: prepare values for upgrade correctly Previously the chart's values were not set, relying on the values that are already present in the cluster and reusing those. This does not work as e.g. the image values are only set while loading the charts. Also, the templates are not rendered correctly without all values set. 2023-02-14 17:04:58 +00:00			`"github.com/edgelesssys/constellation/v2/internal/config"`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`"github.com/edgelesssys/constellation/v2/internal/logger"`
cli: use Semver type to represent microservice versions (#2125) Previously we used strings to pass microservice versions. This invited bugs due to missing input validation. 2023-07-25 12:20:25 +00:00			`"github.com/edgelesssys/constellation/v2/internal/semver"`
Microservice upgrades (#729) Run with: constellation upgrade execute --helm. This will only upgrade the helm charts. No config is needed. Upgrades are implemented via helm's upgrade action, i.e. they automatically roll back if something goes wrong. Releases could still be managed via helm, even after an upgrade with constellation has been done. Currently not user facing as CRD/CR backups are still in progress. These backups should be automatically created and saved to the user's disk as updates may delete CRs. This happens implicitly through CRD upgrades, which are part of microservice upgrades. 2022-12-19 15:52:15 +00:00			`"github.com/stretchr/testify/assert"`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`"github.com/stretchr/testify/require"`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`"helm.sh/helm/v3/pkg/chart"`
			`"helm.sh/helm/v3/pkg/release"`
Microservice upgrades (#729) Run with: constellation upgrade execute --helm. This will only upgrade the helm charts. No config is needed. Upgrades are implemented via helm's upgrade action, i.e. they automatically roll back if something goes wrong. Releases could still be managed via helm, even after an upgrade with constellation has been done. Currently not user facing as CRD/CR backups are still in progress. These backups should be automatically created and saved to the user's disk as updates may delete CRs. This happens implicitly through CRD upgrades, which are part of microservice upgrades. 2022-12-19 15:52:15 +00:00			`)`

cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`func TestShouldUpgrade(t *testing.T) {`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`testCases := map[string]struct {`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`version string`
			`assertCorrectError func(t *testing.T, err error) bool`
			`wantError bool`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`}{`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`"valid upgrade": {`
			`version: "1.9.0",`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`},`
			`"not a valid upgrade": {`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`version: "1.0.0",`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`assertCorrectError: func(t *testing.T, err error) bool {`
helm: fix upgrade command unintentionally skipping all service upgrades (#1992) * Fix usage of errors.As in upgrade command implementation * Use struct pointers when working with custom errors --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-06-30 14:46:05 +00:00			`var target *compatibility.InvalidUpgradeError`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`return assert.ErrorAs(t, err, &target)`
			`},`
			`wantError: true,`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`},`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`
			`require := require.New(t)`

cli: install cilium in cli instead of bootstrapper (#2146) * add wait and restartDS * cilium working (tested on azure + gcp) * clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * add patchnode for gcp * fix gcp * patch node inside bootstrapper * apply renaming of client * fixup! apply renaming of client * otto feedback 2023-08-02 13:49:40 +00:00			`client := UpgradeClient{kubectl: nil, actions: &stubActionWrapper{version: tc.version}, log: logger.NewTest(t)}`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00
			`chart, err := loadChartsDir(helmFS, certManagerInfo.path)`
			`require.NoError(err)`
cli: use Semver type to represent microservice versions (#2125) Previously we used strings to pass microservice versions. This invited bugs due to missing input validation. 2023-07-25 12:20:25 +00:00			`chartVersion, err := semver.New(chart.Metadata.Version)`
			`require.NoError(err)`
			`err = client.shouldUpgrade(certManagerInfo.releaseName, chartVersion, false)`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`if tc.wantError {`
			`tc.assertCorrectError(t, err)`
			`return`
			`}`
			`assert.NoError(err)`
			`})`
			`}`
			`}`

			`func TestUpgradeRelease(t *testing.T) {`
			`testCases := map[string]struct {`
cli: fix duplicate backup creation during `upgrade apply` (#1997) * Use CLI to fetch measurements in e2e test * Abort helm service upgrade early if user confirmation is missing * Add container push to CLI build action --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-07-03 13:13:36 +00:00			`version string`
			`wantError bool`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`}{`
			`"allow": {`
cli: fix duplicate backup creation during `upgrade apply` (#1997) * Use CLI to fetch measurements in e2e test * Abort helm service upgrade early if user confirmation is missing * Add container push to CLI build action --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-07-03 13:13:36 +00:00			`version: "1.9.0",`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00			`require := require.New(t)`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00
cli: install cilium in cli instead of bootstrapper (#2146) * add wait and restartDS * cilium working (tested on azure + gcp) * clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * fixup! clean helm code from bootstrapper * add patchnode for gcp * fix gcp * patch node inside bootstrapper * apply renaming of client * fixup! apply renaming of client * otto feedback 2023-08-02 13:49:40 +00:00			`client := UpgradeClient{kubectl: nil, actions: &stubActionWrapper{version: tc.version}, log: logger.NewTest(t)}`
cli: only create resource backups if upgrade is executed (#1437) Previously backups were created even if no service upgrades were executed. To allow this some things are restructured: * new chartInfo type that holds release name, path and chart name * upgrade execution and version validity are checked separately 2023-03-20 13:49:04 +00:00
			`chart, err := loadChartsDir(helmFS, certManagerInfo.path)`
			`require.NoError(err)`
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090) * add current chart add current helm chart * disable service controller for aws ccm * add new iam roles * doc AWS internet LB + add to LB test * pass clusterName to helm for AWS LB * fix update-aws-lb chart to also include .helmignore * move chart outside services * working state * add subnet tags for AWS subnet discovery * fix .helmignore load rule with file in subdirectory * upgrade iam profile * revert new loader impl since cilium is not correctly loaded * install chart if not already present during `upgrade apply` * cleanup PR + fix build + add todos cleanup PR + add todos * shared helm pkg for cli install and bootstrapper * add link to eks docs * refactor iamMigrationCmd * delete unused helm.symwallk * move iammigrate to upgrade pkg * fixup! delete unused helm.symwallk * add to upgradecheck * remove nodeSelector from go code (Otto) * update iam docs and sort permission + remove duplicate roles * fix bug in `upgrade check` * better upgrade check output when svc version upgrade not possible * pr feedback * remove force flag in upgrade_test * use upgrader.GetUpgradeID instead of extra type * remove todos + fix check * update doc lb (leo) * remove bootstrapper helm package * Update cli/internal/cmd/upgradecheck.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * final nits * add docs for e2e upgrade test setup * Apply suggestions from code review Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/helm/loader.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/cmd/tfmigrationclient.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * fix daniel review * link to the iam permissions instead of manually updating them (agreed with leo) * disable iam upgrade in upgrade apply --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll 2023-07-24 08:30:53 +00:00			`err = client.upgradeRelease(context.Background(), 0, config.Default(), clusterid.File{UID: "test"}, chart)`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`if tc.wantError {`
cli: fix duplicate backup creation during `upgrade apply` (#1997) * Use CLI to fetch measurements in e2e test * Abort helm service upgrade early if user confirmation is missing * Add container push to CLI build action --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-07-03 13:13:36 +00:00			`assert.Error(err)`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`return`
			`}`
			`assert.NoError(err)`
			`})`
			`}`
			`}`

cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`type stubActionWrapper struct {`
			`version string`
			`}`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00
			`// listAction returns a list of len 1 with a release that has only it's version set.`
			`func (a stubActionWrapper) listAction(_ string) ([]release.Release, error) {`
cli: upgrade errors for microservice (#1259) Handle invalid upgrade errors similarly as for images and k8s. 2023-02-28 09:23:09 +00:00			`return []*release.Release{{Chart: &chart.Chart{Metadata: &chart.Metadata{Version: a.version}}}}, nil`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`}`

go: remove unused parameters Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-20 10:03:36 +00:00			`func (a *stubActionWrapper) getValues(_ string) (map[string]any, error) {`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`return nil, nil`
			`}`

Add upgrade path for new/not-installed charts Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-06-30 11:43:23 +00:00			`func (a stubActionWrapper) installAction(_ context.Context, _ string, _ chart.Chart, _ map[string]any, _ time.Duration) error {`
			`return nil`
			`}`

go: remove unused parameters Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-20 10:03:36 +00:00			`func (a stubActionWrapper) upgradeAction(_ context.Context, _ string, _ chart.Chart, _ map[string]any, _ time.Duration) error {`
cli: ask user to confirm cert-manager upgrades 2023-01-04 12:55:10 +00:00			`return nil`
			`}`