From 25a141e41f9c5081947129a69ccadf8235a09f1b Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Fri, 11 Jul 2025 12:37:54 +0200 Subject: [PATCH 1/3] fix: Add test for log-server endpoint --- .../kuttl/external-access/50-assert.yaml.j2 | 24 ++++++++++++++ tests/templates/kuttl/ldap/95-assert.yaml.j2 | 24 ++++++++++++++ .../templates/kuttl/logging/70-assert.yaml.j2 | 31 +++++++++++++++++++ .../mount-dags-configmap/70-assert.yaml.j2 | 24 ++++++++++++++ .../mount-dags-gitsync/70-assert.yaml.j2 | 24 ++++++++++++++ tests/templates/kuttl/smoke/80-assert.yaml.j2 | 24 ++++++++++++++ 6 files changed, 151 insertions(+) create mode 100644 tests/templates/kuttl/external-access/50-assert.yaml.j2 create mode 100644 tests/templates/kuttl/ldap/95-assert.yaml.j2 create mode 100644 tests/templates/kuttl/logging/70-assert.yaml.j2 create mode 100644 tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 create mode 100644 tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 create mode 100644 tests/templates/kuttl/smoke/80-assert.yaml.j2 diff --git a/tests/templates/kuttl/external-access/50-assert.yaml.j2 b/tests/templates/kuttl/external-access/50-assert.yaml.j2 new file mode 100644 index 00000000..e77814fb --- /dev/null +++ b/tests/templates/kuttl/external-access/50-assert.yaml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertion: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} diff --git a/tests/templates/kuttl/ldap/95-assert.yaml.j2 b/tests/templates/kuttl/ldap/95-assert.yaml.j2 new file mode 100644 index 00000000..e77814fb --- /dev/null +++ b/tests/templates/kuttl/ldap/95-assert.yaml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertion: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} diff --git a/tests/templates/kuttl/logging/70-assert.yaml.j2 b/tests/templates/kuttl/logging/70-assert.yaml.j2 new file mode 100644 index 00000000..ed364196 --- /dev/null +++ b/tests/templates/kuttl/logging/70-assert.yaml.j2 @@ -0,0 +1,31 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + # Rolegroup custom-log-config + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-custom-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-custom-log-config-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertions: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + + # Rolegroup automatic-log-config + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-automatic-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-automatic-log-config-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} diff --git a/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 new file mode 100644 index 00000000..e77814fb --- /dev/null +++ b/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertion: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} diff --git a/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 new file mode 100644 index 00000000..e77814fb --- /dev/null +++ b/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertion: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} diff --git a/tests/templates/kuttl/smoke/80-assert.yaml.j2 b/tests/templates/kuttl/smoke/80-assert.yaml.j2 new file mode 100644 index 00000000..e77814fb --- /dev/null +++ b/tests/templates/kuttl/smoke/80-assert.yaml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +metadata: + name: test-log-endpoint +timeout: 240 +commands: +{% if test_scenario['values']['executor'] == 'celery' %} + - script: | + set -eu + + # Log-Endpoint Test: + # This is executed from the Webserver as JWT keys must be present. + # A small server is started on each worker that serves the logs on its + # 8793 port for the Webserver: we don't use the token as that is an + # internal implementation, but check that the end-point is reachable, + # indicated by a 403. + CURL_RESPONSE=$( + kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' + ) + + # Log-Endpoint Test Assertion: + echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 +{% endif %} From 928a67285fca31126769a0c0d8a535721bd4d120 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com> Date: Wed, 16 Jul 2025 16:53:01 +0200 Subject: [PATCH 2/3] Update tests/templates/kuttl/external-access/50-assert.yaml.j2 Co-authored-by: Sebastian Bernauer --- tests/templates/kuttl/external-access/50-assert.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/templates/kuttl/external-access/50-assert.yaml.j2 b/tests/templates/kuttl/external-access/50-assert.yaml.j2 index e77814fb..035a9bd6 100644 --- a/tests/templates/kuttl/external-access/50-assert.yaml.j2 +++ b/tests/templates/kuttl/external-access/50-assert.yaml.j2 @@ -13,7 +13,7 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. CURL_RESPONSE=$( kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' From 415865898f5687c3bd1d2d3cbd44322795b51457 Mon Sep 17 00:00:00 2001 From: Andrew Kenworthy Date: Wed, 16 Jul 2025 18:31:09 +0200 Subject: [PATCH 3/3] corrected testing of return code --- .../templates/kuttl/external-access/50-assert.yaml.j2 | 3 ++- tests/templates/kuttl/ldap/95-assert.yaml.j2 | 5 +++-- tests/templates/kuttl/logging/70-assert.yaml.j2 | 11 ++++++----- .../kuttl/mount-dags-configmap/70-assert.yaml.j2 | 5 +++-- .../kuttl/mount-dags-gitsync/70-assert.yaml.j2 | 5 +++-- tests/templates/kuttl/smoke/80-assert.yaml.j2 | 5 +++-- 6 files changed, 20 insertions(+), 14 deletions(-) diff --git a/tests/templates/kuttl/external-access/50-assert.yaml.j2 b/tests/templates/kuttl/external-access/50-assert.yaml.j2 index 035a9bd6..7227e06f 100644 --- a/tests/templates/kuttl/external-access/50-assert.yaml.j2 +++ b/tests/templates/kuttl/external-access/50-assert.yaml.j2 @@ -20,5 +20,6 @@ commands: ) # Log-Endpoint Test Assertion: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE" -eq 403 ] {% endif %} diff --git a/tests/templates/kuttl/ldap/95-assert.yaml.j2 b/tests/templates/kuttl/ldap/95-assert.yaml.j2 index e77814fb..7227e06f 100644 --- a/tests/templates/kuttl/ldap/95-assert.yaml.j2 +++ b/tests/templates/kuttl/ldap/95-assert.yaml.j2 @@ -13,12 +13,13 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. CURL_RESPONSE=$( kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' ) # Log-Endpoint Test Assertion: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE" -eq 403 ] {% endif %} diff --git a/tests/templates/kuttl/logging/70-assert.yaml.j2 b/tests/templates/kuttl/logging/70-assert.yaml.j2 index ed364196..97e0ee10 100644 --- a/tests/templates/kuttl/logging/70-assert.yaml.j2 +++ b/tests/templates/kuttl/logging/70-assert.yaml.j2 @@ -13,19 +13,20 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. # Rolegroup custom-log-config - CURL_RESPONSE=$( + CURL_RESPONSE_CUSTOM=$( kubectl -n $NAMESPACE exec airflow-webserver-custom-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-custom-log-config-headless:8793 2>/dev/null || true);echo "$CODE"' ) # Log-Endpoint Test Assertions: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE_CUSTOM (an internal JWT token is needed for full access)" # Rolegroup automatic-log-config - CURL_RESPONSE=$( + CURL_RESPONSE_AUTO=$( kubectl -n $NAMESPACE exec airflow-webserver-automatic-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-automatic-log-config-headless:8793 2>/dev/null || true);echo "$CODE"' ) - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE_AUTO (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE_CUSTOM" -eq 403 ] && [ "$CURL_RESPONSE_AUTO" -eq 403 ] {% endif %} diff --git a/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 index e77814fb..7227e06f 100644 --- a/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 +++ b/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 @@ -13,12 +13,13 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. CURL_RESPONSE=$( kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' ) # Log-Endpoint Test Assertion: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE" -eq 403 ] {% endif %} diff --git a/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 index e77814fb..7227e06f 100644 --- a/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 +++ b/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 @@ -13,12 +13,13 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. CURL_RESPONSE=$( kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' ) # Log-Endpoint Test Assertion: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE" -eq 403 ] {% endif %} diff --git a/tests/templates/kuttl/smoke/80-assert.yaml.j2 b/tests/templates/kuttl/smoke/80-assert.yaml.j2 index e77814fb..7227e06f 100644 --- a/tests/templates/kuttl/smoke/80-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/80-assert.yaml.j2 @@ -13,12 +13,13 @@ commands: # This is executed from the Webserver as JWT keys must be present. # A small server is started on each worker that serves the logs on its # 8793 port for the Webserver: we don't use the token as that is an - # internal implementation, but check that the end-point is reachable, + # internal implementation, but check that the endpoint is reachable, # indicated by a 403. CURL_RESPONSE=$( kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"' ) # Log-Endpoint Test Assertion: - echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403 + echo "The HTTP Code is $CURL_RESPONSE (an internal JWT token is needed for full access)" + [ "$CURL_RESPONSE" -eq 403 ] {% endif %}