Test verify subcommand in Go end-to-end

[burgerdev]

No description provided.

[katexochen]

Otherwise looks good to me. 🦭

[katexochen]

I'd say this shouldn't be part of the OpenSSL test. We should rather create a test suite in TestMain or at least run subtests in this within this test.

[burgerdev]

I moved this into a TestMain, but then realized that there's a bunch of duplication between that and the OpenSSL test proper, so I decided to restructure the Kubeclient a bit.

• It now owns the k8s namespace (in anticipation of being responsible for creating it later).
• It exposes a Setup/Teardown pair, to be called by the TestMain.
• Nunki verify (and later apply and set) are part of Setup (and cleaned up in Teardown).

A bit ugly is how the kubeclient is passed to TestOpenssl (via global var).

[3u13r]

Good Job! the overall architecture looks very usable.

[3u13r]

I think that this makes the Kubeclient a bit too stateful. At least we should think about separating the Kubernetes parts from the Contrast/testing parts.
Generally, I think it's fine to hold the namespace state at e.g. the testing level.

[burgerdev]

Thanks for the suggestion, it's probably for the better to split these up.

[3u13r]

Since we want to assert the behavior of the Nunki steps contained in here, this should likely be part of the test code. Also this makes more sense, since this code is purpose built for the e2e tests.

[burgerdev]

On the other hand, this is the same for all test variants (simple, openssl, enojivoto), and at least set is a prerequisite for running the tests at all. Maybe my idea of putting all of just default into Setup is wrong, and it should rather be Setup and a dedicated test for verify. Let me try to rework that.

[3u13r]

I don't think that we need global state in the test. Sure, there is sort of global state since we are re-using on AKS, but by using different e.g. namespaces we can keep the tests independent (and also execute them conurrently if we were to scale up the AKS)

[burgerdev]

We have global state, in the sense that the coordinator is shared between tests and set up/torn down in the TestMain (see also @katexochen's requested changes). Sharing the kubeclient just seemed like a convenient way of sharing that state, but I agree that it's less obvious what state is shared.

[3u13r]

Talked to Paul and convinced him that it's not a good idea to generally share the coordinator between tests. The reasoning is mostly that the emojivoto test should be completely independent of the openssl test.

Of course we want to re-use the coordinator for (sub-)tests of the same functionality, i.e. 1. Test is calling set and asserting the certs and the 2. test calls set again and also checks that the new mesh certs are not singed by the same Mesh/IntermRoot.

This creates some overhead, mostly in the memory the coordinator is using so we likely want to call those test with --parallel=1.

[katexochen]

This creates some overhead, mostly in the memory the coordinator is using so we likely want to call those test with --parallel=1.

Test and subtests in the same package should run sequentially if they don't call t.Parallel(). The rest can be done using the sync server (soon™).

[burgerdev]

True for subtests, but I don't think execution order is specified for top-level tests.

[katexochen]

No order isn't specified, and tests should not rely on order. But still won't run in parallel.

[3u13r]

Yeah, according to what I found top-level test are run in separate go go routines which execution can overlap. I wasn't sure if we put all e2e tests in the same package, therefore the hint.

[burgerdev]

I was reading @3u13r's proposal as having set, verify and specific tests in separate Test functions on the same level, which only works if execution order is guaranteed. Maybe I got that wrong. But we can have ordered subtests to that:

func TestOpenSSL(t *testing.T) {
  c := kubeclient.NewForTest(t)

  // Generate and apply YAML
  
  cli := nunkitest.New(t)
  
  t.Run("set", cli.set)
  t.Run("verify", cli.verify)
  t.Run("openssl-specifics", func(t *testing.T) {
    // exec into backend, etc.
  })
}

[katexochen]

Maybe even:

func TestBasicCommands(t *testing.T) {
   c := kubeclient.NewForTest(t)

  // Generate and apply YAML
  
  cli := nunkitest.New(t)
  
  t.Run("set", cli.set)
  t.Run("verify", cli.verify)

  // Teardown
}

func TestOpenSSL(t *testing.T) {
  c := kubeclient.NewForTest(t)

  // Generate and apply YAML

  cli := nunkitest.New(t)
  t.Run("set", cli.set)

  t.Run("openssl test a", func(t *testing.T) {
    // exec into backend, etc.
  })
  t.Run("openssl test b", func(t *testing.T) {
    // exec into backend, etc.
  })

  // Teardown
}

The most important part here is that we get individual feedback from different tests, even if some of them fail. I'm not that sure about the grouping in this case, but we will for sure have tests that should be executed against a separate coordinator, so it might be a good idea to do that for the supported tests now so it is part of our test structure already.

[burgerdev]

Sounds good, thanks for the discussion everybody. While I revisit that, I would like to advertise a spin off at #191 that should be less contentious and would help me keep things focused here.

[burgerdev]

I rewrote this PR to focus on the use of verify for the OpenSSL test case. Next steps should be:

1. Add set to the Go test code, similarly to how verify is added here.
2. Factor verify (and set, ...) into a test helper lib to cater the common use cases (e.g. get mesh CA cert). I decided against doing that here because the concrete API is not obvious to me without having seen additional use cases, and I'd like to agree on the overall approach first.

stale