Create first integration test#42
Merged
Jakob-Naucke merged 14 commits intoNov 13, 2025
Merged
Conversation
alicefr
force-pushed
the
integration-tests
branch
4 times, most recently
from
1bcaa6b to
a812001
Compare
Contributor
Jakob-Naucke
left a comment
Jakob-Naucke
left a comment
There was a problem hiding this comment.
Thanks @alicefr. Couple of small things. Maybe add something to the README?
Contributor
Author
|
@Jakob-Naucke I'm thinking of publishing a new version where we run an integration test in a different namespace, so we don't need to worry to clean up and recover the initial state and they can be run in parallel. We do need to install each time the operator from scratch |
alicefr
force-pushed
the
integration-tests
branch
4 times, most recently
from
f4853e2 to
601d252
Compare
Jakob-Naucke
reviewed
Oct 6, 2025
alicefr
force-pushed
the
integration-tests
branch
from
601d252 to
cafef03
Compare
Jakob-Naucke
reviewed
Oct 6, 2025
alicefr
force-pushed
the
integration-tests
branch
11 times, most recently
from
81dd386 to
ff5a9a0
Compare
alicefr
force-pushed
the
integration-tests
branch
from
ff5a9a0 to
df97c0b
Compare
alicefr
force-pushed
the
integration-tests
branch
from
df97c0b to
2ee127e
Compare
alicefr
force-pushed
the
integration-tests
branch
2 times, most recently
from
a93b847 to
600d952
Compare
Jakob-Naucke
reviewed
Nov 7, 2025
Contributor
There was a problem hiding this comment.
For this review, I tried things out more than I looked at the code. I want to do a separate one but maybe we can iron some things out in this round before delaying the review more.
- The parallel start of tests also lead to this for me:
INFO: test_parallel_vm_attestation: CRDs and RBAC generated successfully
INFO: test_vm_reboot_attestation: CRDs and RBAC generated successfully
INFO: test_vm_reboot_attestation: Manifests generated successfully
INFO: test_vm_reboot_attestation: Applying CRDs
INFO: test_parallel_vm_attestation: Manifests generated successfully
INFO: test_parallel_vm_attestation: Applying CRDs
INFO: test_attestation: CRDs and RBAC generated successfully
INFO: test_attestation: Manifests generated successfully
INFO: test_attestation: Applying CRDs
INFO: test_parallel_vm_attestation: Preparing RBAC manifests
INFO: test_parallel_vm_attestation: Preparing RBAC kustomization
INFO: test_parallel_vm_attestation: Applying RBAC
Error: Failed to apply CRDs: Error from server (AlreadyExists): error when creating "/tmp/manifests-0f3e99c9-e361-49bf-a2c3-3c9034cb7993/crd/confidential-clusters.io_confidentialclusters.yaml": customresourcedefinitions.apiextensions.k8s.io "confidentialclusters.confidential-clusters.io" already exists
test test_vm_reboot_attestation ... FAILED
- The
test_parallel_vm_attestationalso irreproducibly failed once (unknown resource but no particular log from the Trustee pod) and then worked fine afterwards 😬 e: could be that there is some timing issue with the key not being stored in time
alicefr
force-pushed
the
integration-tests
branch
2 times, most recently
from
e1d364c to
5ff7fc4
Compare
Contributor
Author
Good catch, this was happening because the cocl CRD isn't namespaced, hence we only need to create once. I add the check to verify if it already exist, not to install it again |
Only run the unit tests since the integration tests require a cluster to be created and configured. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Set timeout for the kind cluster and avoid the replace flag for docker Signed-off-by: Alice Frosi <afrosi@redhat.com>
KubeVirt is using centos stream 9 secure boot variables and our library compute the ones from fedora. This will be fixed in a follow-up PR. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Setting -x for the cluster creation for better debuggability on the ci. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Source isn't recognized as command by the github actions. Signed-off-by: Alice Frosi <afrosi@redhat.com>
KubeVirt doesn't properly work with the default CNI plugin of kind. Therefore, it requires calico as CNI. Signed-off-by: Alice Frosi <afrosi@redhat.com>
It possible that the job name has a '-' has 63 character and the name is invalid. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
alicefr
force-pushed
the
integration-tests
branch
from
5ff7fc4 to
065dc43
Compare
Contributor
Jakob-Naucke
left a comment
Jakob-Naucke
left a comment
There was a problem hiding this comment.
CRD still already exists :(
Introduction of a new test framework for integration testing: - Create test_utils crate in workspace root with: - TestContext for test lifecycle management - Automatic namespace creation/cleanup - Operator deployment and manifest generation - Helper macros (test_info!, named_test!, setup!) - Polling utility for async resource waiting - Add confidential_cluster integration test that validates: - ConfidentialCluster CR creation and reconciliation - Image PCRs computation and ConfigMap updates - Resource cleanup on CR deletion. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Add support for KubeVirt-based integration testing:
- Add virtualization feature flag to test_utils and tests crates
- Create test_utils/src/virt.rs with KubeVirt helper functions:
- SSH key generation and injection into ssh-agent
- Ignition config generation
- KubeVirt VM creation and lifecycle management
- SSH command execution via virtctl
- Encrypted root device verification
- Add attestation integration test that validates:
- if a VM attests and boots successfully
- if the attestation can be run in parallel by starting 2 VMs
- if the attestation properly works for subsequent boots by rebooting
the VM multiple times
Tests can run with: cargo test --features virtualization
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Without the installation of the standard CNI, the waiting for the cluster to be ready times out. This is probably a bug in kind, then let's create the cluster and wait for the API server to be running. Signed-off-by: Alice Frosi <afrosi@redhat.com>
alicefr
force-pushed
the
integration-tests
branch
from
d15a9ba to
667bd68
Compare
We still need to investigate how to correctly parellelize the tests, for now to get the first tests integrated we decide to run them serially. Signed-off-by: Alice Frosi <afrosi@redhat.com>
Jakob-Naucke
approved these changes
Nov 12, 2025
Contributor
Jakob-Naucke
left a comment
Jakob-Naucke
left a comment
There was a problem hiding this comment.
Thank you for your work!
Contributor
Author
|
can we merge it? |
Jakob-Naucke
merged commit 5bdb137
into
trusted-execution-clusters:main
8 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.