ci: Add new example chart meant for testing and QA

.github/scripts/branch-tags.sh

@@ -40,10 +40,18 @@ elif [[ "$ref" == refs/heads/release/* ]]; then
   prevTag=$(getPreviousTag "${version}-head-")
 else
   echo "Unsupported branch pattern. Expected 'main' or 'release/*'."
-  exit 1
+  # This exits with status 0 to ensure it doesn't stop CI in GHA
+  # Outside of `main` or `release/*` branches it will use other tags
+  exit 0
 fi
 
 # Output the results
-echo "branch_tag=${branchTag}"
-echo "branch_static_tag=${branchStaticTag}"
-echo "prev_static_tag=${prevTag}"
+if [ "$1" == "ENV" ]; then
+  echo "BRANCH_TAG=${branchTag}"
+  echo "BRANCH_STATIC_TAG=${branchStaticTag}"
+  echo "PREV_STATIC_TAG=${prevTag}"
+else
+  echo "branch_tag=${branchTag}"
+  echo "branch_static_tag=${branchStaticTag}"
+  echo "prev_static_tag=${prevTag}"
+fi

.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: CI tests
+
+on:
+  workflow_call:
+  push:
+    branches:
+      - main
+      - release/v[0-9]+.(0|x)
+      - release/v[0-9]+.[0-9]+.(0|x)
+      - release/v[0-9]+.[0-9]+.[0-9]+
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+      - '.gitignore'
+      - 'CODEOWNERS'
+      - 'LICENSE'
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+      - '.gitignore'
+      - 'CODEOWNERS'
+      - 'LICENSE'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write # Upload artefacts to release.
+
+env:
+  PUBLIC_REGISTRY: ghcr.io
+
+jobs:
+  ci:
+    runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }}
+    steps:
+      -
+        # Add support for more platforms with QEMU (optional)
+        # https://github.com/docker/setup-qemu-action
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Check out repository code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Basic CI
+        run: make ci
+      - name: Upload CI files to artifacts (on failure)
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          path: 'ci'
+          retention-days: 7

.github/workflows/release.yml

@@ -33,12 +33,20 @@ jobs:
       packages: write
       attestations: write
 
-    runs-on: ubuntu-latest
+    runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }}
 
     steps:
       - name: Check out repository code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name : Make test helm chart
+        run: TAG=$TAG_NAME make package-helm
+      - name: Add test helm chart to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "$TAG_NAME" "./build/charts/rancher-kubectl-test-${TAG_NAME}.tgz"
+
       - name: Load Secrets from Vault
         uses: rancher-eio/read-vault-secrets@main
         with:

.gitignore

@@ -3,8 +3,11 @@
 /.trash-cache
 /bin
 /dist
+/build
+/ci
 *.swp
 .idea
 versions.txt
 new-versions.txt
-/image_arch_test
+/image_arch_test
+*.oci

Makefile

@@ -14,19 +14,38 @@ IMAGE_NAME = $(REPO)/$(IMAGE)
 FULL_IMAGE_TAG = $(IMAGE_NAME):$(TAG)
 BUILD_ACTION = --load
 
+TARGETS := $(shell ls scripts|grep -ve "^util-\|entry\|^pull-scripts")
+
+# Default behavior for targets without dapper
+$(TARGETS):
+	./scripts/$@
+
+.PHONY: $(TARGETS)
+
 .DEFAULT_GOAL := ci
-ci: validate ## run the targets needed to validate a PR in CI.
 
 clean: ## clean up project.
 	rm -rf build
+	rm -rf multiarch-image.oci
+	rm -rf ./ci
 
 build-image: buildx-machine ## build (and load) the container image targeting the current platform.
 	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) \
 		--build-arg VERSION=$(VERSION) --platform=$(TARGET_PLATFORMS) -t "$(FULL_IMAGE_TAG)" $(BUILD_ACTION) .
 	@echo "Built $(FULL_IMAGE_TAG)"
 
-push-image: buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
+build-validate: buildx-machine ## build (and load) the container image targeting the current platform.
+	mkdir -p ci
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) \
+		--build-arg VERSION=$(VERSION) \
+		--platform=$(TARGET_PLATFORMS) \
+		--output type=oci,dest=ci/multiarch-image.oci \
+		-t "$(FULL_IMAGE_TAG)" .
+	@echo "Built $(FULL_IMAGE_TAG) multi-arch image saved to ci/multiarch-image.oci"
+
+push-image: validate buildx-machine ## build the container image targeting all platforms defined by TARGET_PLATFORMS and push to a registry.
 	$(IMAGE_BUILDER) build -f package/Dockerfile \
 		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
 		--build-arg VERSION=$(VERSION) --platform=$(TARGET_PLATFORMS) -t "$(FULL_IMAGE_TAG)" --push .

charts/kubectl-test/Chart.yaml

@@ -0,0 +1,20 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: Rancher Kubectl Testing
+  catalog.cattle.io/kube-version: '>= 1.26.0-0'
+  catalog.cattle.io/namespace: cattle-testing
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-kubectl-test
+  catalog.cattle.io/upstream-version: 999
+apiVersion: v2
+appVersion: 999
+description: Provides ability to test the kubectl image from Rancher.
+keywords:
+  - applications
+  - infrastructure
+  - testing
+kubeVersion: '>= 1.30.0-0'
+name: rancher-kubectl-test
+version: 999

charts/kubectl-test/README.md

@@ -0,0 +1,29 @@
+# Kubectl Test Chart
+This chart facilitates testing of RC versions of `rancher/kuberlr-kubectl` image.
+
+Specifically this allows us to create, test and QA an RC version of the image without needing to involve dependent charts.
+The goal being that we shouldn't need to "mix processes" and utilize another project for testing this project.
+
+## What does this test for?
+To correctly provide a validation w/o using consuming charts, we need to ensure this chart does the same type of stuff.
+Additionally, we should ensure that when it does those actions it will create loud and obvious errors when failure happens.
+
+Some examples of scenarios this should cover:
+- Post upgrade jobs (like BRO, Monitoring),
+- Creating a `ServiceAccount` (with appropriate bindings) and using that for upgrade task (like BRO),
+- Storing upgrade scripts in a `ConfigMap` and then running them on upgrade (like Monitoring)
+
+As we find more specific use-cases within Rancher that existing scenarios do not cover, we should create issues to track adding new tests.
+
+## How does (or will) this work?
+
+This chart will be packaged as a release artifact with each GitHub release.
+In turn every tag going forward will have a direct 1:1 chart that can be used for testing and QA of that tag.
+
+Eng will create a new RC and upon success of the action, they will inform QA (via the related issue) that the RC is ready for testing.
+Once QA picks up the issue for testing they will fetch the debug/QA chart from the release and install via CLI.
+Then they will subsequently "upgrade" to the same version to trigger any upgrade specific jobs.
+
+After each phase QA will be able to verify the resources and jobs in the testing namespace.
+As long as they do not observe any errors - just as they would expect for a production chart - the RC has passed.
+Then once the `rancher/kuberlr-kubectl` tag has been un-RC'd any consuming charts can update to the new stable tag.

charts/kubectl-test/files/upgrade/scripts/test.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+set -x
+
+echo "This test will simply list all daemonsets on the cluster..."
+kubectl get daemonset -A

charts/kubectl-test/templates/_helpers.tpl

@@ -0,0 +1,97 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The image to use
+*/}}
+{{- define "kubectl.image" -}}
+{{- $temp_registry := (include "system_default_registry" .) }}
+{{- if $temp_registry }}
+{{- printf "%s%s:%s" $temp_registry .Values.global.kubectl.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.global.kubectl.image.tag) }}
+{{- else if .Values.global.imageRegistry }}
+{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.global.kubectl.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.global.kubectl.image.tag) }}
+{{- else }}
+{{- printf "%s:%s" .Values.global.kubectl.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.global.kubectl.image.tag) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+The components in this chart create additional resources that expand the longest created name strings.
+The longest name that gets created adds and extra 37 characters, so truncation should be 63-35=26.
+*/}}
+{{- define "kubectlTest.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 26 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 26 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubectlTest.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "kubectlTest.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubectlTest.labels" -}}
+helm.sh/chart: {{ include "kubectlTest.chart" . }}
+{{ include "kubectlTest.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubectlTest.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubectlTest.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubectlTest.serviceAccountName" -}}
+{{ include "kubectlTest.fullname" . }}
+{{- end }}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}

charts/kubectl-test/templates/bro-example.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubectlTest.fullname" . }}-patch-sa
+  namespace: {{ include "kubectlTest.namespace" . }}
+  labels: {{ include "kubectlTest.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubectlTest.fullname" . }}-patch-sa
+  labels: {{ include "kubectlTest.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubectlTest.fullname" . }}-patch-sa
+  labels: {{ include "kubectlTest.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubectlTest.fullname" . }}-patch-sa
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubectlTest.fullname" . }}-patch-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kubectlTest.fullname" . }}-patch-sa
+  namespace: {{ template "kubectlTest.namespace" . }}
+  labels: {{ include "kubectlTest.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: {{ include "kubectlTest.fullname" . }}-patch-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      restartPolicy: Never
+      nodeSelector:
+        kubernetes.io/os: linux
+        {{- if .Values.nodeSelector }}
+        {{ toYaml .Values.nodeSelector | indent 8 }}
+        {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+        {{- if .Values.tolerations }}
+        {{ toYaml .Values.tolerations | indent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ include "kubectlTest.fullname" . }}-patch-sa
+          image: {{ template "kubectl.image" . }}
+          imagePullPolicy: {{ .Values.global.kubectl.pullPolicy | default "Always" }}
+          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+          {{- if and .Values.global.kubectl (hasKey .Values.global.kubectl "kuberlrAllowDownload") }}
+          env:
+            - name: KUBERLR_ALLOWDOWNLOAD
+              value: {{ default .Values.global.kubectl.kuberlrAllowDownload false }}
+          {{- end }}