Blog
Helm Chart Testing on OpenShift Pipelines

Helm Chart Testing on OpenShift Pipelines

March 17, 2024

Introduction

OpenShift Pipelines is a cloud-native CI/CD solution built on Tekton that allows you to define and run pipelines for your applications. Helm charts are a convenient way to package and deploy applications on Kubernetes, including OpenShift. To ensure the quality and reliability of Helm charts, it’s important to perform tests on them. In this blog, we will explore using the Chart Testing tool to perform tests on Helm charts within OpenShift Pipelines.

Prerequisites

Before we begin, make sure you have the following prerequisites installed:

  • OpenShift Cluster
  • OpenShift Pipelines Operator installed
  • Understanding of OpenShift Pipelines and Tasks

Chart Testing Tasks

ct is the the tool for testing Helm charts. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch.

The ct install command includes helm install and helm test; helm test performs port-forwarding to validate the installation’s success. Since the chart testing commands are run inside a pod, we need to ensure it can connect to the cluster to perform those tasks. If the pod cannot connect to the cluster, you’ll see the error below.

The connection to the server localhost:8080 was refused - did you specify the right host or port?
Error printing details: failed waiting for process: exit status 1
Error printing logs: failed running process: exit status 1
Deleting release "deploy-jgyw6ew05y"...
release "deploy-jgyw6ew05y" uninstalled
------------------------------------------------------------------------------------------------------------------------
 ✖︎ deploy => (version: "0.1.0", path: "deploy") > failed running process: exit status 1
------------------------------------------------------------------------------------------------------------------------
failed installing charts: failed processing charts
Error: failed installing charts: failed processing charts

To solve the above error, we’ll follow below steps:

  • Create a new service account and secret token from the service account.
  • Grant appropriate permissions to the service account.
  • Create a kubeconfig file using the kubeconfig creator task. By mounting the service account token as an environment variable from the secret in the task
  • This task’s output will be the kubeconfig file stored in the workspace and shared across tasks.

Create a new service account

oc create sa ct-helm-task

Create a token secret from serviceaccount,

oc apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ct-helm-task
  annotations:
    kubernetes.io/service-account.name: ct-helm-task
type: kubernetes.io/service-account-token
EOF

Grant permissions to the service account

oc policy add-role-to-user edit -z ct-helm-task -n pipelines-helm

The task will use the kubeconfigwriter image and the provided parameters to create a kubeconfig file that can be used by other tasks in the pipeline to access the target cluster. The kubeconfig will be placed at /workspace/<workspace-name>/kubeconfig.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  annotations:
    tekton.dev/categories: 'Deployment, Kubernetes'
    tekton.dev/displayName: kubeconfig creator
    tekton.dev/pipelines.minVersion: 0.12.1
    tekton.dev/platforms: 'linux/amd64,linux/s390x,linux/ppc64le'
    tekton.dev/tags: deploy
  name: kubeconfig-creator
spec:
  params:
    - default: ''
      description: name of the cluster
      name: name
      type: string
    - description: address of the cluster
      name: url
      type: string
    - default: '<CLUSTER_URL>'
      description: bearer token for authentication to the cluster
      name: token
      type: string
    - default: 'true'
      description: >-
        to indicate server should be accessed without verifying the TLS
        certificate
      name: insecure
      type: string
  steps:
    - args:
        - '-clusterConfig'
        - >-
          { "name":"$(params.name)", "url":"$(params.url)",
          "username":"$(params.username)", "password":"$(params.password)",
          "cadata":"$(params.cadata)",
          "clientKeyData":"$(params.clientKeyData)",
          "clientCertificateData":"$(params.clientCertificateData)",
          "namespace":"$(params.namespace)", "token":"$(SA_TOKEN)",
          "Insecure":$(params.insecure) }
        - '-destinationDir'
        - $(workspaces.output.path)
      command:
        - /ko-app/kubeconfigwriter
      env:
        - name: SA_TOKEN
          valueFrom:
            secretKeyRef:
              key: token
              name: ct-helm-task
      image: >-
        gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter@sha256:b2c6d0962cda88fb3095128b6202da9b0e6c9c0df3ef6cf7863505ffd25072fd
      name: write
      resources: {}
  workspaces:
    - name: output

Finally, create a task using the chart-testing image. We’ll export the KUBECONFIG variable with the kubeconfig location from the workspace to the helm chart testing task.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: helm-ci-task
spec:
  description: >-
    This task can be used to replace fields in YAML files. For example for altering helm charts on GitOps repos.
  workspaces:
    - name: source
      description: A workspace that contains the file which needs to be altered.
  params:
    - name: image
      type: string
      description: The chart testing image to use.
      default: quay.io/helmpack/chart-testing:v3.7.1
    - name: chart-dirs
      type: string
      description: directory of the charts
      default: "charts/"
    - name: charts
      type: string
      description: name of the chart to test
      default: ""
    - name: namespace
      type: string
      description: namespace to run ci tests
      default: "helm-tekton-pipeline"
    - name: ct-config-file
      type: string
      description: config file for running ct commands
      default: "ct.yaml"
  steps:
    - name: ct-script
      image: quay.io/helmpack/chart-testing:v3.5.1
      workingDir: $(workspaces.source.path)
      script: |
        ## export kubeconfig file from previous step
        export KUBECONFIG="$(workspaces.source.path)/kubeconfig"
        ct lint-and-install --chart-dirs $(params.chart-dirs) --charts $(params.charts) --namespace $(params.namespace) --config $(params.ct-config-file)

Setting Up OpenShift Pipeline

Create a pipeline resource to perform git-clone of the helm chart repository, then create a kubeconfig file and chart-testing task to run lint and install to validate the chart changes.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: helm-ct-pipeline
spec:
  workspaces:
  - name: shared-workspace
  params:
  - name: git-url
    type: string
    description: url of the git repo for the code of deployment
  - name: git-revision
    type: string
    description: revision to be used from repo of the code for deployment
    default: master
  tasks:
  - name: fetch-repository
    taskRef:
      name: git-clone
      kind: ClusterTask
    workspaces:
    - name: output
      workspace: shared-workspace
    params:
    - name: url
      value: $(params.git-url)
    - name: subdirectory
      value: ""
    - name: deleteExisting
      value: "true"
    - name: revision
      value: $(params.git-revision)
  - name: kubeconfig-creator
    params:
      - name: url
        value: 'https://api.cluster.example.com:6443'
    runAfter:
      - fetch-repository
    taskRef:
      kind: Task
      name: kubeconfig-creator
    workspaces:
      - name: output
        workspace: shared-workspace
  - name: run-ct-test
    taskRef:
      name: helm-ci-task
      kind: Task
    params:
    - name: charts
      value: deploy
    workspaces:
    - name: source
      workspace: shared-workspace
    runAfter:
    - kubeconfig-creator

Conclusion

In this blog, we have demonstrated how to perform tests on Helm charts using the Chart Testing tool within OpenShift Pipelines. By setting up a pipeline with tasks for linting and testing, you can ensure the quality and reliability of your Helm charts before deploying them to your OpenShift cluster.

Last updated on
Setting Up Cloudflared Tunnel on OpenShiftHelm Multi-Values Plugin with Argo's CMP