Writing Custom Scorecard Tests

This guide outlines the steps which can be followed to extend the existing scorecard tests and implement operator specific custom tests.

Run scorecard with custom tests:

Building test image:

The following steps explain creating of a custom test image which can be used with Scorecard to run operator specific tests. As an example, let us start by creating a sample go repository containing the test bundle data, custom scorecard tests and a Makefile to help us build a test image.

The sample test image repository present here has the following project structure:

  1. $ tree .
  2. .
  3. ...
  4. ├── config
  5. |   ...
  6.    └── scorecard
  7.        ├── bases
  8.           └── config.yaml
  9.        ├── kustomization.yaml
  10.        └── patches
  11.            ├── basic.config.yaml
  12.            └── olm.config.yaml
  13. ├── Makefile
  14. ├── bundle
  15.    ├── manifests
  16.       ├── cache.example.com_memcached_crd.yaml
  17.       └── memcached-operator.clusterserviceversion.yaml
  18.    ├── metadata
  19.       └── annotations.yaml
  20.    └── tests
  21.        └── scorecard
  22.            └── config.yaml
  23. ├── go.mod
  24. ├── go.sum
  25. ├── images
  26.    └── custom-scorecard-tests
  27.        ├── Dockerfile
  28.        ├── bin
  29.           ├── entrypoint
  30.           └── user_setup
  31.        ├── cmd
  32.           └── test
  33.               └── main.go
  34.        └── custom-scorecard-tests
  35. └── internal
  36.     └── tests
  37.         └── tests.go
  1. config/scorecard - Contains a kustomization for generating a config from a base and set of overlays.
  2. bundle/ - Contains bundle manifests and metadata under test.
  3. bundle/tests/scorecard/config.yaml - Configuration file generated by make bundle from the config/scorecard kustomization.
  4. images/custom-scorecard-tests/main.go - Scorecard test binary.
  5. internal/tests/tests.go - Contains the implementation of custom tests specific to the operator.

Writing custom test logic:

Scorecard currently implements a few basic and olm tests for the image bundle, custom resources and custom resource definitions. Additional tests specific to the operator can also be included in the test suite of scorecard.

The tests.go file is where the custom tests are implemented in the sample test image project. These tests use scapiv1alpha3.TestResult struct to populate the result, which is then converted to json format for the output. For example, the format of a simple custom sample test can be as follows:

  1. package tests
  3. import (
  4.   apimanifests "github.com/operator-framework/api/pkg/manifests"
  5.   scapiv1alpha3 "github.com/operator-framework/api/pkg/apis/scorecard/v1alpha3"
  6. )
  8. const (
  9.   CustomTest1Name = "customtest1"
  10. )
  12. // CustomTest1
  13. func CustomTest1(bundle *apimanifests.Bundle) scapiv1alpha3.TestStatus {
  14.   r := scapiv1alpha3.TestResult{}
  15.   r.Name = CustomTest1Name
  16.   r.State = scapiv1alpha3.PassState
  17.   r.Errors = make([]string, 0)
  18.   r.Suggestions = make([]string, 0)
  20.   // Implement relevant custom test logic here
  22.   return wrapResult(r)
  23. }

Scorecard Configuration file:

The configuration file includes test definitions and metadata to run the test. This file is constructed using a kustomization under config/scorecard, with overlays for test sets.

For the example CustomTest1 function, add the following to config/scorecard/patches/customtest1.config.yaml.

  1. - op: add
  2.   path: /stages/0/tests/-
  3.   value:
  4.     image: quay.io/<username>/custom-scorecard-tests:latest
  5.     entrypoint:
  6.     - custom-scorecard-tests
  7.     - customtest1
  8.     labels:
  9.       suite: custom
  10.       test: customtest1

The important fields to note here are:

  1. image - name and tag of the test image which was specified in the Makefile.
  2. labels - the name of the test and suite the test function belongs to. This can be specified in the operator-sdk scorecard command to run the desired test.

Next, add a JSON 6902 patch to your config/scorecard/kustomization.yaml:

  1. patchesJson6902:
  2. ...
  3. - path: patches/customtest1.config.yaml
  4.   target:
  5.     group: scorecard.operatorframework.io
  6.     version: v1alpha3
  7.     kind: Configuration
  8.     name: config

Once you run make bundle, the bundle/tests/scorecard/config.yaml will be (re)generated with your custom test.

If generating a config file outside of the on-disk bundle, you can run:

  1. $ kustomize build config/scorecard > path/to/config.yaml

Note: The default location of config.yaml inside the bundle is <bundle directory>/tests/scorecard/config.yaml. It can be overridden using the --config flag. For more details regarding the configuration file refer to user docs.

Scorecard binary:

The scorecard test image implementation requires the bundle under test to be present in the test image. The apimanifests.GetBundleFromDir() function reads the pod’s bundle to fetch the manifests and scorecard configuration from desired path.

  1. cfg, err := apimanifests.GetBundleFromDir(scorecard.PodBundleRoot)
  2. if err != nil {
  3.   log.Fatal(err.Error())
  4. }

The scorecard binary uses config.yaml file to locate tests and execute the them as Pods which scorecard creates. Custom test images are included into Pods that scorecard creates, passing in the bundle contents on a shared mount point to the test image container. The specific custom test that is executed is driven by the config.yaml’s entry-point command and arguments.

An example custom scorecard test implementation is present here.

The names with which the tests are identified in config.yaml and would be passed in the scorecard command, are to be specified here.

  1. ...
  2. switch entrypoint[0] {
  3. case tests.CustomTest1Name:
  4.   result = tests.CustomTest1(cfg)
  5.   ...
  6. }
  7. ...

The result of the custom tests which is in scapiv1alpha3.TestResult format, is converted to json for output.

  1. prettyJSON, err := json.MarshalIndent(result, "", "    ")
  2. if err != nil {
  3.   log.Fatal("Failed to generate json", err)
  4. }
  5. fmt.Printf("%s\n", string(prettyJSON))

The names of the custom tests are also included in printValidTests() function:

  1. func printValidTests() (result scapiv1alpha3.TestStatus) {
  2.   ...
  3.   str := fmt.Sprintf("Valid tests for this image include: %s", tests.CustomTest1Name)
  4.   result.Errors = append(result.Errors, str)
  5.   ...
  6. }

Building the project

The SDK project makefile contains targets to build the sample custom test image. The current makefile is found here. You can use this makefile as a reference for your own custom test image makefile.

To build the sample custom test image, run:

  1. make image/custom-scorecard-tests

Running scorecard command

The operator-sdk scorecard command is used to execute the scorecard tests by specifying the location of test bundle in the command. The name or suite of the tests which are to be executed can be specified with the --selector flag. The command will create scorecard pods with the image specified in config.yaml for the respective test. For example, the CustomTest1Name test provides the following json output.

  1. $ operator-sdk scorecard <bundle_dir_or_image> --selector=suite=custom -o json --wait-time=32s --skip-cleanup=false
  2. {
  3.   "kind": "TestList",
  4.   "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  5.   "items": [
  6.     {
  7.       "kind": "Test",
  8.       "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  9.       "spec": {
  10.         "image": "quay.io/operator-framework/scorecard-test:latest",
  11.         "entrypoint": [
  12.           "custom-scorecard-tests",
  13.           "customtest1"
  14.         ],
  15.         "labels": {
  16.           "suite": "custom",
  17.           "test": "customtest1"
  18.         }
  19.       },
  20.       "status": {
  21.         "results": [
  22.           {
  23.             "name": "customtest1",
  24.             "log": "an ISV custom test",
  25.             "state": "pass"
  26.           }
  27.         ]
  28.       }
  29.     }
  30.   ]
  31. }

Note: More details on the usage of operator-sdk scorecard command and its flags can be found in the scorecard user documentation

Debugging scorecard custom tests

The --skip-cleanup flag can be used when executing the operator-sdk scorecard command to cause the scorecard created test pods to be unremoved. This is useful when debugging or writing new tests so that you can view the test logs or the pod manifests.

Storing scorecard test output

The --test-output flag can be used when executing the operator-sdk scorecard command with a config specifying output persistence to store the output of the scorecard tests in a specific directory. Any persistent volume data will be stored in the specified local directory upon completion of the scorecard tests.

  1. $ operator-sdk scorecard ./bundle --test-output=/mytestoutput

Note: By default, the gathered test output will be stored in $(pwd)/test-output.

Overwrite storage and untar images to prevent downloading the images from external registries

The following options are useful to prevent downloading the images from external registries during scorecard job execution. That could be a case of disconnected environments or to prevent an impact of the external registry’s pull limits.

  • The --storage-image flag can be used when executing the operator-sdk scorecard command to overwrite the default busybox image used by the Scorecard pod.
  • The --untar-image flag can be used when executing the operator-sdk scorecard command to overwrite the default untar image used by the Scorecard pod.

Scorecard initContainer

The scorecard inserts an initContainer into the test pods it creates. The initContainer serves the purpose of uncompressing the operator bundle contents, mounting them into a shared mount point accessible by test images. The operator bundle contents are stored within a ConfigMap, uniquely built for each scorecard test execution. Upon scorecard completion, the ConfigMap is removed as part of normal cleanup, along with the test pods created by scorecard.

Using Custom Service Accounts

Scorecard does not deploy service accounts, RBAC resources, or namespaces for your test but instead considers these resources to be outside its scope. You can however specify whichever service account your tests require, like config/rbac/service_account.yaml in Go operator projects, and then specify that service account from the command line:

  1. $ operator-sdk scorecard <bundle_dir_or_image> --service-account=my-project-controller-manager

Also, you can specify a non-default namespace that scorecard will run in:

  1. $ operator-sdk scorecard <bundle_dir_or_image> --namespace=my-project-system

If you do not specify either of these flags, the default namespace and service account will be used by the scorecard to run test pods.

Returning Multiple Test Results

Some custom tests might require or be better implemented to return more than a single test result. For this case, scorecard’s output API allows multiple test results to be defined for a single test.

Accessing the Kube API

Within your custom tests you might require connecting to the Kube API. In golang, you could use the client-go API for example to check Kube resources within your tests, or even create custom resources. Your custom test image is being executed within a Pod, so you can use an in-cluster connection to invoke the Kube API.

Last modified October 15, 2021: [Bugfix for #5285] Expose flags for storage and untar images (#5306) (fad014e2)