From da392686fcb32902b27ed9dbd0eda617c2915df2 Mon Sep 17 00:00:00 2001
From: mamccorm
Date: Mon, 20 May 2024 14:02:57 +0100
Subject: [PATCH] Improve docs and add some test coverage (#2705)
Signed-off-by: Mark McCormick
---
 images/kube-webhook-certgen/README.md | 40 +++++++++++-
 images/kube-webhook-certgen/metadata.yaml | 6 +-
 images/kube-webhook-certgen/tests/main.tf | 20 ++++--
 .../kube-webhook-certgen/tests/run-tests.sh | 63 +++++++++++++++++++
 4 files changed, 120 insertions(+), 9 deletions(-)
 create mode 100755 images/kube-webhook-certgen/tests/run-tests.sh
diff --git a/images/kube-webhook-certgen/README.md b/images/kube-webhook-certgen/README.md
index 340958d9c4..bf04e7797c 100644
--- a/images/kube-webhook-certgen/README.md
+++ b/images/kube-webhook-certgen/README.md
@@ -13,7 +13,7 @@
-Tools to help with self signed cert generation for Kubernetes test environment
+Generates certificates and updates Kubernetes webhooks, integrating with Helm to simplify Kubernetes job execution.
@@ -25,4 +25,40 @@ docker pull cgr.dev/chainguard/kube-webhook-certgen:latest
 ```
-
+
+
+## Forked version, maintained by ingress-nginx project!
+NOTE: this is the ingress-nginx projects fork of `kube-webhook-certgen`. The
+[original project](https://github.com/jet/kube-webhook-certgen) is no longer
+maintained.
+
+## Prometheus operator
+Below is an example of how to deploy the prometheus operator, which utilizes
+this image.
+
+First, add the helm operator:
+
+```bash
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+```
+
+Then, use the following Terraform configuration to deploy the Prometheus
+Operator. Note, we're utilizing the[Chainguard prometheus operator image](https://github.com/chainguard-images/images/tree/main/images/prometheus-operator),
+as well as the Chainguard kube-webhook-certgen image:
+
+```bash
+helm install prometheus-operator prometheus-community/kube-prometheus-stack \
+ --set prometheusOperator.image.registry=cgr.dev \
+ --set prometheusOperator.image.repository=chainguard/prometheus-operator \
+ --set prometheusOperator.image.tag=latest
+ --set prometheusOperator.admissionWebhooks.patch.image.registry=cgr.dev \
+ --set prometheusOperator.admissionWebhooks.patch.image.repository=chainguard/kube-webhook-certgen \
+ --set prometheusOperator.admissionWebhooks.patch.image.tag=latest
+```
+
+For more information, refer to the following resources:
+- [prometheus operator docs](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack)
+- [kube-webhook-certgen docs](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen)
+
+
diff --git a/images/kube-webhook-certgen/metadata.yaml b/images/kube-webhook-certgen/metadata.yaml
index 718a614aca..620eb218bf 100644
--- a/images/kube-webhook-certgen/metadata.yaml
+++ b/images/kube-webhook-certgen/metadata.yaml
@@ -3,8 +3,8 @@ image: cgr.dev/chainguard/kube-webhook-certgen
 logo: https://storage.googleapis.com/chainguard-academy/logos/kube-webhook-certgen.svg
 endoflife: ""
 console_summary: ""
-short_description: Tools to help with self signed cert generation for Kubernetes test environment
+short_description: Generates certificates and updates Kubernetes webhooks, integrating with Helm to simplify Kubernetes job execution.
 compatibility_notes: ""
 readme_file: README.md
-upstream_url:
-keywords: []
+upstream_url: https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen
+keywords: [kubernetes]
diff --git a/images/kube-webhook-certgen/tests/main.tf b/images/kube-webhook-certgen/tests/main.tf
index 6abd1de4eb..7c7859a18d 100644
--- a/images/kube-webhook-certgen/tests/main.tf
+++ b/images/kube-webhook-certgen/tests/main.tf
@@ -16,15 +16,23 @@ data "imagetest_inventory" "this" {}
 resource "imagetest_harness_k3s" "this" {
 name = "kube-webhook-certgen"
 inventory = data.imagetest_inventory.this
+
+ sandbox = {
+ mounts = [
+ {
+ source = path.module
+ destination = "/tests"
+ }
+ ]
+ }
 }
 module "helm" {
 source = "../../../tflib/imagetest/helm"
- name = "prometheus-operator"
- namespace = "monitoring"
- repo = "https://prometheus-community.github.io/helm-charts"
- chart = "kube-prometheus-stack"
+ name = "prometheus-operator"
+ repo = "https://prometheus-community.github.io/helm-charts"
+ chart = "kube-prometheus-stack"
 values = {
 prometheusOperator = {
@@ -51,6 +59,10 @@ resource "imagetest_feature" "basic" {
 name = "Helm install"
 cmd = module.helm.install_cmd
 },
+ {
+ name = "Basic smoke test that providers install"
+ cmd = "/tests/run-tests.sh"
+ }
 ]
 labels = {
diff --git a/images/kube-webhook-certgen/tests/run-tests.sh b/images/kube-webhook-certgen/tests/run-tests.sh
new file mode 100755
index 0000000000..dd413b3676
--- /dev/null
+++ b/images/kube-webhook-certgen/tests/run-tests.sh
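Review bot: The new `/tests/run-tests.sh` step in the second main.tf hunk only works because `namespace = "monitoring"` was dropped from `module "helm"` in the first hunk, so the release now lands in the default namespace that the script's un-namespaced `kubectl` calls query (the new run-tests.sh hunk shows `kubectl get pods -l ...` with no `-n`, and a hard-coded `WEBHOOK="prometheus-operator-kube-p-admission"` whose prefix is this module's release name); neither file states that coupling. Add a comment above `name = "prometheus-operator"` such as `# Installed into the default namespace on purpose: tests/run-tests.sh runs kubectl without -n and hard-codes a webhook name derived from this release name.` The step name `"Basic smoke test that providers install"` does not describe what the script asserts; something like `"Webhook caBundle populated by kube-webhook-certgen"` would match its checks. The `module "helm"` block continues past the end of the first hunk (its `values` map is cut off).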
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o pipefail -x
+
+WEBHOOK="prometheus-operator-kube-p-admission"
+
+# Wait for all Prometheus Operator pods to be ready
+kubectl get pods -l app.kubernetes.io/component=prometheus-operator
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/component=prometheus-operator --timeout=300s
+
+# Check CA Bundle in Validating Webhook Configuration
+VALIDATING_CA_BUNDLE=$(kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io $WEBHOOK -o jsonpath="{.webhooks[0].clientConfig.caBundle}")
+if [[ -z "$VALIDATING_CA_BUNDLE" ]]; then
+ echo "'caBundle' was not present in validatingwebhookconfigurations: $WEBHOOK"
+ exit 1
+fi
+
+# Check CA Bundle in Mutating Webhook Configuration
+MUTATING_CA_BUNDLE=$(kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io $WEBHOOK -o jsonpath="{.webhooks[0].clientConfig.caBundle}")
+if [[ -z "$MUTATING_CA_BUNDLE" ]]; then
+ echo "'caBundle' was not present in mutatingwebhookconfigurations: $WEBHOOK"
+ exit 1
+fi
+
+# Create a test PrometheusRule to trigger the webhook
+cat <