Validating Operators using the scorecard tool

As an Operator author, you can use the scorecard tool in the Operator SDK to do the following tasks:

  • Validate that your Operator project is free of syntax errors and packaged correctly

  • Review suggestions about ways you can improve your Operator

About the scorecard tool

While the Operator SDK bundle validate subcommand can validate local bundle directories and remote bundle images for content and structure, you can use the scorecard command to run tests on your Operator based on a configuration file and test images. These tests are implemented within test images that are configured and constructed to be executed by the scorecard.

The scorecard assumes it is run with access to a configured Kubernetes cluster, such as OKD. The scorecard runs each test within a pod, from which pod logs are aggregated and test results are sent to the console. The scorecard has built-in basic and Operator Lifecycle Manager (OLM) tests and also provides a means to execute custom test definitions.

Scorecard workflow

  1. Create all resources required by any related custom resources (CRs) and the Operator

  2. Create a proxy container in the deployment of the Operator to record calls to the API server and run tests

  3. Examine parameters in the CRs

The scorecard tests make no assumptions as to the state of the Operator being tested. Creating Operators and CRs for an Operators are beyond the scope of the scorecard itself. Scorecard tests can, however, create whatever resources they require if the tests are designed for resource creation.

scorecard command syntax

  1. $ operator-sdk scorecard <bundle_dir_or_image> [flags]

The scorecard requires a positional argument for either the on-disk path to your Operator bundle or the name of a bundle image.

For further information about the flags, run:

  1. $ operator-sdk scorecard -h

Scorecard configuration

The scorecard tool uses a configuration that allows you to configure internal plugins, as well as several global configuration options. Tests are driven by a configuration file named config.yaml, which is generated by the make bundle command, located in your bundle/ directory:

  1. ./bundle
  2. ...
  3. └── tests
  4. └── scorecard
  5. └── config.yaml

Example scorecard configuration file

  1. kind: Configuration
  2. apiversion: scorecard.operatorframework.io/v1alpha3
  3. metadata:
  4. name: config
  5. stages:
  6. - parallel: true
  7. tests:
  8. - image: quay.io/operator-framework/scorecard-test:v1.25.0
  9. entrypoint:
  10. - scorecard-test
  11. - basic-check-spec
  12. labels:
  13. suite: basic
  14. test: basic-check-spec-test
  15. - image: quay.io/operator-framework/scorecard-test:v1.25.0
  16. entrypoint:
  17. - scorecard-test
  18. - olm-bundle-validation
  19. labels:
  20. suite: olm
  21. test: olm-bundle-validation-test

The configuration file defines each test that scorecard can execute. The following fields of the scorecard configuration file define the test as follows:

Configuration fieldDescription

image

Test container image name that implements a test

entrypoint

Command and arguments that are invoked in the test image to execute a test

labels

Scorecard-defined or custom labels that select which tests to run

Built-in scorecard tests

The scorecard ships with pre-defined tests that are arranged into suites: the basic test suite and the Operator Lifecycle Manager (OLM) suite.

Table 1. Basic test suite
TestDescriptionShort name

Spec Block Exists

This test checks the custom resource (CR) created in the cluster to make sure that all CRs have a spec block.

basic-check-spec-test

Table 2. OLM test suite
TestDescriptionShort name

Bundle Validation

This test validates the bundle manifests found in the bundle that is passed into scorecard. If the bundle contents contain errors, then the test result output includes the validator log as well as error messages from the validation library.

olm-bundle-validation-test

Provided APIs Have Validation

This test verifies that the custom resource definitions (CRDs) for the provided CRs contain a validation section and that there is validation for each spec and status field detected in the CR.

olm-crds-have-validation-test

Owned CRDs Have Resources Listed

This test makes sure that the CRDs for each CR provided via the cr-manifest option have a resources subsection in the owned CRDs section of the ClusterServiceVersion (CSV). If the test detects used resources that are not listed in the resources section, it lists them in the suggestions at the end of the test. Users are required to fill out the resources section after initial code generation for this test to pass.

olm-crds-have-resources-test

Spec Fields With Descriptors

This test verifies that every field in the CRs spec sections has a corresponding descriptor listed in the CSV.

olm-spec-descriptors-test

Status Fields With Descriptors

This test verifies that every field in the CRs status sections have a corresponding descriptor listed in the CSV.

olm-status-descriptors-test

Running the scorecard tool

A default set of Kustomize files are generated by the Operator SDK after running the init command. The default bundle/tests/scorecard/config.yaml file that is generated can be immediately used to run the scorecard tool against your Operator, or you can modify this file to your test specifications.

Prerequisites

  • Operator project generated by using the Operator SDK

Procedure

  1. Generate or regenerate your bundle manifests and metadata for your Operator:

    1. $ make bundle

    This command automatically adds scorecard annotations to your bundle metadata, which is used by the scorecard command to run tests.

  2. Run the scorecard against the on-disk path to your Operator bundle or the name of a bundle image:

    1. $ operator-sdk scorecard <bundle_dir_or_image>

Scorecard output

The --output flag for the scorecard command specifies the scorecard results output format: either text or json.

Example JSON output snippet

  1. {
  2. "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  3. "kind": "TestList",
  4. "items": [
  5. {
  6. "kind": "Test",
  7. "apiVersion": "scorecard.operatorframework.io/v1alpha3",
  8. "spec": {
  9. "image": "quay.io/operator-framework/scorecard-test:v1.25.0",
  10. "entrypoint": [
  11. "scorecard-test",
  12. "olm-bundle-validation"
  13. ],
  14. "labels": {
  15. "suite": "olm",
  16. "test": "olm-bundle-validation-test"
  17. }
  18. },
  19. "status": {
  20. "results": [
  21. {
  22. "name": "olm-bundle-validation",
  23. "log": "time=\"2020-06-10T19:02:49Z\" level=debug msg=\"Found manifests directory\" name=bundle-test\ntime=\"2020-06-10T19:02:49Z\" level=debug msg=\"Found metadata directory\" name=bundle-test\ntime=\"2020-06-10T19:02:49Z\" level=debug msg=\"Getting mediaType info from manifests directory\" name=bundle-test\ntime=\"2020-06-10T19:02:49Z\" level=info msg=\"Found annotations file\" name=bundle-test\ntime=\"2020-06-10T19:02:49Z\" level=info msg=\"Could not find optional dependencies file\" name=bundle-test\n",
  24. "state": "pass"
  25. }
  26. ]
  27. }
  28. }
  29. ]
  30. }

Example text output snippet

  1. --------------------------------------------------------------------------------
  2. Image: quay.io/operator-framework/scorecard-test:v1.25.0
  3. Entrypoint: [scorecard-test olm-bundle-validation]
  4. Labels:
  5. "suite":"olm"
  6. "test":"olm-bundle-validation-test"
  7. Results:
  8. Name: olm-bundle-validation
  9. State: pass
  10. Log:
  11. time="2020-07-15T03:19:02Z" level=debug msg="Found manifests directory" name=bundle-test
  12. time="2020-07-15T03:19:02Z" level=debug msg="Found metadata directory" name=bundle-test
  13. time="2020-07-15T03:19:02Z" level=debug msg="Getting mediaType info from manifests directory" name=bundle-test
  14. time="2020-07-15T03:19:02Z" level=info msg="Found annotations file" name=bundle-test
  15. time="2020-07-15T03:19:02Z" level=info msg="Could not find optional dependencies file" name=bundle-test

The output format spec matches the Test type layout.

Selecting tests

Scorecard tests are selected by setting the --selector CLI flag to a set of label strings. If a selector flag is not supplied, then all the tests within the scorecard configuration file are run.

Tests are run serially with test results being aggregated by the scorecard and written to standard output, or stdout.

Procedure

  1. To select a single test, for example basic-check-spec-test, specify the test by using the --selector flag:

    1. $ operator-sdk scorecard <bundle_dir_or_image> \
    2. -o text \
    3. --selector=test=basic-check-spec-test
  2. To select a suite of tests, for example olm, specify a label that is used by all of the OLM tests:

    1. $ operator-sdk scorecard <bundle_dir_or_image> \
    2. -o text \
    3. --selector=suite=olm
  3. To select multiple tests, specify the test names by using the selector flag using the following syntax:

    1. $ operator-sdk scorecard <bundle_dir_or_image> \
    2. -o text \
    3. --selector='test in (basic-check-spec-test,olm-bundle-validation-test)'

Enabling parallel testing

As an Operator author, you can define separate stages for your tests using the scorecard configuration file. Stages run sequentially in the order they are defined in the configuration file. A stage contains a list of tests and a configurable parallel setting.

By default, or when a stage explicitly sets parallel to false, tests in a stage are run sequentially in the order they are defined in the configuration file. Running tests one at a time is helpful to guarantee that no two tests interact and conflict with each other.

However, if tests are designed to be fully isolated, they can be parallelized.

Procedure

  • To run a set of isolated tests in parallel, include them in the same stage and set parallel to true:

    1. apiVersion: scorecard.operatorframework.io/v1alpha3
    2. kind: Configuration
    3. metadata:
    4. name: config
    5. stages:
    6. - parallel: true (1)
    7. tests:
    8. - entrypoint:
    9. - scorecard-test
    10. - basic-check-spec
    11. image: quay.io/operator-framework/scorecard-test:v1.25.0
    12. labels:
    13. suite: basic
    14. test: basic-check-spec-test
    15. - entrypoint:
    16. - scorecard-test
    17. - olm-bundle-validation
    18. image: quay.io/operator-framework/scorecard-test:v1.25.0
    19. labels:
    20. suite: olm
    21. test: olm-bundle-validation-test
    1Enables parallel testing

    All tests in a parallel stage are executed simultaneously, and scorecard waits for all of them to finish before proceding to the next stage. This can make your tests run much faster.

Custom scorecard tests

The scorecard tool can run custom tests that follow these mandated conventions:

  • Tests are implemented within a container image

  • Tests accept an entrypoint which include a command and arguments

  • Tests produce v1alpha3 scorecard output in JSON format with no extraneous logging in the test output

  • Tests can obtain the bundle contents at a shared mount point of /bundle

  • Tests can access the Kubernetes API using an in-cluster client connection

Writing custom tests in other programming languages is possible if the test image follows the above guidelines.

The following example shows of a custom test image written in Go:

Example custom scorecard test

  1. // Copyright 2020 The Operator-SDK Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package main
  15. import (
  16. "encoding/json"
  17. "fmt"
  18. "log"
  19. "os"
  20. scapiv1alpha3 "github.com/operator-framework/api/pkg/apis/scorecard/v1alpha3"
  21. apimanifests "github.com/operator-framework/api/pkg/manifests"
  22. )
  23. // This is the custom scorecard test example binary
  24. // As with the Redhat scorecard test image, the bundle that is under
  25. // test is expected to be mounted so that tests can inspect the
  26. // bundle contents as part of their test implementations.
  27. // The actual test is to be run is named and that name is passed
  28. // as an argument to this binary. This argument mechanism allows
  29. // this binary to run various tests all from within a single
  30. // test image.
  31. const PodBundleRoot = "/bundle"
  32. func main() {
  33. entrypoint := os.Args[1:]
  34. if len(entrypoint) == 0 {
  35. log.Fatal("Test name argument is required")
  36. }
  37. // Read the pod's untar'd bundle from a well-known path.
  38. cfg, err := apimanifests.GetBundleFromDir(PodBundleRoot)
  39. if err != nil {
  40. log.Fatal(err.Error())
  41. }
  42. var result scapiv1alpha3.TestStatus
  43. // Names of the custom tests which would be passed in the
  44. // `operator-sdk` command.
  45. switch entrypoint[0] {
  46. case CustomTest1Name:
  47. result = CustomTest1(cfg)
  48. case CustomTest2Name:
  49. result = CustomTest2(cfg)
  50. default:
  51. result = printValidTests()
  52. }
  53. // Convert scapiv1alpha3.TestResult to json.
  54. prettyJSON, err := json.MarshalIndent(result, "", " ")
  55. if err != nil {
  56. log.Fatal("Failed to generate json", err)
  57. }
  58. fmt.Printf("%s\n", string(prettyJSON))
  59. }
  60. // printValidTests will print out full list of test names to give a hint to the end user on what the valid tests are.
  61. func printValidTests() scapiv1alpha3.TestStatus {
  62. result := scapiv1alpha3.TestResult{}
  63. result.State = scapiv1alpha3.FailState
  64. result.Errors = make([]string, 0)
  65. result.Suggestions = make([]string, 0)
  66. str := fmt.Sprintf("Valid tests for this image include: %s %s",
  67. CustomTest1Name,
  68. CustomTest2Name)
  69. result.Errors = append(result.Errors, str)
  70. return scapiv1alpha3.TestStatus{
  71. Results: []scapiv1alpha3.TestResult{result},
  72. }
  73. }
  74. const (
  75. CustomTest1Name = "customtest1"
  76. CustomTest2Name = "customtest2"
  77. )
  78. // Define any operator specific custom tests here.
  79. // CustomTest1 and CustomTest2 are example test functions. Relevant operator specific
  80. // test logic is to be implemented in similarly.
  81. func CustomTest1(bundle *apimanifests.Bundle) scapiv1alpha3.TestStatus {
  82. r := scapiv1alpha3.TestResult{}
  83. r.Name = CustomTest1Name
  84. r.State = scapiv1alpha3.PassState
  85. r.Errors = make([]string, 0)
  86. r.Suggestions = make([]string, 0)
  87. almExamples := bundle.CSV.GetAnnotations()["alm-examples"]
  88. if almExamples == "" {
  89. fmt.Println("no alm-examples in the bundle CSV")
  90. }
  91. return wrapResult(r)
  92. }
  93. func CustomTest2(bundle *apimanifests.Bundle) scapiv1alpha3.TestStatus {
  94. r := scapiv1alpha3.TestResult{}
  95. r.Name = CustomTest2Name
  96. r.State = scapiv1alpha3.PassState
  97. r.Errors = make([]string, 0)
  98. r.Suggestions = make([]string, 0)
  99. almExamples := bundle.CSV.GetAnnotations()["alm-examples"]
  100. if almExamples == "" {
  101. fmt.Println("no alm-examples in the bundle CSV")
  102. }
  103. return wrapResult(r)
  104. }
  105. func wrapResult(r scapiv1alpha3.TestResult) scapiv1alpha3.TestStatus {
  106. return scapiv1alpha3.TestStatus{
  107. Results: []scapiv1alpha3.TestResult{r},
  108. }
  109. }