doc/test-framework/scorecard.md: document --olm-deployed prereq… (#1816)

Eric Stroczynski · web-flow · commit 668fffea7548 · 2019-10-25T15:35:30.000-07:00
* doc/test-framework/scorecard.md: document --olm-deployed prereqs and usage
diff --git a/doc/test-framework/scorecard.md b/doc/test-framework/scorecard.md
@@ -1,4 +1,4 @@
-# operator-sdk scorecard 
+# operator-sdk scorecard
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
@@ -19,21 +19,21 @@
   - [OLM Integration](#olm-integration)
 - [Extending the Scorecard with Plugins](#extending-the-scorecard-with-plugins)
   - [JSON format](#json-format)
-- [Running the scorecard with a deployed CSV](#running-the-scorecard-with-a-deployed-csv)
+- [Running the scorecard with an OLM-managed operator](#running-the-scorecard-with-an-olm-managed-operator)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Overview
 
-The scorecard works by creating all resources required by CRs and the operator. 
+The scorecard works by creating all resources required by CRs and the operator.
 
 The scorecard will create another container in the operator deployment which is used to record calls to the API server and run a lot of the tests. The tests performed will also examine some of the fields in the CRs.
 
-The scorecard also supports plugins which allows to extend the functionality of the scorecard and add additional tests on it. 
+The scorecard also supports plugins which allows to extend the functionality of the scorecard and add additional tests on it.
 
-## Requirements 
+## Requirements
 
-Following are some requirements for the operator project which would be  checked by the scorecard. 
+Following are some requirements for the operator project which would be  checked by the scorecard.
 
 - Access to a Kubernetes v1.11.3+ cluster
 
@@ -48,9 +48,9 @@ Following are some requirements for the operator project which would be  checked
 
 1. Setup the `.osdk-scorecard.yaml` configuration file in your project.. See [Config file](#config-file)
 2. Create the namespace defined in the RBAC files(`role_bindinding`)
-3. Then, run the scorecard, for example `$ operator-sdk scorecard`. See the [Command args](#command-args) to check its options. 
+3. Then, run the scorecard, for example `$ operator-sdk scorecard`. See the [Command args](#command-args) to check its options.
 
-**NOTE:** If your operator is non-SDK then some steps will be required in order to meet its requirements. 
+**NOTE:** If your operator is non-SDK then some steps will be required in order to meet its requirements.
 
 ## Configuration
 
@@ -95,13 +95,13 @@ The hierarchy of config methods for the global options that are also configurabl
 The config file support is provided by the `viper` package. For more info on how viper configuration works, see [`viper`'s README][viper].
 
 **NOTE:** The config file can be in any of the `json`, `yaml`, or `toml` formats as long as the file has the correct extension. As the config file may be extended to allow configuration
-of all `operator-sdk` subcommands in the future, the scorecard's configuration must be under a `scorecard` subsection. 
+of all `operator-sdk` subcommands in the future, the scorecard's configuration must be under a `scorecard` subsection.
 
 ### Command Args
 
-While most configuration is done via a config file, there are a few important args that can be used as follows. 
+While most configuration is done via a config file, there are a few important args that can be used as follows.
 
-| Flag        | Type   | Description   | 
+| Flag        | Type   | Description   |
 | --------    | -------- | -------- |
 | `--config`  | string | Path to config file (default `<project_dir>/.osdk-scorecard`; file type and extension can be any of `.yaml`, `.json`, or `.toml`). If a config file is not provided and a config file is not found at the default location, the scorecard will exit with an error. |
 | `--output`, `-o`  | string | Output format. Valid options are: `text` and `json`. The default format is `text`, which is designed to be a simpler human readable format. The `json` format uses the JSON schema output format used for plugins defined later in this document. |
@@ -110,7 +110,7 @@ While most configuration is done via a config file, there are a few important ar
 
 ### Config File Options
 
-| Option        | Type   | Description   | 
+| Option        | Type   | Description   |
 | --------    | -------- | -------- |
 | `output` | string | equivalent of the `--output` flag. If this option is defined by both the config file and the flag, the flag's value takes priority |
 | `kubeconfig` | string | equivalent of the `--kubeconfig` flag. If this option is defined by both the config file and the flag, the flag's value takes priority |
@@ -122,11 +122,11 @@ A plugin object is used to configure plugins. The possible values for the plugin
 
 Note that each Plugin type has different configuration options and they are named differently in the config. Only one of these fields can be set per plugin.
 
-#### Basic and OLM 
+#### Basic and OLM
 
 The `basic` and `olm` internal plugins have the same configuration fields:
 
-| Option        | Type   | Description   | 
+| Option        | Type   | Description   |
 | --------    | -------- | -------- |
 | `cr-manifest` | [\]string | path(s) for CRs being tested.(required if `olm-deployed` is not set or false) |
 | `csv-path` | string | path to CSV for the operator (required for OLM tests or if `olm-deployed` is set to true) |
@@ -143,27 +143,27 @@ The `basic` and `olm` internal plugins have the same configuration fields:
 The scorecard allows developers to write their own plugins for the scorecard that can be run via an executable binary or script. For more information on developing external plugins,
 please see the [Extending the Scorecard with Plugins](#extending-the-scorecard-with-plugins) section. These are the options available to configure external plugins:
 
-| Option        | Type   | Description   | 
+| Option        | Type   | Description   |
 | --------    | -------- | -------- |
 | `command` | string | (required) path to the plugin binary or script. The path can either be absolute or relative to the operator project's root directory. All external plugins are run from the operator project's root directory |
 | `args` | \[\]string | arguments to pass to the plugin |
 | `env` | array | `env var` objects, which consist of a `name` and `value` field. If a `KUBECONFIG` env var is declared in this array as well as via the top-level `kubeconfig` option, the `KUBECONFIG` from the env array for the plugin is used |
 
-## Tests Performed 
+## Tests Performed
 
 Following the description of each internal [Plugin](#plugins). Note that are 8 internal tests across 2 internal plugins that the scorecard can run. If multiple CRs are specified for a plugin, the test environment is fully cleaned up after each CR so each CR gets a clean testing environment.
 
 ### Basic Operator
 
-| Test        | Description   | 
+| Test        | Description   |
 | --------    | -------- |
 | Spec Block Exists | This test checks the Custom Resource(s) created in the cluster to make sure that all CRs have a spec block. This test has a maximum score of 1 |
 | Status Block Exists | This test checks the Custom Resource(s) created in the cluster to make sure that all CRs have a status block. This test has a maximum score of 1 |
 | Writing Into CRs Has An Effect | This test reads the scorecard proxy's logs to verify that the operator is making `PUT` and/or `POST` requests to the API server, indicating that it is modifying resources. This test has a maximum score of 1 |
 
 ### OLM Integration
 
-| Test        | Description   | 
+| Test        | Description   |
 | --------    | -------- |
 | Provided APIs have validation |This test verifies that the CRDs for the provided CRs contain a validation section and that there is validation for each spec and status field detected in the CR. This test has a maximum score equal to the number of CRs provided via the `cr-manifest` option. |
 | Owned CRDs Have Resources Listed | This test makes sure that the CRDs for each CR provided via the `cr-manifest` option have a `resources` subsection in the [`owned` CRDs section][owned-crds] of the CSV. If the test detects used resources that are not listed in the resources section, it will list them in the suggestions at the end of the test. This test has a maximum score equal to the number of CRs provided via the `cr-manifest` option. |
@@ -386,16 +386,162 @@ Example of a valid JSON output:
 **NOTE:** The `ScorecardOutput.Log` field is only intended to be used to log the scorecard's output and the scorecard will ignore that field if a plugin provides it.
 To add logs to the main `ScorecardOuput.Log` field, a plugin can output the logs to `stderr`.
 
-## Running the scorecard with a deployed CSV
-
-The scorecard can be run using only a [Cluster Service Version (CSV)][olm-csv], providing a way to test cluster-ready and non-SDK operators.
+## Running the scorecard with an OLM-managed operator
+
+The scorecard can be run using a [Cluster Service Version (CSV)][olm-csv], providing a way to test cluster-ready and non-SDK operators.
+
+Running with a CSV alone requires both the `csv-path: <CSV manifest path>` and `olm-deployed` options to be set. The scorecard assumes your CSV and relevant CRD's have been deployed onto the cluster using OLM when using `olm-deployed`.
+
+The scorecard requires a proxy container in the operator's `Deployment` pod to read operator logs. A few modifications to your CSV and creation of one extra object are required to run the proxy _before_ deploying your operator with OLM:
+
+1. Create a proxy server secret containing a local Kubeconfig:
+    1. Generate a username using the scorecard proxy's namespaced owner reference.
+          ```sh
+          # Substitute "$your_namespace" for the namespace your operator will be deployed in (if any).
+          $ echo '{"apiVersion":"","kind":"","name":"scorecard","uid":"","Namespace":"'${your_namespace}'"}' | base64 -w 0
+          eyJhcGlWZXJzaW9uIjoiIiwia2luZCI6IiIsIm5hbWUiOiJzY29yZWNhcmQiLCJ1aWQiOiIiLCJOYW1lc3BhY2UiOiJvbG0ifQo=
+          ```
+    1. Write a `Config` manifest `scorecard-config.yaml` using the following template, substituting `${your_username}` for the base64 username generated above:
+          ```yaml
+          apiVersion: v1
+          kind: Config
+          clusters:
+          - cluster:
+              insecure-skip-tls-verify: true
+              server: http://${your_username}@localhost:8889
+            name: proxy-server
+          contexts:
+          - context:
+              cluster: proxy-server
+              user: admin/proxy-server
+            name: $namespace/proxy-server
+          current-context: $namespace/proxy-server
+          preferences: {}
+          users:
+          - name: admin/proxy-server
+            user:
+              username: ${your_username}
+              password: unused
+          ```
+    1. Encode the `Config` as base64:
+          ```sh
+          $ cat scorecard-config.yaml | base64 -w 0
+          YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCmNsdXN0ZXJzOgotIGNsdXN0ZXI6CiAgICBpbnNlY3VyZS1za2lwLXRscy12ZXJpZnk6IHRydWUKICAgIHNlcnZlcjogaHR0cDovL2V5SmhjR2xXWlhKemFXOXVJam9pSWl3aWEybHVaQ0k2SWlJc0ltNWhiV1VpT2lKelkyOXlaV05oY21RaUxDSjFhV1FpT2lJaUxDSk9ZVzFsYzNCaFkyVWlPaUp2YkcwaWZRbz1AbG9jYWxob3N0Ojg4ODkKICBuYW1lOiBwcm94eS1zZXJ2ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IHByb3h5LXNlcnZlcgogICAgdXNlcjogYWRtaW4vcHJveHktc2VydmVyCiAgbmFtZTogL3Byb3h5LXNlcnZlcgpjdXJyZW50LWNvbnRleHQ6IC9wcm94eS1zZXJ2ZXIKcHJlZmVyZW5jZXM6IHt9CnVzZXJzOgotIG5hbWU6IGFkbWluL3Byb3h5LXNlcnZlcgogIHVzZXI6CiAgICB1c2VybmFtZTogZXlKaGNHbFdaWEp6YVc5dUlqb2lJaXdpYTJsdVpDSTZJaUlzSW01aGJXVWlPaUp6WTI5eVpXTmhjbVFpTENKMWFXUWlPaUlpTENKT1lXMWxjM0JoWTJVaU9pSnZiRzBpZlFvPQogICAgcGFzc3dvcmQ6IHVudXNlZAo=
+          ```
+    1. Create a `Secret` manifest `scorecard-secret.yaml` containing the operator's namespace (if any) the `Config`'s base64 encoding as a `spec.data` value under the key `kubeconfig`:
+          ```yaml
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: scorecard-kubeconfig
+            namespace: ${your_namespace}
+          data:
+            kubeconfig: ${kubeconfig_base64}
+          ```
+    1. Apply the secret in-cluster:
+          ```sh
+          $ kubectl apply -f scorecard-secret.yaml
+          ```
+    1. Insert a volume referring to the `Secret` into the operator's `Deployment`:
+          ```yaml
+          spec:
+            install:
+              spec:
+                deployments:
+                - name: memcached-operator
+                  spec:
+                    ...
+                    template:
+                      ...
+                      spec:
+                        containers:
+                        ...
+                        volumes:
+                        # scorecard kubeconfig volume
+                        - name: scorecard-kubeconfig
+                          secret:
+                            secretName: scorecard-kubeconfig
+                            items:
+                            - key: kubeconfig
+                              path: config
+          ```
+1. Insert a volume mount and `KUBECONFIG` environment variable into each container in your operator's `Deployment`:
+    ```yaml
+    spec:
+      install:
+        spec:
+          deployments:
+          - name: memcached-operator
+            spec:
+              ...
+              template:
+                ...
+                spec:
+                  containers:
+                  - name: container1
+                    ...
+                    volumeMounts:
+                    # scorecard kubeconfig volume mount
+                    - name: scorecard-kubeconfig
+                      mountPath: /scorecard-secret
+                    env:
+                      # scorecard kubeconfig env
+                    - name: KUBECONFIG
+                      value: /scorecard-secret/config
+                  - name: container2
+                    # Do the same for this and all other containers.
+                    ...
+    ```
+1. Insert the scorecard proxy container into the operator's `Deployment`:
+    ```yaml
+    spec:
+      install:
+        spec:
+          deployments:
+          - name: memcached-operator
+            spec:
+              ...
+              template:
+                ...
+                spec:
+                  containers:
+                  ...
+                  # scorecard proxy container
+                  - name: scorecard-proxy
+                    command:
+                    - scorecard-proxy
+                    env:
+                    - name: WATCH_NAMESPACE
+                      valueFrom:
+                        fieldRef:
+                          apiVersion: v1
+                          fieldPath: metadata.namespace
+                    image: quay.io/operator-framework/scorecard-proxy:master
+                    imagePullPolicy: Always
+                    ports:
+                    - name: proxy
+                      containerPort: 8889
+    ```
+
+Alternatively, the [community-operators][community-operators] repo has several bash functions that can perform these operations for you:
+```sh
+$ curl -Lo csv-manifest-modifiers.sh https://raw.githubusercontent.com/operator-framework/community-operators/master/scripts/lib/file
+$ . ./csv-manifest-modifiers.sh
+# $NAMESPACE is the namespace your operator will deploy in
+$ create_kubeconfig_secret_file scorecard-secret.yaml "$NAMESPACE"
+$ kubectl apply -f scorecard-secret.yaml
+# $CSV_FILE is the path to your operator's CSV manifest
+$ insert_kubeconfig_volume "$CSV_FILE"
+$ insert_kubeconfig_secret_mount "$CSV_FILE"
+$ insert_proxy_container "$CSV_FILE" "quay.io/operator-framework/scorecard-proxy:master"
+```
 
-Running with a CSV alone requires both the `--csv-path=<CSV manifest path>` and `--olm-deployed` flags to be set. The scorecard assumes your CSV and relevant CRD's have been deployed onto the cluster using the OLM when using `--olm-deployed`. This [document][olm-deploy-operator] walks through bundling your CSV and CRD's, deploying the OLM on minikube or [OKD][okd], and deploying your operator. Once these steps have been completed, run the scorecard with both the `--csv-path=<CSV manifest path>` and `--olm-deployed` flags.
+Once done, follow the steps in this [document][olm-deploy-operator] to bundle your CSV and CRD's, deploy OLM on minikube or [OKD][okd], and deploy your operator. Once these steps have been completed, run the scorecard with both the `csv-path: <CSV manifest path>` and `olm-deployed` options set.
 
 **NOTES:**
 
 - As of now, using the scorecard with a CSV does not permit multiple CR manifests to be set through the CLI/config/CSV annotations. You will have to tear down your operator in the cluster, re-deploy, and re-run the scorecard for each CR being tested. In the future the scorecard will fully support testing multiple CR's without requiring users to teardown/standup each time.
-- You can either use `--cr-manifest` or your CSV's [`metadata.annotations['alm-examples']`][olm-csv-alm-examples] to provide CR's to the scorecard, but not both.
+- You can either set `cr-manifest` or your CSV's [`metadata.annotations['alm-examples']`][olm-csv-alm-examples] to provide CR's to the scorecard, but not both.
 
 [cli-reference]: ../sdk-cli-reference.md#scorecard
 [writing-tests]: ./writing-e2e-tests.md
@@ -407,3 +553,4 @@ Running with a CSV alone requires both the `--csv-path=<CSV manifest path>` and
 [olm]:https://github.com/operator-framework/operator-lifecycle-manager
 [olm-deploy-operator]:https://github.com/operator-framework/community-operators/blob/master/docs/testing-operators.md
 [okd]:https://www.okd.io/
+[community-operators]:https://github.com/operator-framework/community-operators
