Add a test to ensure upgrades work

.github/workflows/helm-chart-ci.yaml

@@ -239,3 +239,44 @@ jobs:
 
       - name: Install and test example
         run: ${{ matrix.example }}/run-tests.sh
+
+  upgrade-test:
+    runs-on: ubuntu-22.04
+
+    needs:
+      - lint-chart
+      - build-matrix
+
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s:
+          - v1.27.2
+          - v1.26.4
+          - v1.25.9
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.0.0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3.5
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+        # Only build a kind cluster if there are chart changes to test.
+        with:
+          version: ${{ env.KIND_VERSION }}
+          node_image: kindest/node:v1.26.4
+          config: .github/kind/conf/kind-config.yaml
+          verbosity: 1
+
+      - name: Install and test example
+        run: examples/production/run-tests.sh -u

examples/production/run-tests.sh

@@ -2,6 +2,9 @@
 
 set -xe
 
+UPGRADE_VERSION=v0.13.0
+UPGRADE_REPO=https://spiffe.github.io/helm-charts
+
 SCRIPT="$(readlink -f "$0")"
 SCRIPTPATH="$(dirname "${SCRIPT}")"
 TESTDIR="${SCRIPTPATH}/../../.github/tests"
@@ -15,6 +18,17 @@ source "${TESTDIR}/common.sh"
 helm_install=(helm upgrade --install --create-namespace)
 ns=spire-server
 
+UPGRADE_ARGS=""
+
+for i in "$@"; do
+  case $i in
+    -u)
+      UPGRADE_ARGS="--repo $UPGRADE_REPO --version $UPGRADE_VERSION"
+      shift # past argument=value
+      ;;
+  esac
+done
+
 teardown() {
   helm uninstall --namespace "${ns}" spire 2>/dev/null || true
   kubectl delete ns "${ns}" 2>/dev/null || true
@@ -70,19 +84,31 @@ spire-server:
           - "spire-server-federation.production.other"
 EOF
 
-"${helm_install[@]}" spire charts/spire \
-  --namespace "${ns}" \
-  --values "${SCRIPTPATH}/values.yaml" \
-  --values "${SCRIPTPATH}/values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml" \
-  --values "${SCRIPTPATH}/values-export-spire-server-ingress-nginx.yaml" \
-  --values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \
-  --values /tmp/dummydns \
-  --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
-  --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
-  --values "${SCRIPTPATH}/example-your-values.yaml" \
-  --wait
+install_and_test() {
+  # Can't pass an array to a function. We completely control the string so its safe.
+  # shellcheck disable=SC2086
+  "${helm_install[@]}" spire "$1" \
+    --namespace "${ns}" \
+    --values "${SCRIPTPATH}/values.yaml" \
+    --values "${SCRIPTPATH}/values-export-spiffe-oidc-discovery-provider-ingress-nginx.yaml" \
+    --values "${SCRIPTPATH}/values-export-spire-server-ingress-nginx.yaml" \
+    --values "${SCRIPTPATH}/values-export-federation-https-web-ingress-nginx.yaml" \
+    --values /tmp/dummydns \
+    --set spiffe-oidc-discovery-provider.tests.tls.customCA=tls-cert,spire-server.tests.tls.customCA=tls-cert \
+    --set spire-agent.server.address=spire-server.production.other,spire-agent.server.port=443 \
+    --values "${SCRIPTPATH}/example-your-values.yaml" \
+    $2 \
+    --wait
+
+    helm test --namespace "${ns}" spire
+}
+
+if [[ -n "$UPGRADE_ARGS" ]]; then
+  install_and_test spire "$UPGRADE_ARGS"
+  # Any other upgrade steps go here. (Upgrade crds, delete statefulsets without cascade, etc.)
+fi
 
-helm test --namespace "${ns}" spire
+install_and_test charts/spire ""
 
 if helm get manifest -n spire-server spire | grep -i example; then
   echo Global settings did not work. Please fix.