stackabletech · adwk67 · Jul 11, 2025 · sbernauer · Jul 16, 2025 · sbernauer
diff --git a/tests/templates/kuttl/external-access/50-assert.yaml.j2 b/tests/templates/kuttl/external-access/50-assert.yaml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
-      # internal implementation, but check that the end-point is reachable,
+      # internal implementation, but check that the endpoint is reachable,
-      # internal implementation, but check that the end-point is reachable,
+      # internal implementation, but check that the endpoint is reachable,
+      # indicated by a 403.
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertion:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}
diff --git a/tests/templates/kuttl/ldap/95-assert.yaml.j2 b/tests/templates/kuttl/ldap/95-assert.yaml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
+      # indicated by a 403.
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertion:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}
diff --git a/tests/templates/kuttl/logging/70-assert.yaml.j2 b/tests/templates/kuttl/logging/70-assert.yaml.j2
@@ -0,0 +1,31 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
+      # indicated by a 403.
+      # Rolegroup custom-log-config
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-custom-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-custom-log-config-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertions:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+
+      # Rolegroup automatic-log-config
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-automatic-log-config-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-automatic-log-config-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}
diff --git a/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-configmap/70-assert.yaml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
+      # indicated by a 403.
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertion:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}
diff --git a/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2 b/tests/templates/kuttl/mount-dags-gitsync/70-assert.yaml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
+      # indicated by a 403.
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertion:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}
diff --git a/tests/templates/kuttl/smoke/80-assert.yaml.j2 b/tests/templates/kuttl/smoke/80-assert.yaml.j2
@@ -0,0 +1,24 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-log-endpoint
+timeout: 240
+commands:
+{% if test_scenario['values']['executor'] == 'celery' %}
+  - script: |
+      set -eu
+
+      # Log-Endpoint Test:
+      # This is executed from the Webserver as JWT keys must be present.
+      # A small server is started on each worker that serves the logs on its
+      # 8793 port for the Webserver: we don't use the token as that is an
+      # internal implementation, but check that the end-point is reachable,
+      # indicated by a 403.
+      CURL_RESPONSE=$(
+          kubectl -n $NAMESPACE exec airflow-webserver-default-0 -- sh -c 'CODE=$(curl -s -o /dev/null -w "%{http_code}" http://airflow-worker-default-headless:8793 2>/dev/null || true);echo "$CODE"'
+      )
+
+      # Log-Endpoint Test Assertion:
+      echo "The HTTP Code should be 403 to indicate the log server is reachable (the internal JWT token is needed for full access): $CURL_RESPONSE" | grep 403
+{% endif %}