Modernize Crossplane conformance suite

[jbw976]

Description of your changes

This PR updates the Crossplane conformance test suite and build logic to be aligned and compliant with Crossplane v2.0 The tests are all now compliant with a Crossplane v2.0 control plane. The current builds in this repo were last verified to work with Crossplane v1.2, so there were a number of updates to incorporate from those ~20 intermediary minor releases and 1 major release 😇

Major changes to call out:

• Conformance test cases target API behavior from Crossplane v2.0, the most recently released upstream Crossplane version
• Provider conformance tests have been removed, the main focus of this suite will now be core Crossplane itself
• go module dependencies updates to modern versions, e.g. crossplane-runtime:v2.0.0
• Build submodule switched from https://github.com/upbound/build to https://github.com/crossplane/build
• Build and CI versions updated to similar versions used in more recent Crossplane ecosystem projects, e.g. golang 1.23.2, ubuntu-24.04 runners, etc.
• Additional CI checks have been added such as codeql and trivy-scan-fs
• Added many common test helpers like CreateNamespace and TestResourceRefs

Test case high level areas of coverage:

• API Extensions - Modern (v2)
  • TestCompositeResourceDefinitionNamespace: Creates and validates a namespaced XRD and
    verifies it generates conformant CRDs for composite resources
  • TestCompositeResourceDefinitionCluster: Creates and validates a cluster-scoped XRD and
    verifies it generates conformant CRDs for composite resources
  • TestCompositeResourceNamespace: Tests end-to-end namespaced composite resource
    functionality with a function pipeline
  • TestCompositeResourceCluster: Tests end-to-end cluster-scoped composite resource
    functionality with a function pipeline
• API Extensions - Legacy (v1)
  • TestCompositeResourceDefinitionLegacy: Validates legacy XRDs create conformant CRDs for
    both composite resources and claims
  • TestCompositeResourceLegacy: Tests end-to-end legacy composite resource and claim
    functionality using a function pipeline
• Packages
  • Configurations
    • TestConfiguration: Validates Configuration package installation, health status, and expected resources
  • Providers
    • TestProvider: Validates Provider package installation, health status, expected resources (CRDs via MRDs)
  • Functions
    • TestFunction: Validates Function package installation, health status, and expected resources
• Crossplane CRDs
  • TestCustomResourceDefinitions: Verifies all core Crossplane CRDs exist with proper
    structure and categorization
• Usages
  • TestUsageProtectionNamespaced: Validates namespaced Usage objects properly protect
    resources from deletion while in use
  • TestUsageProtectionCluster: Validates ClusterUsage objects properly protect cluster-scoped
    resources from deletion while in use
  • TestUsageLegacy: Validates legacy Usage objects properly protect cluster-scoped resources from deletion
• Operations
  • TestOperation: Validates Operation execution and verifies applied resource references
  • TestWatchOperation: Tests WatchOperation functionality to detect resource changes and
    trigger operation pipelines
  • TestCronOperation: Tests CronOperation functionality to schedule and execute operation
    pipelines on a cron schedule

I have:

• Read and followed conformance's contribution process.
• Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

I have run all tests locally against a v2.0 Crossplane control plane with the following command:

❯ go test -v -run ^Test tests/*

I have also built the plugin and executed it against a v2.0 control plane with sonobouy:

CONFORMANCE_VERSION=v2.0.0
VERSION=${CONFORMANCE_VERSION} make build.all
docker tag build-ae964580/conformance-amd64 xpkg.crossplane.io/crossplane/conformance:${CONFORMANCE_VERSION}
kind load docker-image xpkg.crossplane.io/crossplane/conformance:${CONFORMANCE_VERSION} 

# update plugin-crossplane.yaml with:
# image: xpkg.crossplane.io/crossplane/conformance:v2.0.0-rc.0
# imagePullPolicy: Never

sonobuoy run --wait --plugin ./plugin-crossplane.yaml

Everything passes with the exception of TestConfiguration, which will not pass until we update index.docker.io/crossplane/conformance-testdata-configuration:latest after merging the CI changes included in the PR. I have gotten that test case to pass locally though by temporarily using xpkg.upbound.io/jaredorg/conformance-testdata-configuration:v0.0.1, which is essentially the same thing.

Future improvements to consider

Some improvements that are not included in this PR, but could be considered as follow-ups:

• setup Renovate to keep all dependencies and build tools up to date
• port the tests to use the same sigs.k8s.io/e2e-framework that crossplane uses for consistency and maintainability sake

[jbw976]

oh wow, off to a pretty poor start for the CI in https://github.com/crossplane/conformance/actions/runs/11259504031/job/31308621246?pr=31 🙄

GitHub Actions has encountered an internal error when running your job.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[jbw976]

@negz I've moved this PR out of draft after getting it to state I'm feeling decent about. I'll continue some more clean up work, but the bulk of what I wanted to accomplish here is now completed.

Let me know if you'd like a sync session to walk through these changes effectively together, or how I can help make your review easier. Thank you! 🙇

[negz]

LGTM overall. None of my comments are blocking - I think this is worth merging to modernize these ancient tests.

port the tests to use the same sigs.k8s.io/e2e-framework that crossplane uses for consistency and maintainability sake

I think we should consider deduping these conformance tests with the E2E tests. I could imagine keeping both under c/c test/e2e directory. I suspect we could use labels such that conformance tests only ran a subset of the E2E tests (plus some conformance specific tests)?

The conformance test for distros of Crossplane would then become "must pass the c/c E2E suite with --label type=conformance. I suspect this'd reduce duplication and ongoing maintenance burden.

[negz]

I wonder if we should test that you can't do legacy stuff (e.g. use claims) when using v2 style XRs. e.g. Test hat only LegacyCluster XRs make claim CRDs.

[jbw976]

good idea! i'll include a test case for this as well, to ensure that modern XRDs do not produce claim CRDs.

[negz]

Nit: This doesn't match the actual test name.

[negz]

This particular test does seem a little low value without actually doing this. 🤔

The CRD could be completely different schematically, as long as it was e.g. cluster scoped and in the right categories.

[jbw976]

That's a fair point - I do like though that it is at least verifying the entire expected API surface area. This test will fail if a distribution doesn't have all the required APIs, which has some value in testing.

[jbw976]

I think we should consider deduping these conformance tests with the E2E tests.

this sounds like a good idea for long term maintenance. We would lose (i think) the current UX that is standard for Kubernetes conformance too where folks basically just have to execute sonobuoy run and everything is deployed/executed/processed with a nice results format output for them. For a distributor, that is a nice experience.

I'm not sure exactly what the experience would be for running conformance if it was part of e2e tests, but it probably has a slightly higher burden, like maybe checking out the c/c repo and then an earthly +e2e with relevant arguments? Haven't thought about it much yet, but I will capture this in an issue on this repo 🤓

edit: ah, we have a tracking issue already with #15

[jbw976]

I pushed another commit to add a new verification that modern XRDs do not create claim CRDs. I've incoporated/responded to all the feedback here, so I'll go ahead and merge now if CI is green 🙏

Thanks for the review @negz!