feat: add promtool validation for golden files

[Arpit529Srivastava]

Description

This PR adds promtool validation for golden files to catch invalid Prometheus configurations early. currently unit tests only compare generated configs against expected golden files (string comparison) but don't validate if the config is actually valid according to Prometheus schema.
This would have caught bugs like #7196 where fallback_scrape_protocol was incorrectly placed in the global config section.

Closes: #7201

If you're contributing for the first-time, check our contribution guidelines.

Type of change

What type of changes does your code introduce to the Prometheus operator? Put an x in the box that apply.

• CHANGE (fix or feature that would cause existing functionality to not work as expected)
• FEATURE (non-breaking change which adds functionality)
• BUGFIX (non-breaking change which fixes an issue)
• ENHANCEMENT (non-breaking change which improves existing functionality)
• NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Verification

Please check the Prometheus-Operator testing guidelines for recommendations about automated tests.

# Run locally (requires promtool installed)
go test -v -tags=promtool ./pkg/prometheus/ -run TestPromtoolGoldenFiles

Changelog entry

[FEATURE] Add promtool validation for golden files to catch invalid Prometheus configurations early. (#7201)

[Arpit529Srivastava]

cc: @slashpai
the ci failure for promtool is expected as it is catching the issue. some golden files are test fixtures with intentionally invalid data.
should i skip known test fixtures or should these golden files be fixed?

[slashpai]

cc: @slashpai the ci failure for promtool is expected as it is catching the issue. some golden files are test fixtures with intentionally invalid data. should i skip known test fixtures or should these golden files be fixed?

Hi @Arpit529Srivastava 👋🏻

Thank you for the PR, I will take a look at this today

Since some of the work is done in #7381 can you add @heliapb as Co-Authored By to the PR commit?

[Arpit529Srivastava]

Hi @Arpit529Srivastava 👋🏻

Thank you for the PR, I will take a look at this today

Since some of the work is done in #7381 can you add @heliapb as Co-Authored By to the PR commit?

sure.

[simonpasquier]

Can we add this to the Makefile so the check is also performed locally? E.g. running make tests-unit or make test-long should have a dependency which verifies the validity of the golden files.

[Arpit529Srivastava]

@simonpasquier , i'll add a test-promtool target. should it be a dependency of test-long or test-unit?

[slashpai]

nit: let's remove master branch as we don't use it

[slashpai]

Since each golden file validation is independent, lets add t.Parallel() after the Run()

[slashpai]

Instead of manually doing this we can use testing package's TempDir which will do autoclean up as well

tmpDir := t.TempDir()
tmpFile := filepath.Join(tmpDir, "config.yaml")
if err := os.WriteFile(tmpFile, content, 0644); err != nil {
	t.Fatalf("failed to write temp file: %v", err)
}

cmd := exec.Command("promtool", "check", "config", tmpFile)
	output, err := cmd.CombinedOutput()
	if err != nil {
		t.Errorf("promtool validation failed:\n%s", string(output))
	}

[slashpai]

t.Skipf already causes test to skip

Suggested change

	if !bytes.HasPrefix(bytes.TrimSpace(content), []byte("global:")) {
	if !bytes.HasPrefix(bytes.TrimSpace(content), []byte("global:")) {
	t.Skipf("skipping partial config: %s", file)
	}

[Arpit529Srivastava]

Done

[slashpai]

We may need a step to extract latest from compatibility matrix

prometheus-operator/pkg/operator/defaults.go

Line 42 in 8b72a71

DefaultPrometheusVersion = PrometheusCompatibilityMatrix[len(PrometheusCompatibilityMatrix)-1]

[Arpit529Srivastava]

@slashpai made the requested changes. PTAL
let me know if i miss anything.
Thank you.

[slashpai]

The steps in this could go as a Makefile target something say test-goldenfiles so we can utilize it locally also and in actions can call the make command directly

[Arpit529Srivastava]

done with the changes.

[Arpit529Srivastava]

@slashpai PTAL

[simonpasquier]

I would follow the same pattern we have for other "tools" and add github.com/prometheus/prometheus/cmd/promtool to scripts/tools.go.

[simonpasquier]

can we simply run promtool check config pkg/prometheus/testdata/*?

[Arpit529Srivastava]

i’ve added the test-goldenfiles makefile target and updated tools.go as requested. about removing promtool_test.go: running promtool on all files fails for partial configs. i can drop the test file and instead use grep in the makefile to only run it on valid configs (starting with global:). does that sound better than keeping the test?

[simonpasquier]

What if we add a marker comment to the golden file to signal that it's not a Prometheus config file?

#skip-promtool-verification

Another option is to move the few problematic files to a sub-directory under testdata/.

We also have a few tests calling generateK8SSDConfig() which could be updated to call GenerateServerConfiguration() instead.

[Arpit529Srivastava]

@slashpai @simonpasquier
using skip markers breaks existing golden tests and fixing the tests would require significant refactoring to make partial configs valid. moving the partial configs is the cleanest approach. i’ll move the 12 partial config files to pkg/prometheus/testdata/partial/ and update their references in promcfg_test.go.
thank u

[Arpit529Srivastava]

@slashpai @simonpasquier

• added promtool to scripts/tools.go
• replaced the test with promtool check config in the Makefile
• moved partial configs to testdata/partial/

let me know if anything else needs changes.
thank you.

[slashpai]

Lets add PROMTOOL_BINARY=$(TOOLS_BIN_DIR)/promtool after

prometheus-operator/Makefile

Line 49 in 3bff673

PROMLINTER_BINARY=$(TOOLS_BIN_DIR)/promlinter

to follow approach as other tools and include it in

prometheus-operator/Makefile

Line 54 in 3bff673

TOOLING=$(CONTROLLER_GEN_BINARY) $(GOBINDATA_BINARY) $(JB_BINARY) $(GOJSONTOYAML_BINARY) $(JSONNET_BINARY) $(JSONNETFMT_BINARY) $(SHELLCHECK_BINARY) $(PROMLINTER_BINARY) $(GOLANGCILINTER_BINARY) $(MDOX_BINARY) $(API_DOC_GEN_BINARY) $(GOLANGCIKUBEAPILINTER_BINARY)

[slashpai]

Suggested change

	test-goldenfiles: $(TOOLS_BIN_DIR)/promtool
	test-goldenfiles: $(PROMTOOL_BINARY)

[slashpai]

Suggested change

	-@$(TOOLS_BIN_DIR)/promtool check config pkg/prometheus/testdata/*.golden 2>&1 | tee /dev/stderr | grep -c "SUCCESS" | xargs -I {} echo "{} golden files passed promtool validation"
	-$(PROMTOOL_BINARY) check config pkg/prometheus/testdata/*.golden 2>&1 | tee /dev/stderr | grep -c "SUCCESS" | xargs -I {} echo "{} golden files passed promtool validation"

[slashpai]

we can add this as new job check-goldenfiles in existing workflow checks.yaml

prometheus-operator/.github/workflows/checks.yaml

Line 103 in 3bff673

[slashpai]

Can you also add about the new make file target make test-goldenfiles in TESTING.md explaining its use and partial configs as well.

[slashpai]

Since only testing prometheus golden files here may be name it as test-prometheus-goldenfiles and later when other packages are added create test-goldenfiles as aggregate target

[Arpit529Srivastava]

addressed all the requested changes

[Arpit529Srivastava]

@slashpai PTAL.
Thank you for addressing.

[slashpai]

nit: do we need this?

I am not sure other tools works without it right?

[Arpit529Srivastava]

you're right - it's not needed.
removed it.

[slashpai]

lgtm

I would have @simonpasquier also take a look

[Arpit529Srivastava]

I'd prefer to enforce strict validation first (as I wrote earlier I already spotted a bug about gce_sd_configs). To avoid the PR growing too much, I'd be ok if you fix any issue found by promtool in separate PRs which we can merge before this one.

For partials, I'd also recommend that we update the existing tests to build full configurations which could be passed to promtool. You can also submit individual PRs to migrate the tests first.

Again thanks for the work, I think that it's very valuable!

thanks for the guidance @simonpasquier @slashpai!

here’s my plan:

bug fixes

• pr1: fix the gce_sd_config → gce_sd_configs bug

test migrations (convert partials to full configs)

• pr2: alertmanager config tests (~10 files)
• pr3: sd config tests (k8s, azure, etc.) (~30 files)
• pr4: remotewrite config tests (~10 files)
• pr5: servicemonitor / podmonitor tests (~15 files)
• pr6: remaining tests (~15 files)

final

• this pr: enable strict validation once the above are merged

i’ll start with the gce_sd_configs fix and send it shortly.

[Arpit529Srivastava]

@slashpai @heliapb @simonpasquier when you get a chance, could you do a final review? From my side it looks like the promtool issue is resolved.
thanks :)

[slashpai]

Good work on this
lgtm

[Arpit529Srivastava]

@simonpasquier a gentle ping, thanks :)

[simonpasquier]

(nit) maybe have a more generic stance since we have more than these 2 directories (e.g. testdata subdirectories aren't checked because they contain either configuration fragments or legacy configurations).

[simonpasquier]

can we use the same mechanism as we have for other tools (e.g. add the command to scripts/tools.go)?

[Arpit529Srivastava]

adding promtool to tools.go will significantly increase the dependency footprint in go.mod (roughly 100+ extra packages). cuz prometheus pulls in a wide range of service discovery clients and integrations for multiple cloud providers like aws, azure, gcp, digital ocean, hetzner and others.

[Arpit529Srivastava]

that's why i was initially hesitant to add it to tool.go and went with the binary download approach instead.

[Arpit529Srivastava]

should i go ahead and add it to tools.go for consistency with the other tools, or would you prefer to stick with the binary download approach? or if i am missing anything 🤔

[simonpasquier]

the additional dependencies will only show up in tools/go.mod which is acceptable.

[Arpit529Srivastava]

okay, done.

[Arpit529Srivastava]

@slashpai @simonpasquier final review and then ig we are good to go?..
thanks for reviewing :)

[simonpasquier]

thanks!