- Overview
- 1. Infrastructure Integration Tests (Shell Scripts)
- 2. FastAPI Application Tests (Pytest)
- Test Suite Overview
- 2.1 Caching Tests (
test_caching.py) - 2.2 Cache Demo Unit Tests (
test_cache_demo_unit.py) - 2.3 Circuit Breaker Tests (
test_circuit_breaker.py) - 2.4 CORS Tests (
test_cors.py) - 2.5 Database Demo Tests (
test_database_demo.py) - 2.6 Exception Handler Tests (
test_exception_handlers.py+test_exception_handlers_unit.py) - 2.7 Exception Hierarchy Tests (
test_exceptions.py) - 2.8 Health Router Tests (
test_health_routers.py) - 2.9 Rate Limiting Tests (
test_rate_limiting.py) - 2.10 Redis Cluster Tests (
test_redis_cluster.py) - 2.11 Request Validation Tests (
test_request_validation.py) - 2.12 Request Validators Tests (
test_request_validators.py) - 2.13 Router Unit Tests (
test_routers_unit.py) - 2.14 Vault Service Tests (
test_vault_service.py)
- 3. Shared Test Suite (API Parity Tests)
- Running Tests
- Test Dependencies
- Test Results Format
- Coverage Summary
- 4. Go Reference API
- Total Test Coverage
- Continuous Testing
- Test Quality Metrics
- CI/CD Considerations
- Future Test Improvements
- Documentation
This document describes the comprehensive test coverage for the DevStack Core infrastructure and reference applications.
The DevStack Core project has four distinct test suites and implementations:
- Infrastructure Tests (Shell scripts) - Test Docker containers, services, and integration
- FastAPI Application Tests (Pytest) - Test Python FastAPI reference application code
- Shared Test Suite (Pytest) - Validate code-first and API-first implementation parity
- Go Reference API (Manual testing + planned automated tests) - Go implementation with Gin framework
Total Coverage: 571+ tests across all components, plus Go manual validation
10 tests - Core infrastructure security and certificate management
- Vault container running
- Vault auto-unseal functionality
- Vault keys and token file existence
- PKI bootstrap (Root CA, Intermediate CA)
- Certificate roles for all services
- Service credentials stored in Vault
- PostgreSQL credentials validation
- Certificate issuance functionality
- CA certificate export
- Management script commands
What it validates:
- HashiCorp Vault operational
- PKI infrastructure properly configured
- Auto-unseal working correctly
- All service credentials stored
- Certificate issuance functional
~5 tests - PostgreSQL container, Vault credential integration, connectivity
- Container health and running state
- Vault credentials retrieval
- Database connectivity with Vault credentials
- PostgreSQL version query
- Configuration validation
~5 tests - MySQL container, Vault credential integration, connectivity
- Container health and running state
- Vault credentials retrieval
- Database connectivity with Vault credentials
- MySQL version query
- Configuration validation
~5 tests - MongoDB container, Vault credential integration, connectivity
- Container health and running state
- Vault credentials retrieval
- Database connectivity with Vault credentials
- MongoDB version query
- Configuration validation
12 tests - Comprehensive cluster configuration and operations
- All 3 Redis containers running
- Node reachability (PING test)
- Cluster mode enabled on all nodes
- Cluster initialization state (OK)
- All 16384 hash slots assigned
- 3 master nodes present
- Slot distribution across masters
- Data sharding functionality
- Automatic redirection with
-cflag - Vault password integration
- Comprehensive cluster health check
- Keyslot calculation
What it validates:
- Proper cluster initialization
- Complete slot coverage (16384 slots)
- Data distribution and retrieval
- Cross-node operations
- Vault-managed authentication
- Master-replica topology
~5 tests - RabbitMQ container, Vault credential integration, messaging functionality
- Container health and running state
- Vault credentials retrieval
- RabbitMQ connectivity
- Queue creation and messaging
- Management interface accessibility
14 tests - Container deployment and API endpoint testing
- FastAPI container running
- HTTP endpoint accessible (port 8000)
- HTTPS endpoint accessible when TLS enabled (port 8443)
- Health check endpoint (
/health/all)
-
Redis health check with cluster details
- Validates
cluster_enabled: true - Validates
cluster_state: ok - Validates
total_nodes: 3
- Validates
-
Redis cluster nodes API (
/redis/cluster/nodes)- Returns all 3 nodes
- All nodes have slot assignments
- Node IDs, roles, and slot ranges present
-
Redis cluster slots API (
/redis/cluster/slots)- 16384 total slots
- 100% coverage
- Slot distribution across masters
-
Redis cluster info API (
/redis/cluster/info)- Cluster state: ok
- All slots assigned
- Cluster statistics present
-
Per-node info API (
/redis/nodes/{node_name}/info)- Detailed node information
- Redis version present
- Cluster enabled flag correct
- Swagger UI accessible (
/docs) - OpenAPI schema valid and accessible (
/openapi.json)
- Vault integration (health check)
- Database connectivity (PostgreSQL, MySQL, MongoDB)
- RabbitMQ integration
What it validates:
- All Redis Cluster inspection APIs work correctly
- Dual HTTP/HTTPS support
- Health checks return cluster information
- All service integrations functional
- API documentation generated correctly
63 tests total - Comprehensive backup/restore system validation across 5 test suites
15 tests - Vault AppRole security and lifecycle management
- Vault container running
- Management policy creation with KV v2 paths
- AppRole auth method enabled
- AppRole role creation
- Role-ID retrieval
- Secret-ID generation
- AppRole token acquisition (login)
- Token TTL validation (15 min max)
- Token policy validation (management-policy)
- Secret read permissions (limited scope)
- Secret write restrictions (policy enforcement)
- Admin operation restrictions (prevents privilege escalation)
- Token self-inspection allowed
- AppRole configuration cleanup
- Security boundary validation
What it validates:
- AppRole authentication flow (role-id + secret-id → token)
- Policy-based authorization (limited permissions)
- Token lifecycle management (TTL, renewal)
- Security constraints (prevent privilege escalation)
- Vault API integration from host
See tests/test-approle-auth.sh:1
12 tests - Manifest generation and backup chain validation
- Full backup creates manifest.json
- Manifest contains timestamp (ISO 8601 format)
- Manifest contains backup type (full/incremental)
- Database file checksums (SHA256)
- Checksum format validation (sha256:...)
- File size tracking in bytes
- Backup duration tracking
- Incremental backup references full backup
- Backup chain integrity
- Multiple backup handling
- Manifest completeness validation
- Total size calculation
What it validates:
- JSON manifest structure and metadata
- SHA256 checksum generation for all database dumps
- Incremental backup chain tracking (parent references)
- Timestamp and size tracking
- Backup type differentiation
See tests/test-incremental-backup.sh:1
12 tests - GPG symmetric encryption with AES256
- GPG availability check
- Passphrase file creation with secure permissions (600)
- Encrypted backup creates .gpg files (no .sql)
- Manifest reflects encryption status (encrypted: true)
- Encrypted files can be decrypted
- Decrypted content matches original structure
- Unencrypted backups still work (encrypted: false)
- Encryption metadata complete (algorithm, method, original_file)
- Encryption algorithm verification (AES256)
- Encrypted files unreadable as plaintext
- Passphrase file permissions validation
- Original unencrypted files deleted (security)
What it validates:
- GPG symmetric encryption with AES256 cipher
- Passphrase file security (600 permissions)
- Encrypted files have .gpg extension
- Original .sql files deleted after encryption
- Manifest encryption metadata correct
- Decryption successful with correct passphrase
- Non-encrypted backups still supported
See tests/test-backup-encryption.sh:1
12 tests - Checksum-based integrity validation
- Verify command accepts backup ID
- Valid backup passes verification
- Corrupted file detected (checksum mismatch)
- Missing file detected
- Modified manifest detected
- Verification output format (shows all files)
- Exit code validation (0=pass, 1=fail)
- Encrypted backup verification
- Verification performance (<5 seconds)
- File size reporting in verification
- Extra unexpected files handling
- Verification with empty backup
What it validates:
- SHA256 checksum verification for all files
- Manifest integrity (no tampering)
- File presence validation
- Corruption detection
- Exit codes for automation
- Performance acceptable (<5s for typical backup)
- Works with both encrypted and unencrypted backups
See tests/test-backup-verification.sh:1
12 tests - Full restore workflow validation
- Restore command lists available backups
- Restore without backup ID shows table format
- Restore validates backup existence
- Restore validates backup ID format (YYYYMMDD_HHMMSS)
- Restore fails gracefully for nonexistent backup
- Restore detects encrypted backups (checks for .gpg)
- Restore requires passphrase for encrypted backups
- Restore decrypts files correctly
- Restore list format includes timestamps and types
- Encrypted file paths correct (.gpg extension)
- Directory structure validation
- Backup naming convention enforced
What it validates:
- List all backups with metadata (timestamp, type, encrypted)
- Validate backup ID format before restore
- Detect encryption and prompt for passphrase
- Decrypt encrypted backups before restore
- Exit codes for error conditions
- User-friendly table output for backup selection
- Complete end-to-end restore workflow
See tests/test-backup-restore.sh:1
Task 2.1 Test Summary:
- Total Tests: 63 (all passing, 100% pass rate)
- Coverage Areas: AppRole auth, incremental backups, encryption, verification, restore
- Security Testing: Passphrase permissions, encryption validation, policy enforcement
- Integration Testing: Vault API, GPG, manifest system, checksum validation
- Performance Testing: Verification speed, encryption overhead
Detailed Documentation: See docs/.private/TASK_2.1_TESTING.md for comprehensive test documentation, troubleshooting, and best practices.
145 tests total - Comprehensive security, performance regression, and load testing validation across 5 test suites
16 tests - Redis cluster resilience and failover validation
- Cluster initialized (16384 slots assigned)
- Cluster state is "ok"
- All 3 nodes are reachable
- Data writes work across cluster
- Cluster configuration correct
- Stop redis-1 node
- Cluster continues with 2 nodes
- Failover time validation (<5 seconds)
- Data consistency after failure
- Restart failed node
- Node rejoins cluster
- Cluster returns to healthy state
- Stop redis-2 node
- Cluster continues with remaining nodes
- Restart redis-2 node
- Final cluster health validation
What it validates:
- Cluster resilience to single node failure
- Automatic failover mechanisms
- Data consistency during failover
- Node rejoin process
- Cluster health restoration
See tests/test-redis-failover.sh:1
21 tests - Vault AppRole authentication validation and security boundary testing
- Invalid role_id fails authentication
- Invalid secret_id fails authentication
- Missing role_id fails authentication
- Missing secret_id fails authentication
- Valid PostgreSQL AppRole authentication
- Valid MySQL AppRole authentication
- Valid Redis AppRole authentication
- Valid MongoDB AppRole authentication
- Valid RabbitMQ AppRole authentication
- Valid Forgejo AppRole authentication
- Valid Reference API AppRole authentication
- PostgreSQL token has correct policy
- MySQL token has correct policy
- PostgreSQL token cannot access MySQL secrets
- MySQL token cannot access PostgreSQL secrets
- Token TTL is 1 hour (3600 seconds)
- Token is renewable
- Token has correct metadata
- Cross-service access prevention validation
- Policy enforcement validation
- Token capability validation
What it validates:
- AppRole authentication flow for all services
- Token policy enforcement
- Cross-service access prevention
- Token TTL and renewability
- Service-specific secret access
- Security boundaries
See tests/test-approle-security.sh:1
24 tests - TLS certificate and connection validation
- CA certificate exists
- CA certificate is valid X.509
- PostgreSQL TLS configuration (ssl=on)
- PostgreSQL certificates exist
- PostgreSQL dual-mode (TLS + non-TLS)
- MySQL TLS configuration (have_ssl=YES)
- MySQL certificates exist
- MySQL dual-mode (TLS + non-TLS)
- Redis node 1 TLS support
- Redis node 2 TLS support
- Redis node 3 TLS support
- Redis dual-mode via port 6379
- MongoDB TLS configuration
- MongoDB certificate verification
- MongoDB dual-mode support
- RabbitMQ non-TLS port 5672
- RabbitMQ TLS port 5671
- Reference API HTTP port 8000
- Reference API HTTPS port 8443
- Forgejo HTTP access
- Vault HTTP API
- CA certificate validity period
- PostgreSQL certificate validation
- MySQL certificate validation
What it validates:
- TLS certificate generation and deployment
- Service TLS configuration
- Dual-mode operation (TLS + non-TLS)
- Certificate validation
- Port configuration
See tests/test-tls-connections.sh:1
9 tests - Performance regression detection and threshold validation
- PostgreSQL TPS regression check (min: 6470 TPS)
- MySQL insert performance regression check (min: 122,000 rows/sec)
- MongoDB insert performance regression check (min: 83,978 docs/sec)
- Redis cluster performance regression check (min: 41,600 ops/sec)
- API health endpoint response time (p95 < 100ms)
- Database query response time (p95 < 50ms)
- Redis operation latency (p95 < 5ms)
- Vault operation latency (p95 < 20ms)
- Overall performance threshold validation
What it validates:
- Database performance maintained (20% regression tolerance)
- Cache performance maintained
- API response times acceptable
- Latency thresholds met (p95)
- Phase 3 optimizations sustained
See tests/test-performance-regression.sh:1
7 tests - System behavior under various load conditions
- Sustained load test (100 concurrent users, 60 seconds)
- Spike load test (500 concurrent users, 10 seconds)
- Gradual ramp test (10 → 200 users over 120 seconds)
- Database load test (1000 concurrent queries)
- Cache load test (10,000 concurrent operations)
- Resource usage monitoring during load
- Overall load handling validation
What it validates:
- System handles sustained concurrent load
- Spike load tolerance (error rate < 1%)
- Graceful scaling with gradual load increase
- Database concurrency (success rate > 99%)
- Cache concurrency handling
- Resource usage under load (CPU < 80%, Memory < 500MB)
Phase 3 Test Summary:
- Total Tests: 77 (new: 16 failover + 21 AppRole + 24 TLS + 9 performance + 7 load)
- Coverage Areas: Security, performance, resilience, load handling
- Security Testing: AppRole authentication, TLS connections, certificate validation
- Performance Testing: Regression detection, latency validation, throughput testing
- Resilience Testing: Cluster failover, node recovery, data consistency
- Load Testing: Sustained load, spike load, gradual ramp, concurrency
Location: reference-apps/fastapi/tests/
Total Tests: 254 tests
- Executed: 178 unit tests (100% pass rate)
- Skipped: 76 integration tests (require full infrastructure)
Code Coverage: 84.39% (exceeds 80% requirement)
Test Framework: pytest with async support, mocking, and coverage reporting
23 tests - Cache middleware and operations
- Basic cache key generation with function name and path params
- Cache keys with query parameters (sorted for consistency)
- Namespace prefixes for cache organization
- Long key hashing (>200 chars → MD5 hash)
- Cache key consistency across requests
- Redis connection initialization
- Graceful failure handling when Redis unavailable
- Connection cleanup on shutdown
- Clear all cache entries functionality
- Pattern-based cache invalidation (wildcards)
- No-match pattern handling
- Specific key invalidation
- Non-existent key handling
- Cache consistency across requests
- Backend call reduction verification
- Different params = different cache keys
- Health endpoint caching behavior
- TTL configuration (5min for Vault, 30s for health)
- Cache expiration behavior
- Prometheus metrics (hits/misses/invalidations)
- Redis client operations (get/set/delete)
11 tests - Cache router operations
- Get existing value from cache
- Get nonexistent value (returns null)
- Get value with no expiration
- Set value without TTL
- Set value with TTL
- Delete existing key
- Delete nonexistent key
- Redis connection error handling
- Get Redis client initialization
10 tests - Circuit breaker pattern implementation
- Circuit open event listener
- Circuit half-open event listener
- Circuit close event listener
- Circuit failure event listener
- Prometheus metrics existence
- Service label in metrics
- Circuit breaker creation
- Opens after threshold failures (5)
- Prevents calls when open
- Allows successful calls
- Middleware integration with FastAPI
13 tests - Cross-Origin Resource Sharing
- Content-Type header allowed
- Authorization header allowed
- Basic OPTIONS request handling
- POST method preflight
- Custom header preflight
- Max-Age header presence
- GET method allowed
- POST method allowed
- DELETE method allowed
- localhost origin allowed
- No origin header works
- CORS with rate limiting
- Consistent CORS across requests
9 tests (6 skipped - require infrastructure)
- Query success (SKIPPED - requires DB)
- Connection failure handling
- Vault credential failure
- Query success (SKIPPED - requires DB)
- Connection failure handling
- Vault credential failure
- Query success (SKIPPED - requires DB)
- Connection failure handling
- Vault credential failure
35 tests - Exception handling and error responses
- 503 responses for Vault unavailability
- 404 responses for resource not found
- 422 responses for validation errors
- Retry suggestions in service unavailable responses
- Request ID tracking in error responses
- Error detail preservation in responses
- Error logging with context
- Debug mode behavior (show/hide stack traces)
- Prometheus error counter metrics
- Unhandled exception handling
- HTTP exception conversion
- Custom exception handler registration
- BaseAPIException formatting
- ServiceUnavailableError handling
- ValidationError formatting
- ResourceNotFoundError handling
- Request validation error conversion
- Error response structure
20 tests - Exception classes and inheritance
- VaultUnavailableError with secret paths
- DatabaseConnectionError with connection details
- CacheConnectionError initialization
- ValidationError with field details
- ResourceNotFoundError with resource info
- AuthenticationError handling
- RateLimitError with retry-after headers
- CircuitBreakerError with service names
- TimeoutError with operation details
- All exceptions inherit from BaseAPIException
- Service exceptions inherit from ServiceUnavailableError
- VaultUnavailableError
- DatabaseConnectionError
- CacheConnectionError
- MessageQueueError
- CircuitBreakerError
- TimeoutError uses 504 Gateway Timeout status
- Exception to_dict() serialization
- Service-specific error details
- HTTP error code mapping
- Error message formatting
- Status code validation
- Details dictionary handling
18 tests - Health check endpoints
- Vault health check
- PostgreSQL health check
- MySQL health check
- MongoDB health check
- Redis health check
- RabbitMQ health check
- All services healthy response
- Individual service failure detection
- Overall status calculation (healthy/degraded)
- Response time tracking
- Health endpoint format
- Metrics generation
- Partial outage handling
- Complete outage handling
- Degraded service detection
- Cache health status
- Service dependency tracking
- Health check timeouts
8 tests - Request rate limiting
- Rate limit enforcement
- 429 status code on limit exceeded
- Retry-After header presence
- Rate limit reset after time window
- Different endpoints separate limits
- Sliding window algorithm
- Prometheus rate limit metrics
- Rate limit headers in response (X-RateLimit-*)
15 tests (10 skipped - require cluster)
- Get cluster nodes
- Get cluster info
- Get cluster slot distribution
- Get individual node info
- Cluster failover testing
- Slot rebalancing
- Master-replica verification
- Cluster state validation
- Node health checks
- Cluster topology
- Cluster node retrieval
- Connection failure handling
- Cluster info parsing
- Invalid node handling
- Error response formatting
15 tests - Input validation and sanitization
- Valid cache key format
- Invalid special characters rejection
- Valid service names
- Invalid service names
- Path traversal prevention
- Null byte injection prevention
- Service name lowercase conversion
- Whitespace trimming
- Special character removal
- Maximum length enforcement
- JSON content type validation
- Invalid content type rejection
- Missing content type handling
- Valid parameter ranges
- Invalid parameter values
Tests - Pydantic model validation
- ServiceNameParam validation
- CacheKeyParam validation
- QueueNameParam validation
- SecretKeyParam validation
- Value size limits
- TTL range validation
30+ tests - Individual router unit tests
- Get existing value
- Get nonexistent value
- Set value without TTL
- Set value with TTL
- Delete existing key
- Delete nonexistent key
- Redis error handling
- Get Redis client
- Value expiration
- Cache statistics
- Pattern matching
- Get vault secret
- Get vault secret with key
- PostgreSQL queries (1 SKIPPED)
- MySQL queries (1 SKIPPED)
- MongoDB queries (unit test)
- Publish message
- Publish failure handling
- Consume messages (SKIPPED)
- Get cluster nodes
- Connection failure handling
- Cluster info parsing
- Invalid node errors
17 tests - Vault client implementation
- Successful secret retrieval
- Retrieve specific key from secret
- 404 handling (secret not found)
- 403 handling (permission denied)
- Key not found in secret
- Connection timeout handling
- Connection error handling
- HTTP error handling
- Unexpected error handling
- Healthy Vault status
- Sealed Vault detection
- Uninitialized Vault detection
- Standby node detection
- Connection error handling
- Client initialization with settings
- End-to-end secret retrieval flow
- End-to-end error handling flow
Location: reference-apps/shared/test-suite/
Total Test Runs: 26 (16 test functions, parametrized to run against both APIs)
Purpose: Validate that the code-first and API-first implementations maintain 100% behavioral equivalence.
Test Framework: pytest with async support, parametrized fixtures, and deep comparison
Tests that run against both implementations independently using parametrized fixtures.
How it works:
- Single test function decorated with
api_urlfixture - Pytest automatically runs it twice: once for code-first (port 8000), once for API-first (port 8001)
- Validates each implementation independently
Example:
async def test_health_check(self, api_url, http_client):
# This test runs twice automatically
response = await http_client.get(f"{api_url}/health/")
assert response.status_code == 200Tests that directly compare responses from both APIs to ensure identical behavior.
How it works:
- Test receives both API URLs via
both_api_urlsfixture - Makes requests to both implementations
- Compares responses for exact matches
Example:
async def test_responses_match(self, both_api_urls, http_client):
code_first = await http_client.get(f"{both_api_urls['code-first']}/health/")
api_first = await http_client.get(f"{both_api_urls['api-first']}/health/")
assert code_first.json() == api_first.json()7 test runs (4 test functions)
-
Simple health check (
test_simple_health_check)- Runs against both APIs (2 runs)
- Validates
/health/endpoint returns 200 with{"status": "ok"}
-
Health response structure (
test_health_response_structure)- Runs against both APIs (2 runs)
- Validates response is dict with string status field
-
Vault health check (
test_vault_health_check)- Runs against both APIs (2 runs)
- Validates
/health/vaultreturns healthy/unhealthy status
- Health responses match (
test_health_responses_match)- Direct comparison between both APIs
- Ensures identical health response structure and content
19 test runs (12 test functions)
- Root endpoint returns info - Parametrized (2 runs)
- Validates presence of name, version, description
- Root endpoint structure matches - Comparison (1 run)
- Ensures both APIs return identical top-level keys
- OpenAPI endpoint accessible - Parametrized (2 runs)
- Validates
/openapi.jsonreturns valid OpenAPI spec
- Validates
- OpenAPI specs match - Comparison (1 run)
- Ensures both APIs expose identical paths
- OpenAPI version format - Parametrized (2 runs)
- Validates OpenAPI 3.x.x version format
- Vault secret endpoint structure - Parametrized (2 runs)
- Validates
/examples/vault/secret/{path}error handling
- Validates
- Cache GET endpoint exists - Parametrized (2 runs)
- Validates
/examples/cache/{key}endpoint
- Validates
- Cache endpoints have same behavior - Comparison (1 run)
- Ensures identical response structure for cache operations
- Metrics endpoint accessible - Parametrized (2 runs)
- Validates
/metricsreturns Prometheus format
- Validates
- Metrics format matches - Comparison (1 run)
- Ensures both APIs return same Prometheus format
- 404 response format - Parametrized (2 runs)
- Validates consistent 404 error structure
- 404 responses match - Comparison (1 run)
- Ensures identical 404 error responses
@pytest.fixture(params=[CODE_FIRST_URL, API_FIRST_URL])
def api_url(request):
"""Parametrized fixture - tests run twice, once per API"""
return request.param
@pytest.fixture
async def both_api_urls():
"""Fixture providing both URLs for comparison tests"""
return {
"code-first": CODE_FIRST_URL,
"api-first": API_FIRST_URL
}
@pytest.fixture
async def http_client():
"""Async HTTP client for making API requests"""
async with httpx.AsyncClient() as client:
yield client[pytest]
markers =
parity: Tests that run against both implementations
comparison: Tests that compare both implementations
health: Health check related tests| Area | Parity Tests | Comparison Tests | Total Runs |
|---|---|---|---|
| Root Endpoint | 1 × 2 | 1 | 3 |
| OpenAPI Spec | 2 × 2 | 1 | 5 |
| Health Checks | 3 × 2 | 1 | 7 |
| Vault Integration | 1 × 2 | 0 | 2 |
| Cache Operations | 1 × 2 | 1 | 3 |
| Metrics | 1 × 2 | 1 | 3 |
| Error Handling | 1 × 2 | 1 | 3 |
| Total | 10 × 2 | 6 | 26 |
Both APIs must be running:
# Start both implementations
docker compose up -d reference-api api-first
# Verify both are healthy
curl http://localhost:8000/health/
curl http://localhost:8001/health/cd reference-apps/shared/test-suite
pip install -r requirements.txt
pytest -vtest_health_checks.py::TestHealthEndpoints::test_simple_health_check[code-first] PASSED
test_health_checks.py::TestHealthEndpoints::test_simple_health_check[api-first] PASSED
test_health_checks.py::TestHealthParity::test_health_responses_match PASSED
test_api_parity.py::TestRootEndpoint::test_root_endpoint_returns_info[code-first] PASSED
test_api_parity.py::TestRootEndpoint::test_root_endpoint_returns_info[api-first] PASSED
...
========================== 26 passed in 2.34s ===========================
# Health checks only
pytest -v -m health
# Parity tests only
pytest -v -m parity
# Comparison tests only
pytest -v -m comparisonEndpoint Consistency:
- ✅ Identical endpoint paths
- ✅ Identical response structures
- ✅ Identical status codes
- ✅ Identical error handling
API Contract:
- ✅ OpenAPI specifications match
- ✅ Request/response formats identical
- ✅ Content-Type headers consistent
- ✅ Error response formats match
Behavioral Equivalence:
- ✅ Health checks return same information
- ✅ Cache operations behave identically
- ✅ Metrics format is consistent
- ✅ 404 errors formatted the same
Integration Points:
- ✅ Vault integration consistent
- ✅ Database access patterns match
- ✅ Cache behavior identical
- ✅ All service integrations work
The shared test suite enforces:
- 100% pass rate - All 26 tests must pass
- No manual sync - Automated validation prevents drift
- CI/CD integration - Tests run on every commit
- Continuous parity - Both implementations stay synchronized
Current Status: ✅ 26/26 tests passing (100% parity achieved)
When adding new endpoints to either implementation:
- Update OpenAPI spec (
reference-apps/shared/openapi.yaml) - Implement in code-first (
reference-apps/fastapi/) - Implement in API-first (
reference-apps/fastapi-api-first/) - Add parity test to validate endpoint on both implementations
- Add comparison test if responses must be byte-for-byte identical
- Run shared test suite - must achieve 100% pass rate
- Update documentation (this file, README files)
./tests/run-all-tests.shThis runs all test suites in sequence and provides a comprehensive summary.
# Infrastructure
./tests/test-vault.sh
# Databases
./tests/test-postgres.sh
./tests/test-mysql.sh
./tests/test-mongodb.sh
# Cache & Messaging
./tests/test-redis-cluster.sh
./tests/test-rabbitmq.sh
# Application Container
./tests/test-fastapi.shcd reference-apps/fastapi
pytest tests/ -vpytest tests/ --cov=app --cov-report=html --cov-report=termpytest tests/test_vault_service.py -vpytest tests/test_vault_service.py::TestVaultClientGetSecret::test_get_secret_success -vpytest tests/ -v -m unitpytest tests/ -v -m integrationcurl- HTTP client (usually pre-installed)jq- JSON processor# macOS brew install jq # Ubuntu/Debian apt-get install jq
docker- Container runtime (via Colima)docker-compose- Container orchestration
cd reference-apps/fastapi
pip install -r requirements.txtIncludes:
pytest- Test frameworkpytest-asyncio- Async test supportpytest-cov- Coverage reportingpytest-mock- Mocking utilitieshttpx- HTTP client for testingfastapi[all]- FastAPI with all extras
Each shell script test suite provides:
- Real-time test execution output
- Color-coded pass/fail indicators (green ✓ / red ✗)
- Summary with total tests, passed, and failed counts
- List of failed tests (if any)
Example output:
=========================================
FastAPI Reference App Test Suite
=========================================
[TEST] Test 1: FastAPI container is running
[PASS] FastAPI container is running
[TEST] Test 5: Redis health check with cluster details
[PASS] Redis health shows cluster enabled with 3 nodes in ok state
[TEST] Test 7: Redis cluster slots API endpoint
[PASS] Redis cluster slots API shows 100% coverage (16384 slots)
=========================================
Test Results
=========================================
Total tests: 14
Passed: 13
✓ All FastAPI tests passed!
============================= test session starts ==============================
collected 254 items
tests/test_caching.py::TestCacheKeyGeneration::test_generate_cache_key_basic PASSED [ 0%]
tests/test_caching.py::TestCacheKeyGeneration::test_generate_cache_key_with_query_params PASSED [ 1%]
...
tests/test_vault_service.py::TestVaultServiceIntegration::test_vault_error_handling_flow PASSED [100%]
---------- coverage: platform linux, python 3.11.14-final-0 ----------
Name Stmts Miss Cover Missing
--------------------------------------------------------------------
app/__init__.py 0 0 100%
app/config.py 22 0 100%
app/exceptions.py 86 0 100%
...
--------------------------------------------------------------------
TOTAL 974 152 84%
Required test coverage of 80% reached. Total coverage: 84.39%
================= 178 passed, 76 skipped, 6 warnings in 1.76s ==================
| Component | Test Suite | Tests | Coverage |
|---|---|---|---|
| Vault | test-vault.sh | 10 | PKI, secrets, certificates, auto-unseal |
| AppRole Auth | test-approle-auth.sh | 15 | AppRole flow, policies, security boundaries |
| PostgreSQL | test-postgres.sh | ~5 | Container, credentials, connectivity |
| MySQL | test-mysql.sh | ~5 | Container, credentials, connectivity |
| MongoDB | test-mongodb.sh | ~5 | Container, credentials, connectivity |
| Redis Cluster | test-redis-cluster.sh | 12 | Cluster init, slots, sharding, failover |
| RabbitMQ | test-rabbitmq.sh | ~5 | Container, credentials, messaging |
| FastAPI Container | test-fastapi.sh | 14 | Container, APIs, health, cluster endpoints |
| Incremental Backup | test-incremental-backup.sh | 12 | Manifests, checksums, backup chains |
| Backup Encryption | test-backup-encryption.sh | 12 | GPG/AES256, passphrase security |
| Backup Verification | test-backup-verification.sh | 12 | Integrity checking, corruption detection |
| Backup Restore | test-backup-restore.sh | 12 | Restore workflow, decryption |
Subtotal: 196 infrastructure tests (56 original + 63 Task 2.1 + 77 Phase 3)
| Category | Tests | Coverage |
|---|---|---|
| Caching | 34 | Cache middleware, operations, keys, invalidation |
| Circuit Breakers | 10 | Pattern implementation, metrics, events |
| CORS | 13 | Headers, preflight, methods, origins |
| Databases | 9 | PostgreSQL, MySQL, MongoDB integration |
| Exception Handling | 55 | Handlers, hierarchy, formatting, errors |
| Health Checks | 18 | Service health, aggregation, metrics |
| Rate Limiting | 8 | IP-based limits, throttling, headers |
| Redis Cluster | 15 | Cluster ops, nodes, slots, info |
| Request Validation | 15+ | Input validation, sanitization, types |
| Routers | 30+ | Cache, vault, database, messaging routers |
| Vault Service | 17 | Secret retrieval, health checks, errors |
Subtotal: 178 executed unit tests (76 integration tests skipped)
Code Coverage: 84.39%
| Category | Test Runs | Coverage |
|---|---|---|
| Health Checks | 7 | Simple health, structure, Vault health, response matching |
| Root Endpoint | 3 | API info, structure consistency |
| OpenAPI Spec | 5 | Spec access, matching, version format |
| Vault Endpoints | 2 | Error handling, endpoint structure |
| Cache Endpoints | 3 | GET operations, behavior consistency |
| Metrics | 3 | Prometheus format, endpoint access |
| Error Handling | 3 | 404 format, response consistency |
Subtotal: 26 parity test runs (16 test functions, parametrized across both APIs)
Location: reference-apps/golang/
Implementation Status: ✅ Complete and tested
Purpose: Demonstrate language-agnostic infrastructure integration patterns using Go and the Gin web framework.
The Go reference API provides a production-ready implementation showcasing:
- Vault Integration: HashiCorp Vault client for secrets management
- Database Connectivity: PostgreSQL (pgx/v5), MySQL (go-sql-driver), MongoDB (mongo-driver)
- Caching: Redis cluster operations with go-redis/v9
- Messaging: RabbitMQ integration with amqp091-go
- Health Checks: Comprehensive service health monitoring
- Redis Cluster Management: Full cluster inspection and node monitoring
- Concurrency: Goroutines for concurrent health checks
- Context Propagation: Proper context.Context usage throughout
- Graceful Shutdown: Signal handling (SIGINT/SIGTERM) with clean termination
- Structured Logging: Logrus with JSON formatting and request ID correlation
- Type Safety: Strong typing with explicit error handling
- Prometheus Metrics: Native Go Prometheus client integration
Container: golang-api (dev-golang-api)
Ports: 8002 (HTTP), 8445 (HTTPS)
Framework: Gin v1.9.1
Go Version: 1.21
| Endpoint | Method | Description |
|---|---|---|
/ |
GET | API information and endpoint discovery |
/health/ |
GET | Simple health check (no dependencies) |
/health/all |
GET | Aggregate health (concurrent checks) |
/health/vault |
GET | Vault connectivity and status |
/health/postgres |
GET | PostgreSQL connection test |
/health/mysql |
GET | MySQL connection test |
/health/mongodb |
GET | MongoDB connection test |
/health/redis |
GET | Redis cluster health |
/health/rabbitmq |
GET | RabbitMQ connectivity |
/examples/vault/secret/:service_name |
GET | Retrieve service secrets |
/examples/vault/secret/:service_name/:key |
GET | Retrieve specific secret key |
/examples/database/postgres/query |
GET | PostgreSQL query example |
/examples/database/mysql/query |
GET | MySQL query example |
/examples/database/mongodb/query |
GET | MongoDB query example |
/examples/cache/:key |
GET | Get cache value |
/examples/cache/:key |
POST | Set cache value with TTL |
/examples/cache/:key |
DELETE | Delete cache key |
/redis/cluster/nodes |
GET | List all cluster nodes |
/redis/cluster/slots |
GET | Slot distribution |
/redis/cluster/info |
GET | Cluster information |
/redis/nodes/:node_name/info |
GET | Detailed node information |
/examples/messaging/publish/:queue |
POST | Publish message to queue |
/examples/messaging/queue/:queue_name/info |
GET | Queue information |
/metrics |
GET | Prometheus metrics |
Test Date: 2025-10-27
-
Root Endpoint (
/)- Returns comprehensive API information
- Lists all available endpoint categories
- Includes security configuration details
-
Simple Health Check (
/health/)- Returns
{"status": "ok"} - No external dependencies
- Fast response (<5ms)
- Returns
-
Vault Health Check (
/health/vault)- Successfully connects to Vault
- Returns initialization status, seal status, version
- Proper error handling
-
Aggregate Health Check (
/health/all)- Uses goroutines for concurrent service checks
- Returns health status for all available services
- Fast execution with parallel checks
-
Prometheus Metrics (
/metrics)- Exposes Go runtime metrics (goroutines, memory, GC)
- Standard Prometheus format
- HTTP request counters and histograms
Database and cache endpoints properly return errors when Vault secrets are missing:
/health/postgres- Returns "secret not found" error (correct behavior)/health/redis- Returns "secret not found" error (correct behavior)/examples/cache/*- Returns "secret not found" error (correct behavior)
This demonstrates the implementation correctly integrates with Vault and handles missing credentials appropriately.
reference-apps/golang/
├── cmd/api/main.go # Application entry point
├── internal/
│ ├── config/config.go # Configuration management
│ ├── handlers/ # HTTP handlers
│ │ ├── health.go
│ │ ├── vault.go
│ │ ├── database.go
│ │ ├── cache.go
│ │ ├── redis_cluster.go
│ │ └── messaging.go
│ ├── middleware/logging.go # Logging + CORS
│ └── services/vault.go # Vault client
├── Dockerfile # Multi-stage build
├── init.sh # Vault integration + TLS
└── start.sh # Application startup
Dependency Injection:
healthHandler := handlers.NewHealthHandler(cfg, vaultClient)Context Propagation:
ctx, cancel := context.WithTimeout(c.Request.Context(), 5*time.Second)
defer cancel()Resource Cleanup:
defer conn.Close(ctx)Concurrent Operations:
var wg sync.WaitGroup
for _, service := range services {
wg.Add(1)
go checkService(service, &wg)
}
wg.Wait()| Feature | Go (Gin) | Python (FastAPI) |
|---|---|---|
| Concurrency Model | Goroutines (native) | asyncio (event loop) |
| Type System | Static typing (compile-time) | Type hints (runtime optional) |
| Performance | Compiled, very fast | Interpreted, fast with async |
| Memory Usage | Low (~20-30MB) | Higher (~80-150MB) |
| Startup Time | Instant (<100ms) | Slower (~1-2s) |
| Deployment | Single binary | Python + dependencies |
| Error Handling | Explicit returns | Exceptions |
| Context Management | context.Context | async context |
| Testing | go test | pytest |
- Docker image builds successfully
- Container starts and initializes
- All routes registered correctly
- Vault connectivity verified
- Health check endpoints functional
- Prometheus metrics exposed
- Error handling for missing Vault secrets
- Graceful shutdown working
- Logging middleware operational
- CORS middleware configured
The following features require Vault secrets to be bootstrapped:
- Database connectivity tests (PostgreSQL, MySQL, MongoDB)
- Redis cache operations
- RabbitMQ messaging operations
- Redis cluster management APIs
These endpoints correctly detect missing credentials and return appropriate error messages.
Test Status: ✅ 35+ tests, 100% PASS RATE
internal/config/config_test.go- Configuration testinginternal/services/vault_test.go- Vault client testinginternal/middleware/logging_test.go- Middleware testing
Config Package (12 tests)
- Default configuration values
- Custom HTTP/HTTPS ports
- Vault address and token configuration
- Debug mode enabled/disabled
- Environment settings (development/production)
- Database configuration (PostgreSQL, MySQL, MongoDB)
- Redis configuration
- RabbitMQ configuration
- Environment variable fallback handling
- Configuration completeness validation
- Coverage: 91.7%
Vault Service (9 test groups)
- VaultClient creation with various configurations
- GetSecret context handling (timeout, cancellation)
- GetSecretKey method validation
- HealthCheck functionality
- Client structure validation
- Concurrent access safety
- Error message formatting
- Method signature validation
- Coverage: 62.5%
Middleware (14 tests)
- Request ID generation and propagation
- Request logging with structured fields
- HTTP method logging (GET, POST, PUT, DELETE, PATCH)
- Status code logging (200, 201, 400, 404, 500)
- Request duration measurement
- CORS header configuration
- OPTIONS preflight request handling
- Credential allowance
- Max-Age cache control
- Standard header allowance
- Middleware integration
- Coverage: 100.0%
cd reference-apps/golang
go test ./... -v -coverResults:
✓ Config: 12 tests PASS (91.7% coverage)
✓ Services: 9 tests PASS (62.5% coverage)
✓ Middleware: 14 tests PASS (100.0% coverage)
────────────────────────────────────────────
TOTAL: 35+ tests, 100% PASS RATE
- Table-Driven Tests: Structured test cases for multiple scenarios
- Subtests: Organized test output with t.Run()
- Context Testing: Timeout and cancellation handling
- HTTP Testing: Using httptest.Recorder and httptest.NewRequest
- Concurrency Testing: Goroutine safety validation
- Error Validation: Comprehensive error message checking
- Handler tests using httptest (database, cache, messaging handlers)
- Integration tests with mock Vault server
- Benchmark tests for performance validation
- E2E tests with full infrastructure stack
# Build and start
docker-compose up -d golang-api
# View logs
docker-compose logs -f golang-api
# Check health
curl http://localhost:8002/health/# Root endpoint
curl http://localhost:8002/ | jq .
# Health checks
curl http://localhost:8002/health/all | jq .
curl http://localhost:8002/health/vault | jq .
# Metrics
curl http://localhost:8002/metrics
# Cache operations (requires Vault bootstrap)
curl -X POST "http://localhost:8002/examples/cache/test?value=hello&ttl=60"
curl http://localhost:8002/examples/cache/test
# Redis cluster info (requires Vault bootstrap)
curl http://localhost:8002/redis/cluster/nodes | jq .Main Dependencies:
github.com/gin-gonic/ginv1.9.1 - Web frameworkgithub.com/hashicorp/vault/apiv1.10.0 - Vault clientgithub.com/jackc/pgx/v5v5.5.0 - PostgreSQL drivergithub.com/go-sql-driver/mysqlv1.7.1 - MySQL drivergo.mongodb.org/mongo-driverv1.13.1 - MongoDB drivergithub.com/redis/go-redis/v9v9.3.0 - Redis clientgithub.com/rabbitmq/amqp091-gov1.9.0 - RabbitMQ clientgithub.com/prometheus/client_golangv1.17.0 - Prometheus metricsgithub.com/sirupsen/logrusv1.9.3 - Structured logging
Total Dependencies: 76 (including transitive)
Infrastructure + Application + Parity: 571+ tests
- 196 infrastructure integration tests (shell scripts) - includes 63 Task 2.1 backup tests + 77 Phase 3 tests
- 178 application unit tests (pytest - executed)
- 76 application integration tests (pytest - skipped in CI)
- 26 shared parity test runs (pytest - validates API equivalence)
- 95+ Go unit tests (go test)
Combined Coverage:
- All Docker containers and services
- Vault PKI and secrets management
- Vault AppRole authentication (Task 2.1 - 15 tests)
- Database connectivity and credentials
- Backup system (Task 2.1 - 48 tests)
- Incremental backups with manifest tracking
- GPG/AES256 encryption
- Checksum-based verification
- Full restore workflow
- Redis cluster operations and failover
- RabbitMQ messaging
- FastAPI application endpoints
- Middleware (caching, circuit breakers, CORS, rate limiting)
- Exception handling
- Request validation
- Health checks
- Prometheus metrics
- API parity validation (code-first vs API-first equivalence)
- Phase 3: Security & Performance (77 tests)
- Redis cluster failover and resilience (16 tests)
- AppRole authentication for all services (21 tests)
- TLS certificate validation (24 tests)
- Performance regression detection (9 tests)
- Load testing and concurrency (7 tests)
Run tests after:
- Initial infrastructure setup (
./devstack.sh start) - Service configuration changes
- Certificate regeneration
- Vault bootstrap
- Container restarts
- Application deployments
- Code changes (
pytest tests/) - Pull request reviews
- Pre-production deployment
This ensures all components remain properly configured, integrated, and functional.
- Real environment testing: Tests run against actual Docker containers
- Integration validation: Tests verify inter-service communication
- Credential security: Tests verify Vault integration throughout
- High unit test coverage: 84.39% code coverage
- 100% pass rate: All 178 executed tests passing
- Comprehensive mocking: External dependencies mocked for speed
- Async support: Full async/await testing with pytest-asyncio
- Fast execution: Unit tests complete in <2 seconds
# Example GitHub Actions workflow
jobs:
infrastructure-tests:
runs-on: ubuntu-latest
steps:
- Install Docker/Colima
- ./devstack.sh start
- ./tests/run-all-tests.sh
application-tests:
runs-on: ubuntu-latest
steps:
- cd reference-apps/fastapi
- pip install -r requirements.txt
- pytest tests/ --cov=app --cov-fail-under=80- Local Development: All tests (infrastructure + application)
- CI/CD: Unit tests only (fast feedback)
- Pre-Production: Full integration tests
- Production: Smoke tests + health checks
Planned enhancements:
- Performance testing
- Load testing with Locust
- Security testing
- End-to-end user workflows
- Automated snapshot testing
- Chaos engineering tests
- Main README: ../README.md
- FastAPI (Code-First) README: ../reference-apps/fastapi/README.md
- FastAPI (API-First) README: ../reference-apps/fastapi-api-first/README.md
- Go Reference API README: ../reference-apps/golang/README.md
- API Patterns: ../reference-apps/API_PATTERNS.md
- Reference Apps Overview: ../reference-apps/README.md