Your leader has been eliminated, it's time for the rest of you to die!

Pods that also contain sidecars might never run to completion. That is, unless a particular villain shows up when the main container has died and terminates the others.

Hahaha Watches all Pods using a Label Selector, which defaults to nais.io/naisjob="true", but this selector may be changed using the WATCHES_SELECTOR environment variable.

A different number of sidecars may appear alongside your main container. Here is an explanation for a few of them, some NaisJob specific and some generic.

You can view what HAHAHA tries to do to these sidecars when encountered in actions.rs

Running HAHAHA's tests should be done by invoking cargo test -- --test-threads 1. The reason is that while the Prometheus test generally gets started first, it's usually the last to finish. By limiting the thread count to 1, we'll ensure that it finishes before the other tests run. The other tests are more like integration tests, and also mutate the Prometheus state, which makes it kind of hard to run them in parallel.

The image is signed "keylessly" (is that a word?) using Sigstore cosign. To verify its authenticity run

cosign verify \
--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256:<shasum>

The images are also attested with SBOMs in the CycloneDX format. You can verify these by running

cosign verify-attestation --type cyclonedx  \
--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256:<shasum>