djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
34e15f03c3
ContainerImage.Pinniped/test/integration/kube_api_discovery_test.go

374 lines
11 KiB
Go
Raw Normal View History

test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 14:19:51 +00:00
// SPDX-License-Identifier: Apache-2.0
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
package integration
import (
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
"errors"
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
"fmt"
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
"strings"
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
"testing"
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
"github.com/stretchr/testify/assert"
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
"github.com/stretchr/testify/require"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
"k8s.io/apimachinery/pkg/runtime/schema"
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
"k8s.io/apimachinery/pkg/util/sets"
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
"k8s.io/client-go/discovery"
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 19:56:24 +00:00
"go.pinniped.dev/test/library"
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
)
func TestGetAPIResourceList(t *testing.T) {
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
env := library.IntegrationEnv(t)
Use Go's `-short` flag as a way to avoid running integration tests. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-07 01:44:14 +00:00
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
client := library.NewKubernetesClientset(t)
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
groups, resources, err := client.Discovery().ServerGroupsAndResources()
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
// discovery can have partial failures when an API service is unavailable (i.e. because of TestAPIServingCertificateAutoCreationAndRotation)
// we ignore failures for groups that are not relevant to this test
if err != nil {
discoveryFailed := &discovery.ErrGroupDiscoveryFailed{}
isDiscoveryFailed := errors.As(err, &discoveryFailed)
require.True(t, isDiscoveryFailed, err)
for gv, gvErr := range discoveryFailed.Groups {
if strings.HasSuffix(gv.Group, "."+env.APIGroupSuffix) {
require.NoError(t, gvErr)
}
}
}
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
makeGV := func(firstSegment, secondSegment string) schema.GroupVersion {
return schema.GroupVersion{
Group: fmt.Sprintf("%s.%s.%s", firstSegment, secondSegment, env.APIGroupSuffix),
Version: "v1alpha1",
}
}
loginConciergeGV := makeGV("login", "concierge")
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
identityConciergeGV := makeGV("identity", "concierge")
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
authenticationConciergeGV := makeGV("authentication", "concierge")
configConciergeGV := makeGV("config", "concierge")
idpSupervisorGV := makeGV("idp", "supervisor")
configSupervisorGV := makeGV("config", "supervisor")
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
tests := []struct {
group metav1.APIGroup
resourceByVersion map[string][]metav1.APIResource
}{
{
group: metav1.APIGroup{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
Name: loginConciergeGV.Group,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
Versions: []metav1.GroupVersionForDiscovery{
{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: loginConciergeGV.String(),
Version: loginConciergeGV.Version,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: loginConciergeGV.String(),
Version: loginConciergeGV.Version,
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:23:28 +00:00
},
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
resourceByVersion: map[string][]metav1.APIResource{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
loginConciergeGV.String(): {
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
{
Remove deprecated "pinniped.dev" API group. This has been replaced by the "login.pinniped.dev" group with a slightly different API. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 22:15:04 +00:00
Name: "tokencredentialrequests",
Kind: "TokenCredentialRequest",
Add no-op list support to token credential request This allows us to keep all of our resources in the pinniped category while not having kubectl return errors for calls such as: kubectl get pinniped -A Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 15:55:19 +00:00
Verbs: []string{"create", "list"},
Make concierge APIs cluster scoped Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 16:57:34 +00:00
Namespaced: false,
Put our TokenCredentialRequest API into the "pinniped" category. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 18:09:22 +00:00
Categories: []string{"pinniped"},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:23:28 +00:00
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
{
group: metav1.APIGroup{
Name: identityConciergeGV.Group,
Versions: []metav1.GroupVersionForDiscovery{
{
GroupVersion: identityConciergeGV.String(),
Version: identityConciergeGV.Version,
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
GroupVersion: identityConciergeGV.String(),
Version: identityConciergeGV.Version,
},
},
resourceByVersion: map[string][]metav1.APIResource{
identityConciergeGV.String(): {
{
Name: "whoamirequests",
Kind: "WhoAmIRequest",
Verbs: []string{"create", "list"},
Namespaced: false,
Categories: []string{"pinniped"},
},
},
},
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
{
group: metav1.APIGroup{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
Name: configSupervisorGV.Group,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
Versions: []metav1.GroupVersionForDiscovery{
{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: configSupervisorGV.String(),
Version: configSupervisorGV.Version,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: configSupervisorGV.String(),
Version: configSupervisorGV.Version,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:23:28 +00:00
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
resourceByVersion: map[string][]metav1.APIResource{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
configSupervisorGV.String(): {
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
{
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Name: "federationdomains",
SingularName: "federationdomain",
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Namespaced: true,
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Kind: "FederationDomain",
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
Categories: []string{"pinniped"},
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
},
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
{
Name: "federationdomains/status",
Namespaced: true,
Kind: "FederationDomain",
Verbs: []string{"get", "patch", "update"},
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
},
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
{
group: metav1.APIGroup{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
Name: idpSupervisorGV.Group,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
Versions: []metav1.GroupVersionForDiscovery{
{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: idpSupervisorGV.String(),
Version: idpSupervisorGV.Version,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: idpSupervisorGV.String(),
Version: idpSupervisorGV.Version,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
},
},
resourceByVersion: map[string][]metav1.APIResource{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
idpSupervisorGV.String(): {
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
{
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Name: "oidcidentityproviders",
SingularName: "oidcidentityprovider",
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
Namespaced: true,
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Kind: "OIDCIdentityProvider",
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped", "pinniped-idp", "pinniped-idps"},
},
{
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Name: "oidcidentityproviders/status",
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
Namespaced: true,
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
Kind: "OIDCIdentityProvider",
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
Verbs: []string{"get", "patch", "update"},
},
},
},
},
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
{
group: metav1.APIGroup{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
Name: configConciergeGV.Group,
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
Versions: []metav1.GroupVersionForDiscovery{
{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: configConciergeGV.String(),
Version: configConciergeGV.Version,
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: configConciergeGV.String(),
Version: configConciergeGV.Version,
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
},
},
resourceByVersion: map[string][]metav1.APIResource{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
configConciergeGV.String(): {
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
{
Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 21:39:43 +00:00
Name: "credentialissuers",
SingularName: "credentialissuer",
Make concierge APIs cluster scoped Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 16:57:34 +00:00
Namespaced: false,
Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 21:39:43 +00:00
Kind: "CredentialIssuer",
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
Categories: []string{"pinniped"},
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
},
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
{
Name: "credentialissuers/status",
Namespaced: false,
Kind: "CredentialIssuer",
Verbs: []string{"get", "patch", "update"},
},
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
},
},
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
{
group: metav1.APIGroup{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
Name: authenticationConciergeGV.Group,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
Versions: []metav1.GroupVersionForDiscovery{
{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: authenticationConciergeGV.String(),
Version: authenticationConciergeGV.Version,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
GroupVersion: authenticationConciergeGV.String(),
Version: authenticationConciergeGV.Version,
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
resourceByVersion: map[string][]metav1.APIResource{
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
authenticationConciergeGV.String(): {
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
{
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 16:39:26 +00:00
Name: "webhookauthenticators",
SingularName: "webhookauthenticator",
Make concierge APIs cluster scoped Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 16:57:34 +00:00
Namespaced: false,
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 16:39:26 +00:00
Kind: "WebhookAuthenticator",
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
{
Name: "webhookauthenticators/status",
Namespaced: false,
Kind: "WebhookAuthenticator",
Verbs: []string{"get", "patch", "update"},
},
Add JWTAuthenticator API type Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 01:37:43 +00:00
{
Name: "jwtauthenticators",
SingularName: "jwtauthenticator",
Make concierge APIs cluster scoped Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 16:57:34 +00:00
Namespaced: false,
Add JWTAuthenticator API type Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 01:37:43 +00:00
Kind: "JWTAuthenticator",
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped", "pinniped-authenticator", "pinniped-authenticators"},
},
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
{
Name: "jwtauthenticators/status",
Namespaced: false,
Kind: "JWTAuthenticator",
Verbs: []string{"get", "patch", "update"},
},
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
},
},
},
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
}
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:23:28 +00:00
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
t.Run("every Pinniped API has explicit test coverage", func(t *testing.T) {
t.Parallel()
testedGroups := map[string]bool{}
for _, tt := range tests {
testedGroups[tt.group.Name] = true
}
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
foundPinnipedGroups := 0
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
for _, g := range groups {
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
if !strings.Contains(g.Name, env.APIGroupSuffix) {
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
continue
}
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
foundPinnipedGroups++
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
assert.Truef(t, testedGroups[g.Name], "expected group %q to have assertions defined", g.Name)
}
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
require.Equal(t, len(testedGroups), foundPinnipedGroups)
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
})
t.Run("every API categorized appropriately", func(t *testing.T) {
t.Parallel()
for _, r := range resources {
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
continue
}
for _, a := range r.APIResources {
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 00:28:42 +00:00
if strings.HasSuffix(a.Name, "/status") {
continue
}
assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name)
Put our TokenCredentialRequest API into the "pinniped" category. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 18:09:22 +00:00
assert.NotContainsf(t, a.Categories, "all", "expected resource %q not to be in the 'all' category", a.Name)
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
}
}
})
Make concierge APIs cluster scoped Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 16:57:34 +00:00
t.Run("every concierge API is cluster scoped", func(t *testing.T) {
t.Parallel()
for _, r := range resources {
if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
continue
}
if !strings.Contains(r.GroupVersion, ".concierge.") {
continue
}
for _, a := range r.APIResources {
assert.False(t, a.Namespaced, "concierge APIs must be cluster scoped: %#v", a)
}
}
})
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
t.Run("every API has a status subresource", func(t *testing.T) {
t.Parallel()
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
aggregatedAPIs := sets.NewString("tokencredentialrequests", "whoamirequests")
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
var regular, status []string
for _, r := range resources {
if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
continue
}
for _, a := range r.APIResources {
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
if aggregatedAPIs.Has(a.Name) {
continue // skip our special aggregated APIs with their own magical properties
Assert all APIs have a status subresource Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-11 02:20:19 +00:00
}
if strings.HasSuffix(a.Name, "/status") {
status = append(status, strings.TrimSuffix(a.Name, "/status"))
} else {
regular = append(regular, a.Name)
}
}
}
assert.Equal(t, regular, status)
})
Test that Pinniped APis do not have short names, either. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:49:21 +00:00
t.Run("Pinniped resources do not have short names", func(t *testing.T) {
t.Parallel()
for _, r := range resources {
test: wire API group suffix through to tests Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 18:50:22 +00:00
if !strings.Contains(r.GroupVersion, env.APIGroupSuffix) {
Test that Pinniped APis do not have short names, either. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:49:21 +00:00
continue
}
for _, a := range r.APIResources {
assert.Empty(t, a.ShortNames, "expected resource %q not to have any short names", a.Name)
}
}
})
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
for _, tt := range tests {
tt := tt
t.Run(tt.group.Name, func(t *testing.T) {
Put all of our APIs into a "pinniped" category, and never use "all". We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`. I also added some tests to assert these properties on all `*.pinniped.dev` API resources. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 22:24:25 +00:00
t.Parallel()
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
require.Contains(t, groups, &tt.group)
for groupVersion, expectedResources := range tt.resourceByVersion {
// Find the actual resource list and make a copy.
var actualResourceList *metav1.APIResourceList
for _, resource := range resources {
if resource.GroupVersion == groupVersion {
actualResourceList = resource.DeepCopy()
}
}
require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion)
// Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't
// worry about comparing that field.
for i := range actualResourceList.APIResources {
actualResourceList.APIResources[i].StorageVersionHash = ""
}
Make concierge_api_discovery_test.go less sensitive to order in a list Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-07 18:42:30 +00:00
require.ElementsMatch(t, expectedResources, actualResourceList.APIResources, "unexpected API resources")
Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:36:38 +00:00
}
})
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 15:23:28 +00:00
}
Move TestGetAPIResourceList to its own file Because it is now testing multiple api types
2020-08-01 00:37:59 +00:00
}
Reference in New Issue Copy Permalink