2021-01-05 21:10:18 +00:00
|
|
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
2020-09-16 14:19:51 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2020-07-31 16:08:07 +00:00
|
|
|
|
|
|
|
package integration
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"encoding/base64"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2021-02-10 16:12:03 +00:00
|
|
|
apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
|
2020-07-31 16:08:07 +00:00
|
|
|
|
2021-02-16 19:00:08 +00:00
|
|
|
configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
|
2020-09-18 19:56:24 +00:00
|
|
|
"go.pinniped.dev/test/library"
|
2020-07-31 16:08:07 +00:00
|
|
|
)
|
|
|
|
|
2020-11-02 21:39:43 +00:00
|
|
|
func TestCredentialIssuer(t *testing.T) {
|
2020-09-24 22:51:43 +00:00
|
|
|
env := library.IntegrationEnv(t)
|
2020-08-25 01:07:34 +00:00
|
|
|
config := library.NewClientConfig(t)
|
2020-10-30 20:09:14 +00:00
|
|
|
client := library.NewConciergeClientset(t)
|
2021-02-10 16:12:03 +00:00
|
|
|
aggregatedClientset := library.NewAggregatedClientset(t)
|
2020-07-31 16:08:07 +00:00
|
|
|
|
2021-03-05 01:25:43 +00:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
2020-07-31 16:08:07 +00:00
|
|
|
defer cancel()
|
|
|
|
|
2020-11-02 21:39:43 +00:00
|
|
|
t.Run("test successful CredentialIssuer", func(t *testing.T) {
|
2020-08-25 01:07:34 +00:00
|
|
|
actualConfigList, err := client.
|
2020-09-18 21:38:45 +00:00
|
|
|
ConfigV1alpha1().
|
2021-02-09 18:59:32 +00:00
|
|
|
CredentialIssuers().
|
2020-08-25 01:07:34 +00:00
|
|
|
List(ctx, metav1.ListOptions{})
|
|
|
|
require.NoError(t, err)
|
2020-09-15 17:04:46 +00:00
|
|
|
|
2020-08-25 01:07:34 +00:00
|
|
|
require.Len(t, actualConfigList.Items, 1)
|
2020-07-31 16:08:07 +00:00
|
|
|
|
2020-10-15 17:14:23 +00:00
|
|
|
actualConfig := actualConfigList.Items[0]
|
2020-08-25 01:07:34 +00:00
|
|
|
actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo
|
2020-07-31 16:08:07 +00:00
|
|
|
|
2020-10-15 17:14:23 +00:00
|
|
|
for k, v := range env.ConciergeCustomLabels {
|
2020-11-02 21:39:43 +00:00
|
|
|
require.Equalf(t, v, actualConfig.Labels[k], "expected ci to have label `%s: %s`", k, v)
|
2020-10-15 17:14:23 +00:00
|
|
|
}
|
|
|
|
require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])
|
|
|
|
|
2021-02-10 16:12:03 +00:00
|
|
|
apiService, err := aggregatedClientset.ApiregistrationV1().APIServices().Get(ctx, "v1alpha1.login.concierge."+env.APIGroupSuffix, metav1.GetOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// work around stupid behavior of WithoutVersionDecoder.Decode
|
|
|
|
apiService.APIVersion, apiService.Kind = apiregistrationv1.SchemeGroupVersion.WithKind("APIService").ToAPIVersionAndKind()
|
|
|
|
|
2020-08-25 01:07:34 +00:00
|
|
|
// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.
|
|
|
|
actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
|
2021-03-03 22:19:24 +00:00
|
|
|
|
|
|
|
// There should be two. One of type KubeClusterSigningCertificate and one of type ImpersonationProxy.
|
|
|
|
require.Len(t, actualStatusStrategies, 2)
|
|
|
|
|
|
|
|
// The details of the ImpersonationProxy type is tested by a different integration test for the impersonator.
|
|
|
|
// Grab the KubeClusterSigningCertificate result so we can check it in detail below.
|
|
|
|
var actualStatusStrategy configv1alpha1.CredentialIssuerStrategy
|
|
|
|
for _, s := range actualStatusStrategies {
|
|
|
|
if s.Type == configv1alpha1.KubeClusterSigningCertificateStrategyType {
|
|
|
|
actualStatusStrategy = s
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
require.NotNil(t, actualStatusStrategy)
|
2020-07-31 16:08:07 +00:00
|
|
|
|
2020-09-24 22:51:43 +00:00
|
|
|
if env.HasCapability(library.ClusterSigningKeyIsAvailable) {
|
2020-09-18 21:38:45 +00:00
|
|
|
require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
|
|
|
|
require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
|
2021-04-20 19:55:28 +00:00
|
|
|
require.Equal(t, "key was fetched successfully", actualStatusStrategy.Message)
|
2021-03-02 18:55:24 +00:00
|
|
|
require.NotNil(t, actualStatusStrategy.Frontend)
|
|
|
|
require.Equal(t, configv1alpha1.TokenCredentialRequestAPIFrontendType, actualStatusStrategy.Frontend.Type)
|
|
|
|
expectedTokenRequestAPIInfo := configv1alpha1.TokenCredentialRequestAPIInfo{
|
|
|
|
Server: config.Host,
|
|
|
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),
|
|
|
|
}
|
|
|
|
require.Equal(t, &expectedTokenRequestAPIInfo, actualStatusStrategy.Frontend.TokenCredentialRequestAPIInfo)
|
|
|
|
|
2020-08-28 00:18:48 +00:00
|
|
|
// Verify the published kube config info.
|
2020-09-24 16:19:57 +00:00
|
|
|
require.Equal(
|
|
|
|
t,
|
2020-11-02 21:39:43 +00:00
|
|
|
&configv1alpha1.CredentialIssuerKubeConfigInfo{
|
2021-03-02 18:55:24 +00:00
|
|
|
Server: expectedTokenRequestAPIInfo.Server,
|
|
|
|
CertificateAuthorityData: expectedTokenRequestAPIInfo.CertificateAuthorityData,
|
2020-09-24 16:19:57 +00:00
|
|
|
},
|
|
|
|
actualStatusKubeConfigInfo,
|
|
|
|
)
|
2020-08-25 01:07:34 +00:00
|
|
|
} else {
|
2020-09-18 21:38:45 +00:00
|
|
|
require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
|
|
|
|
require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
|
2021-04-20 19:55:28 +00:00
|
|
|
require.Contains(t, actualStatusStrategy.Message, "could not find a healthy kube-controller-manager pod (0 candidates)")
|
2020-08-28 00:18:48 +00:00
|
|
|
require.Nil(t, actualStatusKubeConfigInfo)
|
2020-08-25 01:07:34 +00:00
|
|
|
}
|
|
|
|
})
|
2020-07-31 16:08:07 +00:00
|
|
|
}
|