ContainerImage.Pinniped/test/integration/supervisor_healthz_test.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/test/testlib"
)

// The Supervisor health endpoint is public because that makes it easier
// for users to create an Ingress for the supervisor on platforms like
// GKE where the Ingress wants to perform a health check. It's somewhere
// between inconvenient and impossible to make that Ingress health check
// happen on a private container port at this time.
// This test checks that it is working and that it is public.
func TestSupervisorHealthz(t *testing.T) {
	env := testlib.IntegrationEnv(t)

	if env.SupervisorHTTPAddress == "" {
		t.Skip("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS not defined")
	}

	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	httpClient := &http.Client{}

	httpGet(ctx, t, httpClient, fmt.Sprintf("http://%s/healthz", env.SupervisorHTTPAddress), http.StatusOK, "ok")
}

// Never run this test in parallel since deleting all federation domains and the default TLS secret is disruptive, see main_test.go.
func TestSupervisorHealthzBootstrap_Disruptive(t *testing.T) {
	env := testlib.IntegrationEnv(t)
	pinnipedClient := testlib.NewSupervisorClientset(t)
	kubeClient := testlib.NewKubernetesClientset(t)

	ns := env.SupervisorNamespace
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
	defer cancel()

	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(ctx, t, ns, defaultTLSCertSecretName(env), pinnipedClient, kubeClient)

	httpClient := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // there is no way for us to know the bootstrap CA
		},
	}

	const badTLSConfigBody = "pinniped supervisor has invalid TLS serving certificate configuration\n"

	httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/healthz", env.SupervisorHTTPSAddress), http.StatusOK, "ok")
	httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)
	httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/nothealthz", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)
	httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/healthz/something", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)
}

func httpGet(ctx context.Context, t *testing.T, client *http.Client, url string, expectedStatus int, expectedBody string) {
	t.Helper()

	req, err := http.NewRequestWithContext(
		ctx,
		http.MethodGet,
		url,
		nil,
	)
	require.NoError(t, err)

	response, err := client.Do(req) //nolint:bodyclose
	require.NoError(t, err)
	require.Equal(t, expectedStatus, response.StatusCode)

	responseBody, err := ioutil.ReadAll(response.Body)
	require.NoError(t, err)
	err = response.Body.Close()
	require.NoError(t, err)
	require.Equal(t, expectedBody, string(responseBody))
}
test/integration: ensure no pods restart during integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-12 20:55:31 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package integration`

			`import (`
			`"context"`
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`"crypto/tls"`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`

Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`"go.pinniped.dev/test/testlib"`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`)`

			`// The Supervisor health endpoint is public because that makes it easier`
			`// for users to create an Ingress for the supervisor on platforms like`
			`// GKE where the Ingress wants to perform a health check. It's somewhere`
			`// between inconvenient and impossible to make that Ingress health check`
			`// happen on a private container port at this time.`
			`// This test checks that it is working and that it is public.`
			`func TestSupervisorHealthz(t *testing.T) {`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`env := testlib.IntegrationEnv(t)`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00
			`if env.SupervisorHTTPAddress == "" {`
			`t.Skip("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS not defined")`
			`}`

			`ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)`
			`defer cancel()`

Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`httpClient := &http.Client{}`

			`httpGet(ctx, t, httpClient, fmt.Sprintf("http://%s/healthz", env.SupervisorHTTPAddress), http.StatusOK, "ok")`
			`}`

			`// Never run this test in parallel since deleting all federation domains and the default TLS secret is disruptive, see main_test.go.`
			`func TestSupervisorHealthzBootstrap_Disruptive(t *testing.T) {`
			`env := testlib.IntegrationEnv(t)`
			`pinnipedClient := testlib.NewSupervisorClientset(t)`
			`kubeClient := testlib.NewKubernetesClientset(t)`

			`ns := env.SupervisorNamespace`
			`ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)`
			`defer cancel()`

			`temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(ctx, t, ns, defaultTLSCertSecretName(env), pinnipedClient, kubeClient)`

			`httpClient := &http.Client{`
			`Transport: &http.Transport{`
			`TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // there is no way for us to know the bootstrap CA`
			`},`
			`}`

			`const badTLSConfigBody = "pinniped supervisor has invalid TLS serving certificate configuration\n"`

			`httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/healthz", env.SupervisorHTTPSAddress), http.StatusOK, "ok")`
			`httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)`
			`httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/nothealthz", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)`
			`httpGet(ctx, t, httpClient, fmt.Sprintf("https://%s/healthz/something", env.SupervisorHTTPSAddress), http.StatusInternalServerError, badTLSConfigBody)`
			`}`

			`func httpGet(ctx context.Context, t testing.T, client http.Client, url string, expectedStatus int, expectedBody string) {`
			`t.Helper()`

			`req, err := http.NewRequestWithContext(`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`ctx,`
			`http.MethodGet,`
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`url,`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`nil,`
			`)`
			`require.NoError(t, err)`

Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`response, err := client.Do(req) //nolint:bodyclose`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`require.NoError(t, err)`
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`require.Equal(t, expectedStatus, response.StatusCode)`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00
			`responseBody, err := ioutil.ReadAll(response.Body)`
			`require.NoError(t, err)`
			`err = response.Body.Close()`
			`require.NoError(t, err)`
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-15 20:48:55 +00:00			`require.Equal(t, expectedBody, string(responseBody))`
Make the supervisor healthz endpoint public Based on our experiences today with GKE, it will be easier for our users to configure Ingress health checks if the healthz endpoint is available on the same public port as the OIDC endpoints. Also add an integration test for the healthz endpoint now that it is public. Also add the optional `containers[].ports.containerPort` to the supervisor Deployment because the GKE docs say that GKE will look at that field while inferring how to invoke the health endpoint. See https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc 2020-10-21 22:24:48 +00:00			`}`