ContainerImage.Pinniped/test/integration/concierge_credentialissuerc...

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"encoding/base64"
	"testing"
	"time"

	"github.com/stretchr/testify/require"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"
	"go.pinniped.dev/test/library"
)

func TestCredentialIssuer(t *testing.T) {
	env := library.IntegrationEnv(t)
	config := library.NewClientConfig(t)
	client := library.NewConciergeClientset(t)

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	t.Run("test successful CredentialIssuer", func(t *testing.T) {
		actualConfigList, err := client.
			ConfigV1alpha1().
			CredentialIssuers(env.ConciergeNamespace).
			List(ctx, metav1.ListOptions{})
		require.NoError(t, err)

		require.Len(t, actualConfigList.Items, 1)

		actualConfig := actualConfigList.Items[0]
		actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo

		for k, v := range env.ConciergeCustomLabels {
			require.Equalf(t, v, actualConfig.Labels[k], "expected ci to have label `%s: %s`", k, v)
		}
		require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])

		// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.
		actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
		require.Len(t, actualStatusStrategies, 1)
		actualStatusStrategy := actualStatusStrategies[0]
		require.Equal(t, configv1alpha1.KubeClusterSigningCertificateStrategyType, actualStatusStrategy.Type)

		if env.HasCapability(library.ClusterSigningKeyIsAvailable) {
			require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
			require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
			require.Equal(t, "Key was fetched successfully", actualStatusStrategy.Message)
			// Verify the published kube config info.
			require.Equal(
				t,
				&configv1alpha1.CredentialIssuerKubeConfigInfo{
					Server:                   config.Host,
					CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),
				},
				actualStatusKubeConfigInfo,
			)

			// Only validate LastUpdateTime when cluster signing key is available. The last update time
			// will be set every time our controllers resync, but only when there exists controller
			// manager pods (all other pods will be filtered out), hence why this assertion is in this
			// if branch.
			//
			// This behavior is up for debate. We should eventually discuss the contract for this
			// LastUpdateTime field and ensure that the implementation is the same for when the cluster
			// signing key is available and not available.
			require.WithinDuration(t, time.Now(), actualStatusStrategy.LastUpdateTime.Local(), 10*time.Minute)
		} else {
			require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
			require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
			require.Contains(t, actualStatusStrategy.Message, "did not find kube-controller-manager pod(s)")
			// For now, don't verify the kube config info because its not available on GKE. We'll need to address
			// this somehow once we starting supporting those cluster types.
			// Require `nil` to remind us to address this later for other types of clusters where it is available.
			require.Nil(t, actualStatusKubeConfigInfo)
		}
	})
}
test/integration: fix intermittent failures on GKE See comment. This is at least a first step to make our GKE acceptance environment greener. Previously, this test assumed that the Pinniped-under-test had been deployed in (roughly) the last 10 minutes, which is not an assumption that we make anywhere else in the integration test suite. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-05 21:10:18 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// SPDX-License-Identifier: Apache-2.0`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00
			`package integration`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 20:09:14 +00:00			`configv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/config/v1alpha1"`
Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 19:56:24 +00:00			`"go.pinniped.dev/test/library"`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00			`)`

Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 21:39:43 +00:00			`func TestCredentialIssuer(t *testing.T) {`
Refactor integration test environment helpers to be more structured. This change replaces our previous test helpers for checking cluster capabilities and passing external test parameters. Prior to this change, we always used `$PINNIPED_*` environment variables and these variables were accessed throughout the test code. The new code introduces a more strongly-typed `TestEnv` structure and helpers which load and expose the parameters. Tests can now call `env := library.IntegrationEnv(t)`, then access parameters such as `env.Namespace` or `env.TestUser.Token`. This should make this data dependency easier to manage and refactor in the future. In many ways this is just an extended version of the previous cluster capabilities YAML. Tests can also check for cluster capabilities easily by using `env := library.IntegrationEnv(t).WithCapability(xyz)`. The actual parameters are still loaded from OS environment variables by default (for compatibility), but the code now also tries to load the data from a Kubernetes Secret (`integration/pinniped-test-env` by default). I'm hoping this will be a more convenient way to pass data between various scripts than the local `/tmp` directory. I hope to remove the OS environment code in a future commit. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-24 22:51:43 +00:00			`env := library.IntegrationEnv(t)`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`config := library.NewClientConfig(t)`
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 20:09:14 +00:00			`client := library.NewConciergeClientset(t)`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00
			`ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)`
			`defer cancel()`

Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 21:39:43 +00:00			`t.Run("test successful CredentialIssuer", func(t *testing.T) {`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`actualConfigList, err := client.`
Move CredentialIssuerConfig into new "config.pinniped.dev" API group. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 21:38:45 +00:00			`ConfigV1alpha1().`
Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 21:39:43 +00:00			`CredentialIssuers(env.ConciergeNamespace).`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`List(ctx, metav1.ListOptions{})`
			`require.NoError(t, err)`
Add some log output to TestCredentialIssuerConfig for troubleshooting. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-15 17:04:46 +00:00
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`require.Len(t, actualConfigList.Items, 1)`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00
Concierge controllers add labels to all created resources 2020-10-15 17:14:23 +00:00			`actualConfig := actualConfigList.Items[0]`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00
Concierge controllers add labels to all created resources 2020-10-15 17:14:23 +00:00			`for k, v := range env.ConciergeCustomLabels {`
Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 21:39:43 +00:00			require.Equalf(t, v, actualConfig.Labels[k], "expected ci to have label `%s: %s`", k, v)
Concierge controllers add labels to all created resources 2020-10-15 17:14:23 +00:00			`}`
			`require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])`

Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.`
			`actualStatusStrategies := actualConfigList.Items[0].Status.Strategies`
			`require.Len(t, actualStatusStrategies, 1)`
			`actualStatusStrategy := actualStatusStrategies[0]`
Move CredentialIssuerConfig into new "config.pinniped.dev" API group. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 21:38:45 +00:00			`require.Equal(t, configv1alpha1.KubeClusterSigningCertificateStrategyType, actualStatusStrategy.Type)`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00
Refactor integration test environment helpers to be more structured. This change replaces our previous test helpers for checking cluster capabilities and passing external test parameters. Prior to this change, we always used `$PINNIPED_*` environment variables and these variables were accessed throughout the test code. The new code introduces a more strongly-typed `TestEnv` structure and helpers which load and expose the parameters. Tests can now call `env := library.IntegrationEnv(t)`, then access parameters such as `env.Namespace` or `env.TestUser.Token`. This should make this data dependency easier to manage and refactor in the future. In many ways this is just an extended version of the previous cluster capabilities YAML. Tests can also check for cluster capabilities easily by using `env := library.IntegrationEnv(t).WithCapability(xyz)`. The actual parameters are still loaded from OS environment variables by default (for compatibility), but the code now also tries to load the data from a Kubernetes Secret (`integration/pinniped-test-env` by default). I'm hoping this will be a more convenient way to pass data between various scripts than the local `/tmp` directory. I hope to remove the OS environment code in a future commit. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-24 22:51:43 +00:00			`if env.HasCapability(library.ClusterSigningKeyIsAvailable) {`
Move CredentialIssuerConfig into new "config.pinniped.dev" API group. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 21:38:45 +00:00			`require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)`
			`require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`require.Equal(t, "Key was fetched successfully", actualStatusStrategy.Message)`
Fix an assumption about GKE in an integration test 2020-08-28 00:18:48 +00:00			`// Verify the published kube config info.`
kube_config_info_publisher.go no longer watches cic's with an informer Simplifies the implementation, makes it more consistent with other updaters of the cic (CredentialIssuerConfig), and also retries on update conflicts Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-09-24 16:19:57 +00:00			`require.Equal(`
			`t,`
Rename CredentialIssuerConfig to CredentialIssuer. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 21:39:43 +00:00			`&configv1alpha1.CredentialIssuerKubeConfigInfo{`
kube_config_info_publisher.go no longer watches cic's with an informer Simplifies the implementation, makes it more consistent with other updaters of the cic (CredentialIssuerConfig), and also retries on update conflicts Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-09-24 16:19:57 +00:00			`Server: config.Host,`
			`CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),`
			`},`
			`actualStatusKubeConfigInfo,`
			`)`
test/integration: fix intermittent failures on GKE See comment. This is at least a first step to make our GKE acceptance environment greener. Previously, this test assumed that the Pinniped-under-test had been deployed in (roughly) the last 10 minutes, which is not an assumption that we make anywhere else in the integration test suite. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-05 21:10:18 +00:00
			`// Only validate LastUpdateTime when cluster signing key is available. The last update time`
			`// will be set every time our controllers resync, but only when there exists controller`
			`// manager pods (all other pods will be filtered out), hence why this assertion is in this`
			`// if branch.`
			`//`
			`// This behavior is up for debate. We should eventually discuss the contract for this`
			`// LastUpdateTime field and ensure that the implementation is the same for when the cluster`
			`// signing key is available and not available.`
			`require.WithinDuration(t, time.Now(), actualStatusStrategy.LastUpdateTime.Local(), 10*time.Minute)`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`} else {`
Move CredentialIssuerConfig into new "config.pinniped.dev" API group. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 21:38:45 +00:00			`require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)`
			`require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)`
Fix expected CIC status message on non-hosted control planes 2020-09-24 21:56:55 +00:00			`require.Contains(t, actualStatusStrategy.Message, "did not find kube-controller-manager pod(s)")`
Fix an assumption about GKE in an integration test 2020-08-28 00:18:48 +00:00			`// For now, don't verify the kube config info because its not available on GKE. We'll need to address`
			`// this somehow once we starting supporting those cluster types.`
			// Require `nil` to remind us to address this later for other types of clusters where it is available.
			`require.Nil(t, actualStatusKubeConfigInfo)`
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing 2020-08-25 01:07:34 +00:00			`}`
			`})`
WIP: start on publisher controller integration 2020-07-31 16:08:07 +00:00			`}`