ContainerImage.Pinniped/test/library/client.go

/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/

package library

import (
	"io/ioutil"
	"os"
	"testing"

	"github.com/stretchr/testify/require"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

	pinnipedclientset "github.com/suzerain-io/pinniped/kubernetes/1.19/client-go/clientset/versioned"
)

func NewClientConfig(t *testing.T) *rest.Config {
	t.Helper()

	return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{})
}

func NewClientset(t *testing.T) kubernetes.Interface {
	t.Helper()

	return newClientsetWithConfig(t, NewClientConfig(t))
}

func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface {
	t.Helper()

	return newClientsetWithConfig(t, newClientConfigWithCertAndKey(t, clientCertificateData, clientKeyData))
}

func NewPinnipedClientset(t *testing.T) pinnipedclientset.Interface {
	t.Helper()

	return pinnipedclientset.NewForConfigOrDie(NewClientConfig(t))
}

func NewAnonymousPinnipedClientset(t *testing.T) pinnipedclientset.Interface {
	t.Helper()

	return pinnipedclientset.NewForConfigOrDie(newAnonymousClientConfig(t))
}

func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface {
	t.Helper()

	return aggregatorclient.NewForConfigOrDie(NewClientConfig(t))
}

func newClientConfigWithOverrides(t *testing.T, overrides *clientcmd.ConfigOverrides) *rest.Config {
	t.Helper()

	loader := clientcmd.NewDefaultClientConfigLoadingRules()
	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, overrides)
	config, err := clientConfig.ClientConfig()
	require.NoError(t, err)
	return config
}

func newClientsetWithConfig(t *testing.T, config *rest.Config) kubernetes.Interface {
	t.Helper()

	result, err := kubernetes.NewForConfig(config)
	require.NoError(t, err, "unexpected failure from kubernetes.NewForConfig()")
	return result
}

// Returns a rest.Config without any user authentication info.
// Ensures that we are not accidentally picking up any authentication info from the kube config file.
// E.g. If your kube config were pointing at an Azure cluster, it would have both certs and a token,
// and we don't want our tests to accidentally pick up that token.
func newAnonymousClientConfig(t *testing.T) *rest.Config {
	t.Helper()

	realConfig := NewClientConfig(t)

	out, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*")
	require.NoError(t, err)
	defer os.Remove(out.Name())

	anonConfig := clientcmdapi.NewConfig()
	anonConfig.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{
		Server:                   realConfig.Host,
		CertificateAuthorityData: realConfig.CAData,
	}
	anonConfig.Contexts["anonymous"] = &clientcmdapi.Context{
		Cluster: "anonymous-cluster",
	}
	anonConfig.CurrentContext = "anonymous"

	data, err := clientcmd.Write(*anonConfig)
	require.NoError(t, err)

	_, err = out.Write(data)
	require.NoError(t, err)

	restConfig, err := clientcmd.BuildConfigFromFlags("", out.Name())
	require.NoError(t, err)

	return restConfig
}

// Starting with an anonymous client config, add a cert and key to use for authentication in the API server.
func newClientConfigWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) *rest.Config {
	t.Helper()

	realConfig := NewClientConfig(t)

	out, err := ioutil.TempFile("", "pinniped-cert-and-key-kubeconfig-test-*")
	require.NoError(t, err)
	defer os.Remove(out.Name())

	certAndKeyConfig := clientcmdapi.NewConfig()
	certAndKeyConfig.Clusters["cert-and-key-cluster"] = &clientcmdapi.Cluster{
		Server:                   realConfig.Host,
		CertificateAuthorityData: realConfig.CAData,
	}
	certAndKeyConfig.AuthInfos["cert-and-key-auth-info"] = &clientcmdapi.AuthInfo{
		ClientCertificateData: []byte(clientCertificateData),
		ClientKeyData:         []byte(clientKeyData),
	}
	certAndKeyConfig.Contexts["cert-and-key"] = &clientcmdapi.Context{
		Cluster:  "cert-and-key-cluster",
		AuthInfo: "cert-and-key-auth-info",
	}
	certAndKeyConfig.CurrentContext = "cert-and-key"

	data, err := clientcmd.Write(*certAndKeyConfig)
	require.NoError(t, err)

	_, err = out.Write(data)
	require.NoError(t, err)

	restConfig, err := clientcmd.BuildConfigFromFlags("", out.Name())
	require.NoError(t, err)

	return restConfig
}
Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`/*`
			`Copyright 2020 VMware, Inc.`
			`SPDX-License-Identifier: Apache-2.0`
			`*/`

			`package library`

			`import (`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`"io/ioutil"`
			`"os"`
Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`"testing"`

			`"github.com/stretchr/testify/require"`
			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/client-go/rest"`
			`"k8s.io/client-go/tools/clientcmd"`
WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`clientcmdapi "k8s.io/client-go/tools/clientcmd/api"`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00			`aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00
Rename project 2020-08-20 17:54:15 +00:00			`pinnipedclientset "github.com/suzerain-io/pinniped/kubernetes/1.19/client-go/clientset/versioned"`
Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`)`

			`func NewClientConfig(t testing.T) rest.Config {`
			`t.Helper()`

WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{})`
			`}`

Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`func NewClientset(t *testing.T) kubernetes.Interface {`
			`t.Helper()`

			`return newClientsetWithConfig(t, NewClientConfig(t))`
			`}`

			`func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface {`
			`t.Helper()`

test/library: try another cert rest config We are getting these weird flakes in CI where the kube client that we create with these helper functions doesn't work against the kube API. The kube API tells us that we are unauthorized (401). Seems like something is wrong with the keypair itself, but when I create a one-off kubeconfig with the keypair, I get 200s from the API. Hmmm...I wonder what CI will think of this change? I also tried to align some naming in this package. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-24 15:01:37 +00:00			`return newClientsetWithConfig(t, newClientConfigWithCertAndKey(t, clientCertificateData, clientKeyData))`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`}`

Rename project 2020-08-20 17:54:15 +00:00			`func NewPinnipedClientset(t *testing.T) pinnipedclientset.Interface {`
WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`t.Helper()`

Rename project 2020-08-20 17:54:15 +00:00			`return pinnipedclientset.NewForConfigOrDie(NewClientConfig(t))`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`}`

Rename project 2020-08-20 17:54:15 +00:00			`func NewAnonymousPinnipedClientset(t *testing.T) pinnipedclientset.Interface {`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`t.Helper()`

test/library: try another cert rest config We are getting these weird flakes in CI where the kube client that we create with these helper functions doesn't work against the kube API. The kube API tells us that we are unauthorized (401). Seems like something is wrong with the keypair itself, but when I create a one-off kubeconfig with the keypair, I get 200s from the API. Hmmm...I wonder what CI will think of this change? I also tried to align some naming in this package. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-24 15:01:37 +00:00			`return pinnipedclientset.NewForConfigOrDie(newAnonymousClientConfig(t))`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`}`

			`func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface {`
			`t.Helper()`

			`return aggregatorclient.NewForConfigOrDie(NewClientConfig(t))`
WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`}`

			`func newClientConfigWithOverrides(t testing.T, overrides clientcmd.ConfigOverrides) *rest.Config {`
			`t.Helper()`

Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`loader := clientcmd.NewDefaultClientConfigLoadingRules()`
WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, overrides)`
Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`config, err := clientConfig.ClientConfig()`
			`require.NoError(t, err)`
			`return config`
			`}`

Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`func newClientsetWithConfig(t testing.T, config rest.Config) kubernetes.Interface {`
WIP: initial integration test for cert issuing 2020-07-24 15:40:08 +00:00			`t.Helper()`

Fix a bad assumption in library.NewClientConfigWithCertAndKey. It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-27 12:52:36 +00:00			`result, err := kubernetes.NewForConfig(config)`
			`require.NoError(t, err, "unexpected failure from kubernetes.NewForConfig()")`
			`return result`
Add integration test to check app is running Signed-off-by: Monis Khan <mok@vmware.com> 2020-07-09 19:30:59 +00:00			`}`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`// Returns a rest.Config without any user authentication info.`
			`// Ensures that we are not accidentally picking up any authentication info from the kube config file.`
			`// E.g. If your kube config were pointing at an Azure cluster, it would have both certs and a token,`
			`// and we don't want our tests to accidentally pick up that token.`
test/library: try another cert rest config We are getting these weird flakes in CI where the kube client that we create with these helper functions doesn't work against the kube API. The kube API tells us that we are unauthorized (401). Seems like something is wrong with the keypair itself, but when I create a one-off kubeconfig with the keypair, I get 200s from the API. Hmmm...I wonder what CI will think of this change? I also tried to align some naming in this package. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-24 15:01:37 +00:00			`func newAnonymousClientConfig(t testing.T) rest.Config {`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`t.Helper()`

Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`realConfig := NewClientConfig(t)`

Rename project 2020-08-20 17:54:15 +00:00			`out, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*")`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`require.NoError(t, err)`
			`defer os.Remove(out.Name())`

			`anonConfig := clientcmdapi.NewConfig()`
			`anonConfig.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{`
			`Server: realConfig.Host,`
			`CertificateAuthorityData: realConfig.CAData,`
			`}`
			`anonConfig.Contexts["anonymous"] = &clientcmdapi.Context{`
			`Cluster: "anonymous-cluster",`
			`}`
			`anonConfig.CurrentContext = "anonymous"`

			`data, err := clientcmd.Write(*anonConfig)`
			`require.NoError(t, err)`

			`_, err = out.Write(data)`
			`require.NoError(t, err)`

			`restConfig, err := clientcmd.BuildConfigFromFlags("", out.Name())`
			`require.NoError(t, err)`

			`return restConfig`
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-07-23 15:05:21 +00:00			`}`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`// Starting with an anonymous client config, add a cert and key to use for authentication in the API server.`
test/library: try another cert rest config We are getting these weird flakes in CI where the kube client that we create with these helper functions doesn't work against the kube API. The kube API tells us that we are unauthorized (401). Seems like something is wrong with the keypair itself, but when I create a one-off kubeconfig with the keypair, I get 200s from the API. Hmmm...I wonder what CI will think of this change? I also tried to align some naming in this package. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-24 15:01:37 +00:00			`func newClientConfigWithCertAndKey(t testing.T, clientCertificateData, clientKeyData string) rest.Config {`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00			`t.Helper()`

test/library: try another cert rest config We are getting these weird flakes in CI where the kube client that we create with these helper functions doesn't work against the kube API. The kube API tells us that we are unauthorized (401). Seems like something is wrong with the keypair itself, but when I create a one-off kubeconfig with the keypair, I get 200s from the API. Hmmm...I wonder what CI will think of this change? I also tried to align some naming in this package. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-24 15:01:37 +00:00			`realConfig := NewClientConfig(t)`

			`out, err := ioutil.TempFile("", "pinniped-cert-and-key-kubeconfig-test-*")`
			`require.NoError(t, err)`
			`defer os.Remove(out.Name())`

			`certAndKeyConfig := clientcmdapi.NewConfig()`
			`certAndKeyConfig.Clusters["cert-and-key-cluster"] = &clientcmdapi.Cluster{`
			`Server: realConfig.Host,`
			`CertificateAuthorityData: realConfig.CAData,`
			`}`
			`certAndKeyConfig.AuthInfos["cert-and-key-auth-info"] = &clientcmdapi.AuthInfo{`
			`ClientCertificateData: []byte(clientCertificateData),`
			`ClientKeyData: []byte(clientKeyData),`
			`}`
			`certAndKeyConfig.Contexts["cert-and-key"] = &clientcmdapi.Context{`
			`Cluster: "cert-and-key-cluster",`
			`AuthInfo: "cert-and-key-auth-info",`
			`}`
			`certAndKeyConfig.CurrentContext = "cert-and-key"`

			`data, err := clientcmd.Write(*certAndKeyConfig)`
			`require.NoError(t, err)`

			`_, err = out.Write(data)`
			`require.NoError(t, err)`

			`restConfig, err := clientcmd.BuildConfigFromFlags("", out.Name())`
			`require.NoError(t, err)`

			`return restConfig`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00			`}`