diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
new file mode 100644
index 00000000..73862d2f
--- /dev/null
+++ b/test/cluster_capabilities/aks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: false
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
new file mode 100644
index 00000000..e5947084
--- /dev/null
+++ b/test/cluster_capabilities/eks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/gke.yaml b/test/cluster_capabilities/gke.yaml
index 4852280d..e5947084 100644
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 # Describe the capabilities of the cluster against which the integration tests will run.
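Review bot: `anonymousAuthenticationSupported` is a hand-maintained claim about each provider, but whether the API server accepts unauthenticated requests is a cluster setting (kube-apiserver's `--anonymous-auth`) that can differ from the provider default. The comment above the key in aks.yaml, and the identical one in eks.yaml, gke.yaml, kind.yaml and tkgs.yaml, does not say what the tests do with the value. I would extend it with something like `# Set to false if anonymous auth is disabled on the API server; tests that require it will not run.` so that a stale `false` is read as lost coverage rather than as a pass. How the value is consumed is outside these hunks, so the wording should be checked against `WithCapability`.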
@@ -6,3 +6,7 @@ capabilities:
 # Is it possible to borrow the cluster's signing key from the kube API server?
 clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/kind.yaml b/test/cluster_capabilities/kind.yaml
index c81f6687..6411cd95 100644
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 # Describe the capabilities of the cluster against which the integration tests will run.
@@ -6,3 +6,7 @@ capabilities:
 # Is it possible to borrow the cluster's signing key from the kube API server?
 clusterSigningKeyIsAvailable: true
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/tkgs.yaml b/test/cluster_capabilities/tkgs.yaml
index c81f6687..6411cd95 100644
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 # Describe the capabilities of the cluster against which the integration tests will run.
@@ -6,3 +6,7 @@ capabilities:
 # Is it possible to borrow the cluster's signing key from the kube API server?
 clusterSigningKeyIsAvailable: true
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 7a37c9c7..00fe5d0f 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -23,7 +23,7 @@ import (
 )
 func TestUnsuccessfulCredentialRequest(t *testing.T) {
- env := library.IntegrationEnv(t)
+ env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
@@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
 }
 func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
- env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable)
+ env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)
 library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go
index de478f52..00090231 100644
--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
 }
 func TestWhoAmI_Anonymous(t *testing.T) {
- _ = library.IntegrationEnv(t)
+ _ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
diff --git a/test/library/env.go b/test/library/env.go
index edd5d78b..3f96b9a0 100644
--- a/test/library/env.go
+++ b/test/library/env.go
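Review bot: The new `.WithCapability(library.AnonymousAuthenticationSupported)` on the first line of `TestUnsuccessfulCredentialRequest` has no comment saying why a failure-path test depends on anonymous access. The same applies to the chained call in `TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable`. Both bodies continue outside the hunks, so the dependency cannot be confirmed here; presumably they send the request with an unauthenticated client. I would add a line such as `// Sends the TokenCredentialRequest with an anonymous client, so the cluster must accept unauthenticated requests.` above each, which also tells the reader that the rejection paths are not exercised on clusters where the capability is false.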
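Review bot: `TestWhoAmI_Anonymous` now runs only where anonymous auth is enabled, and nothing in this diff exercises the opposite case, which is the security-relevant one on a cluster declared with `anonymousAuthenticationSupported: false`. Consider a companion test that starts with `_ = library.IntegrationEnv(t).WithoutCapability(library.AnonymousAuthenticationSupported)` and asserts that an unauthenticated WhoAmI request is refused, so the `false` in aks.yaml is verified against the cluster rather than only used to drop tests. The function body continues past the end of the hunk, so the existing assertions are not visible here.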
@@ -18,7 +18,8 @@ import (
 type Capability string
 const (
- ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+ ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+ AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 )
 // TestEnv captures all the external parameters consumed by our integration tests.
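Review bot: The new exported constant `AnonymousAuthenticationSupported` in the `const (` block has no doc comment, and its string value has to match the YAML key in every capabilities file exactly. I would add `// AnonymousAuthenticationSupported is set when the kube API server accepts requests that carry no credentials.` above it, and a matching one-line comment on `ClusterSigningKeyIsAvailable`. What happens when a capabilities file omits the key is decided outside this hunk; if a missing key is read as false, the comment should say so, because that silently disables the anonymous-path tests.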