Merge pull request #499 from vmware-tanzu/add-anon-auth-capability

Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
2021-03-16 12:21:47 -07:00 · 2021-03-16 12:21:47 -07:00 · 10168ab2e7
parent ab6452ace7 c5b784465b
commit 10168ab2e7
8 changed files with 44 additions and 7 deletions
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: false
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@ -23,7 +23,7 @@ import (
 )

 func TestUnsuccessfulCredentialRequest(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)

 	library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")

@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
 }

 func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
-	env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable)
+	env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)

 	library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")

--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
 }

 func TestWhoAmI_Anonymous(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)

 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
--- a/test/library/env.go
+++ b/test/library/env.go
@ -18,7 +18,8 @@ import (
 type Capability string

 const (
-	ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
+	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 )

 // TestEnv captures all the external parameters consumed by our integration tests.