Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy

Signed-off-by: Matt Moyer <moyerm@vmware.com>

test/cluster_capabilities/aks.yaml

@@ -0,0 +1,12 @@
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: false

test/cluster_capabilities/eks.yaml

@@ -0,0 +1,12 @@
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true

test/cluster_capabilities/gke.yaml

@@ -9,3 +9,7 @@ capabilities:
 
   # Will the cluster successfully provision a load balancer if requested?
   hasExternalLoadBalancerProvider: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true

test/cluster_capabilities/kind.yaml

@@ -9,3 +9,7 @@ capabilities:
 
   # Will the cluster successfully provision a load balancer if requested?
   hasExternalLoadBalancerProvider: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true

test/cluster_capabilities/tkgs.yaml

@@ -9,3 +9,7 @@ capabilities:
 
   # Will the cluster successfully provision a load balancer if requested?
   hasExternalLoadBalancerProvider: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true

test/integration/concierge_credentialrequest_test.go

@@ -23,7 +23,7 @@ import (
 )
 
 func TestUnsuccessfulCredentialRequest(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 
 	library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
 

test/integration/whoami_test.go

@@ -333,7 +333,7 @@ func TestWhoAmI_CSR(t *testing.T) {
 }
 
 func TestWhoAmI_Anonymous(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
@@ -345,7 +345,6 @@ func TestWhoAmI_Anonymous(t *testing.T) {
 	require.NoError(t, err)
 
 	// this also asserts that all users, even unauthenticated ones, can call this API when anonymous is enabled
-	// this test will need to be skipped when we start running the integration tests against AKS clusters
 	require.Equal(t,
 		&identityv1alpha1.WhoAmIRequest{
 			Status: identityv1alpha1.WhoAmIRequestStatus{

test/library/env.go

@@ -18,8 +18,9 @@ import (
 type Capability string
 
 const (
-	ClusterSigningKeyIsAvailable    Capability = "clusterSigningKeyIsAvailable"
-	HasExternalLoadBalancerProvider Capability = "hasExternalLoadBalancerProvider"
+	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
+	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
+	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
 )
 
 // TestEnv captures all the external parameters consumed by our integration tests.