diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
new file mode 100644
index 00000000..cf8a1186
--- /dev/null
+++ b/test/cluster_capabilities/aks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: false
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
new file mode 100644
index 00000000..67fa6bbc
--- /dev/null
+++ b/test/cluster_capabilities/eks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/gke.yaml b/test/cluster_capabilities/gke.yaml
index 2f97168e..8bba8b8d 100644
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
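Review bot: The new aks.yaml and eks.yaml describe only `clusterSigningKeyIsAvailable` and `anonymousAuthenticationSupported`, while the gke, kind and tkgs files touched by this same commit also carry `hasExternalLoadBalancerProvider`. If the test library treats an undescribed capability as an error rather than as false (the lookup code is not visible here), every test gated on that capability would fail on AKS and EKS instead of being skipped. I would add the key to both files under its usual comment `# Will the cluster successfully provision a load balancer if requested?`, with the value that matches each platform.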
@@ -9,3 +9,7 @@ capabilities: # Will the cluster successfully provision a load balancer if requested? hasExternalLoadBalancerProvider: true + + # Does the cluster allow requests without authentication? + # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests + anonymousAuthenticationSupported: true diff --git a/test/cluster_capabilities/kind.yaml b/test/cluster_capabilities/kind.yaml index ba9099fa..0724edb9 100644 --- a/test/cluster_capabilities/kind.yaml +++ b/test/cluster_capabilities/kind.yaml @@ -9,3 +9,7 @@ capabilities: # Will the cluster successfully provision a load balancer if requested? hasExternalLoadBalancerProvider: false + + # Does the cluster allow requests without authentication? + # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests + anonymousAuthenticationSupported: true diff --git a/test/cluster_capabilities/tkgs.yaml b/test/cluster_capabilities/tkgs.yaml index a45b92b3..2ea82b1e 100644 --- a/test/cluster_capabilities/tkgs.yaml +++ b/test/cluster_capabilities/tkgs.yaml @@ -9,3 +9,7 @@ capabilities: # Will the cluster successfully provision a load balancer if requested? hasExternalLoadBalancerProvider: true + + # Does the cluster allow requests without authentication? + # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests + anonymousAuthenticationSupported: true diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go index 6dedfcac..285a1f0e 100644 --- a/test/integration/concierge_credentialrequest_test.go +++ b/test/integration/concierge_credentialrequest_test.go @@ -23,7 +23,7 @@ import ( ) func TestUnsuccessfulCredentialRequest(t *testing.T) { - env := library.IntegrationEnv(t) + env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported) library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "") 
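Review bot: Gating all of `TestUnsuccessfulCredentialRequest` on `AnonymousAuthenticationSupported` means that on a cluster where the flag is false (aks.yaml in this commit) nothing asserts what an unauthenticated credential request gets back; the same applies to `TestWhoAmI_Anonymous` in whoami_test.go. The test body continues outside the hunk, so I am assuming it sends the request without credentials. For an authentication component the rejected path is worth pinning as well: a companion test that runs only when the capability is absent and expects the API server to refuse the call would cover it. At minimum a comment above the changed line, such as `// Sends the request without credentials, so it only runs where anonymous authentication is enabled.`, would record why the test is gated.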
diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go index f30175ec..15f87fe2 100644 --- a/test/integration/whoami_test.go +++ b/test/integration/whoami_test.go @@ -333,7 +333,7 @@ func TestWhoAmI_CSR(t *testing.T) { } func TestWhoAmI_Anonymous(t *testing.T) { - _ = library.IntegrationEnv(t) + _ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported) ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() @@ -345,7 +345,6 @@ func TestWhoAmI_Anonymous(t *testing.T) { require.NoError(t, err) // this also asserts that all users, even unauthenticated ones, can call this API when anonymous is enabled - // this test will need to be skipped when we start running the integration tests against AKS clusters require.Equal(t, &identityv1alpha1.WhoAmIRequest{ Status: identityv1alpha1.WhoAmIRequestStatus{ diff --git a/test/library/env.go b/test/library/env.go index 0cf28a42..5149f8a6 100644 --- a/test/library/env.go +++ b/test/library/env.go @@ -18,8 +18,9 @@ import ( type Capability string const ( - ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable" - HasExternalLoadBalancerProvider Capability = "hasExternalLoadBalancerProvider" + ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable" + AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported" + HasExternalLoadBalancerProvider Capability = "hasExternalLoadBalancerProvider" ) // TestEnv captures all the external parameters consumed by our integration tests.
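Review bot: `AnonymousAuthenticationSupported` is added to the const block in test/library/env.go without a comment, although its string value has to match the YAML key in every file under test/cluster_capabilities exactly. A short comment would make that coupling visible, for example `// AnonymousAuthenticationSupported is true when the API server accepts requests that carry no credentials.` If the loader expects each capabilities file to describe every constant in this block, it would help to say so on the `Capability` type as well; the loader is outside this hunk.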