From c5b784465bb3ee65eaa62626298fe92e6352ec58 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Tue, 16 Mar 2021 13:54:29 -0500
Subject: [PATCH 1/2] Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled). This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments.
Signed-off-by: Matt Moyer
---
 test/cluster_capabilities/aks.yaml | 12 ++++++++++++
 test/cluster_capabilities/eks.yaml | 12 ++++++++++++
 test/cluster_capabilities/gke.yaml | 6 +++++-
 test/cluster_capabilities/kind.yaml | 6 +++++-
 test/cluster_capabilities/tkgs.yaml | 6 +++++-
 test/integration/concierge_credentialrequest_test.go | 4 ++--
 test/integration/whoami_test.go | 2 +-
 test/library/env.go | 3 ++-
 8 files changed, 44 insertions(+), 7 deletions(-)
 create mode 100644 test/cluster_capabilities/aks.yaml
 create mode 100644 test/cluster_capabilities/eks.yaml
diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
new file mode 100644
index 00000000..73862d2f
--- /dev/null
+++ b/test/cluster_capabilities/aks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: false
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
new file mode 100644
index 00000000..e5947084
--- /dev/null
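Review bot: The comment above `anonymousAuthenticationSupported` in aks.yaml asks whether the cluster allows unauthenticated requests but gives whoever adds the next capability file no way to determine the answer, and a value that does not match the real cluster would presumably turn an anonymous-access test into a failure instead of a skip. Naming the control it reflects would help, e.g. `# Reflects the kube-apiserver --anonymous-auth setting (on by default in most distributions; AKS turns it off).` The identical comment block is added to eks.yaml, gke.yaml, kind.yaml and tkgs.yaml in this commit, so the wording should be updated in all five.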
+++ b/test/cluster_capabilities/eks.yaml
@@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+ # Is it possible to borrow the cluster's signing key from the kube API server?
+ clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/gke.yaml b/test/cluster_capabilities/gke.yaml
index 4852280d..e5947084 100644
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Describe the capabilities of the cluster against which the integration tests will run.
@@ -6,3 +6,7 @@ capabilities:
 
  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: false
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/kind.yaml b/test/cluster_capabilities/kind.yaml
index c81f6687..6411cd95 100644
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Describe the capabilities of the cluster against which the integration tests will run.
@@ -6,3 +6,7 @@ capabilities:
 
  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/cluster_capabilities/tkgs.yaml b/test/cluster_capabilities/tkgs.yaml
index c81f6687..6411cd95 100644
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Describe the capabilities of the cluster against which the integration tests will run.
@@ -6,3 +6,7 @@ capabilities:
 
  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+ # Does the cluster allow requests without authentication?
+ # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+ anonymousAuthenticationSupported: true
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 7a37c9c7..00fe5d0f 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -23,7 +23,7 @@ import (
 )
 
 func TestUnsuccessfulCredentialRequest(t *testing.T) {
- env := library.IntegrationEnv(t)
+ env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
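Review bot: The new `.WithCapability(library.AnonymousAuthenticationSupported)` gate on `TestUnsuccessfulCredentialRequest` is not explained at the call site, so a reader cannot tell why a negative-path credential test depends on the API server accepting anonymous requests; presumably the request is issued without client credentials, but nothing in this hunk shows that. A one-line comment above the assignment would close the gap, e.g. `// This test talks to the API server without credentials, so it only makes sense where anonymous auth is enabled (AKS disables it).` The same applies to the hunk at -184 in this file, where the chained `.WithoutCapability(...).WithCapability(...)` has also grown long enough that splitting it over two lines would read better. Both function bodies continue past their hunks.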
@@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
 }
 
 func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
- env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable)
+ env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)
 library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go
index de478f52..00090231 100644
--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
 }
 
 func TestWhoAmI_Anonymous(t *testing.T) {
- _ = library.IntegrationEnv(t)
+ _ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
 
 ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 defer cancel()
diff --git a/test/library/env.go b/test/library/env.go
index edd5d78b..3f96b9a0 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -18,7 +18,8 @@ import (
 type Capability string
 
 const (
- ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+ ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+ AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 )
 
 // TestEnv captures all the external parameters consumed by our integration tests.
From 2319606cd2c9fb9444ac1e09f617e055fa958411 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Tue, 16 Mar 2021 13:54:29 -0500
Subject: [PATCH 2/2] Fix some nits from the previous commit that I accidentally merged before fixing.
Signed-off-by: Matt Moyer
---
 test/cluster_capabilities/aks.yaml | 2 +-
 test/cluster_capabilities/eks.yaml | 2 +-
 test/integration/whoami_test.go | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
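Review bot: `_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)` in `TestWhoAmI_Anonymous` keeps a call purely for its side effect and throws the result away, which reads like leftover code to the next maintainer and to linters. If `WithCapability` skips the test when the capability is missing (it is not visible in this hunk), a comment should say so, e.g. `// Result unused: the call skips this test on clusters that reject anonymous requests.` The test name and the commit message make the dependence on anonymous auth the whole point of the test, so stating it here is cheap. The function body continues past the hunk.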
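Review bot: The new `AnonymousAuthenticationSupported` constant in env.go, like the existing `ClusterSigningKeyIsAvailable` and the exported `Capability` type, has no doc comment, so the only description of what each capability asserts lives in the per-cluster YAML files while the Go side is what decides whether a test runs or is skipped. Suggested: `// AnonymousAuthenticationSupported means the cluster's API server accepts unauthenticated requests; most clusters do, but AKS disables it.` and `// ClusterSigningKeyIsAvailable means the cluster's signing key can be borrowed from the kube API server.` Since the string values must match the YAML keys exactly, a note on the `const` block such as `// Values are the keys used in test/cluster_capabilities/*.yaml.` would guard the next addition.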
diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
index 73862d2f..cf8a1186 100644
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Describe the capabilities of the cluster against which the integration tests will run.
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
index e5947084..67fa6bbc 100644
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@@ -1,4 +1,4 @@
-# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Describe the capabilities of the cluster against which the integration tests will run.
diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go
index 00090231..d39f828f 100644
--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@@ -356,7 +356,6 @@ func TestWhoAmI_Anonymous(t *testing.T) {
 require.NoError(t, err)
 
 // this also asserts that all users, even unauthenticated ones, can call this API when anonymous is enabled
- // this test will need to be skipped when we start running the integration tests against AKS clusters
 require.Equal(t, &identityv1alpha1.WhoAmIRequest{
 Status: identityv1alpha1.WhoAmIRequestStatus{