kubecertagent: get integration tests passing again
Note: the non-kubecertagent integration tests are still failing :).
This commit is contained in:
Andrew Keesler
parent
526be79b11
commit
1a4f9e3466
|
|
@ -47,6 +47,10 @@ rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: [secrets]
|
resources: [secrets]
|
||||||
verbs: [create, get, list, patch, update, watch, delete]
|
verbs: [create, get, list, patch, update, watch, delete]
|
||||||
|
#! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: [pods]
|
||||||
|
verbs: [create, get, list, patch, update, watch, delete]
|
||||||
- apiGroups: [config.pinniped.dev, idp.pinniped.dev]
|
- apiGroups: [config.pinniped.dev, idp.pinniped.dev]
|
||||||
resources: ["*"]
|
resources: ["*"]
|
||||||
verbs: [create, get, list, update, watch]
|
verbs: [create, get, list, update, watch]
|
||||||
|
|
@ -65,25 +69,22 @@ roleRef:
|
||||||
name: #@ data.values.app_name + "-aggregated-api-server"
|
name: #@ data.values.app_name + "-aggregated-api-server"
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
|
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: [pods]
|
resources: [pods]
|
||||||
verbs: [create, get, list, patch, update, watch, delete]
|
verbs: [get, list, watch]
|
||||||
- apiGroups: [""]
|
|
||||||
resources: [pods/exec]
|
|
||||||
verbs: [create]
|
|
||||||
---
|
---
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
|
|
@ -91,7 +92,7 @@ subjects:
|
||||||
namespace: #@ data.values.namespace
|
namespace: #@ data.values.namespace
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: Role
|
kind: Role
|
||||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
||||||
|
|
|
||||||
|
|
@ -21,13 +21,13 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
kubeCertAgentNamespace = "kube-system"
|
|
||||||
kubeCertAgentLabelSelector = "kube-cert-agent.pinniped.dev="
|
kubeCertAgentLabelSelector = "kube-cert-agent.pinniped.dev="
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestKubeCertAgent(t *testing.T) {
|
func TestKubeCertAgent(t *testing.T) {
|
||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
|
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
@ -39,7 +39,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||||
// We can pretty safely assert there should be more than 1, since there should be a
|
// We can pretty safely assert there should be more than 1, since there should be a
|
||||||
// kube-cert-agent pod per kube-controller-manager pod, and there should probably be at least
|
// kube-cert-agent pod per kube-controller-manager pod, and there should probably be at least
|
||||||
// 1 kube-controller-manager for this to be a working kube API.
|
// 1 kube-controller-manager for this to be a working kube API.
|
||||||
originalAgentPods, err := kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
|
originalAgentPods, err := kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
|
||||||
LabelSelector: kubeCertAgentLabelSelector,
|
LabelSelector: kubeCertAgentLabelSelector,
|
||||||
})
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
@ -48,7 +48,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||||
|
|
||||||
agentPodsReconciled := func() bool {
|
agentPodsReconciled := func() bool {
|
||||||
var currentAgentPods *corev1.PodList
|
var currentAgentPods *corev1.PodList
|
||||||
currentAgentPods, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
|
currentAgentPods, err = kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
|
||||||
LabelSelector: kubeCertAgentLabelSelector,
|
LabelSelector: kubeCertAgentLabelSelector,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
@ -56,6 +56,13 @@ func TestKubeCertAgent(t *testing.T) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(originalAgentPods.Items) != len(currentAgentPods.Items) {
|
||||||
|
err = fmt.Errorf(
|
||||||
|
"original agent pod len != current agent pod len: %s",
|
||||||
|
diff.ObjectDiff(originalAgentPods.Items, currentAgentPods.Items),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
sortPods(currentAgentPods)
|
sortPods(currentAgentPods)
|
||||||
for i := range originalAgentPods.Items {
|
for i := range originalAgentPods.Items {
|
||||||
if !equality.Semantic.DeepEqual(
|
if !equality.Semantic.DeepEqual(
|
||||||
|
|
@ -84,7 +91,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||||
updatedAgentPod.Spec.Tolerations,
|
updatedAgentPod.Spec.Tolerations,
|
||||||
corev1.Toleration{Key: "fake-toleration"},
|
corev1.Toleration{Key: "fake-toleration"},
|
||||||
)
|
)
|
||||||
_, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
|
_, err = kubeClient.CoreV1().Pods(namespaceName).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// Make sure the original pods come back.
|
// Make sure the original pods come back.
|
||||||
|
|
@ -96,7 +103,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||||
// Delete the first pod. The controller should see it, and flip it back.
|
// Delete the first pod. The controller should see it, and flip it back.
|
||||||
err = kubeClient.
|
err = kubeClient.
|
||||||
CoreV1().
|
CoreV1().
|
||||||
Pods(kubeCertAgentNamespace).
|
Pods(namespaceName).
|
||||||
Delete(ctx, originalAgentPods.Items[0].Name, metav1.DeleteOptions{})
|
Delete(ctx, originalAgentPods.Items[0].Name, metav1.DeleteOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue