kubecertagent: get integration tests passing again
Note: the non-kubecertagent integration tests are still failing :).
This commit is contained in:
parent
526be79b11
commit
1a4f9e3466
@ -47,6 +47,10 @@ rules:
|
||||
- apiGroups: [""]
|
||||
resources: [secrets]
|
||||
verbs: [create, get, list, patch, update, watch, delete]
|
||||
#! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [create, get, list, patch, update, watch, delete]
|
||||
- apiGroups: [config.pinniped.dev, idp.pinniped.dev]
|
||||
resources: ["*"]
|
||||
verbs: [create, get, list, update, watch]
|
||||
@ -65,25 +69,22 @@ roleRef:
|
||||
name: #@ data.values.app_name + "-aggregated-api-server"
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
|
||||
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [create, get, list, patch, update, watch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [pods/exec]
|
||||
verbs: [create]
|
||||
verbs: [get, list, watch]
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
@ -91,7 +92,7 @@ subjects:
|
||||
namespace: #@ data.values.namespace
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read-write"
|
||||
name: #@ data.values.app_name + "-kube-system-pod-read"
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
||||
|
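Review bot: The pod rule added under `resources: [pods]` in the application namespace is broader than its comment suggests: Kubernetes RBAC cannot select by label, so `create, get, list, patch, update, watch, delete` apply to every pod in that namespace, not only the kube-cert-agent pods being reconciled. The comment should say so, e.g. `#! Note: RBAC cannot scope by label, so this grants pod CRUD on every pod in our namespace, not just the agent pods.`, so a later reader does not assume the grant is narrower than it is. The kube-system Role in the following hunk is narrowed to `get, list, watch` and drops the `pods/exec` create rule, which matches its updated comment and is a clear reduction in privilege.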
@ -21,13 +21,13 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
kubeCertAgentNamespace = "kube-system"
|
||||
kubeCertAgentLabelSelector = "kube-cert-agent.pinniped.dev="
|
||||
)
|
||||
|
||||
func TestKubeCertAgent(t *testing.T) {
|
||||
library.SkipUnlessIntegration(t)
|
||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||
namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
|
||||
defer cancel()
|
||||
@ -39,7 +39,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||
// We can pretty safely assert there should be more than 1, since there should be a
|
||||
// kube-cert-agent pod per kube-controller-manager pod, and there should probably be at least
|
||||
// 1 kube-controller-manager for this to be a working kube API.
|
||||
originalAgentPods, err := kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
|
||||
originalAgentPods, err := kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
|
||||
LabelSelector: kubeCertAgentLabelSelector,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
@ -48,7 +48,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||
|
||||
agentPodsReconciled := func() bool {
|
||||
var currentAgentPods *corev1.PodList
|
||||
currentAgentPods, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
|
||||
currentAgentPods, err = kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
|
||||
LabelSelector: kubeCertAgentLabelSelector,
|
||||
})
|
||||
|
||||
@ -56,6 +56,13 @@ func TestKubeCertAgent(t *testing.T) {
|
||||
return false
|
||||
}
|
||||
|
||||
if len(originalAgentPods.Items) != len(currentAgentPods.Items) {
|
||||
err = fmt.Errorf(
|
||||
"original agent pod len != current agent pod len: %s",
|
||||
diff.ObjectDiff(originalAgentPods.Items, currentAgentPods.Items),
|
||||
)
|
||||
}
|
||||
|
||||
sortPods(currentAgentPods)
|
||||
for i := range originalAgentPods.Items {
|
||||
if !equality.Semantic.DeepEqual(
|
||||
@ -84,7 +91,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||
updatedAgentPod.Spec.Tolerations,
|
||||
corev1.Toleration{Key: "fake-toleration"},
|
||||
)
|
||||
_, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
|
||||
_, err = kubeClient.CoreV1().Pods(namespaceName).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
|
||||
require.NoError(t, err)
|
||||
|
||||
// Make sure the original pods come back.
|
||||
@ -96,7 +103,7 @@ func TestKubeCertAgent(t *testing.T) {
|
||||
// Delete the first pod. The controller should see it, and flip it back.
|
||||
err = kubeClient.
|
||||
CoreV1().
|
||||
Pods(kubeCertAgentNamespace).
|
||||
Pods(namespaceName).
|
||||
Delete(ctx, originalAgentPods.Items[0].Name, metav1.DeleteOptions{})
|
||||
require.NoError(t, err)
|
||||
|
||||
|
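Review bot: In the hunk at `@ -56,6 +56,13`, the new length-mismatch branch assigns `err` but does not return, so execution falls through to `sortPods(currentAgentPods)` and the `for i := range originalAgentPods.Items` loop with two lists of different lengths; if that loop compares `currentAgentPods.Items[i]` by index (its body continues past the hunk), a shorter current list would panic instead of reporting the mismatch through `err`. Add `return false` directly after the `err = fmt.Errorf(...)` assignment, mirroring the `return false` on the error path just above it. The `agentPodsReconciled` closure begins in the earlier `@ -48,7 +48,7` hunk and its body continues outside this one, so I cannot confirm how `err` is consumed by the caller.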