Another integration test fix for dynamic clients feature with Okta

Also increase the timeout in an integration test because it is flaking
on one of the GKE environments sometimes, probably because the
Concierge controllers aren't ready fast enough before the integration
tests start.
This commit is contained in:
Ryan Richard 2022-09-26 14:43:50 -07:00
parent f302e71b0f
commit 23185d55a5
2 changed files with 27 additions and 18 deletions

View File

@ -109,25 +109,30 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {
// Expect that the Secret comes back right away with newly minted certs. // Expect that the Secret comes back right away with newly minted certs.
var regeneratedCACert []byte var regeneratedCACert []byte
testlib.RequireEventually(t, func(requireEventually *require.Assertions) { testlib.RequireEventually(t,
var err error func(requireEventually *require.Assertions) {
secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{}) var err error
requireEventually.NoError(err) secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
requireEventually.NoError(err)
regeneratedCACert = secret.Data["caCertificate"] regeneratedCACert = secret.Data["caCertificate"]
regeneratedPrivateKey := secret.Data["tlsPrivateKey"] regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
regeneratedCertChain := secret.Data["tlsCertificateChain"] regeneratedCertChain := secret.Data["tlsCertificateChain"]
requireEventually.NotEmpty(regeneratedCACert) requireEventually.NotEmpty(regeneratedCACert)
requireEventually.NotEmpty(regeneratedPrivateKey) requireEventually.NotEmpty(regeneratedPrivateKey)
requireEventually.NotEmpty(regeneratedCertChain) requireEventually.NotEmpty(regeneratedCertChain)
requireEventually.NotEqual(initialCACert, regeneratedCACert) requireEventually.NotEqual(initialCACert, regeneratedCACert)
requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey) requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
requireEventually.NotEqual(initialCertChain, regeneratedCertChain) requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
for k, v := range env.ConciergeCustomLabels { for k, v := range env.ConciergeCustomLabels {
requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v) requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
} }
requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"]) requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
}, 2*time.Minute, 250*time.Millisecond) },
// Wait 5 minutes in case the Concierge was just redeployed, in which case it can take time for
// the controllers to be ready again. This test is often run as the very first test in the whole suite.
5*time.Minute,
250*time.Millisecond)
// Expect that the APIService was also updated with the new CA. // Expect that the APIService was also updated with the new CA.
testlib.RequireEventually(t, func(requireEventually *require.Assertions) { testlib.RequireEventually(t, func(requireEventually *require.Assertions) {

View File

@ -1293,6 +1293,10 @@ func TestSupervisorLogin_Browser(t *testing.T) {
maybeSkip: skipNever, maybeSkip: skipNever,
createIDP: func(t *testing.T) string { createIDP: func(t *testing.T) string {
spec := basicOIDCIdentityProviderSpec() spec := basicOIDCIdentityProviderSpec()
spec.Claims = idpv1alpha1.OIDCClaims{
Username: env.SupervisorUpstreamOIDC.UsernameClaim,
Groups: env.SupervisorUpstreamOIDC.GroupsClaim,
}
spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{ spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes, AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
} }