Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This commit is contained in:
commit
4d2035ab2a
@ -6,118 +6,110 @@ package integration
|
|||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
"go.pinniped.dev/test/library"
|
"go.pinniped.dev/test/library"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func runTestKubectlCommand(t *testing.T, args ...string) (string, string) {
|
||||||
|
t.Helper()
|
||||||
|
|
||||||
|
var lock sync.Mutex
|
||||||
|
var stdOut, stdErr bytes.Buffer
|
||||||
|
var err error
|
||||||
|
start := time.Now()
|
||||||
|
attempts := 0
|
||||||
|
if !assert.Eventually(t, func() bool {
|
||||||
|
lock.Lock()
|
||||||
|
defer lock.Unlock()
|
||||||
|
attempts++
|
||||||
|
stdOut.Reset()
|
||||||
|
stdErr.Reset()
|
||||||
|
cmd := exec.Command("kubectl", args...)
|
||||||
|
cmd.Stdout = &stdOut
|
||||||
|
cmd.Stderr = &stdErr
|
||||||
|
err = cmd.Run()
|
||||||
|
return err == nil
|
||||||
|
},
|
||||||
|
120*time.Second,
|
||||||
|
200*time.Millisecond,
|
||||||
|
) {
|
||||||
|
lock.Lock()
|
||||||
|
defer lock.Unlock()
|
||||||
|
t.Logf(
|
||||||
|
"never ran %q successfully even after %d attempts (%s)",
|
||||||
|
"kubectl "+strings.Join(args, " "),
|
||||||
|
attempts,
|
||||||
|
time.Since(start).Round(time.Second),
|
||||||
|
)
|
||||||
|
t.Logf("last error: %v", err)
|
||||||
|
t.Logf("stdout:\n%s\n", stdOut.String())
|
||||||
|
t.Logf("stderr:\n%s\n", stdErr.String())
|
||||||
|
t.FailNow()
|
||||||
|
}
|
||||||
|
return stdOut.String(), stdErr.String()
|
||||||
|
}
|
||||||
func TestGetPinnipedCategory(t *testing.T) {
|
func TestGetPinnipedCategory(t *testing.T) {
|
||||||
env := library.IntegrationEnv(t)
|
env := library.IntegrationEnv(t)
|
||||||
dotSuffix := "." + env.APIGroupSuffix
|
dotSuffix := "." + env.APIGroupSuffix
|
||||||
|
|
||||||
t.Run("category, no special params", func(t *testing.T) {
|
t.Run("category, no special params", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "pinniped", "-A")
|
||||||
var err error
|
require.Empty(t, stderr)
|
||||||
require.Eventuallyf(t, func() bool {
|
require.NotContains(t, stdout, "MethodNotAllowed")
|
||||||
cmd := exec.Command("kubectl", "get", "pinniped", "-A")
|
require.Contains(t, stdout, dotSuffix)
|
||||||
cmd.Stdout = &stdOut
|
|
||||||
cmd.Stderr = &stdErr
|
|
||||||
err = cmd.Run()
|
|
||||||
return err == nil
|
|
||||||
},
|
|
||||||
60*time.Second,
|
|
||||||
1*time.Second,
|
|
||||||
"never ran 'kubectl get pinniped -A' successfully:\n%s\n\n%s",
|
|
||||||
stdErr.String(),
|
|
||||||
stdOut.String(),
|
|
||||||
)
|
|
||||||
require.Empty(t, stdErr.String())
|
|
||||||
require.NotContains(t, stdOut.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdOut.String(), dotSuffix)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("category, table params", func(t *testing.T) {
|
t.Run("category, table params", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "pinniped", "-A", "-o", "wide", "-v", "10")
|
||||||
cmd := exec.Command("kubectl", "get", "pinniped", "-A", "-o", "wide", "-v", "10")
|
require.NotContains(t, stdout, "MethodNotAllowed")
|
||||||
cmd.Stdout = &stdOut
|
require.Contains(t, stdout, dotSuffix)
|
||||||
cmd.Stderr = &stdErr
|
require.Contains(t, stderr, `"kind":"Table"`)
|
||||||
err := cmd.Run()
|
require.Contains(t, stderr, `"resourceVersion":"0"`)
|
||||||
require.NoError(t, err, stdErr.String(), stdOut.String())
|
require.Contains(t, stderr, `/v1alpha1/tokencredentialrequests`)
|
||||||
|
require.Contains(t, stderr, `/v1alpha1/whoamirequests`)
|
||||||
require.NotContains(t, stdOut.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdOut.String(), dotSuffix)
|
|
||||||
|
|
||||||
require.Contains(t, stdErr.String(), `"kind":"Table"`)
|
|
||||||
require.Contains(t, stdErr.String(), `"resourceVersion":"0"`)
|
|
||||||
require.Contains(t, stdErr.String(), `/v1alpha1/tokencredentialrequests`)
|
|
||||||
require.Contains(t, stdErr.String(), `/v1alpha1/whoamirequests`)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("list, no special params", func(t *testing.T) {
|
t.Run("list, no special params", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "tokencredentialrequests.login.concierge"+dotSuffix, "-A")
|
||||||
//nolint: gosec // input is part of test env
|
require.Empty(t, stdout)
|
||||||
cmd := exec.Command("kubectl", "get", "tokencredentialrequests.login.concierge"+dotSuffix, "-A")
|
require.NotContains(t, stderr, "MethodNotAllowed")
|
||||||
cmd.Stdout = &stdOut
|
require.Contains(t, stderr, `No resources found`)
|
||||||
cmd.Stderr = &stdErr
|
|
||||||
err := cmd.Run()
|
|
||||||
require.NoError(t, err, stdErr.String(), stdOut.String())
|
|
||||||
require.Empty(t, stdOut.String())
|
|
||||||
|
|
||||||
require.NotContains(t, stdErr.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdErr.String(), `No resources found`)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("list, table params", func(t *testing.T) {
|
t.Run("list, table params", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "tokencredentialrequests.login.concierge"+dotSuffix, "-A", "-o", "wide", "-v", "10")
|
||||||
//nolint: gosec // input is part of test env
|
require.Empty(t, stdout)
|
||||||
cmd := exec.Command("kubectl", "get", "tokencredentialrequests.login.concierge"+dotSuffix, "-A", "-o", "wide", "-v", "10")
|
require.NotContains(t, stderr, "MethodNotAllowed")
|
||||||
cmd.Stdout = &stdOut
|
require.Contains(t, stderr, `"kind":"Table"`)
|
||||||
cmd.Stderr = &stdErr
|
require.Contains(t, stderr, `"resourceVersion":"0"`)
|
||||||
err := cmd.Run()
|
|
||||||
require.NoError(t, err, stdErr.String(), stdOut.String())
|
|
||||||
require.Empty(t, stdOut.String())
|
|
||||||
|
|
||||||
require.NotContains(t, stdErr.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdErr.String(), `"kind":"Table"`)
|
|
||||||
require.Contains(t, stdErr.String(), `"resourceVersion":"0"`)
|
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("raw request to see body, token cred", func(t *testing.T) {
|
t.Run("raw request to see body, token cred", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "--raw", "/apis/login.concierge"+dotSuffix+"/v1alpha1/tokencredentialrequests")
|
||||||
//nolint: gosec // input is part of test env
|
require.NotContains(t, stdout, "MethodNotAllowed")
|
||||||
cmd := exec.Command("kubectl", "get", "--raw", "/apis/login.concierge"+dotSuffix+"/v1alpha1/tokencredentialrequests")
|
require.Contains(t, stdout, `{"kind":"TokenCredentialRequestList","apiVersion":"login.concierge`+
|
||||||
cmd.Stdout = &stdOut
|
|
||||||
cmd.Stderr = &stdErr
|
|
||||||
err := cmd.Run()
|
|
||||||
require.NoError(t, err, stdErr.String(), stdOut.String())
|
|
||||||
require.Empty(t, stdErr.String())
|
|
||||||
|
|
||||||
require.NotContains(t, stdOut.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdOut.String(), `{"kind":"TokenCredentialRequestList","apiVersion":"login.concierge`+
|
|
||||||
dotSuffix+`/v1alpha1","metadata":{"resourceVersion":"0"},"items":[]}`)
|
dotSuffix+`/v1alpha1","metadata":{"resourceVersion":"0"},"items":[]}`)
|
||||||
|
require.Empty(t, stderr)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("raw request to see body, whoami", func(t *testing.T) {
|
t.Run("raw request to see body, whoami", func(t *testing.T) {
|
||||||
var stdOut, stdErr bytes.Buffer
|
t.Parallel()
|
||||||
|
stdout, stderr := runTestKubectlCommand(t, "get", "--raw", "/apis/identity.concierge"+dotSuffix+"/v1alpha1/whoamirequests")
|
||||||
//nolint: gosec // input is part of test env
|
require.NotContains(t, stdout, "MethodNotAllowed")
|
||||||
cmd := exec.Command("kubectl", "get", "--raw", "/apis/identity.concierge"+dotSuffix+"/v1alpha1/whoamirequests")
|
require.Contains(t, stdout, `{"kind":"WhoAmIRequestList","apiVersion":"identity.concierge`+
|
||||||
cmd.Stdout = &stdOut
|
|
||||||
cmd.Stderr = &stdErr
|
|
||||||
err := cmd.Run()
|
|
||||||
require.NoError(t, err, stdErr.String(), stdOut.String())
|
|
||||||
require.Empty(t, stdErr.String())
|
|
||||||
|
|
||||||
require.NotContains(t, stdOut.String(), "MethodNotAllowed")
|
|
||||||
require.Contains(t, stdOut.String(), `{"kind":"WhoAmIRequestList","apiVersion":"identity.concierge`+
|
|
||||||
dotSuffix+`/v1alpha1","metadata":{"resourceVersion":"0"},"items":[]}`)
|
dotSuffix+`/v1alpha1","metadata":{"resourceVersion":"0"},"items":[]}`)
|
||||||
|
require.Empty(t, stderr)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
package integration
|
package integration
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
@ -131,13 +132,19 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
|
|||||||
require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
|
require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
|
||||||
|
|
||||||
// Expect that the APIService was also updated with the new CA.
|
// Expect that the APIService was also updated with the new CA.
|
||||||
aggregatedAPIUpdated := func() bool {
|
require.Eventually(t, func() bool {
|
||||||
apiService, err = aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{})
|
apiService, err := aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{})
|
||||||
return err == nil
|
if err != nil {
|
||||||
}
|
t.Logf("get for APIService %q returned error %v", apiServiceName, err)
|
||||||
assert.Eventually(t, aggregatedAPIUpdated, 10*time.Second, 250*time.Millisecond)
|
return false
|
||||||
require.NoError(t, err) // prints out the error and stops the test in case of failure
|
}
|
||||||
require.Equal(t, regeneratedCACert, apiService.Spec.CABundle)
|
if !bytes.Equal(regeneratedCACert, apiService.Spec.CABundle) {
|
||||||
|
t.Logf("CA bundle in APIService %q does not yet have the expected value", apiServiceName)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
t.Logf("found that APIService %q was updated to expected CA certificate", apiServiceName)
|
||||||
|
return true
|
||||||
|
}, 10*time.Second, 250*time.Millisecond, "never saw CA certificate rotate to expected value")
|
||||||
|
|
||||||
// Check that we can still make requests to the aggregated API through the kube API server,
|
// Check that we can still make requests to the aggregated API through the kube API server,
|
||||||
// because the kube API server uses these certs when proxying requests to the aggregated API server,
|
// because the kube API server uses these certs when proxying requests to the aggregated API server,
|
||||||
|
Loading…
Reference in New Issue
Block a user