Merge branch 'main' into oidc_password_grant
62c6d53a21
@ -55,7 +55,11 @@ type provider struct {
|
|||||||
// NewServingCert returns a Private that is go routine safe.
|
// NewServingCert returns a Private that is go routine safe.
|
||||||
// It can only hold key pairs that have IsCA=false.
|
// It can only hold key pairs that have IsCA=false.
|
||||||
func NewServingCert(name string) Private {
|
func NewServingCert(name string) Private {
|
||||||
return &provider{name: name}
|
return struct {
|
||||||
|
Private
|
||||||
|
}{
|
||||||
|
Private: &provider{name: name},
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewCA returns a Provider that is go routine safe.
|
// NewCA returns a Provider that is go routine safe.
|
||||||
|
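Review bot: The anonymous struct returned at the new `return struct { Private }{ Private: &provider{name: name} }` lines has no comment saying why the concrete `*provider` is no longer handed out directly, so a later maintainer may simplify it back to `return &provider{name: name}` and silently widen the method set again. Embedding only `Private` means the caller cannot type-assert the value to `Public` or `Provider`, which keeps a serving-cert holder away from the CA-side methods; that is the property the new TestNewServingCert in the test file checks. Suggest a comment above the return: `// Wrap in an anonymous struct so the returned value exposes only Private's method set and cannot be type-asserted back to *provider, Public or Provider.`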
@ -12,6 +12,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||||
@ -224,3 +225,19 @@ func poolSubjects(pool *x509.CertPool) [][]byte {
|
|||||||
}
|
}
|
||||||
return pool.Subjects()
|
return pool.Subjects()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestNewServingCert(t *testing.T) {
|
||||||
|
got := NewServingCert("")
|
||||||
|
|
||||||
|
ok1 := assert.Implements(fakeT{}, (*Private)(nil), got)
|
||||||
|
ok2 := assert.Implements(fakeT{}, (*Public)(nil), got)
|
||||||
|
ok3 := assert.Implements(fakeT{}, (*Provider)(nil), got)
|
||||||
|
|
||||||
|
require.True(t, ok1, "NewServingCert must implement Private")
|
||||||
|
require.False(t, ok2, "NewServingCert must not implement Public")
|
||||||
|
require.False(t, ok3, "NewServingCert must not implement Provider")
|
||||||
|
}
|
||||||
|
|
||||||
|
type fakeT struct{}
|
||||||
|
|
||||||
|
func (fakeT) Errorf(string, ...interface{}) {}
|
||||||
|
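Review bot: The `fakeT{}` argument to the three `assert.Implements` calls is unexplained, and a reader will wonder why the real `t` is not passed. `assert.Implements` reports a failure on the TestingT it is given whenever the check is false, so passing `t` would fail the test on the two expected negatives that `require.False` checks afterwards. Suggest a comment on `type fakeT struct{}`: `// fakeT satisfies assert.TestingT and discards failures, so assert.Implements can be used as a plain predicate for the expected-negative cases.`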
@ -944,21 +944,17 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
|||||||
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
|
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
|
||||||
}
|
}
|
||||||
|
|
||||||
pod, err := kubeClient.Pods(namespaceName).Create(ctx, &corev1.Pod{
|
pod := testlib.CreatePod(ctx, t, "impersonation-proxy", namespaceName,
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
corev1.PodSpec{
|
||||||
GenerateName: "test-impersonation-proxy-",
|
|
||||||
},
|
|
||||||
Spec: corev1.PodSpec{
|
|
||||||
Containers: []corev1.Container{
|
Containers: []corev1.Container{
|
||||||
{
|
{
|
||||||
Name: "ignored-but-required",
|
Name: "ignored-but-required",
|
||||||
Image: "does-not-matter",
|
Image: "busybox",
|
||||||
|
Command: []string{"sh", "-c", "sleep 3600"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
ServiceAccountName: saName,
|
ServiceAccountName: saName,
|
||||||
},
|
})
|
||||||
}, metav1.CreateOptions{})
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
|
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
|
||||||
Spec: authenticationv1.TokenRequestSpec{
|
Spec: authenticationv1.TokenRequestSpec{
|
||||||
|
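Review bot: The pod image in the new `testlib.CreatePod` call is `Image: "busybox"` with no tag or digest, so the integration test pulls whatever the registry currently serves as latest; the same applies to the corresponding line in TestWhoAmI_ServiceAccount_TokenRequest. An unpinned image makes the test non-reproducible and ties it to a mutable upstream artifact, which matters here because the pod runs under the test service account whose token is exercised just below. Pin it, e.g. `Image: "busybox:<TAG-OR-DIGEST>"`, ideally as one shared constant so both tests stay in step. The enclosing test function starts and ends outside the hunk.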
@ -164,21 +164,17 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
|
|||||||
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
|
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
|
||||||
}
|
}
|
||||||
|
|
||||||
pod, err := kubeClient.Pods(ns.Name).Create(ctx, &corev1.Pod{
|
pod := testlib.CreatePod(ctx, t, "whoami", ns.Name,
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
corev1.PodSpec{
|
||||||
GenerateName: "test-whoami-",
|
|
||||||
},
|
|
||||||
Spec: corev1.PodSpec{
|
|
||||||
Containers: []corev1.Container{
|
Containers: []corev1.Container{
|
||||||
{
|
{
|
||||||
Name: "ignored-but-required",
|
Name: "ignored-but-required",
|
||||||
Image: "does-not-matter",
|
Image: "busybox",
|
||||||
|
Command: []string{"sh", "-c", "sleep 3600"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
ServiceAccountName: sa.Name,
|
ServiceAccountName: sa.Name,
|
||||||
},
|
})
|
||||||
}, metav1.CreateOptions{})
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
|
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
|
||||||
Spec: authenticationv1.TokenRequestSpec{
|
Spec: authenticationv1.TokenRequestSpec{
|
||||||
|
@ -142,8 +142,8 @@ func IntegrationEnv(t *testing.T) *TestEnv {
|
|||||||
memoizedTestEnvsByTest.Store(t, &result)
|
memoizedTestEnvsByTest.Store(t, &result)
|
||||||
|
|
||||||
// In every integration test, assert that no pods in our namespaces restart during the test.
|
// In every integration test, assert that no pods in our namespaces restart during the test.
|
||||||
assertNoRestartsDuringTest(t, result.ConciergeNamespace, "")
|
assertNoRestartsDuringTest(t, result.ConciergeNamespace, "!pinniped.dev/test")
|
||||||
assertNoRestartsDuringTest(t, result.SupervisorNamespace, "")
|
assertNoRestartsDuringTest(t, result.SupervisorNamespace, "!pinniped.dev/test")
|
||||||
return &result
|
return &result
|
||||||
}
|
}
|
||||||
|
|
||||||
|
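Review bot: The selector `"!pinniped.dev/test"` is now repeated verbatim on the two `assertNoRestartsDuringTest` lines with nothing saying what it excludes; if it is meant to skip the pods the new `testlib.CreatePod` calls create (which presumably carry that label), that should be stated. Hoist it into a named constant, e.g. `const excludeTestPodsSelector = "!pinniped.dev/test"`, and add a comment that the restart check is deliberately skipped for test-created pods, so a later change to the label cannot silently drift out of sync with the helper. IntegrationEnv starts outside the hunk.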