Merge branch 'main' into oidc_password_grant

This commit is contained in:
Ryan Richard 2021-08-17 15:23:29 -07:00
commit 62c6d53a21
5 changed files with 36 additions and 23 deletions

View File

@ -55,7 +55,11 @@ type provider struct {
// NewServingCert returns a Private that is go routine safe. // NewServingCert returns a Private that is go routine safe.
// It can only hold key pairs that have IsCA=false. // It can only hold key pairs that have IsCA=false.
func NewServingCert(name string) Private { func NewServingCert(name string) Private {
return &provider{name: name} return struct {
Private
}{
Private: &provider{name: name},
}
} }
// NewCA returns a Provider that is go routine safe. // NewCA returns a Provider that is go routine safe.

View File

@ -12,6 +12,7 @@ import (
"time" "time"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/server/dynamiccertificates" "k8s.io/apiserver/pkg/server/dynamiccertificates"
@ -224,3 +225,19 @@ func poolSubjects(pool *x509.CertPool) [][]byte {
} }
return pool.Subjects() return pool.Subjects()
} }
func TestNewServingCert(t *testing.T) {
got := NewServingCert("")
ok1 := assert.Implements(fakeT{}, (*Private)(nil), got)
ok2 := assert.Implements(fakeT{}, (*Public)(nil), got)
ok3 := assert.Implements(fakeT{}, (*Provider)(nil), got)
require.True(t, ok1, "NewServingCert must implement Private")
require.False(t, ok2, "NewServingCert must not implement Public")
require.False(t, ok3, "NewServingCert must not implement Provider")
}
type fakeT struct{}
func (fakeT) Errorf(string, ...interface{}) {}

View File

@ -944,21 +944,17 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
} }
pod, err := kubeClient.Pods(namespaceName).Create(ctx, &corev1.Pod{ pod := testlib.CreatePod(ctx, t, "impersonation-proxy", namespaceName,
ObjectMeta: metav1.ObjectMeta{ corev1.PodSpec{
GenerateName: "test-impersonation-proxy-",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{ Containers: []corev1.Container{
{ {
Name: "ignored-but-required", Name: "ignored-but-required",
Image: "does-not-matter", Image: "busybox",
Command: []string{"sh", "-c", "sleep 3600"},
}, },
}, },
ServiceAccountName: saName, ServiceAccountName: saName,
}, })
}, metav1.CreateOptions{})
require.NoError(t, err)
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{ tokenRequestBadAudience, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{ Spec: authenticationv1.TokenRequestSpec{

View File

@ -164,21 +164,17 @@ func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
} }
pod, err := kubeClient.Pods(ns.Name).Create(ctx, &corev1.Pod{ pod := testlib.CreatePod(ctx, t, "whoami", ns.Name,
ObjectMeta: metav1.ObjectMeta{ corev1.PodSpec{
GenerateName: "test-whoami-",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{ Containers: []corev1.Container{
{ {
Name: "ignored-but-required", Name: "ignored-but-required",
Image: "does-not-matter", Image: "busybox",
Command: []string{"sh", "-c", "sleep 3600"},
}, },
}, },
ServiceAccountName: sa.Name, ServiceAccountName: sa.Name,
}, })
}, metav1.CreateOptions{})
require.NoError(t, err)
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{ tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{ Spec: authenticationv1.TokenRequestSpec{

View File

@ -142,8 +142,8 @@ func IntegrationEnv(t *testing.T) *TestEnv {
memoizedTestEnvsByTest.Store(t, &result) memoizedTestEnvsByTest.Store(t, &result)
// In every integration test, assert that no pods in our namespaces restart during the test. // In every integration test, assert that no pods in our namespaces restart during the test.
assertNoRestartsDuringTest(t, result.ConciergeNamespace, "") assertNoRestartsDuringTest(t, result.ConciergeNamespace, "!pinniped.dev/test")
assertNoRestartsDuringTest(t, result.SupervisorNamespace, "") assertNoRestartsDuringTest(t, result.SupervisorNamespace, "!pinniped.dev/test")
return &result return &result
} }