From 0770682bf941594da21ac70c2f8406fe41f93943 Mon Sep 17 00:00:00 2001
From: Mo Khan
Date: Mon, 10 May 2021 00:50:59 -0400
Subject: [PATCH] impersonation proxy test: handle admin users with UID such as on EKS

Signed-off-by: Mo Khan
---
 .../concierge_impersonation_proxy_test.go | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index 4fa7329e..4206b57e 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -622,7 +622,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 expectedOriginalUserInfo := authenticationv1.UserInfo{
 Username: whoAmIAdmin.Status.KubernetesUserInfo.User.Username,
 // The WhoAmI API is lossy so this will fail when the admin user actually does have a UID
- UID: whoAmIAdmin.Status.KubernetesUserInfo.User.UID,
+ // Thus we fallback to the CSR API to grab the UID
+ UID: getUIDViaCSR(ctx, t, whoAmIAdmin.Status.KubernetesUserInfo.User.UID,
+ newImpersonationProxyClientWithCredentials(t,
+ clusterAdminCredentials, impersonationProxyURL, impersonationProxyCACertPEM, nil).
+ Kubernetes,
+ ),
 Groups: whoAmIAdmin.Status.KubernetesUserInfo.User.Groups,
 Extra: expectedExtra,
 }
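Review bot: The retained comment above the UID field still says "this will fail when the admin user actually does have a UID", yet the new getUIDViaCSR line exists precisely so that case no longer fails, so the two comment lines now contradict each other. Merging them into one, e.g. `// The WhoAmI API is lossy and drops the UID, so when the admin user really has one (e.g. on EKS) we recover it through the CSR API`, keeps the intent readable. The struct literal also builds a fresh impersonation proxy client inline only to pass its Kubernetes field; if a client for clusterAdminCredentials is already created elsewhere in TestImpersonationProxy (the function starts and ends outside this hunk), reusing it would keep the literal short and avoid a second client construction per run.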
@@ -1725,3 +1730,38 @@ func getCredForConfig(t *testing.T, config *rest.Config) *loginv1alpha1.ClusterC
 return out
 }
+
+func getUIDViaCSR(ctx context.Context, t *testing.T, uid string, client kubernetes.Interface) string {
+ t.Helper()
+
+ if len(uid) != 0 {
+ return uid // in the future this may not be empty on some clusters
+ }
+
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ require.NoError(t, err)
+
+ csrPEM, err := cert.MakeCSR(privateKey, &pkix.Name{
+ CommonName: "panda-man",
+ Organization: []string{"living-the-dream", "need-more-sleep"},
+ }, nil, nil)
+ require.NoError(t, err)
+
+ csrName, _, err := csr.RequestCertificate(
+ client,
+ csrPEM,
+ "",
+ certificatesv1.KubeAPIServerClientSignerName,
+ []certificatesv1.KeyUsage{certificatesv1.UsageClientAuth},
+ privateKey,
+ )
+ require.NoError(t, err)
+
+ csReq, err := client.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, csrName, metav1.GetOptions{})
+ require.NoError(t, err)
+
+ err = client.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, csrName, metav1.DeleteOptions{})
+ require.NoError(t, err)
+
+ return csReq.Spec.UID
+}
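Review bot: getUIDViaCSR requests the CSR with the certificatesv1 signer and usage constants but reads it back and deletes it through client.CertificatesV1beta1(), so the helper straddles two API versions and the Get will fail on a cluster that no longer serves certificates.k8s.io/v1beta1 even though the CSR was created; using `client.CertificatesV1().CertificateSigningRequests()` for both calls keeps it on one version. The Delete is also only reached when the Get succeeds, so a failing Get leaves a pending client-auth CSR behind in the cluster for later runs to trip over; deferring the deletion right after RequestCertificate returns, `defer func() { require.NoError(t, client.CertificatesV1().CertificateSigningRequests().Delete(ctx, csrName, metav1.DeleteOptions{})) }()`, removes it on every path. A doc comment would help readers who arrive from the call site, e.g. `// getUIDViaCSR returns uid unchanged when it is non-empty; otherwise it submits a throwaway, never-approved CSR as the client's user, reads the requester UID the API server recorded in Spec.UID, and deletes the CSR.`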