From 6a9f57f83de89cc2f230e27bce96618bfec50201 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Mon, 22 Feb 2021 23:30:02 -0500 Subject: [PATCH] TestWhoAmI: support older clusters (CSR and impersonation) Signed-off-by: Monis Khan --- test/integration/whoami_test.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/test/integration/whoami_test.go b/test/integration/whoami_test.go index 1a6beef4..de478f52 100644 --- a/test/integration/whoami_test.go +++ b/test/integration/whoami_test.go @@ -16,6 +16,7 @@ import ( "github.com/stretchr/testify/require" authenticationv1 "k8s.io/api/authentication/v1" certificatesv1 "k8s.io/api/certificates/v1" + certificatesv1beta1 "k8s.io/api/certificates/v1beta1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -290,19 +291,20 @@ func TestWhoAmI_CSR(t *testing.T) { if t.Failed() { return } - err := kubeClient.CertificatesV1().CertificateSigningRequests().Delete(ctx, csrName, metav1.DeleteOptions{}) + err := kubeClient.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, csrName, metav1.DeleteOptions{}) require.NoError(t, err) }() // this is a blind update with no resource version checks, which is only safe during tests - _, err = kubeClient.CertificatesV1().CertificateSigningRequests().UpdateApproval(ctx, csrName, &certificatesv1.CertificateSigningRequest{ + // use the beta CSR API to support older clusters + _, err = kubeClient.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(ctx, &certificatesv1beta1.CertificateSigningRequest{ ObjectMeta: metav1.ObjectMeta{ Name: csrName, }, - Status: certificatesv1.CertificateSigningRequestStatus{ - Conditions: []certificatesv1.CertificateSigningRequestCondition{ + Status: certificatesv1beta1.CertificateSigningRequestStatus{ + Conditions: []certificatesv1beta1.CertificateSigningRequestCondition{ { - Type: certificatesv1.CertificateApproved, + Type: certificatesv1beta1.CertificateApproved, Status: corev1.ConditionTrue, Reason: "WhoAmICSRTest", }, @@ -381,7 +383,8 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) { impersonationConfig := library.NewClientConfig(t) impersonationConfig.Impersonate = rest.ImpersonationConfig{ UserName: "solaire", - Groups: []string{"astora", "lordran"}, + // need to impersonate system:authenticated directly to support older clusters otherwise we will get RBAC errors below + Groups: []string{"astora", "lordran", "system:authenticated"}, Extra: map[string][]string{ "covenant": {"warrior-of-sunlight"}, "loves": {"sun", "co-op"}, @@ -402,7 +405,7 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) { Groups: []string{ "astora", "lordran", - "system:authenticated", // impersonation will add this implicitly + "system:authenticated", // impersonation will add this implicitly but only in newer clusters }, Extra: map[string]identityv1alpha1.ExtraValue{ "covenant": {"warrior-of-sunlight"}, @@ -417,6 +420,8 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) { impersonationAnonymousConfig := library.NewClientConfig(t) impersonationAnonymousConfig.Impersonate.UserName = "system:anonymous" + // need to impersonate system:unauthenticated directly to support older clusters otherwise we will get RBAC errors below + impersonationAnonymousConfig.Impersonate.Groups = []string{"system:unauthenticated"} whoAmIAnonymous, err := library.NewKubeclient(t, impersonationAnonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests(). Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{}) @@ -429,7 +434,7 @@ func TestWhoAmI_ImpersonateDirectly(t *testing.T) { User: identityv1alpha1.UserInfo{ Username: "system:anonymous", Groups: []string{ - "system:unauthenticated", // impersonation will add this implicitly + "system:unauthenticated", // impersonation will add this implicitly but only in newer clusters }, }, },