TestKubeCertAgent waits for CredentialIssuer strategy to be successful

At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
Ryan Richard 2021-03-15 11:42:57 -07:00
parent e22ad6171a
commit 8065a8d2e6
2 changed files with 34 additions and 9 deletions


@ -39,7 +39,7 @@ import (
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"sigs.k8s.io/yaml" "sigs.k8s.io/yaml"
"go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1" identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
"go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
@ -1008,7 +1008,7 @@ func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *librar
} }
for _, strategy := range credentialIssuer.Status.Strategies { for _, strategy := range credentialIssuer.Status.Strategies {
// There will be other strategy types in the list, so ignore those. // There will be other strategy types in the list, so ignore those.
if strategy.Type == v1alpha1.ImpersonationProxyStrategyType && strategy.Status == v1alpha1.SuccessStrategyStatus { //nolint:nestif if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType && strategy.Status == conciergev1alpha.SuccessStrategyStatus { //nolint:nestif
if strategy.Frontend == nil { if strategy.Frontend == nil {
return false, fmt.Errorf("did not find a Frontend") // unexpected, fail the test return false, fmt.Errorf("did not find a Frontend") // unexpected, fail the test
} }
@ -1021,10 +1021,10 @@ func performImpersonatorDiscovery(ctx context.Context, t *testing.T, env *librar
return false, err // unexpected, fail the test return false, err // unexpected, fail the test
} }
return true, nil // found it, continue the test! return true, nil // found it, continue the test!
} else if strategy.Type == v1alpha1.ImpersonationProxyStrategyType { } else if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType {
t.Logf("Waiting for successful impersonation proxy strategy on %s: found status %s with reason %s and message: %s", t.Logf("Waiting for successful impersonation proxy strategy on %s: found status %s with reason %s and message: %s",
credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message) credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message)
if strategy.Reason == v1alpha1.ErrorDuringSetupStrategyReason { if strategy.Reason == conciergev1alpha.ErrorDuringSetupStrategyReason {
// The server encountered an unexpected error while starting the impersonator, so fail the test fast. // The server encountered an unexpected error while starting the impersonator, so fail the test fast.
return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message) return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message)
} }
@ -1049,14 +1049,14 @@ func requireDisabledByConfigurationStrategy(ctx context.Context, t *testing.T, e
} }
for _, strategy := range credentialIssuer.Status.Strategies { for _, strategy := range credentialIssuer.Status.Strategies {
// There will be other strategy types in the list, so ignore those. // There will be other strategy types in the list, so ignore those.
if strategy.Type == v1alpha1.ImpersonationProxyStrategyType && if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType &&
strategy.Status == v1alpha1.ErrorStrategyStatus && strategy.Status == conciergev1alpha.ErrorStrategyStatus &&
strategy.Reason == v1alpha1.DisabledStrategyReason { //nolint:nestif strategy.Reason == conciergev1alpha.DisabledStrategyReason { //nolint:nestif
return true, nil // found it, continue the test! return true, nil // found it, continue the test!
} else if strategy.Type == v1alpha1.ImpersonationProxyStrategyType { } else if strategy.Type == conciergev1alpha.ImpersonationProxyStrategyType {
t.Logf("Waiting for disabled impersonation proxy strategy on %s: found status %s with reason %s and message: %s", t.Logf("Waiting for disabled impersonation proxy strategy on %s: found status %s with reason %s and message: %s",
credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message) credentialIssuerName(env), strategy.Status, strategy.Reason, strategy.Message)
if strategy.Reason == v1alpha1.ErrorDuringSetupStrategyReason { if strategy.Reason == conciergev1alpha.ErrorDuringSetupStrategyReason {
// The server encountered an unexpected error while stopping the impersonator, so fail the test fast. // The server encountered an unexpected error while stopping the impersonator, so fail the test fast.
return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message) return false, fmt.Errorf("found impersonation strategy in %s state with message: %s", strategy.Reason, strategy.Message)
} }


@ -18,6 +18,7 @@ import (
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
"go.pinniped.dev/test/library" "go.pinniped.dev/test/library"
) )
@ -127,6 +128,30 @@ func TestKubeCertAgent(t *testing.T) {
assert.Eventually(t, agentPodsReconciled, 10*time.Second, 250*time.Millisecond) assert.Eventually(t, agentPodsReconciled, 10*time.Second, 250*time.Millisecond)
require.NoError(t, err) require.NoError(t, err)
}) })
// Because the above tests have purposefully put the kube cert issuer strategy into a broken
// state, wait for it to become healthy again before moving on to other integration tests,
// otherwise those tests would be polluted by this test and would have to wait for the
// strategy to become successful again.
library.RequireEventuallyWithoutError(t, func() (bool, error) {
adminConciergeClient := library.NewConciergeClientset(t)
credentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
if err != nil || credentialIssuer.Status.Strategies == nil {
t.Log("Did not find any CredentialIssuer with any strategies")
return false, nil // didn't find it, but keep trying
}
for _, strategy := range credentialIssuer.Status.Strategies {
// There will be other strategy types in the list, so ignore those.
if strategy.Type == conciergev1alpha.KubeClusterSigningCertificateStrategyType && strategy.Status == conciergev1alpha.SuccessStrategyStatus { //nolint:nestif
if strategy.Frontend == nil {
return false, fmt.Errorf("did not find a Frontend") // unexpected, fail the test
}
return true, nil // found it, continue the test!
}
}
t.Log("Did not find any successful KubeClusterSigningCertificate strategy on CredentialIssuer")
return false, nil // didn't find it, but keep trying
}, 3*time.Minute, 3*time.Second)
} }
func ensureKubeCertAgentSteadyState(t *testing.T, agentPodsReconciled func() bool) { func ensureKubeCertAgentSteadyState(t *testing.T, agentPodsReconciled func() bool) {
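Review bot: In the polling closure added at the end of TestKubeCertAgent, `if err != nil || credentialIssuer.Status.Strategies == nil` folds every error from the `Get` call into the same "Did not find any CredentialIssuer with any strategies" log line, so a Forbidden, Unauthorized or connection error would be retried silently for the full 3 minutes and the eventual timeout would not say why. Handling the error on its own keeps the retry but preserves the cause, e.g. `if err != nil { t.Logf("could not get CredentialIssuer %s: %v", credentialIssuerName(env), err); return false, nil }`. `library.NewConciergeClientset(t)` is also rebuilt on every 3-second poll and could be created once before the closure. The body of TestKubeCertAgent begins outside this hunk, so whether an earlier failure can skip this wait cannot be judged from here.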