Change impersonation integration test to use CredentialIssuer spec

rather than a configmap Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-18 09:51:11 -07:00 · 2021-05-18 09:51:11 -07:00 · 9af3cb1115
commit 9af3cb1115
parent 18ccf11905
1 changed files with 40 additions and 58 deletions
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@ -51,13 +51,12 @@ import (
 	"k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/certificate/csr"
 	"k8s.io/client-go/util/keyutil"
-	"sigs.k8s.io/yaml"
+	"k8s.io/client-go/util/retry"
 	conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 	identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 	pinnipedconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	"go.pinniped.dev/internal/concierge/impersonator"
 	"go.pinniped.dev/internal/httputil/roundtripper"
 	"go.pinniped.dev/internal/kubeclient"
 	"go.pinniped.dev/internal/testutil"
@ -159,33 +158,25 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		return mostRecentTokenCredentialRequestResponse.Status.Credential
 	}
-	oldConfigMap, err := adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Get(ctx, impersonationProxyConfigMapName(env), metav1.GetOptions{})
+	oldCredentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
-	if !k8serrors.IsNotFound(err) {
+	require.NoError(t, err)
-		require.NoError(t, err) // other errors aside from NotFound are unexpected
+	// At the end of the test, clean up the CredentialIssuer
 		t.Logf("stashing a pre-existing configmap %s", oldConfigMap.Name)
 		require.NoError(t, adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Delete(ctx, impersonationProxyConfigMapName(env), metav1.DeleteOptions{}))
 	}
 	// At the end of the test, clean up the ConfigMap.
 	t.Cleanup(func() {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 		defer cancel()
 		// Delete any version that was created by this test.
-		t.Logf("cleaning up configmap at end of test %s", impersonationProxyConfigMapName(env))
+		t.Logf("cleaning up credentialissuer at end of test %s", credentialIssuerName(env))
-		err := adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Delete(ctx, impersonationProxyConfigMapName(env), metav1.DeleteOptions{})
+		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		if !k8serrors.IsNotFound(err) {
+			newCredentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
-			require.NoError(t, err) // only not found errors are acceptable
+			if err != nil {
 				return err
 			}
-
+			oldCredentialIssuer.Spec.DeepCopyInto(&newCredentialIssuer.Spec)
-		// Only recreate it if it already existed at the start of this test.
+			_, err = adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Update(ctx, newCredentialIssuer, metav1.UpdateOptions{})
-		if len(oldConfigMap.Data) != 0 {
+			return err
-			t.Log(oldConfigMap)
+		})
 			oldConfigMap.UID = "" // cant have a UID yet
 			oldConfigMap.ResourceVersion = ""
 			t.Logf("restoring a pre-existing configmap %s", oldConfigMap.Name)
 			_, err = adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Create(ctx, oldConfigMap, metav1.CreateOptions{})
 		require.NoError(t, err)
 		}
 		// If we are running on an environment that has a load balancer, expect that the
 		// CredentialIssuer will be updated eventually with a successful impersonation proxy frontend.
@ -221,10 +212,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		requireDisabledStrategy(ctx, t, env, adminConciergeClient)
 		// Create configuration to make the impersonation proxy turn on with no endpoint (i.e. automatically create a load balancer).
-		configMap := impersonationProxyConfigMapForConfig(t, env, impersonator.Config{Mode: impersonator.ModeEnabled})
+		updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
-		t.Logf("creating configmap %s", configMap.Name)
+			ImpersonationProxy: conciergev1alpha.ImpersonationProxySpec{
-		_, err = adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Create(ctx, &configMap, metav1.CreateOptions{})
+				Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
-		require.NoError(t, err)
+			},
 		})
 	default:
 		// Auto mode should have decided that the impersonator will be disabled. We need to manually enable it.
@ -246,13 +238,12 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		require.Truef(t, isErr, "wanted error %q to be service unavailable via squid error, but: %s", err, message)
 		// Create configuration to make the impersonation proxy turn on with a hard coded endpoint (without a load balancer).
-		configMap := impersonationProxyConfigMapForConfig(t, env, impersonator.Config{
+		updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
-			Mode:     impersonator.ModeEnabled,
+			ImpersonationProxy: conciergev1alpha.ImpersonationProxySpec{
-			Endpoint: proxyServiceEndpoint,
+				Mode:             conciergev1alpha.ImpersonationProxyModeEnabled,
 				ExternalEndpoint: proxyServiceEndpoint,
 			},
 		})
 		t.Logf("creating configmap %s", configMap.Name)
 		_, err = adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Create(ctx, &configMap, metav1.CreateOptions{})
 		require.NoError(t, err)
 	}
 	// At this point the impersonator should be starting/running. When it is ready, the CredentialIssuer's
@ -1183,16 +1174,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 	t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {
 		// Update configuration to force the proxy to disabled mode
-		configMap := impersonationProxyConfigMapForConfig(t, env, impersonator.Config{Mode: impersonator.ModeDisabled})
+		updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
-		if clusterSupportsLoadBalancers {
+			ImpersonationProxy: conciergev1alpha.ImpersonationProxySpec{
-			t.Logf("creating configmap %s", configMap.Name)
+				Mode: conciergev1alpha.ImpersonationProxyModeDisabled,
-			_, err := adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Create(ctx, &configMap, metav1.CreateOptions{})
+			},
-			require.NoError(t, err)
+		})
 		} else {
 			t.Logf("updating configmap %s", configMap.Name)
 			_, err := adminClient.CoreV1().ConfigMaps(env.ConciergeNamespace).Update(ctx, &configMap, metav1.UpdateOptions{})
 			require.NoError(t, err)
 		}
 		if clusterSupportsLoadBalancers {
 			// The load balancer should have been deleted when we disabled the impersonation proxy.
@ -1450,19 +1436,19 @@ func kubeconfigProxyFunc(t *testing.T, squidProxyURL string) func(req *http.Requ
 	}
 }
-func impersonationProxyConfigMapForConfig(t *testing.T, env *library.TestEnv, config impersonator.Config) corev1.ConfigMap {
+func updateCredentialIssuer(ctx context.Context, t *testing.T, env *library.TestEnv, adminConciergeClient pinnipedconciergeclientset.Interface, spec conciergev1alpha.CredentialIssuerSpec) {
 	t.Helper()
-	configString, err := yaml.Marshal(config)
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		newCredentialIssuer, err := adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Get(ctx, credentialIssuerName(env), metav1.GetOptions{})
 		if err != nil {
 			return err
 		}
 		spec.DeepCopyInto(&newCredentialIssuer.Spec)
 		_, err = adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Update(ctx, newCredentialIssuer, metav1.UpdateOptions{})
 		return err
 	})
 	require.NoError(t, err)
 	configMap := corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: impersonationProxyConfigMapName(env),
 		},
 		Data: map[string]string{
 			"config.yaml": string(configString),
 		}}
 	return configMap
 }
 func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *library.TestEnv, client kubernetes.Interface) (bool, error) {
@ -1476,10 +1462,6 @@ func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *library.
 	return service.Spec.Type == corev1.ServiceTypeLoadBalancer, nil
 }
 func impersonationProxyConfigMapName(env *library.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-config"
 }
 func impersonationProxyTLSSecretName(env *library.TestEnv) string {
 	return env.ConciergeAppName + "-impersonation-proxy-tls-serving-certificate"
 }