Create webhooks per-test and explicitly in demo.md
instead of with ytt in ./deploy
.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
81f2362543
commit
9beb3855b5
@ -21,10 +21,6 @@ image_tag: latest
|
|||||||
#! Optional.
|
#! Optional.
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
#! Configure a webhook identity provider.
|
|
||||||
webhook_url: #! e.g., https://example.com
|
|
||||||
webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
|
|
||||||
|
|
||||||
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
#! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
|
||||||
#! This settings allows the guess to be overridden.
|
#! This settings allows the guess to be overridden.
|
||||||
#! Optional.
|
#! Optional.
|
||||||
|
@ -1,16 +0,0 @@
|
|||||||
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
#@ load("@ytt:data", "data")
|
|
||||||
|
|
||||||
apiVersion: idp.pinniped.dev/v1alpha1
|
|
||||||
kind: WebhookIdentityProvider
|
|
||||||
metadata:
|
|
||||||
name: #@ data.values.app_name + "-webhook"
|
|
||||||
namespace: #@ data.values.namespace
|
|
||||||
labels:
|
|
||||||
app: #@ data.values.app_name
|
|
||||||
spec:
|
|
||||||
endpoint: #@ data.values.webhook_url
|
|
||||||
tls:
|
|
||||||
certificateAuthorityData: #@ data.values.webhook_ca_bundle
|
|
22
doc/demo.md
22
doc/demo.md
@ -83,10 +83,22 @@
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd /tmp/pinniped/deploy
|
cd /tmp/pinniped/deploy
|
||||||
ytt --file . \
|
ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file -
|
||||||
--data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \
|
```
|
||||||
--data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca-base64-encoded)" \
|
|
||||||
| kapp deploy --yes --app pinniped --diff-changes --file -
|
1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using `local-user-authenticator`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat <<EOF | kubectl create --namespace pinniped -f -
|
||||||
|
apiVersion: idp.pinniped.dev/v1alpha1
|
||||||
|
kind: WebhookIdentityProvider
|
||||||
|
metadata:
|
||||||
|
name: local-user-authenticator
|
||||||
|
spec:
|
||||||
|
endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
|
||||||
|
tls:
|
||||||
|
certificateAuthorityData: $(cat /tmp/local-user-authenticator-ca-base64-encoded)
|
||||||
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Download the latest version of the Pinniped CLI binary for your platform
|
1. Download the latest version of the Pinniped CLI binary for your platform
|
||||||
@ -99,7 +111,7 @@
|
|||||||
allow you to authenticate as the user that you created above.
|
allow you to authenticate as the user that you created above.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig
|
pinniped get-kubeconfig --token "pinny-the-seal:password123" --idp-type webhook --idp-name local-user-authenticator > /tmp/pinniped-kubeconfig
|
||||||
```
|
```
|
||||||
|
|
||||||
Note that the above command will print a warning to the screen. You can ignore this warning.
|
Note that the above command will print a warning to the screen. You can ignore this warning.
|
||||||
|
@ -191,8 +191,6 @@ ytt --file . \
|
|||||||
--data-value "namespace=$namespace" \
|
--data-value "namespace=$namespace" \
|
||||||
--data-value "image_repo=$registry_repo" \
|
--data-value "image_repo=$registry_repo" \
|
||||||
--data-value "image_tag=$tag" \
|
--data-value "image_tag=$tag" \
|
||||||
--data-value "webhook_url=$webhook_url" \
|
|
||||||
--data-value "webhook_ca_bundle=$webhook_ca_bundle" \
|
|
||||||
--data-value "discovery_url=$discovery_url" >"$manifest"
|
--data-value "discovery_url=$discovery_url" >"$manifest"
|
||||||
|
|
||||||
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
|
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
|
||||||
@ -212,6 +210,8 @@ export PINNIPED_APP_NAME=${app_name}
|
|||||||
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
||||||
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
||||||
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
||||||
|
export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
|
||||||
|
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
|
||||||
|
|
||||||
read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
|
read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
|
||||||
${pinniped_cluster_capability_file_content}
|
${pinniped_cluster_capability_file_content}
|
||||||
|
@ -27,6 +27,12 @@ func TestCLI(t *testing.T) {
|
|||||||
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Create a test webhook configuration to use with the CLI.
|
||||||
|
ctx, cancelFunc := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
|
defer cancelFunc()
|
||||||
|
|
||||||
|
idp := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
// Remove all Pinniped environment variables for the remainder of this test
|
// Remove all Pinniped environment variables for the remainder of this test
|
||||||
// because some of their names clash with the env vars expected by our
|
// because some of their names clash with the env vars expected by our
|
||||||
// kubectl exec plugin. We would like this test to prove that the exec
|
// kubectl exec plugin. We would like this test to prove that the exec
|
||||||
@ -56,14 +62,11 @@ func TestCLI(t *testing.T) {
|
|||||||
defer cleanupFunc()
|
defer cleanupFunc()
|
||||||
|
|
||||||
// Run pinniped CLI to get kubeconfig.
|
// Run pinniped CLI to get kubeconfig.
|
||||||
kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName)
|
kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName, "webhook", idp.Name)
|
||||||
|
|
||||||
adminClient := library.NewClientset(t)
|
|
||||||
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3)
|
|
||||||
defer cancelFunc()
|
|
||||||
|
|
||||||
// In addition to the client-go based testing below, also try the kubeconfig
|
// In addition to the client-go based testing below, also try the kubeconfig
|
||||||
// with kubectl to validate that it works.
|
// with kubectl to validate that it works.
|
||||||
|
adminClient := library.NewClientset(t)
|
||||||
t.Run(
|
t.Run(
|
||||||
"access as user with kubectl",
|
"access as user with kubectl",
|
||||||
accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName),
|
accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName),
|
||||||
@ -108,7 +111,7 @@ func buildPinnipedCLI(t *testing.T) (string, func()) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string {
|
func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName, idpType, idpName string) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
output, err := exec.Command(
|
output, err := exec.Command(
|
||||||
@ -116,6 +119,8 @@ func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) stri
|
|||||||
"get-kubeconfig",
|
"get-kubeconfig",
|
||||||
"--token", token,
|
"--token", token,
|
||||||
"--pinniped-namespace", namespaceName,
|
"--pinniped-namespace", namespaceName,
|
||||||
|
"--idp-type", idpType,
|
||||||
|
"--idp-name", idpName,
|
||||||
).CombinedOutput()
|
).CombinedOutput()
|
||||||
require.NoError(t, err, string(output))
|
require.NoError(t, err, string(output))
|
||||||
|
|
||||||
|
@ -10,9 +10,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
corev1 "k8s.io/api/core/v1"
|
|
||||||
|
|
||||||
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
|
||||||
"go.pinniped.dev/internal/client"
|
"go.pinniped.dev/internal/client"
|
||||||
"go.pinniped.dev/internal/here"
|
"go.pinniped.dev/internal/here"
|
||||||
"go.pinniped.dev/test/library"
|
"go.pinniped.dev/test/library"
|
||||||
@ -63,6 +61,8 @@ func TestClient(t *testing.T) {
|
|||||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
|
idp := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
|
// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
|
||||||
invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
|
invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
|
||||||
_, err := invalidClient.Discovery().ServerVersion()
|
_, err := invalidClient.Discovery().ServerVersion()
|
||||||
@ -71,11 +71,6 @@ func TestClient(t *testing.T) {
|
|||||||
// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
|
// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
|
||||||
clientConfig := library.NewClientConfig(t)
|
clientConfig := library.NewClientConfig(t)
|
||||||
|
|
||||||
idp := corev1.TypedLocalObjectReference{
|
|
||||||
APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
|
|
||||||
Kind: "WebhookIdentityProvider",
|
|
||||||
Name: "pinniped-webhook",
|
|
||||||
}
|
|
||||||
resp, err := client.ExchangeToken(ctx, namespace, idp, token, string(clientConfig.CAData), clientConfig.Host)
|
resp, err := client.ExchangeToken(ctx, namespace, idp, token, string(clientConfig.CAData), clientConfig.Host)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, resp.Status.ExpirationTimestamp)
|
require.NotNil(t, resp.Status.ExpirationTimestamp)
|
||||||
|
@ -12,6 +12,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
@ -26,8 +27,12 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
|
|||||||
expectedTestUserGroups := strings.Split(
|
expectedTestUserGroups := strings.Split(
|
||||||
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
|
||||||
)
|
)
|
||||||
|
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
|
testWebhook := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
|
response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
require.NotNil(t, response.Status.Credential)
|
require.NotNil(t, response.Status.Credential)
|
||||||
@ -41,9 +46,6 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
|
|||||||
require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
|
require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
|
||||||
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
|
||||||
defer cancel()
|
|
||||||
|
|
||||||
// Create a client using the admin kubeconfig.
|
// Create a client using the admin kubeconfig.
|
||||||
adminClient := library.NewClientset(t)
|
adminClient := library.NewClientset(t)
|
||||||
|
|
||||||
@ -71,7 +73,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
|
response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
@ -84,7 +86,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
|
response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
|
||||||
|
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
statusError, isStatus := err.(*errors.StatusError)
|
statusError, isStatus := err.(*errors.StatusError)
|
||||||
@ -104,7 +106,12 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
|
|||||||
library.SkipUnlessIntegration(t)
|
library.SkipUnlessIntegration(t)
|
||||||
library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||||
|
|
||||||
response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
|
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
testWebhook := library.CreateTestWebhookIDP(ctx, t)
|
||||||
|
|
||||||
|
response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
|
||||||
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
@ -113,24 +120,27 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
|
|||||||
require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
|
require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeRequest(t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
|
func makeRequest(ctx context.Context, t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
client := library.NewAnonymousPinnipedClientset(t)
|
client := library.NewAnonymousPinnipedClientset(t)
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
||||||
return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
||||||
TypeMeta: metav1.TypeMeta{},
|
TypeMeta: metav1.TypeMeta{},
|
||||||
ObjectMeta: metav1.ObjectMeta{},
|
ObjectMeta: metav1.ObjectMeta{Namespace: ns},
|
||||||
Spec: spec,
|
Spec: spec,
|
||||||
}, metav1.CreateOptions{})
|
}, metav1.CreateOptions{})
|
||||||
}
|
}
|
||||||
|
|
||||||
func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.TokenCredentialRequestSpec {
|
func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) v1alpha1.TokenCredentialRequestSpec {
|
||||||
return v1alpha1.TokenCredentialRequestSpec{Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")}
|
return v1alpha1.TokenCredentialRequestSpec{
|
||||||
|
Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN"),
|
||||||
|
IdentityProvider: idp,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func stringPtr(s string) *string {
|
func stringPtr(s string) *string {
|
||||||
|
@ -4,17 +4,22 @@
|
|||||||
package library
|
package library
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||||
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
||||||
|
|
||||||
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
|
||||||
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
||||||
|
|
||||||
// Import to initialize client auth plugins - the kubeconfig that we use for
|
// Import to initialize client auth plugins - the kubeconfig that we use for
|
||||||
@ -136,3 +141,45 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
|
|||||||
config.KeyData = []byte(clientKeyData)
|
config.KeyData = []byte(clientKeyData)
|
||||||
return config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_NAMESPACE, which will be
|
||||||
|
// automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
|
||||||
|
// descibes the test IDP within the test namespace.
|
||||||
|
func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
||||||
|
t.Helper()
|
||||||
|
|
||||||
|
namespace := GetEnv(t, "PINNIPED_NAMESPACE")
|
||||||
|
endpoint := GetEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
|
||||||
|
caBundle := GetEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")
|
||||||
|
client := NewPinnipedClientset(t)
|
||||||
|
webhooks := client.IDPV1alpha1().WebhookIdentityProviders(namespace)
|
||||||
|
|
||||||
|
createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
GenerateName: "test-webhook-",
|
||||||
|
Labels: map[string]string{"pinniped.dev/test": t.Name()},
|
||||||
|
},
|
||||||
|
Spec: idpv1alpha1.WebhookIdentityProviderSpec{
|
||||||
|
Endpoint: endpoint,
|
||||||
|
TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: caBundle},
|
||||||
|
},
|
||||||
|
}, metav1.CreateOptions{})
|
||||||
|
require.NoError(t, err, "could not create test WebhookIdentityProvider")
|
||||||
|
t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
|
||||||
|
t.Cleanup(func() {
|
||||||
|
t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
|
||||||
|
require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
|
||||||
|
})
|
||||||
|
|
||||||
|
return corev1.TypedLocalObjectReference{
|
||||||
|
APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
|
||||||
|
Kind: "WebhookIdentityProvider",
|
||||||
|
Name: idp.Name,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user