diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go index c0858a38..aaf3e2c4 100644 --- a/test/integration/cli_test.go +++ b/test/integration/cli_test.go @@ -32,7 +32,7 @@ import ( "go.pinniped.dev/test/library/browsertest" ) -func TestCLIGetKubeconfig(t *testing.T) { +func TestCLIGetKubeconfigStaticToken(t *testing.T) { env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable) // Create a test webhook configuration to use with the CLI. @@ -44,32 +44,68 @@ func TestCLIGetKubeconfig(t *testing.T) { // Build pinniped CLI. pinnipedExe := buildPinnipedCLI(t) - // Run pinniped CLI to get kubeconfig. - kubeConfigYAML := runPinnipedCLIGetKubeconfig(t, pinnipedExe, env.TestUser.Token, env.ConciergeNamespace, "webhook", authenticator.Name) + for _, tt := range []struct { + name string + args []string + expectStderr string + }{ + { + name: "deprecated command", + args: []string{ + "get-kubeconfig", + "--token", env.TestUser.Token, + "--pinniped-namespace", env.ConciergeNamespace, + "--authenticator-type", "webhook", + "--authenticator-name", authenticator.Name, + }, + expectStderr: "Command \"get-kubeconfig\" is deprecated, Please use `pinniped get kubeconfig` instead.\n", + }, + { + name: "newer command, but still using static parameters", + args: []string{ + "get", "kubeconfig", + "--static-token", env.TestUser.Token, + "--concierge-namespace", env.ConciergeNamespace, + "--concierge-authenticator-type", "webhook", + "--concierge-authenticator-name", authenticator.Name, + }, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + stdout, stderr := runPinnipedCLI(t, pinnipedExe, tt.args...) + require.Equal(t, tt.expectStderr, stderr) - // In addition to the client-go based testing below, also try the kubeconfig - // with kubectl to validate that it works. - adminClient := library.NewClientset(t) - t.Run( - "access as user with kubectl", - library.AccessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, env.TestUser.ExpectedUsername, env.ConciergeNamespace), - ) - for _, group := range env.TestUser.ExpectedGroups { - group := group - t.Run( - "access as group "+group+" with kubectl", - library.AccessAsGroupWithKubectlTest(ctx, adminClient, kubeConfigYAML, group, env.ConciergeNamespace), - ) - } + // Even the deprecated command should now generate a kubeconfig with the new "pinniped login static" command. + restConfig := library.NewRestConfigFromKubeconfig(t, stdout) + require.NotNil(t, restConfig.ExecProvider) + require.Equal(t, []string{"login", "static"}, restConfig.ExecProvider.Args[:2]) - // Create Kubernetes client with kubeconfig from pinniped CLI. - kubeClient := library.NewClientsetForKubeConfig(t, kubeConfigYAML) + // In addition to the client-go based testing below, also try the kubeconfig + // with kubectl to validate that it works. + adminClient := library.NewClientset(t) + t.Run( + "access as user with kubectl", + library.AccessAsUserWithKubectlTest(ctx, adminClient, stdout, env.TestUser.ExpectedUsername, env.ConciergeNamespace), + ) + for _, group := range env.TestUser.ExpectedGroups { + group := group + t.Run( + "access as group "+group+" with kubectl", + library.AccessAsGroupWithKubectlTest(ctx, adminClient, stdout, group, env.ConciergeNamespace), + ) + } - // Validate that we can auth to the API via our user. - t.Run("access as user with client-go", library.AccessAsUserTest(ctx, adminClient, env.TestUser.ExpectedUsername, kubeClient)) - for _, group := range env.TestUser.ExpectedGroups { - group := group - t.Run("access as group "+group+" with client-go", library.AccessAsGroupTest(ctx, adminClient, group, kubeClient)) + // Create Kubernetes client with kubeconfig from pinniped CLI. + kubeClient := library.NewClientsetForKubeConfig(t, stdout) + + // Validate that we can auth to the API via our user. + t.Run("access as user with client-go", library.AccessAsUserTest(ctx, adminClient, env.TestUser.ExpectedUsername, kubeClient)) + for _, group := range env.TestUser.ExpectedGroups { + group := group + t.Run("access as group "+group+" with client-go", library.AccessAsGroupTest(ctx, adminClient, group, kubeClient)) + } + }) } } @@ -92,25 +128,14 @@ func buildPinnipedCLI(t *testing.T) string { return pinnipedExe } -func runPinnipedCLIGetKubeconfig(t *testing.T, pinnipedExe, token, namespaceName, authenticatorType, authenticatorName string) string { +func runPinnipedCLI(t *testing.T, pinnipedExe string, args ...string) (string, string) { t.Helper() - - output, err := exec.Command( - pinnipedExe, - "get-kubeconfig", - "--token", token, - "--pinniped-namespace", namespaceName, - "--authenticator-type", authenticatorType, - "--authenticator-name", authenticatorName, - ).Output() - - // Log stderr if there is a problem. - var exitErr *exec.ExitError - if errors.As(err, &exitErr) { - t.Logf("stderr:\n%s\n", string(exitErr.Stderr)) - } - require.NoError(t, err, string(output)) - return string(output) + var stdout, stderr bytes.Buffer + cmd := exec.Command(pinnipedExe, args...) + cmd.Stdout = &stdout + cmd.Stderr = &stderr + require.NoErrorf(t, cmd.Run(), "stderr:\n%s\n\nstdout:\n%s\n\n", stderr.String(), stdout.String()) + return stdout.String(), stderr.String() } func TestCLILoginOIDC(t *testing.T) {