Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.

This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled). This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 13:54:29 -05:00 · 2021-03-16 13:54:29 -05:00 · c5b784465b
commit c5b784465b
parent ab6452ace7
8 changed files with 44 additions and 7 deletions
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: false
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@ -0,0 +1,12 @@
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Describe the capabilities of the cluster against which the integration tests will run.
+capabilities:
+
+  # Is it possible to borrow the cluster's signing key from the kube API server?
+  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: false
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@ -1,4 +1,4 @@
-# Copyright 2020 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0

 # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:

  # Is it possible to borrow the cluster's signing key from the kube API server?
  clusterSigningKeyIsAvailable: true
+
+  # Does the cluster allow requests without authentication?
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
+  anonymousAuthenticationSupported: true
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@ -23,7 +23,7 @@ import (
 )

 func TestUnsuccessfulCredentialRequest(t *testing.T) {
-	env := library.IntegrationEnv(t)
+	env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)

 	library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")

@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
 }

 func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
-	env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable)
+	env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)

 	library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")

--- a/test/integration/whoami_test.go
+++ b/test/integration/whoami_test.go
@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
 }

 func TestWhoAmI_Anonymous(t *testing.T) {
-	_ = library.IntegrationEnv(t)
+	_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)

 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
--- a/test/library/env.go
+++ b/test/library/env.go
@ -18,7 +18,8 @@ import (
 type Capability string

 const (
-	ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
+	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
+	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 )

 // TestEnv captures all the external parameters consumed by our integration tests.