Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled). This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments. Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
ab6452ace7
commit
c5b784465b
12
test/cluster_capabilities/aks.yaml
Normal file
12
test/cluster_capabilities/aks.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
# Describe the capabilities of the cluster against which the integration tests will run.
|
||||||
|
capabilities:
|
||||||
|
|
||||||
|
# Is it possible to borrow the cluster's signing key from the kube API server?
|
||||||
|
clusterSigningKeyIsAvailable: false
|
||||||
|
|
||||||
|
# Does the cluster allow requests without authentication?
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
|
||||||
|
anonymousAuthenticationSupported: false
|
12
test/cluster_capabilities/eks.yaml
Normal file
12
test/cluster_capabilities/eks.yaml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
# Describe the capabilities of the cluster against which the integration tests will run.
|
||||||
|
capabilities:
|
||||||
|
|
||||||
|
# Is it possible to borrow the cluster's signing key from the kube API server?
|
||||||
|
clusterSigningKeyIsAvailable: false
|
||||||
|
|
||||||
|
# Does the cluster allow requests without authentication?
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
|
||||||
|
anonymousAuthenticationSupported: true
|
@ -1,4 +1,4 @@
|
|||||||
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
# Describe the capabilities of the cluster against which the integration tests will run.
|
# Describe the capabilities of the cluster against which the integration tests will run.
|
||||||
@ -6,3 +6,7 @@ capabilities:
|
|||||||
|
|
||||||
# Is it possible to borrow the cluster's signing key from the kube API server?
|
# Is it possible to borrow the cluster's signing key from the kube API server?
|
||||||
clusterSigningKeyIsAvailable: false
|
clusterSigningKeyIsAvailable: false
|
||||||
|
|
||||||
|
# Does the cluster allow requests without authentication?
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
|
||||||
|
anonymousAuthenticationSupported: true
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
# Describe the capabilities of the cluster against which the integration tests will run.
|
# Describe the capabilities of the cluster against which the integration tests will run.
|
||||||
@ -6,3 +6,7 @@ capabilities:
|
|||||||
|
|
||||||
# Is it possible to borrow the cluster's signing key from the kube API server?
|
# Is it possible to borrow the cluster's signing key from the kube API server?
|
||||||
clusterSigningKeyIsAvailable: true
|
clusterSigningKeyIsAvailable: true
|
||||||
|
|
||||||
|
# Does the cluster allow requests without authentication?
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
|
||||||
|
anonymousAuthenticationSupported: true
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
# Describe the capabilities of the cluster against which the integration tests will run.
|
# Describe the capabilities of the cluster against which the integration tests will run.
|
||||||
@ -6,3 +6,7 @@ capabilities:
|
|||||||
|
|
||||||
# Is it possible to borrow the cluster's signing key from the kube API server?
|
# Is it possible to borrow the cluster's signing key from the kube API server?
|
||||||
clusterSigningKeyIsAvailable: true
|
clusterSigningKeyIsAvailable: true
|
||||||
|
|
||||||
|
# Does the cluster allow requests without authentication?
|
||||||
|
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
|
||||||
|
anonymousAuthenticationSupported: true
|
||||||
|
@ -23,7 +23,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
func TestUnsuccessfulCredentialRequest(t *testing.T) {
|
func TestUnsuccessfulCredentialRequest(t *testing.T) {
|
||||||
env := library.IntegrationEnv(t)
|
env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
|
||||||
|
|
||||||
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
|
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
|
||||||
|
|
||||||
@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
|
func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
|
||||||
env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable)
|
env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)
|
||||||
|
|
||||||
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
|
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
|
||||||
|
|
||||||
|
@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestWhoAmI_Anonymous(t *testing.T) {
|
func TestWhoAmI_Anonymous(t *testing.T) {
|
||||||
_ = library.IntegrationEnv(t)
|
_ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
@ -18,7 +18,8 @@ import (
|
|||||||
type Capability string
|
type Capability string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
|
ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
|
||||||
|
AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
|
||||||
)
|
)
|
||||||
|
|
||||||
// TestEnv captures all the external parameters consumed by our integration tests.
|
// TestEnv captures all the external parameters consumed by our integration tests.
|
||||||
|
Loading…
Reference in New Issue
Block a user