Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.

This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled).

This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer 2021-03-16 13:54:29 -05:00
parent ab6452ace7
commit c5b784465b
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
8 changed files with 44 additions and 7 deletions

View File

@ -0,0 +1,12 @@
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Describe the capabilities of the cluster against which the integration tests will run.
capabilities:
# Is it possible to borrow the cluster's signing key from the kube API server?
clusterSigningKeyIsAvailable: false
# Does the cluster allow requests without authentication?
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
anonymousAuthenticationSupported: false

View File

@ -0,0 +1,12 @@
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Describe the capabilities of the cluster against which the integration tests will run.
capabilities:
# Is it possible to borrow the cluster's signing key from the kube API server?
clusterSigningKeyIsAvailable: false
# Does the cluster allow requests without authentication?
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
anonymousAuthenticationSupported: true

View File

@ -1,4 +1,4 @@
# Copyright 2020 the Pinniped contributors. All Rights Reserved. # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# Describe the capabilities of the cluster against which the integration tests will run. # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:
# Is it possible to borrow the cluster's signing key from the kube API server? # Is it possible to borrow the cluster's signing key from the kube API server?
clusterSigningKeyIsAvailable: false clusterSigningKeyIsAvailable: false
# Does the cluster allow requests without authentication?
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
anonymousAuthenticationSupported: true

View File

@ -1,4 +1,4 @@
# Copyright 2020 the Pinniped contributors. All Rights Reserved. # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# Describe the capabilities of the cluster against which the integration tests will run. # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:
# Is it possible to borrow the cluster's signing key from the kube API server? # Is it possible to borrow the cluster's signing key from the kube API server?
clusterSigningKeyIsAvailable: true clusterSigningKeyIsAvailable: true
# Does the cluster allow requests without authentication?
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
anonymousAuthenticationSupported: true

View File

@ -1,4 +1,4 @@
# Copyright 2020 the Pinniped contributors. All Rights Reserved. # Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# Describe the capabilities of the cluster against which the integration tests will run. # Describe the capabilities of the cluster against which the integration tests will run.
@ -6,3 +6,7 @@ capabilities:
# Is it possible to borrow the cluster's signing key from the kube API server? # Is it possible to borrow the cluster's signing key from the kube API server?
clusterSigningKeyIsAvailable: true clusterSigningKeyIsAvailable: true
# Does the cluster allow requests without authentication?
# https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
anonymousAuthenticationSupported: true

View File

@ -23,7 +23,7 @@ import (
) )
func TestUnsuccessfulCredentialRequest(t *testing.T) { func TestUnsuccessfulCredentialRequest(t *testing.T) {
env := library.IntegrationEnv(t) env := library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "") library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")
@ -184,7 +184,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
} }
func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) { func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable(t *testing.T) {
env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable) env := library.IntegrationEnv(t).WithoutCapability(library.ClusterSigningKeyIsAvailable).WithCapability(library.AnonymousAuthenticationSupported)
library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "") library.AssertNoRestartsDuringTest(t, env.ConciergeNamespace, "")

View File

@ -344,7 +344,7 @@ func TestWhoAmI_CSR(t *testing.T) {
} }
func TestWhoAmI_Anonymous(t *testing.T) { func TestWhoAmI_Anonymous(t *testing.T) {
_ = library.IntegrationEnv(t) _ = library.IntegrationEnv(t).WithCapability(library.AnonymousAuthenticationSupported)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel() defer cancel()

View File

@ -18,7 +18,8 @@ import (
type Capability string type Capability string
const ( const (
ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable" ClusterSigningKeyIsAvailable Capability = "clusterSigningKeyIsAvailable"
AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
) )
// TestEnv captures all the external parameters consumed by our integration tests. // TestEnv captures all the external parameters consumed by our integration tests.