From 93cfd8c93aee9206b213bbf0d91482b82761504b Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Wed, 9 Dec 2020 09:50:50 -0500 Subject: [PATCH 1/2] Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20 kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master". Signed-off-by: Andrew Keesler Signed-off-by: Andrew Keesler --- hack/lib/tilt/Tiltfile | 2 +- hack/prepare-for-integration-tests.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile index 675b61a5..6bd2e479 100644 --- a/hack/lib/tilt/Tiltfile +++ b/hack/lib/tilt/Tiltfile @@ -149,7 +149,7 @@ k8s_yaml(local([ '--data-value image_repo=image/concierge ' + '--data-value image_tag=tilt-dev ' + '--data-value kube_cert_agent_image=debian:10.6-slim ' + - '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' + + '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/master|control plane/ {print $NF}\') ' + '--data-value log_level=debug ' + '--data-value-yaml replicas=1 ' + '--data-value-yaml "custom_labels={myConciergeCustomLabelName: myConciergeCustomLabelValue}"' diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index 4634330c..f6c89544 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -123,7 +123,7 @@ if ! tilt_mode; then # Our kind config exposes node port 31234 as 127.0.0.1:12345, 31243 as 127.0.0.1:12344, and 31235 as 127.0.0.1:12346 ./hack/kind-up.sh else - if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then + if ! kubectl cluster-info | grep -E '(master|control plane)' | grep -q 127.0.0.1; then log_error "Seems like your kubeconfig is not targeting a local cluster." log_error "Exiting to avoid accidentally running tests against a real cluster." exit 1 @@ -249,7 +249,7 @@ concierge_app_name="pinniped-concierge" concierge_namespace="concierge" webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" -discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" +discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')" concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}" if ! tilt_mode; then From 4c0fb12cf67741c682da18f12fcd7bfef952e5b8 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Wed, 9 Dec 2020 09:51:58 -0500 Subject: [PATCH 2/2] test/integration: only set JWTAuthenticator CA bundle when it exists See comment in code. Signed-off-by: Andrew Keesler --- test/library/client.go | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/test/library/client.go b/test/library/client.go index 7a24b54d..d11869d2 100644 --- a/test/library/client.go +++ b/test/library/client.go @@ -180,14 +180,22 @@ func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedL createContext, cancel := context.WithTimeout(ctx, 5*time.Second) defer cancel() + // If the test upstream does not have a CA bundle specified, then don't configure one in the + // JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root + // CA store. + tlsSpec := &auth1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLITestUpstream.CABundle)), + } + if testEnv.CLITestUpstream.CABundle == "" { + tlsSpec = nil + } + jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{ ObjectMeta: testObjectMeta(t, "jwt-authenticator"), Spec: auth1alpha1.JWTAuthenticatorSpec{ Issuer: testEnv.CLITestUpstream.Issuer, Audience: testEnv.CLITestUpstream.ClientID, - TLS: &auth1alpha1.TLSSpec{ - CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLITestUpstream.CABundle)), - }, + TLS: tlsSpec, }, }, metav1.CreateOptions{}) require.NoError(t, err, "could not create test JWTAuthenticator")