Validation for service type none and external endpoint none
Also added a few more test cases for provisioning a load balancer
This commit is contained in:
parent
4a785e73e6
commit
eaea3471ec
@ -656,8 +656,7 @@ func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *v1a
|
|||||||
// - you have a loadbalancer AND an external endpoint -> either should work since they should be the same
|
// - you have a loadbalancer AND an external endpoint -> either should work since they should be the same
|
||||||
// - external endpoint no loadbalancer or other service -> use the endpoint config
|
// - external endpoint no loadbalancer or other service -> use the endpoint config
|
||||||
// - external endpoint and ClusterIP -> use external endpoint?
|
// - external endpoint and ClusterIP -> use external endpoint?
|
||||||
//
|
// - clusterip and no external endpoint
|
||||||
// - is it legal to have a clusterip and no external endpoint???
|
|
||||||
if config.ExternalEndpoint != "" {
|
if config.ExternalEndpoint != "" {
|
||||||
return c.findTLSCertificateNameFromEndpointConfig(config), nil
|
return c.findTLSCertificateNameFromEndpointConfig(config), nil
|
||||||
} else if config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP {
|
} else if config.Service.Type == v1alpha1.ImpersonationProxyServiceTypeClusterIP {
|
||||||
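Review bot: The new bullet `// - clusterip and no external endpoint` names a case but, unlike the other bullets in this list, does not say what the function does with it, so the reader still has to work it out from the branches below. Since the `if config.ExternalEndpoint != ""` / `else if ... ServiceTypeClusterIP` chain that follows is what decides it, `// - clusterip and no external endpoint -> falls through to the ClusterIP branch below` would make the bullet self-contained; the ClusterIP branch itself lies outside this hunk, so confirm its behaviour before wording it more precisely. The open question mark on `// - external endpoint and ClusterIP -> use external endpoint?` could be resolved the same way, because the code two lines down does take the external-endpoint path whenever ExternalEndpoint is set. findDesiredTLSCertificateName starts and ends outside the hunk.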
@ -874,7 +873,11 @@ func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, conf
|
|||||||
|
|
||||||
func validateCredentialIssuerSpec(credIssuer *v1alpha1.CredentialIssuer) error {
|
func validateCredentialIssuerSpec(credIssuer *v1alpha1.CredentialIssuer) error {
|
||||||
// TODO check external endpoint for valid ip or hostname
|
// TODO check external endpoint for valid ip or hostname
|
||||||
// TODO if service type is none and externalendpoint is "" return error
|
impersonationProxySpec := credIssuer.Spec.ImpersonationProxy
|
||||||
|
if impersonationProxySpec.Mode != v1alpha1.ImpersonationProxyModeDisabled &&
|
||||||
|
impersonationProxySpec.ExternalEndpoint == "" && impersonationProxySpec.Service.Type == v1alpha1.ImpersonationProxyServiceTypeNone {
|
||||||
|
return fmt.Errorf("invalid impersonation proxy configuration: must specify an external endpoint or set a service type")
|
||||||
|
}
|
||||||
switch mode := credIssuer.Spec.ImpersonationProxy.Mode; mode {
|
switch mode := credIssuer.Spec.ImpersonationProxy.Mode; mode {
|
||||||
case v1alpha1.ImpersonationProxyModeAuto:
|
case v1alpha1.ImpersonationProxyModeAuto:
|
||||||
case v1alpha1.ImpersonationProxyModeDisabled:
|
case v1alpha1.ImpersonationProxyModeDisabled:
|
||||||
|
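Review bot: The switch at the end of the hunk still reads `credIssuer.Spec.ImpersonationProxy.Mode` even though the new check introduced the `impersonationProxySpec` local a few lines above; `switch mode := impersonationProxySpec.Mode; mode {` keeps the two consistent and avoids validating one copy of the spec while switching on another. The `// TODO check external endpoint for valid ip or hostname` line is kept and remains open: an ExternalEndpoint that passes the new non-empty check appears to be handed to findTLSCertificateNameFromEndpointConfig in the @ -656 hunk without further validation, so a malformed value is only caught downstream, if at all. The switch body continues outside the hunk.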
@ -1498,6 +1498,36 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("the CredentialIssuer has a hostname specified and service type loadbalancer", func() {
|
||||||
|
const fakeHostname = "fake.example.com"
|
||||||
|
it.Before(func() {
|
||||||
|
addCredentialIssuerToTracker(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{
|
||||||
|
ImpersonationProxy: v1alpha1.ImpersonationProxySpec{
|
||||||
|
Mode: v1alpha1.ImpersonationProxyModeEnabled,
|
||||||
|
ExternalEndpoint: fakeHostname,
|
||||||
|
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||||
|
Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, pinnipedInformerClient)
|
||||||
|
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||||
|
})
|
||||||
|
|
||||||
|
it("starts the impersonator, generates a valid cert for the specified hostname, starts a loadbalancer", func() {
|
||||||
|
startInformersAndController()
|
||||||
|
r.NoError(runControllerSync())
|
||||||
|
r.Len(kubeAPIClient.Actions(), 4)
|
||||||
|
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||||
|
requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1])
|
||||||
|
ca := requireCASecretWasCreated(kubeAPIClient.Actions()[2])
|
||||||
|
requireTLSSecretWasCreated(kubeAPIClient.Actions()[3], ca)
|
||||||
|
// Check that the server is running and that TLS certs that are being served are are for fakeHostname.
|
||||||
|
requireTLSServerIsRunning(ca, fakeHostname, map[string]string{fakeHostname + httpsPort: testServerAddr()})
|
||||||
|
requireCredentialIssuer(newSuccessStrategy(fakeHostname, ca))
|
||||||
|
requireSigningCertProviderHasLoadedCerts(signingCACertPEM, signingCAKeyPEM)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
when("the CredentialIssuer has a endpoint which is an IP address with a port", func() {
|
when("the CredentialIssuer has a endpoint which is an IP address with a port", func() {
|
||||||
const fakeIPWithPort = "127.0.0.1:3000"
|
const fakeIPWithPort = "127.0.0.1:3000"
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
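Review bot: The comment in the new test body, `// Check that the server is running and that TLS certs that are being served are are for fakeHostname.`, has a duplicated word; the same sentence is repeated with `fakeHostnameWithPort` in the @ -1556 hunk. Both should read `... that are being served are for fakeHostname.` (respectively `fakeHostnameWithPort`). TestImpersonatorConfigControllerSync starts and ends outside the hunk.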
@ -1556,6 +1586,36 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("the CredentialIssuer has a endpoint which is a hostname with a port, service type loadbalancer", func() {
|
||||||
|
const fakeHostnameWithPort = "fake.example.com:3000"
|
||||||
|
it.Before(func() {
|
||||||
|
addCredentialIssuerToTracker(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{
|
||||||
|
ImpersonationProxy: v1alpha1.ImpersonationProxySpec{
|
||||||
|
Mode: v1alpha1.ImpersonationProxyModeEnabled,
|
||||||
|
ExternalEndpoint: fakeHostnameWithPort,
|
||||||
|
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||||
|
Type: v1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, pinnipedInformerClient)
|
||||||
|
addNodeWithRoleToTracker("worker", kubeAPIClient)
|
||||||
|
})
|
||||||
|
|
||||||
|
it("starts the impersonator, starts the loadbalancer, generates a valid cert for the specified hostname", func() {
|
||||||
|
startInformersAndController()
|
||||||
|
r.NoError(runControllerSync())
|
||||||
|
r.Len(kubeAPIClient.Actions(), 4)
|
||||||
|
requireNodesListed(kubeAPIClient.Actions()[0])
|
||||||
|
requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1])
|
||||||
|
ca := requireCASecretWasCreated(kubeAPIClient.Actions()[2])
|
||||||
|
requireTLSSecretWasCreated(kubeAPIClient.Actions()[3], ca)
|
||||||
|
// Check that the server is running and that TLS certs that are being served are are for fakeHostnameWithPort.
|
||||||
|
requireTLSServerIsRunning(ca, fakeHostnameWithPort, map[string]string{fakeHostnameWithPort: testServerAddr()})
|
||||||
|
requireCredentialIssuer(newSuccessStrategy(fakeHostnameWithPort, ca))
|
||||||
|
requireSigningCertProviderHasLoadedCerts(signingCACertPEM, signingCAKeyPEM)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
when("switching the CredentialIssuer from ip address endpoint to hostname endpoint and back to ip address", func() {
|
when("switching the CredentialIssuer from ip address endpoint to hostname endpoint and back to ip address", func() {
|
||||||
const fakeHostname = "fake.example.com"
|
const fakeHostname = "fake.example.com"
|
||||||
const fakeIP = "127.0.0.42"
|
const fakeIP = "127.0.0.42"
|
||||||
@ -2711,6 +2771,28 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("the impersonator is enabled but the service type is none and the external endpoint is empty", func() {
|
||||||
|
it.Before(func() {
|
||||||
|
addSecretToTrackers(signingCASecret, kubeInformerClient)
|
||||||
|
addCredentialIssuerToTracker(credentialIssuerResourceName, v1alpha1.CredentialIssuerSpec{
|
||||||
|
ImpersonationProxy: v1alpha1.ImpersonationProxySpec{
|
||||||
|
Mode: v1alpha1.ImpersonationProxyModeEnabled,
|
||||||
|
ExternalEndpoint: "",
|
||||||
|
Service: v1alpha1.ImpersonationProxyServiceSpec{
|
||||||
|
Type: v1alpha1.ImpersonationProxyServiceTypeNone,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, pinnipedInformerClient)
|
||||||
|
addNodeWithRoleToTracker("control-plane", kubeAPIClient)
|
||||||
|
})
|
||||||
|
|
||||||
|
it("returns a validation error", func() {
|
||||||
|
startInformersAndController()
|
||||||
|
r.EqualError(runControllerSync(), "invalid impersonator configuration: invalid impersonation proxy configuration: must specify an external endpoint or set a service type")
|
||||||
|
r.Len(kubeAPIClient.Actions(), 0)
|
||||||
|
})
|
||||||
|
})
|
||||||
}, spec.Report(report.Terminal{}))
|
}, spec.Report(report.Terminal{}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
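Review bot: The new test only exercises the validation error with `Mode: v1alpha1.ImpersonationProxyModeEnabled`, while the check added in validateCredentialIssuerSpec fires for every mode other than Disabled, so the Auto-mode path is untested. A sibling `when` with `Mode: v1alpha1.ImpersonationProxyModeAuto,` and the same `ExternalEndpoint: ""` / `ServiceTypeNone` spec, asserting the same error string, would cover it; a Disabled-mode case with the same spec asserting that no error is returned would also pin the boundary of the check. The asserted message in `r.EqualError(runControllerSync(), "invalid impersonator configuration: ...")` couples the test to the exact wrapping text, which is acceptable here but worth keeping in step with the error returned in the @ -874 hunk. TestImpersonatorConfigControllerSync starts outside the hunk.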