djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,743 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

80 Commits

Author SHA1 Message Date
Ryan Richard 9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Andrew Keesler c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt 
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-04-05 15:01:49 -07:00
Matt Moyer 4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS). 
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.

The fix is to retry this step for up to 5 minutes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-03-30 13:48:53 -05:00
Margo Crawford d8baa43903 Add new non-idle timeout integration test for impersonation proxy 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-03-29 09:30:51 -07:00
Ryan Richard 95bb4c4be5 Fix concierge_impersonation_proxy_test.go on AKS 
Also send the correct instance of `t` into a helper function which
makes assertions.
 2021-03-26 19:32:46 -07:00
Matt Moyer c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-03-26 16:28:33 -05:00
Ryan Richard 3359311228 concierge_impersonation_proxy_test.go: fix typo in previous commit 2021-03-26 09:49:49 -07:00
Ryan Richard 7e16619146 concierge_impersonation_proxy_test.go: handle TKGS test clusters 
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
 2021-03-26 09:28:42 -07:00
Margo Crawford b6e217e13a Hardcode type "webhook" in concierge_impersonation_proxy_test.go 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-03-25 17:19:47 -07:00
Margo Crawford 6f2882b831 Explicitly set the correct authenticator for impersonator test 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-03-25 16:57:37 -07:00
Margo Crawford d90398815b Nothing in parallel in the impersonation proxy integration test 2021-03-22 10:48:09 -07:00
Margo Crawford 7683a98792 Unparallelize run all the verbs and port-forward tests 2021-03-22 09:45:51 -07:00
Margo Crawford d7e9568137 Unparallelize a couple 2021-03-22 09:43:40 -07:00
Ryan Richard 3e50b4e129 Add -sS to the curl command in concierge_impersonation_proxy_test.go 2021-03-19 13:23:28 -07:00
Ryan Richard d856221f56 Edit some comments in concierge_impersonation_proxy_test.go 2021-03-19 13:19:17 -07:00
Andrew Keesler 2749044625
test/integration: unparallelize impersonation kubectl test 
Maybe this will cut down on flakes we see in CI?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-19 13:31:28 -04:00
Andrew Keesler ebd5e45fa6
test/integration: wait for convergence at end of impersonation test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-19 12:54:37 -04:00
Andrew Keesler 6154883855
test/integration: add temporary debug 'kubectl attach' logging 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-19 10:42:11 -04:00
Andrew Keesler ebe01a5aef
test/integration: catch early 'kubectl attach' return 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-19 09:59:24 -04:00
Andrew Keesler 1a9922d050
test/integration: poll more quickly in f2a48aee 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-18 17:53:14 -04:00
Andrew Keesler f2a48aee2b
test/integration: increase timeout to a minute to see if it helps 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-18 17:48:00 -04:00
Andrew Keesler 14a28bec24
test/integration: fix second assertion from dae62929 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-18 16:34:30 -04:00
Andrew Keesler dae62929e0
test/integration: error assertions pass w/ and w/o middleware 
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-18 15:35:31 -04:00
Ryan Richard bd8c243636 concierge_impersonation_proxy_test.go: small refactor 2021-03-18 10:46:27 -07:00
Monis Khan 120e46b5f7
test/integration: fix race condition 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-18 11:27:52 -04:00
Margo Crawford 897340860b Small refactor to impersonation proxy integration test 2021-03-16 16:57:46 -07:00
Margo Crawford 64e0dbb481 Sleep for 1 minute 10 seconds instead of a minute in timeout test 2021-03-15 16:33:47 -07:00
Margo Crawford 939ea30030 Make all tests but disable test parallelized 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-15 14:34:41 -07:00
Andrew Keesler efd973fa17 Test waiting for a minute and keeping connection open 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-03-15 14:34:41 -07:00
Ryan Richard 8065a8d2e6 TestKubeCertAgent waits for CredentialIssuer strategy to be successful 
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
 2021-03-15 11:43:12 -07:00
Ryan Richard e22ad6171a Fix a race detector warning by re-declaring `err` in a t.Cleanup() 2021-03-15 11:43:12 -07:00
Monis Khan b530cef3b1
impersonator: encode proper API status on failure 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-03-13 20:25:23 -05:00
Margo Crawford d509e7012e Add eventually loop to port-forward test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-12 10:44:11 -08:00
Andrew Keesler 5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test 
I think this is nondeterministic...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-12 10:45:36 -05:00
Andrew Keesler 253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now 
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-12 09:54:59 -05:00
Ryan Richard f77c92560f Rewrite impersonator_test.go, add missing argument to IssuePEM() 
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.

The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
 2021-03-11 16:27:16 -08:00
Ryan Richard c12a23725d Fix lint errors from a previous commit 2021-03-11 16:21:40 -08:00
Andrew Keesler 71712b2d00 Add test for http2 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-03-11 15:49:49 -08:00
Ryan Richard 29d7f406f7 Test double impersonation as the cluster admin 2021-03-11 12:53:27 -08:00
Margo Crawford 22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-11 15:10:16 -05:00
Andrew Keesler fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port 
This was failing on our laptops because 443 is a privileged port.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-03-11 13:05:26 -05:00
Ryan Richard a918e9fb97 concierge_impersonation_proxy_test.go: Fix lint error in previous commit 2021-03-11 10:04:24 -08:00
Ryan Richard 34accc3dee Test using a service account token to auth to the impersonator 
Also make each t.Run use its own namespace to slight reduce the
interdependency between them.

Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
 2021-03-11 10:01:17 -08:00
Ryan Richard 61d64fc4c6 Use ioutil.ReadFile instead of os.ReadFile 
Because it works on older golang versions too.
 2021-03-11 08:58:54 -08:00
Andrew Keesler b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-11 10:42:28 -05:00
Andrew Keesler 32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-03-11 10:07:16 -05:00
Ryan Richard d13bb07b3e Add integration test for using WhoAmIRequest through impersonator 2021-03-10 16:57:15 -08:00
Margo Crawford 24396b6af1 Use gorilla websocket library so squid proxy works 2021-03-10 16:03:52 -08:00
Ryan Richard 006dc8aa79 Small test refactor 2021-03-10 14:50:46 -08:00
Ryan Richard 1078bf4dfb Don't pass credentials when testing impersonation proxy port is closed 
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.

Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-03-10 13:08:15 -08:00