Commit Graph

3207 Commits

Author SHA1 Message Date
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Ryan Richard
b102aa8991 In unit test, wait for obj from informer instead of resource version
In impersonator_config_test.go, instead of waiting for the resource
version to appear in the informers, wait for the actual object to
appear.

This is an attempt to resolve flaky failures that only happen in CI,
but it also cleans up the test a bit by avoiding inventing fake resource
version numbers all over the test.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-04 17:26:01 -08:00
Ryan Richard
9eb97e2683 Use Eventually when making tls connections and avoid resource version 0
- Use `Eventually` when making tls connections because the production
  code's handling of starting and stopping the TLS server port
  has some async behavior.
- Don't use resource version "0" because that has special meaning
  in the informer libraries.
2021-03-04 17:26:01 -08:00
Matt Moyer
fea626b654
Remove this proxy-related test code that we ended up not needing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 17:19:59 -06:00
Matt Moyer
16163b989b
Use regular http.Client in this test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 17:18:24 -06:00
Matt Moyer
165fce67af
Use the unversioned REST client for this check.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:23:39 -06:00
Matt Moyer
6a8f377781
Fix a linter warning.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:16:03 -06:00
Matt Moyer
d24cf4b8a7
Go back to testing entirely through the proxy, but add a retry loop during the first connection.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:05:56 -06:00
Matt Moyer
34e15f03c3
Simplify const declarations in flag_types.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 15:21:50 -06:00
Matt Moyer
274e6281a8
Whoops, missed these fixes in test/library/env.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 15:21:49 -06:00
Matt Moyer
7146cb3880
Remove old debug-make-impersonation-token command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 15:02:42 -06:00
Matt Moyer
9dfbe60253
Do the kubeconfig proxy environment injection, but actually render back out the YAML.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 14:41:20 -06:00
Matt Moyer
1734280a19
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-04 12:38:00 -06:00
Matt Moyer
9a0f75980d
Set a special proxy environment just for the "pinniped login oidc" command in the E2E test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:35:29 -06:00
Matt Moyer
ddd1d29e5d
Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:24:57 -06:00
Matt Moyer
03f09c6870
Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works (again).
This time, don't use the Squid proxy if the cluster supports real external load balancers (as in EKS/GKE/AKS).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:04:52 -06:00
Matt Moyer
f99c186c55
Merge pull request #475 from vmware-tanzu/dependabot/go_modules/k8s.io/klog/v2-2.6.0
Bump k8s.io/klog/v2 from 2.5.0 to 2.6.0
2021-03-04 10:04:08 -06:00
dependabot[bot]
14b8def320
Bump k8s.io/klog/v2 from 2.5.0 to 2.6.0
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.5.0...v2.6.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-04 06:10:36 +00:00
Ryan Richard
5697adc36a Revert "Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works."
This reverts commit 7c9aff3278.
2021-03-03 17:24:10 -08:00
Ryan Richard
9c1c760f56 Always clean up the ConfigMap at the end of the impersonator int test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-03 16:23:07 -08:00
Ryan Richard
48f2ae9eb4 Fix a typo in concierge_impersonation_proxy_test.go 2021-03-03 15:18:01 -08:00
Matt Moyer
7c9aff3278
Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-03 17:05:46 -06:00
Ryan Richard
58607c7e81 Update TestCredentialIssuer int test to ignore ImpersonationProxy type 2021-03-03 14:19:24 -08:00
Ryan Richard
1b3103c9b5 Remove a nolint comment to satisfy the version of the linter used in CI 2021-03-03 13:37:03 -08:00
Ryan Richard
666c0b0e18 Use CredentialIssuer for URL/CA discovery in impersonator int test 2021-03-03 12:53:41 -08:00
Ryan Richard
f0fc84c922 Add new allowed values to field validations on CredentialIssuer
The new values are used by the impersonation proxy's status.
2021-03-03 12:53:41 -08:00
Ryan Richard
7b7901af36 Add -timeout 0 when describing how to run integration tests
Because otherwise `go test` will panic/crash your test if it takes
longer than 10 minutes, which is an annoying way for an integration
test to fail since it skips all of the t.Cleanup's.
2021-03-03 12:53:41 -08:00
Ryan Richard
57453773ea CONTRIBUTING.md: remove mention of Tilt, since it isn't working well 2021-03-03 12:53:41 -08:00
Matt Moyer
f4fcb9bde6
Sort CredentialIssuer strategies in preferred order.
This updates our issuerconfig.UpdateStrategy to sort strategies according to a weighted preference.
The TokenCredentialRequest API strategy is preffered, followed by impersonation proxy, followed by any other unknown types.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-03 14:03:27 -06:00
Margo Crawford
0799a538dc change FromString to Parse so TargetPort parses correctly 2021-03-03 11:12:37 -08:00
Mo Khan
4f700d4811
Merge pull request #473 from enj/enj/r/oidc_discovery_json
oidc discovery: encode metadata once and reuse
2021-03-03 14:12:33 -05:00
Monis Khan
d7edc41c24
oidc discovery: encode metadata once and reuse
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-03 13:37:43 -05:00
Ryan Richard
333a3ab4c2 impersonator_config_test.go: Add another unit test 2021-03-03 09:37:08 -08:00
Ryan Richard
730092f39c impersonator_config.go: refactor to clean up cert name handling 2021-03-03 09:22:35 -08:00
Ryan Richard
d3599c541b Fill in the frontend field of CredentialIssuer status for impersonator 2021-03-02 16:52:23 -08:00
Ryan Richard
454f35ccd6 Edit a comment on a type and run codegen 2021-03-02 16:52:23 -08:00
Margo Crawford
27daf0a2fe Increase timeout for creating load balancer in impersonation proxy test 2021-03-02 15:49:30 -08:00
Ryan Richard
8bf03257f4 Add new impersonation-related constants to api types and run codegen 2021-03-02 15:28:13 -08:00
Ryan Richard
1ad2c38509 Impersonation controller updates CredentialIssuer on every call to Sync
- This commit does not include the updates that we plan to make to
  the `status.strategies[].frontend` field of the CredentialIssuer.
  That will come in a future commit.
2021-03-02 15:28:13 -08:00
Ryan Richard
84cc42b2ca Remove tls field from the impersonator config
- Decided that we're not going to implement this now, although
  we may decide to add it in the future
2021-03-02 15:28:13 -08:00
Margo Crawford
4c68050706 Allow all headers besides impersonation-* through impersonation proxy 2021-03-02 15:01:13 -08:00
Matt Moyer
aa826a1579
Merge pull request #472 from mattmoyer/deflake-getpinnipedcategory-test
Make TestGetPinnipedCategory and TestKubeClientOwnerRef tests more resilient.
2021-03-02 16:42:23 -06:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Matt Moyer
df27c2e1fc
Use randomly generated API groups in TestKubeClientOwnerRef.
I think this is another aspect of the test flakes we're trying to fix. This matters especially for the "Multiple Pinnipeds" test environment where two copies of the test suite are running concurrently.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:48:13 -06:00
Matt Moyer
45f57939af
Make TestGetPinnipedCategory more resilient.
If the test is run immediately after the Concierge is installed, the API server can still have broken discovery data and return an error on the first call.
This commit adds a retry loop to attempt this first kubectl command for up to 60s before declaring failure.
The subsequent tests should be covered by this as well since they are not run in parallel.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:40:17 -06:00
Matt Moyer
30f5f66090
Merge pull request #471 from vmware-tanzu/change-credentialissuer-strategies-api
Deprecate status.kubeConfigInfo field in CredentialIssuer and move this data into strategies field.
2021-03-02 15:39:41 -06:00
Matt Moyer
2a29303e3f
Fix label handling in kubecertagent controllers.
These controllers were a bit inconsistent. There were cases where the controllers ran out of the expected order and the custom labels might not have been applied.

We should still plan to remove this label handling or move responsibility into the middleware layer, but this avoids any regression.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:59:46 -06:00
Matt Moyer
643c60fd7a
Drop NewKubeConfigInfoPublisherController, start populating strategy frontend from kubecertagent execer controller.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Matt Moyer
7174f857d8
Add generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Matt Moyer
0be2c0d40f
Add CredentialIssuer "status.strategies[].frontend" field.
This field is a new tagged-union style field that describes how clients can connect using each successful strategy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00