Matt Moyer
4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS).
...
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.
The fix is to retry this step for up to 5 minutes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:48:53 -05:00
Margo Crawford
d8baa43903
Add new non-idle timeout integration test for impersonation proxy
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-29 09:30:51 -07:00
Ryan Richard
95bb4c4be5
Fix concierge_impersonation_proxy_test.go on AKS
...
Also send the correct instance of `t` into a helper function which
makes assertions.
2021-03-26 19:32:46 -07:00
Matt Moyer
c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:28:33 -05:00
Ryan Richard
3359311228
concierge_impersonation_proxy_test.go: fix typo in previous commit
2021-03-26 09:49:49 -07:00
Ryan Richard
7e16619146
concierge_impersonation_proxy_test.go: handle TKGS test clusters
...
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
2021-03-26 09:28:42 -07:00
Margo Crawford
b6e217e13a
Hardcode type "webhook" in concierge_impersonation_proxy_test.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 17:19:47 -07:00
Margo Crawford
6f2882b831
Explicitly set the correct authenticator for impersonator test
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 16:57:37 -07:00
Margo Crawford
d90398815b
Nothing in parallel in the impersonation proxy integration test
2021-03-22 10:48:09 -07:00
Margo Crawford
7683a98792
Unparallelize run all the verbs and port-forward tests
2021-03-22 09:45:51 -07:00
Margo Crawford
d7e9568137
Unparallelize a couple
2021-03-22 09:43:40 -07:00
Ryan Richard
3e50b4e129
Add -sS to the curl command in concierge_impersonation_proxy_test.go
2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56
Edit some comments in concierge_impersonation_proxy_test.go
2021-03-19 13:19:17 -07:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
...
Maybe this will cut down on flakes we see in CI?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
...
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
bd8c243636
concierge_impersonation_proxy_test.go: small refactor
2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Margo Crawford
897340860b
Small refactor to impersonation proxy integration test
2021-03-16 16:57:46 -07:00
Margo Crawford
64e0dbb481
Sleep for 1 minute 10 seconds instead of a minute in timeout test
2021-03-15 16:33:47 -07:00
Margo Crawford
939ea30030
Make all tests but disable test parallelized
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17
Test waiting for a minute and keeping connection open
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Ryan Richard
8065a8d2e6
TestKubeCertAgent waits for CredentialIssuer strategy to be successful
...
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a
Fix a race detector warning by re-declaring err in a t.Cleanup()
2021-03-15 11:43:12 -07:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Margo Crawford
d509e7012e
Add eventually loop to port-forward test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
...
I think this is nondeterministic...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
...
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
f77c92560f
Rewrite impersonator_test.go, add missing argument to IssuePEM()
...
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.
The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d
Fix lint errors from a previous commit
2021-03-11 16:21:40 -08:00
Andrew Keesler
71712b2d00
Add test for http2
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
Ryan Richard
29d7f406f7
Test double impersonation as the cluster admin
2021-03-11 12:53:27 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
...
This was failing on our laptops because 443 is a privileged port.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97
concierge_impersonation_proxy_test.go: Fix lint error in previous commit
2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee
Test using a service account token to auth to the impersonator
...
Also make each t.Run use its own namespace to slightly reduce the
interdependency between them.
Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6
Use ioutil.ReadFile instead of os.ReadFile
...
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e
Add integration test for using WhoAmIRequest through impersonator
2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1
Use gorilla websocket library so squid proxy works
2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79
Small test refactor
2021-03-10 14:50:46 -08:00
Ryan Richard
1078bf4dfb
Don't pass credentials when testing impersonation proxy port is closed
...
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.
Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Ryan Richard
0b300cbe42
Use TokenCredentialRequest instead of base64 token with impersonator
...
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impersonation call on your behalf.
The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Margo Crawford
c853707889
Added integration test for using websockets via the impersonation proxy
...
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00