Matt Moyer
c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:28:33 -05:00
Ryan Richard
3359311228
concierge_impersonation_proxy_test.go: fix typo in previous commit
2021-03-26 09:49:49 -07:00
Ryan Richard
7e16619146
concierge_impersonation_proxy_test.go: handle TKGS test clusters
...
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
2021-03-26 09:28:42 -07:00
Margo Crawford
b6e217e13a
Hardcode type "webhook" in concierge_impersonation_proxy_test.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 17:19:47 -07:00
Margo Crawford
6f2882b831
Explicitly set the correct authenticator for impersonator test
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 16:57:37 -07:00
Margo Crawford
d90398815b
Nothing in parallel in the impersonation proxy integration test
2021-03-22 10:48:09 -07:00
Margo Crawford
7683a98792
Unparallelize run all the verbs and port-forward tests
2021-03-22 09:45:51 -07:00
Margo Crawford
d7e9568137
Unparallelize a couple
2021-03-22 09:43:40 -07:00
Ryan Richard
3e50b4e129
Add -sS to the curl command in concierge_impersonation_proxy_test.go
2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56
Edit some comments in concierge_impersonation_proxy_test.go
2021-03-19 13:19:17 -07:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
...
Maybe this will cut down on flakes we see in CI?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
...
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
bd8c243636
concierge_impersonation_proxy_test.go: small refactor
2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Margo Crawford
897340860b
Small refactor to impersonation proxy integration test
2021-03-16 16:57:46 -07:00
Margo Crawford
64e0dbb481
Sleep for 1 minute 10 seconds instead of a minute in timeout test
2021-03-15 16:33:47 -07:00
Margo Crawford
939ea30030
Make all tests but disable test parallelized
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17
Test waiting for a minute and keeping connection open
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Ryan Richard
8065a8d2e6
TestKubeCertAgent waits for CredentialIssuer strategy to be successful
...
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a
Fix a race detector warning by re-declaring err
in a t.Cleanup()
2021-03-15 11:43:12 -07:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Margo Crawford
d509e7012e
Add eventually loop to port-forward test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
...
I think this is nondeterministic...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
...
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
f77c92560f
Rewrite impersonator_test.go, add missing argument to IssuePEM()
...
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.
The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d
Fix lint errors from a previous commit
2021-03-11 16:21:40 -08:00
Andrew Keesler
71712b2d00
Add test for http2
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
Ryan Richard
29d7f406f7
Test double impersonation as the cluster admin
2021-03-11 12:53:27 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
...
This was failing on our laptops because 443 is a privileged port.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97
concierge_impersonation_proxy_test.go: Fix lint error in previous commit
2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee
Test using a service account token to auth to the impersonator
...
Also make each t.Run use its own namespace to slight reduce the
interdependency between them.
Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6
Use ioutil.ReadFile instead of os.ReadFile
...
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e
Add integration test for using WhoAmIRequest through impersonator
2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1
Use gorilla websocket library so squid proxy works
2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79
Small test refactor
2021-03-10 14:50:46 -08:00
Ryan Richard
1078bf4dfb
Don't pass credentials when testing impersonation proxy port is closed
...
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.
Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Ryan Richard
0b300cbe42
Use TokenCredentialRequest instead of base64 token with impersonator
...
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.
The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Margo Crawford
c853707889
Added integration test for using websockets via the impersonation proxy
...
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Margo Crawford
883b90923d
Add integration test for kubectl port-forward with impersonation
2021-03-09 11:32:50 -08:00
Matt Moyer
a58b460bcb
Switch TestImpersonationProxy to get clients from library.NewKubeclient instead of directly from kubernetes.NewForConfig.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 15:03:34 -06:00