Commit Graph

20 Commits

Author SHA1 Message Date
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Ryan Richard
80153f9a80 Allow app to start despite failing to borrow the cluster signing key
- Controller and aggregated API server are allowed to run
- Keep retrying to borrow the cluster signing key in case the failure
  to get it was caused by a transient failure
- The CredentialRequest endpoint will always return an authentication
  failure as long as the cluster signing key cannot be borrowed
- Update which integration tests are skipped to reflect what should
  and should not work based on the cluster's capability under this
  new behavior
- Move CreateOrUpdateCredentialIssuerConfig() and related methods
  to their own file
- Update the CredentialIssuerConfig's Status every time we try to
  refresh the cluster signing key
2020-08-25 18:22:53 -07:00
Andrew Keesler
4306599396
Fix linter errors 2020-08-25 10:40:59 -04:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Andrew Keesler
ed8b1be178
Revert "test/library: try another cert rest config"
Didn't fix CI. I didn't think it would.

I have never seen the integration tests fail like this locally, so I
have to imagine the failure has something to do with the environment
on which we are testing.

This reverts commit ba2e2f509a.
2020-08-24 11:52:47 -04:00
Andrew Keesler
ba2e2f509a
test/library: try another cert rest config
We are getting these weird flakes in CI where the kube client that we
create with these helper functions doesn't work against the kube API.
The kube API tells us that we are unauthorized (401). Seems like something
is wrong with the keypair itself, but when I create a one-off kubeconfig
with the keypair, I get 200s from the API. Hmmm...I wonder what CI will
think of this change?

I also tried to align some naming in this package.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-24 11:01:37 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Ryan Richard
9648db0837 Update how integration tests which use LoginRequest make their clients
- When we call the LoginRequest endpoint in loginrequest_test.go,
  do it with an unauthenticated client, to make sure that endpoint works
  with unauthenticated clients.
- For tests which want to test using certs returned by LoginRequest to
  make API calls back to kube to check if those certs are working, make
  sure they start with a bare client and then add only those certs.
  Avoid accidentally picking up other kubeconfig configuration like
  tokens, etc.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 14:30:07 -07:00
Ryan Richard
4cb0fd3949 Use a DaemonSet instead of a Deployment to deploy our app
- For high availability reasons, we would like our app to scale linearly
  with the size of the control plane. Using a DaemonSet allows us to run
  one pod on each node-role.kubernetes.io/master node.
- The hope is that the Service that we create should load balance
  between these pods appropriately.
2020-08-11 17:55:34 -07:00
Ryan Richard
fadd718d08 Add integration and more unit tests
- Add integration test for serving cert auto-generation and rotation
- Add unit test for `WithInitialEvent` of the cert manager controller
- Move UpdateAPIService() into the `apicerts` package, since that is
  the only user of the function.
2020-08-11 10:14:57 -07:00
Matt Moyer
6dd331b21d Use Go's -short flag as a way to avoid running integration tests.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-06 20:44:14 -05:00
Matt Moyer
ad55f9e310 Pull placeholder-name-client-go back into this repo as a library.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-06 19:38:13 -05:00
Andrew Keesler
31e6d8fbb1
Drop main module dependency on test module
I suppose we could solve this other ways, but this utility was
only used in one place right now, so it is easiest to copy it over.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-06 10:29:04 -04:00
Andrew Keesler
597408a977
Allow override of discovery URL via ConfigMap
Signed-off-by: Andrew Keesler <akeesler@vmware.com>

- Seems like the next step is to allow override of the CA bundle; I didn't
  do that here for simplicity of the commit, but seems like it is the right
  thing to do in the future.
2020-08-03 10:17:11 -04:00
Matt Moyer
531954511b Extract a test library helper for ErrorWriter{}.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
f7b0cf8f8a Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Andrew Keesler
9f0d2606b1 WIP: initial integration test for cert issuing 2020-07-27 12:31:30 -07:00
Mo Khan
5fdc20886d
Initial aggregated API server (#15)
Add initial aggregated API server (squashed from a bunch of commits).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Aram Price <pricear@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 10:05:21 -05:00
Monis Khan
a544f7d7bf
Add integration test to check app is running
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-09 15:30:59 -04:00