// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package integration import ( "context" "encoding/base64" "testing" "time" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1" "go.pinniped.dev/test/testlib" ) func TestCredentialIssuer(t *testing.T) { env := testlib.IntegrationEnv(t) config := testlib.NewClientConfig(t) client := testlib.NewConciergeClientset(t) aggregatedClientset := testlib.NewAggregatedClientset(t) ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() t.Run("test successful CredentialIssuer", func(t *testing.T) { actualConfigList, err := client. ConfigV1alpha1(). CredentialIssuers(). List(ctx, metav1.ListOptions{}) require.NoError(t, err) require.Len(t, actualConfigList.Items, 1) actualConfig := actualConfigList.Items[0] actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo for k, v := range env.ConciergeCustomLabels { require.Equalf(t, v, actualConfig.Labels[k], "expected ci to have label `%s: %s`", k, v) } require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"]) apiService, err := aggregatedClientset.ApiregistrationV1().APIServices().Get(ctx, "v1alpha1.login.concierge."+env.APIGroupSuffix, metav1.GetOptions{}) require.NoError(t, err) // work around stupid behavior of WithoutVersionDecoder.Decode apiService.APIVersion, apiService.Kind = apiregistrationv1.SchemeGroupVersion.WithKind("APIService").ToAPIVersionAndKind() // Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys. actualStatusStrategies := actualConfigList.Items[0].Status.Strategies // There should be two. One of type KubeClusterSigningCertificate and one of type ImpersonationProxy. require.Len(t, actualStatusStrategies, 2) // The details of the ImpersonationProxy type is tested by a different integration test for the impersonator. // Grab the KubeClusterSigningCertificate result so we can check it in detail below. var actualStatusStrategy configv1alpha1.CredentialIssuerStrategy for _, s := range actualStatusStrategies { if s.Type == configv1alpha1.KubeClusterSigningCertificateStrategyType { actualStatusStrategy = s break } } require.NotNil(t, actualStatusStrategy) if env.HasCapability(testlib.ClusterSigningKeyIsAvailable) { require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status) require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason) require.Equal(t, "key was fetched successfully", actualStatusStrategy.Message) require.NotNil(t, actualStatusStrategy.Frontend) require.Equal(t, configv1alpha1.TokenCredentialRequestAPIFrontendType, actualStatusStrategy.Frontend.Type) expectedTokenRequestAPIInfo := configv1alpha1.TokenCredentialRequestAPIInfo{ Server: config.Host, CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData), } require.Equal(t, &expectedTokenRequestAPIInfo, actualStatusStrategy.Frontend.TokenCredentialRequestAPIInfo) // Verify the published kube config info. require.Equal( t, &configv1alpha1.CredentialIssuerKubeConfigInfo{ Server: expectedTokenRequestAPIInfo.Server, CertificateAuthorityData: expectedTokenRequestAPIInfo.CertificateAuthorityData, }, actualStatusKubeConfigInfo, ) } else { require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status) require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason) require.Contains(t, actualStatusStrategy.Message, "could not find a healthy kube-controller-manager pod (0 candidates)") require.Nil(t, actualStatusKubeConfigInfo) } }) }