6e59596285
- Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing
111 lines
4.5 KiB
Go
111 lines
4.5 KiB
Go
/*
|
|
Copyright 2020 VMware, Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
package integration
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/client-go/rest"
|
|
|
|
crdpinnipedv1alpha1 "github.com/suzerain-io/pinniped/kubernetes/1.19/api/apis/crdpinniped/v1alpha1"
|
|
"github.com/suzerain-io/pinniped/test/library"
|
|
)
|
|
|
|
func TestCredentialIssuerConfig(t *testing.T) {
|
|
library.SkipUnlessIntegration(t)
|
|
namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
|
|
|
config := library.NewClientConfig(t)
|
|
client := library.NewPinnipedClientset(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
defer cancel()
|
|
|
|
t.Run("test successful CredentialIssuerConfig", func(t *testing.T) {
|
|
actualConfigList, err := client.
|
|
CrdV1alpha1().
|
|
CredentialIssuerConfigs(namespaceName).
|
|
List(ctx, metav1.ListOptions{})
|
|
require.NoError(t, err)
|
|
require.Len(t, actualConfigList.Items, 1)
|
|
|
|
// Verify the published kube config info.
|
|
actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo
|
|
require.Equal(t, expectedStatusKubeConfigInfo(config), actualStatusKubeConfigInfo)
|
|
|
|
// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.
|
|
actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
|
|
require.Len(t, actualStatusStrategies, 1)
|
|
actualStatusStrategy := actualStatusStrategies[0]
|
|
require.Equal(t, crdpinnipedv1alpha1.KubeClusterSigningCertificateStrategyType, actualStatusStrategy.Type)
|
|
|
|
if library.ClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) {
|
|
require.Equal(t, crdpinnipedv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
|
|
require.Equal(t, crdpinnipedv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
|
|
require.Equal(t, "Key was fetched successfully", actualStatusStrategy.Message)
|
|
} else {
|
|
require.Equal(t, crdpinnipedv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
|
|
require.Equal(t, crdpinnipedv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
|
|
require.Contains(t, actualStatusStrategy.Message, "some part of the error message")
|
|
}
|
|
|
|
require.WithinDuration(t, time.Now(), actualStatusStrategy.LastUpdateTime.Local(), 10*time.Minute)
|
|
})
|
|
|
|
t.Run("reconciling CredentialIssuerConfig", func(t *testing.T) {
|
|
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
|
|
|
existingConfig, err := client.
|
|
CrdV1alpha1().
|
|
CredentialIssuerConfigs(namespaceName).
|
|
Get(ctx, "pinniped-config", metav1.GetOptions{})
|
|
require.NoError(t, err)
|
|
require.Len(t, existingConfig.Status.Strategies, 1)
|
|
initialStrategy := existingConfig.Status.Strategies[0]
|
|
|
|
// Mutate the existing object. Don't delete it because that would mess up its `Status.Strategies` array,
|
|
// since the reconciling controller is not currently responsible for that field.
|
|
existingConfig.Status.KubeConfigInfo.Server = "https://junk"
|
|
updatedConfig, err := client.
|
|
CrdV1alpha1().
|
|
CredentialIssuerConfigs(namespaceName).
|
|
Update(ctx, existingConfig, metav1.UpdateOptions{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, "https://junk", updatedConfig.Status.KubeConfigInfo.Server)
|
|
|
|
// Expect that the object's mutated field is set back to what matches its source of truth.
|
|
var actualCredentialIssuerConfig *crdpinnipedv1alpha1.CredentialIssuerConfig
|
|
var getConfig = func() bool {
|
|
actualCredentialIssuerConfig, err = client.
|
|
CrdV1alpha1().
|
|
CredentialIssuerConfigs(namespaceName).
|
|
Get(ctx, "pinniped-config", metav1.GetOptions{})
|
|
return err == nil
|
|
}
|
|
assert.Eventually(t, getConfig, 5*time.Second, 100*time.Millisecond)
|
|
require.NoError(t, err) // prints out the error and stops the test in case of failure
|
|
actualStatusKubeConfigInfo := actualCredentialIssuerConfig.Status.KubeConfigInfo
|
|
require.Equal(t, expectedStatusKubeConfigInfo(config), actualStatusKubeConfigInfo)
|
|
|
|
// The strategies should not have changed during reconciliation.
|
|
require.Len(t, actualCredentialIssuerConfig.Status.Strategies, 1)
|
|
require.Equal(t, initialStrategy, actualCredentialIssuerConfig.Status.Strategies[0])
|
|
})
|
|
}
|
|
|
|
func expectedStatusKubeConfigInfo(config *rest.Config) *crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo {
|
|
return &crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo{
|
|
Server: config.Host,
|
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),
|
|
}
|
|
}
|