Refactor integration-test and acceptance-test (#1252)

* Refactor tests

* Fix

* Run plugin

* Fix

* Update acceptance-test.yaml

* Fix
This commit is contained in:
Hidetake Iwata
2025-01-20 09:37:10 +09:00
committed by GitHub
parent 3121e55498
commit 4c10146639
6 changed files with 66 additions and 28 deletions

.github/workflows/acceptance-test.yaml vendored Normal file

@@ -0,0 +1,34 @@
name: acceptance-test
on:
pull_request:
branches:
- master
paths:
- .github/workflows/acceptance-test.yaml
- acceptance_test/**
push:
branches:
- master
paths:
- .github/workflows/acceptance-test.yaml
- acceptance_test/**
jobs:
test-makefile:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: make -C acceptance_test check
- run: make -C acceptance_test
env:
OIDC_ISSUER_URL: https://accounts.google.com
OIDC_CLIENT_ID: REDACTED.apps.googleusercontent.com
YOUR_EMAIL: REDACTED@gmail.com
- run: make -C acceptance_test delete-cluster
- run: make -C acceptance_test clean
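Review bot: The workflow declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scope although checkout, setup-go and the make steps only need to read the repository; add `permissions: { contents: read }` at the top level next to `name:`. The `delete-cluster` and `clean` steps only run when the `make -C acceptance_test` step succeeds; `if: always()` on both keeps a failed run from leaving the kind cluster behind, which matters mostly on self-hosted runners but also makes failure logs cleaner. OIDC_CLIENT_ID and YOUR_EMAIL are literal placeholders that get substituted into cluster.yaml and the kubeconfig, so this job exercises the Makefile plumbing rather than a real token exchange; a one-line comment above `env:` saying so (e.g. `# Placeholder values: this job only checks that the targets run, no login happens in CI.`) would save the next reader from expecting more.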


@@ -4,33 +4,38 @@ OUTPUT_DIR := $(CURDIR)/output
KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
export KUBECONFIG export KUBECONFIG
# create a Kubernetes cluster
.PHONY: cluster .PHONY: cluster
cluster: cluster:
# create a cluster # Create a cluster.
mkdir -p $(OUTPUT_DIR) mkdir -p $(OUTPUT_DIR)
sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
# set up access control
# Set up the access control.
kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*' kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL) kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
# set up kubectl
# Set up kubectl.
kubectl config set-credentials oidc \ kubectl config set-credentials oidc \
--exec-api-version=client.authentication.k8s.io/v1beta1 \ --exec-api-version=client.authentication.k8s.io/v1 \
--exec-interactive-mode=Never \
--exec-command=$(CURDIR)/../kubelogin \ --exec-command=$(CURDIR)/../kubelogin \
--exec-arg=get-token \ --exec-arg=get-token \
--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \ --exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \ --exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \ --exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
--exec-arg=--oidc-extra-scope=email --exec-arg=--oidc-extra-scope=email
# switch the default user
# Switch the default user.
kubectl config set-context --current --user=oidc kubectl config set-context --current --user=oidc
# clean up the resources # Show the kubeconfig.
kubectl config view
.PHONY: clean .PHONY: clean
clean: clean:
-rm -r $(OUTPUT_DIR) -rm -r $(OUTPUT_DIR)
.PHONY: delete-cluster .PHONY: delete-cluster
delete-cluster: delete-cluster:
kind delete cluster --name $(CLUSTER_NAME) kind delete cluster --name $(CLUSTER_NAME)
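Review bot: `kubectl config view` on the last line of the `cluster` recipe prints the exec plugin's arguments in clear text, so anything passed via `--exec-arg` lands in the CI log; with `--oidc-client-secret` removed in this commit nothing sensitive is printed, but a comment such as `# Exec args are shown in clear text by config view; never pass a client secret here.` would keep that property from regressing. `--exec-interactive-mode=Never` tells kubectl the plugin never needs stdin, which is fine for the browser-based flow the README describes but presumably breaks grant types that read from the terminal — worth a comment or a check that this is intended. The `cluster-readonly` ClusterRole grants get/list/watch on `*.*`, which includes Secrets; acceptable for a throwaway kind cluster, but the `# Set up the access control.` comment could say so explicitly. The `sed` substitution silently produces an invalid cluster.yaml when OIDC_ISSUER_URL or OIDC_CLIENT_ID is unset; a guard like `$(if $(OIDC_ISSUER_URL),,$(error OIDC_ISSUER_URL is required))` fails early, unless the `check` target the workflow runs first already does this.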


@@ -1,16 +1,14 @@
# kubelogin/acceptance_test # kubelogin/acceptance_test
This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider. This is a manual test to verify if the Kubernetes OIDC authentication works with your OIDC provider.
## Purpose ## Purpose
This test checks the following points: This test checks the following points:
1. You can set up your OIDC provider using [setup guide](../docs/setup.md). 1. You can set up your OIDC provider using the [setup guide](../docs/setup.md).
1. The plugin works with your OIDC provider. 1. The plugin works with your OIDC provider.
## Getting Started ## Getting Started
### Prerequisite ### Prerequisite
@@ -22,7 +20,7 @@ make -C ..
``` ```
You need to set up your provider. You need to set up your provider.
See [setup guide](../docs/setup.md) for more. See the [setup guide](../docs/setup.md) for more.
You need to install the following tools: You need to install the following tools:
@@ -44,7 +42,6 @@ For example, you can create a cluster with Google account authentication.
```sh ```sh
make OIDC_ISSUER_URL=https://accounts.google.com \ make OIDC_ISSUER_URL=https://accounts.google.com \
OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \ OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
OIDC_CLIENT_SECRET=REDACTED \
YOUR_EMAIL=REDACTED@gmail.com YOUR_EMAIL=REDACTED@gmail.com
``` ```


@@ -2,12 +2,11 @@
This is an automated test for verifying behavior of the plugin with a real Kubernetes cluster and OIDC provider. This is an automated test for verifying behavior of the plugin with a real Kubernetes cluster and OIDC provider.
## Purpose ## Purpose
This test checks the following points: This test checks the following points:
1. User can set up Kubernetes OIDC authentication using [setup guide](../docs/setup.md). 1. User can set up Kubernetes OIDC authentication using the [setup guide](../docs/setup.md).
1. User can log in to an OIDC provider on a browser. 1. User can log in to an OIDC provider on a browser.
1. User can access the cluster using a token returned from the plugin. 1. User can access the cluster using a token returned from the plugin.
@@ -18,7 +17,6 @@ It depends on the following components:
- Browser (Chrome) - Browser (Chrome)
- kubectl command - kubectl command
## How it works ## How it works
Let's take a look at the diagram. Let's take a look at the diagram.
@@ -45,7 +43,6 @@ It performs the test by the following steps:
1. kube-apiserver verifies the token by Dex. 1. kube-apiserver verifies the token by Dex.
1. Check if kubectl exited with code 0. 1. Check if kubectl exited with code 0.
## Run locally ## Run locally
You need to set up the following components: You need to set up the following components:
@@ -80,7 +77,6 @@ make terminate
make clean make clean
``` ```
## Technical consideration ## Technical consideration
### Network and DNS ### Network and DNS


@@ -8,13 +8,16 @@ export KUBECONFIG
cluster: cluster:
cp $(CERT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt cp $(CERT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
# add the Dex container IP to /etc/hosts
# Add the Dex container IP to /etc/hosts.
docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \ docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
docker exec -i $(CLUSTER_NAME)-control-plane tee -a /etc/hosts docker exec -i $(CLUSTER_NAME)-control-plane tee -a /etc/hosts
# wait for kube-apiserver oidc initialization
# (oidc authenticator will retry oidc discovery every 10s) # Wait for kube-apiserver oidc initialization.
# oidc authenticator will retry oidc discovery every 10s.
sleep 10 sleep 10
# add the cluster role
# Add the cluster role.
kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*' kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
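Review bot: The `docker inspect ... | sed ... | docker exec -i ... tee -a /etc/hosts` pipeline reports only the exit status of `tee`, so a failed `docker inspect` (for example dex-server not yet attached to the kind network) appends nothing and the recipe carries on; the OIDC failure then surfaces much later as a confusing kubectl error. Capturing the address first makes the failure explicit: `DEX_IP=$$(docker inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' dex-server) && test -n "$$DEX_IP" && echo "$$DEX_IP dex-server" | docker exec -i $(CLUSTER_NAME)-control-plane tee -a /etc/hosts`. The fixed `sleep 10` is likewise a timing assumption rather than a readiness check; if the discovery retry interval changes the `cluster-readonly` binding is still created but the first OIDC request may fail, so the comment should at least name the kube-apiserver version this interval was observed on. The `cluster` recipe presumably continues past the end of this hunk.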


@@ -2,15 +2,18 @@ CERT_DIR := ../cert
.PHONY: dex .PHONY: dex
dex: dex.yaml dex: dex.yaml
# wait for kind network # Wait for kind network.
while true; do if docker network inspect kind; then break; fi; sleep 1; done until docker network inspect kind; do sleep 1; done
# create a container
# Create a container.
docker create -q --name dex-server -p 10443:10443 --network kind ghcr.io/dexidp/dex:v2.39.0 dex serve /dex.yaml docker create -q --name dex-server -p 10443:10443 --network kind ghcr.io/dexidp/dex:v2.39.0 dex serve /dex.yaml
# deploy the config
# Deploy the config.
docker cp $(CERT_DIR)/server.crt dex-server:/ docker cp $(CERT_DIR)/server.crt dex-server:/
docker cp $(CERT_DIR)/server.key dex-server:/ docker cp $(CERT_DIR)/server.key dex-server:/
docker cp dex.yaml dex-server:/ docker cp dex.yaml dex-server:/
# start the container
# Start the container.
docker start dex-server docker start dex-server
docker logs dex-server docker logs dex-server
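Review bot: The new `until docker network inspect kind; do sleep 1; done` loop has no upper bound, so if the kind network never appears the recipe spins until the job-level timeout kills it with no indication of what it was waiting for; wrapping it as `timeout 60 sh -c 'until docker network inspect kind; do sleep 1; done'` keeps the failure local and names it. `-p 10443:10443` publishes Dex on every host interface; if the browser only ever reaches it via localhost, `-p 127.0.0.1:10443:10443` narrows the exposure — confirm against the README's network and DNS notes before changing it. The image is pinned by tag (`ghcr.io/dexidp/dex:v2.39.0`) rather than digest, unlike the SHA-pinned actions in the workflow; pinning `@sha256:…` makes the test IdP reproducible and guards against a moved tag. `docker logs dex-server` right after `docker start` will usually print nothing useful; a short comment saying it is there for debugging would stop readers treating it as a readiness check.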