Merge branch 'main' into rename_stuff
@@ -9,7 +9,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestGetAPIResourceList(t *testing.T) {
|
||||
@@ -26,25 +26,25 @@ func TestGetAPIResourceList(t *testing.T) {
|
||||
}{
|
||||
{
|
||||
group: metav1.APIGroup{
|
||||
Name: "pinniped.dev",
|
||||
Name: "login.pinniped.dev",
|
||||
Versions: []metav1.GroupVersionForDiscovery{
|
||||
{
|
||||
GroupVersion: "pinniped.dev/v1alpha1",
|
||||
GroupVersion: "login.pinniped.dev/v1alpha1",
|
||||
Version: "v1alpha1",
|
||||
},
|
||||
},
|
||||
PreferredVersion: metav1.GroupVersionForDiscovery{
|
||||
GroupVersion: "pinniped.dev/v1alpha1",
|
||||
GroupVersion: "login.pinniped.dev/v1alpha1",
|
||||
Version: "v1alpha1",
|
||||
},
|
||||
},
|
||||
resourceByVersion: map[string][]metav1.APIResource{
|
||||
"pinniped.dev/v1alpha1": {
|
||||
"login.pinniped.dev/v1alpha1": {
|
||||
{
|
||||
Name: "credentialrequests",
|
||||
Kind: "CredentialRequest",
|
||||
Name: "tokencredentialrequests",
|
||||
Kind: "TokenCredentialRequest",
|
||||
Verbs: []string{"create"},
|
||||
Namespaced: false,
|
||||
Namespaced: true,
|
||||
|
||||
// This is currently an empty string in the response; maybe it should not be
|
||||
// empty? Seems like no harm in keeping it like this for now, but feel free
|
||||
@@ -56,20 +56,20 @@ func TestGetAPIResourceList(t *testing.T) {
|
||||
},
|
||||
{
|
||||
group: metav1.APIGroup{
|
||||
Name: "crd.pinniped.dev",
|
||||
Name: "config.pinniped.dev",
|
||||
Versions: []metav1.GroupVersionForDiscovery{
|
||||
{
|
||||
GroupVersion: "crd.pinniped.dev/v1alpha1",
|
||||
GroupVersion: "config.pinniped.dev/v1alpha1",
|
||||
Version: "v1alpha1",
|
||||
},
|
||||
},
|
||||
PreferredVersion: metav1.GroupVersionForDiscovery{
|
||||
GroupVersion: "crd.pinniped.dev/v1alpha1",
|
||||
GroupVersion: "config.pinniped.dev/v1alpha1",
|
||||
Version: "v1alpha1",
|
||||
},
|
||||
},
|
||||
resourceByVersion: map[string][]metav1.APIResource{
|
||||
"crd.pinniped.dev/v1alpha1": {
|
||||
"config.pinniped.dev/v1alpha1": {
|
||||
{
|
||||
Name: "credentialissuerconfigs",
|
||||
SingularName: "credentialissuerconfig",
|
||||
|
||||
@@ -13,9 +13,9 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/generated/1.19/apis/pinniped/v1alpha1"
|
||||
"github.com/vmware-tanzu/pinniped/internal/testutil"
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
|
||||
@@ -82,7 +82,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
||||
defer cancel()
|
||||
|
||||
const apiServiceName = "v1alpha1.pinniped.dev"
|
||||
const apiServiceName = "v1alpha1.login.pinniped.dev"
|
||||
|
||||
// Get the initial auto-generated version of the Secret.
|
||||
secret, err := kubeClient.CoreV1().Secrets(namespaceName).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
|
||||
@@ -135,13 +135,10 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
|
||||
// pod has rotated their cert, but not the other ones sitting behind the service.
|
||||
aggregatedAPIWorking := func() bool {
|
||||
for i := 0; i < 10; i++ {
|
||||
_, err = pinnipedClient.PinnipedV1alpha1().CredentialRequests().Create(ctx, &v1alpha1.CredentialRequest{
|
||||
_, err = pinnipedClient.LoginV1alpha1().TokenCredentialRequests(namespaceName).Create(ctx, &loginv1alpha1.TokenCredentialRequest{
|
||||
TypeMeta: metav1.TypeMeta{},
|
||||
ObjectMeta: metav1.ObjectMeta{},
|
||||
Spec: v1alpha1.CredentialRequestSpec{
|
||||
Type: v1alpha1.TokenCredentialType,
|
||||
Token: &v1alpha1.CredentialRequestTokenCredential{Value: "not a good token"},
|
||||
},
|
||||
Spec: loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token"},
|
||||
}, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
break
|
||||
|
||||
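Review bot: The availability probe in `aggregatedAPIWorking` discards the response (`_, err = ...Create(...)`) and treats a nil error as success, so the loop would also pass if the aggregated API accepted the deliberately invalid token `"not a good token"`. Since the probe sends a bogus credential, consider keeping the response and returning false unless it reports a failed authentication, for example by checking that `Status.Message` is non-nil. That assumes the login v1alpha1 status carries the failure message, as the `response.Status.Message` assertion in the credential request tests suggests. The closure and the loop body continue outside the hunk, so any later checks are not visible here.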
@@ -13,7 +13,7 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestGetDeployment(t *testing.T) {
|
||||
|
||||
@@ -14,7 +14,7 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestCLI(t *testing.T) {
|
||||
@@ -93,7 +93,7 @@ func buildPinnipedCLI(t *testing.T) (string, func()) {
|
||||
"build",
|
||||
"-o",
|
||||
pinnipedExe,
|
||||
"github.com/vmware-tanzu/pinniped/cmd/pinniped",
|
||||
"go.pinniped.dev/cmd/pinniped",
|
||||
).CombinedOutput()
|
||||
require.NoError(t, err, string(output))
|
||||
|
||||
|
||||
@@ -11,9 +11,9 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/internal/client"
|
||||
"github.com/vmware-tanzu/pinniped/internal/here"
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/internal/client"
|
||||
"go.pinniped.dev/internal/here"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
// Test certificate and private key that should get an authentication error. Generated with cfssl [1], like this:
|
||||
|
||||
@@ -14,8 +14,8 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/rest"
|
||||
|
||||
crdpinnipedv1alpha1 "github.com/vmware-tanzu/pinniped/generated/1.19/apis/crdpinniped/v1alpha1"
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestCredentialIssuerConfig(t *testing.T) {
|
||||
@@ -30,7 +30,7 @@ func TestCredentialIssuerConfig(t *testing.T) {
|
||||
|
||||
t.Run("test successful CredentialIssuerConfig", func(t *testing.T) {
|
||||
actualConfigList, err := client.
|
||||
CrdV1alpha1().
|
||||
ConfigV1alpha1().
|
||||
CredentialIssuerConfigs(namespaceName).
|
||||
List(ctx, metav1.ListOptions{})
|
||||
require.NoError(t, err)
|
||||
@@ -43,17 +43,17 @@ func TestCredentialIssuerConfig(t *testing.T) {
|
||||
actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
|
||||
require.Len(t, actualStatusStrategies, 1)
|
||||
actualStatusStrategy := actualStatusStrategies[0]
|
||||
require.Equal(t, crdpinnipedv1alpha1.KubeClusterSigningCertificateStrategyType, actualStatusStrategy.Type)
|
||||
require.Equal(t, configv1alpha1.KubeClusterSigningCertificateStrategyType, actualStatusStrategy.Type)
|
||||
|
||||
if library.ClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) {
|
||||
require.Equal(t, crdpinnipedv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
|
||||
require.Equal(t, crdpinnipedv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
|
||||
require.Equal(t, configv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
|
||||
require.Equal(t, configv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
|
||||
require.Equal(t, "Key was fetched successfully", actualStatusStrategy.Message)
|
||||
// Verify the published kube config info.
|
||||
require.Equal(t, expectedStatusKubeConfigInfo(config), actualStatusKubeConfigInfo)
|
||||
} else {
|
||||
require.Equal(t, crdpinnipedv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
|
||||
require.Equal(t, crdpinnipedv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
|
||||
require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
|
||||
require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
|
||||
require.Contains(t, actualStatusStrategy.Message, "did not find kube-controller-manager pod")
|
||||
// For now, don't verify the kube config info because its not available on GKE. We'll need to address
|
||||
// this somehow once we starting supporting those cluster types.
|
||||
@@ -68,7 +68,7 @@ func TestCredentialIssuerConfig(t *testing.T) {
|
||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||
|
||||
existingConfig, err := client.
|
||||
CrdV1alpha1().
|
||||
ConfigV1alpha1().
|
||||
CredentialIssuerConfigs(namespaceName).
|
||||
Get(ctx, "pinniped-config", metav1.GetOptions{})
|
||||
require.NoError(t, err)
|
||||
@@ -80,17 +80,17 @@ func TestCredentialIssuerConfig(t *testing.T) {
|
||||
updatedServerValue := "https://junk"
|
||||
existingConfig.Status.KubeConfigInfo.Server = updatedServerValue
|
||||
updatedConfig, err := client.
|
||||
CrdV1alpha1().
|
||||
ConfigV1alpha1().
|
||||
CredentialIssuerConfigs(namespaceName).
|
||||
Update(ctx, existingConfig, metav1.UpdateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, updatedServerValue, updatedConfig.Status.KubeConfigInfo.Server)
|
||||
|
||||
// Expect that the object's mutated field is set back to what matches its source of truth by the controller.
|
||||
var actualCredentialIssuerConfig *crdpinnipedv1alpha1.CredentialIssuerConfig
|
||||
var actualCredentialIssuerConfig *configv1alpha1.CredentialIssuerConfig
|
||||
var configChangesServerField = func() bool {
|
||||
actualCredentialIssuerConfig, err = client.
|
||||
CrdV1alpha1().
|
||||
ConfigV1alpha1().
|
||||
CredentialIssuerConfigs(namespaceName).
|
||||
Get(ctx, "pinniped-config", metav1.GetOptions{})
|
||||
return err == nil && actualCredentialIssuerConfig.Status.KubeConfigInfo.Server != updatedServerValue
|
||||
@@ -106,8 +106,8 @@ func TestCredentialIssuerConfig(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func expectedStatusKubeConfigInfo(config *rest.Config) *crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo {
|
||||
return &crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo{
|
||||
func expectedStatusKubeConfigInfo(config *rest.Config) *configv1alpha1.CredentialIssuerConfigKubeConfigInfo {
|
||||
return &configv1alpha1.CredentialIssuerConfigKubeConfigInfo{
|
||||
Server: config.Host,
|
||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.TLSClientConfig.CAData),
|
||||
}
|
||||
|
||||
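Review bot: The polling closure `configChangesServerField` dereferences `actualCredentialIssuerConfig.Status.KubeConfigInfo.Server` after checking only `err == nil`. `expectedStatusKubeConfigInfo` returns a pointer, which suggests `KubeConfigInfo` is a pointer field; if the controller ever publishes the object with that field unset while reconciling, the test would panic instead of retrying. A nil guard keeps the poll going: `info := actualCredentialIssuerConfig.Status.KubeConfigInfo` followed by `return err == nil && info != nil && info.Server != updatedServerValue`. The place where the closure is called is outside the hunk.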
@@ -18,8 +18,8 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/generated/1.19/apis/pinniped/v1alpha1"
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/generated/1.19/apis/login/v1alpha1"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
func TestSuccessfulCredentialRequest(t *testing.T) {
|
||||
@@ -74,10 +74,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
|
||||
library.SkipUnlessIntegration(t)
|
||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||
|
||||
response, err := makeRequest(t, v1alpha1.CredentialRequestSpec{
|
||||
Type: v1alpha1.TokenCredentialType,
|
||||
Token: &v1alpha1.CredentialRequestTokenCredential{Value: "not a good token"},
|
||||
})
|
||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
@@ -90,10 +87,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
|
||||
library.SkipUnlessIntegration(t)
|
||||
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
|
||||
|
||||
response, err := makeRequest(t, v1alpha1.CredentialRequestSpec{
|
||||
Type: v1alpha1.TokenCredentialType,
|
||||
Token: nil,
|
||||
})
|
||||
response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
|
||||
|
||||
require.Error(t, err)
|
||||
statusError, isStatus := err.(*errors.StatusError)
|
||||
@@ -122,7 +116,7 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
|
||||
require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
|
||||
}
|
||||
|
||||
func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.CredentialRequest, error) {
|
||||
func makeRequest(t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
|
||||
t.Helper()
|
||||
|
||||
client := library.NewAnonymousPinnipedClientset(t)
|
||||
@@ -130,19 +124,16 @@ func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.C
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||
defer cancel()
|
||||
|
||||
return client.PinnipedV1alpha1().CredentialRequests().Create(ctx, &v1alpha1.CredentialRequest{
|
||||
ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
|
||||
return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{
|
||||
TypeMeta: metav1.TypeMeta{},
|
||||
ObjectMeta: metav1.ObjectMeta{},
|
||||
Spec: spec,
|
||||
}, metav1.CreateOptions{})
|
||||
}
|
||||
|
||||
func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec {
|
||||
token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
|
||||
return v1alpha1.CredentialRequestSpec{
|
||||
Type: v1alpha1.TokenCredentialType,
|
||||
Token: &v1alpha1.CredentialRequestTokenCredential{Value: token},
|
||||
}
|
||||
func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.TokenCredentialRequestSpec {
|
||||
return v1alpha1.TokenCredentialRequestSpec{Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")}
|
||||
}
|
||||
|
||||
func addTestClusterRoleBinding(ctx context.Context, t *testing.T, adminClient kubernetes.Interface, binding *rbacv1.ClusterRoleBinding) {
|
||||
|
||||
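Review bot: `TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken` now sends `TokenCredentialRequestSpec{Token: ""}` where it used to send a nil pointer, so an omitted token and an empty token are the same request and rejection rests entirely on server-side validation of the empty string. A short comment at that call would record this, e.g. `// Token is a plain string; "" is the only way to express a missing token and must be rejected.` The helper `validCredentialRequestSpecWithRealToken` and the `TestCredentialRequest_*` test names still carry the old resource name after the rename to TokenCredentialRequest; renaming them would keep the file consistent. The test function bodies extend beyond the visible hunks.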
@@ -10,7 +10,7 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/vmware-tanzu/pinniped/test/library"
|
||||
"go.pinniped.dev/test/library"
|
||||
)
|
||||
|
||||
// Smoke test to see if the kubeconfig works and the cluster is reachable.
|
||||
|
||||
@@ -15,7 +15,7 @@ import (
|
||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
||||
|
||||
pinnipedclientset "github.com/vmware-tanzu/pinniped/generated/1.19/client/clientset/versioned"
|
||||
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
||||
|
||||
// Import to initialize client auth plugins - the kubeconfig that we use for
|
||||
// testing may use gcloud, az, oidc, etc.
|
||||
|
||||