Update jwtauthenticator unit tests to check actions

- Add test to verify timestamps are particularly updated
- Improve diff output in tests for actions
- Make jwtauthenticator status tests parallel
- Update copyright headers in multiple files

test/integration/concierge_credentialrequest_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration

test/integration/concierge_jwtauthenticator_status_test.go

@@ -18,8 +18,7 @@ import (
 	"go.pinniped.dev/test/testlib"
 )
 
-// Never run this test in parallel since deleting all federation domains is disruptive, see main_test.go.
-func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
+func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 	env := testlib.IntegrationEnv(t)
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	t.Cleanup(cancel)
@@ -31,28 +30,30 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 		{
 			name: "valid spec with no errors and all good status conditions and phase will result in a jwt authenticator that is ready",
 			run: func(t *testing.T) {
+				caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
 				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
 					TLS: &v1alpha1.TLSSpec{
-						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+						CertificateAuthorityData: caBundleString,
 					},
 				}, v1alpha1.JWTAuthenticatorPhaseReady)
 
 				testlib.WaitForJWTAuthenticatorStatusConditions(
 					ctx, t,
 					jwtAuthenticator.Name,
-					allSuccessfulJWTAuthenticatorConditions())
+					allSuccessfulJWTAuthenticatorConditions(len(caBundleString) != 0))
 			},
 		},
 		{
 			name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
 			run: func(t *testing.T) {
+				caBundleString := "invalid base64-encoded data"
 				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
 					TLS: &v1alpha1.TLSSpec{
-						CertificateAuthorityData: "invalid base64-encoded data",
+						CertificateAuthorityData: caBundleString,
 					},
 				}, v1alpha1.JWTAuthenticatorPhaseError)
 
@@ -60,7 +61,7 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 					ctx, t,
 					jwtAuthenticator.Name,
 					replaceSomeConditions(
-						allSuccessfulJWTAuthenticatorConditions(),
+						allSuccessfulJWTAuthenticatorConditions(len(caBundleString) != 0),
 						[]metav1.Condition{
 							{
 								Type:    "Ready",
@@ -100,6 +101,7 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 		{
 			name: "valid spec with valid CA in TLS config but does not match issuer server will result in a jwt authenticator that is not ready",
 			run: func(t *testing.T) {
+				caBundleString := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
 				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
 					Issuer:   env.SupervisorUpstreamOIDC.Issuer,
 					Audience: "some-fake-audience",
@@ -107,7 +109,7 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 					// Issuer: C=US, O=Pivotal
 					// No SAN provided
 					TLS: &v1alpha1.TLSSpec{
-						CertificateAuthorityData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K",
+						CertificateAuthorityData: caBundleString,
 					},
 				}, v1alpha1.JWTAuthenticatorPhaseError)
 
@@ -115,7 +117,7 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 					ctx, t,
 					jwtAuthenticator.Name,
 					replaceSomeConditions(
-						allSuccessfulJWTAuthenticatorConditions(),
+						allSuccessfulJWTAuthenticatorConditions(len(caBundleString) != 0),
 						[]metav1.Condition{
 							{
 								Type:    "Ready",
@@ -155,12 +157,13 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 		{
 			name: "invalid with bad issuer will result in a jwt authenticator that is not ready",
 			run: func(t *testing.T) {
+				caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
 				fakeIssuerURL := "https://127.0.0.1:443/some-fake-issuer"
 				jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
 					Issuer:   fakeIssuerURL,
 					Audience: "some-fake-audience",
 					TLS: &v1alpha1.TLSSpec{
-						CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+						CertificateAuthorityData: caBundleString,
 					},
 				}, v1alpha1.JWTAuthenticatorPhaseError)
 
@@ -168,7 +171,7 @@ func TestConciergeJWTAuthenticatorStatus_Disruptive(t *testing.T) {
 					ctx, t,
 					jwtAuthenticator.Name,
 					replaceSomeConditions(
-						allSuccessfulJWTAuthenticatorConditions(),
+						allSuccessfulJWTAuthenticatorConditions(len(caBundleString) != 0),
 						[]metav1.Condition{
 							{
 								Type:    "Ready",
@@ -347,12 +350,15 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 			} else {
 				require.NoError(t, createErr)
 			}
-
 		})
 	}
 }
 
-func allSuccessfulJWTAuthenticatorConditions() []metav1.Condition {
+func allSuccessfulJWTAuthenticatorConditions(caBundleExists bool) []metav1.Condition {
+	tlsConfigValidMsg := "no CA bundle specified"
+	if caBundleExists {
+		tlsConfigValidMsg = "successfully parsed specified CA bundle"
+	}
 	return []metav1.Condition{{
 		Type:    "AuthenticatorValid",
 		Status:  "True",
@@ -387,6 +393,6 @@ func allSuccessfulJWTAuthenticatorConditions() []metav1.Condition {
 		Type:    "TLSConfigurationValid",
 		Status:  "True",
 		Reason:  "Success",
-		Message: "successfully parsed specified CA bundle",
+		Message: tlsConfigValidMsg,
 	}}
 }

test/integration/kube_api_discovery_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration