diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
index 4b13a500b..8759f8437 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -1163,7 +1163,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/#do-not-include-fragment",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 },
 },
@@ -1176,7 +1176,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/#do-not-include-fragment",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 Status: auth1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
@@ -1210,7 +1210,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/?query-params=not-allowed",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 },
 },
@@ -1223,7 +1223,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/?query-params=not-allowed",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 Status: auth1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
@@ -1257,7 +1257,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/.well-known/openid-configuration",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 },
 },
@@ -1270,7 +1270,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://www.example.com/foo/bar/.well-known/openid-configuration",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 Status: auth1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
@@ -1345,7 +1345,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer + "/path/to/not/found",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 },
 },
@@ -1358,7 +1358,7 @@ func TestController(t *testing.T) {
 Spec: auth1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer + "/path/to/not/found",
 Audience: goodAudience,
- TLS: conciergetestutil.TlsSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
+ TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 },
 Status: auth1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
index a8ffc4c67..bd1558a93 100644
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -99,7 +99,6 @@ func TestController(t *testing.T) {
 }), func(thisServer *httptest.Server) {
 thisTLSConfig := ptls.Default(nil)
 thisTLSConfig.Certificates = []tls.Certificate{
- // public and private key pair, but server will only use private for serving
 *hostAsLocalhostServingCert,
 }
 thisServer.TLS = thisTLSConfig
@@ -219,6 +218,7 @@ func TestController(t *testing.T) {
 Message: "the WebhookAuthenticator is not ready: see other conditions for details",
 }
 }
+
 happyAuthenticatorValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 return metav1.Condition{
 Type: "AuthenticatorValid",
@@ -1038,8 +1038,6 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 },
 }, conditions)
 require.Nil(t, res)
- // TODO: should this trigger the sync loop again with an error, or should this have been only
- // status and log, indicating user must correct?
 require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
 })
 
@@ -1079,8 +1077,6 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 })
 
 t.Run("success, webhook authenticator created", func(t *testing.T) {
- // TODO(BEN): when enhancing webhook authenticator integration test, can prob
- // steal this and create a super simpler server
 caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
 body, err := io.ReadAll(r.Body)
 require.NoError(t, err)
diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go
index 394424da2..0da362f66 100644
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -43,7 +43,7 @@ func TestCLIGetKubeconfigStaticToken_Parallel(t *testing.T) {
 ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 defer cancelFunc()
 
- authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+ authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Build pinniped CLI.
 pinnipedExe := testlib.PinnipedCLIPath(t)
diff --git a/test/integration/concierge_api_serving_certs_test.go b/test/integration/concierge_api_serving_certs_test.go
index 839a31719..d5350c056 100644
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -84,7 +84,7 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {
 
 // Create a testWebhook so we have a legitimate authenticator to pass to the
 // TokenCredentialRequest API.
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Get the initial auto-generated version of the Secret.
 secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
diff --git a/test/integration/concierge_client_test.go b/test/integration/concierge_client_test.go
index 824d50068..6a7ffae76 100644
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
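Review bot: The new argument `&testlib.IntegrationEnv(t).TestWebhook` in the serving-certs hunk re-resolves the integration environment although `env` is already in scope in this function (it is read as `env.ConciergeNamespace` two lines below), so `&env.TestWebhook` would be the consistent spelling and avoids a second lookup. Taking the address of a field of the shared `env` value is only safe because the helper copies it (`Spec: *webhookSpec` in testlib/client.go, changed in this same diff); a short comment such as `// the helper copies the spec, so the shared env is not mutated` would make that assumption visible to the next person who reaches for it. The enclosing function begins before this hunk.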
@@ -59,7 +59,7 @@ func TestClient(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 
- webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+ webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index c7625dcba..cadf16de9 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -62,12 +62,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 {
 name: "webhook",
 authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
- authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
- return corev1.TypedLocalObjectReference{
- APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
- Kind: "WebhookAuthenticator",
- Name: authenticator.Name,
- }
+ return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
 },
 token: func(t *testing.T) (string, string, []string) {
 return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
@@ -155,7 +150,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 // TokenCredentialRequest API.
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
 
 response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
@@ -176,7 +171,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 // TokenCredentialRequest API.
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
 
 response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index d8263881a..38ebb23ce 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -121,7 +121,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
 credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
 Token: env.TestUser.Token,
- Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady),
+ Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),
 }
 
 // The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
diff --git a/test/integration/concierge_webhookauthenticator_status_test.go b/test/integration/concierge_webhookauthenticator_status_test.go
index 29935a0e7..70a139e98 100644
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -31,7 +31,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 webhookAuthenticator := testlib.CreateTestWebhookAuthenticator(
 ctx,
 t,
- nil,
+ &testlib.IntegrationEnv(t).TestWebhook,
 v1alpha1.WebhookAuthenticatorPhaseReady)
 
 testlib.WaitForWebhookAuthenticatorStatusConditions(
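Review bot: In the impersonation-proxy hunk `env` is already in scope (`Token: env.TestUser.Token` is the previous field of the same struct literal), so `Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &env.TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),` would read consistently with its neighbour instead of calling `testlib.IntegrationEnv(t)` a second time inside the literal. The pointer is safe to hand out only because the helper copies the spec before sending it to the API server (`Spec: *webhookSpec` in testlib/client.go, in this diff), which is worth a one-line comment since this function is shared by many subtests. The enclosing function starts before this hunk.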
@@ -232,6 +232,18 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 },
 {
 name: "valid authenticator can have empty TLS CertificateAuthorityData",
+ webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
+ Spec: v1alpha1.WebhookAuthenticatorSpec{
+ Endpoint: "https://localhost/webhook-isnt-actually-here",
+ TLS: &v1alpha1.TLSSpec{
+ CertificateAuthorityData: "",
+ },
+ },
+ },
+ }, {
+ // since the CRD validations do not assess fitness of the value provided
+ name: "valid authenticator can have TLS CertificateAuthorityData string that is an invalid certificate",
 webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
 ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
 Spec: v1alpha1.WebhookAuthenticatorSpec{
diff --git a/test/testlib/client.go b/test/testlib/client.go
index ed06346bf..9be61147a 100644
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -177,7 +177,6 @@ func CreateTestWebhookAuthenticator(
 webhookSpec *auth1alpha1.WebhookAuthenticatorSpec,
 expectedStatus auth1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
 t.Helper()
- testEnv := IntegrationEnv(t)
 client := NewConciergeClientset(t)
 webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators()
 
@@ -185,10 +184,6 @@ func CreateTestWebhookAuthenticator(
 createContext, cancel := context.WithTimeout(ctx, time.Minute)
 defer cancel()
 
- if webhookSpec == nil {
- webhookSpec = &testEnv.TestWebhook
- }
-
 webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
 ObjectMeta: testObjectMeta(t, "webhook"),
 Spec: *webhookSpec,
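Review bot: The new test case in the CRD-validations table names a WebhookAuthenticator object with `testlib.ObjectMetaWithRandomName(t, "jwtauthenticator")`, which looks copied from the JWTAuthenticator tests; `testlib.ObjectMetaWithRandomName(t, "webhookauthenticator")` keeps leftover objects attributable to the right test when a parallel run fails mid-way. The added comment `// since the CRD validations do not assess fitness of the value provided` should say where fitness is checked so nobody reads "valid authenticator" as "usable authenticator": e.g. `// CRD validation only checks the field's shape; an unparseable CA bundle is expected to be rejected by the controller at sync time, not by the API server` (the webhookcachefiller unit test in this same diff asserts `invalid TLS configuration: illegal base64 data at input byte 7`, which appears to be that check). The `}, {` written on one added line also differs from the ` },` / ` {` split used for the neighbouring cases in the same table. The remaining body of the second case, and the table itself, continue outside the hunk.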
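Review bot: With the nil fallback removed from CreateTestWebhookAuthenticator, `Spec: *webhookSpec` now dereferences a nil pointer and panics inside the helper for any caller that still passes nil, giving a runtime stack trace instead of a failure that names the mistake. Since `t.Helper()` is already in effect, a guard just before the Create call keeps the blame on the caller: `if webhookSpec == nil { t.Fatal("CreateTestWebhookAuthenticator: webhookSpec must not be nil; pass &IntegrationEnv(t).TestWebhook for the default") }`. Every caller in this diff was updated, but the helper is exported from testlib, so callers outside these files may exist. The function signature starts before this hunk; its doc comment would be the place to state the new non-nil contract, e.g. `// webhookSpec must be non-nil; the spec is copied, so the caller's value is not mutated.`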