Always pass spec to CreateTestWebhookAuthenticator

2026-01-07 05:57:02 +00:00 · 2024-03-18 16:14:42 -04:00
parent a45a537cdb
commit 097e6d5340
9 changed files with 29 additions and 31 deletions
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -43,7 +43,7 @@ func TestCLIGetKubeconfigStaticToken_Parallel(t *testing.T) {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancelFunc()

-	authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+	authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)

 	// Build pinniped CLI.
 	pinnipedExe := testlib.PinnipedCLIPath(t)
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -84,7 +84,7 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {

 			// Create a testWebhook so we have a legitimate authenticator to pass to the
 			// TokenCredentialRequest API.
-			testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+			testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)

 			// Get the initial auto-generated version of the Secret.
 			secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@@ -59,7 +59,7 @@ func TestClient(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()

-	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady)
+	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)

 	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 	invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -62,12 +62,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 		{
 			name: "webhook",
 			authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
-				authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
-				return corev1.TypedLocalObjectReference{
-					APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
-					Kind:     "WebhookAuthenticator",
-					Name:     authenticator.Name,
-				}
+				return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
 			},
 			token: func(t *testing.T) (string, string, []string) {
 				return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
@@ -155,7 +150,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)

 	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
@@ -176,7 +171,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 	// TokenCredentialRequest API.
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, nil, auth1alpha1.WebhookAuthenticatorPhaseReady)
+	testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)

 	response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 		loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -121,7 +121,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 	// Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
 	credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
 		Token:         env.TestUser.Token,
-		Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, nil, v1alpha1.WebhookAuthenticatorPhaseReady),
+		Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),
 	}

 	// The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -31,7 +31,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 				webhookAuthenticator := testlib.CreateTestWebhookAuthenticator(
 					ctx,
 					t,
-					nil,
+					&testlib.IntegrationEnv(t).TestWebhook,
 					v1alpha1.WebhookAuthenticatorPhaseReady)

 				testlib.WaitForWebhookAuthenticatorStatusConditions(
@@ -232,6 +232,18 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
 		},
 		{
 			name: "valid authenticator can have empty TLS CertificateAuthorityData",
+			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
+				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
+				Spec: v1alpha1.WebhookAuthenticatorSpec{
+					Endpoint: "https://localhost/webhook-isnt-actually-here",
+					TLS: &v1alpha1.TLSSpec{
+						CertificateAuthorityData: "",
+					},
+				},
+			},
+		}, {
+			// since the CRD validations do not assess fitness of the value provided
+			name: "valid authenticator can have TLS CertificateAuthorityData string that is an invalid certificate",
 			webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
 				ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
 				Spec: v1alpha1.WebhookAuthenticatorSpec{
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -177,7 +177,6 @@ func CreateTestWebhookAuthenticator(
 	webhookSpec *auth1alpha1.WebhookAuthenticatorSpec,
 	expectedStatus auth1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
 	t.Helper()
-	testEnv := IntegrationEnv(t)

 	client := NewConciergeClientset(t)
 	webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators()
@@ -185,10 +184,6 @@ func CreateTestWebhookAuthenticator(
 	createContext, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()

-	if webhookSpec == nil {
-		webhookSpec = &testEnv.TestWebhook
-	}
-
 	webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
 		ObjectMeta: testObjectMeta(t, "webhook"),
 		Spec:       *webhookSpec,