From 3891f90f43f9446f0d5102a1a72cdc1c6397f34c Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 29 Jul 2024 11:15:51 -0700
Subject: [PATCH] skip external CA bundle tests when CA bundle is empty

Co-authored-by: Ashish Amarnath
---
 .../concierge_jwtauthenticator_status_test.go | 16 +++---
 test/integration/e2e_test.go | 55 +++++++++----------
 test/integration/supervisor_login_test.go | 53 +++++++++++-------
 3 files changed, 68 insertions(+), 56 deletions(-)

diff --git a/test/integration/concierge_jwtauthenticator_status_test.go b/test/integration/concierge_jwtauthenticator_status_test.go
index 3c199192a..26e71f732 100644
--- a/test/integration/concierge_jwtauthenticator_status_test.go
+++ b/test/integration/concierge_jwtauthenticator_status_test.go
@@ -21,6 +21,11 @@ import (
 func TestConciergeJWTAuthenticatorWithExternalCABundleStatusIsUpdatedWhenExternalBundleIsUpdated_Parallel(t *testing.T) {
 env := testlib.IntegrationEnv(t)
+
+ if len(env.SupervisorUpstreamOIDC.CABundle) == 0 {
+ t.Skip("skipping external CA bundle test because env.SupervisorUpstreamOIDC.CABundle is empty")
+ }
+
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 t.Cleanup(cancel)
@@ -128,7 +133,7 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 },
 },
 wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseReady,
- wantConditions: allSuccessfulJWTAuthenticatorConditions(true),
+ wantConditions: allSuccessfulJWTAuthenticatorConditions(len(env.SupervisorUpstreamOIDC.CABundle) != 0),
 },
 {
 name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
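Review bot: The inline skip at the top of TestConciergeJWTAuthenticatorWithExternalCABundleStatusIsUpdatedWhenExternalBundleIsUpdated_Parallel repeats the check and message that the three `skipExternalCABundle…WhenCABundleIsEmpty` closures in supervisor_login_test.go (hunk @@ -178) also hard-code; one testlib helper taking the bundle and its env field name would keep all four in step. Because an env-driven `t.Skip` passes quietly, an environment whose CA bundle was left empty by mistake would silently stop exercising every external-CA-bundle path; consider making that loss of coverage visible, for example by logging the skipped set at suite level or requiring an explicit opt-in before skipping. Only the opening lines of the test function are in the hunk.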
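Review bot: `len(env.SupervisorUpstreamOIDC.CABundle) != 0` is evaluated inline in this case's wantConditions and again at hunk @@ -238; a named local such as `caBundleExists := len(env.SupervisorUpstreamOIDC.CABundle) != 0`, declared once where env is obtained, would say what the boolean means and mirror the parameter name of allSuccessfulJWTAuthenticatorConditions. The enclosing test-case table starts and ends outside the hunk.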
@@ -218,11 +223,6 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 Status: "False",
 Reason: "InvalidDiscoveryProbe",
 Message: `could not perform oidc discovery on provider issuer: Get "` + env.SupervisorUpstreamOIDC.Issuer + `/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority`,
- }, {
- Type: "TLSConfigurationValid",
- Status: "True",
- Reason: "Success",
- Message: "spec.tls is valid: using configured CA bundle",
 },
 },
 ),
@@ -238,7 +238,7 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 },
 wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
 wantConditions: replaceSomeConditions(
- allSuccessfulJWTAuthenticatorConditions(true),
+ allSuccessfulJWTAuthenticatorConditions(len(env.SupervisorUpstreamOIDC.CABundle) != 0),
 []metav1.Condition{
 {
 Type: "Ready",
@@ -422,7 +422,7 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 }
 func allSuccessfulJWTAuthenticatorConditions(caBundleExists bool) []metav1.Condition {
- tlsConfigValidMsg := "no CA bundle specified"
+ tlsConfigValidMsg := "spec.tls is valid: no TLS configuration provided: using default root CA bundle from container image"
 if caBundleExists {
 tlsConfigValidMsg = "spec.tls is valid: using configured CA bundle"
 }
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index bd6e7bb08..89edb8d84 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
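Review bot: With the TLSConfigurationValid override removed from this case's replaceSomeConditions list, the expected message now comes from allSuccessfulJWTAuthenticatorConditions keyed on whether env.SupervisorUpstreamOIDC.CABundle is non-empty, not on whether this case's spec.tls actually carries a CA bundle. If the case still sets a CA bundle when the env bundle is empty, the test would expect "no TLS configuration provided" while the controller reports "using configured CA bundle"; if the case's TLS spec is itself derived from the env bundle the two agree. The case's spec starts outside the hunk, so this is worth confirming against it.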
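Review bot: allSuccessfulJWTAuthenticatorConditions has no doc comment, and after this change the meaning of caBundleExists can only be inferred from the two message strings it selects between. Add `// allSuccessfulJWTAuthenticatorConditions returns the conditions expected on a Ready JWTAuthenticator; caBundleExists selects the TLSConfigurationValid message for a configured CA bundle versus the container image's default root CAs.` above the signature. The function body continues past the hunk.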
@@ -74,35 +74,35 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // Generate a CA bundle with which to serve this provider.
 t.Logf("generating test CA")
- ca, err := certauthority.New("Downstream Test CA", 1*time.Hour)
+ federationDomainSelfSignedCA, err := certauthority.New("Downstream Test CA", 1*time.Hour)
 require.NoError(t, err)
 // Save that bundle plus the one that signs the upstream issuer, for test purposes.
- testCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
- testCABundlePEM := []byte(string(ca.Bundle()) + "\n" + env.SupervisorUpstreamOIDC.CABundle)
- testCABundleBase64 := base64.StdEncoding.EncodeToString(testCABundlePEM)
- require.NoError(t, os.WriteFile(testCABundlePath, testCABundlePEM, 0600))
+ federationDomainCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
+ federationDomainCABundlePEM := federationDomainSelfSignedCA.Bundle()
+ require.NoError(t, os.WriteFile(federationDomainCABundlePath, federationDomainCABundlePEM, 0600))
 // Use the CA to issue a TLS server cert.
 t.Logf("issuing test certificate")
- tlsCert, err := ca.IssueServerCert([]string{issuerURL.Hostname()}, nil, 1*time.Hour)
+ federationDomainTLSServingCert, err := federationDomainSelfSignedCA.IssueServerCert(
+ []string{issuerURL.Hostname()}, nil, 1*time.Hour)
 require.NoError(t, err)
- certPEM, keyPEM, err := certauthority.ToPEM(tlsCert)
+ federationDomainTLSServingCertPEM, federationDomainTLSServingCertKeyPEM, err := certauthority.ToPEM(federationDomainTLSServingCert)
 require.NoError(t, err)
 // Write the serving cert to a secret.
- certSecret := testlib.CreateTestSecret(t,
+ federationDomainTLSServingCertSecret := testlib.CreateTestSecret(t,
 env.SupervisorNamespace, "oidc-provider-tls", corev1.SecretTypeTLS,
- map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
+ map[string]string{"tls.crt": string(federationDomainTLSServingCertPEM), "tls.key": string(federationDomainTLSServingCertKeyPEM)},
 )
 // Create the downstream FederationDomain and expect it to go into the success status condition.
 federationDomain := testlib.CreateTestFederationDomain(topSetupCtx, t, supervisorconfigv1alpha1.FederationDomainSpec{
 Issuer: issuerURL.String(),
- TLS: &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: certSecret.Name},
+ TLS: &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: federationDomainTLSServingCertSecret.Name},
 },
 supervisorconfigv1alpha1.FederationDomainPhaseError, // in phase error until there is an IDP created
 )
@@ -113,7 +113,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 defaultJWTAuthenticatorSpec := authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: federationDomain.Spec.Issuer,
 Audience: clusterAudience,
- TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
+ TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString(federationDomainCABundlePEM)},
 }
 // Add an OIDC upstream IDP and try using it to authenticate during kubectl commands.
@@ -172,7 +172,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
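Review bot: The context comment `// Save that bundle plus the one that signs the upstream issuer, for test purposes.` is now stale: federationDomainCABundlePEM is only federationDomainSelfSignedCA.Bundle(), and env.SupervisorUpstreamOIDC.CABundle is no longer appended. Replace it with something like `// Save the FederationDomain's CA to a file so the CLI can be given it via --oidc-ca-bundle; the same PEM is also used as the JWTAuthenticator's CA bundle.` (the flag use is visible at hunk @@ -172 and the authenticator use at hunk @@ -113). Narrowing what the CLI and the JWTAuthenticator trust to the Supervisor's own CA is the right scope, and a short note on why the upstream CA was dropped would stop someone re-adding it. The function continues well past the hunk.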
@@ -231,7 +231,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // in this test, use a secret of type TLS to source ca bundle for the JWT authenticator
 caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeTLS,
 map[string]string{
- "ca.crt": string(testCABundlePEM),
+ "ca.crt": string(federationDomainCABundlePEM),
 "tls.crt": "",
 "tls.key": "",
 })
@@ -243,6 +243,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 Key: "ca.crt",
 }
 authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
+ // Create upstream OIDC provider and wait for it to become ready.
 createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
@@ -273,7 +274,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 "--oidc-scopes", "offline_access,openid,pinniped:request-audience", // does not request username or groups
@@ -334,9 +335,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // in this test, use a secret of type opaque to source ca bundle for the JWT authenticator
 caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeOpaque,
 map[string]string{
- "ca.crt": string(testCABundlePEM),
+ "ca.crt": string(federationDomainCABundlePEM),
 })
- t.Logf("created secret %s/%s", caSecret.Namespace, caSecret.Name)
 jwtAuthnSpec := defaultJWTAuthenticatorSpec.DeepCopy()
 jwtAuthnSpec.TLS.CertificateAuthorityData = ""
 jwtAuthnSpec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CABundleSource{
@@ -344,9 +344,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 Name: caSecret.Name,
 Key: "ca.crt",
 }
- authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
- t.Logf("authenticator: %s/%s; concierge ns: %s", authenticator.Namespace, authenticator.Name, env.ConciergeNamespace)
+ // Create upstream OIDC provider and wait for it to become ready.
 createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
@@ -378,7 +377,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
 "--oidc-skip-listen",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
@@ -474,7 +473,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // in this test, use a configmap to source ca bundle for the JWT authenticator
 caConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-cert",
 map[string]string{
- "ca.crt": string(testCABundlePEM),
+ "ca.crt": string(federationDomainCABundlePEM),
 })
 jwtAuthnSpec := defaultJWTAuthenticatorSpec.DeepCopy()
 jwtAuthnSpec.TLS.CertificateAuthorityData = ""
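Review bot: As rendered, the opaque-Secret subtest at @@ -344 removes its `authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)` line together with the t.Logf, yet `authenticator.Name` is still passed to the kubeconfig flags at hunk @@ -378, and the sibling subtests at @@ -243 and @@ -483 keep their creation call. Unless the authenticator is created elsewhere in this subtest, outside the hunk, the subtest appears to lose that binding; if the intent was only to drop the log line, keep the creation as @@ -483 does. The subtest starts and ends outside the hunk.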
@@ -483,8 +482,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 Name: caConfigMap.Name,
 Key: "ca.crt",
 }
+ authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
- authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, defaultJWTAuthenticatorSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
 // Create upstream OIDC provider and wait for it to become ready.
 createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
@@ -516,7 +515,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
 "--oidc-skip-listen",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
@@ -649,7 +648,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--oidc-skip-browser",
 "--oidc-skip-listen",
 "--upstream-identity-provider-flow", "cli_password", // create a kubeconfig configured to use the cli_password flow
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
@@ -729,7 +728,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--upstream-identity-provider-name", oidcIdentityProvider.Name,
 "--upstream-identity-provider-type", "oidc",
 "--upstream-identity-provider-flow", "cli_password",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
@@ -1116,7 +1115,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--upstream-identity-provider-flow", "browser_authcode",
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
@@ -1172,7 +1171,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--upstream-identity-provider-flow", "browser_authcode",
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
@@ -1228,7 +1227,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--upstream-identity-provider-flow", "cli_password", // put cli_password in the kubeconfig, so we can override it with the env var
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
@@ -1317,7 +1316,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 "--concierge-authenticator-type", "jwt",
 "--concierge-authenticator-name", authenticator.Name,
 "--oidc-skip-browser",
- "--oidc-ca-bundle", testCABundlePath,
+ "--oidc-ca-bundle", federationDomainCABundlePath,
 "--oidc-session-cache", sessionCachePath,
 "--credential-cache", credentialCachePath,
 // use default for --oidc-scopes, which is to request all relevant scopes
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 98442418f..d6482e36c 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -178,6 +178,29 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 testlib.SkipTestWhenActiveDirectoryIsUnavailable(t, env)
 }
+ skipExternalCABundleOIDCTestsWhenCABundleIsEmpty := func(t *testing.T) {
+ t.Helper()
+ if len(env.SupervisorUpstreamOIDC.CABundle) == 0 {
+ t.Skip("skipping external CA bundle test because env.SupervisorUpstreamOIDC.CABundle is empty")
+ }
+ }
+
+ skipExternalCABundleLDAPTestsWhenCABundleIsEmpty := func(t *testing.T) {
+ t.Helper()
+ skipLDAPTests(t)
+ if len(env.SupervisorUpstreamLDAP.CABundle) == 0 {
+ t.Skip("skipping external CA bundle test because env.SupervisorUpstreamLDAP.CABundle is empty")
+ }
+ }
+
+ skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty := func(t *testing.T) {
+ t.Helper()
+ skipActiveDirectoryTests(t)
+ if len(env.SupervisorUpstreamActiveDirectory.CABundle) == 0 {
+ t.Skip("skipping external CA bundle test because env.SupervisorUpstreamActiveDirectory.CABundle is empty")
+ }
+ }
+
 basicOIDCIdentityProviderSpec := func() idpv1alpha1.OIDCIdentityProviderSpec {
 return idpv1alpha1.OIDCIdentityProviderSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
@@ -340,7 +363,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "oidc IDP using secrets of type opaque to source ca bundle with default username and groups claim settings",
- maybeSkip: skipNever,
+ maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idpSpec := basicOIDCIdentityProviderSpec()
 caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
@@ -355,7 +378,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 Name: caSecret.Name,
 Key: "ca.crt",
 }
-
 return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
 },
 requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
@@ -369,7 +391,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "oidc IDP using secrets of type TLS to source ca bundle with default username and groups claim settings",
- maybeSkip: skipNever,
+ maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idpSpec := basicOIDCIdentityProviderSpec()
 caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
@@ -386,7 +408,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 Name: caSecret.Name,
 Key: "ca.crt",
 }
-
 return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
 },
 requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
@@ -400,7 +421,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "oidc IDP using configmaps to source ca bundle with default username and groups claim settings",
- maybeSkip: skipNever,
+ maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idpSpec := basicOIDCIdentityProviderSpec()
 caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
@@ -414,7 +435,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 Name: caConfigMap.Name,
 Key: "ca.crt",
 }
-
 return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
 },
 requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
@@ -429,7 +449,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 {
 name: "oidc IDP using secrets of type opaque to source ca bundle with default username and groups claim settings",
- maybeSkip: skipNever,
+ maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idpSpec := basicOIDCIdentityProviderSpec()
 caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
@@ -444,7 +464,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 Name: caSecret.Name,
 Key: "ca.crt",
 }
-
 return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
 },
 requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
@@ -655,14 +674,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "ldap IDP using secrets of type opaque to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
- maybeSkip: skipLDAPTests,
+ maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
 caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeOpaque,
 map[string]string{
 "ca.crt": env.SupervisorUpstreamLDAP.CABundle,
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "Secret",
@@ -705,7 +723,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "ldap IDP using secrets of type TLS to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
- maybeSkip: skipLDAPTests,
+ maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
 caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeTLS,
@@ -714,7 +732,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 "tls.crt": "",
 "tls.key": "",
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "Secret",
@@ -757,14 +774,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "ldap IDP using configmaps to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
- maybeSkip: skipLDAPTests,
+ maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
 caConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-cert",
 map[string]string{
 "ca.crt": env.SupervisorUpstreamLDAP.CABundle,
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "ConfigMap",
@@ -1242,14 +1258,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "active directory IDP using secret of type opaque to source ca bundle with all default options",
- maybeSkip: skipActiveDirectoryTests,
+ maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
 caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeOpaque,
 map[string]string{
 "ca.crt": env.SupervisorUpstreamActiveDirectory.CABundle,
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "Secret",
@@ -1283,7 +1298,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "active directory IDP using secret of type TLS to source ca bundle with all default options",
- maybeSkip: skipActiveDirectoryTests,
+ maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
 caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeTLS,
@@ -1292,7 +1307,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 "tls.crt": "",
 "tls.key": "",
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "Secret",
@@ -1326,14 +1340,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 },
 {
 name: "active directory IDP using configmaps to source ca bundle with all default options",
- maybeSkip: skipActiveDirectoryTests,
+ maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
 createIDP: func(t *testing.T) string {
 idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
 caConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-cert",
 map[string]string{
 "ca.crt": env.SupervisorUpstreamActiveDirectory.CABundle,
 })
-
 spec.TLS.CertificateAuthorityData = ""
 spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
 Kind: "Secret",
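Review bot: In the "active directory IDP using configmaps to source ca bundle with all default options" case the CABundleSource still reads `Kind: "Secret",` even though the CA is written to caConfigMap via testlib.CreateTestConfigMap; the parallel LDAP configmap case at hunk @@ -757 uses `Kind: "ConfigMap",`. If the Name field, which lies outside the hunk, is caConfigMap.Name, this case exercises the Secret lookup rather than the ConfigMap source its name claims, and the line should be `Kind: "ConfigMap",`. The commit only swaps maybeSkip here, and the createIDP closure continues past the hunk.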