test fixes for when Kind cluster VM has no public IP in CI

test/integration/concierge_credentialissuer_test.go

@@ -66,13 +66,22 @@ func TestCredentialIssuer(t *testing.T) {
 		require.NotNil(t, actualStatusStrategy)
 
 		if env.HasCapability(testlib.ClusterSigningKeyIsAvailable) {
+			kubernetesAPIServerURLFromKubeconfig := config.Host
+			expectedServer := kubernetesAPIServerURLFromKubeconfig
+			if actualStatusStrategy.Frontend.TokenCredentialRequestAPIInfo.Server == "https://kind-control-plane:6443" {
+				// When our Kind clusters running in CI are on a VM with only an internal IP address,
+				// then the Kind cluster will not know its own hostname and will instead advertise kind-control-plane.
+				// This is okay, so adjust our expectation in this case.
+				expectedServer = "https://kind-control-plane:6443"
+			}
+
 			require.Equal(t, conciergeconfigv1alpha1.SuccessStrategyStatus, actualStatusStrategy.Status)
 			require.Equal(t, conciergeconfigv1alpha1.FetchedKeyStrategyReason, actualStatusStrategy.Reason)
 			require.Equal(t, "key was fetched successfully", actualStatusStrategy.Message)
 			require.NotNil(t, actualStatusStrategy.Frontend)
 			require.Equal(t, conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, actualStatusStrategy.Frontend.Type)
 			expectedTokenRequestAPIInfo := conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
-				Server:                   config.Host,
+				Server:                   expectedServer,
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString(config.CAData),
 			}
 			require.Equal(t, &expectedTokenRequestAPIInfo, actualStatusStrategy.Frontend.TokenCredentialRequestAPIInfo)

test/testlib/env.go

@@ -1,10 +1,12 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testlib
 
 import (
 	"encoding/base64"
+	"fmt"
+	"net/url"
 	"os"
 	"sort"
 	"strings"
@@ -145,10 +147,27 @@ type TestGithubUpstream struct {
 
 // ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.
 func (e *TestEnv) ProxyEnv() []string {
+	e.t.Helper()
+
 	if e.Proxy == "" {
 		return nil
 	}
-	return []string{"http_proxy=" + e.Proxy, "https_proxy=" + e.Proxy, "no_proxy=127.0.0.1"}
+
+	// We should never need to use the proxy to access the Kube API server from the kubeconfig.
+	// When the cluster is a Kind cluster running in CI, and if the VM has no external IP, then
+	// the squid proxy running inside the cluster will not able to reach the IP of the VM at all
+	// due to limitations of Docker networking, so in that case we must ensure that we are not
+	// trying to use the proxy to reach the Kubernetes API server from the outside. Therefore,
+	// always add the Kube API server's address or hostname to the no_proxy list.
+	kubeClientConfig := NewClientConfig(e.t)
+	parsedKubeAPIServerURL, err := url.Parse(kubeClientConfig.Host)
+	require.NoError(e.t, err)
+
+	return []string{
+		"http_proxy=" + e.Proxy,
+		"https_proxy=" + e.Proxy,
+		fmt.Sprintf("no_proxy=127.0.0.1,%s", parsedKubeAPIServerURL.Host),
+	}
 }
 
 // memoizedTestEnvsByTest maps *testing.T pointers to *TestEnv. It exists so that we don't do all the