Integration tests should expect that the Supervisor hostname might be an IP address

test/testlib/browsertest/browsertest.go

@@ -365,8 +365,8 @@ func LoginToUpstreamOIDC(t *testing.T, b *Browser, upstream testlib.TestOIDCUpst
 		},
 		{
 			Name:                "Dex",
-			IssuerPattern:       regexp.MustCompile(`\Ahttps://dex\.tools\.svc\.cluster\.local/dex.*\z`),
-			LoginPagePattern:    regexp.MustCompile(`\Ahttps://dex\.tools\.svc\.cluster\.local/dex/auth/local.+\z`),
+			IssuerPattern:       regexp.MustCompile(`\Ahttps://.*/dex.*\z`),
+			LoginPagePattern:    regexp.MustCompile(`\Ahttps://.*/dex/auth/local.+\z`),
 			UsernameSelector:    "input#login",
 			PasswordSelector:    "input#password",
 			LoginButtonSelector: "button#submit-login",
@@ -378,7 +378,7 @@ func LoginToUpstreamOIDC(t *testing.T, b *Browser, upstream testlib.TestOIDCUpst
 		}
 	}
 	if cfg == nil {
-		require.Failf(t, "could not find login provider for issuer %q", upstream.Issuer)
+		require.Failf(t, "failure message goes here", "could not find login provider for issuer %q", upstream.Issuer)
 		return
 	}
 

test/testlib/env.go

@@ -5,17 +5,20 @@ package testlib
 
 import (
 	"encoding/base64"
+	"net"
 	"net/url"
 	"os"
 	"sort"
 	"strings"
 	"sync"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/yaml"
 
 	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+	"go.pinniped.dev/internal/certauthority"
 )
 
 type Capability string
@@ -84,18 +87,73 @@ type TestOIDCUpstream struct {
 	ExpectedGroups   []string `json:"expectedGroups"`
 }
 
-// InferSupervisorIssuerURL infers the downstream issuer URL from the callback associated with the upstream test client registration.
-func (e *TestEnv) InferSupervisorIssuerURL(t *testing.T) (*url.URL, string) {
+type SupervisorIssuer struct {
+	issuerURL *url.URL
+}
+
+func NewSupervisorIssuer(t *testing.T, issuer string) SupervisorIssuer {
 	t.Helper()
-	issuerURL, err := url.Parse(e.SupervisorUpstreamOIDC.CallbackURL)
+
+	t.Logf("NewSupervisorIssuer: %s", issuer)
+
+	issuerURL, err := url.Parse(issuer)
 	require.NoError(t, err)
-	require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
-	issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
 
-	issuerAsString := issuerURL.String()
-	t.Logf("testing with downstream issuer URL %s", issuerAsString)
+	return SupervisorIssuer{
+		issuerURL: issuerURL,
+	}
+}
 
-	return issuerURL, issuerAsString
+func (s SupervisorIssuer) Issuer() string {
+	return s.issuerURL.String()
+}
+
+func (s SupervisorIssuer) Hostnames() []string {
+	// TODO: Why does this happen?
+	if s.issuerURL.Hostname() == "" {
+		return []string{"localhost"}
+	}
+	return []string{s.issuerURL.Hostname()}
+}
+
+func (s SupervisorIssuer) IPs() []net.IP {
+	var ips []net.IP
+	if ip := net.ParseIP(s.issuerURL.Hostname()); ip != nil {
+		ips = append(ips, ip)
+	}
+	return ips
+}
+
+func (s SupervisorIssuer) IssuerServerCert(
+	t *testing.T,
+	ca *certauthority.CA,
+) ([]byte, []byte) {
+	t.Helper()
+
+	t.Logf("issuing server cert for Supervisor: hostname=%+v, ips=%+v",
+		s.Hostnames(), s.IPs())
+
+	cert, err := ca.IssueServerCert(s.Hostnames(), s.IPs(), 24*time.Hour)
+	require.NoError(t, err)
+	certPEM, keyPEM, err := certauthority.ToPEM(cert)
+	require.NoError(t, err)
+	return certPEM, keyPEM
+}
+
+func (s SupervisorIssuer) IsIPAddress() bool {
+	return len(s.IPs()) > 0
+}
+
+// InferSupervisorIssuerURL infers the downstream issuer URL from the callback associated with the upstream test client registration.
+func (e *TestEnv) InferSupervisorIssuerURL(t *testing.T) SupervisorIssuer {
+	t.Helper()
+	supervisorIssuer := NewSupervisorIssuer(t, e.SupervisorUpstreamOIDC.CallbackURL)
+	require.True(t, strings.HasSuffix(supervisorIssuer.issuerURL.Path, "/callback"))
+	supervisorIssuer.issuerURL.Path = strings.TrimSuffix(supervisorIssuer.issuerURL.Path, "/callback")
+
+	t.Logf("InferSupervisorIssuerURL(): testing with downstream issuer URL %s", supervisorIssuer.Issuer())
+
+	return supervisorIssuer
 }
 
 func (e *TestEnv) DefaultTLSCertSecretName() string {