Add integration tests for tls spec validation in JWTAuthenticator and WebhookAuthenticator
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
This commit is contained in:
committed by
Ryan Richard
parent
2181418cc5
commit
c3405095b2
@@ -164,6 +164,10 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
|
||||
unusedLocalhostPort := findRecentlyUnusedLocalhostPorts(t, 1)[0]
|
||||
|
||||
badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-bundle", map[string]string{
|
||||
"ca.crt": "This is not a real CA bundle",
|
||||
})
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
spec authenticationv1alpha1.JWTAuthenticatorSpec
|
||||
@@ -322,6 +326,297 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls supplies both certificateAuthorityData and certificateAuthorityDataSource",
|
||||
spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: "pretend-this-is-a-certificate",
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: "does-not-matter",
|
||||
Key: "also-does-not-matter",
|
||||
},
|
||||
},
|
||||
},
|
||||
wantConditions: []metav1.Condition{
|
||||
{
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "DiscoveryURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "IssuerURLValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "issuer is a valid URL",
|
||||
}, {
|
||||
Type: "JWKSFetchValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "JWKSURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the JWTAuthenticator is not ready: see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist",
|
||||
spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: "does-not-exist",
|
||||
Key: "does-not-matter",
|
||||
},
|
||||
},
|
||||
},
|
||||
wantConditions: []metav1.Condition{
|
||||
{
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "DiscoveryURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "IssuerURLValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "issuer is a valid URL",
|
||||
}, {
|
||||
Type: "JWKSFetchValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "JWKSURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the JWTAuthenticator is not ready: see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"concierge/does-not-exist\": configmap \"does-not-exist\" not found",
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist",
|
||||
spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "Secret",
|
||||
Name: "does-not-exist",
|
||||
Key: "does-not-matter",
|
||||
},
|
||||
},
|
||||
},
|
||||
wantConditions: []metav1.Condition{
|
||||
{
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "DiscoveryURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "IssuerURLValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "issuer is a valid URL",
|
||||
}, {
|
||||
Type: "JWKSFetchValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "JWKSURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the JWTAuthenticator is not ready: see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"concierge/does-not-exist\": secret \"does-not-exist\" not found",
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes",
|
||||
spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: badCABundleConfigMap.Name,
|
||||
Key: "ca.crt",
|
||||
},
|
||||
},
|
||||
},
|
||||
wantConditions: []metav1.Condition{
|
||||
{
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "DiscoveryURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "IssuerURLValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "issuer is a valid URL",
|
||||
}, {
|
||||
Type: "JWKSFetchValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "JWKSURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the JWTAuthenticator is not ready: see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"ca.crt\" with 28 bytes of data in configmap \"concierge/%s\" is not a PEM-encoded certificate (PEM certificates must begin with \"-----BEGIN CERTIFICATE-----\")", badCABundleConfigMap.Name),
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist",
|
||||
spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: badCABundleConfigMap.Name,
|
||||
Key: "key-not-present",
|
||||
},
|
||||
},
|
||||
},
|
||||
wantConditions: []metav1.Condition{
|
||||
{
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "DiscoveryURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "IssuerURLValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "issuer is a valid URL",
|
||||
}, {
|
||||
Type: "JWKSFetchValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "JWKSURLValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the JWTAuthenticator is not ready: see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"concierge/%s\"", badCABundleConfigMap.Name),
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
|
||||
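Review bot: The expected TLSConfigurationValid messages for the missing-ConfigMap, missing-Secret, bad-PEM and missing-key cases hardcode the namespace as `concierge/…`, while the bad-bundle ConfigMap these cases read from is created in `env.ConciergeNamespace` in the earlier hunk, so the assertions break as soon as the integration environment deploys the Concierge under another namespace; the same literals appear in the WebhookAuthenticator hunk below. Deriving the prefix from the env, e.g. `fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"%s/does-not-exist\": configmap \"does-not-exist\" not found", env.ConciergeNamespace)`, keeps the expectation tied to where the object actually lives. The `28 bytes of data` in the non-PEM message is likewise the length of the literal `"This is not a real CA bundle"` passed to CreateTestConfigMap; hoisting that value into a variable and formatting with `len(badCABundleData)` stops the two from drifting apart. The Secret-backed coverage stops at the not-found case; if the controller resolves Secret data through the same path as ConfigMaps, the bad-PEM and missing-key cases should be mirrored with `Kind: "Secret"`. TestConciergeJWTAuthenticatorStatus_Parallel continues past the end of the hunk.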
@@ -155,6 +155,10 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
|
||||
caBundleSomePivotalCA := "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"
|
||||
|
||||
badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-bundle", map[string]string{
|
||||
"ca.crt": "This is not a real CA bundle",
|
||||
})
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
spec func() *authenticationv1alpha1.WebhookAuthenticatorSpec
|
||||
@@ -273,6 +277,222 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls supplies both certificateAuthorityData and certificateAuthorityDataSource",
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := env.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleSomePivotalCA,
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: "does-not-matter",
|
||||
Key: "also-does-not-matter",
|
||||
},
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the WebhookAuthenticator is not ready: see other conditions for details",
|
||||
}, {
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "WebhookConnectionValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
|
||||
},
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist",
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := env.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: "does-not-exist",
|
||||
Key: "does-not-matter",
|
||||
},
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the WebhookAuthenticator is not ready: see other conditions for details",
|
||||
}, {
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "WebhookConnectionValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"concierge/does-not-exist\": configmap \"does-not-exist\" not found",
|
||||
},
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist",
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := env.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "Secret",
|
||||
Name: "does-not-exist",
|
||||
Key: "does-not-matter",
|
||||
},
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the WebhookAuthenticator is not ready: see other conditions for details",
|
||||
}, {
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "WebhookConnectionValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"concierge/does-not-exist\": secret \"does-not-exist\" not found",
|
||||
},
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes",
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := env.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: badCABundleConfigMap.Name,
|
||||
Key: "ca.crt",
|
||||
},
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the WebhookAuthenticator is not ready: see other conditions for details",
|
||||
}, {
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "WebhookConnectionValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"ca.crt\" with 28 bytes of data in configmap \"concierge/%s\" is not a PEM-encoded certificate (PEM certificates must begin with \"-----BEGIN CERTIFICATE-----\")", badCABundleConfigMap.Name),
|
||||
},
|
||||
},
|
||||
),
|
||||
},
|
||||
{
|
||||
name: "invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist",
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := env.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
|
||||
Kind: "ConfigMap",
|
||||
Name: badCABundleConfigMap.Name,
|
||||
Key: "key-not-present",
|
||||
},
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
Status: "False",
|
||||
Reason: "NotReady",
|
||||
Message: "the WebhookAuthenticator is not ready: see other conditions for details",
|
||||
}, {
|
||||
Type: "AuthenticatorValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
}, {
|
||||
Type: "WebhookConnectionValid",
|
||||
Status: "Unknown",
|
||||
Reason: "UnableToValidate",
|
||||
Message: "unable to validate; see other conditions for details",
|
||||
},
|
||||
{
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "False",
|
||||
Reason: "InvalidTLSConfig",
|
||||
Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"concierge/%s\"", badCABundleConfigMap.Name),
|
||||
},
|
||||
},
|
||||
),
|
||||
},
|
||||
}
|
||||
for _, test := range tests {
|
||||
tt := test
|
||||
|
||||
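Review bot: Every new case rebuilds the same spec by hand — `env.TestWebhook.DeepCopy()`, a TLS override, then `webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"` — five times, and nothing says why the endpoint is replaced when the expected `WebhookConnectionValid` condition is `Unknown`/`UnableToValidate`, which reads as if no connection is expected to be attempted at all. A small closure over `env` that takes the `*authenticationv1alpha1.TLSSpec` and returns the patched spec would remove the repetition, and a why-comment on the endpoint line (presumably to keep a misconfigured TLS case from ever reaching the real test webhook — confirm) would make the intent reviewable. Each table entry then shrinks to `spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { return specWithTLS(&authenticationv1alpha1.TLSSpec{ /* case-specific fields */ }) }`. TestConciergeWebhookAuthenticatorStatus_Parallel continues past the end of the hunk.

```go
// specWithTLS copies the shared test webhook spec, swaps in the TLS settings
// under test, and sets the fake endpoint every TLS-validation case uses.
// TODO(review): record here why the endpoint is swapped for these cases.
specWithTLS := func(tls *authenticationv1alpha1.TLSSpec) *authenticationv1alpha1.WebhookAuthenticatorSpec {
	webhookSpec := env.TestWebhook.DeepCopy()
	webhookSpec.TLS = tls
	webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
	return webhookSpec
}
// … unchanged: tests table, with each spec func reduced to a specWithTLS call …
```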