integration tests for concierge authenticators

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
2026-01-05 21:15:26 +00:00 · 2024-07-10 00:15:16 -07:00
parent 8eb15a924f
commit cb4b63f8b3
4 changed files with 122 additions and 29 deletions
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@@ -5,11 +5,13 @@ package integration

 import (
 	"context"
+	"encoding/base64"
 	"strings"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"

 	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/internal/here"
@@ -59,34 +61,103 @@ func TestClient(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()

-	webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
-
-	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
-	invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
-	_, err := invalidClient.Discovery().ServerVersion()
-	require.EqualError(t, err, "the server has asked for the client to provide credentials")
-
-	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
-	clientConfig := testlib.NewClientConfig(t)
-	client, err := conciergeclient.New(
-		conciergeclient.WithCABundle(string(clientConfig.CAData)),
-		conciergeclient.WithEndpoint(clientConfig.Host),
-		conciergeclient.WithAuthenticator("webhook", webhook.Name),
-		conciergeclient.WithAPIGroupSuffix(env.APIGroupSuffix),
-	)
+	defaultWebhook := &testlib.IntegrationEnv(t).TestWebhook
+	TLSCABundle, err := base64.StdEncoding.DecodeString(env.TestWebhook.TLS.CertificateAuthorityData)
 	require.NoError(t, err)

-	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
-		resp, err := client.ExchangeToken(ctx, env.TestUser.Token)
-		requireEventually.NoError(err)
-		requireEventually.NotNil(resp.Status.ExpirationTimestamp)
-		requireEventually.InDelta(5*time.Minute, time.Until(resp.Status.ExpirationTimestamp.Time), float64(time.Minute))
+	tests := []struct {
+		name string
+		edit func(t *testing.T, spec *authenticationv1alpha1.WebhookAuthenticatorSpec)
+	}{
+		{
+			name: "default webhook authenticator",
+			edit: nil,
+		},
+		{
+			name: "webhook authenticator with secret of type TLS to source ca bundle",
+			edit: func(t *testing.T, spec *authenticationv1alpha1.WebhookAuthenticatorSpec) {
+				caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeTLS,
+					map[string]string{
+						"ca.crt":  string(TLSCABundle),
+						"tls.crt": "",
+						"tls.key": "",
+					})
+				spec.TLS.CertificateAuthorityData = ""
+				spec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CABundleSource{
+					Kind: "Secret",
+					Name: caSecret.Name,
+					Key:  "ca.crt",
+				}
+			},
+		},
+		{
+			name: "webhook authenticator with secret of type opaque to source ca bundle",
+			edit: func(t *testing.T, spec *authenticationv1alpha1.WebhookAuthenticatorSpec) {
+				caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeOpaque,
+					map[string]string{
+						"ca.crt": string(TLSCABundle),
+					})
+				spec.TLS.CertificateAuthorityData = ""
+				spec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CABundleSource{
+					Kind: "Secret",
+					Name: caSecret.Name,
+					Key:  "ca.crt",
+				}
+			},
+		},
+		{
+			name: "webhook authenticator with configmap to source ca bundle",
+			edit: func(t *testing.T, spec *authenticationv1alpha1.WebhookAuthenticatorSpec) {
+				caConfigmap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-cert",
+					map[string]string{
+						"ca.crt": string(TLSCABundle),
+					})
+				spec.TLS.CertificateAuthorityData = ""
+				spec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CABundleSource{
+					Kind: "ConfigMap",
+					Name: caConfigmap.Name,
+					Key:  "ca.crt",
+				}
+			},
+		},
+	}

-		// Create a client using the certificate and key returned by the token exchange.
-		validClient := testlib.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			webhookSpec := defaultWebhook.DeepCopy()
+			if test.edit != nil {
+				test.edit(t, webhookSpec)
+			}
+			webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, webhookSpec, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)

-		// Make a version request, which should succeed even without any authorization.
-		_, err = validClient.Discovery().ServerVersion()
-		requireEventually.NoError(err)
-	}, 10*time.Second, 500*time.Millisecond)
+			// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
+			invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
+			_, err := invalidClient.Discovery().ServerVersion()
+			require.EqualError(t, err, "the server has asked for the client to provide credentials")
+
+			// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
+			clientConfig := testlib.NewClientConfig(t)
+			client, err := conciergeclient.New(
+				conciergeclient.WithCABundle(string(clientConfig.CAData)),
+				conciergeclient.WithEndpoint(clientConfig.Host),
+				conciergeclient.WithAuthenticator("webhook", webhook.Name),
+				conciergeclient.WithAPIGroupSuffix(env.APIGroupSuffix),
+			)
+			require.NoError(t, err)
+
+			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
+				resp, err := client.ExchangeToken(ctx, env.TestUser.Token)
+				requireEventually.NoError(err)
+				requireEventually.NotNil(resp.Status.ExpirationTimestamp)
+				requireEventually.InDelta(5*time.Minute, time.Until(resp.Status.ExpirationTimestamp.Time), float64(time.Minute))
+
+				// Create a client using the certificate and key returned by the token exchange.
+				validClient := testlib.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)
+
+				// Make a version request, which should succeed even without any authorization.
+				_, err = validClient.Discovery().ServerVersion()
+				requireEventually.NoError(err)
+			}, 10*time.Second, 500*time.Millisecond)
+		})
+	}
 }