mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 14:25:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

do not drop internal IP annotation from CredentialIssuer in test

Browse Source
This commit is contained in:
Ryan Richard
2025-06-30 12:52:25 -07:00
parent 6de6bcd81a
commit d57005c42a
1 changed files with 28 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
test/integration/concierge_impersonation_proxy_test.go
View File

@@ -212,15 +212,18 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
// this point depending on the capabilities of the cluster under test. We handle each possible case here. // this point depending on the capabilities of the cluster under test. We handle each possible case here.
switch { switch {
case impersonatorShouldHaveStartedAutomaticallyByDefault && clusterSupportsLoadBalancers: case impersonatorShouldHaveStartedAutomaticallyByDefault && clusterSupportsLoadBalancers:
var originalSpecAnnotations map[string]string
if oldCredentialIssuer.Spec.ImpersonationProxy != nil {
originalSpecAnnotations = oldCredentialIssuer.Spec.ImpersonationProxy.Service.Annotations
}
// configure the credential issuer spec to have the impersonation proxy in auto mode // configure the credential issuer spec to have the impersonation proxy in auto mode
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto, Mode: conciergeconfigv1alpha1.ImpersonationProxyModeAuto,
Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{ Service: conciergeconfigv1alpha1.ImpersonationProxyServiceSpec{
Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer, Type: conciergeconfigv1alpha1.ImpersonationProxyServiceTypeLoadBalancer,
Annotations: map[string]string{ // Use the pre-existing annotations, which might include an annotation to request a private IP.
"service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout": "4000", Annotations: originalSpecAnnotations,
},
}, },
}, },
}) })
@@ -1762,6 +1765,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
if env.Proxy == "" { if env.Proxy == "" {
t.Skip("Skipping ClusterIP test because squid proxy is not present") t.Skip("Skipping ClusterIP test because squid proxy is not present")
} }
clusterIPServiceURL := fmt.Sprintf("%s.%s.svc.cluster.local", impersonationProxyClusterIPName(env), env.ConciergeNamespace) clusterIPServiceURL := fmt.Sprintf("%s.%s.svc.cluster.local", impersonationProxyClusterIPName(env), env.ConciergeNamespace)
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
@@ -1793,6 +1797,10 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
}) })
t.Run("using externally provided TLS serving cert with stringData", func(t *testing.T) { t.Run("using externally provided TLS serving cert with stringData", func(t *testing.T) {
if env.Proxy == "" {
t.Skip("Skipping ClusterIP test because squid proxy is not present")
}
var externallyProvidedCA *certauthority.CA var externallyProvidedCA *certauthority.CA
externallyProvidedCA, err = certauthority.New("Impersonation Proxy Integration Test CA", 1*time.Hour) externallyProvidedCA, err = certauthority.New("Impersonation Proxy Integration Test CA", 1*time.Hour)
require.NoError(t, err) require.NoError(t, err)
@@ -1864,6 +1872,10 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
}) })
t.Run("using externally provided TLS serving cert with data []byte arrays", func(t *testing.T) { t.Run("using externally provided TLS serving cert with data []byte arrays", func(t *testing.T) {
if env.Proxy == "" {
t.Skip("Skipping ClusterIP test because squid proxy is not present")
}
var externallyProvidedCA *certauthority.CA var externallyProvidedCA *certauthority.CA
externallyProvidedCA, err = certauthority.New("Impersonation Proxy Integration Test CA", 1*time.Hour) externallyProvidedCA, err = certauthority.New("Impersonation Proxy Integration Test CA", 1*time.Hour)
require.NoError(t, err) require.NoError(t, err)
@@ -1935,6 +1947,10 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
}) })
t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) { t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {
if env.Proxy == "" {
t.Skip("Skipping disable test because squid proxy is not present")
}
// Update configuration to force the proxy to disabled mode // Update configuration to force the proxy to disabled mode
updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergeconfigv1alpha1.CredentialIssuerSpec{
ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{ ImpersonationProxy: &conciergeconfigv1alpha1.ImpersonationProxySpec{
@@ -1952,11 +1968,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
} }
// Check that the impersonation proxy port has shut down. // Check that the impersonation proxy port has shut down.
// Ideally we could always check that the impersonation proxy's port has shut down, but on clusters where we
// do not run the squid proxy we have no easy way to see beyond the load balancer to see inside the cluster,
// so we'll skip this check on clusters which have load balancers but don't run the squid proxy.
// The other cluster types that do run the squid proxy will give us sufficient coverage here.
if env.Proxy != "" {
testlib.RequireEventually(t, func(requireEventually *require.Assertions) { testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
// It's okay if this returns RBAC errors because this user has no role bindings. // It's okay if this returns RBAC errors because this user has no role bindings.
// What we want to see is that the proxy eventually shuts down entirely. // What we want to see is that the proxy eventually shuts down entirely.
@@ -1964,7 +1975,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
isErr, _ := isServiceUnavailableViaSquidError(err, proxyServiceEndpoint) isErr, _ := isServiceUnavailableViaSquidError(err, proxyServiceEndpoint)
requireEventually.Truef(isErr, "wanted service unavailable via squid error, got %v", err) requireEventually.Truef(isErr, "wanted service unavailable via squid error, got %v", err)
}, 20*time.Second, 500*time.Millisecond) }, 20*time.Second, 500*time.Millisecond)
}
// Check that the generated TLS cert Secret was deleted by the controller because it's supposed to clean this up // Check that the generated TLS cert Secret was deleted by the controller because it's supposed to clean this up
// when we disable the impersonator. // when we disable the impersonator.
@@ -2317,6 +2327,8 @@ func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.Test
return err return err
} }
t.Logf("updating CredentialIssuer spec from %+v to new spec %+v", newCredentialIssuer.Spec, spec)
spec.DeepCopyInto(&newCredentialIssuer.Spec) spec.DeepCopyInto(&newCredentialIssuer.Spec)
_, err = adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Update(ctx, newCredentialIssuer, metav1.UpdateOptions{}) _, err = adminConciergeClient.ConfigV1alpha1().CredentialIssuers().Update(ctx, newCredentialIssuer, metav1.UpdateOptions{})
return err return err