diff --git a/test/integration/concierge_tls_spec_test.go b/test/integration/concierge_tls_spec_test.go index c4aab15ea..314cc7495 100644 --- a/test/integration/concierge_tls_spec_test.go +++ b/test/integration/concierge_tls_spec_test.go 
@@ -24,336 +24,132 @@ import ( func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) { env := testlib.IntegrationEnv(t) + webhookAuthenticatorYamlTemplate := here.Doc(` + apiVersion: authentication.concierge.%s/v1alpha1 + kind: WebhookAuthenticator + metadata: + name: %s + spec: + endpoint: %s + %s + `) + + jwtAuthenticatorYamlTemplate := here.Doc(` + apiVersion: authentication.concierge.%s/v1alpha1 + kind: JWTAuthenticator + metadata: + name: %s + spec: + issuer: %s + audience: some-audience + %s + `) + testCases := []struct { - name string - customWebhookAuthenticatorYaml string - customJWTAuthenticatorYaml string - resourceNamePrefix string - expectedError string + name string + tlsYAML string + expectedError string }{ { name: "should disallow certificate authority data source with missing name", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: Secret key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: Secret - key: bar - `), - resourceNamePrefix: "invalid-tls-spec-missing-name", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Required value`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Required value`, }, { name: "should disallow certificate authority data source with empty value for name", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: Secret name: "" key: bar `), - 
customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: Secret - name: "" - key: bar - `), - resourceNamePrefix: "invalid-tls-spec-empty-name", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Invalid value: "": spec.tls.certificateAuthorityDataSource.name in body should be at least 1 chars long`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Invalid value: "": spec.tls.certificateAuthorityDataSource.name in body should be at least 1 chars long`, }, { name: "should disallow certificate authority data source with missing key", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: Secret name: foo `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: Secret - name: foo - `), - resourceNamePrefix: "invalid-tls-spec-missing-key", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Required value`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Required value`, }, { name: "should disallow certificate authority data source with empty value for key", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: Secret name: foo key: "" `), - customJWTAuthenticatorYaml: here.Doc(` - --- - 
apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: Secret - name: foo - key: "" - `), - resourceNamePrefix: "invalid-tls-spec-empty-kind", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Invalid value: "": spec.tls.certificateAuthorityDataSource.key in body should be at least 1 chars long`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Invalid value: "": spec.tls.certificateAuthorityDataSource.key in body should be at least 1 chars long`, }, { name: "should disallow certificate authority data source with missing kind", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: name: foo key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - name: foo - key: bar - `), - resourceNamePrefix: "invalid-tls-spec-missing-kind", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Required value`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Required value`, }, { name: "should disallow certificate authority data source with empty value for kind", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: "" name: foo key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: 
JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: "" - name: foo - key: bar - `), - resourceNamePrefix: "invalid-tls-spec-invalid-kind", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "": supported values: "Secret", "ConfigMap"`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "": supported values: "Secret", "ConfigMap"`, }, { name: "should disallow certificate authority data source with invalid kind", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: sorcery name: foo key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: sorcery - name: foo - key: bar - `), - resourceNamePrefix: "invalid-tls-spec-invalid-kind", - expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "sorcery": supported values: "Secret", "ConfigMap"`, + expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "sorcery": supported values: "Secret", "ConfigMap"`, }, { name: "should create a custom resource passing all validations using a Secret source", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: Secret name: foo key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 
- kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: Secret - name: foo - key: bar - `), - resourceNamePrefix: "valid-webhook-auth-secret-kind", - expectedError: "", + expectedError: "", }, { name: "should create a custom resource passing all validations using a ConfigMap source", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s + tlsYAML: here.Doc(` tls: certificateAuthorityDataSource: kind: ConfigMap name: foo key: bar `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - tls: - certificateAuthorityDataSource: - kind: ConfigMap - name: foo - key: bar - `), - resourceNamePrefix: "valid-webhook-auth-cm-kind", - expectedError: "", + expectedError: "", }, { - name: "should create a custom resource without any tls spec", - customWebhookAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: WebhookAuthenticator - metadata: - name: %s - spec: - endpoint: %s - `), - customJWTAuthenticatorYaml: here.Doc(` - --- - apiVersion: authentication.concierge.%s/v1alpha1 - kind: JWTAuthenticator - metadata: - name: %s - spec: - issuer: %s - audience: some-audience - `), - resourceNamePrefix: "no-tls-spec", - expectedError: "", + name: "should create a custom resource without any tls spec", + tlsYAML: "", + expectedError: "", }, } 
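Review bot: The new `tlsYAML` field carries a contract that nothing in this table states: each value must be a here.Doc whose first line is `tls:` at column 0 and whose nested keys use the same indentation step as the two templates, because the string is spliced in place of the `%s` under `spec:` (the splice itself happens later in the function, outside this hunk). A comment on the struct field would stop the next case from being written with a leading `---` or a different nesting width, e.g. `// tlsYAML is spliced under spec: of both templates; start with "tls:" at column 0 and nest by four spaces, as here.Doc emits.` The two templates would likewise benefit from a line naming their positional Sprintf arguments, e.g. `// Sprintf args: API group suffix, resource name, endpoint (or issuer), indented tls yaml.`, since a mis-ordered argument surfaces only as a kubectl/YAML error rather than a compile error. The enclosing test function continues past the end of this hunk.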
@@ -361,9 +157,15 @@ func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 t.Parallel()
+ // Further indent every line except for the first line by four spaces.
+ // Use four spaces because that's what here.Doc uses.
+ // Do not indent the first line because the template already indents it.
+ indentedTLSYAML := strings.ReplaceAll(tc.tlsYAML, "\n", "\n ")
+
 t.Run("apply webhook authenticator", func(t *testing.T) {
- webhookResourceName := tc.resourceNamePrefix + "-" + testlib.RandHex(t, 7)
- webhookYamlBytes := []byte(fmt.Sprintf(tc.customWebhookAuthenticatorYaml, env.APIGroupSuffix, webhookResourceName, env.TestWebhook.Endpoint))
+ webhookResourceName := "test-webhook-authenticator-" + testlib.RandHex(t, 7)
+ webhookYamlBytes := []byte(fmt.Sprintf(webhookAuthenticatorYamlTemplate,
+ env.APIGroupSuffix, webhookResourceName, env.TestWebhook.Endpoint, indentedTLSYAML))
 performKubectlApply(
 t,
@@ -378,8 +180,9 @@ func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
 t.Run("apply jwt authenticator", func(t *testing.T) {
 _, supervisorIssuer := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
- jwtAuthenticatorResourceName := tc.resourceNamePrefix + "-" + testlib.RandHex(t, 7)
- jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(tc.customJWTAuthenticatorYaml, env.APIGroupSuffix, jwtAuthenticatorResourceName, supervisorIssuer))
+ jwtAuthenticatorResourceName := "test-jwt-authenticator-" + testlib.RandHex(t, 7)
+ jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(jwtAuthenticatorYamlTemplate,
+ env.APIGroupSuffix, jwtAuthenticatorResourceName, supervisorIssuer, indentedTLSYAML))
 performKubectlApply(
 t,
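Review bot: `indentedTLSYAML` re-indents after every newline in `tc.tlsYAML`, including the final one that here.Doc presumably keeps, so each applied manifest ends with an indent-only line under `spec:` (and the no-tls case renders its `%s` as a whitespace-only line). YAML tolerates that, but trimming first keeps the manifests clean and makes the comment's "every line except for the first" literally true: `indentedTLSYAML := strings.ReplaceAll(strings.TrimSuffix(tc.tlsYAML, "\n"), "\n", "\n    ")`. This line also relies on `strings` already being imported, which no hunk in this diff adds, so it is worth confirming against the import block above line 24. The `t.Run(tc.name, …)` closure continues past the end of this hunk.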