Merge branch 'main' into jtc/merge-main-5fe94c4e-into-github

Joshua Casey
2024-04-23 12:42:07 -05:00
34 changed files with 675 additions and 640 deletions


@@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration
@@ -90,7 +90,8 @@ func TestCredentialIssuer(t *testing.T) {
} else {
require.Equal(t, configv1alpha1.ErrorStrategyStatus, actualStatusStrategy.Status)
require.Equal(t, configv1alpha1.CouldNotFetchKeyStrategyReason, actualStatusStrategy.Reason)
require.Contains(t, actualStatusStrategy.Message, "could not find a healthy kube-controller-manager pod (0 candidates)")
require.Contains(t, actualStatusStrategy.Message, "could not find a healthy kube-controller-manager pod (0 candidates): "+
"note that this error is the expected behavior for some cluster types, including most cloud provider clusters (e.g. GKE, AKS, EKS)")
require.Nil(t, actualStatusKubeConfigInfo)
}
})


@@ -276,7 +276,7 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
Type: "EndpointURLValid",
Status: "True",
Reason: "Success",
Message: "endpoint is a valid URL",
Message: "spec.endpoint is a valid URL",
},
{
Type: "Ready",
@@ -294,7 +294,7 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
Type: "WebhookConnectionValid",
Status: "True",
Reason: "Success",
Message: "tls verified",
Message: "successfully dialed webhook server",
},
}
}
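Review bot: The expected message for the `WebhookConnectionValid` condition in the second hunk changes from `"tls verified"` to `"successfully dialed webhook server"`, which drops the only statement that the server's TLS certificate was verified, so a status reader can no longer distinguish a verified connection from a plain reachability probe. This hunk only shows the test expectation, so whether the controller still verifies TLS when dialing cannot be seen here; if it does, the message should keep that fact explicit, e.g. `Message: "successfully dialed webhook server and verified its TLS certificate",`. allSuccessfulWebhookAuthenticatorConditions starts before the first hunk.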


@@ -1,4 +1,4 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
@@ -23,14 +23,13 @@ import (
func TestFIPSCipherSuites_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
server, ca := tlsserver.TestServerIPv4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// use the default fips config which contains a hard coded list of cipher suites
// that should be equal to the default list of fips cipher suites.
// assert that the client hello response has the same tls config as this test server.
tlsserver.AssertTLS(t, r, ptls.Default)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pool, err := cert.NewPoolFromBytes(ca)
require.NoError(t, err)
// create a tls config that does not explicitly set cipher suites,


@@ -23,7 +23,7 @@ import (
func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
server, serverCA := tlsserver.TestServerIPv4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Secure when talking to KAS
// in FIPS mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPS config
@@ -33,15 +33,13 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
`"status":{"credential":{"token":"some-fancy-token"}}}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(t, nil, pinnipedExe, "login", "static",
"--token", "does-not-matter",
"--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", "does-not-matter",
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(serverCA),
"--concierge-endpoint", server.URL,
"--enable-concierge",
"--credential-cache", "",
@@ -57,7 +55,7 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
server, serverCA := tlsserver.TestServerIPv4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Default when talking to supervisor
// in FIPS mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPS config
@@ -66,12 +64,10 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(&fakeT{T: t}, nil, pinnipedExe, "login", "oidc",
"--ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--ca-bundle-data", base64.StdEncoding.EncodeToString(serverCA),
"--issuer", server.URL,
"--credential-cache", "",
"--upstream-identity-provider-flow", "cli_password",


@@ -1,4 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package testlib
@@ -199,7 +199,7 @@ func dialTLS(t *testing.T, env *TestEnv) *ldap.Conn {
c, err := dialer.DialContext(context.Background(), "tcp", env.SupervisorUpstreamActiveDirectory.Host)
require.NoError(t, err)
conn := ldap.NewConn(c, true)
conn.Start()
conn.Start() //nolint:staticcheck // will need a different approach soon
return conn
}
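Review bot: The `//nolint:staticcheck` directive added to `conn.Start()` says a different approach is coming but not which check it silences or why the call must stay, so a later maintainer cannot tell when the suppression is safe to remove. Naming the suppressed check and the intended replacement would make the suppression reviewable, e.g. `conn.Start() //nolint:staticcheck // SA1019 if this is the deprecation warning: Start is still required here; TODO(<tracking-issue placeholder>) move to the supported constructor`. The hunk's trailing context may extend past what is shown.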