Commit 29f8ff32 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #48073 from wanghaoran1988/e2e_bootstrap

Automatic merge from submit-queue (batch tested with PRs 49316, 46117, 49064, 48073, 49323) add e2e tests for the bootstrapsigner and tokencleaner controllers, integration testing for bootstrap token auth **What this PR does / why we need it**: Add e2e test for bootstrap signer **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ``` None ```
parents 6c5b24b5 f0200833
...@@ -808,6 +808,7 @@ test/e2e/instrumentation/logging ...@@ -808,6 +808,7 @@ test/e2e/instrumentation/logging
test/e2e/instrumentation/monitoring test/e2e/instrumentation/monitoring
test/e2e/kubectl test/e2e/kubectl
test/e2e/lifecycle test/e2e/lifecycle
test/e2e/lifecycle/bootstrap
test/e2e/metrics test/e2e/metrics
test/e2e/scalability test/e2e/scalability
test/e2e/scheduling test/e2e/scheduling
......
...@@ -3868,6 +3868,10 @@ const ( ...@@ -3868,6 +3868,10 @@ const (
TLSCertKey = "tls.crt" TLSCertKey = "tls.crt"
// TLSPrivateKeyKey is the key for the private key field in a TLS secret. // TLSPrivateKeyKey is the key for the private key field in a TLS secret.
TLSPrivateKeyKey = "tls.key" TLSPrivateKeyKey = "tls.key"
// SecretTypeBootstrapToken is used during the automated bootstrap process (first
// implemented by kubeadm). It stores tokens that are used to sign well known
// ConfigMaps. They are used for authn.
SecretTypeBootstrapToken SecretType = "bootstrap.kubernetes.io/token"
) )
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
......
...@@ -25,6 +25,7 @@ go_test( ...@@ -25,6 +25,7 @@ go_test(
"//test/e2e/instrumentation/monitoring:go_default_library", "//test/e2e/instrumentation/monitoring:go_default_library",
"//test/e2e/kubectl:go_default_library", "//test/e2e/kubectl:go_default_library",
"//test/e2e/lifecycle:go_default_library", "//test/e2e/lifecycle:go_default_library",
"//test/e2e/lifecycle/bootstrap:go_default_library",
"//test/e2e/metrics:go_default_library", "//test/e2e/metrics:go_default_library",
"//test/e2e/scalability:go_default_library", "//test/e2e/scalability:go_default_library",
"//test/e2e/scheduling:go_default_library", "//test/e2e/scheduling:go_default_library",
......
...@@ -26,6 +26,7 @@ import ( ...@@ -26,6 +26,7 @@ import (
_ "k8s.io/kubernetes/test/e2e/instrumentation/monitoring" _ "k8s.io/kubernetes/test/e2e/instrumentation/monitoring"
_ "k8s.io/kubernetes/test/e2e/kubectl" _ "k8s.io/kubernetes/test/e2e/kubectl"
_ "k8s.io/kubernetes/test/e2e/lifecycle" _ "k8s.io/kubernetes/test/e2e/lifecycle"
_ "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
_ "k8s.io/kubernetes/test/e2e/scalability" _ "k8s.io/kubernetes/test/e2e/scalability"
_ "k8s.io/kubernetes/test/e2e/scheduling" _ "k8s.io/kubernetes/test/e2e/scheduling"
_ "k8s.io/kubernetes/test/e2e/storage" _ "k8s.io/kubernetes/test/e2e/storage"
......
...@@ -54,6 +54,9 @@ filegroup( ...@@ -54,6 +54,9 @@ filegroup(
filegroup( filegroup(
name = "all-srcs", name = "all-srcs",
srcs = [":package-srcs"], srcs = [
":package-srcs",
"//test/e2e/lifecycle/bootstrap:all-srcs",
],
tags = ["automanaged"], tags = ["automanaged"],
) )
package(default_visibility = ["//visibility:public"])
licenses(["notice"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = [
"bootstrap_signer.go",
"bootstrap_token_cleaner.go",
"util.go",
],
tags = ["automanaged"],
deps = [
"//pkg/bootstrap/api:go_default_library",
"//test/e2e/framework:go_default_library",
"//test/e2e/lifecycle:go_default_library",
"//vendor/github.com/onsi/ginkgo:go_default_library",
"//vendor/github.com/onsi/gomega:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
approvers: #sig-cluster-lifecycle is the owner of this feature
- jbeda
- luxas
- wanghaoran1988
reviewers:
- mikedanese
- luxas
- dmmcquay
- krousey
- wanghaoran1988
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package bootstrap
import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientset "k8s.io/client-go/kubernetes"
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/e2e/lifecycle"
)
const (
TokenIDBytes = 3
TokenSecretBytes = 8
)
var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() {
var c clientset.Interface
f := framework.NewDefaultFramework("bootstrap-signer")
AfterEach(func() {
if len(secretNeedClean) > 0 {
By("delete the bootstrap token secret")
err := c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(secretNeedClean, &metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
secretNeedClean = ""
}
})
BeforeEach(func() {
c = f.ClientSet
})
It("should sign the new added bootstrap tokens", func() {
By("create a new bootstrap token secret")
tokenId, err := GenerateTokenId()
Expect(err).NotTo(HaveOccurred())
secret := newTokenSecret(tokenId, "tokenSecret")
_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret)
secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenId
Expect(err).NotTo(HaveOccurred())
By("wait for the bootstrap token secret be signed")
err = WaitforSignedClusterInfoByBootStrapToken(c, tokenId)
Expect(err).NotTo(HaveOccurred())
})
It("should resign the bootstrap tokens when the clusterInfo ConfigMap updated [Serial][Disruptive]", func() {
By("create a new bootstrap token secret")
tokenId, err := GenerateTokenId()
Expect(err).NotTo(HaveOccurred())
secret := newTokenSecret(tokenId, "tokenSecret")
secret, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret)
secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenId
By("wait for the bootstrap token secret be signed")
err = WaitforSignedClusterInfoByBootStrapToken(c, tokenId)
cfgMap, err := f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
Expect(err).NotTo(HaveOccurred())
signedToken, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenId]
Expect(ok).Should(Equal(true))
By("update the cluster-info ConfigMap")
originalData := cfgMap.Data[bootstrapapi.KubeConfigKey]
updatedKubeConfig, err := randBytes(20)
Expect(err).NotTo(HaveOccurred())
cfgMap.Data[bootstrapapi.KubeConfigKey] = updatedKubeConfig
_, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(cfgMap)
Expect(err).NotTo(HaveOccurred())
defer func() {
By("update back the cluster-info ConfigMap")
cfgMap, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
Expect(err).NotTo(HaveOccurred())
cfgMap.Data[bootstrapapi.KubeConfigKey] = originalData
_, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(cfgMap)
Expect(err).NotTo(HaveOccurred())
}()
By("wait for signed bootstrap token updated")
err = WaitForSignedClusterInfoGetUpdatedByBootstrapToken(c, tokenId, signedToken)
Expect(err).NotTo(HaveOccurred())
})
It("should delete the signed bootstrap tokens from clusterInfo ConfigMap when bootstrap token is deleted", func() {
By("create a new bootstrap token secret")
tokenId, err := GenerateTokenId()
Expect(err).NotTo(HaveOccurred())
secret := newTokenSecret(tokenId, "tokenSecret")
_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret)
Expect(err).NotTo(HaveOccurred())
By("wait for the bootstrap secret be signed")
err = WaitforSignedClusterInfoByBootStrapToken(c, tokenId)
Expect(err).NotTo(HaveOccurred())
By("delete the bootstrap token secret")
err = c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(bootstrapapi.BootstrapTokenSecretPrefix+tokenId, &metav1.DeleteOptions{})
Expect(err).NotTo(HaveOccurred())
By("wait for the bootstrap token removed from cluster-info ConfigMap")
err = WaitForSignedClusterInfoByBootstrapTokenToDisappear(c, tokenId)
Expect(err).NotTo(HaveOccurred())
})
})
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package bootstrap
import (
"time"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientset "k8s.io/client-go/kubernetes"
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/e2e/lifecycle"
)
var secretNeedClean string
var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() {
var c clientset.Interface
f := framework.NewDefaultFramework("bootstrap-token-cleaner")
BeforeEach(func() {
c = f.ClientSet
})
AfterEach(func() {
if len(secretNeedClean) > 0 {
By("delete the bootstrap token secret")
err := c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(secretNeedClean, &metav1.DeleteOptions{})
secretNeedClean = ""
Expect(err).NotTo(HaveOccurred())
}
})
It("should delete the token secret when the secret expired", func() {
By("create a new expired bootstrap token secret")
tokenId, err := GenerateTokenId()
Expect(err).NotTo(HaveOccurred())
tokenSecret, err := GenerateTokenSecret()
Expect(err).NotTo(HaveOccurred())
secret := newTokenSecret(tokenId, tokenSecret)
addSecretExpiration(secret, TimeStringFromNow(-time.Hour))
_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret)
Expect(err).NotTo(HaveOccurred())
By("wait for the bootstrap token secret be deleted")
err = WaitForBootstrapTokenSecretToDisappear(c, tokenId)
Expect(err).NotTo(HaveOccurred())
})
It("should not delete the token secret when the secret is not expired", func() {
By("create a new expired bootstrap token secret")
tokenId, err := GenerateTokenId()
Expect(err).NotTo(HaveOccurred())
tokenSecret, err := GenerateTokenSecret()
Expect(err).NotTo(HaveOccurred())
secret := newTokenSecret(tokenId, tokenSecret)
addSecretExpiration(secret, TimeStringFromNow(time.Hour))
_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret)
secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenId
Expect(err).NotTo(HaveOccurred())
By("wait for the bootstrap token secret not be deleted")
err = WaitForBootstrapTokenSecretNotDisappear(c, tokenId, 20*time.Second)
Expect(err).NotTo(HaveOccurred())
})
})
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package bootstrap
import (
"crypto/rand"
"encoding/hex"
"errors"
"time"
"k8s.io/api/core/v1"
apierrs "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"
clientset "k8s.io/client-go/kubernetes"
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
"k8s.io/kubernetes/test/e2e/framework"
)
func newTokenSecret(tokenID, tokenSecret string) *v1.Secret {
return &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: metav1.NamespaceSystem,
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
},
Type: bootstrapapi.SecretTypeBootstrapToken,
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenID),
bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
bootstrapapi.BootstrapTokenUsageSigningKey: []byte("true"),
},
}
}
func GenerateTokenId() (string, error) {
tokenID, err := randBytes(TokenIDBytes)
if err != nil {
return "", err
}
return tokenID, nil
}
func GenerateTokenSecret() (string, error) {
tokenSecret, err := randBytes(TokenSecretBytes)
if err != nil {
return "", err
}
return tokenSecret, err
}
func randBytes(length int) (string, error) {
b := make([]byte, length)
_, err := rand.Read(b)
if err != nil {
return "", err
}
return hex.EncodeToString(b), nil
}
func addSecretExpiration(s *v1.Secret, expiration string) {
s.Data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(expiration)
}
func TimeStringFromNow(delta time.Duration) string {
return time.Now().Add(delta).Format(time.RFC3339)
}
func WaitforSignedClusterInfoByBootStrapToken(c clientset.Interface, tokenID string) error {
return wait.Poll(framework.Poll, 2*time.Minute, func() (bool, error) {
cfgMap, err := c.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
if err != nil {
framework.Failf("Failed to get cluster-info configMap: %v", err)
return false, err
}
_, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenID]
if !ok {
return false, nil
}
return true, nil
})
}
func WaitForSignedClusterInfoGetUpdatedByBootstrapToken(c clientset.Interface, tokenID string, signedToken string) error {
return wait.Poll(framework.Poll, 2*time.Minute, func() (bool, error) {
cfgMap, err := c.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
if err != nil {
framework.Failf("Failed to get cluster-info configMap: %v", err)
return false, err
}
updated, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenID]
if !ok || updated == signedToken {
return false, nil
}
return true, nil
})
}
func WaitForSignedClusterInfoByBootstrapTokenToDisappear(c clientset.Interface, tokenID string) error {
return wait.Poll(framework.Poll, 2*time.Minute, func() (bool, error) {
cfgMap, err := c.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
if err != nil {
framework.Failf("Failed to get cluster-info configMap: %v", err)
return false, err
}
_, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenID]
if ok {
return false, nil
}
return true, nil
})
}
func WaitForBootstrapTokenSecretToDisappear(c clientset.Interface, tokenID string) error {
return wait.Poll(framework.Poll, 1*time.Minute, func() (bool, error) {
_, err := c.CoreV1().Secrets(metav1.NamespaceSystem).Get(bootstrapapi.BootstrapTokenSecretPrefix+tokenID, metav1.GetOptions{})
if apierrs.IsNotFound(err) {
return true, nil
}
return false, nil
})
}
func WaitForBootstrapTokenSecretNotDisappear(c clientset.Interface, tokenID string, t time.Duration) error {
err := wait.Poll(framework.Poll, t, func() (bool, error) {
secret, err := c.CoreV1().Secrets(metav1.NamespaceSystem).Get(bootstrapapi.BootstrapTokenSecretPrefix+tokenID, metav1.GetOptions{})
if apierrs.IsNotFound(err) {
return true, errors.New("secret not exists")
}
if secret != nil {
return false, nil
}
return true, err
})
if err == wait.ErrWaitTimeout {
return nil
}
return err
}
...@@ -13,6 +13,7 @@ go_test( ...@@ -13,6 +13,7 @@ go_test(
srcs = [ srcs = [
"accessreview_test.go", "accessreview_test.go",
"auth_test.go", "auth_test.go",
"bootstraptoken_test.go",
"main_test.go", "main_test.go",
"node_test.go", "node_test.go",
"rbac_test.go", "rbac_test.go",
...@@ -30,6 +31,7 @@ go_test( ...@@ -30,6 +31,7 @@ go_test(
"//pkg/apis/rbac:go_default_library", "//pkg/apis/rbac:go_default_library",
"//pkg/auth/authorizer/abac:go_default_library", "//pkg/auth/authorizer/abac:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/bootstrap/api:go_default_library",
"//pkg/client/clientset_generated/internalclientset:go_default_library", "//pkg/client/clientset_generated/internalclientset:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library", "//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/kubeapiserver/authorizer:go_default_library", "//pkg/kubeapiserver/authorizer:go_default_library",
...@@ -44,8 +46,10 @@ go_test( ...@@ -44,8 +46,10 @@ go_test(
"//pkg/registry/rbac/rolebinding/storage:go_default_library", "//pkg/registry/rbac/rolebinding/storage:go_default_library",
"//plugin/pkg/admission/admit:go_default_library", "//plugin/pkg/admission/admit:go_default_library",
"//plugin/pkg/admission/noderestriction:go_default_library", "//plugin/pkg/admission/noderestriction:go_default_library",
"//plugin/pkg/auth/authenticator/token/bootstrap:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library", "//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library", "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//test/e2e/lifecycle/bootstrap:go_default_library",
"//test/integration:go_default_library", "//test/integration:go_default_library",
"//test/integration/framework:go_default_library", "//test/integration/framework:go_default_library",
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
...@@ -53,6 +57,7 @@ go_test( ...@@ -53,6 +57,7 @@ go_test(
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library", "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
......
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package auth
import (
"bytes"
"fmt"
"io/ioutil"
"net/http"
"testing"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/kubernetes/pkg/api"
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
"k8s.io/kubernetes/test/integration"
"k8s.io/kubernetes/test/integration/framework"
)
type bootstrapSecrets []*api.Secret
func (b bootstrapSecrets) List(selector labels.Selector) (ret []*api.Secret, err error) {
return b, nil
}
func (b bootstrapSecrets) Get(name string) (*api.Secret, error) {
return b[0], nil
}
// TestBootstrapTokenAuth tests the bootstrap token auth provider
func TestBootstrapTokenAuth(t *testing.T) {
tokenId, err := bootstraputil.GenerateTokenId()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
secret, err := bootstraputil.GenerateTokenSecret()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
var bootstrapSecretValid = &api.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: metav1.NamespaceSystem,
Name: bootstrapapi.BootstrapTokenSecretPrefix,
},
Type: api.SecretTypeBootstrapToken,
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
},
}
var bootstrapSecretInvalid = &api.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: metav1.NamespaceSystem,
Name: bootstrapapi.BootstrapTokenSecretPrefix,
},
Type: api.SecretTypeBootstrapToken,
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
},
}
var expiredBootstrapToken = &api.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: metav1.NamespaceSystem,
Name: bootstrapapi.BootstrapTokenSecretPrefix,
},
Type: api.SecretTypeBootstrapToken,
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
bootstrapapi.BootstrapTokenExpirationKey: []byte(bootstraputil.TimeStringFromNow(-time.Hour)),
},
}
type request struct {
verb string
URL string
body string
statusCodes map[int]bool // Set of expected resp.StatusCode if all goes well.
}
tests := []struct {
name string
request request
secret *api.Secret
}{
{
name: "valid token",
request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code200},
secret: bootstrapSecretValid,
},
{
name: "invalid token format",
request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code401},
secret: bootstrapSecretInvalid,
},
{
name: "invalid token expired",
request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code401},
secret: expiredBootstrapToken,
},
}
for _, test := range tests {
authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret}))
// Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn()
ns := framework.CreateTestingNamespace("auth-bootstrap-token", s, t)
defer framework.DeleteTestingNamespace(ns, s, t)
previousResourceVersion := make(map[string]float64)
transport := http.DefaultTransport
token := tokenId + "." + secret
var bodyStr string
if test.request.body != "" {
sub := ""
if test.request.verb == "PUT" {
// For update operations, insert previous resource version
if resVersion := previousResourceVersion[getPreviousResourceVersionKey(test.request.URL, "")]; resVersion != 0 {
sub += fmt.Sprintf(",\r\n\"resourceVersion\": \"%v\"", resVersion)
}
sub += fmt.Sprintf(",\r\n\"namespace\": %q", ns.Name)
}
bodyStr = fmt.Sprintf(test.request.body, sub)
}
test.request.body = bodyStr
bodyBytes := bytes.NewReader([]byte(bodyStr))
req, err := http.NewRequest(test.request.verb, s.URL+test.request.URL, bodyBytes)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
if test.request.verb == "PATCH" {
req.Header.Set("Content-Type", "application/merge-patch+json")
}
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", test.name)
t.Fatalf("unexpected error: %v", err)
}
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := test.request.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", test.name)
t.Errorf("Expected status one of %v, but got %v", test.request.statusCodes, resp.StatusCode)
t.Errorf("Body: %v", string(b))
} else {
if test.request.verb == "POST" {
// For successful create operations, extract resourceVersion
id, currentResourceVersion, err := parseResourceVersion(b)
if err == nil {
key := getPreviousResourceVersionKey(test.request.URL, id)
previousResourceVersion[key] = currentResourceVersion
}
}
}
}()
}
}
...@@ -38,6 +38,7 @@ func DeletePodOrErrorf(t *testing.T, c clientset.Interface, ns, name string) { ...@@ -38,6 +38,7 @@ func DeletePodOrErrorf(t *testing.T, c clientset.Interface, ns, name string) {
var Code200 = map[int]bool{200: true} var Code200 = map[int]bool{200: true}
var Code201 = map[int]bool{201: true} var Code201 = map[int]bool{201: true}
var Code400 = map[int]bool{400: true} var Code400 = map[int]bool{400: true}
var Code401 = map[int]bool{401: true}
var Code403 = map[int]bool{403: true} var Code403 = map[int]bool{403: true}
var Code404 = map[int]bool{404: true} var Code404 = map[int]bool{404: true}
var Code405 = map[int]bool{405: true} var Code405 = map[int]bool{405: true}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment