123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387 |
- /*
- Copyright 2019 The Kubernetes Authors.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package clusterauthenticationtrust
- import (
- "reflect"
- "testing"
- "github.com/davecgh/go-spew/spew"
- corev1 "k8s.io/api/core/v1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/diff"
- "k8s.io/apimachinery/pkg/util/validation/field"
- "k8s.io/apiserver/pkg/authentication/request/headerrequest"
- "k8s.io/apiserver/pkg/server/dynamiccertificates"
- "k8s.io/client-go/kubernetes/fake"
- corev1listers "k8s.io/client-go/listers/core/v1"
- clienttesting "k8s.io/client-go/testing"
- "k8s.io/client-go/tools/cache"
- )
- var (
- someRandomCA = []byte(`-----BEGIN CERTIFICATE-----
- MIIBqDCCAU2gAwIBAgIUfbqeieihh/oERbfvRm38XvS/xHAwCgYIKoZIzj0EAwIw
- GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlLUNBMCAXDTE2MTAxMTA1MDYwMFoYDzIx
- MTYwOTE3MDUwNjAwWjAUMRIwEAYDVQQDEwlNeSBDbGllbnQwWTATBgcqhkjOPQIB
- BggqhkjOPQMBBwNCAARv6N4R/sjMR65iMFGNLN1GC/vd7WhDW6J4X/iAjkRLLnNb
- KbRG/AtOUZ+7upJ3BWIRKYbOabbQGQe2BbKFiap4o3UwczAOBgNVHQ8BAf8EBAMC
- BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
- K/pZOWpNcYai6eHFpmJEeFpeQlEwHwYDVR0jBBgwFoAUX6nQlxjfWnP6aM1meO/Q
- a6b3a9kwCgYIKoZIzj0EAwIDSQAwRgIhAIWTKw/sjJITqeuNzJDAKU4xo1zL+xJ5
- MnVCuBwfwDXCAiEAw/1TA+CjPq9JC5ek1ifR0FybTURjeQqYkKpve1dveps=
- -----END CERTIFICATE-----
- `)
- anotherRandomCA = []byte(`-----BEGIN CERTIFICATE-----
- MIIDQDCCAiigAwIBAgIJANWw74P5KJk2MA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
- BAMMKWdlbmVyaWNfd2ViaG9va19hZG1pc3Npb25fcGx1Z2luX3Rlc3RzX2NhMCAX
- DTE3MTExNjAwMDUzOVoYDzIyOTEwOTAxMDAwNTM5WjAjMSEwHwYDVQQDExh3ZWJo
- b29rLXRlc3QuZGVmYXVsdC5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
- AoIBAQDXd/nQ89a5H8ifEsigmMd01Ib6NVR3bkJjtkvYnTbdfYEBj7UzqOQtHoLa
- dIVmefny5uIHvj93WD8WDVPB3jX2JHrXkDTXd/6o6jIXHcsUfFTVLp6/bZ+Anqe0
- r/7hAPkzA2A7APyTWM3ZbEeo1afXogXhOJ1u/wz0DflgcB21gNho4kKTONXO3NHD
- XLpspFqSkxfEfKVDJaYAoMnYZJtFNsa2OvsmLnhYF8bjeT3i07lfwrhUZvP+7Gsp
- 7UgUwc06WuNHjfx1s5e6ySzH0QioMD1rjYneqOvk0pKrMIhuAEWXqq7jlXcDtx1E
- j+wnYbVqqVYheHZ8BCJoVAAQGs9/AgMBAAGjZDBiMAkGA1UdEwQCMAAwCwYDVR0P
- BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATApBgNVHREEIjAg
- hwR/AAABghh3ZWJob29rLXRlc3QuZGVmYXVsdC5zdmMwDQYJKoZIhvcNAQELBQAD
- ggEBAD/GKSPNyQuAOw/jsYZesb+RMedbkzs18sSwlxAJQMUrrXwlVdHrA8q5WhE6
- ABLqU1b8lQ8AWun07R8k5tqTmNvCARrAPRUqls/ryER+3Y9YEcxEaTc3jKNZFLbc
- T6YtcnkdhxsiO136wtiuatpYL91RgCmuSpR8+7jEHhuFU01iaASu7ypFrUzrKHTF
- bKwiLRQi1cMzVcLErq5CDEKiKhUkoDucyARFszrGt9vNIl/YCcBOkcNvM3c05Hn3
- M++C29JwS3Hwbubg6WO3wjFjoEhpCwU6qRYUz3MRp4tHO4kxKXx+oQnUiFnR7vW0
- YkNtGc1RUDHwecCTFpJtPb7Yu/E=
- -----END CERTIFICATE-----
- `)
- someRandomCAProvider dynamiccertificates.CAContentProvider
- anotherRandomCAProvider dynamiccertificates.CAContentProvider
- )
- func init() {
- var err error
- someRandomCAProvider, err = dynamiccertificates.NewStaticCAContent("foo", someRandomCA)
- if err != nil {
- panic(err)
- }
- anotherRandomCAProvider, err = dynamiccertificates.NewStaticCAContent("bar", anotherRandomCA)
- if err != nil {
- panic(err)
- }
- }
- func TestWriteClientCAs(t *testing.T) {
- tests := []struct {
- name string
- clusterAuthInfo ClusterAuthenticationInfo
- preexistingObjs []runtime.Object
- expectedConfigMaps map[string]*corev1.ConfigMap
- expectCreate bool
- }{
- {
- name: "basic",
- clusterAuthInfo: ClusterAuthenticationInfo{
- ClientCA: someRandomCAProvider,
- RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{"alfa", "bravo", "charlie"},
- RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{"delta"},
- RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{"echo", "foxtrot"},
- RequestHeaderCA: anotherRandomCAProvider,
- RequestHeaderAllowedNames: headerrequest.StaticStringSlice{"first", "second"},
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "client-ca-file": string(someRandomCA),
- "requestheader-username-headers": `["alfa","bravo","charlie"]`,
- "requestheader-group-headers": `["delta"]`,
- "requestheader-extra-headers-prefix": `["echo","foxtrot"]`,
- "requestheader-client-ca-file": string(anotherRandomCA),
- "requestheader-allowed-names": `["first","second"]`,
- },
- },
- },
- expectCreate: true,
- },
- {
- name: "skip extension-apiserver-authentication",
- clusterAuthInfo: ClusterAuthenticationInfo{
- RequestHeaderCA: anotherRandomCAProvider,
- RequestHeaderAllowedNames: headerrequest.StaticStringSlice{"first", "second"},
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(anotherRandomCA),
- "requestheader-allowed-names": `["first","second"]`,
- },
- },
- },
- expectCreate: true,
- },
- {
- name: "skip extension-apiserver-authentication",
- clusterAuthInfo: ClusterAuthenticationInfo{
- ClientCA: someRandomCAProvider,
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "client-ca-file": string(someRandomCA),
- },
- },
- },
- expectCreate: true,
- },
- {
- name: "empty allowed names",
- clusterAuthInfo: ClusterAuthenticationInfo{
- RequestHeaderCA: anotherRandomCAProvider,
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(anotherRandomCA),
- "requestheader-allowed-names": `[]`,
- },
- },
- },
- expectCreate: true,
- },
- {
- name: "overwrite extension-apiserver-authentication",
- clusterAuthInfo: ClusterAuthenticationInfo{
- ClientCA: someRandomCAProvider,
- },
- preexistingObjs: []runtime.Object{
- &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "client-ca-file": string(anotherRandomCA),
- },
- },
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "client-ca-file": string(anotherRandomCA) + string(someRandomCA),
- },
- },
- },
- },
- {
- name: "overwrite extension-apiserver-authentication requestheader",
- clusterAuthInfo: ClusterAuthenticationInfo{
- RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{},
- RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{},
- RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{},
- RequestHeaderCA: anotherRandomCAProvider,
- RequestHeaderAllowedNames: headerrequest.StaticStringSlice{},
- },
- preexistingObjs: []runtime.Object{
- &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(someRandomCA),
- "requestheader-allowed-names": `[]`,
- },
- },
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(someRandomCA) + string(anotherRandomCA),
- "requestheader-allowed-names": `[]`,
- },
- },
- },
- },
- {
- name: "namespace exists",
- clusterAuthInfo: ClusterAuthenticationInfo{
- ClientCA: someRandomCAProvider,
- },
- preexistingObjs: []runtime.Object{
- &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: metav1.NamespaceSystem}},
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{
- "extension-apiserver-authentication": {
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "client-ca-file": string(someRandomCA),
- },
- },
- },
- expectCreate: true,
- },
- {
- name: "skip on no change",
- clusterAuthInfo: ClusterAuthenticationInfo{
- RequestHeaderUsernameHeaders: headerrequest.StaticStringSlice{},
- RequestHeaderGroupHeaders: headerrequest.StaticStringSlice{},
- RequestHeaderExtraHeaderPrefixes: headerrequest.StaticStringSlice{},
- RequestHeaderCA: anotherRandomCAProvider,
- RequestHeaderAllowedNames: headerrequest.StaticStringSlice{},
- },
- preexistingObjs: []runtime.Object{
- &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(anotherRandomCA),
- "requestheader-allowed-names": `[]`,
- },
- },
- },
- expectedConfigMaps: map[string]*corev1.ConfigMap{},
- expectCreate: false,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- client := fake.NewSimpleClientset(test.preexistingObjs...)
- configMapIndexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
- for _, obj := range test.preexistingObjs {
- configMapIndexer.Add(obj)
- }
- configmapLister := corev1listers.NewConfigMapLister(configMapIndexer)
- c := &Controller{
- configMapLister: configmapLister,
- configMapClient: client.CoreV1(),
- namespaceClient: client.CoreV1(),
- requiredAuthenticationData: test.clusterAuthInfo,
- }
- err := c.syncConfigMap()
- if err != nil {
- t.Fatal(err)
- }
- actualConfigMaps, updated := getFinalConfigMaps(t, client)
- if !reflect.DeepEqual(test.expectedConfigMaps, actualConfigMaps) {
- t.Fatalf("%s: %v", test.name, diff.ObjectReflectDiff(test.expectedConfigMaps, actualConfigMaps))
- }
- if test.expectCreate != updated {
- t.Fatalf("%s: expected %v, got %v", test.name, test.expectCreate, updated)
- }
- })
- }
- }
- func getFinalConfigMaps(t *testing.T, client *fake.Clientset) (map[string]*corev1.ConfigMap, bool) {
- ret := map[string]*corev1.ConfigMap{}
- created := false
- for _, action := range client.Actions() {
- t.Log(spew.Sdump(action))
- if action.Matches("create", "configmaps") {
- created = true
- obj := action.(clienttesting.CreateAction).GetObject().(*corev1.ConfigMap)
- ret[obj.Name] = obj
- }
- if action.Matches("update", "configmaps") {
- obj := action.(clienttesting.UpdateAction).GetObject().(*corev1.ConfigMap)
- ret[obj.Name] = obj
- }
- }
- return ret, created
- }
- func TestWriteConfigMapDeleted(t *testing.T) {
- // the basics are tested above, this checks the deletion logic when the ca bundles are too large
- cm := &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: "extension-apiserver-authentication"},
- Data: map[string]string{
- "requestheader-username-headers": `[]`,
- "requestheader-group-headers": `[]`,
- "requestheader-extra-headers-prefix": `[]`,
- "requestheader-client-ca-file": string(anotherRandomCA),
- "requestheader-allowed-names": `[]`,
- },
- }
- t.Run("request entity too large", func(t *testing.T) {
- client := fake.NewSimpleClientset()
- client.PrependReactor("update", "configmaps", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
- return true, nil, apierrors.NewRequestEntityTooLargeError("way too big")
- })
- client.PrependReactor("delete", "configmaps", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
- return true, nil, nil
- })
- err := writeConfigMap(client.CoreV1(), cm)
- if err == nil || err.Error() != "Request entity too large: way too big" {
- t.Fatal(err)
- }
- if len(client.Actions()) != 2 {
- t.Fatal(client.Actions())
- }
- _, ok := client.Actions()[1].(clienttesting.DeleteAction)
- if !ok {
- t.Fatal(client.Actions())
- }
- })
- t.Run("ca bundle too large", func(t *testing.T) {
- client := fake.NewSimpleClientset()
- client.PrependReactor("update", "configmaps", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
- return true, nil, apierrors.NewInvalid(schema.GroupKind{Kind: "ConfigMap"}, cm.Name, field.ErrorList{field.TooLong(field.NewPath(""), cm, corev1.MaxSecretSize)})
- })
- client.PrependReactor("delete", "configmaps", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) {
- return true, nil, nil
- })
- err := writeConfigMap(client.CoreV1(), cm)
- if err == nil || err.Error() != `ConfigMap "extension-apiserver-authentication" is invalid: []: Too long: must have at most 1048576 bytes` {
- t.Fatal(err)
- }
- if len(client.Actions()) != 2 {
- t.Fatal(client.Actions())
- }
- _, ok := client.Actions()[1].(clienttesting.DeleteAction)
- if !ok {
- t.Fatal(client.Actions())
- }
- })
- }
|