tests/e2e: Add auth registry libvirt tests #1932
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,7 +5,6 @@ package e2e | |
|
||
import ( | ||
"bytes" | ||
"encoding/json" | ||
"fmt" | ||
"math/rand" | ||
"os" | ||
|
@@ -241,52 +240,22 @@ func DoTestCreatePeerPodWithPVCAndCSIWrapper(t *testing.T, e env.Environment, as | |
NewTestCase(t, e, "PeerPodWithPVCAndCSIWrapper", assert, "PVC is created and mounted as expected").WithPod(pod).WithPVC(myPVC).WithTestCommands(testCommands).Run() | ||
} | ||
|
||
func DoTestCreatePeerPodWithAuthenticatedImagewithValidCredentials(t *testing.T, e env.Environment, assert CloudAssert) { | ||
func DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T, e env.Environment, assert CloudAssert) { | ||
randseed := rand.New(rand.NewSource(time.Now().UnixNano())) | ||
podName := "authenticated-image-valid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod" | ||
expectedAuthStatus := "Completed" | ||
podName := "authenticated-image-with-creds-" + strconv.Itoa(int(randseed.Uint32())) + "-pod" | ||
imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") | ||
pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever)) | ||
NewTestCase(t, e, "ValidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Valid Credentials(Default service account) has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run() | ||
} | ||
|
||
func DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T, e env.Environment, assert CloudAssert) { | ||
registryName := "quay.io" | ||
if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" { | ||
registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0] | ||
} | ||
randseed := rand.New(rand.NewSource(time.Now().UnixNano())) | ||
podName := "authenticated-image-invalid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod" | ||
secretName := "auth-json-secret-invalid" | ||
data := map[string]interface{}{ | ||
"auths": map[string]interface{}{ | ||
registryName: map[string]interface{}{ | ||
"auth": "aW52YWxpZHVzZXJuYW1lOmludmFsaWRwYXNzd29yZAo=", | ||
}, | ||
}, | ||
} | ||
jsondata, err := json.MarshalIndent(data, "", " ") | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
expectedAuthStatus := "ImagePullBackOff" | ||
secretData := map[string][]byte{v1.DockerConfigJsonKey: jsondata} | ||
secret := NewSecret(E2eNamespace, secretName, secretData, v1.SecretTypeDockerConfigJson) | ||
imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") | ||
pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever), WithImagePullSecrets(secretName)) | ||
NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Invalid Credentials has been created").WithSecret(secret).WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run() | ||
NewTestCase(t, e, "ValidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Valid Credentials(Default service account) has been created").WithPod(pod).WithCustomPodState(v1.PodRunning).Run() | ||
} | ||
|
||
// Check that without creds the image can't be pulled to ensure we don't have a false positive in our auth test | ||
func DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T, e env.Environment, assert CloudAssert) { | ||
randseed := rand.New(rand.NewSource(time.Now().UnixNano())) | ||
podName := "authenticated-image-without-creds-" + strconv.Itoa(int(randseed.Uint32())) + "-pod" | ||
expectedAuthStatus := "WithoutCredentials" | ||
imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") | ||
pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever)) | ||
NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image without Credentials has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run() | ||
expectedErrorString := "401 UNAUTHORIZED" | ||
NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image without Credentials has been created").WithPod(pod).WithNoAuthJson().WithExpectedPodDescribe(expectedErrorString).WithCustomPodState(v1.PodPending).Run() | ||
The generalization to allow running tests
Yeah, the framework has lots of building blocks, which can be helpful, but many of them are quite specific, which just makes it a struggle to understand the flow and which path you are going down (for me at least), so I wanted to simplify and make some more basic ones that mimic more how I test things myself. |
||
} | ||
|
||
func DoTestPodVMwithNoAnnotations(t *testing.T, e env.Environment, assert CloudAssert, expectedType string) { | ||
|
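Review bot: In DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials the negative check now depends on the literal `"401 UNAUTHORIZED"` appearing in the pod description, which is one registry's wording rather than a property of the auth path. Assuming WithExpectedPodDescribe does a plain substring match (its implementation is outside this hunk), a registry that words the denial differently would fail this false-positive guard for the wrong reason. Since AUTHENTICATED_REGISTRY_IMAGE is configurable, consider matching case-insensitively on `unauthorized`, or add a comment above `expectedErrorString` naming the registry whose response is expected. Both functions also pass `os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")` to NewPod unchecked, so an unset variable gives a pod with an empty image and an opaque failure; a guard such as `if imageName == "" { t.Skip("AUTHENTICATED_REGISTRY_IMAGE not set") }` would make that explicit.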
Hi @stevenhorsman !
I'm curious why it was originally checking for `v1.PodPending` but now checks for `v1.PodRunning` (which indeed seems correct).
I can't recall the logic as I think I re-wrote it 2 months ago, but I think I ended up surprised that some of these tests ever passed. We did only run them for the ibm cloud provider, which has not had well supported tests for a long long time, so it might have been that if you got lucky with pull timing then pending was enough, but I was trying to make them more robust.
ok, got it. thx!