integration: add a test where UID is not passed in Request Headers

test/integration/examples/apiserver_test.go

@@ -255,20 +255,34 @@ func TestAggregatedAPIServer(t *testing.T) {
 	})
 }
 
+func TestFrontProxyConfig(t *testing.T) {
+	t.Run("WithoutUID", func(t *testing.T) {
+		testFrontProxyConfig(t, false)
+	})
+	t.Run("WithUID", func(t *testing.T) {
+		testFrontProxyConfig(t, true)
+	})
+}
+
 // TestFrontProxyConfig tests that the RequestHeader configuration is consumed
 // correctly by the aggregated API servers.
-func TestFrontProxyConfig(t *testing.T) {
+func testFrontProxyConfig(t *testing.T, withUID bool) {
 	const testNamespace = "integration-test-front-proxy-config"
 	const wardleBinaryVersion = "1.1"
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	t.Cleanup(cancel)
 
+	var extraKASFlags []string
+	if withUID {
+		extraKASFlags = []string{"--requestheader-uid-headers=x-remote-uid"}
+	}
+
 	// each wardle binary is bundled with a specific kube binary.
 	kubeBinaryVersion := sampleserver.WardleVersionToKubeVersion(version.MustParse(wardleBinaryVersion)).String()
 
 	// start up the KAS and prepare the options for the wardle API server
-	testKAS, wardleOptions, wardlePort := prepareAggregatedWardleAPIServer(ctx, t, testNamespace, kubeBinaryVersion, wardleBinaryVersion, []string{"--requestheader-uid-headers=x-remote-uid"})
+	testKAS, wardleOptions, wardlePort := prepareAggregatedWardleAPIServer(ctx, t, testNamespace, kubeBinaryVersion, wardleBinaryVersion, extraKASFlags)
 	kubeConfig := getKubeConfig(testKAS)
 
 	// create the SA that we will use to query the aggregated API
@@ -300,13 +314,20 @@ func TestFrontProxyConfig(t *testing.T) {
 		t.Fatalf("failed to retrieve details about the SA: %v", err)
 	}
 
-	expectedSAUserInfo := serviceaccount.UserInfo(expectedSA.Namespace, expectedSA.Name, string(expectedSA.UID))
+	saUserInfo := serviceaccount.UserInfo(expectedSA.Namespace, expectedSA.Name, string(expectedSA.UID))
-	expectedRealSAGroups := append(expectedSAUserInfo.GetGroups(), user.AllAuthenticated)
+	expectedSAUserInfo := user.DefaultInfo{
-	expectedExtra := expectedSAUserInfo.GetExtra()
+		Name:   saUserInfo.GetName(),
-	if expectedExtra == nil {
+		Groups: append(saUserInfo.GetGroups(), user.AllAuthenticated),
-		expectedExtra = map[string][]string{}
+		Extra:  saUserInfo.GetExtra(),
 	}
-	expectedExtra[user.CredentialIDKey] = saDetails.Status.UserInfo.Extra[user.CredentialIDKey]
+	if withUID {
+		expectedSAUserInfo.UID = saUserInfo.GetUID()
+	}
+
+	if expectedSAUserInfo.Extra == nil {
+		expectedSAUserInfo.Extra = map[string][]string{}
+	}
+	expectedSAUserInfo.Extra[user.CredentialIDKey] = saDetails.Status.UserInfo.Extra[user.CredentialIDKey]
 
 	var checksProcessed atomic.Uint32
 
@@ -325,20 +346,17 @@ func TestFrontProxyConfig(t *testing.T) {
 					return rt.RoundTrip(req)
 				}
 
-				if len(gotUser.GetUID()) == 0 {
-					t.Errorf("expected UID to be non-empty for user %q", gotUser.GetName())
-				}
 				if got, expected := gotUser.GetUID(), expectedSAUserInfo.GetUID(); expected != got {
 					t.Errorf("expected UID: %q, got: %q", expected, got)
 				}
 				if got, expected := gotUser.GetName(), expectedSAUserInfo.GetName(); expected != got {
 					t.Errorf("expected name: %q, got: %q", expected, got)
 				}
-				if got := gotUser.GetGroups(); !reflect.DeepEqual(expectedRealSAGroups, got) {
+				if got, expected := gotUser.GetGroups(), expectedSAUserInfo.GetGroups(); !reflect.DeepEqual(expected, got) {
-					t.Errorf("expected groups: %v, got: %v", expectedRealSAGroups, got)
+					t.Errorf("expected groups: %v, got: %v", expected, got)
 				}
-				if got := gotUser.GetExtra(); !apiequality.Semantic.DeepEqual(expectedExtra, got) {
+				if got, expected := gotUser.GetExtra(), expectedSAUserInfo.GetExtra(); !apiequality.Semantic.DeepEqual(expected, got) {
-					t.Errorf("expected extra to be %v, but got %v", expectedExtra, got)
+					t.Errorf("expected extra to be %v, but got %v", expected, got)
 				}
 
 				checksProcessed.Add(1)