diff --git a/test/integration/certificates/deprecated_api_test.go b/test/integration/certificates/deprecated_api_test.go deleted file mode 100644 index 4d6dd8585a3..00000000000 --- a/test/integration/certificates/deprecated_api_test.go +++ /dev/null @@ -1,208 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package certificates - -import ( - "context" - "testing" - "time" - - certv1 "k8s.io/api/certificates/v1" - certv1beta1 "k8s.io/api/certificates/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/informers" - clientset "k8s.io/client-go/kubernetes" - restclient "k8s.io/client-go/rest" - kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" - capi "k8s.io/kubernetes/pkg/apis/certificates" - "k8s.io/kubernetes/pkg/controller/certificates/approver" - "k8s.io/kubernetes/test/integration/framework" -) - -// TODO this test can be removed once we get to 1.22 and v1beta1 is no longer allowed -// Verifies that the signerName field defaulting is wired up correctly. -// An exhaustive set of test cases for all permutations of the possible -// defaulting cases is written as a unit tests in the -// `pkg/apis/certificates/...` directory. -// This test cases exists to show that the defaulting function is wired up into -// the apiserver correctly. -func TestCSRSignerNameDefaulting(t *testing.T) { - strPtr := func(s string) *string { return &s } - tests := map[string]struct { - csr certv1beta1.CertificateSigningRequestSpec - expectedSignerName string - }{ - "defaults to legacy-unknown if not recognised": { - csr: certv1beta1.CertificateSigningRequestSpec{ - Request: pemWithGroup(""), - Usages: []certv1beta1.KeyUsage{certv1beta1.UsageKeyEncipherment, certv1beta1.UsageDigitalSignature}, - }, - expectedSignerName: capi.LegacyUnknownSignerName, - }, - "does not default signerName if an explicit value is provided": { - csr: certv1beta1.CertificateSigningRequestSpec{ - Request: pemWithGroup(""), - Usages: []certv1beta1.KeyUsage{certv1beta1.UsageKeyEncipherment, certv1beta1.UsageDigitalSignature}, - SignerName: strPtr("example.com/my-custom-signer"), - }, - expectedSignerName: "example.com/my-custom-signer", - }, - } - for name, test := range tests { - t.Run(name, func(t *testing.T) { - _, s, closeFn := framework.RunAMaster(nil) - defer closeFn() - client := clientset.NewForConfigOrDie(&restclient.Config{Host: s.URL, ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}}) - csrClient := client.CertificatesV1beta1().CertificateSigningRequests() - csr := &certv1beta1.CertificateSigningRequest{ - ObjectMeta: metav1.ObjectMeta{Name: "testcsr"}, - Spec: test.csr, - } - csr, err := csrClient.Create(context.TODO(), csr, metav1.CreateOptions{}) - if err != nil { - t.Fatalf("failed to create CSR resource: %v", err) - } - if *csr.Spec.SignerName != test.expectedSignerName { - t.Errorf("expected CSR signerName to be %q but it was %q", test.expectedSignerName, *csr.Spec.SignerName) - } - }) - } -} - -// TODO this test can be removed once we get to 1.22 and v1beta1 is no longer allowed -// Verifies that the CertificateSubjectRestriction admission controller works as expected. -func TestDeprecatedCertificateSubjectRestrictionPlugin(t *testing.T) { - tests := map[string]struct { - signerName string - group string - error string - }{ - "should admit a request if signerName is NOT kube-apiserver-client and org is system:masters": { - signerName: certv1beta1.LegacyUnknownSignerName, - group: "system:masters", - }, - } - for name, test := range tests { - t.Run(name, func(t *testing.T) { - // Run an apiserver with the default configuration options. - s := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{""}, framework.SharedEtcd()) - defer s.TearDownFn() - client := clientset.NewForConfigOrDie(s.ClientConfig) - - // Attempt to create the CSR resource. - csr := buildDeprecatedTestingCSR("csr", test.signerName, test.group) - _, err := client.CertificatesV1beta1().CertificateSigningRequests().Create(context.TODO(), csr, metav1.CreateOptions{}) - if err != nil && test.error != err.Error() { - t.Errorf("expected error %q but got: %v", test.error, err) - } - if err == nil && test.error != "" { - t.Errorf("expected to get an error %q but got none", test.error) - } - }) - } -} - -func buildDeprecatedTestingCSR(name, signerName, groupName string) *certv1beta1.CertificateSigningRequest { - return &certv1beta1.CertificateSigningRequest{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Spec: certv1beta1.CertificateSigningRequestSpec{ - SignerName: &signerName, - Request: pemWithGroup(groupName), - }, - } -} - -// TODO this test can be removed once we get to 1.22 and v1beta1 is no longer allowed -// Integration tests that verify the behaviour of the CSR auto-approving controller. -func TestDeprecatedController_AutoApproval(t *testing.T) { - tests := map[string]struct { - signerName string - request []byte - usages []certv1beta1.KeyUsage - username string - autoApproved bool - grantNodeClient bool - grantSelfNodeClient bool - }{ - "should not auto-approve CSR that has kube-apiserver-client-kubelet signerName that does not match requirements": { - signerName: certv1.KubeAPIServerClientKubeletSignerName, - request: pemWithGroup("system:notnodes"), - autoApproved: false, - }, - } - for name, test := range tests { - t.Run(name, func(t *testing.T) { - // Run an apiserver with the default configuration options. - s := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{""}, framework.SharedEtcd()) - defer s.TearDownFn() - client := clientset.NewForConfigOrDie(s.ClientConfig) - informers := informers.NewSharedInformerFactory(clientset.NewForConfigOrDie(restclient.AddUserAgent(s.ClientConfig, "certificatesigningrequest-informers")), time.Second) - - // Register the controller - c := approver.NewCSRApprovingController(client, informers.Certificates().V1().CertificateSigningRequests()) - // Start the controller & informers - stopCh := make(chan struct{}) - defer close(stopCh) - informers.Start(stopCh) - go c.Run(1, stopCh) - - // Configure appropriate permissions - if test.grantNodeClient { - grantUserNodeClientPermissions(t, client, test.username, false) - } - if test.grantSelfNodeClient { - grantUserNodeClientPermissions(t, client, test.username, true) - } - - // Use a client that impersonates the test case 'username' to ensure the `spec.username` - // field on the CSR is set correctly. - impersonationConfig := restclient.CopyConfig(s.ClientConfig) - impersonationConfig.Impersonate.UserName = test.username - impersonationClient, err := clientset.NewForConfig(impersonationConfig) - if err != nil { - t.Fatalf("Error in create clientset: %v", err) - } - csr := &certv1beta1.CertificateSigningRequest{ - ObjectMeta: metav1.ObjectMeta{ - Name: "csr", - }, - Spec: certv1beta1.CertificateSigningRequestSpec{ - Request: test.request, - Usages: test.usages, - SignerName: &test.signerName, - }, - } - _, err = impersonationClient.CertificatesV1beta1().CertificateSigningRequests().Create(context.TODO(), csr, metav1.CreateOptions{}) - if err != nil { - t.Fatalf("failed to create testing CSR: %v", err) - } - - if test.autoApproved { - if err := waitForCertificateRequestApproved(client, csr.Name); err != nil { - t.Errorf("failed to wait for CSR to be auto-approved: %v", err) - } - } else { - if err := ensureCertificateRequestNotApproved(client, csr.Name); err != nil { - t.Errorf("failed to ensure that CSR was not auto-approved: %v", err) - } - } - }) - } -}