From 6473f8c7e323bf21b1f4780528facb3bf89f4306 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Tue, 20 Sep 2022 13:52:34 -0400
Subject: [PATCH] Make controlplane integation tests coexist with default API
 server config

---
 .../synthetic_controlplane_test.go            | 94 ++++++-------------
 vendor/modules.txt                            |  1 -
 2 files changed, 31 insertions(+), 64 deletions(-)

diff --git a/test/integration/controlplane/synthetic_controlplane_test.go b/test/integration/controlplane/synthetic_controlplane_test.go
index 57d5351c249..c432351d8ef 100644
--- a/test/integration/controlplane/synthetic_controlplane_test.go
+++ b/test/integration/controlplane/synthetic_controlplane_test.go
@@ -39,20 +39,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
-	authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/group"
-	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
-	authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
-	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
-	"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
 	clientset "k8s.io/client-go/kubernetes"
 	clienttypedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
-	"k8s.io/kubernetes/pkg/controlplane"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/framework"
 )
@@ -63,15 +54,6 @@ const (
 	BobToken   string = "xyz987" // username: bob.  Present in token file.
 )
 
-type allowAliceAuthorizer struct{}
-
-func (allowAliceAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
-	if a.GetUser() != nil && a.GetUser().GetName() == "alice" {
-		return authorizer.DecisionAllow, "", nil
-	}
-	return authorizer.DecisionNoOpinion, "I can't allow that.  Go ask alice.", nil
-}
-
 func testPrefix(t *testing.T, prefix string) {
 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
 	defer server.TearDownFn()
@@ -163,68 +145,54 @@ func TestEmptyList(t *testing.T) {
 	}
 }
 
-func initStatusForbiddenControlPlaneConfig(config *controlplane.Config) {
-	config.GenericConfig.Authentication.Authenticator = authenticatorunion.New(
-		authauthenticator.RequestFunc(func(req *http.Request) (*authauthenticator.Response, bool, error) {
-			return &authauthenticator.Response{
-				User: &user.DefaultInfo{
-					Name:   "unprivileged",
-					Groups: []string{user.AllAuthenticated},
-				},
-			}, true, nil
-		}))
-	config.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
+func initStatusForbiddenControlPlaneConfig(options *options.ServerRunOptions) {
+	options.Authorization.Modes = []string{"AlwaysDeny"}
 }
 
-func initUnauthorizedControlPlaneConfig(config *controlplane.Config) {
-	tokenAuthenticator := tokentest.New()
-	tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
-	tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
-	config.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
-	config.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
+func initUnauthorizedControlPlaneConfig(options *options.ServerRunOptions) {
+	options.Authentication.Anonymous.Allow = false
 }
 
 func TestStatus(t *testing.T) {
 	testCases := []struct {
-		name         string
-		modifyConfig func(*controlplane.Config)
-		statusCode   int
-		reqPath      string
-		reason       string
-		message      string
+		name          string
+		modifyOptions func(*options.ServerRunOptions)
+		statusCode    int
+		reqPath       string
+		reason        string
+		message       string
 	}{
 		{
-			name:         "404",
-			modifyConfig: nil,
-			statusCode:   http.StatusNotFound,
-			reqPath:      "/apis/batch/v1/namespaces/default/jobs/foo",
-			reason:       "NotFound",
-			message:      `jobs.batch "foo" not found`,
+			name:       "404",
+			statusCode: http.StatusNotFound,
+			reqPath:    "/apis/batch/v1/namespaces/default/jobs/foo",
+			reason:     "NotFound",
+			message:    `jobs.batch "foo" not found`,
 		},
 		{
-			name:         "403",
-			modifyConfig: initStatusForbiddenControlPlaneConfig,
-			statusCode:   http.StatusForbidden,
-			reqPath:      "/apis",
-			reason:       "Forbidden",
-			message:      `forbidden: User "unprivileged" cannot get path "/apis": Everything is forbidden.`,
+			name:          "403",
+			modifyOptions: initStatusForbiddenControlPlaneConfig,
+			statusCode:    http.StatusForbidden,
+			reqPath:       "/apis",
+			reason:        "Forbidden",
+			message:       `forbidden: User "system:anonymous" cannot get path "/apis": Everything is forbidden.`,
 		},
 		{
-			name:         "401",
-			modifyConfig: initUnauthorizedControlPlaneConfig,
-			statusCode:   http.StatusUnauthorized,
-			reqPath:      "/apis",
-			reason:       "Unauthorized",
-			message:      `Unauthorized`,
+			name:          "401",
+			modifyOptions: initUnauthorizedControlPlaneConfig,
+			statusCode:    http.StatusUnauthorized,
+			reqPath:       "/apis",
+			reason:        "Unauthorized",
+			message:       `Unauthorized`,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			_, kubeConfig, tearDownFn := framework.StartTestServer(t, framework.TestServerSetup{
-				ModifyServerConfig: func(config *controlplane.Config) {
-					if tc.modifyConfig != nil {
-						tc.modifyConfig(config)
+				ModifyServerRunOptions: func(options *options.ServerRunOptions) {
+					if tc.modifyOptions != nil {
+						tc.modifyOptions(options)
 					}
 				},
 			})
@@ -232,7 +200,7 @@ func TestStatus(t *testing.T) {
 
 			// When modifying authenticator and authorizer, don't use
 			// bearer token than will be always authorized.
-			if tc.modifyConfig != nil {
+			if tc.modifyOptions != nil {
 				kubeConfig.BearerToken = ""
 			}
 			transport, err := restclient.TransportFor(kubeConfig)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 116a81f7099..b75ab2f92b0 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1627,7 +1627,6 @@ k8s.io/apiserver/plugin/pkg/audit/log
 k8s.io/apiserver/plugin/pkg/audit/truncate
 k8s.io/apiserver/plugin/pkg/audit/webhook
 k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
-k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook
 # k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime