Update CSR e2e to use v1

This commit is contained in:
Jordan Liggitt 2020-06-02 11:23:59 -04:00
parent 7ee2e2f473
commit ea8f4cb536
2 changed files with 67 additions and 43 deletions

View File

@ -1301,6 +1301,27 @@
StorageClass or a dynamic provisioner.
release: v1.9
file: test/e2e/apps/statefulset.go
- testname: CertificateSigningRequest API
codename: '[sig-auth] Certificates API [Privileged:ClusterAdmin] should support
CSR API operations [Conformance]'
description: ' The certificates.k8s.io API group MUST exists in the /apis discovery
document. The certificates.k8s.io/v1 API group/version MUST exist in the /apis/certificates.k8s.io
discovery document. The certificatesigningrequests, certificatesigningrequests/approval,
and certificatesigningrequests/status resources MUST exist in the /apis/certificates.k8s.io/v1
discovery document. The certificatesigningrequests resource must support create,
get, list, watch, update, patch, delete, and deletecollection. The certificatesigningrequests/approval
resource must support get, update, patch. The certificatesigningrequests/status
resource must support get, update, patch.'
release: v1.19
file: test/e2e/auth/certificates.go
- testname: CertificateSigningRequest API Client Certificate
codename: '[sig-auth] Certificates API [Privileged:ClusterAdmin] should support
building a client with a CSR [Conformance]'
description: ' The certificatesigningrequests resource must accept a request for
a certificate signed by kubernetes.io/kube-apiserver-client. The issued certificate
must be valid as a client certificate used to authenticate to the kube-apiserver.'
release: v1.19
file: test/e2e/auth/certificates.go
- testname: Service account tokens auto mount optionally
codename: '[sig-auth] ServiceAccounts should allow opting out of API token automount [Conformance]'
description: Ensure that Service Account keys are mounted into the Pod only when

View File

@ -25,14 +25,15 @@ import (
"fmt"
"time"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1"
v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/watch"
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/util/cert"
"k8s.io/kubernetes/test/e2e/framework"
@ -41,20 +42,20 @@ import (
"github.com/onsi/ginkgo"
)
var _ = SIGDescribe("Certificates API", func() {
var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
f := framework.NewDefaultFramework("certificates")
/*
Release: v1.19
Testname: CertificateSigningRequest API Client Certificate
Description:
- The certificatesigningrequests resource must accept a request for a certificate signed by kubernetes.io/kube-apiserver-client.
- The issued certificate must be valid as a client certificate used to authenticate to the kube-apiserver.
The certificatesigningrequests resource must accept a request for a certificate signed by kubernetes.io/kube-apiserver-client.
The issued certificate must be valid as a client certificate used to authenticate to the kube-apiserver.
*/
ginkgo.It("should support building a client with a CSR", func() {
framework.ConformanceIt("should support building a client with a CSR", func() {
const commonName = "tester-csr"
csrClient := f.ClientSet.CertificatesV1beta1().CertificateSigningRequests()
csrClient := f.ClientSet.CertificatesV1().CertificateSigningRequests()
pk, err := utils.NewPrivateKey()
framework.ExpectNoError(err)
@ -68,19 +69,18 @@ var _ = SIGDescribe("Certificates API", func() {
csrb, err := cert.MakeCSR(pk, &pkix.Name{CommonName: commonName}, nil, nil)
framework.ExpectNoError(err)
apiserverClientSigner := certificatesv1beta1.KubeAPIServerClientSignerName
csrTemplate := &certificatesv1beta1.CertificateSigningRequest{
csrTemplate := &certificatesv1.CertificateSigningRequest{
ObjectMeta: metav1.ObjectMeta{
GenerateName: commonName + "-",
},
Spec: certificatesv1beta1.CertificateSigningRequestSpec{
Spec: certificatesv1.CertificateSigningRequestSpec{
Request: csrb,
Usages: []certificatesv1beta1.KeyUsage{
certificatesv1beta1.UsageDigitalSignature,
certificatesv1beta1.UsageKeyEncipherment,
certificatesv1beta1.UsageClientAuth,
Usages: []certificatesv1.KeyUsage{
certificatesv1.UsageDigitalSignature,
certificatesv1.UsageKeyEncipherment,
certificatesv1.UsageClientAuth,
},
SignerName: &apiserverClientSigner,
SignerName: certificatesv1.KubeAPIServerClientSignerName,
},
}
@ -121,14 +121,15 @@ var _ = SIGDescribe("Certificates API", func() {
framework.Logf("approving CSR")
framework.ExpectNoError(wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
csr.Status.Conditions = []certificatesv1beta1.CertificateSigningRequestCondition{
csr.Status.Conditions = []certificatesv1.CertificateSigningRequestCondition{
{
Type: certificatesv1beta1.CertificateApproved,
Type: certificatesv1.CertificateApproved,
Status: v1.ConditionTrue,
Reason: "E2E",
Message: "Set from an e2e test",
},
}
csr, err = csrClient.UpdateApproval(context.TODO(), csr, metav1.UpdateOptions{})
csr, err = csrClient.UpdateApproval(context.TODO(), csr.Name, csr, metav1.UpdateOptions{})
if err != nil {
csr, _ = csrClient.Get(context.TODO(), csr.Name, metav1.GetOptions{})
framework.Logf("err updating approval: %v", err)
@ -174,20 +175,20 @@ var _ = SIGDescribe("Certificates API", func() {
Release: v1.19
Testname: CertificateSigningRequest API
Description:
- The certificates.k8s.io API group MUST exists in the /apis discovery document.
- The certificates.k8s.io/v1beta1 API group/version MUST exist in the /apis/certificates.k8s.io discovery document.
- The certificatesigningrequests, certificatesigningrequests/approval, and certificatesigningrequests/status
resources MUST exist in the /apis/certificates.k8s.io/v1beta1 discovery document.
- The certificatesigningrequests resource must support create, get, list, watch, update, patch, delete, and deletecollection.
- The certificatesigningrequests/approval resource must support get, update, patch.
- The certificatesigningrequests/status resource must support get, update, patch.
The certificates.k8s.io API group MUST exists in the /apis discovery document.
The certificates.k8s.io/v1 API group/version MUST exist in the /apis/certificates.k8s.io discovery document.
The certificatesigningrequests, certificatesigningrequests/approval, and certificatesigningrequests/status
resources MUST exist in the /apis/certificates.k8s.io/v1 discovery document.
The certificatesigningrequests resource must support create, get, list, watch, update, patch, delete, and deletecollection.
The certificatesigningrequests/approval resource must support get, update, patch.
The certificatesigningrequests/status resource must support get, update, patch.
*/
ginkgo.It("should support CSR API operations [Privileged:ClusterAdmin]", func() {
framework.ConformanceIt("should support CSR API operations", func() {
// Setup
csrVersion := "v1beta1"
csrClient := f.ClientSet.CertificatesV1beta1().CertificateSigningRequests()
csrResource := certificatesv1beta1.SchemeGroupVersion.WithResource("certificatesigningrequests")
csrVersion := "v1"
csrClient := f.ClientSet.CertificatesV1().CertificateSigningRequests()
csrResource := certificatesv1.SchemeGroupVersion.WithResource("certificatesigningrequests")
pk, err := utils.NewPrivateKey()
framework.ExpectNoError(err)
@ -201,12 +202,12 @@ var _ = SIGDescribe("Certificates API", func() {
framework.ExpectNoError(err)
signerName := "example.com/e2e-" + f.UniqueName
csrTemplate := &certificatesv1beta1.CertificateSigningRequest{
csrTemplate := &certificatesv1.CertificateSigningRequest{
ObjectMeta: metav1.ObjectMeta{GenerateName: "e2e-example-csr-"},
Spec: certificatesv1beta1.CertificateSigningRequestSpec{
Spec: certificatesv1.CertificateSigningRequestSpec{
Request: csrData,
SignerName: &signerName,
Usages: []certificatesv1beta1.KeyUsage{certificatesv1beta1.UsageDigitalSignature, certificatesv1beta1.UsageKeyEncipherment, certificatesv1beta1.UsageServerAuth},
SignerName: signerName,
Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth},
},
}
@ -218,7 +219,7 @@ var _ = SIGDescribe("Certificates API", func() {
framework.ExpectNoError(err)
found := false
for _, group := range discoveryGroups.Groups {
if group.Name == certificatesv1beta1.GroupName {
if group.Name == certificatesv1.GroupName {
for _, version := range group.Versions {
if version.Version == csrVersion {
found = true
@ -247,7 +248,7 @@ var _ = SIGDescribe("Certificates API", func() {
ginkgo.By("getting /apis/certificates.k8s.io/" + csrVersion)
{
resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(certificatesv1beta1.SchemeGroupVersion.String())
resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(certificatesv1.SchemeGroupVersion.String())
framework.ExpectNoError(err)
foundCSR, foundApproval, foundStatus := false, false, false
for _, resource := range resources.APIResources {
@ -308,7 +309,7 @@ var _ = SIGDescribe("Certificates API", func() {
case evt, ok := <-csrWatch.ResultChan():
framework.ExpectEqual(ok, true, "watch channel should not close")
framework.ExpectEqual(evt.Type, watch.Modified)
watchedCSR, isCSR := evt.Object.(*certificatesv1beta1.CertificateSigningRequest)
watchedCSR, isCSR := evt.Object.(*certificatesv1.CertificateSigningRequest)
framework.ExpectEqual(isCSR, true, fmt.Sprintf("expected CSR, got %T", evt.Object))
if watchedCSR.Annotations["patched"] == "true" {
framework.Logf("saw patched and updated annotations")
@ -327,7 +328,7 @@ var _ = SIGDescribe("Certificates API", func() {
ginkgo.By("getting /approval")
gottenApproval, err := f.DynamicClient.Resource(csrResource).Get(context.TODO(), createdCSR.Name, metav1.GetOptions{}, "approval")
framework.ExpectNoError(err)
framework.ExpectEqual(gottenApproval.GetObjectKind().GroupVersionKind(), certificatesv1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequest"))
framework.ExpectEqual(gottenApproval.GetObjectKind().GroupVersionKind(), certificatesv1.SchemeGroupVersion.WithKind("CertificateSigningRequest"))
framework.ExpectEqual(gottenApproval.GetUID(), createdCSR.UID)
ginkgo.By("patching /approval")
@ -341,22 +342,23 @@ var _ = SIGDescribe("Certificates API", func() {
ginkgo.By("updating /approval")
approvalToUpdate := patchedApproval.DeepCopy()
approvalToUpdate.Status.Conditions = append(approvalToUpdate.Status.Conditions, certificatesv1beta1.CertificateSigningRequestCondition{
Type: certificatesv1beta1.CertificateApproved,
approvalToUpdate.Status.Conditions = append(approvalToUpdate.Status.Conditions, certificatesv1.CertificateSigningRequestCondition{
Type: certificatesv1.CertificateApproved,
Status: v1.ConditionTrue,
Reason: "E2E",
Message: "Set from an e2e test",
})
updatedApproval, err := csrClient.UpdateApproval(context.TODO(), approvalToUpdate, metav1.UpdateOptions{})
updatedApproval, err := csrClient.UpdateApproval(context.TODO(), approvalToUpdate.Name, approvalToUpdate, metav1.UpdateOptions{})
framework.ExpectNoError(err)
framework.ExpectEqual(len(updatedApproval.Status.Conditions), 2, fmt.Sprintf("updated object should have the applied condition, got %#v", updatedApproval.Status.Conditions))
framework.ExpectEqual(updatedApproval.Status.Conditions[1].Type, certificatesv1beta1.CertificateApproved, fmt.Sprintf("updated object should have the approved condition, got %#v", updatedApproval.Status.Conditions))
framework.ExpectEqual(updatedApproval.Status.Conditions[1].Type, certificatesv1.CertificateApproved, fmt.Sprintf("updated object should have the approved condition, got %#v", updatedApproval.Status.Conditions))
// /status subresource operations
ginkgo.By("getting /status")
gottenStatus, err := f.DynamicClient.Resource(csrResource).Get(context.TODO(), createdCSR.Name, metav1.GetOptions{}, "status")
framework.ExpectNoError(err)
framework.ExpectEqual(gottenStatus.GetObjectKind().GroupVersionKind(), certificatesv1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequest"))
framework.ExpectEqual(gottenStatus.GetObjectKind().GroupVersionKind(), certificatesv1.SchemeGroupVersion.WithKind("CertificateSigningRequest"))
framework.ExpectEqual(gottenStatus.GetUID(), createdCSR.UID)
ginkgo.By("patching /status")
@ -369,8 +371,9 @@ var _ = SIGDescribe("Certificates API", func() {
ginkgo.By("updating /status")
statusToUpdate := patchedStatus.DeepCopy()
statusToUpdate.Status.Conditions = append(statusToUpdate.Status.Conditions, certificatesv1beta1.CertificateSigningRequestCondition{
statusToUpdate.Status.Conditions = append(statusToUpdate.Status.Conditions, certificatesv1.CertificateSigningRequestCondition{
Type: "StatusUpdate",
Status: v1.ConditionTrue,
Reason: "E2E",
Message: "Set from an e2e test",
})