     1  /*
     2  Copyright 2019 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package auth
    18  
    19  import (
    20  	"context"
    21  	"os"
    22  	"testing"
    23  	"time"
    24  
    25  	utiltesting "k8s.io/client-go/util/testing"
    26  
    27  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    28  	"k8s.io/apiserver/pkg/authentication/authenticator"
    29  	clientset "k8s.io/client-go/kubernetes"
    30  	restclient "k8s.io/client-go/rest"
    31  	"k8s.io/controller-manager/pkg/clientbuilder"
    32  	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
    33  	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
    34  	"k8s.io/kubernetes/test/integration/framework"
    35  	"k8s.io/kubernetes/test/utils/ktesting"
    36  )
    37  
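// TestDynamicClientBuilder starts an apiserver that issues bound service
// account tokens and checks that a client produced by the dynamic client
// builder survives a token rotation: the service account the client
// authenticates as is deleted, and the client must still be able to read
// resources afterwards.
func TestDynamicClientBuilder(t *testing.T) {
	// The signing key is written to a temp file that the apiserver reads both
	// as its token signing key and as its token verification key.
	// os.CreateTemp creates the file with mode 0600, which is what a private
	// key should have; an empty dir argument selects os.TempDir so the test
	// does not depend on a literal /tmp.
	tmpfile, err := os.CreateTemp("", "key")
	if err != nil {
		t.Fatalf("create temp file failed: %v", err)
	}
	defer utiltesting.CloseAndRemove(t, tmpfile)

	// The file already exists, so os.WriteFile does not apply the mode passed
	// here; 0600 is used so the call reflects the intended permissions of a
	// private key instead of suggesting a world-readable one.
	if err = os.WriteFile(tmpfile.Name(), []byte(ecdsaPrivateKey), 0600); err != nil {
		t.Fatalf("write file %s failed: %v", tmpfile.Name(), err)
	}

	const iss = "https://foo.bar.example.com"
	aud := authenticator.Audiences{"api"}

	// Upper bound the apiserver enforces on requested token lifetimes.
	maxExpirationDuration := time.Hour

	tCtx := ktesting.Init(t)
	baseClient, baseConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
			opts.ServiceAccountSigningKeyFile = tmpfile.Name()
			opts.ServiceAccountTokenMaxExpiration = maxExpirationDuration
			if opts.Authentication == nil {
				opts.Authentication = &kubeoptions.BuiltInAuthenticationOptions{}
			}

			opts.Authentication.APIAudiences = aud
			if opts.Authentication.ServiceAccounts == nil {
				opts.Authentication.ServiceAccounts = &kubeoptions.ServiceAccountAuthenticationOptions{}
			}
			opts.Authentication.ServiceAccounts.Issuers = []string{iss}
			opts.Authentication.ServiceAccounts.KeyFiles = []string{tmpfile.Name()}
			// Authorization is not under test here; AlwaysAllow keeps the
			// focus on authentication with the rotated token.
			opts.Authorization.Modes = []string{"AlwaysAllow"}
		},
	})
	defer tearDownFn()

	// We want to test if the token rotation works fine here.
	// To minimize the time this test would consume, we use the minimal token expiration.
	// The minimal token expiration is defined in:
	// pkg/apis/authentication/validation/validation.go
	exp := int64(600)
	leeway := 99
	ns := "default"
	// The builder gets an anonymous copy of the base config so every request
	// it makes must be authenticated by the token it manages itself.
	clientBuilder := clientbuilder.NewTestDynamicClientBuilder(
		restclient.AnonymousClientConfig(baseConfig),
		baseClient.CoreV1(),
		ns, exp, leeway)

	saName := "dt"
	dymClient, err := clientBuilder.Client(saName)
	if err != nil {
		t.Fatalf("build client via dynamic client builder failed: %v", err)
	}

	if err = testClientBuilder(dymClient, ns, saName); err != nil {
		t.Fatalf("dynamic client get resources failed before deleting sa: %v", err)
	}

	// We want to trigger token rotation here by deleting service account
	// the dynamic client was using.
	if err = dymClient.CoreV1().ServiceAccounts(ns).Delete(tCtx, saName, metav1.DeleteOptions{}); err != nil {
		t.Fatalf("delete service account %s failed: %v", saName, err)
	}
	// Fixed wait for the rotation to take effect; a bounded poll on
	// testClientBuilder would be less timing-sensitive — TODO confirm the
	// builder's rotation interval before replacing this.
	time.Sleep(time.Second * 10)

	if err = testClientBuilder(dymClient, ns, saName); err != nil {
		t.Fatalf("dynamic client get resources failed after deleting sa: %v", err)
	}
}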
   111  
// testClientBuilder issues two authenticated reads through dymClient — the
// namespace ns and the service account saName inside it — and returns the
// first error encountered, or nil when both reads succeed.
func testClientBuilder(dymClient clientset.Interface, ns, saName string) error {
	ctx := context.TODO()
	core := dymClient.CoreV1()

	if _, err := core.Namespaces().Get(ctx, ns, metav1.GetOptions{}); err != nil {
		return err
	}

	_, err := core.ServiceAccounts(ns).Get(ctx, saName, metav1.GetOptions{})
	return err
}
   124  