Enable TLS for OIDC e2e tests #7551
Signed-off-by: Leo Li <leoli@redhat.com>
…kenToDLS Signed-off-by: Leo Li <leoli@redhat.com>
Skipping CI for Draft Pull Request.
Codecov Report: All modified and coverable lines are covered by tests ✅
Coverage Diff (main vs. #7551):
Coverage 74.52% -> 74.52%
Files 262 -> 262
Lines 14970 -> 14970
Hits 11157 -> 11157
Misses 3223 -> 3223
Partials 590 -> 590
View full report in Codecov by Sentry.
test/auth/features/oidc/broker.go
Outdated
delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{
    Ref: service.AsKReference(dls),
    Audience: &dlsAudience,
    //CACerts: eventshub.GetCaCerts(ctx),
@creydr Question: Do you have any idea how I should pass the CACert here? With this line I wrote, it causes the broker creation to fail, and I can't find the error message.
When you check the created YAML for the broker with the cert, you see we have a wrong indent of the cert.
Simply add 2 more spaces in delivery.WithDeadLetterSinkFromDestination() when the newlines are replaced:
diff --git a/test/rekt/resources/delivery/delivery.go b/test/rekt/resources/delivery/delivery.go
index 8348e5647..626b62c60 100644
--- a/test/rekt/resources/delivery/delivery.go
+++ b/test/rekt/resources/delivery/delivery.go
@@ -90,7 +90,7 @@ func WithDeadLetterSinkFromDestination(dest *duckv1.Destination) manifest.CfgFn
if dest.CACerts != nil {
// This is a multi-line string and should be indented accordingly.
// Replace "new line" with "new line + spaces".
- dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
+ dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
}
if dest.Audience != nil {
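Review bot: the `-` and `+` lines for `dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")` differ only in the number of spaces after `\n`, which makes the fix invisible in this view and easy to get wrong again; re-indenting a multi-line PEM by string replacement has to match the nesting depth of the CACerts key in the template, and when it drifts the certificate is silently truncated and the broker is rejected with no usable error, as reported in the question above. Suggest deriving the continuation indent from the key's indent in one place, and adding a unit test that renders the manifest, parses it, and pem.Decodes the CACerts value, so a mismatch fails the unit test rather than the e2e run.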
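As an added illustration (not code from this PR or from Knative) of the indentation problem described above: the manifest shape, the helper names and the PEM content are assumptions, and the check is what a unit test on the template would assert.

```go
package main

import (
	"encoding/pem"
	"strings"
)

// SampleCACerts is a constructed PEM-shaped block, not a real certificate.
const SampleCACerts = "-----BEGIN CERTIFICATE-----\nAAAA\nBBBB\n-----END CERTIFICATE-----\n"

// IndentContinuation mirrors the diff's strings.ReplaceAll: lines after the first get n spaces.
func IndentContinuation(s string, n int) string {
	return strings.ReplaceAll(s, "\n", "\n"+strings.Repeat(" ", n))
}

// RenderDLS emits an assumed manifest fragment (not the project's template); the first PEM line sits two deeper than the key.
func RenderDLS(caCerts string, keyIndent, contIndent int) string {
	pad := strings.Repeat(" ", keyIndent)
	return pad + "CACerts: |\n" + pad + "  " + IndentContinuation(caCerts, contIndent)
}

// ExtractBlockScalar is a stdlib-only stand-in for a YAML parser: the block scalar under "CACerts: |"
// ends at the first line indented less than its first content line, which is how a shallow indent truncates the PEM.
func ExtractBlockScalar(doc string) (string, bool) {
	lines := strings.Split(doc, "\n")
	for i, l := range lines {
		if strings.TrimSpace(l) != "CACerts: |" || i+1 >= len(lines) {
			continue
		}
		ind := len(lines[i+1]) - len(strings.TrimLeft(lines[i+1], " "))
		var body []string
		for _, c := range lines[i+1:] {
			if strings.TrimSpace(c) == "" || len(c)-len(strings.TrimLeft(c, " ")) < ind {
				break
			}
			body = append(body, c[ind:])
		}
		return strings.Join(body, "\n") + "\n", len(body) > 0
	}
	return "", false
}

// CACertsSurvive reports whether the PEM round-trips through the rendered YAML and still decodes as a CERTIFICATE block.
func CACertsSurvive(caCerts string, keyIndent, contIndent int) bool {
	body, ok := ExtractBlockScalar(RenderDLS(caCerts, keyIndent, contIndent))
	if !ok {
		return false
	}
	block, rest := pem.Decode([]byte(body))
	return block != nil && block.Type == "CERTIFICATE" && strings.TrimSpace(string(rest)) == ""
}
```

With the key at indent 4, CACertsSurvive(SampleCACerts, 4, 4) is false (continuation lines fall outside the block scalar) and CACertsSurvive(SampleCACerts, 4, 6) is true, which is the "2 more spaces" from the diff.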
test/auth/oidc_test.go
Outdated
@@ -41,7 +43,7 @@ import ( | |||
"knative.dev/eventing/test/rekt/resources/sequence" | |||
) | |||
|
|||
func TestBrokerSupportsOIDC(t *testing.T) { | |||
func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { |
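Review bot: renaming `TestBrokerSupportsOIDC` to `TestBrokerSupportsOIDCUnderTLS` makes TLS enablement in CI depend on a keyword in the test name, an implicit coupling that nothing in the test itself enforces. Prefer keeping the name and stating the requirement explicitly in the feature, e.g. a prerequisite on the strict transport-encryption feature flag, so the test fails loudly when TLS is not enabled instead of silently running over plaintext.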
Note: Change the test name to include the keyword TLS so that prow will enable TLS for this.
I think we can keep it as TestBrokerSupportsOIDC, as we're migrating all of them and we can adjust the prow config for OIDC tests too. And OIDC without TLS is "useless" anyhow.
Hey @Leo6Leo,
besides the comments, I had to do the following to get the tests to run/pass:
- enable strict transport encryption (via feature flag) - we need to do this for CI too (simply adjust test/auth/config/features.yaml)
- install the TLS manifests (config/tls, config/brokers/mt-channel-broker-tls and config/channels/in-memory-channel-tls)
test/auth/features/oidc/broker.go
Outdated
// create an empty destination ref
d := service.AsDestinationRef("")
d.CACerts = eventshub.GetCaCerts(ctx)
// uri is an addressable, create a new one and put the bad uri in it
d.URI, _ = apis.ParseURL("bad://uri")
trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t)
I got a `failed to create resource admission webhook "validation.webhook.eventing.knative.dev" denied the request: validation failed: Absolute URI is not allowed when Ref or [apiVersion, kind, name] is present: spec.subscriber.ref, spec.subscriber.uri, spec.subscriber[apiVersion, kind, name]` when running this.
So there is no need to create a destination via service.AsDestinationRef(""). You can create it directly via duckv1.Destination{} and propagate the fields then.
@creydr Regarding the way to install the TLS manifest, I saw the implementation here. Haven't those configs already been installed here? eventing/hack/generate-yamls.sh Lines 100 to 103 in 3cbddd6
Lines 152 to 162 in 3cbddd6
Hey @Leo6Leo, yes. Sorry for not being clear: this is only required for local tests, as it is already in CI (in contrast to the feature flag, which was not enabled in CI at that time).
@creydr Sounds good! Thanks for the explanation. Then I think I have addressed all the review comments you gave me. PTAL again when you have time!
Can you check why the auth e2e tests fail?
/retest
Left some comments. Mostly for naming & style.
And as you included the changes for other resources besides of broker, can you rename the PR?
test/auth/features/oidc/broker.go
Outdated
))

f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
I would simply name this step "install the trigger", as you do some other configuration besides the CA too. Same in the other files.
test/auth/features/oidc/broker.go
Outdated
f.Setup("Broker is ready", broker.IsReady(brokerName))

// FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly.
leftover?
test/auth/features/oidc/broker.go
Outdated
// Install broker
f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...))
f.Setup("Broker is ready", broker.IsReady(brokerName))
f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress))
Not sure if we need this, as we have f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()). IMO this should be tested in a TLS related test 🤷
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
test/auth/features/oidc/sequence.go
Outdated
@@ -54,7 +56,7 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { | |||
Name: "Sequence send events with OIDC support", | |||
Features: []*feature.Feature{ | |||
SequenceSendsEventWithOIDCTokenToSteps(), | |||
SequenceSendsEventWithOIDCTokenToReply(), | |||
//SequenceSendsEventWithOIDCTokenToReply(), |
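Review bot: commenting out `SequenceSendsEventWithOIDCTokenToReply()` in the feature set silently drops coverage of the reply path, which is exactly the path where a token or CA misconfiguration would otherwise surface; if it was disabled for local debugging, restore the line before merge rather than leaving a commented-out feature behind.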
//SequenceSendsEventWithOIDCTokenToReply(),
SequenceSendsEventWithOIDCTokenToReply(),
I was testing it by commenting out the reply portion. I will uncomment it.
… into enable-tls-for-broker-oidc-test
/cc @creydr
Awesome! Thanks @Leo6Leo for your work on this!
/lgtm
/retitle Enable TLS for OIDC tests
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: creydr, Leo6Leo.
Fixes #7496
Fixes #7544
Fixes #7545
Fixes #7546
Fixes #7547
Fixes #7548
Fixes #7549
Fixes #7558