Enable TLS for OIDC e2e tests #7551
Conversation
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
…kenToDLS Signed-off-by: Leo Li <leoli@redhat.com>
|
Skipping CI for Draft Pull Request. |
knative-prow
bot
added
do-not-merge/work-in-progress
knative-prow
bot
added
approved
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #7551 +/- ##
=======================================
Coverage 74.52% 74.52%
=======================================
Files 262 262
Lines 14970 14970
=======================================
Hits 11157 11157
Misses 3223 3223
Partials 590 590 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Leo Li <leoli@redhat.com>
test/auth/features/oidc/broker.go
Outdated
| delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ | ||
| Ref: service.AsKReference(dls), | ||
| Audience: &dlsAudience, | ||
| //CACerts: eventshub.GetCaCerts(ctx), |
There was a problem hiding this comment.
@creydr Question: Do you have any idea on how should I pass the CACert here? With this line I wrote, it is causing the broker creation fail. And I can't find the error message.
There was a problem hiding this comment.
When you check the created YAML for the broker with the cert, you see we have a wrong indent of the cert.
Simply add 2 more spaces in delivery.WithDeadLetterSinkFromDestination() when the newlines are replaced:
diff --git a/test/rekt/resources/delivery/delivery.go b/test/rekt/resources/delivery/delivery.go
index 8348e5647..626b62c60 100644
--- a/test/rekt/resources/delivery/delivery.go
+++ b/test/rekt/resources/delivery/delivery.go
@@ -90,7 +90,7 @@ func WithDeadLetterSinkFromDestination(dest *duckv1.Destination) manifest.CfgFn
if dest.CACerts != nil {
// This is a multi-line string and should be indented accordingly.
// Replace "new line" with "new line + spaces".
- dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
+ dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
}
if dest.Audience != nil {
Signed-off-by: Leo Li <leoli@redhat.com>
test/auth/oidc_test.go
Outdated
| @@ -41,7 +43,7 @@ import ( | |||
| "knative.dev/eventing/test/rekt/resources/sequence" | |||
| ) | |||
|
|
|||
| func TestBrokerSupportsOIDC(t *testing.T) { | |||
| func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { | |||
There was a problem hiding this comment.
Note: Change the test name to include the keyword TLS so that prow will enable TLS for this.
There was a problem hiding this comment.
I think we can keep it as TestBrokerSupportsOIDC as we're migrating all of them and we can adjust the prow config for OIDC tests too. And OIDC without TLS is "useless" anyhow
There was a problem hiding this comment.
Hey @Leo6Leo,
besides of the comments, I had to do the following to get the tests run/pass:
- enable
stringtransport encryption (via feature flag) - we need to do this for CI too (simply adjust test/auth/config/features.yaml) - install the TLS manifests (config/tls, config/brokers/mt-channel-broker-tls and config/channels/in-memory-channel-tls)
test/auth/oidc_test.go
Outdated
| @@ -41,7 +43,7 @@ import ( | |||
| "knative.dev/eventing/test/rekt/resources/sequence" | |||
| ) | |||
|
|
|||
| func TestBrokerSupportsOIDC(t *testing.T) { | |||
| func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { | |||
There was a problem hiding this comment.
I think we can keep it as TestBrokerSupportsOIDC as we're migrating all of them and we can adjust the prow config for OIDC tests too. And OIDC without TLS is "useless" anyhow
test/auth/features/oidc/broker.go
Outdated
| // create an empty destination ref | ||
| d := service.AsDestinationRef("") | ||
| d.CACerts = eventshub.GetCaCerts(ctx) | ||
| // uri is an addressable, create a new one and put the bad uri in it | ||
| d.URI, _ = apis.ParseURL("bad://uri") | ||
| trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) |
There was a problem hiding this comment.
I got a failed to create resource admission webhook "validation.webhook.eventing.knative.dev" denied the request: validation failed: Absolute URI is not allowed when Ref or [apiVersion, kind, name] is present: spec.subscriber.ref, spec.subscriber.uri, spec.subscriber[apiVersion, kind, name] when running this.
So there is no need to create a destination via service.AsDestinationRef(""). You can create it directly via duckv1.Destination{} and propagate the fields then.
test/auth/features/oidc/broker.go
Outdated
| delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ | ||
| Ref: service.AsKReference(dls), | ||
| Audience: &dlsAudience, | ||
| //CACerts: eventshub.GetCaCerts(ctx), |
There was a problem hiding this comment.
When you check the created YAML for the broker with the cert, you see we have a wrong indent of the cert.
Simply add 2 more spaces in delivery.WithDeadLetterSinkFromDestination() when the newlines are replaced:
diff --git a/test/rekt/resources/delivery/delivery.go b/test/rekt/resources/delivery/delivery.go
index 8348e5647..626b62c60 100644
--- a/test/rekt/resources/delivery/delivery.go
+++ b/test/rekt/resources/delivery/delivery.go
@@ -90,7 +90,7 @@ func WithDeadLetterSinkFromDestination(dest *duckv1.Destination) manifest.CfgFn
if dest.CACerts != nil {
// This is a multi-line string and should be indented accordingly.
// Replace "new line" with "new line + spaces".
- dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
+ dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ")
}
if dest.Audience != nil {
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
@creydr Regarding the way to install the TLS manifest, I saw the implementation here. Don't those config have been installed here? eventing/hack/generate-yamls.sh Lines 100 to 103 in 3cbddd6 Lines 152 to 162 in 3cbddd6 |
Hey @Leo6Leo, yes. Sorry for not being clear, that this is only required for local tests as it is already in CI (in contrast to the feature flag, which was not enabled that time in CI). |
|
@creydr Sounds good! thanks for the explanation. Then I think I have addressed all the review comments you gave me. PTAL again when you have time! |
Can you check why the auth e2e tests fail? |
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
|
/retest |
test/auth/features/oidc/broker.go
Outdated
| )) | ||
|
|
||
| f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { |
There was a problem hiding this comment.
I would simply name this step install the trigger, as you do some other configuration besides the CA too. Same in the other files.
test/auth/features/oidc/broker.go
Outdated
| f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
|
|
||
| // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. |
test/auth/features/oidc/broker.go
Outdated
|
|
||
| // Install broker | ||
| f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) | ||
| f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
| f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) |
There was a problem hiding this comment.
Not sure if we need this, as we have f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()). IMO this should be tested in a TLS related test 🤷
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
test/auth/features/oidc/sequence.go
Outdated
| @@ -54,7 +56,7 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { | |||
| Name: "Sequence send events with OIDC support", | |||
| Features: []*feature.Feature{ | |||
| SequenceSendsEventWithOIDCTokenToSteps(), | |||
| SequenceSendsEventWithOIDCTokenToReply(), | |||
| //SequenceSendsEventWithOIDCTokenToReply(), | |||
There was a problem hiding this comment.
| //SequenceSendsEventWithOIDCTokenToReply(), | |
| SequenceSendsEventWithOIDCTokenToReply(), |
There was a problem hiding this comment.
i was in testing it by commenting out the reply portion. I will uncomment it
Leo6Leo
changed the title
Signed-off-by: Leo Li <leoli@redhat.com>
… into enable-tls-for-broker-oidc-test
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
Signed-off-by: Leo Li <leoli@redhat.com>
Leo6Leo
changed the title
knative-prow
bot
removed
the
do-not-merge/work-in-progress
Signed-off-by: Leo Li <leoli@redhat.com>
|
/cc @creydr |
knative-prow
bot
changed the title
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: creydr, Leo6Leo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Fixes #7496
Fixes #7544
Fixes #7545
Fixes #7546
Fixes #7547
Fixes #7548
Fixes #7549
Fixes #7558
Proposed Changes
Pre-review Checklist
Release Note
Docs