pkg/kubeapiserver/options: Improving test coverage

pkg/kubeapiserver/options/admission_test.go

@@ -19,6 +19,9 @@ package options
 import (
 	"reflect"
 	"testing"
+
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestValidate(t *testing.T) {
@@ -51,6 +54,12 @@ func TestValidate(t *testing.T) {
 	if errs := options.Validate(); len(errs) > 0 {
 		t.Errorf("Unexpected err: %v", errs)
 	}
+
+	// nil pointer
+	options = nil
+	if errs := options.Validate(); errs != nil {
+		t.Errorf("expected no errors, error found %+v", errs)
+	}
 }
 
 func TestComputeEnabledAdmission(t *testing.T) {
@@ -86,3 +95,22 @@ func TestComputeEnabledAdmission(t *testing.T) {
 		})
 	}
 }
+
+func TestAdmissionOptionsAddFlags(t *testing.T) {
+	var args = []string{
+		"--enable-admission-plugins=foo,bar,baz",
+		"--admission-control-config-file=admission_control_config.yaml",
+	}
+
+	opts := NewAdmissionOptions()
+	pf := pflag.NewFlagSet("test-admission-opts", pflag.ContinueOnError)
+	opts.AddFlags(pf)
+
+	if err := pf.Parse(args); err != nil {
+		t.Fatal(err)
+	}
+
+	// using assert because cannot compare neither pointer nor function of underlying GenericAdmission
+	assert.Equal(t, opts.GenericAdmission.ConfigFile, "admission_control_config.yaml")
+	assert.Equal(t, opts.GenericAdmission.EnablePlugins, []string{"foo", "bar", "baz"})
+}

pkg/kubeapiserver/options/authentication_test.go

@@ -23,8 +23,10 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/spf13/pflag"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
@@ -34,10 +36,11 @@ import (
 
 func TestAuthenticationValidate(t *testing.T) {
 	testCases := []struct {
-		name      string
-		testOIDC  *OIDCAuthenticationOptions
-		testSA    *ServiceAccountAuthenticationOptions
-		expectErr string
+		name        string
+		testOIDC    *OIDCAuthenticationOptions
+		testSA      *ServiceAccountAuthenticationOptions
+		testWebHook *WebHookAuthenticationOptions
+		expectErr   string
 	}{
 		{
 			name: "test when OIDC and ServiceAccounts are nil",
@@ -133,13 +136,70 @@ func TestAuthenticationValidate(t *testing.T) {
 			},
 			expectErr: "service-account-issuer \"http://[::1]:namedport\" contained a ':' but was not a valid URL",
 		},
+		{
+			name: "test when ServiceAccounts has invalid JWKSURI",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+				ClientID:      "testClientID",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				KeyFiles: []string{"cert", "key"},
+				Issuers:  []string{"http://foo.bar.com"},
+				JWKSURI:  "https://host:port",
+			},
+			expectErr: "service-account-jwks-uri must be a valid URL: parse \"https://host:port\": invalid port \":port\" after host",
+		},
+		{
+			name: "test when ServiceAccounts has invalid JWKSURI (not https scheme)",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+				ClientID:      "testClientID",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				KeyFiles: []string{"cert", "key"},
+				Issuers:  []string{"http://foo.bar.com"},
+				JWKSURI:  "http://baz.com",
+			},
+			expectErr: "service-account-jwks-uri requires https scheme, parsed as: http://baz.com",
+		},
+		{
+			name: "test when WebHook has invalid retry attempts",
+			testOIDC: &OIDCAuthenticationOptions{
+				UsernameClaim: "sub",
+				SigningAlgs:   []string{"RS256"},
+				IssuerURL:     "testIssuerURL",
+				ClientID:      "testClientID",
+			},
+			testSA: &ServiceAccountAuthenticationOptions{
+				KeyFiles: []string{"cert", "key"},
+				Issuers:  []string{"http://foo.bar.com"},
+				JWKSURI:  "https://baz.com",
+			},
+			testWebHook: &WebHookAuthenticationOptions{
+				ConfigFile: "configfile",
+				Version:    "v1",
+				CacheTTL:   60 * time.Second,
+				RetryBackoff: &wait.Backoff{
+					Duration: 500 * time.Millisecond,
+					Factor:   1.5,
+					Jitter:   0.2,
+					Steps:    0,
+				},
+			},
+			expectErr: "number of webhook retry attempts must be greater than 0, but is: 0",
+		},
 	}
 
 	for _, testcase := range testCases {
 		t.Run(testcase.name, func(t *testing.T) {
 			options := NewBuiltInAuthenticationOptions()
 			options.OIDC = testcase.testOIDC
 			options.ServiceAccounts = testcase.testSA
+			options.WebHook = testcase.testWebHook
 
 			errs := options.Validate()
 			if len(errs) > 0 && (!strings.Contains(utilerrors.NewAggregate(errs).Error(), testcase.expectErr) || testcase.expectErr == "") {
@@ -239,3 +299,89 @@ func TestToAuthenticationConfig(t *testing.T) {
 		t.Error(cmp.Diff(resultConfig, expectConfig))
 	}
 }
+
+func TestBuiltInAuthenticationOptionsAddFlags(t *testing.T) {
+	var args = []string{
+		"--api-audiences=foo",
+		"--anonymous-auth=true",
+		"--enable-bootstrap-token-auth=true",
+		"--oidc-issuer-url=https://baz.com",
+		"--oidc-client-id=client-id",
+		"--oidc-ca-file=cert",
+		"--oidc-username-prefix=-",
+		"--client-ca-file=client-cacert",
+		"--requestheader-client-ca-file=testdata/root.pem",
+		"--requestheader-username-headers=x-remote-user-custom",
+		"--requestheader-group-headers=x-remote-group-custom",
+		"--requestheader-allowed-names=kube-aggregator",
+		"--service-account-key-file=cert",
+		"--service-account-key-file=key",
+		"--service-account-issuer=http://foo.bar.com",
+		"--service-account-jwks-uri=https://qux.com",
+		"--token-auth-file=tokenfile",
+		"--authentication-token-webhook-config-file=webhook_config.yaml",
+		"--authentication-token-webhook-cache-ttl=180s",
+	}
+
+	expected := &BuiltInAuthenticationOptions{
+		APIAudiences: []string{"foo"},
+		Anonymous: &AnonymousAuthenticationOptions{
+			Allow: true,
+		},
+		BootstrapToken: &BootstrapTokenAuthenticationOptions{
+			Enable: true,
+		},
+		ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
+			ClientCA: "client-cacert",
+		},
+		OIDC: &OIDCAuthenticationOptions{
+			CAFile:         "cert",
+			ClientID:       "client-id",
+			IssuerURL:      "https://baz.com",
+			UsernameClaim:  "sub",
+			UsernamePrefix: "-",
+			SigningAlgs:    []string{"RS256"},
+		},
+		RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+			ClientCAFile:    "testdata/root.pem",
+			UsernameHeaders: []string{"x-remote-user-custom"},
+			GroupHeaders:    []string{"x-remote-group-custom"},
+			AllowedNames:    []string{"kube-aggregator"},
+		},
+		ServiceAccounts: &ServiceAccountAuthenticationOptions{
+			KeyFiles:         []string{"cert", "key"},
+			Lookup:           true,
+			Issuers:          []string{"http://foo.bar.com"},
+			JWKSURI:          "https://qux.com",
+			ExtendExpiration: true,
+		},
+		TokenFile: &TokenFileAuthenticationOptions{
+			TokenFile: "tokenfile",
+		},
+		WebHook: &WebHookAuthenticationOptions{
+			ConfigFile: "webhook_config.yaml",
+			Version:    "v1beta1",
+			CacheTTL:   180 * time.Second,
+			RetryBackoff: &wait.Backoff{
+				Duration: 500 * time.Millisecond,
+				Factor:   1.5,
+				Jitter:   0.2,
+				Steps:    5,
+			},
+		},
+		TokenSuccessCacheTTL: 10 * time.Second,
+		TokenFailureCacheTTL: 0 * time.Second,
+	}
+
+	opts := NewBuiltInAuthenticationOptions().WithAll()
+	pf := pflag.NewFlagSet("test-builtin-authentication-opts", pflag.ContinueOnError)
+	opts.AddFlags(pf)
+
+	if err := pf.Parse(args); err != nil {
+		t.Fatal(err)
+	}
+
+	if !reflect.DeepEqual(opts, expected) {
+		t.Error(cmp.Diff(opts, expected))
+	}
+}