Auth: Add external auth integration tests #2717
Comments
Sample fixtures

```yaml
# Create a self-signed issuer to give us secrets.
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-conformance-echo
$apply:
  fixture:
    as: echo
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-conformance-echo
$apply:
  fixture:
    as: echo
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: echo
spec:
  dnsNames:
  - echo.projectcontour.io
  secretName: echo
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
---
# Separate testserver into its own namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: testserver-auth
---
# Issue a self-signed certificate for testserver.
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  name: testserver
  namespace: testserver-auth
spec:
  dnsNames:
  - testserver
  secretName: testserver
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: testserver
  namespace: testserver-auth
  labels:
    app.kubernetes.io/name: testserver
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: testserver
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: testserver
    spec:
      serviceAccountName: testserver
      automountServiceAccountToken: false
      containers:
      - name: testserver
        image: docker.io/projectcontour/contour-authserver:v1
        imagePullPolicy: IfNotPresent
        command:
        - /contour-authserver
        args:
        - testserver
        - --address=:9443
        - --tls-ca-path=/tls/ca.crt
        - --tls-cert-path=/tls/tls.crt
        - --tls-key-path=/tls/tls.key
        ports:
        - name: auth
          containerPort: 9443
          protocol: TCP
        volumeMounts:
        - name: tls
          mountPath: /tls
          readOnly: true
        resources:
          limits:
            cpu: 100m
            memory: 30Mi
      volumes:
      - name: tls
        secret:
          secretName: testserver
---
apiVersion: v1
kind: Service
metadata:
  name: testserver
  namespace: testserver-auth
  labels:
    app.kubernetes.io/name: testserver
spec:
  ports:
  - name: auth
    protocol: TCP
    port: 9443
    targetPort: 9443
  selector:
    app.kubernetes.io/name: testserver
  type: ClusterIP
---
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: testserver
  namespace: testserver-auth
spec:
  services:
  - name: testserver
    port: 9443
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
spec:
  virtualhost:
    fqdn: echo.projectcontour.io
    tls:
      secretName: echo
    authorization:
      serviceRef:
        apiVersion: projectcontour.io/v1alpha1
        kind: ExtensionService
        name: testserver
        namespace: testserver-auth
      timeout: 500ms
      authPolicy:
        disabled: false
        context:
          key1: value1
          key2: value2
  routes:
  - services:
    - name: echo
      port: 80
```
Add basic integration test for an external authorization server. This ensures that if the authorization server is present, context is propagated correctly, and authorization can be disabled on routes. This updates projectcontour#2717. Signed-off-by: James Peach <jpeach@vmware.com>
Add a basic integration test for an external authorization server. This ensures that if the authorization server is present, context is propagated correctly, and authorization can be disabled on routes. This updates projectcontour#2717. Signed-off-by: James Peach <jpeach@vmware.com>
Add a basic integration test for an external authorization server. This ensures that if the authorization server is present, context is propagated correctly, and authorization can be disabled on routes. This updates #2717. Signed-off-by: James Peach <jpeach@vmware.com>
The Contour project currently lacks enough contributors to adequately respond to all Issues. This bot triages Issues according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack
Please describe the problem you have
Add integration tests to cover the major points of the external auth API. Ensure that context is provided properly, along with fail open, enable/disable and other API fields.
xref #432
xref #2643