Creates unit test for readiness probe

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/app/options/kube_oidc_proxy.go

@@ -13,6 +13,8 @@ type TokenPassthroughOptions struct {
 type KubeOIDCProxyOptions struct {
 	DisableImpersonation bool
 	TokenPassthrough     TokenPassthroughOptions
+
+	ReadinessProbePort int
 }
 
 func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
@@ -34,5 +36,8 @@ func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
 		"(Alpha) Disable the impersonation of authenticated requests. All "+
 			"authenticated requests will be forwarded as is.")
 
+	fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080,
+		"Port to expose readiness probe.")
+
 	k.TokenPassthrough.AddFlags(fs)
 }

cmd/app/run.go

@@ -24,7 +24,7 @@ import (
 )
 
 const (
-	readinessProbePort = 8080
+	appName = "kube-oidc-proxy"
 )
 
 func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
@@ -36,7 +36,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 		BindPort:    6443,
 		Required:    true,
 		ServerCert: apiserveroptions.GeneratableKeyCert{
-			PairName:      "kube-oidc-proxy",
+			PairName:      appName,
 			CertDirectory: "/var/run/kubernetes",
 		},
 	}
@@ -48,7 +48,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 
 	// proxy command
 	cmd := &cobra.Command{
-		Use:  "kube-oidc-proxy",
+		Use:  appName,
 		Long: "kube-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			var err error
@@ -61,7 +61,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return err
 			}
 
-			if ssoptionsWithLB.SecureServingOptions.BindPort == readinessProbePort {
+			if ssoptionsWithLB.SecureServingOptions.BindPort == kopOptions.ReadinessProbePort {
 				return errors.New("unable to securely serve on port 8080, used by readiness prob")
 			}
 
@@ -116,8 +116,8 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			}
 
 			// Start readiness probe
-			if err := probe.Run(strconv.Itoa(readinessProbePort),
-				fakeJWT, p.OIDCAuthenticator()); err != nil {
+			if err := probe.Run(strconv.Itoa(kopOptions.ReadinessProbePort),
+				fakeJWT, p.OIDCTokenAuthenticator()); err != nil {
 				return err
 			}
 

pkg/probe/probe.go

@@ -2,37 +2,33 @@
 package probe
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 
 	"github.com/heptiolabs/healthcheck"
-	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	//"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/klog"
 )
 
 type HealthCheck struct {
 	handler healthcheck.Handler
 
-	oidcAuther *bearertoken.Authenticator
-	req        *http.Request
+	oidcAuther authenticator.Token
+	fakeJWT    string
 
 	ready bool
 }
 
-func Run(port, fakeJWT string, oidcAuther *bearertoken.Authenticator) error {
-	req, err := http.NewRequest("GET", "http://fake", nil)
-	if err != nil {
-		return fmt.Errorf("failed to build fake probe request: %s", err)
-	}
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", fakeJWT))
-
+func Run(port, fakeJWT string, oidcAuther authenticator.Token) error {
 	h := &HealthCheck{
 		handler:    healthcheck.NewHandler(),
 		oidcAuther: oidcAuther,
-		req:        req,
+		fakeJWT:    fakeJWT,
 	}
 
 	h.handler.AddReadinessCheck("secure serving", h.Check)
@@ -55,7 +51,7 @@ func (h *HealthCheck) Check() error {
 		return nil
 	}
 
-	_, _, err := h.oidcAuther.AuthenticateRequest(h.req)
+	_, _, err := h.oidcAuther.AuthenticateToken(context.Background(), h.fakeJWT)
 	if err != nil && strings.HasSuffix(err.Error(), "authenticator not initialized") {
 		err = fmt.Errorf("OIDC provider not yet initialized: %s", err)
 		klog.V(4).Infof(err.Error())

pkg/probe/probe_test.go

@@ -2,21 +2,55 @@
 package probe
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
 	"time"
 
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+
 	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 )
 
-func Test_Check(t *testing.T) {
+type fakeTokenAuthenticator struct {
+	returnErr bool
+}
+
+var _ authenticator.Token = &fakeTokenAuthenticator{}
+
+func (f *fakeTokenAuthenticator) AuthenticateToken(context.Context, string) (*authenticator.Response, bool, error) {
+	if f.returnErr {
+		return nil, false, errors.New("foo bar authenticator not initialized")
+	}
+
+	return nil, false, errors.New("some other error")
+}
+
+func TestRun(t *testing.T) {
+	f := &fakeTokenAuthenticator{
+		returnErr: true,
+	}
+
 	port, err := util.FreePort()
 	if err != nil {
-		t.Fatalf("unexpected error: %s", err)
+		t.Error(err.Error())
+		t.FailNow()
 	}
 
-	p := New(port)
+	fakeJWT, err := util.FakeJWT("issuer", nil)
+	if err != nil {
+		t.Error(err.Error())
+		t.FailNow()
+	}
+
+	if err := Run(port, fakeJWT, f); err != nil {
+		t.Error(err.Error())
+		t.FailNow()
+	}
+
+	// Wait for probe to become ready
 	time.Sleep(time.Second)
 
 	url := fmt.Sprintf("http://0.0.0.0:%s", port)
@@ -31,7 +65,7 @@ func Test_Check(t *testing.T) {
 			503, resp.StatusCode)
 	}
 
-	p.SetReady()
+	f.returnErr = false
 
 	resp, err = http.Get(url + "/ready")
 	if err != nil {
@@ -43,15 +77,18 @@ func Test_Check(t *testing.T) {
 			200, resp.StatusCode)
 	}
 
-	p.SetNotReady()
+	// Once the authenticator has returned with an non-initialised error, then
+	// should always return ready
+
+	f.returnErr = true
 
 	resp, err = http.Get(url + "/ready")
 	if err != nil {
 		t.Fatalf("unexpected error: %s", err)
 	}
 
-	if resp.StatusCode != 503 {
-		t.Errorf("expected ready probe to be responding and not ready, exp=%d got=%d",
-			503, resp.StatusCode)
+	if resp.StatusCode != 200 {
+		t.Errorf("expected ready probe to be responding and ready, exp=%d got=%d",
+			200, resp.StatusCode)
 	}
 }

pkg/proxy/proxy.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	authuser "k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/server"
@@ -40,7 +41,8 @@ type Options struct {
 }
 
 type Proxy struct {
-	oidcAuther        *bearertoken.Authenticator
+	oidcRequestAuther *bearertoken.Authenticator
+	tokenAuther       authenticator.Token
 	tokenReviewer     *tokenreview.TokenReview
 	secureServingInfo *server.SecureServingInfo
 
@@ -72,14 +74,13 @@ func New(restConfig *rest.Config, oidcOptions *options.OIDCAuthenticationOptions
 		return nil, err
 	}
 
-	oidcAuther := bearertoken.New(tokenAuther)
-
 	return &Proxy{
 		restConfig:        restConfig,
 		tokenReviewer:     tokenReviewer,
 		secureServingInfo: ssinfo,
 		options:           options,
-		oidcAuther:        oidcAuther,
+		oidcRequestAuther: bearertoken.New(tokenAuther),
+		tokenAuther:       tokenAuther,
 	}, nil
 }
 
@@ -144,7 +145,7 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 	reqCpy := utilnet.CloneRequest(req)
 
 	// auth request and handle unauthed
-	info, ok, err := p.oidcAuther.AuthenticateRequest(reqCpy)
+	info, ok, err := p.oidcRequestAuther.AuthenticateRequest(reqCpy)
 	if err != nil {
 
 		// attempt to passthrough request if valid token
@@ -306,6 +307,6 @@ func (p *Proxy) roundTripperForRestConfig(config *rest.Config) (http.RoundTrippe
 }
 
 // Return the proxy OIDC token authenticator
-func (p *Proxy) OIDCAuthenticator() *bearertoken.Authenticator {
-	return p.oidcAuther
+func (p *Proxy) OIDCTokenAuthenticator() authenticator.Token {
+	return p.tokenAuther
 }

pkg/proxy/proxy_test.go

@@ -257,9 +257,9 @@ func newTestProxy(t *testing.T) *fakeProxy {
 		fakeToken: fakeToken,
 		fakeRT:    fakeRT,
 		Proxy: &Proxy{
-			oidcAuther:      bearertoken.New(fakeToken),
-			clientTransport: fakeRT,
-			options:         new(Options),
+			oidcRequestAuther: bearertoken.New(fakeToken),
+			clientTransport:   fakeRT,
+			options:           new(Options),
 		},
 	}
 }