Fix e2e tests for all passing

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

demo/yaml/kube-oidc-proxy.yaml

@@ -135,5 +135,7 @@ rules:
   - "authentication.k8s.io"
   resources:
   - "userextras/scopes"
+  - "tokenreviews"
   verbs:
+  - "create"
   - "impersonate"

deploy/charts/kube-oidc-proxy/templates/clusterrole.yaml

@@ -17,5 +17,7 @@ rules:
   - "authentication.k8s.io"
   resources:
   - "userextras/scopes"
+  - "tokenreviews"
   verbs:
+  - "create"
   - "impersonate"

test/e2e/framework/helper/deploy.go

@@ -125,8 +125,8 @@ func (h *Helper) DeployProxy(ns *corev1.Namespace, issuerURL, clientID string,
 			},
 			{
 				APIGroups: []string{"authentication.k8s.io"},
-				Resources: []string{"userextras/scopes"},
-				Verbs:     []string{"impersonate"},
+				Resources: []string{"userextras/scopes", "tokenreviews"},
+				Verbs:     []string{"impersonate", "create"},
 			},
 		},
 	})
@@ -319,21 +319,28 @@ func (h *Helper) DeleteIssuer(ns string) error {
 	return h.deleteApp(ns, IssuerName)
 }
 func (h *Helper) DeleteProxy(ns string) error {
-	return h.deleteApp(ns, ProxyName)
+	return h.deleteApp(ns, ProxyName, "oidc-ca")
 }
 
-func (h *Helper) deleteApp(ns, name string) error {
+func (h *Helper) deleteApp(ns, name string, extraSecrets ...string) error {
 	err := h.KubeClient.CoreV1().Pods(ns).Delete(name, nil)
 	if err != nil && !k8sErrors.IsNotFound(err) {
 		return err
 	}
 
-	err = h.KubeClient.CoreV1().Secrets(ns).Delete(name, nil)
+	for _, s := range append(extraSecrets, name) {
+		err = h.KubeClient.CoreV1().Secrets(ns).Delete(s, nil)
+		if err != nil && !k8sErrors.IsNotFound(err) {
+			return err
+		}
+	}
+
+	err = h.KubeClient.CoreV1().Services(ns).Delete(name, nil)
 	if err != nil && !k8sErrors.IsNotFound(err) {
 		return err
 	}
 
-	err = h.KubeClient.CoreV1().Services(ns).Delete(name, nil)
+	err = h.KubeClient.CoreV1().ServiceAccounts(ns).Delete(name, nil)
 	if err != nil && !k8sErrors.IsNotFound(err) {
 		return err
 	}

test/e2e/framework/helper/requester.go

@@ -14,7 +14,8 @@ type Requester struct {
 
 func (h *Helper) NewRequester(transport http.RoundTripper, token string) *Requester {
 	r := &Requester{
-		token: token,
+		token:     token,
+		transport: transport,
 	}
 
 	r.client = http.DefaultClient

test/e2e/framework/helper/token.go

@@ -68,7 +68,7 @@ func (h *Helper) NewTokenPayload(issuerURL, clientID string, exp time.Time) []by
 	return []byte(fmt.Sprintf(`{
 	"iss":"%s",
 	"aud":["%s","aud-2"],
-	"email":"foo@example.com",
+	"email":"user@example.com",
 	"groups":["group-1","group-2"],
 	"exp":%d
 	}`, issuerURL, clientID, exp.Unix()))

test/e2e/suite/cases/doc.go

@@ -2,6 +2,7 @@ package cases
 
 import (
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/impersonation"
+	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/passthrough"
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/rbac"
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/token"
 )

test/e2e/suite/cases/impersonation/impersonation.go

@@ -1,16 +1,15 @@
 package impersonation
 
 import (
-	"bytes"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
 	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
@@ -63,7 +62,7 @@ var _ = framework.CasesDescribe("Impersonation", func() {
 		})
 	})
 
-	It("should not error at proxy when impersonation is disabled impersonation is attempted on a request", func() {
+	It("should not error at proxy when impersonation is disabled and impersonation is attempted on a request", func() {
 		By("Enabling the disabling of impersonation")
 		f.DeployProxyWith("--disable-impersonation")
 
@@ -78,31 +77,25 @@ var _ = framework.CasesDescribe("Impersonation", func() {
 })
 
 func tryImpersonationClient(f *framework.Framework, impConfig rest.ImpersonationConfig) {
+	// build client with impersonation
 	config := f.NewProxyRestConfig()
 	config.Impersonate = impConfig
-
-	tranConfig, err := config.TransportConfig()
+	client, err := kubernetes.NewForConfig(config)
 	Expect(err).NotTo(HaveOccurred())
 
-	client := http.DefaultClient
-	client.Transport = tranConfig.Transport
-
-	// send request with signed token to proxy
-	target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
-		config.Host, f.Namespace.Name)
-
-	resp, err := client.Get(target)
-	Expect(err).NotTo(HaveOccurred())
-
-	body, err := ioutil.ReadAll(resp.Body)
-	Expect(err).NotTo(HaveOccurred())
+	_, err = client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+	kErr, ok := err.(*k8sErrors.StatusError)
+	if !ok {
+		Expect(err).NotTo(HaveOccurred())
+	}
 
-	expRespBody := []byte("Impersonation requests are disabled when using kube-oidc-proxy\n")
+	expRespBody := "Impersonation requests are disabled when using kube-oidc-proxy (get pods)"
+	resp := kErr.Status().Details.Causes[0].Message
 
 	// check body and status code the token was rejected
-	if resp.StatusCode != http.StatusForbidden ||
-		!bytes.Equal(body, expRespBody) {
+	if int(kErr.Status().Code) != http.StatusForbidden ||
+		resp != expRespBody {
+		Expect(fmt.Errorf("expected status code %d with body %q, got= %+v",
+			http.StatusForbidden, expRespBody, kErr)).NotTo(HaveOccurred())
 	}
-	Expect(fmt.Errorf("expected status code %d with body %q, got= %d %q",
-		http.StatusForbidden, expRespBody, resp.StatusCode, body)).NotTo(HaveOccurred())
 }

test/e2e/suite/cases/passthrough/passthrough.go

@@ -1,15 +1,14 @@
 package impersonation
 
 import (
-	"bytes"
 	"fmt"
 	"net/http"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
@@ -89,22 +88,27 @@ var _ = framework.CasesDescribe("Passthrough", func() {
 		By("Using a ServiceAccount token should error by the proxy")
 
 		// Create requester using the ServiceAccount token
-		proxyConfig := f.NewProxyRestConfig()
-		requester := f.Helper().NewRequester(proxyConfig.Transport, saToken)
+		config := f.NewProxyRestConfig()
+		config.BearerToken = saToken
 
-		// Send request with signed token to proxy
-		target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
-			proxyConfig.Host, f.Namespace.Name)
-
-		body, statusCode, err := requester.Get(target)
+		client, err := kubernetes.NewForConfig(config)
 		Expect(err).NotTo(HaveOccurred())
 
+		_, err = client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		kErr, ok := err.(*k8sErrors.StatusError)
+		if !ok {
+			Expect(err).NotTo(HaveOccurred())
+		}
+
+		expRespBody := "Unauthorized"
+		resp := kErr.Status().Details.Causes[0].Message
+
 		// Check body and status code the token was rejected
-		if statusCode != http.StatusForbidden ||
-			!bytes.Equal(body, []byte("Unauthorized")) {
+		if int(kErr.Status().Code) != http.StatusUnauthorized ||
+			resp != expRespBody {
+			Expect(fmt.Errorf("expected status code %d with body %q, got= %d %q",
+				http.StatusUnauthorized, expRespBody, int(kErr.Status().Code), resp)).NotTo(HaveOccurred())
 		}
-		Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
-			http.StatusForbidden, statusCode, body)).NotTo(HaveOccurred())
 	})
 
 	It("should not error on a valid OIDC token nor a valid ServiceAccount token with passthrough enabled", func() {

test/e2e/suite/cases/token/token.go

@@ -61,12 +61,13 @@ func expectProxyUnauthorized(f *framework.Framework, tokenPayload []byte) {
 		proxyConfig.Host, f.Namespace.Name)
 
 	body, statusCode, err := requester.Get(target)
+	body = bytes.TrimSpace(body)
 	Expect(err).NotTo(HaveOccurred())
 
 	// Check body and status code the token was rejected
-	if statusCode != http.StatusForbidden ||
+	if statusCode != http.StatusUnauthorized ||
 		!bytes.Equal(body, []byte("Unauthorized")) {
+		Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
+			http.StatusUnauthorized, statusCode, body)).NotTo(HaveOccurred())
 	}
-	Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
-		http.StatusForbidden, statusCode, body)).NotTo(HaveOccurred())
 }

test/e2e/suite/suite.go

@@ -27,11 +27,6 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	cfg.RepoRoot = env.RootPath()
 	cfg.Environment = env
 
-	cfg.KubeConfigPath = "/home/josh/.kube/kind-config-kube-oidc-proxy-e2e"
-	cfg.Kubectl = "/home/josh/go/src/github.com/jetstack/kube-oidc-proxy/bin/kubectl"
-	cfg.RepoRoot = "/home/josh/go/src/github.com/jetstack/kube-oidc-proxy"
-	cfg.Environment = env
-
 	if err := framework.DefaultConfig.Validate(); err != nil {
 		log.Fatalf("Invalid test config: %v", err)
 	}