
Commit f9f1897

committed
oidc: ensure console and cli OIDC clients are available when enabling OIDC
Signed-off-by: Bryce Palmer <[email protected]>
1 parent 43159a2 commit f9f1897

File tree

1 file changed

+22
-0
lines changed
  • test/extended/authentication

1 file changed

+22
-0
lines changed

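--- a/test/extended/authentication/oidc.go
+++ b/test/extended/authentication/oidc.go
@@ -19,6 +19,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/equality"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
+"k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/apimachinery/pkg/util/errors"
 
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -116,6 +117,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 waitForRollout(ctx, oc)
+waitForHealthyOIDCClients(ctx, oc)
 })
 
 g.Describe("external IdP is configured", g.Ordered, func() {
@@ -283,6 +285,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 waitForRollout(ctx, oc)
+waitForHealthyOIDCClients(ctx, oc)
 })
 
 g.It("should default UID to the 'sub' claim in the access token from the IdP", func() {
@@ -322,6 +325,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 waitForRollout(ctx, oc)
+waitForHealthyOIDCClients(ctx, oc)
 })
 
 g.Describe("checking cluster identity mapping", g.Ordered, func() {
@@ -601,3 +605,21 @@ func checkKubeAPIServerCondition(ctx context.Context, kasCli operatorv1client.Ku
 
 return nil
 }
+
+func waitForHealthyOIDCClients(ctx context.Context, client *exutil.CLI) {
+o.Eventually(func(gomega o.Gomega) {
+authn, err := client.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+gomega.Expect(err).NotTo(o.HaveOccurred())
+
+for _, client := range authn.Status.OIDCClients {
+// ignore clients that aren't OpenShift default clients
+if client.ComponentNamespace != "openshift-console" && !(client.ComponentName == "console" || client.ComponentName == "cli") {
+continue
+}
+
+availableCondition := meta.FindStatusCondition(client.Conditions, "Available")
+gomega.Expect(availableCondition).NotTo(o.BeNil(), fmt.Sprintf("oidc client %s/%s should have an Available condition", client.ComponentNamespace, client.ComponentName))
+gomega.Expect(availableCondition.Status).To(o.Equal(metav1.ConditionTrue), fmt.Sprintf("oidc client %s/%s should be available but was not", client.ComponentNamespace, client.ComponentName), availableCondition)
+}
+}).WithTimeout(10*time.Minute).WithPolling(20*time.Second).Should(o.Succeed(), "should eventually have healthy OIDC client configurations")
+}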
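Review bot: The wait in `waitForHealthyOIDCClients` can succeed without checking anything: if `authn.Status.OIDCClients` is empty, or does not yet list the console and cli entries, no assertion in the loop runs and `Eventually` passes on the first poll. The three call sites added in the earlier hunks rely on it to gate the tests on both clients being Available, so it should record which default clients it saw and require both, as in the excerpt below. Separately, the skip condition joins the namespace test and the name test with `&&`, so it keeps every client in `openshift-console` and every client named `console` or `cli` in any namespace. If an exact namespace-and-name match is intended, that needs `||`, which is worth confirming against how the cli client is registered.

```go
seen := map[string]bool{}
for _, client := range authn.Status.OIDCClients {
	// … unchanged: skip clients that aren't OpenShift default clients …
	seen[client.ComponentName] = true
	// … unchanged: Available condition assertions …
}
// an absent entry must fail the poll rather than pass it vacuously
gomega.Expect(seen).To(o.HaveKey("console"), "authentication status should list the console OIDC client")
gomega.Expect(seen).To(o.HaveKey("cli"), "authentication status should list the cli OIDC client")
```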
