Remove AllowAll IDP dependency for extended and integration tests
#11269
Conversation
|
cc @brenton |
| @@ -64,52 +65,59 @@ func GetClusterAdminClientConfig(adminKubeConfigFile string) (*restclient.Config | |||
| } | |||
|
|
|||
| func GetClientForUser(clientConfig restclient.Config, username string) (*client.Client, *kclient.Client, *restclient.Config, error) { | |||
There was a problem hiding this comment.
add a first param of adminClient *client.Client instead of assuming the clientConfig is both the admin config and the template for the user config
| if _, _, _, err := GetClientForUser(clientConfig, username); err != nil { | ||
| return nil, nil, nil, err | ||
| func getOrCreateUser(adminClient *client.Client, username string) (*userapi.User, error) { | ||
| user, err := adminClient.Users().Create(&userapi.User{ObjectMeta: kapi.ObjectMeta{Name: username}}) |
There was a problem hiding this comment.
user, err := ... create
if err == nil {
return user, nil
}
if kerrs.IsAlreadyExists(err) {
return adminClient.Users().Get(username)
}
return nil, err
| return nil, nil, nil, err | ||
|
|
||
| var err error | ||
| token, err = adminClient.OAuthAccessTokens().Create(token) |
There was a problem hiding this comment.
return adminClient.OAuthAccessTokens().Create(token)
| return token, nil | ||
| } | ||
|
|
||
| func getScopedClientForConfig(clientConfig *restclient.Config, token string) (*client.Client, *kclient.Client, *restclient.Config, error) { |
There was a problem hiding this comment.
better name, this doesn't have anything to do with scopes
|
Thanks for looking at this @enj! Would it be possible to have the tests remove the users when the tests terminate as part of this PR? |
|
[test] |
|
While I think it is worthwhile to remove the dependency on the
Useful how? The tests validate our code, not our customer's cluster's health.
This could delete valid users just as easily as it would delete the test users. |
|
@liggitt minus the flakes this seems to working. I may have been overzealous with the refactor though... |
|
@enj , To clean up projects and users we could probably improve our logging to make it easy for admins to run a cleanup job afterwards. While the conformance tests are primarily concerned with validating OpenShift/Kube code itself. They do exercise a fair amount of the environment. Many admins have expressed the need to be able to produce large numbers of builds and deployments to validate their infrastructure changes. Eg, post upgrade they like to know if something is broken rather than waiting for their users to report it. |
|
The problem with using these tests is that any developer at any point could add a test that does |
|
@enj, Ahh, I see your concern. For what it's worth, we certainly are going to review the subset of tests that customers would be allowed to run. There would be another wrapper script to explicitly run certain tests. QE would even validate this wrapper script doesn't break a running environment before we would ever ship them in the product. |
|
@brenton IMO this is the wrong approach, especially with the amount of work that is being proposed via QE validation. I believe a better way to go about it would be to make an entirely separate repository (something like
@liggitt thoughts? |
|
If someone had time to do that I don't deny it would be ideal. My understanding is that our own performance team is also using the Conformance tests to generate load today. They are another team that has requested being able to run these tests on an environment that has authentication configured (though they were not concerned with the upgrade scenario, only fresh installs of OCP). |
|
I don't entirely see the need for an entirely new repository though. Perhaps a new directory in Origin with a README. Otherwise there's a little more overhear maintaining it along with new PRs that come in. |
openshift-bot
added
the
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
| @@ -1191,7 +1191,7 @@ func TestOldLocalSubjectAccessReviewEndpoint(t *testing.T) { | |||
| }, | |||
| } | |||
| actualResponse := &authorizationapi.SubjectAccessReviewResponse{} | |||
| err := haroldClient.Post().Namespace(namespace).Resource("subjectAccessReviews").Body(sar).Do().Into(actualResponse) | |||
| err := haroldClient.(*client.Client).Post().Namespace(namespace).Resource("subjectAccessReviews").Body(sar).Do().Into(actualResponse) | |||
There was a problem hiding this comment.
why are these casts needed?
There was a problem hiding this comment.
Because I changed the functions to return the client interface instead of the raw client. I should be able to get rid of the casts by implementing anything missing.
| token := &oauthapi.OAuthAccessToken{ | ||
| ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", username, rand.Int())}, | ||
| ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", user.Name, rand.Int())}, |
There was a problem hiding this comment.
auto-creating a token named like this is just one of the many reasons this should never be run on a production cluster
|
most of this seems fine, though I wouldn't merge it until we could get rid of the type casts... @brenton, the assumptions that random usernames are available to run tests as, the destruction of random namespaces, and the generation of insecure tokens are all reasons these tests shouldn't run against a production server |
|
@liggitt, that definitely makes sense given the current state of things. I still hear a lot of people wishing they had a suite of tests to run on production environments and they are going to have many of the same bootstrapping challenges as the e2e tests. Does it seem reasonable to reserve certain resources as test only? Take the example.com domain. They built that in to the dns spec for the purposes of testing. |
enj
force-pushed
the
enj/i/et_explicit_user_token/11255
branch
from
6754be3 to
c07d082
Compare
enj
removed
the
needs-rebase
| if err != nil { | ||
| return nil, err | ||
| } | ||
| rawClient, ok := adminClient.(*client.Client) |
There was a problem hiding this comment.
@liggitt This is the only type cast I was not able to remove without adding a bunch of code.
| } | ||
|
|
||
| // do not use this func unless you need to do raw REST or other low level operations | ||
| func GetClusterAdminClientRaw(adminKubeConfigFile string) (*client.Client, error) { |
There was a problem hiding this comment.
@liggitt This allowed me to get around the other type casts in the places where we needed the raw client.
|
@liggitt This is ready assuming the tests pass. |
Signed-off-by: Monis Khan <mkhan@redhat.com>
enj
force-pushed
the
enj/i/et_explicit_user_token/11255
branch
from
29076b2 to
c6dd940
Compare
|
Evaluated for origin test up to c6dd940 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13092/) (Base Commit: 9a006a8) |
|
Flake on #12558 |
openshift-bot
added
the
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
openshift-bot
added
needs-rebase
|
Origin Action Required: Pull request cannot be automatically merged, please rebase your branch from latest HEAD and push again |
openshift-bot
added
the
needs-rebase
|
@soltysh did you ever end up doing anything with this? |
|
@enj nope I didn't do anything with it, this is the first time I hear about it. |
|
@soltysh I just remember you wanting to switch tests to use the client interface, which I had started to do here. |
|
Oh that, hmm... that is still on my todo list ;) |
Fixes #11255