func TestUnprivilegedNewProjectDenied(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role.Rules = []authorizationapi.PolicyRule{}
if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(valerieOpenshiftClient, "create", projectapi.Resource("projectrequests"), false); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
_, err = valerieOpenshiftClient.ProjectRequests().List(kapi.ListOptions{})
if err == nil {
t.Fatalf("expected error: %v", err)
}
expectedError := `You may not request a new project via this API.`
if (err != nil) && (err.Error() != expectedError) {
t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error())
}
}
func TestTemplateTransformationFromConfig(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
walkJSONFiles("../templates/fixtures", func(name, path string, data []byte) {
template, err := runtime.Decode(kapi.Codecs.UniversalDecoder(), data)
if err != nil {
t.Errorf("%q: unexpected error: %v", path, err)
return
}
config, err := clusterAdminClient.TemplateConfigs("default").Create(template.(*templateapi.Template))
if err != nil {
t.Errorf("%q: unexpected error: %v", path, err)
return
}
if len(config.Objects) == 0 {
t.Errorf("%q: no items in config object", path)
return
}
t.Logf("tested %q", path)
})
}
func TestSimpleImageChangeBuildTriggerFromImageStreamTagCustomWithConfigChange(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
projectAdminClient, _ := setup(t)
clusterAdminClient, err := testutil.GetClusterAdminClient(testutil.GetBaseDir() + "/openshift.local.config/master/admin.kubeconfig")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterRoleBindingAccessor := policy.NewClusterRoleBindingAccessor(clusterAdminClient)
subjects := []kapi.ObjectReference{
{
Kind: authorizationapi.SystemGroupKind,
Name: bootstrappolicy.AuthenticatedGroup,
},
}
options := policy.RoleModificationOptions{
RoleNamespace: testutil.Namespace(),
RoleName: bootstrappolicy.BuildStrategyCustomRoleName,
RoleBindingAccessor: clusterRoleBindingAccessor,
Subjects: subjects,
}
options.AddRole()
if err := testutil.WaitForPolicyUpdate(projectAdminClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.CustomBuildResource), true); err != nil {
t.Fatal(err)
}
imageStream := mockImageStream2(tag)
imageStreamMapping := mockImageStreamMapping(imageStream.Name, "someimage", tag, "registry:8080/openshift/test-image-trigger:"+tag)
strategy := customStrategy("ImageStreamTag", streamName+":"+tag)
config := imageChangeBuildConfigWithConfigChange("custom-imagestreamtag", strategy)
runTest(t, "SimpleImageChangeBuildTriggerFromImageStreamTagCustom", projectAdminClient, imageStream, imageStreamMapping, config, tag)
}
func TestGroupCommands(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
newGroup := &groupscmd.NewGroupOptions{
GroupClient: clusterAdminClient.Groups(),
Group: "group1",
Users: []string{"first", "second", "third", "first"},
Printer: func(runtime.Object, io.Writer) error {
return nil
},
}
if err := newGroup.AddGroup(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err := clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
modifyUsers := &groupscmd.GroupModificationOptions{
GroupClient: clusterAdminClient.Groups(),
Group: "group1",
Users: []string{"second", "fourth", "fifth"},
}
if err := modifyUsers.AddUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third", "fourth", "fifth"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
if err := modifyUsers.RemoveUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
}
func TestLeaderLeaseSwapWhileWaiting(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
client := testutil.NewEtcdClient()
key := "/random/key"
if _, err := client.Create(key, "holder", 10); err != nil {
t.Fatal(err)
}
go func() {
time.Sleep(time.Second)
if _, err := client.Set(key, "other", 10); err != nil {
t.Fatal(err)
}
glog.Infof("Changed key ownership")
}()
lease := leaderlease.NewEtcd(client, key, "other", 10)
ch := make(chan error, 1)
go lease.AcquireAndHold(ch)
<-ch
glog.Infof("Lease acquired")
lease.Release()
if err, ok := <-ch; err == nil || !ok || !strings.Contains(err.Error(), "the lease has been lost") {
t.Errorf("Expected error and open channel when lease was swapped: %v %t", err, ok)
}
<-ch
glog.Infof("Lease gone")
}
func TestAutomaticCreationOfPullSecrets(t *testing.T) {
saNamespace := api.NamespaceDefault
saName := serviceaccountadmission.DefaultServiceAccountName
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get a service account token
saToken, err := waitForServiceAccountToken(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saToken) == 0 {
t.Errorf("token was not created")
}
// Get the matching dockercfg secret
saPullSecret, err := waitForServiceAccountPullSecret(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saPullSecret) == 0 {
t.Errorf("pull secret was not created")
}
}
func TestAccessOriginWebConsole(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterOptions, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err = testserver.StartConfiguredMaster(masterOptions); err != nil {
t.Fatalf("unexpected error: %v", err)
}
for endpoint, exp := range map[string]struct {
statusCode int
location string
}{
"": {http.StatusFound, masterOptions.AssetConfig.PublicURL},
"healthz": {http.StatusOK, ""},
"login": {http.StatusOK, ""},
"oauth/token/request": {http.StatusFound, masterOptions.AssetConfig.MasterPublicURL + "/oauth/authorize"},
"console": {http.StatusMovedPermanently, "/console/"},
"console/": {http.StatusOK, ""},
"console/java": {http.StatusOK, ""},
} {
url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
tryAccessURL(t, url, exp.statusCode, exp.location, nil)
}
}
func TestLeaderLeaseSwapWhileWaiting(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
c, err := testutil.MakeNewEtcdClient()
if err != nil {
t.Fatal(err)
}
client := etcdclient.NewKeysAPI(c)
key := "/random/key"
if _, err := client.Set(context.Background(), key, "holder", &etcdclient.SetOptions{TTL: 10 * time.Second, PrevExist: etcdclient.PrevNoExist}); err != nil {
t.Fatal(err)
}
go func() {
time.Sleep(time.Second)
if _, err := client.Set(context.Background(), key, "other", &etcdclient.SetOptions{TTL: 10 * time.Second}); err != nil {
t.Fatal(err)
}
glog.Infof("Changed key ownership")
}()
lease := leaderlease.NewEtcd(c, key, "other", 10)
ch := make(chan error, 1)
go lease.AcquireAndHold(ch)
<-ch
glog.Infof("Lease acquired")
lease.Release()
if err, ok := <-ch; err == nil || !ok || !strings.Contains(err.Error(), "the lease has been lost") {
t.Errorf("Expected error and open channel when lease was swapped: %v %t", err, ok)
}
<-ch
glog.Infof("Lease gone")
}
func TestClusterResourceOverridePluginWithNoLimits(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
config := &overrideapi.ClusterResourceOverrideConfig{
LimitCPUToMemoryPercent: 100,
CPURequestToLimitPercent: 50,
MemoryRequestToLimitPercent: 50,
}
kubeClientset := setupClusterResourceOverrideTest(t, config)
podHandler := kubeClientset.Core().Pods(testutil.Namespace())
// test with no limits object present
podCreated, err := podHandler.Create(testClusterResourceOverridePod("limitless", "2Gi", "1"))
if err != nil {
t.Fatal(err)
}
if memory := podCreated.Spec.Containers[0].Resources.Requests.Memory(); memory.Cmp(resource.MustParse("1Gi")) != 0 {
t.Errorf("limitlesspod: Memory did not match expected 1Gi: %#v", memory)
}
if cpu := podCreated.Spec.Containers[0].Resources.Limits.Cpu(); cpu.Cmp(resource.MustParse("2")) != 0 {
t.Errorf("limitlesspod: CPU limit did not match expected 2 core: %#v", cpu)
}
if cpu := podCreated.Spec.Containers[0].Resources.Requests.Cpu(); cpu.Cmp(resource.MustParse("1")) != 0 {
t.Errorf("limitlesspod: CPU req did not match expected 1 core: %#v", cpu)
}
}
func TestImageStreamList(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
builds, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(kapi.ListOptions{})
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(builds.Items) != 0 {
t.Errorf("Expected no builds, got %#v", builds.Items)
}
}
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// can I get a subjectaccessreview on myself even if I have no rights to do it generally
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create policybindings in project "openshift"`,
Namespace: "openshift",
},
}.run(t)
// I shouldn't be allowed to ask whether someone else can perform an action
askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
Groups: sets.NewString("system:cluster-admins"),
Action: authorizationapi.Action{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanClusterAdminsCreateProject,
err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
}.run(t)
}
func TestPodNodeConstraintsAdmissionPluginSetNodeSelectorNonAdmin(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
config := &pluginapi.PodNodeConstraintsConfig{
NodeSelectorLabelBlacklist: []string{"hostname"},
}
oclient, kclientset := setupUserPodNodeConstraintsTest(t, config, "derples")
testPodNodeConstraintsObjectCreationWithPodTemplate(t, "set node selector, regular user", kclientset, oclient, "", map[string]string{"hostname": "foo"}, true)
}
func TestStorageVersionsUnified(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
runStorageTest(t, "unified",
extensions_v1beta1.SchemeGroupVersion,
extensions_v1beta1.SchemeGroupVersion,
extensions_v1beta1.SchemeGroupVersion,
)
}
func TestPodNodeConstraintsAdmissionPluginSetNodeSelectorClusterAdmin(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
config := &pluginapi.PodNodeConstraintsConfig{
NodeSelectorLabelBlacklist: []string{"hostname"},
}
oclient, kclientset := setupClusterAdminPodNodeConstraintsTest(t, config)
testPodNodeConstraintsObjectCreationWithPodTemplate(t, "set node selector, cluster admin", kclientset, oclient, "", map[string]string{"hostname": "foo"}, false)
}
func TestWebhookGitHubPing(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unable to start master: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get kubeClient: %v", err)
}
osClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get osClient: %v", err)
}
kubeClient.Core().Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
// create buildconfig
buildConfig := mockBuildConfigImageParms("originalimage", "imagestream", "validtag")
if _, err := osClient.BuildConfigs(testutil.Namespace()).Create(buildConfig); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
watch, err := osClient.Builds(testutil.Namespace()).Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("Couldn't subscribe to builds: %v", err)
}
defer watch.Stop()
for _, s := range []string{
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret101/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret100/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret102/github",
} {
// trigger build event sending push notification
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
postFile(osClient.RESTClient.Client, "ping", "pingevent.json", clusterAdminClientConfig.Host+s, http.StatusOK, t)
// TODO: improve negative testing
timer := time.NewTimer(time.Second / 2)
select {
case <-timer.C:
// nothing should happen
case event := <-watch.ResultChan():
build := event.Object.(*buildapi.Build)
t.Fatalf("Unexpected build created: %#v", build)
}
}
}
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(kapi.ListOptions{}); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(kapi.ListOptions{}); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
func TestSimpleImageChangeBuildTriggerFromImageStreamTagDockerWithConfigChange(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
projectAdminClient, _ := setup(t)
imageStream := mockImageStream2(tag)
imageStreamMapping := mockImageStreamMapping(imageStream.Name, "someimage", tag, "registry:8080/openshift/test-image-trigger:"+tag)
strategy := dockerStrategy("ImageStreamTag", streamName+":"+tag)
config := imageChangeBuildConfigWithConfigChange("docker-imagestreamtag", strategy)
runTest(t, "SimpleImageChangeBuildTriggerFromImageStreamTagDocker", projectAdminClient, imageStream, imageStreamMapping, config, tag)
}
func TestRootRedirect(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterConfig, _, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
transport := knet.SetTransportDefaults(&http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
})
req, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "*/*")
resp, err := transport.RoundTrip(req)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("Expected %d, got %d", http.StatusOK, resp.StatusCode)
}
if resp.Header.Get("Content-Type") != "application/json" {
t.Fatalf("Expected %s, got %s", "application/json", resp.Header.Get("Content-Type"))
}
type result struct {
Paths []string
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Unexpected error reading the body: %v", err)
}
var got result
json.Unmarshal(body, &got)
sort.Strings(got.Paths)
if !reflect.DeepEqual(got.Paths, expectedIndex) {
t.Fatalf("Unexpected index: got=%v, expected=%v", got, expectedIndex)
}
req, err = http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "text/html")
resp, err = transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusFound {
t.Errorf("Expected %d, got %d", http.StatusFound, resp.StatusCode)
}
if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL {
t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location"))
}
// TODO add a test for when asset config is nil, the redirect should not occur in this case even when
// accept header contains text/html
}
func TestClusterResourceOverridePluginWithLimits(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
config := &overrideapi.ClusterResourceOverrideConfig{
LimitCPUToMemoryPercent: 100,
CPURequestToLimitPercent: 50,
MemoryRequestToLimitPercent: 50,
}
kubeClientset := setupClusterResourceOverrideTest(t, config)
podHandler := kubeClientset.Core().Pods(testutil.Namespace())
limitHandler := kubeClientset.Core().LimitRanges(testutil.Namespace())
// test with limits object with defaults;
// I wanted to test with a limits object without defaults to see limits forbid an empty resource spec,
// but found that if defaults aren't set in the limit object, something still fills them in.
// note: defaults are only used when quantities are *missing*, not when they are 0
limitItem := kapi.LimitRangeItem{
Type: kapi.LimitTypeContainer,
Max: testResourceList("2Gi", "2"),
Min: testResourceList("128Mi", "200m"),
Default: testResourceList("512Mi", "500m"), // note: auto-filled from max if we set that;
DefaultRequest: testResourceList("128Mi", "200m"), // filled from max if set, or min if that is set
MaxLimitRequestRatio: kapi.ResourceList{},
}
limit := &kapi.LimitRange{
ObjectMeta: kapi.ObjectMeta{Name: "limit"},
Spec: kapi.LimitRangeSpec{Limits: []kapi.LimitRangeItem{limitItem}},
}
_, err := limitHandler.Create(limit)
if err != nil {
t.Fatal(err)
}
podCreated, err := podHandler.Create(testClusterResourceOverridePod("limit-with-default", "", "1"))
if err != nil {
t.Fatal(err)
}
if memory := podCreated.Spec.Containers[0].Resources.Limits.Memory(); memory.Cmp(resource.MustParse("512Mi")) != 0 {
t.Errorf("limit-with-default: Memory limit did not match default 512Mi: %v", memory)
}
if memory := podCreated.Spec.Containers[0].Resources.Requests.Memory(); memory.Cmp(resource.MustParse("256Mi")) != 0 {
t.Errorf("limit-with-default: Memory req did not match expected 256Mi: %v", memory)
}
if cpu := podCreated.Spec.Containers[0].Resources.Limits.Cpu(); cpu.Cmp(resource.MustParse("500m")) != 0 {
t.Errorf("limit-with-default: CPU limit did not match expected 500 mcore: %v", cpu)
}
if cpu := podCreated.Spec.Containers[0].Resources.Requests.Cpu(); cpu.Cmp(resource.MustParse("250m")) != 0 {
t.Errorf("limit-with-default: CPU req did not match expected 250 mcore: %v", cpu)
}
// set it up so that the overrides create resources that fail validation
_, err = podHandler.Create(testClusterResourceOverridePod("limit-with-default-fail", "128Mi", "1"))
if err == nil {
t.Errorf("limit-with-default-fail: expected to be forbidden")
} else if !apierrors.IsForbidden(err) {
t.Errorf("limit-with-default-fail: unexpected error: %v", err)
}
}
func TestBasicFunctionalityWithAudit(t *testing.T) {
kubeClient, _ := setupAuditTest(t)
defer testutil.DumpEtcdOnFailure(t)
if _, err := kubeClient.Core().Pods(kapi.NamespaceDefault).Watch(kapi.ListOptions{}); err != nil {
t.Errorf("Unexpected error watching pods: %v", err)
}
// TOOD: test oc debug, exec, rsh, port-forward
}
func TestBuildOverrideForcePull(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
oclient, kclientset := setupBuildOverridesAdmissionTest(t, &overridesapi.BuildOverridesConfig{
ForcePull: true,
})
build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild())
if !build.Spec.Strategy.DockerStrategy.ForcePull {
t.Errorf("ForcePull was not set on resulting build")
}
}
func TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, true)
clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient}
buildConfigs := map[string]*buildapi.BuildConfig{}
// by default admins and editors can create all type of buildconfigs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
if buildConfigs[string(strategy)+clientType], err = createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); err != nil {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
// by default admins and editors can instantiate build configs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); err != nil {
t.Errorf("unexpected instantiate error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// make sure buildconfigs are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure buildconfig updates are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := updateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure instantiate is rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
}
func TestBuildDefaultAnnotations(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
annotations := map[string]string{"KEY": "VALUE"}
oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{
Annotations: annotations,
})
_, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild())
if actual := pod.Annotations; strings.Compare(actual["KEY"], annotations["KEY"]) != 0 {
t.Errorf("Resulting pod did not get expected annotations: actual: %v, expected: %v", actual["KEY"], annotations["KEY"])
}
}
func TestBuildDefaultGitHTTPSProxy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
httpsProxy := "https://my.test.proxy:12345"
oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{
GitHTTPSProxy: httpsProxy,
})
build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild())
if actual := build.Spec.Source.Git.HTTPSProxy; actual == nil || *actual != httpsProxy {
t.Errorf("Resulting build did not get expected HTTPS proxy: %v", actual)
}
}
func TestBuildDefaultNodeSelectors(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
selectors := map[string]string{"KEY": "VALUE"}
oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{
NodeSelector: selectors,
})
_, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild())
if actual := pod.Spec.NodeSelector; !reflect.DeepEqual(selectors, actual) {
t.Errorf("Resulting pod did not get expected nodeselectors: %v", actual)
}
}
func TestBuildDefaultLabels(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
labels := []buildapi.ImageLabel{{Name: "KEY", Value: "VALUE"}}
oclient, kclientset := setupBuildDefaultsAdmissionTest(t, &defaultsapi.BuildDefaultsConfig{
ImageLabels: labels,
})
build, _ := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestDockerBuild())
if actual := build.Spec.Output.ImageLabels; !reflect.DeepEqual(labels, actual) {
t.Errorf("Resulting build did not get expected labels: %v", actual)
}
}
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(kapi.ListOptions{})
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}
// TestRouterReloadSuppressionOnSync validates that the router will
// not be reloaded until all events from the initial sync have been
// processed. Reload should similarly suppressed on subsequent
// resyncs.
func TestRouterReloadSuppressionOnSync(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
stressRouter(
t,
// Allow the test to be configured to enable experimentation
// without a costly (~60s+) go build.
cmdutil.EnvInt("OS_TEST_NAMESPACE_COUNT", 1, 1),
cmdutil.EnvInt("OS_TEST_ROUTES_PER_NAMESPACE", 10, 10),
cmdutil.EnvInt("OS_TEST_ROUTER_COUNT", 1, 1),
cmdutil.EnvInt("OS_TEST_MAX_ROUTER_DELAY", 10, 10),
)
}
func TestRunOnceDurationAdmissionPlugin(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
var secs int64 = 3600
config := &pluginapi.RunOnceDurationConfig{
ActiveDeadlineSecondsLimit: &secs,
}
kclient := setupRunOnceDurationTest(t, config, nil)
testPodDuration(t, "global, no duration", kclient, testRunOnceDurationPod(0), 3600)
testPodDuration(t, "global, larger duration", kclient, testRunOnceDurationPod(7200), 3600)
testPodDuration(t, "global, smaller duration", kclient, testRunOnceDurationPod(100), 100)
}
func TestBuildOverrideForcePullCustomStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
oclient, kclientset := setupBuildOverridesAdmissionTest(t, &overridesapi.BuildOverridesConfig{
ForcePull: true,
})
build, pod := runBuildPodAdmissionTest(t, oclient, kclientset, buildPodAdmissionTestCustomBuild())
if pod.Spec.Containers[0].ImagePullPolicy != kapi.PullAlways {
t.Errorf("Pod ImagePullPolicy is not PullAlways")
}
if !build.Spec.Strategy.CustomStrategy.ForcePull {
t.Errorf("ForcePull was not set on resulting build")
}
}
