func TestImageStreamDelete(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
stream := mockImageStream()
if err := clusterAdminClient.ImageStreams(testutil.Namespace()).Delete(stream.Name); err == nil || !errors.IsNotFound(err) {
t.Fatalf("Unxpected non-error or type: %v", err)
}
actual, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if err := clusterAdminClient.ImageStreams(testutil.Namespace()).Delete(actual.Name); err != nil {
t.Fatalf("Unxpected error: %v", err)
}
}
func TestTemplateTransformationFromConfig(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
walkJSONFiles("../templates/fixtures", func(name, path string, data []byte) {
template, err := runtime.Decode(kapi.Codecs.UniversalDecoder(), data)
if err != nil {
t.Errorf("%q: unexpected error: %v", path, err)
return
}
config, err := clusterAdminClient.TemplateConfigs("default").Create(template.(*templateapi.Template))
if err != nil {
t.Errorf("%q: unexpected error: %v", path, err)
return
}
if len(config.Objects) == 0 {
t.Errorf("%q: no items in config object", path)
return
}
t.Logf("tested %q", path)
})
}
func TestAutomaticCreationOfPullSecrets(t *testing.T) {
saNamespace := api.NamespaceDefault
saName := serviceaccountadmission.DefaultServiceAccountName
_, clusterAdminConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get a service account token
saToken, err := waitForServiceAccountToken(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saToken) == 0 {
t.Errorf("token was not created")
}
// Get the matching dockercfg secret
saPullSecret, err := waitForServiceAccountPullSecret(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saPullSecret) == 0 {
t.Errorf("pull secret was not created")
}
}
func TestUnprivilegedNewProject(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
allowed, err := valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if allowed.Status != unversioned.StatusSuccess {
t.Fatalf("expected %v, got %v", unversioned.StatusSuccess, allowed.Status)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
if err := requestProject.Run(); !kapierrors.IsAlreadyExists(err) {
t.Fatalf("expected an already exists error, but got %v", err)
}
}
func TestImageStreamList(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
builds, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(kapi.ListOptions{})
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(builds.Items) != 0 {
t.Errorf("Expected no builds, got %#v", builds.Items)
}
}
func TestClientSet_v1_3(t *testing.T) {
const namespace = "test-clientset-v13"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatal(err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
testCreateProject := func() {
c, err := projectclient.NewForConfig(clusterAdminClientConfig)
if err != nil {
t.Fatal(err)
}
project := &v1projectapi.Project{}
project.Name = namespace
if _, err := c.Projects().Create(project); err != nil {
t.Fatal(err)
}
}
testBuilds := func() {
c, err := buildclient.NewForConfig(clusterAdminClientConfig)
if err != nil {
t.Fatal(err)
}
build := &v1buildapi.Build{}
build.Name = "test-build"
build.Spec.Source.Git = &v1buildapi.GitBuildSource{URI: "http://build.uri/build"}
build.Spec.Strategy.DockerStrategy = &v1buildapi.DockerBuildStrategy{}
build.Spec.Output.To = &kapiv1.ObjectReference{
Kind: "DockerImage",
Name: "namespace/image",
}
if _, err := c.Builds(namespace).Create(build); err != nil {
t.Fatal(err)
}
result, err := c.Builds(namespace).List(api.ListOptions{})
if err != nil {
t.Fatal(err)
}
if len(result.Items) != 1 {
t.Fatal(fmt.Errorf("expected to get 1 build, got %d", len(result.Items)))
}
if _, err := c.Builds(namespace).Get(build.Name); err != nil {
t.Fatal(err)
}
}
// try to create the non-namespaced resource
testCreateProject()
// try to create the namespace resource
testBuilds()
}
func setupBuildStrategyTest(t *testing.T) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
namespace := testutil.Namespace()
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
t.Fatalf(err.Error())
}
// Create builder image stream and tag
imageStream := &imageapi.ImageStream{}
imageStream.Name = "builderimage"
_, err = clusterAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream)
if err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
// Create image stream mapping
imageStreamMapping := &imageapi.ImageStreamMapping{}
imageStreamMapping.Name = "builderimage"
imageStreamMapping.Tag = "latest"
imageStreamMapping.Image.Name = "image-id"
imageStreamMapping.Image.DockerImageReference = "test/builderimage:latest"
err = clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(imageStreamMapping)
if err != nil {
t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
}
return
}
// TestProjectMustExist verifies that content cannot be added in a project that does not exist
func TestProjectMustExist(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
pod := &kapi.Pod{
ObjectMeta: kapi.ObjectMeta{Name: "pod"},
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
RestartPolicy: kapi.RestartPolicyAlways,
DNSPolicy: kapi.DNSClusterFirst,
},
}
_, err = clusterAdminKubeClient.Pods("test").Create(pod)
if err == nil {
t.Errorf("Expected an error on creation of a Kubernetes resource because namespace does not exist")
}
build := &buildapi.Build{
ObjectMeta: kapi.ObjectMeta{Name: "buildid", Namespace: "default"},
Spec: buildapi.BuildSpec{
Source: buildapi.BuildSource{
Git: &buildapi.GitBuildSource{
URI: "http://github.com/my/repository",
},
ContextDir: "context",
},
Strategy: buildapi.BuildStrategy{
DockerStrategy: &buildapi.DockerBuildStrategy{},
},
Output: buildapi.BuildOutput{
To: &kapi.ObjectReference{
Kind: "DockerImage",
Name: "repository/data",
},
},
},
Status: buildapi.BuildStatus{
Phase: buildapi.BuildPhaseNew,
},
}
_, err = clusterAdminClient.Builds("test").Create(build)
if err == nil {
t.Errorf("Expected an error on creation of a Origin resource because namespace does not exist")
}
}
func TestUnprivilegedNewProjectDenied(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role.Rules = []authorizationapi.PolicyRule{}
if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForClusterPolicyUpdate(valerieOpenshiftClient, "create", "projectrequests", false); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
_, err = valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err == nil {
t.Fatalf("expected error: %v", err)
}
expectedError := `You may not request a new project via this API.`
if (err != nil) && (err.Error() != expectedError) {
t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error())
}
}
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// can I get a subjectaccessreview on myself even if I have no rights to do it generally
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create policybindings in project "openshift"`,
Namespace: "openshift",
},
}.run(t)
// I shouldn't be allowed to ask whether someone else can perform an action
askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
Groups: sets.NewString("system:cluster-admins"),
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanClusterAdminsCreateProject,
err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
}.run(t)
}
func TestWebhookGitHubPing(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unable to start master: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get kubeClient: %v", err)
}
osClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unable to get osClient: %v", err)
}
kubeClient.Core().Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
// create buildconfig
buildConfig := mockBuildConfigImageParms("originalimage", "imagestream", "validtag")
if _, err := osClient.BuildConfigs(testutil.Namespace()).Create(buildConfig); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
watch, err := osClient.Builds(testutil.Namespace()).Watch(kapi.ListOptions{})
if err != nil {
t.Fatalf("Couldn't subscribe to builds: %v", err)
}
defer watch.Stop()
for _, s := range []string{
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret101/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret100/github",
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret102/github",
} {
// trigger build event sending push notification
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
postFile(osClient.RESTClient.Client, "ping", "pingevent.json", clusterAdminClientConfig.Host+s, http.StatusOK, t)
// TODO: improve negative testing
timer := time.NewTimer(time.Second / 2)
select {
case <-timer.C:
// nothing should happen
case event := <-watch.ResultChan():
build := event.Object.(*buildapi.Build)
t.Fatalf("Unexpected build created: %#v", build)
}
}
}
func TestDeployScale(t *testing.T) {
const namespace = "test-deploy-scale"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{}
config.Spec.Replicas = 1
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
scale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if scale.Spec.Replicas != 1 {
t.Fatalf("Expected scale.spec.replicas=1, got %#v", scale)
}
scaleUpdate := &extensions.Scale{
ObjectMeta: kapi.ObjectMeta{
Name: dc.Name,
Namespace: namespace,
},
Spec: extensions.ScaleSpec{Replicas: 3},
}
updatedScale, err := osClient.DeploymentConfigs(namespace).UpdateScale(scaleUpdate)
if err != nil {
// If this complains about "Scale" not being registered in "v1", check the kind overrides in the API registration in SubresourceGroupVersionKind
t.Fatalf("Couldn't update DeploymentConfig scale to %#v: %v", scaleUpdate, err)
}
if updatedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
persistedScale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if persistedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
}
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
func TestNamespaceLifecycleAdmission(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
checkErr(t, err)
for _, ns := range []string{"default", "openshift", "openshift-infra"} {
if err := clusterAdminClient.Namespaces().Delete(ns); err == nil {
t.Fatalf("expected error deleting %q namespace, got none", ns)
}
}
}
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}
func setupBuildControllerTest(counts controllerCount, t *testing.T) (*client.Client, *kclientset.Clientset) {
testutil.RequireEtcd(t)
master, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatal(err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
clusterAdminKubeClientset, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatal(err)
}
_, err = clusterAdminKubeClientset.Core().Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
if err != nil {
t.Fatal(err)
}
if err := testserver.WaitForServiceAccounts(clusterAdminKubeClientset, testutil.Namespace(), []string{bootstrappolicy.BuilderServiceAccountName, bootstrappolicy.DefaultServiceAccountName}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftConfig, err := origin.BuildMasterConfig(*master)
if err != nil {
t.Fatal(err)
}
// Get the build controller clients, since those rely on service account tokens
// We don't want to proceed with the rest of the test until those are available
openshiftConfig.BuildControllerClients()
for i := 0; i < counts.BuildControllers; i++ {
openshiftConfig.RunBuildController(openshiftConfig.Informers)
}
for i := 0; i < counts.BuildPodControllers; i++ {
openshiftConfig.RunBuildPodController()
}
for i := 0; i < counts.ImageChangeControllers; i++ {
openshiftConfig.RunBuildImageChangeTriggerController()
}
for i := 0; i < counts.ConfigChangeControllers; i++ {
openshiftConfig.RunBuildConfigChangeController()
}
return clusterAdminClient, clusterAdminKubeClientset
}
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
masterConfig, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
t.Errorf("unexpected error: %v", err)
}
// after the policy is deleted, we must wait for it to be cleared from the policy cache
err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
_, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything())
if err == nil {
return false, nil
}
if !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
return true, nil
})
if err != nil {
t.Errorf("timeout: %v", err)
}
etcdClient, err := etcd.GetAndTestEtcdClient(masterConfig.EtcdClientInfo)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
etcdHelper, err := origin.NewEtcdStorage(etcdClient, masterConfig.EtcdStorageConfig.OpenShiftStorageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := admin.OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
}
func TestGroupCommands(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
newGroup := &groupscmd.NewGroupOptions{clusterAdminClient.Groups(), "group1", []string{"first", "second", "third", "first"}}
if err := newGroup.AddGroup(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err := clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
modifyUsers := &groupscmd.GroupModificationOptions{clusterAdminClient.Groups(), "group1", []string{"second", "fourth", "fifth"}}
if err := modifyUsers.AddUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third", "fourth", "fifth"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
if err := modifyUsers.RemoveUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
}
func TestImageStreamCreate(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
stream := mockImageStream()
if _, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(&imageapi.ImageStream{}); err == nil || !errors.IsInvalid(err) {
t.Fatalf("Unexpected error: %v", err)
}
expected, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if expected.Name == "" {
t.Errorf("Unexpected empty image Name %v", expected)
}
actual, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Get(stream.Name)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if !reflect.DeepEqual(expected, actual) {
t.Errorf("unexpected object: %s", util.ObjectDiff(expected, actual))
}
streams, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(streams.Items) != 1 {
t.Errorf("Expected one image, got %#v", streams.Items)
}
}
func TestAuthorizationOnlyResolveRolesForBindingsThatMatter(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err = clusterAdminClient.ClusterRoles().Delete(bootstrappolicy.ViewRoleName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// try to add Valerie to a non-existent role
if err := addValerie.AddRole(); !kapierror.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
}
func TestRootRedirect(t *testing.T) {
masterConfig, _, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
}
req, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "*/*")
resp, err := transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected %d, got %d", http.StatusOK, resp.StatusCode)
}
if resp.Header.Get("Content-Type") != "application/json" {
t.Errorf("Expected %s, got %s", "application/json", resp.Header.Get("Content-Type"))
}
req, err = http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "text/html")
resp, err = transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusFound {
t.Errorf("Expected %d, got %d", http.StatusFound, resp.StatusCode)
}
if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL {
t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location"))
}
// TODO add a test for when asset config is nil, the redirect should not occur in this case even when
// accept header contains text/html
}
func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(valerieClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// ensure that a SAR for a non-exisitng namespace gives a SAR response and not a
// namespace doesn't exist response from admisison.
askCanICreatePodsInNonExistingNamespace := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Namespace: "foo", Verb: "create", Resource: "pods"},
}
subjectAccessReviewTest{
description: "ensure SAR for non-existing namespace does not leak namespace info",
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("foo"),
localReview: askCanICreatePodsInNonExistingNamespace,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create pods in project "foo"`,
Namespace: "foo",
},
}.run(t)
}
func TestAlwaysPullImagesOff(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, kubeConfigFile, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("error starting server: %v", err)
}
kubeClientset, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
ns := &kapi.Namespace{}
ns.Name = testutil.Namespace()
_, err = kubeClientset.Core().Namespaces().Create(ns)
if err != nil {
t.Fatalf("error creating namespace: %v", err)
}
if err := testserver.WaitForPodCreationServiceAccounts(kubeClientset, testutil.Namespace()); err != nil {
t.Fatalf("error getting client config: %v", err)
}
testPod := &kapi.Pod{}
testPod.GenerateName = "test"
testPod.Spec.Containers = []kapi.Container{
{
Name: "container",
Image: "openshift/origin-pod:notlatest",
ImagePullPolicy: kapi.PullNever,
},
}
actualPod, err := kubeClientset.Core().Pods(testutil.Namespace()).Create(testPod)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if actualPod.Spec.Containers[0].ImagePullPolicy != kapi.PullNever {
t.Errorf("expected %v, got %v", kapi.PullNever, actualPod.Spec.Containers[0].ImagePullPolicy)
}
}
func TestImageStreamList(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
builds, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(builds.Items) != 0 {
t.Errorf("Expected no builds, got %#v", builds.Items)
}
}
func setup(t *testing.T) *client.Client {
_, clusterAdminKubeConfigFile, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminKubeConfig, testutil.Namespace(), testutil.Namespace())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return projectAdminClient
}
func testSetupImageSignatureTest(t *testing.T, userName string) (adminClient *client.Client, userClient *client.Client, image *imageapi.Image) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
adminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
image, err = testutil.GetImageFixture("testdata/test-image.json")
if err != nil {
t.Fatalf("failed to read image fixture: %v", err)
}
image, err = adminClient.Images().Create(image)
if err != nil {
t.Fatalf("unexpected error creating image: %v", err)
}
if len(image.Signatures) != 0 {
t.Fatalf("expected empty signatures, not: %s", diff.ObjectDiff(image.Signatures, []imageapi.ImageSignature{}))
}
clusterAdminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
userClient, _, _, err = testutil.GetClientForUser(*clusterAdminConfig, userName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return adminClient, userClient, image
}
func TestDNS(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
masterConfig, clientFile, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
localAddr := ""
if ip, err := cmdutil.DefaultLocalIP4(); err == nil {
localAddr = ip.String()
} else if err == cmdutil.ErrorNoDefaultIP {
localAddr = "127.0.0.1"
} else if err != nil {
t.Fatalf("Unable to find a local IP address: %v", err)
}
localIP := net.ParseIP(localAddr)
var masterIP net.IP
// verify service DNS entry is visible
stop := make(chan struct{})
waitutil.Until(func() {
m1 := &dns.Msg{
MsgHdr: dns.MsgHdr{Id: dns.Id(), RecursionDesired: false},
Question: []dns.Question{{"kubernetes.default.svc.cluster.local.", dns.TypeA, dns.ClassINET}},
}
in, err := dns.Exchange(m1, masterConfig.DNSConfig.BindAddress)
if err != nil {
t.Logf("unexpected error: %v", err)
return
}
if len(in.Answer) != 1 {
t.Logf("unexpected answer: %#v", in)
return
}
if a, ok := in.Answer[0].(*dns.A); ok {
if a.A == nil {
t.Fatalf("expected an A record with an IP: %#v", a)
}
masterIP = a.A
} else {
t.Fatalf("expected an A record: %#v", in)
}
t.Log(in)
close(stop)
}, 50*time.Millisecond, stop)
client, err := testutil.GetClusterAdminKubeClient(clientFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Verify kubernetes service port is 53 and target port is the
// configured masterConfig.DNSConfig.BindAddress port.
_, dnsPortString, err := net.SplitHostPort(masterConfig.DNSConfig.BindAddress)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dnsPort, err := strconv.Atoi(dnsPortString)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
kubernetesService, err := client.Services(kapi.NamespaceDefault).Get("kubernetes")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
found := false
for _, port := range kubernetesService.Spec.Ports {
if port.Port == 53 && port.TargetPort.IntVal == int32(dnsPort) && port.Protocol == kapi.ProtocolTCP {
found = true
}
}
if !found {
t.Fatalf("did not find DNS port in kubernetes service: %#v", kubernetesService)
}
for {
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Spec: kapi.ServiceSpec{
ClusterIP: kapi.ClusterIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
if errors.IsForbidden(err) {
t.Logf("forbidden, sleeping: %v", err)
time.Sleep(100 * time.Millisecond)
continue
}
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.1"}},
Ports: []kapi.EndpointPort{
{Port: 2345},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
break
}
headlessIP := net.ParseIP("172.0.0.1")
headlessIPHash := getHash(headlessIP.String())
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Spec: kapi.ServiceSpec{
ClusterIP: kapi.ClusterIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.2"}},
Ports: []kapi.EndpointPort{
{Port: 2345, Name: "other"},
{Port: 2346, Name: "http"},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
headless2IP := net.ParseIP("172.0.0.2")
precannedIP := net.ParseIP("10.2.4.50")
headless2IPHash := getHash(headless2IP.String())
tests := []struct {
dnsQuestionName string
recursionExpected bool
retry bool
expect []*net.IP
srv []*dns.SRV
}{
{ // wildcard resolution of a service works
dnsQuestionName: "foo.kubernetes.default.svc.cluster.local.",
expect: []*net.IP{&masterIP},
},
{ // resolving endpoints of a service works
dnsQuestionName: "_endpoints.kubernetes.default.svc.cluster.local.",
expect: []*net.IP{&localIP},
},
{ // openshift override works
dnsQuestionName: "openshift.default.svc.cluster.local.",
expect: []*net.IP{&masterIP},
},
{ // pod by IP
dnsQuestionName: "10-2-4-50.default.pod.cluster.local.",
expect: []*net.IP{&precannedIP},
},
{ // headless service
dnsQuestionName: "headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // specific port of a headless service
dnsQuestionName: "unknown-port-2345.e1.headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // SRV record for that service
dnsQuestionName: "headless.default.svc.cluster.local.",
srv: []*dns.SRV{
{
Target: headlessIPHash + "._unknown-port-2345._tcp.headless.default.svc.cluster.local.",
Port: 2345,
},
},
},
{ // the SRV record resolves to the IP
dnsQuestionName: "unknown-port-2345.e1.headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // headless 2 service
dnsQuestionName: "headless2.default.svc.cluster.local.",
expect: []*net.IP{&headless2IP},
},
{ // SRV records for that service
dnsQuestionName: "headless2.default.svc.cluster.local.",
srv: []*dns.SRV{
{
Target: headless2IPHash + "._http._tcp.headless2.default.svc.cluster.local.",
Port: 2346,
},
{
Target: headless2IPHash + "._other._tcp.headless2.default.svc.cluster.local.",
Port: 2345,
},
},
},
{ // the SRV record resolves to the IP
dnsQuestionName: "other.e1.headless2.default.svc.cluster.local.",
expect: []*net.IP{&headless2IP},
},
{
dnsQuestionName: "www.google.com.",
recursionExpected: true,
},
}
for i, tc := range tests {
qType := dns.TypeA
if tc.srv != nil {
qType = dns.TypeSRV
}
m1 := &dns.Msg{
MsgHdr: dns.MsgHdr{Id: dns.Id(), RecursionDesired: tc.recursionExpected},
Question: []dns.Question{{tc.dnsQuestionName, qType, dns.ClassINET}},
}
ch := make(chan struct{})
count := 0
failedLatency := 0
waitutil.Until(func() {
count++
if count > 100 {
t.Errorf("%d: failed after max iterations", i)
close(ch)
return
}
before := time.Now()
in, err := dns.Exchange(m1, masterConfig.DNSConfig.BindAddress)
if err != nil {
return
}
after := time.Now()
delta := after.Sub(before)
if delta > 500*time.Millisecond {
failedLatency++
if failedLatency > 10 {
t.Errorf("%d: failed after 10 requests took longer than 500ms", i)
close(ch)
}
return
}
switch {
case tc.srv != nil:
if len(in.Answer) != len(tc.srv) {
t.Logf("%d: incorrect number of answers: %#v", i, in)
return
}
case tc.recursionExpected:
if len(in.Answer) == 0 {
t.Errorf("%d: expected forward resolution: %#v", i, in)
}
close(ch)
return
default:
if len(in.Answer) != len(tc.expect) {
t.Logf("%d: did not resolve or unexpected forward resolution: %#v", i, in)
return
}
}
for _, answer := range in.Answer {
switch a := answer.(type) {
case *dns.A:
matches := false
if a.A != nil {
for _, expect := range tc.expect {
if a.A.String() == expect.String() {
matches = true
break
}
}
}
if !matches {
t.Errorf("%d: A record does not match any expected answer for %q: %v", i, tc.dnsQuestionName, a.A)
}
case *dns.SRV:
matches := false
for _, expect := range tc.srv {
if expect.Port == a.Port && expect.Target == a.Target {
matches = true
break
}
}
if !matches {
t.Errorf("%d: SRV record does not match any expected answer %q: %#v", i, tc.dnsQuestionName, a)
}
default:
t.Errorf("%d: expected an A or SRV record %q: %#v", i, tc.dnsQuestionName, in)
}
}
t.Log(in)
close(ch)
}, 50*time.Millisecond, ch)
}
}
func TestDeployScale(t *testing.T) {
const namespace = "test-deploy-scale"
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "my-test-user")
checkErr(t, err)
osClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "my-test-user")
checkErr(t, err)
config := deploytest.OkDeploymentConfig(0)
config.Spec.Triggers = []deployapi.DeploymentTriggerPolicy{}
config.Spec.Replicas = 1
dc, err := osClient.DeploymentConfigs(namespace).Create(config)
if err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v %#v", err, config)
}
condition := func() (bool, error) {
config, err := osClient.DeploymentConfigs(namespace).Get(dc.Name)
if err != nil {
return false, nil
}
return deployutil.HasSynced(config), nil
}
if err := wait.PollImmediate(500*time.Millisecond, 10*time.Second, condition); err != nil {
t.Fatalf("Deployment config never synced: %v", err)
}
scale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if scale.Spec.Replicas != 1 {
t.Fatalf("Expected scale.spec.replicas=1, got %#v", scale)
}
scaleUpdate := deployapi.ScaleFromConfig(dc)
scaleUpdate.Spec.Replicas = 3
updatedScale, err := osClient.DeploymentConfigs(namespace).UpdateScale(scaleUpdate)
if err != nil {
// If this complains about "Scale" not being registered in "v1", check the kind overrides in the API registration in SubresourceGroupVersionKind
t.Fatalf("Couldn't update DeploymentConfig scale to %#v: %v", scaleUpdate, err)
}
if updatedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
persistedScale, err := osClient.DeploymentConfigs(namespace).GetScale(config.Name)
if err != nil {
t.Fatalf("Couldn't get DeploymentConfig scale: %v", err)
}
if persistedScale.Spec.Replicas != 3 {
t.Fatalf("Expected scale.spec.replicas=3, got %#v", scale)
}
}
func TestAuthorizationResolution(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err = clusterAdminClient.ClusterRoles().Delete(bootstrappolicy.ViewRoleName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// try to add Valerie to a non-existent role
if err := addValerie.AddRole(); !kapierror.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
roleWithGroup := &authorizationapi.ClusterRole{}
roleWithGroup.Name = "with-group"
roleWithGroup.Rules = append(roleWithGroup.Rules, authorizationapi.PolicyRule{
Verbs: sets.NewString("list"),
Resources: sets.NewString(authorizationapi.BuildGroupName),
})
if _, err := clusterAdminClient.ClusterRoles().Create(roleWithGroup); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addBuildLister := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: "with-group",
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"build-lister"},
}
if err := addBuildLister.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
buildListerClient, _, _, err := testutil.GetClientForUser(*clusterAdminConfig, "build-lister")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := buildListerClient.Builds(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := buildListerClient.DeploymentConfigs(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden, got %v", err)
}
}
// TestOldLocalResourceAccessReviewEndpoint checks to make sure that the old resource access review endpoint still functions properly
// this is needed to support old who-can client
func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
namespace := "hammer-project"
// simple check
{
rar := &authorizationapi.ResourceAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.ResourceAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("resourceAccessReviews").Body(rar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.ResourceAccessReviewResponse{
Namespace: namespace,
Users: sets.NewString("harold", "system:serviceaccount:hammer-project:builder"),
Groups: sets.NewString("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||
!reflect.DeepEqual(actualResponse.Groups.List(), expectedResponse.Groups.List()) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", rar, expectedResponse, actualResponse)
}
}
// namespace forced to allowed namespace so we can't trick the server into leaking
{
rar := &authorizationapi.ResourceAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Namespace: "sneaky-user",
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.ResourceAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("resourceAccessReviews").Body(rar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.ResourceAccessReviewResponse{
Namespace: namespace,
Users: sets.NewString("harold", "system:serviceaccount:hammer-project:builder"),
Groups: sets.NewString("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||
!reflect.DeepEqual(actualResponse.Groups.List(), expectedResponse.Groups.List()) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", rar, expectedResponse, actualResponse)
}
}
}
