generate httest during the run and seperate webhooks

Signed-off-by: Karol Szwaj <[email protected]> On-behalf-of: @SAP [email protected]
kcp-dev · Feb 5, 2025 · eb22ab6 · eb22ab6
1 parent f99a881
commit eb22ab6
Show file tree

Hide file tree

Showing 10 changed files with 52 additions and 142 deletions.
diff --git a/test/e2e/authorizer/authmodes.kubeconfig b/test/e2e/authorizer/authmodes.kubeconfig
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Config
+clusters:
+  - name: httest
+    cluster:
+      certificate-authority: .TestAuthorizationModes/ca.crt
+      server: https://localhost:8081/
+current-context: webhook
+contexts:
+  - name: webhook
+    context:
+      cluster: httest
diff --git a/test/e2e/authorizer/authorizationmodes_test.go b/test/e2e/authorizer/authorizationmodes_test.go
@@ -1,4 +1,4 @@
-/*
+/* /*
 Copyright 2025 The KCP Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -37,12 +37,15 @@ func TestAuthorizationModes(t *testing.T) {
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	t.Cleanup(cancelFunc)
+	// start a webhook that allows kcp to boot up
+	webhookStop := RunWebhook(ctx, t, "8081", "kubernetes:authz:allow")
+	t.Cleanup(webhookStop)
 
 	server := framework.PrivateKcpServer(t, framework.WithCustomArguments(
 		"--authorization-modes",
 		"Webhook,AlwaysAllowPaths,AlwaysAllowGroups,RBAC",
 		"--authorization-webhook-config-file",
-		"webhook.kubeconfig",
+		"authmodes.kubeconfig",
 	))
 
 	// create clients
@@ -78,7 +81,7 @@ func TestAuthorizationModes(t *testing.T) {
 	require.NoError(t, err)
 
 	// run the webhook with deny policy
-	webhookStop := RunWebhook(ctx, t, "kubernetes:authz:deny")
+	webhookStop = RunWebhook(ctx, t, "8081", "kubernetes:authz:deny")
 	t.Cleanup(webhookStop)
 
 	t.Log("Admin should not be allowed now to list Workspaces.")

diff --git a/test/e2e/authorizer/utils.go b/test/e2e/authorizer/utils.go
@@ -18,31 +18,55 @@ package authorizer
 
 import (
 	"context"
+	"fmt"
+	"net"
+	"os"
 	"os/exec"
 	"testing"
 	"time"
+
+	"github.com/kcp-dev/kcp/test/e2e/framework"
+	"k8s.io/apimachinery/pkg/util/wait"
 )
 
-func RunWebhook(ctx context.Context, t *testing.T, response string) context.CancelFunc {
+func RunWebhook(ctx context.Context, t *testing.T, port string, response string) context.CancelFunc {
+	t.Logf("Starting webhook with %s policy...", response)
+
+	ctx, cancel := context.WithCancel(ctx)
+	pkiDir := fmt.Sprintf(".%s", t.Name())
 	args := []string{
 		"--tls",
 		"--response", response,
-		"--pki-directory", "webhook-httest-pki",
+		"--pki-directory", pkiDir,
+		"--listen", fmt.Sprintf("localhost:%s", port),
 	}
 
-	t.Logf("Starting webhook with %s policy...", response)
-
-	ctx, cancel := context.WithCancel(ctx)
-
 	cmd := exec.CommandContext(ctx, "httest", args...)
 	if err := cmd.Start(); err != nil {
 		cancel()
 		t.Fatalf("Failed to start webhook: %v", err)
 	}
-
 	// give httest a moment to boot up
 	time.Sleep(2 * time.Second)
 
+	framework.Eventually(t, func() (bool, string) {
+		caCertPath := fmt.Sprintf("%s/ca.crt", pkiDir)
+		if _, err := os.Stat(caCertPath); os.IsNotExist(err) {
+			return false, "ca.crt file does not exist"
+		}
+		return true, ""
+	}, wait.ForeverTestTimeout, time.Millisecond*100)
+
+	address := fmt.Sprintf("localhost:%s", port)
+	framework.Eventually(t, func() (bool, string) {
+		conn, err := net.DialTimeout("tcp", address, time.Second)
+		if err != nil {
+			return false, fmt.Sprintf("Webhook is not serving on %s: %v", address, err)
+		}
+		_ = conn.Close()
+		return true, ""
+	}, wait.ForeverTestTimeout, time.Millisecond*200)
+
 	return func() {
 		t.Log("Stopping webhook...")
 		cancel()

diff --git a/test/e2e/authorizer/webhook-httest-pki/ca.crt b/test/e2e/authorizer/webhook-httest-pki/ca.crt
diff --git a/test/e2e/authorizer/webhook-httest-pki/ca.key b/test/e2e/authorizer/webhook-httest-pki/ca.key
diff --git a/test/e2e/authorizer/webhook-httest-pki/fullchain.crt b/test/e2e/authorizer/webhook-httest-pki/fullchain.crt
diff --git a/test/e2e/authorizer/webhook-httest-pki/serving.crt b/test/e2e/authorizer/webhook-httest-pki/serving.crt
diff --git a/test/e2e/authorizer/webhook-httest-pki/serving.key b/test/e2e/authorizer/webhook-httest-pki/serving.key
diff --git a/test/e2e/authorizer/webhook.kubeconfig b/test/e2e/authorizer/webhook.kubeconfig
@@ -3,7 +3,7 @@ kind: Config
 clusters:
   - name: httest
     cluster:
-      certificate-authority: webhook-httest-pki/ca.crt
+      certificate-authority: .TestWebhook/ca.crt
       server: https://localhost:8080/
 current-context: webhook
 contexts:

diff --git a/test/e2e/authorizer/webhook_test.go b/test/e2e/authorizer/webhook_test.go
@@ -39,7 +39,7 @@ func TestWebhook(t *testing.T) {
 	t.Cleanup(cancelFunc)
 
 	// start a webhook that allows kcp to boot up
-	webhookStop := RunWebhook(ctx, t, "kubernetes:authz:allow")
+	webhookStop := RunWebhook(ctx, t, "8080", "kubernetes:authz:allow")
 	t.Cleanup(webhookStop)
 
 	server := framework.PrivateKcpServer(t, framework.WithCustomArguments(
@@ -60,8 +60,7 @@ func TestWebhook(t *testing.T) {
 
 	// stop the webhook and switch to a deny policy
 	webhookStop()
-
-	webhookStop = RunWebhook(ctx, t, "kubernetes:authz:deny")
+	webhookStop = RunWebhook(ctx, t, "8080", "kubernetes:authz:deny")
 	t.Cleanup(webhookStop)
 
 	t.Log("Admin should not be allowed to list ConfigMaps.")