@@ -609,129 +609,131 @@ func validateGCPAuthAddon(ctx context.Context, t *testing.T, profile string) {
609609 validateGCPAuthNamespaces (ctx , t , profile )
610610 })
611611
612- // schedule a pod to check environment variables
613- rr , err := Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "create" , "-f" , filepath .Join (* testdataDir , "busybox.yaml" )))
614- if err != nil {
615- t .Fatalf ("%s failed: %v" , rr .Command (), err )
616- }
617-
618- serviceAccountName := "gcp-auth-test"
619- // create a dummy service account so we know the pull secret got added
620- rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "create" , "sa" , serviceAccountName ))
621- if err != nil {
622- t .Fatalf ("%s failed: %v" , rr .Command (), err )
623- }
624-
625- // 8 minutes, because 4 is not enough for images to pull in all cases.
626- names , err := PodWait (ctx , t , profile , "default" , "integration-test=busybox" , Minutes (8 ))
627- if err != nil {
628- t .Fatalf ("wait: %v" , err )
629- }
630-
631- // Use this pod to confirm that the env vars are set correctly
632- rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec" , names [0 ], "--" , "/bin/sh" , "-c" , "printenv GOOGLE_APPLICATION_CREDENTIALS" ))
633- if err != nil {
634- t .Fatalf ("printenv creds: %v" , err )
635- }
636-
637- got := strings .TrimSpace (rr .Stdout .String ())
638- expected := "/google-app-creds.json"
639- if got != expected {
640- t .Errorf ("'printenv GOOGLE_APPLICATION_CREDENTIALS' returned %s, expected %s" , got , expected )
641- }
642-
643- // Now check the service account and make sure the "gcp-auth" image pull secret is present
644- rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "describe" , "sa" , serviceAccountName ))
645- if err != nil {
646- t .Fatalf ("%s failed: %v" , rr .Command (), err )
647- }
648-
649- expectedPullSecret := "gcp-auth"
650- re := regexp .MustCompile (`.*Image pull secrets:.*` )
651- secrets := re .FindString (rr .Stdout .String ())
652- if ! strings .Contains (secrets , expectedPullSecret ) {
653- t .Errorf ("Unexpected image pull secrets. expected %s, got %s" , expectedPullSecret , secrets )
654- }
612+ t .Run ("PullSecret" , func (t * testing.T ) {
613+ // schedule a pod to check environment variables
614+ rr , err := Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "create" , "-f" , filepath .Join (* testdataDir , "busybox.yaml" )))
615+ if err != nil {
616+ t .Fatalf ("%s failed: %v" , rr .Command (), err )
617+ }
655618
656- if ! detect . IsOnGCE () || detect . IsCloudShell () {
657- // Make sure the file contents are correct
658- rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec " , names [ 0 ], "-- ""/bin/sh" , "-c" , "cat /google-app-creds.json" ))
619+ serviceAccountName := "gcp-auth-test"
620+ // create a dummy service account so we know the pull secret got added
621+ rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "create " , "sa "serviceAccountName ))
659622 if err != nil {
660- t .Fatalf ("cat creds : %v" , err )
623+ t .Fatalf ("%s failed : %v" , rr . Command () , err )
661624 }
662625
663- var gotJSON map [ string ] string
664- err = json . Unmarshal ( bytes . TrimSpace ( rr . Stdout . Bytes ()), & gotJSON )
626+ // 8 minutes, because 4 is not enough for images to pull in all cases.
627+ names , err := PodWait ( ctx , t , profile , "default" , "integration-test=busybox" , Minutes ( 8 ) )
665628 if err != nil {
666- t .Fatalf ("unmarshal json : %v" , err )
629+ t .Fatalf ("wait : %v" , err )
667630 }
668- expectedJSON := map [string ]string {
669- "client_id" : "haha" ,
670- "client_secret" : "nice_try" ,
671- "quota_project_id" : "this_is_fake" ,
672- "refresh_token" : "maybe_next_time" ,
673- "type" : "authorized_user" ,
631+
632+ // Use this pod to confirm that the env vars are set correctly
633+ rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec" , names [0 ], "--" , "/bin/sh" , "-c" , "printenv GOOGLE_APPLICATION_CREDENTIALS" ))
634+ if err != nil {
635+ t .Fatalf ("printenv creds: %v" , err )
674636 }
675637
676- if ! reflect .DeepEqual (gotJSON , expectedJSON ) {
677- t .Fatalf ("unexpected creds file: got %v, expected %v" , gotJSON , expectedJSON )
638+ got := strings .TrimSpace (rr .Stdout .String ())
639+ expected := "/google-app-creds.json"
640+ if got != expected {
641+ t .Errorf ("'printenv GOOGLE_APPLICATION_CREDENTIALS' returned %s, expected %s" , got , expected )
678642 }
679- }
680643
681- // Check the GOOGLE_CLOUD_PROJECT env var as well
682- rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec " , names [ 0 ], "-- ""/bin/sh" , "-c" , "printenv GOOGLE_CLOUD_PROJECT" ))
683- if err != nil {
684- t .Fatalf ("print env project : %v" , err )
685- }
644+ // Now check the service account and make sure the "gcp-auth" image pull secret is present
645+ rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "describe " , "sa "serviceAccountName ))
646+ if err != nil {
647+ t .Fatalf ("%s failed : %v" , rr . Command () , err )
648+ }
686649
687- got = strings .TrimSpace (rr .Stdout .String ())
688- expected = "this_is_fake"
650+ expectedPullSecret := "gcp-auth"
651+ re := regexp .MustCompile (`.*Image pull secrets:.*` )
652+ secrets := re .FindString (rr .Stdout .String ())
653+ if ! strings .Contains (secrets , expectedPullSecret ) {
654+ t .Errorf ("Unexpected image pull secrets. expected %s, got %s" , expectedPullSecret , secrets )
655+ }
689656
690- if got != expected {
691- t .Errorf ("'printenv GOOGLE_CLOUD_PROJECT' returned %s, expected %s" , got , expected )
692- }
657+ if ! detect .IsOnGCE () || detect .IsCloudShell () {
658+ // Make sure the file contents are correct
659+ rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec" , names [0 ], "--" , "/bin/sh" , "-c" , "cat /google-app-creds.json" ))
660+ if err != nil {
661+ t .Fatalf ("cat creds: %v" , err )
662+ }
693663
694- // If we're on GCE, we have proper credentials and can test the registry secrets with an artifact registry image
695- if detect .IsOnGCE () && ! detect .IsCloudShell () && ! VMDriver () {
696- t .Skip ("skipping GCPAuth addon test until 'Permission \" artifactregistry.repositories.downloadArtifacts\" denied on resource \" projects/k8s-minikube/locations/us/repositories/test-artifacts\" (or it may not exist)' issue is resolved" )
697- // "Setting the environment variable MOCK_GOOGLE_TOKEN to true will prevent using the google application credentials to fetch the token used for the image pull secret. Instead the token will be mocked."
698- // ref: https://github.com/GoogleContainerTools/gcp-auth-webhook#gcp-auth-webhook
699- os .Unsetenv ("MOCK_GOOGLE_TOKEN" )
700- // re-set MOCK_GOOGLE_TOKEN once we're done
701- defer os .Setenv ("MOCK_GOOGLE_TOKEN" , "true" )
664+ var gotJSON map [string ]string
665+ err = json .Unmarshal (bytes .TrimSpace (rr .Stdout .Bytes ()), & gotJSON )
666+ if err != nil {
667+ t .Fatalf ("unmarshal json: %v" , err )
668+ }
669+ expectedJSON := map [string ]string {
670+ "client_id" : "haha" ,
671+ "client_secret" : "nice_try" ,
672+ "quota_project_id" : "this_is_fake" ,
673+ "refresh_token" : "maybe_next_time" ,
674+ "type" : "authorized_user" ,
675+ }
702676
703- os .Unsetenv ("GOOGLE_APPLICATION_CREDENTIALS" )
704- os .Unsetenv ("GOOGLE_CLOUD_PROJECT" )
705- args := []string {"-p" , profile , "addons" , "enable" , "gcp-auth" }
706- rr , err := Run (t , exec .CommandContext (ctx , Target (), args ... ))
707- if err != nil {
708- t .Errorf ("%s failed: %v" , rr .Command (), err )
709- } else if ! strings .Contains (rr .Output (), "It seems that you are running in GCE" ) {
710- t .Errorf ("Unexpected error message: %v" , rr .Output ())
677+ if ! reflect .DeepEqual (gotJSON , expectedJSON ) {
678+ t .Fatalf ("unexpected creds file: got %v, expected %v" , gotJSON , expectedJSON )
679+ }
711680 }
712- _ , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "apply" , "-f" , filepath .Join (* testdataDir , "private-image.yaml" )))
681+
682+ // Check the GOOGLE_CLOUD_PROJECT env var as well
683+ rr , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "exec" , names [0 ], "--" , "/bin/sh" , "-c" , "printenv GOOGLE_CLOUD_PROJECT" ))
713684 if err != nil {
714685 t .Fatalf ("print env project: %v" , err )
715686 }
716687
717- // Make sure the pod is up and running, which means we successfully pulled the private image down
718- // 8 minutes, because 4 is not enough for images to pull in all cases.
719- _ , err = PodWait (ctx , t , profile , "default" , "integration-test=private-image" , Minutes (8 ))
720- if err != nil {
721- t .Fatalf ("wait for private image: %v" , err )
722- }
688+ got = strings .TrimSpace (rr .Stdout .String ())
689+ expected = "this_is_fake"
723690
724- // Try it with a European mirror as well
725- _ , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "apply" , "-f" , filepath .Join (* testdataDir , "private-image-eu.yaml" )))
726- if err != nil {
727- t .Fatalf ("print env project: %v" , err )
691+ if got != expected {
692+ t .Errorf ("'printenv GOOGLE_CLOUD_PROJECT' returned %s, expected %s" , got , expected )
728693 }
729694
730- _ , err = PodWait (ctx , t , profile , "default" , "integration-test=private-image-eu" , Minutes (8 ))
731- if err != nil {
732- t .Fatalf ("wait for private image: %v" , err )
695+ // If we're on GCE, we have proper credentials and can test the registry secrets with an artifact registry image
696+ if detect .IsOnGCE () && ! detect .IsCloudShell () && ! VMDriver () {
697+ t .Skip ("skipping GCPAuth addon test until 'Permission \" artifactregistry.repositories.downloadArtifacts\" denied on resource \" projects/k8s-minikube/locations/us/repositories/test-artifacts\" (or it may not exist)' issue is resolved" )
698+ // "Setting the environment variable MOCK_GOOGLE_TOKEN to true will prevent using the google application credentials to fetch the token used for the image pull secret. Instead the token will be mocked."
699+ // ref: https://github.com/GoogleContainerTools/gcp-auth-webhook#gcp-auth-webhook
700+ os .Unsetenv ("MOCK_GOOGLE_TOKEN" )
701+ // re-set MOCK_GOOGLE_TOKEN once we're done
702+ defer os .Setenv ("MOCK_GOOGLE_TOKEN" , "true" )
703+
704+ os .Unsetenv ("GOOGLE_APPLICATION_CREDENTIALS" )
705+ os .Unsetenv ("GOOGLE_CLOUD_PROJECT" )
706+ args := []string {"-p" , profile , "addons" , "enable" , "gcp-auth" }
707+ rr , err := Run (t , exec .CommandContext (ctx , Target (), args ... ))
708+ if err != nil {
709+ t .Errorf ("%s failed: %v" , rr .Command (), err )
710+ } else if ! strings .Contains (rr .Output (), "It seems that you are running in GCE" ) {
711+ t .Errorf ("Unexpected error message: %v" , rr .Output ())
712+ }
713+ _ , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "apply" , "-f" , filepath .Join (* testdataDir , "private-image.yaml" )))
714+ if err != nil {
715+ t .Fatalf ("print env project: %v" , err )
716+ }
717+
718+ // Make sure the pod is up and running, which means we successfully pulled the private image down
719+ // 8 minutes, because 4 is not enough for images to pull in all cases.
720+ _ , err = PodWait (ctx , t , profile , "default" , "integration-test=private-image" , Minutes (8 ))
721+ if err != nil {
722+ t .Fatalf ("wait for private image: %v" , err )
723+ }
724+
725+ // Try it with a European mirror as well
726+ _ , err = Run (t , exec .CommandContext (ctx , "kubectl" , "--context" , profile , "apply" , "-f" , filepath .Join (* testdataDir , "private-image-eu.yaml" )))
727+ if err != nil {
728+ t .Fatalf ("print env project: %v" , err )
729+ }
730+
731+ _ , err = PodWait (ctx , t , profile , "default" , "integration-test=private-image-eu" , Minutes (8 ))
732+ if err != nil {
733+ t .Fatalf ("wait for private image: %v" , err )
734+ }
733735 }
734- }
736+ })
735737}
736738
737739func validateHeadlampAddon (ctx context.Context , t * testing.T , profile string ) {
0 commit comments