'envtest' should support test scenarios with Authn/Authz configurations (should expose secure endpoint info of kube-apiserver)

[everpeace]

What is the problem

When we configured some authentication modules by envtest.Environment.KubeAPIServerFlags like below:

// just an example using basic auth module
te := &envtest.Environment{
  KubeAPIServerFlags: append(
    envtest.DefaultKubeAPIServerFlags, "--basic-auth-file=my-file", "--authorization-mode=RBAC",
  ),
}
cfg, _ := te.Start()

envtest.Config points to the insecure endpoint of kube-apiserver. As an official document says, we can't use this endpoint to test some scenarios containing authn/authz configurations. Moreover, envtest doesn't expose any TLS configurations of envtest's kube-apiserver.

Thus, users don't have any method to connect the secure endpoint of envtest's kube-apiserver.

Why does this need??

When controllers/webhooks interact with SubjectAccessReview or SelfSubjectAccessReview, user's wanted to test some scenarios containing authz(mainly RBAC) configurations.

Solution

internal.testing.integration.APIServer can expose TLSClientConfig containing its ca certificate that is setup in starting APIServer by TinyCA. Perhaps, we would envtest.Environment.SecureConfig for user's convenience.

[vincepri]

/milestone v0.6.x

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[everpeace]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[everpeace]

/remove-lifecycle rotten

[everpeace]

/reopen

[k8s-ci-robot]

@everpeace: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[everpeace]

#1486 will fix this issue.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[everpeace]

I'm closing this because it has been resolved by #1486