smolnar82 opened a new pull request, #1271: URL: https://github.com/apache/knox/pull/1271
[KNOX-3353](https://issues.apache.org/jira/browse/KNOX-3353) - Add Docker-based integration tests for the k8s ServiceAccountValidator

## What changes were proposed in this pull request?

Adds Docker Compose integration test coverage for the new k8s pre-auth `ServiceAccountValidator` (`SPIFFE id → ServiceAccount annotation` matching).

- **compose/docker-compose.yml** — adds a single-node k3s service (real API server for the fabric8 client to talk to) and a one-shot k8s-bootstrap service that derives a Knox-reachable `kubeconfig` (server rewritten to `https://k3s:6443`, matched by `--tls-san=k3s`) and applies the test fixtures. The knox service mounts that kubeconfig (`KUBECONFIG`) and waits for bootstrap to complete. The `kubeconfig` is re-derived inside the readiness loop so it always converges on k3s's live CA, even across volume reuse/restarts.
- **compose/k8s/manifests/test-sa.yaml** — namespace `test` + `test-sa` ServiceAccount annotated `knox.apache.org/owner-username: bob`.
- **build/conf/topologies/k8sauth.xml + Dockerfile** — bakes a `k8sauth` topology (HeaderPreAuth federation backed by ServiceAccountValidator, fronting the HEALTH service).
- **tests/test_k8s_serviceaccount_validation.py** — new `pytest` cases.

## How was this patch tested?

Ran the full Docker Compose suite locally:

```
docker compose -f ./.github/workflows/compose/docker-compose.yml down --volumes
docker compose -f ./.github/workflows/compose/docker-compose.yml up --exit-code-from tests tests
```

All 28 tests pass, including the 6 new ones. No production code changed — this is test infrastructure only:

```
tests-1 | ============================= test session starts ==============================
tests-1 | platform linux -- Python 3.10.20, pytest-8.3.4, pluggy-1.6.0
tests-1 | rootdir: /tests
tests-1 | collected 28 items
tests-1 |
tests-1 | test_health.py ..... [ 17%]
tests-1 | test_k8s_serviceaccount_validation.py ...... [ 39%]
tests-1 | test_knox_auth_service_and_ldap.py ... [ 50%]
tests-1 | test_knox_configs.py . [ 53%]
tests-1 | test_knoxauth_preauth_and_paths.py ...... [ 75%]
tests-1 | test_remote_auth.py ... [ 85%]
tests-1 | test_remoteauth_extauthz_additional_path.py .... [100%]
tests-1 |
tests-1 | =============================== warnings summary ===============================
...
tests-1 |
tests-1 | -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
tests-1 | ----------------- generated xml file: /tests/test-results.xml ------------------
tests-1 | ======================= 28 passed, 28 warnings in 1.43s ========================
```

## Integration Tests

Added tests/test_k8s_serviceaccount_validation.py against the k8sauth topology:

- asserted user matching the SA annotation (bob) → `200 / OK`
- mismatched user (sam) → `403`
- missing SPIFFE header, missing user header, unparseable SPIFFE id, unknown ServiceAccount → `403`

## UI changes

N/A

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
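A reference model of the allow/deny matrix the six new pytest cases exercise, added here as an illustration; it is neither Knox's `ServiceAccountValidator` nor the PR's test code. The annotation key and the `test`/`test-sa`/`bob` fixture come from the PR; the SPIFFE id layout (`spiffe://<trust-domain>/ns/<namespace>/sa/<name>`), the header names and the in-memory cluster stand-in are assumptions.

```python
import re

# Annotation key and fixture (namespace "test", ServiceAccount "test-sa", owner "bob")
# come from the PR; the dict is a constructed stand-in for the k3s API server lookup.
OWNER_ANNOTATION = "knox.apache.org/owner-username"
CLUSTER = {("test", "test-sa"): {OWNER_ANNOTATION: "bob"}}

# Assumption: Kubernetes-style SPIFFE ids, spiffe://<trust-domain>/ns/<namespace>/sa/<name>.
SPIFFE_ID = re.compile(r"^spiffe://[^/]+/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")

# Hypothetical pre-auth header names; the PR does not state the real ones.
SPIFFE_HEADER = "X-SPIFFE-ID"
USER_HEADER = "X-Knox-User"


def parse_spiffe_id(value):
    """Return (namespace, serviceaccount) or None when the id is not a k8s workload id."""
    match = SPIFFE_ID.match(value)
    return (match.group("ns"), match.group("sa")) if match else None


def decide(headers, cluster=CLUSTER):
    """Map pre-auth headers to (http_status, reason), mirroring the six PR test cases.

    Every denial carries a distinct reason so an audit log can tell a malformed id,
    an unknown workload and an owner mismatch apart; only a full match yields 200.
    """
    spiffe_id = headers.get(SPIFFE_HEADER)
    user = headers.get(USER_HEADER)
    if not spiffe_id:
        return 403, "missing SPIFFE header"
    if not user:
        return 403, "missing user header"
    parsed = parse_spiffe_id(spiffe_id)
    if parsed is None:
        return 403, "unparseable SPIFFE id"
    annotations = cluster.get(parsed)
    if annotations is None:
        return 403, "unknown ServiceAccount"
    # Fail closed: an existing SA without the annotation must not match anyone.
    if annotations.get(OWNER_ANNOTATION) != user:
        return 403, "user does not match owner annotation"
    return 200, "OK"
```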
