diff --git a/test/extended/apiserver/security_context.go b/test/extended/apiserver/security_context.go
index b15ed67edaec..a770ba203ad2 100644
--- a/test/extended/apiserver/security_context.go
+++ b/test/extended/apiserver/security_context.go
@@ -12,9 +12,18 @@ import (
 e2e "k8s.io/kubernetes/test/e2e/framework"
 admissionapi "k8s.io/pod-security-admission/api"
+ configv1 "github.com/openshift/api/config/v1"
 exutil "github.com/openshift/origin/test/extended/util"
 )
+type itemUnderTest struct {
+ namespace string
+ containerName string
+ expectedHostPath string
+ expectHostNetwork bool
+ requireHostPathMount bool
+}
+
 var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 defer g.GinkgoRecover()
 ctx := context.Background()
@@ -40,13 +49,7 @@ var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 g.Skip("Hypershift control plane pods are not accessible from hosted cluster")
 }
- checkItems := []struct {
- namespace string
- containerName string
- expectedHostPath string
- expectHostNetwork bool
- requireHostPathMount bool
- }{
+ checkItems := []itemUnderTest{
 {
 namespace: "openshift-kube-apiserver",
 containerName: "kube-apiserver",
@@ -61,13 +64,18 @@ var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 expectHostNetwork: false,
 requireHostPathMount: false,
 },
- {
+ }
+
+ authn, err := oc.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+ o.Expect(err).NotTo(o.HaveOccurred())
+ if len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth {
+ checkItems = append(checkItems, itemUnderTest{
 namespace: "openshift-oauth-apiserver",
 containerName: "oauth-apiserver",
 expectedHostPath: "",
 expectHostNetwork: false,
 requireHostPathMount: false,
- },
+ })
 }
 for _, checkItem := range checkItems {
diff --git a/test/extended/apiserver/tls.go b/test/extended/apiserver/tls.go
index 58ac08e1524d..28fe66914801 100644
--- a/test/extended/apiserver/tls.go
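Review bot: `itemUnderTest` becomes a package-level type in this hunk but carries no doc comment, and its fields (`expectedHostPath`, `expectHostNetwork`, `requireHostPathMount`) state expectations without saying how they combine; that logic lives in the loop body further down the file, outside this hunk. A short comment such as `// itemUnderTest names one control-plane container and the host-path and host-network access the test expects it to have.` would let a reader understand the table without following the loop. The same applies to `serverUnderTest` in tls.go (hunk @@ -24,6), e.g. `// serverUnderTest identifies a control-plane service whose TLS configuration is checked.`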
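Review bot: The gate `len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth`, together with the `Authentications().Get` call and its error assertion, is copied verbatim into tls.go (hunk @@ -69,18); two copies of a coverage-deciding predicate will drift the next time an authentication type is handled differently, and both files are in the same package, so one helper can serve both. A helper also gives the "empty means IntegratedOAuth" rule a name and a place to document it, which the inline expression lacks. The Describe/It body this block sits in starts and ends outside the hunk.

```go
// integratedOAuthEnabled reports whether the cluster authentication type selects
// the integrated OAuth stack. An empty Spec.Type is treated as IntegratedOAuth,
// which is the default the callers currently assume.
func integratedOAuthEnabled(ctx context.Context, oc *exutil.CLI) (bool, error) {
	authn, err := oc.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
	if err != nil {
		return false, err
	}
	return len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth, nil
}

// … unchanged: checkItems literal …
oauthEnabled, err := integratedOAuthEnabled(ctx, oc)
o.Expect(err).NotTo(o.HaveOccurred())
if oauthEnabled {
	// … unchanged: append of the oauth-apiserver item …
}
```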
+++ b/test/extended/apiserver/tls.go
@@ -24,6 +24,10 @@ const (
 namespace = "apiserver-tls-test"
 )
+type serverUnderTest struct {
+ name, namespace, port string
+}
+
 // This test only checks whether components are serving the proper TLS version based
 // on the expected version set in the TLS profile config. It is a part of the
 // openshift/conformance/parallel test suite, and it is expected that there are jobs
@@ -69,18 +73,21 @@ var _ = g.Describe("[sig-api-machinery][Feature:APIServer]", func() {
 g.Skip("Only intermediate or modern profiles are tested")
 }
- targets := []struct {
- name, namespace, port string
- }{
+ targets := []serverUnderTest{
 {"apiserver", "openshift-kube-apiserver", "443"},
- {"oauth-openshift", "openshift-authentication", "443"},
 {"kube-controller-manager", "openshift-kube-controller-manager", "443"},
 {"scheduler", "openshift-kube-scheduler", "443"},
 {"api", "openshift-apiserver", "443"},
- {"api", "openshift-oauth-apiserver", "443"},
 {"machine-config-controller", "openshift-machine-config-operator", "9001"},
 }
+ authn, err := oc.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+ o.Expect(err).NotTo(o.HaveOccurred())
+ if len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth {
+ targets = append(targets, serverUnderTest{"oauth-openshift", "openshift-authentication", "443"})
+ targets = append(targets, serverUnderTest{"api", "openshift-oauth-apiserver", "443"})
+ }
+
 g.By("Verifying TLS behavior for core control plane components")
 for _, target := range targets {
 g.By(fmt.Sprintf("Checking %s/%s on port %s", target.namespace, target.name, target.port))
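Review bot: When the authentication type is anything other than IntegratedOAuth or unset, oauth-openshift and the oauth-apiserver silently drop out of the TLS checks in the `if` block of hunk @@ -69,18; the run log then looks identical to one in which both were checked and passed, which makes lost coverage hard to notice. An `else` branch with `g.By(fmt.Sprintf("Skipping OAuth server TLS checks: authentication type is %q", authn.Spec.Type))` would record the narrowing (fmt is already used in this block), and the oauth-apiserver item in security_context.go would benefit from the same line. The two `append` calls can also be one: `targets = append(targets, serverUnderTest{"oauth-openshift", "openshift-authentication", "443"}, serverUnderTest{"api", "openshift-oauth-apiserver", "443"})`. configv1 and metav1 are referenced here but no import hunk for tls.go appears in the diff, so presumably both were already imported above the @@ -24 hunk; worth confirming. The Describe body enclosing this block begins and ends outside the hunk.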