e2e: Refactor manifests to test for groups

Refactor the E2E manifests to also test for group membership. In particular: - In Dex, add the groups 'a','b' to 'user'. To do that, we need to use a custom image. [1][2] - In AuthService, accept groups 'a','d','e','system:serviceaccounts', to account for testing OIDC and the Kubernetes authenticator. [1]: dexidp/dex#1080 [2]: candlerb/dex@6a67e7c
arrikto · Sep 16, 2020 · 53f2d2b · 53f2d2b
1 parent 540264b
commit 53f2d2b
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 80 deletions.
diff --git a/e2e/dex-config.yaml b/e2e/dex-config.yaml
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -197,6 +197,8 @@ func (suite *E2ETestSuite) TestDexLogin() {
 	require.Nil(t, err)
 	dexReqID := loginScreen.Query().Get("req")
 	require.NotEmpty(t, dexReqID)
+	_, err = client.Get(loginScreen.String())
+	require.NoError(t, err)
 
 	// Post login credentials
 	data := url.Values{}
@@ -327,7 +329,7 @@ func createK3DCluster() error {
 	// FIXME: Prefer creating a cluster with a random name. Else, try to remove
 	// the cluster before creating it.
 	cmd := exec.Command("k3d", "cluster", "create", "e2e-test-cluster", "--k3s-server-arg",
-	    "--no-deploy=traefik", "--no-lb", "--wait", "--timeout", "5m",
+		"--no-deploy=traefik", "--no-lb", "--wait", "--timeout", "5m",
 		"--update-default-kubeconfig=false")
 	cmd.Stderr, cmd.Stdout = os.Stderr, os.Stdout
 	err := cmd.Run()

diff --git a/e2e/manifests/authservice/base/params.env b/e2e/manifests/authservice/base/params.env
@@ -3,3 +3,4 @@ AUTHSERVICE_URL_PREFIX=/authservice/
 OIDC_AUTH_URL=/dex/auth
 OIDC_SCOPES=profile,email,groups
 SKIP_AUTH_URLS=/dex/
+GROUPS_ALLOWLIST=a,d,e,system:serviceaccounts
diff --git a/e2e/manifests/dex/overlays/e2e/config-map.yaml b/e2e/manifests/dex/overlays/e2e/config-map.yaml
@@ -27,3 +27,10 @@ data:
       redirectURIs: [/authservice/oidc/callback]
       name: 'Authservice'
       secret: longrandomvalue
+    # This field depends on a Dex fork. It is used to add groups to
+    # the static user, in order to test the groups authorizer.
+    # https://github.com/candlerb/dex/commit/6a67e7c453a101a7ec3d07fde7b1d8f97b878cc8
+    memberships:
+    - connector: local
+      subject: user
+      groups: [a, b]
diff --git a/e2e/manifests/dex/overlays/e2e/kustomization.yaml b/e2e/manifests/dex/overlays/e2e/kustomization.yaml
@@ -4,3 +4,8 @@ bases:
 - ../istio
 patchesStrategicMerge:
   - config-map.yaml
+images:
+- name: gcr.io/arrikto/dexidp/dex
+  newName: gcr.io/arrikto/dex
+  newTag: 6a67e7c453a101a7ec3d07fde7b1d8f97b878cc8
+