diff --git a/pkg/registration/register/aws_irsa/aws.go b/pkg/registration/register/aws_irsa/aws.go
index 4da436ab2..352b8881b 100644
--- a/pkg/registration/register/aws_irsa/aws.go
+++ b/pkg/registration/register/aws_irsa/aws.go
@@ -3,6 +3,7 @@ package aws_irsa
 import (
 "context"
 "fmt"
+ "k8s.io/apimachinery/pkg/api/meta"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -38,12 +39,11 @@ func (v *v1AWSIRSAControl) isApproved(name string) (bool, error) {
 }
 v1Managedcluster := managedcluster.(*v1.ManagedCluster)
 approved := false
- for _, condition := range v1Managedcluster.Status.Conditions {
- if condition.Type == v1.ManagedClusterConditionHubDenied {
- return false, nil
- } else if condition.Type == v1.ManagedClusterConditionHubAccepted {
- approved = true
- }
+ condition := meta.FindStatusCondition(v1Managedcluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted)
+ if condition != nil {
+ approved = true
+ } else {
+ return false, nil
 }
 return approved, nil
 }
diff --git a/pkg/registration/register/aws_irsa/aws_test.go b/pkg/registration/register/aws_irsa/aws_test.go
index 4206268d1..bba02c631 100644
--- a/pkg/registration/register/aws_irsa/aws_test.go
+++ b/pkg/registration/register/aws_irsa/aws_test.go
@@ -1,6 +1,8 @@
 package aws_irsa
 import (
+ "fmt"
+ "open-cluster-management.io/ocm/test/integration/util"
 "reflect"
 "testing"
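Review bot: The new `"k8s.io/apimachinery/pkg/api/meta"` import is placed directly after `"fmt"`, ahead of the `apierrors "k8s.io/apimachinery/pkg/api/errors"` line, rather than in path order with the other k8s.io/apimachinery imports; goimports sorts by import path within a group, so `.../api/meta` belongs after `.../api/errors`, and if the file keeps a separate standard-library group (the collapsed text hides blank lines) it belongs below that group's separator. The aws_test.go import hunk has the same shape, with `"open-cluster-management.io/ocm/test/integration/util"` inserted among the standard-library imports before `"reflect"`. Running goimports on both files would settle it.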
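Review bot: The rewritten check in isApproved tests only whether a HubAccepted condition exists, never what its Status is: `meta.FindStatusCondition` returns the entry for `v1.ManagedClusterConditionHubAccepted` regardless of Status, so a condition recorded as False or Unknown now yields approved == true, and the explicit `v1.ManagedClusterConditionHubDenied` short-circuit the old loop had is gone as well. Replace the lookup with `if meta.IsStatusConditionTrue(v1Managedcluster.Status.Conditions, v1.ManagedClusterConditionHubAccepted) { return true, nil }` followed by `return false, nil`, which also removes the now-redundant `approved` local and the `else` after a returning branch. Whether a declined cluster is represented as HubAccepted=False or as a separate HubDenied condition cannot be confirmed from this hunk, so keeping the HubDenied check alongside the status test is the conservative choice for a function that gates registration. isApproved begins above this hunk.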
@@ -49,21 +51,27 @@ func TestBuildKubeconfig(t *testing.T) {
 caData []byte
 clientCertFile string
 clientKeyFile string
+ AuthInfoExec *clientcmdapi.ExecConfig
 }{
 {
- name: "without proxy",
- server: "https://127.0.0.1:6443",
- caData: []byte("fake-ca-bundle"),
- clientCertFile: "tls.crt",
- clientKeyFile: "tls.key",
- },
- {
- name: "with proxy",
- server: "https://127.0.0.1:6443",
- caData: []byte("fake-ca-bundle-with-proxy-ca"),
- proxyURL: "https://127.0.0.1:3129",
- clientCertFile: "tls.crt",
- clientKeyFile: "tls.key",
+ name: "without proxy",
+ server: "https://127.0.0.1:6443",
+ AuthInfoExec: &clientcmdapi.ExecConfig{
+ APIVersion: "client.authentication.k8s.io/v1beta1",
+ Command: "aws",
+ Args: []string{
+ "--region",
+ "us-west-2",
+ "eks",
+ "get-token",
+ "--cluster-name",
+ "hub-cluster1",
+ "--output",
+ "json",
+ "--role",
+ fmt.Sprintf("arn:aws:iam::123456789012:role/ocm-hub-%s", ManagedClusterIAMRoleSuffix),
+ },
+ },
 },
 }
 for _, c := range cases {
@@ -71,10 +79,8 @@ func TestBuildKubeconfig(t *testing.T) {
 bootstrapKubeconfig := &clientcmdapi.Config{
 Clusters: map[string]*clientcmdapi.Cluster{
 "default-cluster": {
- Server: c.server,
- InsecureSkipTLSVerify: false,
- CertificateAuthorityData: c.caData,
- ProxyURL: c.proxyURL,
+ Server: c.server,
+ InsecureSkipTLSVerify: false,
 }},
 // Define a context that connects the auth info and cluster, and set it as the default
 Contexts: map[string]*clientcmdapi.Context{register.DefaultKubeConfigContext: {
@@ -92,6 +98,8 @@ func TestBuildKubeconfig(t *testing.T) {
 }
 registerImpl := &AWSIRSADriver{}
+ registerImpl.hubClusterArn = util.HubClusterArn
+ registerImpl.managedClusterRoleSuffix = ManagedClusterIAMRoleSuffix
 kubeconfig := registerImpl.BuildKubeConfigFromTemplate(bootstrapKubeconfig)
 currentContext, ok := kubeconfig.Contexts[kubeconfig.CurrentContext]
 if !ok {
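Review bot: The one remaining case sets neither `caData` nor `proxyURL`, and the `caData`, `clientCertFile` and `clientKeyFile` struct fields visible at the top of the hunk (plus `proxyURL`, declared above it) are now never populated, so after this change TestBuildKubeconfig no longer checks that BuildKubeConfigFromTemplate carries the hub CA bundle or a proxy URL from the bootstrap kubeconfig into the generated one. With only the exec-plugin credential left under test, a regression that drops `CertificateAuthorityData` — leaving the agent unable to verify the hub's certificate — would pass; keep a case with `caData: []byte("fake-ca-bundle")` and the proxy case alongside the exec expectations, or else delete the dead fields. The case name "without proxy" also no longer contrasts with anything once the proxy case is gone. The case table's first fields are above this hunk.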
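Review bot: The third hunk writes the driver's unexported `hubClusterArn` and `managedClusterRoleSuffix` fields directly on a bare `&AWSIRSADriver{}`, while spokeagent.go (in its hunk further down) builds the driver through `awsIrsa.NewAWSIRSADriver(...)` with the managed-cluster ARN, role suffix and hub ARN; constructing it the same way here keeps the test on the production initialization path and makes it robust to field renames. Use `registerImpl := NewAWSIRSADriver(...)` with the arguments spokeagent.go passes — the constructor's full signature is outside this diff, so check it. Separately, a unit test under pkg/ now imports test/integration/util for one constant (`util.HubClusterArn`); a local fixture value would avoid that cross-tree coupling.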
@@ -107,26 +115,23 @@ func TestBuildKubeconfig(t *testing.T) {
 t.Errorf("expected server %q, but got %q", c.server, cluster.Server)
 }
- if cluster.ProxyURL != c.proxyURL {
- t.Errorf("expected proxy URL %q, but got %q", c.proxyURL, cluster.ProxyURL)
- }
-
- if !reflect.DeepEqual(cluster.CertificateAuthorityData, c.caData) {
- t.Errorf("expected ca data %v, but got %v", c.caData, cluster.CertificateAuthorityData)
- }
-
 authInfo, ok := kubeconfig.AuthInfos[currentContext.AuthInfo]
 if !ok {
 t.Errorf("auth info %q not found: %v", currentContext.AuthInfo, kubeconfig)
 }
- if authInfo.ClientCertificate != c.clientCertFile {
- t.Errorf("expected client certificate %q, but got %q", c.clientCertFile, authInfo.ClientCertificate)
+ if authInfo.Exec.APIVersion != c.AuthInfoExec.APIVersion {
+ t.Errorf("The value of api version is %s but is expected to be %s", authInfo.Exec.APIVersion, c.AuthInfoExec.APIVersion)
 }
- if authInfo.ClientKey != c.clientKeyFile {
- t.Errorf("expected client key %q, but got %q", c.clientKeyFile, authInfo.ClientKey)
+ if authInfo.Exec.Command != c.AuthInfoExec.Command {
+ t.Errorf("Value of AuthInfo.Exec.Command is expected to be %s but got %s", authInfo.Exec.Command, c.AuthInfoExec.Command)
 }
+
+ if !reflect.DeepEqual(authInfo.Exec.Args, c.AuthInfoExec.Args) {
+ t.Errorf("Value of AuthInfo.Exec.Args is expected to be %s but got %s", authInfo.Exec.Args, c.AuthInfoExec.Args)
+ }
+
 })
 }
 }
diff --git a/pkg/registration/spoke/spokeagent.go b/pkg/registration/spoke/spokeagent.go
index 3d1b348e4..e3525b080 100644
--- a/pkg/registration/spoke/spokeagent.go
+++ b/pkg/registration/spoke/spokeagent.go
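Review bot: The two Command and Args messages pass the actual value where the text says "expected" and the expected value where it says "got" — `t.Errorf("Value of AuthInfo.Exec.Command is expected to be %s but got %s", authInfo.Exec.Command, c.AuthInfoExec.Command)` prints them swapped — so a failure report would point the reader the wrong way. The auth-info lookup just above only calls `t.Errorf` when the entry is missing and then dereferences `authInfo.Exec`, so a missing auth info or a template that sets no exec plugin turns into a nil-pointer panic instead of a test message; make that lookup `t.Fatalf`, guard `authInfo.Exec`, and order the format arguments expected-then-actual with `%q` as the surviving server assertion does. The subtest and loop enclosing these lines begin above the hunk.
```go
if !ok {
	t.Fatalf("auth info %q not found: %v", currentContext.AuthInfo, kubeconfig)
}
if authInfo.Exec == nil {
	t.Fatalf("auth info %q has no exec credential plugin configured", currentContext.AuthInfo)
}
if authInfo.Exec.APIVersion != c.AuthInfoExec.APIVersion {
	t.Errorf("expected exec api version %q, but got %q", c.AuthInfoExec.APIVersion, authInfo.Exec.APIVersion)
}
if authInfo.Exec.Command != c.AuthInfoExec.Command {
	t.Errorf("expected exec command %q, but got %q", c.AuthInfoExec.Command, authInfo.Exec.Command)
}
if !reflect.DeepEqual(authInfo.Exec.Args, c.AuthInfoExec.Args) {
	t.Errorf("expected exec args %q, but got %q", c.AuthInfoExec.Args, authInfo.Exec.Args)
}
```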
@@ -190,8 +190,7 @@ func (o *SpokeAgentConfig) RunSpokeAgentWithSpokeInformers(ctx context.Context,
 // initiate registration driver
 var registerDriver register.RegisterDriver
- var registrationOption = o.registrationOption
- if registrationOption.RegistrationAuth == AwsIrsaAuthType {
+ if o.registrationOption.RegistrationAuth == AwsIrsaAuthType {
 registerDriver = awsIrsa.NewAWSIRSADriver(o.registrationOption.ManagedClusterArn,
 o.registrationOption.ManagedClusterRoleSuffix,
 o.registrationOption.HubClusterArn,
diff --git a/test/integration/registration/spokecluster_aws_joining_test.go b/test/integration/registration/spokecluster_aws_joining_test.go
index 2ba6ab071..6b97fbec5 100644
--- a/test/integration/registration/spokecluster_aws_joining_test.go
+++ b/test/integration/registration/spokecluster_aws_joining_test.go
@@ -80,9 +80,11 @@ var _ = ginkgo.Describe("Joining Process for aws flow", func() {
 err = authn.ApproveSpokeClusterCSR(kubeClient, managedClusterName, time.Hour*24)
 gomega.Expect(err).To(gomega.HaveOccurred())
- // ensure that generated hub-kubeconfig-secret is correct
+ // Kubeconfig secret in integration test for AWS won't be able to connect to hub server, since it is not in the eks environment
+ // So we only ensure that generated hub-kubeconfig-secret has a correct format
+
 gomega.Eventually(func() error {
- secret, err := util.GetFilledAWSHubKubeConfigSecret(kubeClient, testNamespace, hubKubeconfigSecret)
+ secret, err := util.GetHubKubeConfigFromSecret(kubeClient, testNamespace, hubKubeconfigSecret)
 if err != nil {
 return err
 }
diff --git a/test/integration/util/authentication.go b/test/integration/util/authentication.go
index 520afe741..1d7ab2d4f 100644
--- a/test/integration/util/authentication.go
+++ b/test/integration/util/authentication.go
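Review bot: The two replacement comment lines in the joining-test hunk are the only explanation of why this AWS test stops short of talking to the hub, and they read awkwardly (a long first line, a second with no terminal punctuation) and are then separated from the `gomega.Eventually` they describe by an added blank line. Tighten them to something like `// The AWS flow cannot reach the hub from this (non-EKS) environment, so only the shape of the generated hub-kubeconfig secret is verified.` placed directly above the Eventually call. The Eventually body that does the verification continues outside the hunk, so whether it still checks the CA bundle and exec-plugin fields of the kubeconfig cannot be confirmed here.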
@@ -516,7 +516,7 @@ func PrepareSpokeAgentNamespace(kubeClient kubernetes.Interface, namespace strin
 }
 func GetFilledHubKubeConfigSecret(kubeClient kubernetes.Interface, secretNamespace, secretName string) (*corev1.Secret, error) {
- secret, err := GetFilledAWSHubKubeConfigSecret(kubeClient, secretNamespace, secretName)
+ secret, err := GetHubKubeConfigFromSecret(kubeClient, secretNamespace, secretName)
 if err != nil {
 return nil, err
 }
@@ -530,7 +530,7 @@ func GetFilledHubKubeConfigSecret(kubeClient kubernetes.Interface, secretNamespa
 return secret, nil
 }
-func GetFilledAWSHubKubeConfigSecret(kubeClient kubernetes.Interface, secretNamespace, secretName string) (*corev1.Secret, error) {
+func GetHubKubeConfigFromSecret(kubeClient kubernetes.Interface, secretNamespace, secretName string) (*corev1.Secret, error) {
 secret, err := kubeClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 if err != nil {
 return nil, err
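Review bot: The new name `GetHubKubeConfigFromSecret` reads as though it returned the kubeconfig extracted from the secret, but the signature is unchanged and the function still returns the `*corev1.Secret` itself, while its sibling `GetFilledHubKubeConfigSecret` keeps the `...Secret` suffix for the same return type. A name such as `GetHubKubeConfigSecret` would match both the sibling and the return value, and the rename is mechanical in the two callers shown in this diff. The function body continues past the hunk.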