End-to-end tests: use Vault 1.12.1 instead of the outdated Vault 1.2.3 #5604
Merged
jetstack-bot merged 1 commit into cert-manager:master from Dec 13, 2022
Member
I'll take a look at this next week - not really got enough time left today to do it justice. Thanks for raising 👍
Member
The test failure seems legitimate to me, so I'll hold off on looking for now!
The main reason for bumping Vault's version is because 1.2.3 is not compatible with the config parameter `disable_iss_validation`, which is needed for accommodating the future tests [1] that rely on bound tokens and static tokens.

For context, Vault 1.2.3 was released on Sep 9, 2019 [2] but `disable_iss_validation` was only added on July 21st, 2020 in Vault 1.5.0.

Due to a breaking change that happened in Vault 1.5.0 [3] in which Vault started loading the pod's token instead of using the same token (to be reviewed) for authenticating.

An alternative solution could have been to prevent the service account from being mounted to the pod, but I figured that having the two service accounts separated is a better practice.

[1]: cert-manager#5502
[2]: hashicorp/vault@c14bd9a2
[3]: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#150

Signed-off-by: Maël Valais <mael@vls.dev>
SgtCoDFish (Member) approved these changes on Dec 13, 2022
/lgtm
/approve
Tests pass so this seems good to merge as far as I'm concerned! Thanks 😁
Contributor
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: maelvls, SgtCoDFish
The full list of commands accepted by this bot can be found here. The pull request process is described here
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Member
/test pull-cert-manager-master-make-test
The main reason for bumping Vault's version is because 1.2.3 is not compatible with the config parameter `disable_iss_validation`, which is needed for accommodating the future tests coming in #5502 that rely on bound tokens and static tokens.

For context, Vault 1.2.3 was released on Sep 9, 2019 (1) but `disable_iss_validation` was only added on July 21st, 2020 in Vault 1.5.0.

Due to a breaking change that happened in Vault 1.5.0 (2) in which Vault started loading the pod's token instead of using the token to be reviewed for authenticating, I had to tweak the end-to-end tests. I renamed `serviceAccountName` and `namespace` to `boundSA` and `boundNS`, since these two variables now refer to the service account of the token to be reviewed, but not the service account to be used for authenticating. The service account used for authenticating is now the pod's service account.

Alternatively, I could have prevented the service account from being mounted to the pod, but I figured that having the two service accounts separated is what most people do (although both ways are fine by me).

In order to upgrade to Vault 1.12.1, I had to change a bit how the end-to-end tests are

/kind cleanup
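
As an added illustration of the description above (not code from this PR, cert-manager or Vault), this simplified Go model shows why issuer validation rejects a bound token when only the legacy issuer is expected, and how a role's bound service account and namespace are matched against the token under review. The issuer strings, the `e2e` and `vault-client` names, and the helpers `fakeJWT` and `checkToken` are assumptions made for the example; signature verification is omitted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
}

// fakeJWT builds an unsigned, constructed token (header.payload.signature).
func fakeJWT(iss, ns, sa string) string {
	p, _ := json.Marshal(claims{Iss: iss, Sub: "system:serviceaccount:" + ns + ":" + sa})
	return "e30." + base64.RawURLEncoding.EncodeToString(p) + ".sig"
}

// checkToken is a simplified model (an assumption, not Vault's code) of two claim
// checks: the issuer check, skipped when disableIssValidation is set, and the match
// of the reviewed token's subject against the role's bound namespace and account.
func checkToken(jwt, expectedIss string, disableIssValidation bool, boundNS, boundSA string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return fmt.Errorf("claims: %w", err)
	}
	if !disableIssValidation && c.Iss != expectedIss {
		return fmt.Errorf("issuer %q not accepted", c.Iss)
	}
	if c.Sub != "system:serviceaccount:"+boundNS+":"+boundSA {
		return fmt.Errorf("subject %q not bound to role", c.Sub)
	}
	return nil
}

func main() {
	bound := fakeJWT("https://kubernetes.default.svc.cluster.local", "e2e", "vault-client")
	fmt.Println(checkToken(bound, "kubernetes/serviceaccount", false, "e2e", "vault-client"))
	fmt.Println(checkToken(bound, "kubernetes/serviceaccount", true, "e2e", "vault-client"))
}
```

With issuer validation enabled the bound token is rejected on its `iss` claim; with it disabled, the decision rests on the bound service account and namespace alone.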