tests: Investigate Removing kinit Dependency #159

Open
bflad opened this issue Jul 27, 2021 · 0 comments
bflad commented Jul 27, 2021

Description

Currently, the provider acceptance testing via internal/provider/acceptance.sh has an explicit dependency on the kinit executable to verify Kerberos session authentication (versus password and keytab authentication):

```sh
# Run with Kerberos authentication (session authentication)
docker run -d --tmpfs /tmp --tmpfs /run \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -p 127.0.0.1:88:88 \
    -p 127.0.0.1:88:88/udp \
    -p 127.0.0.1:464:464 \
    -p 127.0.0.1:464:464/udp \
    --rm --name kdc kdc || failed
docker run -d --tmpfs /tmp --tmpfs /run \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /etc/localtime:/etc/localtime:ro \
    -v $PWD/internal/provider/testdata/named.conf.kerberos:/etc/named.conf:ro \
    -p 127.0.0.1:53:53 \
    -p 127.0.0.1:53:53/udp \
    --rm --name ns --hostname ns.example.com ns || failed
echo "password" | kinit [email protected]
GO111MODULE=on make testacc TEST=./internal/provider || failed
```

It might be possible to replace the requirement for Kerberos client tools by instead implementing Go code (e.g. via github.com/jcmturner/gokrb5/v8) which writes out a Kerberos credentials cache file that is then picked up by the acceptance testing (e.g. via an environment variable such as KRB5CCNAME or a known location such as /tmp/krb5cc_$(id -u)). This will ease development environment requirements and potentially aid in simplifying macOS and Windows testing in CI.

There are some challenges here, however, as operating systems may implement credential caches in differing formats or locations, and the current Kerberos package does not support writing credential caches natively.

Another option may be to run acceptance testing in a container, therefore moving any requirements to that environment, which can be explicitly managed. This, however, introduces its own complexity, removes the operating system differences we are trying to test against, and is in no way common for provider acceptance testing.
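An added example, not part of the issue or the provider's code: a Go preflight that a test helper could run to decide whether the credential cache named by KRB5CCNAME is a plain file it can read or replace, which is where the format and location differences mentioned above show up. The helper names `ccacheFile` and `ccacheVersion` are hypothetical, and the header check assumes the MIT file cache layout (byte 0x05 followed by a version byte); non-file cache types such as `KCM:` or `KEYRING:` are rejected.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

var errNotFile = errors.New("credential cache is not file-based")

// ccacheFile maps a KRB5CCNAME-style value to a file path. An empty value
// falls back to /tmp/krb5cc_<uid>, the known location named in the issue.
func ccacheFile(name string, uid int) (string, error) {
	if name == "" {
		return fmt.Sprintf("/tmp/krb5cc_%d", uid), nil
	}
	typ, residual, found := strings.Cut(name, ":")
	// No prefix, an absolute path, or a one-letter prefix (assumed drive letter): plain path.
	if !found || len(typ) == 1 || strings.HasPrefix(name, "/") {
		return name, nil
	}
	if typ != "FILE" {
		return "", fmt.Errorf("%w: type %q", errNotFile, typ)
	}
	return residual, nil
}

// ccacheVersion reads the header of a file cache: 0x05, then format version 1 to 4.
func ccacheVersion(path string) (int, error) {
	f, err := os.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	var hdr [2]byte
	if _, err := io.ReadFull(f, hdr[:]); err != nil {
		return 0, fmt.Errorf("short ccache header: %w", err)
	}
	if hdr[0] != 5 || hdr[1] < 1 || hdr[1] > 4 {
		return 0, fmt.Errorf("not a ccache file, header % x", hdr[:])
	}
	return int(hdr[1]), nil
}

func main() {
	fmt.Println(ccacheFile(os.Getenv("KRB5CCNAME"), os.Getuid()))
}
```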
