From 56a5be13cb1f92becfa64963fccb5e784ea896e2 Mon Sep 17 00:00:00 2001 From: Tim Ross Date: Thu, 20 Nov 2025 11:17:15 -0500 Subject: [PATCH] chore: integration test improvements The changes here are meant to reduce resources consumed by integration tests and eliminate the footgun of connecting to a host before its been populated in the appropriate caches. `(integrationTestSuite) defaultServiceConfig` now disables more services by default. Host user creation, the Web UI and Web Service, and the Database Proxy are all now turned off by default. The tests that require them can opt into turning them on. `(TeleInstance) Start` now blocks until the processes SSH server is present in caches before returning. Most tests were already calling this manually after Start, however, not all of them were. This is frequently forgotten in new tests and causes flakes if client connections are attempted as soon as Start returns. There are still cases where calling WaitForNodeCount directly applies - tests that spin up additional nodes or tests that create nodes in a leaf cluster. --- integration/helpers/instance.go | 20 +++- integration/hostuser_test.go | 3 +- integration/integration_test.go | 169 +++++++++----------------------- 3 files changed, 66 insertions(+), 126 deletions(-) diff --git a/integration/helpers/instance.go b/integration/helpers/instance.go index 2cf0995cef4fe..5635dd4c33a6b 100644 --- a/integration/helpers/instance.go +++ b/integration/helpers/instance.go @@ -672,7 +672,7 @@ func (i *TeleInstance) createTeleportProcess(tconf *servicecfg.Config) (*service } // CreateWithConf creates a new instance of Teleport using the supplied config -func (i *TeleInstance) CreateWithConf(_ *testing.T, tconf *servicecfg.Config) error { +func (i *TeleInstance) CreateWithConf(t *testing.T, tconf *servicecfg.Config) error { i.Config = tconf var err error i.Process, err = i.createTeleportProcess(tconf) 
@@ -689,7 +689,7 @@ func (i *TeleInstance) CreateWithConf(_ *testing.T, tconf *servicecfg.Config) er // create users and roles if they don't exist, or sign their keys if they're // already present auth := i.Process.GetAuthServer() - ctx := context.TODO() + ctx := t.Context() for _, user := range i.Secrets.Users { teleUser, err := types.NewUser(user.Username) @@ -1379,6 +1379,18 @@ func (i *TeleInstance) Start() error { "received_events_count", len(receivedEvents), ) + // Wait for any SSH instances to be visible in the inventory before returning + // to prevent any immediate connection attempts from failing because the host + // has not yet been propagated to the caches. + expectedNodes := len(i.Nodes) + if i.Config.SSH.Enabled { + expectedNodes++ + } + + if err := i.WaitForNodeCount(context.Background(), i.Secrets.SiteName, expectedNodes); err != nil { + return trace.Wrap(err) + } + return nil } @@ -1957,6 +1969,10 @@ func (i *TeleInstance) WaitForNodeCount(ctx context.Context, clusterName string, iterWaitTime = time.Second ) + if count <= 0 || i.Config == nil || !i.Config.Auth.Enabled || !i.Config.Proxy.Enabled { + return nil + } + err := retryutils.RetryStaticFor(deadline, iterWaitTime, func() error { cluster, err := i.Tunnel.Cluster(ctx, clusterName) if err != nil { diff --git a/integration/hostuser_test.go b/integration/hostuser_test.go index d614be3ec9ee2..f5db6b65f704f 100644 --- a/integration/hostuser_test.go +++ b/integration/hostuser_test.go @@ -680,8 +680,6 @@ func TestRootLoginAsHostUser(t *testing.T) { require.NoError(t, instance.StopAll()) }) - instance.WaitForNodeCount(context.Background(), helpers.Site, 1) - tests := []struct { name string command []string @@ -759,6 +757,7 @@ func TestRootStaticHostUsers(t *testing.T) { require.NoError(t, instance.StopAll()) }) nodeCfg := servicecfg.MakeDefaultConfig() + nodeCfg.SSH.DisableCreateHostUser = false nodeCfg.SSH.Labels = map[string]string{ "foo": "bar", } 
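Review bot: `ctx := t.Context()` in CreateWithConf dereferences a `*testing.T` that the function ignored until this commit (the parameter was `_`), so any caller that still passes `nil` now panics here instead of creating users. The callers are outside this diff, so a search for `CreateWithConf(nil` is worth doing before merging. I would also state the new requirement on the function, e.g. `// t must be non-nil; its context bounds user and role creation.` The loop that uses ctx continues outside the hunk.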
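Review bot: The block added to Start reads `i.Config.SSH.Enabled` without a nil check, while the guard added to WaitForNodeCount in the next hunk treats `i.Config == nil` as a reachable state; the two should agree. If a nil Config is possible, guard it here as well, e.g. `if i.Config != nil && i.Config.SSH.Enabled {`. The wait also runs on `context.Background()`, so a canceled or timed-out test cannot interrupt it and it is bounded only by the `deadline` value inside WaitForNodeCount. Start takes no context, so that limit is something to document rather than a one-line fix. Start's body begins outside the hunk.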
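Review bot: The early return added to WaitForNodeCount reports success without checking anything when `count <= 0` or when Auth or Proxy is disabled, and nothing on the function tells a caller that. A test that waits on an instance without a proxy, or waits for zero nodes to confirm a node has gone away, now passes immediately and can hide the race this commit sets out to remove. I would document it on the function, e.g. `// WaitForNodeCount returns nil without waiting when count <= 0 or when this instance has Auth or Proxy disabled.`, and consider returning an error for the disabled-service case so a misplaced call fails loudly. The function body extends outside the hunk.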
diff --git a/integration/integration_test.go b/integration/integration_test.go index ce0978d09ebcd..ebee0ab262bc5 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go @@ -218,10 +218,7 @@ func testDifferentPinnedIP(t *testing.T, suite *integrationTestSuite) { tconf := suite.defaultServiceConfig() tconf.Auth.Enabled = true tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true - tconf.SSH.DisableCreateHostUser = true teleInstance := suite.NewTeleportInstance(t) @@ -240,8 +237,6 @@ func testDifferentPinnedIP(t *testing.T, suite *integrationTestSuite) { site := teleInstance.GetSiteAPI(helpers.Site) require.NotNil(t, site) - require.NoError(t, teleInstance.WaitForNodeCount(t.Context(), helpers.Site, 1)) - connectionProblem := func(t require.TestingT, err error, i ...any) { require.Error(t, err, i...) require.True(t, trace.IsConnectionProblem(err), "expected a connection problem error, got: %v", err) @@ -298,10 +293,7 @@ func testAuthLocalNodeControlStream(t *testing.T, suite *integrationTestSuite) { tconf := suite.defaultServiceConfig() tconf.Auth.Enabled = true tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true - tconf.SSH.DisableCreateHostUser = true // deliberately create a teleport instance that will end up binding // unspecified addr (`0.0.0.0`/`::`). we use this further down to confirm @@ -423,8 +415,6 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { tconf.Auth.AuditConfig = auditConfig tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true return t, nil, nil, tconf } 
@@ -446,7 +436,7 @@ func testAuditOn(t *testing.T, suite *integrationTestSuite) { site := teleport.GetSiteAPI(helpers.Site) require.NotNil(t, site) - ctx := context.Background() + ctx := t.Context() // wait for both nodes to show up, otherwise // we'll have trouble connecting to the node below. @@ -747,7 +737,6 @@ func (s *integrationTestSuite) newTeleportIoT(t *testing.T, logins []string) *he tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = false @@ -786,7 +775,7 @@ func replaceNewlines(in string) string { // TestUUIDBasedProxy verifies that attempts to proxy to nodes using ambiguous // hostnames fails with the correct error, and that proxying by UUID succeeds. func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -835,7 +824,7 @@ func testUUIDBasedProxy(t *testing.T, suite *integrationTestSuite) { // testSSHTracker verifies that an SSH session creates a tracker for sessions. func testSSHTracker(t *testing.T, suite *integrationTestSuite) { - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(t.Context()) defer cancel() teleport := suite.newTeleport(t, nil, true) @@ -896,7 +885,7 @@ func testInteractiveReverseTunnel(t *testing.T, suite *integrationTestSuite) { } func testSessionRecordingModes(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -909,8 +898,6 @@ func testSessionRecordingModes(t *testing.T, suite *integrationTestSuite) { cfg := suite.defaultServiceConfig() cfg.Auth.Enabled = true cfg.Auth.SessionRecordingConfig = recConfig - cfg.Proxy.DisableWebService = true - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.SSH.Enabled = true 
@@ -961,7 +948,6 @@ func testSessionRecordingModes(t *testing.T, suite *integrationTestSuite) { filesessions.SetOpenFileFunc(os.OpenFile) } - teleport.WaitForNodeCount(ctx, helpers.Site, 1) for name, test := range map[string]struct { recordingMode constants.SessionRecordingMode expectSessionFailure bool @@ -1121,7 +1107,7 @@ func testLeafProxySessionRecording(t *testing.T, suite *integrationTestSuite) { }) require.NoError(t, err) - ctx := context.Background() + ctx := t.Context() clt, err := tc.ConnectToCluster(ctx) require.NoError(t, err) t.Cleanup(func() { @@ -1229,8 +1215,6 @@ func testCustomReverseTunnel(t *testing.T, suite *integrationTestSuite) { conf.Auth.Enabled = true conf.Proxy.Enabled = true conf.Proxy.DisableWebService = false - conf.Proxy.DisableWebInterface = true - conf.Proxy.DisableDatabaseProxy = true conf.Proxy.TunnelPublicAddrs = []utils.NetAddr{ { // Connect on the address that refuses connection on purpose @@ -1463,7 +1447,7 @@ func testIPPropagation(t *testing.T, suite *integrationTestSuite) { testGRPCNodeConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName, nodeName string) { person := NewTerminal(250) - ctx := context.Background() + ctx := t.Context() tc, err := instance.NewClient(helpers.ClientConfig{ Login: suite.Me.Username, @@ -1512,7 +1496,7 @@ func testIPPropagation(t *testing.T, suite *integrationTestSuite) { } testGRPCAuthConnection := func(t *testing.T, instance *helpers.TeleInstance, clusterName string) { - ctx := context.Background() + ctx := t.Context() tc, err := instance.NewClient(helpers.ClientConfig{ Login: suite.Me.Username, @@ -1716,7 +1700,7 @@ func testShutdown(t *testing.T, suite *integrationTestSuite) { tc.Stdin = term tc.Stdout = term - sshCtx, sshCancel := context.WithCancel(context.Background()) + sshCtx, sshCancel := context.WithCancel(t.Context()) t.Cleanup(sshCancel) go func() { sshErr <- tc.SSH(sshCtx, nil) 
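Review bot: In testLeafProxySessionRecording, `ctx := t.Context()` now feeds `tc.ConnectToCluster(ctx)` and is in scope for the `t.Cleanup` closure that follows, but the testing package cancels that context just before Cleanup functions run. Any teardown call that takes `ctx` will fail with a canceled context where `context.Background()` used to work; the closure body is outside the hunk, so I cannot tell whether it does. The same applies to testAgentlessConn and to `teleport.Process.StartShutdown(t.Context())` in testShutdown, where the context handed to the shutdown path ends once the test function returns. Where teardown needs a live context, `context.WithoutCancel(t.Context())` keeps the values without the cancellation.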
@@ -1741,7 +1725,7 @@ func testShutdown(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) go func() { - err := utils.ProxyConn(context.Background(), term, stream) + err := utils.ProxyConn(t.Context(), term, stream) sshErr <- err }() }, @@ -1757,7 +1741,6 @@ func testShutdown(t *testing.T, suite *integrationTestSuite) { cfg.Auth.Enabled = true cfg.Auth.Preference.SetSecondFactor("off") cfg.Proxy.DisableWebService = false - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.SSH.Enabled = true @@ -1788,7 +1771,7 @@ func testShutdown(t *testing.T, suite *integrationTestSuite) { }, 10*time.Second, 200*time.Millisecond) // initiate shutdown - shutdownContext := teleport.Process.StartShutdown(context.Background()) + shutdownContext := teleport.Process.StartShutdown(t.Context()) require.Eventually(t, func() bool { // TODO: check that we either get a connection that fully works or a connection refused error @@ -1909,14 +1892,9 @@ func testClientIdleConnection(t *testing.T, suite *integrationTestSuite) { netConfig := types.DefaultClusterNetworkingConfig() netConfig.SetClientIdleTimeout(3 * time.Second) - tconf := servicecfg.MakeDefaultConfig() + tconf := suite.defaultServiceConfig() tconf.SSH.Enabled = true - tconf.Logger = logtest.NewLogger() - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.Auth.NetworkingConfig = netConfig - tconf.CircuitBreakerConfig = breaker.NoopBreakerConfig() - tconf.InstanceMetadataClient = imds.NewDisabledIMDSClient() instance := suite.NewTeleportWithConfig(t, nil, nil, tconf) t.Cleanup(func() { require.NoError(t, instance.StopAll()) }) 
@@ -1944,7 +1922,7 @@ func testClientIdleConnection(t *testing.T, suite *integrationTestSuite) { cl.Stdin = reader // Terminate the session after 2x the idle timeout - ctx, cancel := context.WithTimeout(context.Background(), netConfig.GetClientIdleTimeout()*2) + ctx, cancel := context.WithTimeout(t.Context(), netConfig.GetClientIdleTimeout()*2) defer cancel() sessionErr <- cl.SSH(ctx, nil) } @@ -2077,7 +2055,7 @@ func testDisconnectScenarios(t *testing.T, suite *integrationTestSuite) { } func runDisconnectTest(t *testing.T, suite *integrationTestSuite, tc disconnectTestCase) { - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(t.Context()) defer cancel() teleport := suite.NewTeleportInstance(t) @@ -2107,8 +2085,6 @@ func runDisconnectTest(t *testing.T, suite *integrationTestSuite, tc disconnectT cfg.Auth.Enabled = true cfg.Auth.NetworkingConfig = netConfig cfg.Auth.SessionRecordingConfig = recConfig - cfg.Proxy.DisableWebService = true - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.SSH.Enabled = true @@ -2121,9 +2097,6 @@ func runDisconnectTest(t *testing.T, suite *integrationTestSuite, tc disconnectT tc.concurrentConns = 1 } - err = teleport.WaitForNodeCount(ctx, helpers.Site, 1) - require.NoError(t, err) - asyncErrors := make(chan error, 1) for range tc.concurrentConns { @@ -2242,7 +2215,7 @@ func enterInput(ctx context.Context, person *Terminal, command, pattern string) // testEnvironmentVariables validates that session specific environment // variables set by Teleport are present. func testEnvironmentVariables(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() 
@@ -2299,7 +2272,7 @@ func testInvalidLogins(t *testing.T, suite *integrationTestSuite) { }) require.NoError(t, err) - err = tc.SSH(context.Background(), cmd) + err = tc.SSH(t.Context(), cmd) require.ErrorContains(t, err, "failed connecting to host localhost: looking up remote cluster \"wrong-site\"\n\tnot found") } @@ -2347,11 +2320,11 @@ func testTwoClustersTunnel(t *testing.T, suite *integrationTestSuite) { }) } - slog.InfoContext(context.Background(), "Tests done,cleaning up") + slog.InfoContext(t.Context(), "Tests done,cleaning up") } func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, proxyRecordMode string, execCountSiteA, execCountSiteB int) { - ctx := context.Background() + ctx := t.Context() // start the http proxy, we need to make sure this was not used ph := &helpers.ProxyHandler{} ts := httptest.NewServer(ph) @@ -2378,16 +2351,12 @@ func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, acfg := suite.defaultServiceConfig() acfg.Auth.Enabled = true acfg.Proxy.Enabled = true - acfg.Proxy.DisableWebService = true - acfg.Proxy.DisableWebInterface = true acfg.SSH.Enabled = true bcfg := suite.defaultServiceConfig() bcfg.Auth.Enabled = true bcfg.Auth.SessionRecordingConfig = recConfig bcfg.Proxy.Enabled = true - bcfg.Proxy.DisableWebService = true - bcfg.Proxy.DisableWebInterface = true bcfg.SSH.Enabled = false require.NoError(t, b.CreateEx(t, a.Secrets.AsSlice(), bcfg)) @@ -2464,9 +2433,6 @@ func twoClustersTunnel(t *testing.T, suite *integrationTestSuite, now time.Time, require.NoError(t, err) tc.Stdout = &outputB - // Wait for the target host to appear in the inventory before connecting to it. - b.WaitForNodeCount(ctx, b.Secrets.SiteName, 1) - err = tc.SSH(ctx, cmd) require.NoError(t, err) require.Equal(t, outputA.String(), outputB.String()) 
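Review bot: The wait removed before `tc.SSH(ctx, cmd)` in twoClustersTunnel is not obviously replaced by the new wait in Start. The previous hunk sets `bcfg.SSH.Enabled = false`, so Start on `b` waits only for `len(b.Nodes)` nodes, which may be zero at that point. If the host this client connects to is registered after `b` starts, or lives in the other cluster (the client construction is outside the hunk), nothing now waits for it to reach the caches. The old call also discarded its error; if a wait is still needed here, keep it checked: `require.NoError(t, b.WaitForNodeCount(ctx, b.Secrets.SiteName, 1))`.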
@@ -2583,7 +2549,7 @@ func testTwoClustersProxy(t *testing.T, suite *integrationTestSuite) { // and we switch to local persistent caches func testHA(t *testing.T, suite *integrationTestSuite) { t.Setenv("TELEPORT_UNSTABLE_SKIP_VERSION_UPGRADE_CHECK", "1") - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -2681,7 +2647,7 @@ func testHA(t *testing.T, suite *integrationTestSuite) { // TestMapRoles tests local to remote role mapping and access patterns func testMapRoles(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -2710,7 +2676,6 @@ func testMapRoles(t *testing.T, suite *integrationTestSuite) { tconf := suite.defaultServiceConfig() tconf.SSH.Enabled = enableSSH tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true return t, nil, tconf } lib.SetInsecureDevMode(true) @@ -2990,7 +2955,7 @@ func standardPortsOrMuxSetup(t *testing.T, mux bool, fds *[]*servicecfg.FileDesc } func createAndUpdateTrustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" @@ -3033,7 +2998,6 @@ func createAndUpdateTrustedClusters(t *testing.T, suite *integrationTestSuite, t makeConfig := func(instance *helpers.TeleInstance, enableSSH bool) (*testing.T, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH tconf, err := instance.GenerateConfig(t, nil, tconf) require.NoError(t, err) 
@@ -3100,7 +3064,7 @@ func createAndUpdateTrustedClusters(t *testing.T, suite *integrationTestSuite, t } func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" @@ -3160,7 +3124,6 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH return t, nil, tconf } @@ -3343,7 +3306,7 @@ func trustedClusters(t *testing.T, suite *integrationTestSuite, test trustedClus } func trustedDisabledCluster(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" @@ -3406,7 +3369,6 @@ func trustedDisabledCluster(t *testing.T, suite *integrationTestSuite, test trus makeConfig := func(instance *helpers.TeleInstance, enableSSH bool) (*testing.T, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH tconf, err := instance.GenerateConfig(t, nil, tconf) require.NoError(t, err) @@ -3483,7 +3445,7 @@ func trustedDisabledCluster(t *testing.T, suite *integrationTestSuite, test trus } func trustedClustersRoleMapChanges(t *testing.T, suite *integrationTestSuite, test trustedClusterTest) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" 
@@ -3545,7 +3507,6 @@ func trustedClustersRoleMapChanges(t *testing.T, suite *integrationTestSuite, te makeConfig := func(instance *helpers.TeleInstance, enableSSH bool) (*testing.T, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH tconf, err := instance.GenerateConfig(t, nil, tconf) require.NoError(t, err) @@ -3630,7 +3591,7 @@ func trustedClustersRoleMapChanges(t *testing.T, suite *integrationTestSuite, te } func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" @@ -3654,7 +3615,6 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH tconf.CachePolicy.MaxRetryPeriod = time.Millisecond * 500 return t, nil, tconf @@ -3761,7 +3721,7 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { // Use assert package to get access to the returned error. In this way we can log it. if !assert.Eventually(t, func() bool { - err = tunnelClient.SSH(context.Background(), cmd) + err = tunnelClient.SSH(t.Context(), cmd) return err == nil }, 10*time.Second, 200*time.Millisecond) { require.FailNow(t, "Failed to established SSH connection", err) @@ -3775,7 +3735,7 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) { } func testTrustedClusterAgentless(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username clusterMain := "cluster-main" 
@@ -3797,7 +3757,6 @@ func testTrustedClusterAgentless(t *testing.T, suite *integrationTestSuite) { makeConfig := func(enableSSH bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = enableSSH return t, nil, tconf } @@ -3887,7 +3846,6 @@ func testTrustedClusterAgentless(t *testing.T, suite *integrationTestSuite) { err = main.WaitForNodeCount(ctx, clusterAux, 1) require.NoError(t, err) - // connect to leaf agentless node creds, err := helpers.GenerateUserCreds(helpers.UserCredsRequest{ Process: main.Process, @@ -3924,7 +3882,7 @@ func testTrustedClusterAgentless(t *testing.T, suite *integrationTestSuite) { // TestDiscoveryRecovers ensures that discovery protocol recovers from a bad discovery // state (all known proxies are offline). func testDiscoveryRecovers(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -4059,7 +4017,7 @@ func testDiscoveryRecovers(t *testing.T, suite *integrationTestSuite) { // TestDiscovery tests case for multiple proxies and a reverse tunnel // agent that eventually connnects to the right proxy func testDiscovery(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -4192,7 +4150,7 @@ func testDiscovery(t *testing.T, suite *integrationTestSuite) { // nodes will reconnect when network connection between the proxy and node // is restored. func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() t.Cleanup(func() { tr.Stop() }) 
@@ -4221,8 +4179,6 @@ func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) { }, } tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true - tconf.Proxy.DisableALPNSNIListener = true tconf.SSH.Enabled = false @@ -4346,7 +4302,7 @@ func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) { // TestDiscoveryNode makes sure the discovery protocol works with nodes. func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -4376,8 +4332,6 @@ func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) { }, } tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true - tconf.Proxy.DisableALPNSNIListener = true tconf.SSH.Enabled = false @@ -4568,8 +4522,6 @@ func testExternalClient(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true @@ -4664,8 +4616,6 @@ func testControlMaster(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true @@ -4758,8 +4708,6 @@ func testX11Forwarding(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true tconf.SSH.X11 = &x11.ServerConfig{ 
@@ -4918,9 +4866,6 @@ func testProxyHostKeyCheck(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true - return t, nil, nil, tconf } instance := suite.NewTeleportWithConfig(makeConfig()) @@ -4980,7 +4925,7 @@ func testProxyHostKeyCheck(t *testing.T, suite *integrationTestSuite) { func testAuditOff(t *testing.T, suite *integrationTestSuite) { tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() - ctx := context.Background() + ctx := t.Context() var err error @@ -5002,8 +4947,6 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true @@ -5249,8 +5192,6 @@ func testPAM(t *testing.T, suite *integrationTestSuite) { tconf.Auth.Enabled = true tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true tconf.SSH.PAM.Enabled = tt.inEnabled @@ -5849,8 +5790,6 @@ func (s *integrationTestSuite) rotationConfig(disableWebService bool) *servicecf tconf := s.defaultServiceConfig() tconf.SSH.Enabled = true tconf.Proxy.DisableWebService = disableWebService - tconf.Proxy.DisableWebInterface = true - tconf.Proxy.DisableDatabaseProxy = true tconf.Proxy.DisableALPNSNIListener = true tconf.PollingPeriod = time.Second tconf.Testing.ClientTimeout = time.Second @@ -5895,7 +5834,7 @@ func runAndMatch(tc *client.TeleportClient, attempts int, command []string, patt func testWindowChange(t *testing.T, suite *integrationTestSuite) { tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() - ctx := context.Background() + ctx := t.Context() teleport := suite.newTeleport(t, nil, true) defer teleport.StopAll() 
@@ -6012,7 +5951,7 @@ func testWindowChange(t *testing.T, suite *integrationTestSuite) { // testList checks that the list of servers returned is identity aware. func testList(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() tr := utils.NewTracer(utils.ThisFunction()).Start() defer tr.Stop() @@ -6029,8 +5968,6 @@ func testList(t *testing.T, suite *integrationTestSuite) { tconf.Auth.Enabled = true tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true - tconf.Proxy.DisableWebService = true - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true tconf.SSH.Labels = map[string]string{ "role": "worker", @@ -6158,7 +6095,6 @@ func testCmdLabels(t *testing.T, suite *integrationTestSuite) { tconf.Auth.SessionRecordingConfig = recConfig tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = true tconf.SSH.Labels = map[string]string{ "role": "worker", @@ -6263,9 +6199,6 @@ func testDataTransfer(t *testing.T, suite *integrationTestSuite) { main := suite.newTeleport(t, nil, true) defer main.StopAll() - err := main.WaitForNodeCount(context.Background(), helpers.Site, 1) - require.NoError(t, err) - // Create a client to the above Teleport cluster. clientConfig := helpers.ClientConfig{ Login: suite.Me.Username, @@ -6358,7 +6291,6 @@ func testBPFInteractive(t *testing.T, suite *integrationTestSuite) { // Configure Proxy. tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true // Configure Node. If session are being recorded at the proxy, don't enable // BPF to simulate an OpenSSH node. 
@@ -6486,7 +6418,6 @@ func testBPFExec(t *testing.T, suite *integrationTestSuite) { // Configure Proxy. tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true // Configure Node. If session are being recorded at the proxy, don't enable // BPF to simulate an OpenSSH node. @@ -6607,7 +6538,6 @@ func testSSHExitCode(t *testing.T, suite *integrationTestSuite) { // Configure Proxy. tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true // Configure Node. tconf.SSH.Enabled = true @@ -6689,7 +6619,6 @@ func testBPFSessionDifferentiation(t *testing.T, suite *integrationTestSuite) { // Configure Proxy. tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true // Configure Node. If session are being recorded at the proxy, don't enable // BPF to simulate an OpenSSH node. @@ -6922,7 +6851,7 @@ func testSessionStartContainsAccessRequest(t *testing.T, suite *integrationTestS main := suite.newTeleport(t, nil, true) defer main.StopAll() - ctx := context.Background() + ctx := t.Context() // Get auth server authServer := main.Process.GetAuthServer() @@ -7234,6 +7163,10 @@ func (s *integrationTestSuite) defaultServiceConfig() *servicecfg.Config { cfg.CircuitBreakerConfig = breaker.NoopBreakerConfig() cfg.InstanceMetadataClient = imds.NewDisabledIMDSClient() cfg.DebugService.Enabled = false + cfg.Proxy.DisableDatabaseProxy = true + cfg.Proxy.DisableWebInterface = true + cfg.Proxy.DisableWebService = true + cfg.SSH.DisableCreateHostUser = true return cfg } @@ -7347,7 +7280,7 @@ func TestWebProxyInsecure(t *testing.T) { // TestTraitsPropagation makes sure that user traits are applied properly to // roles in root and leaf clusters. func TestTraitsPropagation(t *testing.T) { - ctx := context.Background() + ctx := t.Context() log := logtest.NewLogger() privateKey, publicKey, err := testauthority.New().GenerateKeyPair() 
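Review bot: defaultServiceConfig now turns off the database proxy, the web interface, the web service and host user creation, but the function carries no comment saying so, and a test that depends on one of them will fail far from this line. Please document the defaults on the function, for example `// defaultServiceConfig disables the web service, web UI, database proxy and host user creation; tests that need one must re-enable it explicitly.` It is also worth auditing tests that assert a denial or a connection failure against these services, since with the service switched off they can pass for the wrong reason. The function starts outside the hunk.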
@@ -7463,7 +7396,7 @@ func TestTraitsPropagation(t *testing.T) { // testSessionStreaming tests streaming events from session recordings. func testSessionStreaming(t *testing.T, suite *integrationTestSuite) { - ctx := context.Background() + ctx := t.Context() sessionID := session.ID(uuid.New().String()) teleport := suite.newTeleport(t, nil, true) defer teleport.StopAll() @@ -7529,7 +7462,7 @@ outer: type serviceCfgOpt func(cfg *servicecfg.Config, isRoot bool) func createTrustedClusterPair(t *testing.T, suite *integrationTestSuite, extraServices func(*testing.T, *helpers.TeleInstance, *helpers.TeleInstance), cfgOpts ...serviceCfgOpt) (*client.TeleportClient, *helpers.TeleInstance, *helpers.TeleInstance) { - ctx := context.Background() + ctx := t.Context() username := suite.Me.Username rootName := "root-test" leafName := "leaf-test" @@ -7584,7 +7517,6 @@ func createTrustedClusterPair(t *testing.T, suite *integrationTestSuite, extraSe makeConfig := func(isRoot bool) (*testing.T, []*helpers.InstanceSecrets, *servicecfg.Config) { tconf := suite.defaultServiceConfig() tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = false tconf.CachePolicy.MaxRetryPeriod = time.Millisecond * 500 @@ -7682,7 +7614,6 @@ func testJoinOverReverseTunnelOnly(t *testing.T, suite *integrationTestSuite) { mainConfig.Proxy.Enabled = true mainConfig.Proxy.DisableWebService = false - mainConfig.Proxy.DisableWebInterface = true mainConfig.Proxy.PROXYProtocolMode = proxyProtocolMode mainConfig.SSH.Enabled = false @@ -7733,7 +7664,6 @@ func testJoinOverReverseTunnelOnly(t *testing.T, suite *integrationTestSuite) { mainConfig.Proxy.Enabled = true mainConfig.Proxy.DisableWebService = false - mainConfig.Proxy.DisableWebInterface = true mainConfig.SSH.Enabled = false 
@@ -8180,9 +8110,6 @@ func testSFTP(t *testing.T, suite *integrationTestSuite) { teleport.StopAll() }) - err := teleport.WaitForNodeCount(context.Background(), helpers.Site, 1) - require.NoError(t, err) - agentlessHost := "agentless-node" agentlessNode := CreateAgentlessNode(t, teleport.Process.GetAuthServer(), helpers.Site, agentlessHost) @@ -8439,7 +8366,6 @@ func testWebSFTP(t *testing.T, suite *integrationTestSuite) { cfg.Auth.Preference.SetSecondFactor("off") cfg.Auth.PROXYProtocolMode = proxyProtocolMode cfg.Proxy.DisableWebService = false - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.SSH.Enabled = true teleport := suite.NewTeleportWithConfig(t, []string{"alice"}, nil, cfg) @@ -8467,7 +8393,6 @@ func testWebSFTP(t *testing.T, suite *integrationTestSuite) { Port: lbFrontend.Port(0), }) require.NoError(t, err) - require.NoError(t, teleport.WaitForNodeCount(t.Context(), helpers.Site, 1)) t.Run("upload", func(t *testing.T) { localFile := filepath.Join(t.TempDir(), "foo.txt") @@ -8515,7 +8440,7 @@ func testAgentlessConn(t *testing.T, tc, joinTC *client.TeleportClient, node *ty t.Helper() // connect to cluster - ctx := context.Background() + ctx := t.Context() clt, err := tc.ConnectToCluster(ctx) require.NoError(t, err) t.Cleanup(func() { @@ -8654,8 +8579,8 @@ func TestProxySSHPortMultiplexing(t *testing.T) { rcConf.DataDir = t.TempDir() rcConf.Auth.Preference.SetSecondFactor("off") rcConf.SSH.Enabled = false - rcConf.Proxy.DisableWebInterface = true rcConf.Proxy.DisableTLS = false + rcConf.Proxy.DisableWebInterface = true rcConf.Proxy.DisableALPNSNIListener = test.disableTLSRouting rcConf.CircuitBreakerConfig = breaker.NoopBreakerConfig() 
@@ -8842,6 +8767,7 @@ func TestConnectivityWithoutAuth(t *testing.T) { nodeCfg.Proxy.Enabled = true nodeCfg.Proxy.DisableWebService = false nodeCfg.Proxy.DisableWebInterface = true + nodeCfg.Proxy.DisableDatabaseProxy = true nodeCfg.FileDescriptors = append(nodeCfg.FileDescriptors, node.Fds...) nodeCfg.Proxy.SSHAddr.Addr = node.SSHProxy nodeCfg.Proxy.WebAddr.Addr = node.Web @@ -8981,6 +8907,7 @@ func TestConnectivityDuringAuthRestart(t *testing.T) { // Configure Proxy. nodeCfg.Proxy.Enabled = true nodeCfg.Proxy.DisableWebService = false + nodeCfg.Proxy.DisableDatabaseProxy = true nodeCfg.Proxy.DisableWebInterface = true nodeCfg.FileDescriptors = append(nodeCfg.FileDescriptors, node.Fds...) nodeCfg.Proxy.SSHAddr.Addr = node.SSHProxy @@ -9106,7 +9033,6 @@ func testModeratedSessions(t *testing.T, suite *integrationTestSuite) { cfg.Auth.Preference.(*types.AuthPreferenceV2).Spec.RequireMFAType = types.RequireMFAType_SESSION cfg.Auth.Preference.SetWebauthn(&types.Webauthn{RPID: "127.0.0.1"}) cfg.Proxy.DisableWebService = false - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.SSH.Enabled = true @@ -9287,8 +9213,8 @@ func testModeratedSessions(t *testing.T, suite *integrationTestSuite) { func testNegotiatedALPNProtocols(t *testing.T, suite *integrationTestSuite) { cfg := suite.defaultServiceConfig() cfg.Auth.Enabled = true + cfg.Proxy.DisableDatabaseProxy = false cfg.Proxy.DisableWebService = false - cfg.Proxy.DisableWebInterface = true cfg.Proxy.Enabled = true cfg.Proxy.Kube.Enabled = true @@ -9331,7 +9257,6 @@ func testForceListenerInTunnelMode(t *testing.T, suite *integrationTestSuite) { tconf.Proxy.Enabled = true tconf.Proxy.DisableWebService = false - tconf.Proxy.DisableWebInterface = true tconf.SSH.Enabled = false 
@@ -9459,7 +9384,7 @@ func testForceListenerInTunnelMode(t *testing.T, suite *integrationTestSuite) { func CreateAgentlessNode(t *testing.T, authServer *auth.Server, clusterName, nodeHostname string) *types.ServerV2 { t.Helper() - ctx := context.Background() + ctx := t.Context() openSSHCA, err := authServer.GetCertAuthority(ctx, types.CertAuthID{ Type: types.OpenSSHCA, DomainName: clusterName,