integration: standardize test infrastructure options

Make embedded DERP server and TLS the default configuration for all integration tests, replacing the per-test opt-in model that led to inconsistent and flaky test behavior. Infrastructure changes: - DefaultConfigEnv() includes embedded DERP server settings - New() auto-generates a proper CA + server TLS certificate pair - CA cert is installed into container trust stores and returned by GetCert() so clients and internal tools (curl) trust the server - CreateCertificate() now returns (caCert, cert, key) instead of discarding the CA certificate - Add WithPublicDERP() and WithoutTLS() opt-out options - Remove WithTLS(), WithEmbeddedDERPServerOnly(), and WithDERPAsIP() since all their behavior is now the default or unnecessary Test cleanup: - Remove all redundant WithTLS/WithEmbeddedDERPServerOnly/WithDERPAsIP calls from test files - Give every test a unique WithTestName by parameterizing aclScenario, sshScenario, and derpServerScenario helpers - Add WithTestName to tests that were missing it - Document all non-standard options with inline comments explaining why each is needed Updates #3139
2026-03-30 22:22:14 +02:00 · 2026-03-16 09:15:46 +00:00
parent 87b8507ac9
commit e5ebe3205a
18 changed files with 209 additions and 236 deletions
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -51,11 +51,13 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 		"HEADSCALE_OIDC_CLIENT_SECRET_PATH": "${CREDENTIALS_DIRECTORY_TEST}/hs_client_oidc_secret",
 	}

+	// OIDC tests configure the mock OIDC provider via environment
+	// variables and inject the client secret as a file. This
+	// pattern is shared by all OIDC integration tests.
 	err = scenario.CreateHeadscaleEnvWithLoginURL(
 		nil,
 		hsic.WithTestName("oidcauthping"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
 	)
 	requireNoErrHeadscaleEnv(t, err)
@@ -374,7 +376,6 @@ func TestOIDC024UserCreation(t *testing.T) {
 				nil,
 				hsic.WithTestName("oidcmigration"),
 				hsic.WithConfigEnv(oidcMap),
-				hsic.WithTLS(),
 				hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
 			)
 			requireNoErrHeadscaleEnv(t, err)
@@ -432,7 +433,6 @@ func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 		nil,
 		hsic.WithTestName("oidcauthpkce"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
 	)
 	requireNoErrHeadscaleEnv(t, err)
@@ -487,12 +487,9 @@ func TestOIDCReloginSameNodeNewUser(t *testing.T) {

 	err = scenario.CreateHeadscaleEnvWithLoginURL(
 		nil,
-		hsic.WithTestName("oidcauthrelog"),
+		hsic.WithTestName("oidc-authrelog"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
-		hsic.WithDERPAsIP(),
 	)
 	requireNoErrHeadscaleEnv(t, err)

@@ -899,11 +896,9 @@ func TestOIDCFollowUpUrl(t *testing.T) {

 	err = scenario.CreateHeadscaleEnvWithLoginURL(
 		nil,
-		hsic.WithTestName("oidcauthrelog"),
+		hsic.WithTestName("oidc-followup"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
 	)
 	require.NoError(t, err)

@@ -1011,9 +1006,7 @@ func TestOIDCMultipleOpenedLoginUrls(t *testing.T) {
 		nil,
 		hsic.WithTestName("oidcauthrelog"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
 	)
 	require.NoError(t, err)

@@ -1145,10 +1138,7 @@ func TestOIDCReloginSameNodeSameUser(t *testing.T) {
 		nil,
 		hsic.WithTestName("oidcsameuser"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
-		hsic.WithDERPAsIP(),
 	)
 	requireNoErrHeadscaleEnv(t, err)

@@ -1373,10 +1363,7 @@ func TestOIDCExpiryAfterRestart(t *testing.T) {
 		nil,
 		hsic.WithTestName("oidcexpiry"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
-		hsic.WithDERPAsIP(),
 	)
 	requireNoErrHeadscaleEnv(t, err)

@@ -1524,7 +1511,6 @@ func TestOIDCACLPolicyOnJoin(t *testing.T) {
 		},
 		hsic.WithTestName("oidcaclpolicy"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
 		hsic.WithACLPolicy(
 			&policyv2.Policy{
@@ -1801,10 +1787,7 @@ func TestOIDCReloginSameUserRoutesPreserved(t *testing.T) {
 		},
 		hsic.WithTestName("oidcrouterelogin"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithTLS(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(scenario.mockOIDC.ClientSecret())),
-		hsic.WithEmbeddedDERPServerOnly(),
-		hsic.WithDERPAsIP(),
 		hsic.WithACLPolicy(
 			&policyv2.Policy{
 				ACLs: []policyv2.ACL{