Adds arch diagram for test env in kind

philipgough · philipgough · commit 9772bad83a4a · 2026-04-10T10:31:16.000+01:00
diff --git a/test/kind/README.md b/test/kind/README.md
@@ -1,6 +1,11 @@
 # KIND Mixed Authentication Tests
 
-This directory contains end-to-end tests for the Observatorium API's mixed authentication feature using a KIND (Kubernetes in Docker) cluster.
+This directory contains end-to-end tests for the Observatorium API's multi-authenticator feature using in KinD.
+Certificates are generated using cert-manager, and an OIDC provider (Dex) is deployed for authentication testing. 
+The tests verify that the API correctly routes requests to the appropriate authentication method 
+based on path patterns and enforces RBAC authorization.
+
+Endpoints are stubbed to backend services (nginx proxy and httpbin) to validate that authenticated requests are properly forwarded.
 
 ## Overview
 
@@ -9,15 +14,11 @@ The tests verify that:
 - Write endpoints (receive, push) use mTLS authentication  
 - Path-based authentication routing works correctly
 - RBAC authorization is enforced
-- Backend proxying functions properly
 
 ## Prerequisites
 
-- Docker
-- KIND (Kubernetes in Docker)
+- KinD
 - kubectl
-- Go 1.19+
-- make
 
 ## Quick Start
 
@@ -44,138 +45,57 @@ The tests verify that:
    make teardown
    ```
 
-## Test Scenarios
-
-The e2e tests cover:
-
-### ✅ OIDC Authentication Tests
-- Read endpoints accept valid OIDC tokens
-- Query, query_range, labels, series endpoints work with Bearer tokens
-- Tokens are obtained via OAuth2 password grant flow from Dex
-
-### ✅ mTLS Authentication Tests  
-- Write endpoints require client certificates
-- Receive and push endpoints work with valid client certificates
-- Admin client certificates are used for write operations
-
-### ✅ Authentication Rejection Tests
-- Read endpoints reject requests with only mTLS certificates
-- Write endpoints reject requests with only OIDC tokens
-- Invalid certificates are properly rejected
 
-### ✅ Path Pattern Matching
-- Regex path patterns correctly route to appropriate auth methods
-- Edge cases in path matching work as expected
-
-### ✅ RBAC Enforcement
-- Authorization rules are applied after successful authentication
-- User permissions are respected
-
-### ✅ Backend Proxying
-- Authenticated requests are properly forwarded to backend services
-- Request headers and data are preserved
 
 ## Architecture
 
+```mermaid
+graph TB
+    Client[Client Requests]
+    
+    subgraph "KIND Cluster"
+        subgraph "Observatorium API"
+            API[obs-api<br/>Multi-Authenticator]
+        end
+        
+        subgraph "Authentication Providers"
+            Dex[Dex OIDC Provider<br/>Identity Server]
+            CertManager[cert-manager<br/>Certificate Authority]
+        end
+        
+        subgraph "Backend Services"
+            Nginx[nginx proxy<br/>Stubbed Backend]
+            HttpBin[httpbin<br/>Test Service]
+        end
+        
+        subgraph "TLS Infrastructure"
+            TLS[TLS Certificates<br/>mTLS Authentication]
+        end
+    end
+    
+    Client -->|Read Requests<br/>query, labels| API
+    Client -->|Write Requests<br/>receive, push| API
+    
+    API -->|OIDC Auth<br/>Read endpoints| Dex
+    API -->|mTLS Auth<br/>Write endpoints| TLS
+    
+    API -->|Authenticated<br/>Requests| Nginx
+    Nginx -->|Proxied<br/>Requests| HttpBin
+    
+    CertManager -->|Generates| TLS
+    
+    style API fill:#e1f5fe
+    style Dex fill:#f3e5f5
+    style TLS fill:#e8f5e8
+    style Nginx fill:#fff3e0
+    style HttpBin fill:#fff3e0
 ```
-Test Runner → Port Forward → Observatorium API → Backend Services
-                              ↓
-                         [OIDC/mTLS Auth]
-                              ↓  
-                           Dex OIDC
-```
-
-### Components
 
-- **KIND Cluster**: Local Kubernetes cluster for testing
-- **Observatorium API**: Main API with mixed authentication
-- **Dex**: OIDC provider for OAuth2/OIDC authentication  
-- **cert-manager**: Automatic TLS certificate generation
-- **HTTPBin**: Backend service for request/response testing
-- **nginx**: Reverse proxy for backend routing
-
-## Configuration
-
-### Authentication Paths
-
-**OIDC Paths** (Bearer token required):
-```
-^/api/(metrics|logs)/v1/auth-tenant/api/v1/(query|query_range|query_exemplars|labels|label/.*/values|series|metadata|rules|alerts).*
-```
-
-**mTLS Paths** (Client certificate required):
-```
-^/api/(metrics|logs)/v1/auth-tenant/api/v1/(receive|push).*
-```
+The architecture demonstrates:
 
-### Test Credentials
-
-**OIDC Users:**
-- Username: `admin@example.com`
-- Password: `password`
-- Client: `observatorium-api`
-
-**mTLS Certificates:**
-- Admin client cert: `testdata/admin-client.{crt,key}`
-- Test client cert: `testdata/test-client.{crt,key}`
-- CA cert: `testdata/ca.crt`
-
-## Makefile Targets
-
-- `make setup` - Complete environment setup
-- `make cluster-create` - Create KIND cluster only
-- `make deploy` - Deploy applications only  
-- `make test` - Run e2e tests
-- `make test-comprehensive` - Run comprehensive test suite
-- `make teardown` - Clean up everything
-- `make reset` - Tear down and set up again
-- `make cluster-info` - Show cluster information
-
-## Known Issues
-
-- **TestReadEndpointsRejectMTLS DNS Error**: One test scenario fails with `dial tcp: lookup dex.proxy.svc.cluster.local: no such host`. This occurs when the test tries to access OIDC authentication from outside the cluster. The mixed authentication functionality works correctly - this is a test implementation limitation.
-
-## Troubleshooting
-
-### Port Forward Issues
-If tests fail with connection errors, check that port forwards are working:
-```bash
-# Check if ports are available
-netstat -an | grep :8080
-netstat -an | grep :5556
-
-# Manual port forward test
-kubectl port-forward -n proxy service/observatorium-api 8080:8080
-```
-
-### Certificate Issues  
-Verify certificates are generated correctly:
-```bash
-kubectl get certificates -n proxy
-kubectl describe certificate server-cert -n proxy
-```
-
-### OIDC Issues
-Check Dex logs and configuration:
-```bash
-kubectl logs -n proxy deployment/dex
-kubectl get configmap dex-config -n proxy -o yaml
-```
-
-### API Issues
-Check API logs for authentication errors:
-```bash
-kubectl logs -n proxy deployment/observatorium-api
-```
+- **Path-based routing**: Different endpoints use different authentication methods
+- **OIDC Authentication**: Read endpoints (query, labels) authenticate via Dex OIDC provider
+- **mTLS Authentication**: Write endpoints (receive, push) use mutual TLS certificates
+- **Backend proxying**: Authenticated requests are forwarded to stubbed backend services
+- **Certificate management**: cert-manager handles TLS certificate lifecycle
 
-## Files
-
-- `Makefile` - Build and test automation
-- `e2e.go` - End-to-end test implementation
-- `extract-config.sh` - Certificate and config extraction script
-- `resources/` - Kubernetes resource definitions
-  - `backends.yaml` - Backend services
-  - `certificates.yaml` - TLS certificate requests
-  - `dex.yaml` - Dex OIDC provider
-  - `services.yaml` - Service definitions
-- `testdata/` - Generated certificates and config (created by setup)
