#!/usr/bin/env bash
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# This script can be used to prepare a kind cluster and deploy the app.
# You can call this script again to redeploy the app.
# It will also output instructions on how to run the integration.
#
set -euo pipefail
#
# Helper functions
#
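#######################################
# Print an informational message to stdout, in green when the terminal
# advertises 24-bit color through COLORTERM.
# Globals:   COLORTERM (read)
# Arguments: the message words; they are joined with spaces
# Outputs:   the message followed by a newline, on stdout
#######################################
function log_note() {
  # Kept local so that calling this function does not define globals.
  local -r green='\033[0;32m'
  local -r no_color='\033[0m'
  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
    # %b expands the escapes of the color codes only. The message goes through
    # %s, so a backslash or escape sequence inside an interpolated value is
    # printed literally, exactly as in the uncolored branch.
    printf '%b%s%b\n' "$green" "$*" "$no_color"
  else
    printf '%s\n' "$*"
  fi
}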
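#######################################
# Print an error message to stdout, in red when the terminal advertises
# 24-bit color through COLORTERM.
# Globals:   COLORTERM (read)
# Arguments: the message words; they are joined with spaces
# Outputs:   the prefixed message followed by a newline, on stdout
#            (some callers in this script redirect it to stderr themselves)
#######################################
function log_error() {
  # Kept local so that calling this function does not define globals.
  local -r red='\033[0;31m'
  local -r no_color='\033[0m'
  if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
    # Only the color codes are expanded with %b. The message often contains a
    # command line argument, so it is printed with %s and any escape sequence
    # typed by the user reaches the terminal as literal text.
    printf '🙁%b Error: %s %b\n' "$red" "$*" "$no_color"
  else
    printf ':( Error: %s\n' "$*"
  fi
}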
#######################################
# Exit the script unless the named command can be found.
# Arguments: $1 - command name to look up
#            $2 - installation hint printed when the command is missing
# Outputs:   two error lines through log_error when the command is missing
# Returns:   0 when the command exists; otherwise exits with status 1
#######################################
function check_dependency() {
  local tool=$1
  if command -v "$tool" >/dev/null; then
    return 0
  fi
  log_error "Missing dependency..."
  log_error "$2"
  exit 1
}
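#
# Handle argument parsing and help message
#
help=no
skip_build=no
clean_kind=no
api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
dockerfile_path=""
# Path of a script that gets AD related env variables. The path is written into the
# generated environment file as a `source` line, so the script runs in the shell of
# whoever sources that file.
get_active_directory_vars=""
# The next five values are paths of scripts that this script runs as commands later on,
# with the caller's privileges and the current kubeconfig. "undefined" means "not given".
alternate_deploy="undefined"
alternate_deploy_supervisor="undefined"
alternate_deploy_concierge="undefined"
alternate_deploy_local_user_authenticator="undefined"
post_install="undefined"

#######################################
# Exit with an error unless the flag being parsed is followed by a value.
# A value is missing when there are no more command line arguments, or when the
# next argument starts with a dash (i.e. it is another flag).
# Arguments: $1 - error message to print when the value is missing
#            remaining - the command line arguments left after the flag itself
# Returns:   0 when a value is present; otherwise exits with status 1
#######################################
function require_flag_value() {
  local message=$1
  shift
  if [[ "$#" == "0" || "$1" == -* ]]; then
    log_error "$message"
    exit 1
  fi
}

# supported variable style:
#   --dockerfile-path ./foo.sh
# unsupported variable style (using = will fail the script):
#   --dockerfile-path=./foo.sh
while (("$#")); do
  case "$1" in
  -h | --help)
    help=yes
    shift
    ;;
  -s | --skip-build)
    skip_build=yes
    shift
    ;;
  -c | --clean)
    clean_kind=yes
    shift
    ;;
  -g | --api-group-suffix)
    shift
    require_flag_value "-g|--api-group-suffix requires a group name to be specified" "$@"
    api_group_suffix=$1
    shift
    ;;
  -a | --get-active-directory-vars)
    shift
    require_flag_value "--get-active-directory-vars requires a script name to be specified" "$@"
    get_active_directory_vars=$1
    shift
    ;;
  --dockerfile-path)
    shift
    # The value is handed to `docker build --file`, so the message asks for a
    # Dockerfile path rather than a script name.
    require_flag_value "--dockerfile-path requires a Dockerfile path to be specified" "$@"
    dockerfile_path=$1
    shift
    ;;
  --alternate-deploy)
    shift
    require_flag_value "--alternate-deploy requires a script path to be specified" "$@"
    alternate_deploy=$1
    shift
    ;;
  --alternate-deploy-supervisor)
    shift
    require_flag_value "--alternate-deploy-supervisor requires a script path to be specified" "$@"
    alternate_deploy_supervisor=$1
    shift
    ;;
  --alternate-deploy-concierge)
    shift
    require_flag_value "--alternate-deploy-concierge requires a script path to be specified" "$@"
    alternate_deploy_concierge=$1
    shift
    ;;
  --alternate-deploy-local-user-authenticator)
    shift
    require_flag_value "--alternate-deploy-local-user-authenticator requires a script path to be specified" "$@"
    alternate_deploy_local_user_authenticator=$1
    shift
    ;;
  --post-install)
    shift
    require_flag_value "--post-install requires a script path to be specified" "$@"
    post_install=$1
    shift
    ;;
  -*)
    log_error "Unsupported flag $1" >&2
    if [[ "$1" == *"active-directory"* ]]; then
      log_error "Did you mean --get-active-directory-vars?"
    fi
    exit 1
    ;;
  *)
    log_error "Unsupported positional arg $1" >&2
    exit 1
    ;;
  esac
done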
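# Print the usage text and stop when -h/--help was given.
if [[ "$help" == "yes" ]]; then
  me="$(basename "${BASH_SOURCE[0]}")"
  log_note "Usage:"
  log_note " $me [flags]"
  log_note
  log_note "Flags:"
  log_note " -h, --help: print this usage"
  log_note " -c, --clean: destroy the current kind cluster and make a new one"
  log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix"
  log_note " -s, --skip-build: reuse the most recently built image of the app instead of building"
  log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables"
  # --dockerfile-path is accepted by the argument parser, so it is listed here as well.
  log_note " --dockerfile-path: specify an alternate Dockerfile to use when building the app image"
  log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped"
  log_note " --alternate-deploy-supervisor: specify an alternate deploy script to install Pinniped Supervisor"
  log_note " --alternate-deploy-concierge: specify an alternate deploy script to install Pinniped Concierge"
  log_note " --alternate-deploy-local-user-authenticator: specify an alternate deploy script to install Pinniped local-user-authenticator"
  log_note " --post-install: specify a post-install script"
  # NOTE(review): asking for help exits with status 1, so a caller cannot tell
  # --help apart from a failure. Left unchanged in case something relies on it.
  exit 1
fi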
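# Run everything from the repository root, which is the parent of this script's directory.
pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$pinniped_path" || exit 1

#
# Check for dependencies
#
check_dependency docker "Please install docker. See https://docs.docker.com/get-docker"
check_dependency kind "Please install kind. e.g. 'brew install kind' for MacOS"
check_dependency ytt "Please install ytt. e.g. 'brew tap vmware-tanzu/carvel && brew install ytt' for MacOS"
check_dependency kapp "Please install kapp. e.g. 'brew tap vmware-tanzu/carvel && brew install kapp' for MacOS"
check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS"
check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux."
check_dependency openssl "Please install openssl. Should be pre-installed on MacOS."
check_dependency nmap "Please install nmap. e.g. 'brew install nmap' for MacOS"

# Require kubectl >= 1.21.x.
# The minor version is parsed into a variable and validated first. Feeding a
# non-numeric string straight to `[ ... -lt 21 ]` makes the test fail with an
# error, which an `if` treats as false, so the requirement would be skipped.
kubectl_minor_version="$(kubectl version --client=true -o=json | grep gitVersion | cut -d '.' -f 2)" || true
if ! [[ "$kubectl_minor_version" =~ ^[0-9]+$ ]]; then
  log_error "Could not determine the kubectl client version (kubectl >= 1.21.x is required)"
  exit 1
fi
if [ "$kubectl_minor_version" -lt 21 ]; then
  log_error "kubectl >= 1.21.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"
  exit 1
fi

# Require nmap >= 7.92.x
# Both the major and the minor number are compared, so that a future major
# version with a small minor number (for example 8.0) is accepted, and an
# older major version is rejected whatever its minor number is.
nmap_version="$(nmap -V | grep 'Nmap version' | cut -d ' ' -f 3)" || true
if ! [[ "$nmap_version" =~ ^([0-9]+)\.([0-9]+) ]]; then
  log_error "Could not determine the nmap version (nmap >= 7.92.x is required)"
  exit 1
fi
# 10# forces base 10, so a component with a leading zero is not read as octal.
nmap_major=$((10#${BASH_REMATCH[1]}))
nmap_minor=$((10#${BASH_REMATCH[2]}))
if ((nmap_major < 7 || (nmap_major == 7 && nmap_minor < 92))); then
  log_error "nmap >= 7.92.x is required, you have $nmap_version"
  exit 1
fi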
# With -c/--clean, tear down the existing kind cluster before doing anything else.
if [[ "$clean_kind" == "yes" ]]; then
  log_note "Deleting running kind cluster to prepare from a clean slate..."
  ./hack/kind-down.sh
fi

#
# Setup kind and build the app
#
log_note "Checking for running kind cluster..."
if kind get clusters | grep -q -e '^pinniped$'; then
  # A kind cluster named "pinniped" already exists. Before deploying test
  # workloads and test credentials, make sure the current kubeconfig context
  # reports a control plane address containing 127.0.0.1. This is the only
  # guard against pointing the rest of the script at a non-local cluster.
  if ! kubectl cluster-info | grep -E '(master|control plane)' | grep -q 127.0.0.1; then
    log_error "Seems like your kubeconfig is not targeting a local cluster."
    log_error "Exiting to avoid accidentally running tests against a real cluster."
    exit 1
  fi
else
  log_note "Creating a kind cluster..."
  # Our kind config exposes node port 31243 as 127.0.0.1:12344 and 31235 as 127.0.0.1:12346
  ./hack/kind-up.sh
fi
# since we allow other scripts to write to the environment file, we need to create a new one every time
# mktemp creates the file under an unpredictable name, readable and writable by the
# current user only. Test credentials are appended to this file further down, and
# nothing in this script deletes it afterwards.
env_file_name="$(mktemp /tmp/pinniped.integration.XXXXXXXX)"
log_note "creating environment variable file: $env_file_name"

# registry="pinniped.local"
registry="kind-registry.local:5000"
# TODO: need to prompt the user to edit their /etc/hosts here, because otherwise
# we can't push images to the registry! maybe check /etc/hosts for this change else error?
repo="test/build"
registry_repo="${registry}/${repo}"
tag="0.0.0-$(uuidgen)" # always a new tag to force K8s to reload the image on redeploy

# Build by default. With -s/--skip-build the tag of the most recent local image is
# reused instead, provided such an image exists.
do_build=yes
if [[ "$skip_build" == "yes" ]]; then
  most_recent_tag=$(docker images "${registry}/${repo}" --format "{{.Tag}}" | head -1)
  if [[ -n "$most_recent_tag" ]]; then
    tag="$most_recent_tag"
    do_build=no
  fi
  # Otherwise: Oops, there was no previous build. Need to build anyway.
fi

registry_repo_tag="${registry_repo}:${tag}"

if [[ "$do_build" == "yes" ]]; then
  # Rebuild the code
  testing_version="${KUBE_GIT_VERSION:-}"
  # The docker arguments are collected in an array so that each value stays a
  # single word, whatever characters the paths contain.
  docker_build_args=(. --tag "$registry_repo_tag")
  if [[ "$dockerfile_path" != "" ]]; then
    log_note "Docker building the app with dockerfile $dockerfile_path and KUBE_GIT_VERSION='$testing_version'"
    docker_build_args+=(--file "$dockerfile_path")
  else
    log_note "Docker building the app with KUBE_GIT_VERSION='$testing_version'"
  fi
  # DOCKER_BUILDKIT=1 is optional on MacOS but required on linux.
  DOCKER_BUILDKIT=1 docker build "${docker_build_args[@]}" --build-arg "KUBE_GIT_VERSION=$testing_version"
fi

# Load it into the cluster
log_note "Loading the app's container image into the local registry ($registry)..."
docker push "$registry_repo_tag"
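#
# Deploy local-user-authenticator
#
# NOTE(review): the rendered manifest goes to a fixed, predictable path in the shared
# /tmp directory and is read back by kapp and kubectl below. On a multi-user host a
# per-run directory from `mktemp -d` would keep other local users from pre-creating
# or replacing this file.
manifest=/tmp/pinniped-local-user-authenticator.yaml
test_username=""
test_groups=""
test_password=""
webhook_ca_bundle=""
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ]; then
  # The alternate deploy scripts are named on the command line and run with the
  # caller's privileges. They receive the component name, the image tag and the
  # path of the environment file. Every expansion is quoted, so a path that
  # contains spaces or glob characters is run as exactly one command word
  # instead of being split or expanded by the shell.
  if [ "$alternate_deploy" != "undefined" ]; then
    log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
    "$alternate_deploy" local-user-authenticator "$tag" "$env_file_name"
  fi
  if [ "$alternate_deploy_local_user_authenticator" != "undefined" ]; then
    log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy_local_user_authenticator local-user-authenticator $tag..."
    "$alternate_deploy_local_user_authenticator" local-user-authenticator "$tag" "$env_file_name"
  fi
else
  log_note "Deploying the local-user-authenticator app to the cluster using kapp..."
  pushd deploy/local-user-authenticator >/dev/null
  ytt --file . \
    --data-value "image_repo=$registry_repo" \
    --data-value "image_tag=$tag" >"$manifest"

  kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.

  # The user name is assigned before it is logged, so the message shows the real name
  # instead of an empty string.
  test_username="test-username"
  test_groups="test-group-0,test-group-1"
  test_password="$(openssl rand -hex 16)"
  log_note "Creating test user '$test_username'..."
  echo "export PINNIPED_TEST_USER_USERNAME=${test_username}" >> "${env_file_name}"
  echo "export PINNIPED_TEST_USER_GROUPS=${test_groups}" >> "${env_file_name}"
  echo "export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}" >> "${env_file_name}"

  # The hash is computed in its own assignment: with `set -euo pipefail` in effect a
  # failing htpasswd stops the script here, instead of an empty passwordHash being
  # stored in the secret.
  # NOTE(review): `htpasswd -b` takes the password as a command line argument, which
  # is visible in the process list while htpasswd runs.
  test_password_hash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")"
  kubectl create secret generic "$test_username" \
    --namespace local-user-authenticator \
    --from-literal=groups="$test_groups" \
    --from-literal=passwordHash="$test_password_hash" \
    --dry-run=client \
    --output yaml |
    kubectl apply -f -

  # TODO: this is a race, we need to wait for this secret to exist, should we --wait?
  webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
  echo "export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}" >> "${env_file_name}"
  popd >/dev/null
fi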
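#
# Deploy Tools
#
# NOTE(review): this manifest contains the LDAP test password in clear text and the
# bcrypt hash of the Dex test password, and it is written to a fixed, predictable path
# in the shared /tmp directory. On a multi-user host a per-run directory from
# `mktemp -d` would be safer.
manifest=/tmp/pinniped-tools.yaml
# Fresh random passwords are generated on every run.
dex_test_password="$(openssl rand -hex 16)"
ldap_test_password="$(openssl rand -hex 16)"
# The hash is computed in its own assignment: with `set -euo pipefail` in effect a
# failing htpasswd stops the script here, instead of ytt rendering the manifest
# with an empty hash.
# NOTE(review): `htpasswd -b` takes the password as a command line argument, which is
# visible in the process list while htpasswd runs. The same holds for the values
# passed to ytt with --data-value below.
dex_test_password_hash="$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")"
pushd test/deploy/tools >/dev/null

log_note "Deploying Tools to the cluster..."
ytt --file . \
  --data-value-yaml "supervisor_redirect_uris=[https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback]" \
  --data-value "pinny_ldap_password=$ldap_test_password" \
  --data-value "pinny_bcrypt_passwd_hash=$dex_test_password_hash" \
  >"$manifest"

kapp deploy --yes --app tools --diff-changes --file "$manifest"
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.

popd >/dev/null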
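#
# Deploy the Pinniped Supervisor
#
# NOTE(review): fixed, predictable path in the shared /tmp directory; on a multi-user
# host a per-run directory from `mktemp -d` would be safer.
manifest=/tmp/pinniped-supervisor.yaml
supervisor_app_name="pinniped-supervisor"
supervisor_namespace="supervisor"
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
log_level="debug"
service_https_nodeport_port="443"
service_https_nodeport_nodeport="31243"
service_https_clusterip_port="443"

if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_supervisor" != "undefined" ]; then
  # The alternate deploy scripts are named on the command line and run with the
  # caller's privileges. They receive the component name, the image tag and the
  # path of the environment file. Every expansion is quoted, so a path that
  # contains spaces or glob characters is run as exactly one command word
  # instead of being split or expanded by the shell.
  if [ "$alternate_deploy" != "undefined" ]; then
    log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
    "$alternate_deploy" pinniped-supervisor "$tag" "$env_file_name"
  fi
  if [ "$alternate_deploy_supervisor" != "undefined" ]; then
    log_note "The Pinniped Supervisor will be deployed with $alternate_deploy_supervisor pinniped-supervisor $tag..."
    "$alternate_deploy_supervisor" pinniped-supervisor "$tag" "$env_file_name"
  fi
else
  log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
  pushd deploy/supervisor >/dev/null
  # --data-value passes a plain string and --data-value-yaml a value that ytt parses
  # as YAML. The user-supplied api_group_suffix is passed as a plain string.
  ytt --file . \
    --data-value "app_name=$supervisor_app_name" \
    --data-value "namespace=$supervisor_namespace" \
    --data-value "api_group_suffix=$api_group_suffix" \
    --data-value "image_repo=$registry_repo" \
    --data-value "image_tag=$tag" \
    --data-value "log_level=$log_level" \
    --data-value-yaml "custom_labels=$supervisor_custom_labels" \
    --data-value-yaml "service_https_nodeport_port=$service_https_nodeport_port" \
    --data-value-yaml "service_https_nodeport_nodeport=$service_https_nodeport_nodeport" \
    --data-value-yaml "service_https_clusterip_port=$service_https_clusterip_port" \
    >"$manifest"

  kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
  popd >/dev/null
fi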
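#
# Deploy the Pinniped Concierge
#
# NOTE(review): fixed, predictable path in the shared /tmp directory; on a multi-user
# host a per-run directory from `mktemp -d` would be safer.
manifest=/tmp/pinniped-concierge.yaml
concierge_app_name="pinniped-concierge"
concierge_namespace="concierge"
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
# Last field of the control plane line printed by `kubectl cluster-info`. TERM=dumb is
# set for that one command; presumably to keep color codes out of the parsed output.
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
log_level="debug"

if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" != "undefined" ]; then
  # The alternate deploy scripts are named on the command line and run with the
  # caller's privileges. They receive the component name, the image tag and the
  # path of the environment file. Every expansion is quoted, so a path that
  # contains spaces or glob characters is run as exactly one command word
  # instead of being split or expanded by the shell.
  if [ "$alternate_deploy" != "undefined" ]; then
    log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
    "$alternate_deploy" pinniped-concierge "$tag" "$env_file_name"
  fi
  if [ "$alternate_deploy_concierge" != "undefined" ]; then
    log_note "The Pinniped Concierge will be deployed with $alternate_deploy_concierge pinniped-concierge $tag..."
    "$alternate_deploy_concierge" pinniped-concierge "$tag" "$env_file_name"
  fi
else
  log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
  pushd deploy/concierge >/dev/null
  # --data-value passes a plain string and --data-value-yaml a value that ytt parses
  # as YAML. The user-supplied api_group_suffix is passed as a plain string.
  ytt --file . \
    --data-value "app_name=$concierge_app_name" \
    --data-value "namespace=$concierge_namespace" \
    --data-value "api_group_suffix=$api_group_suffix" \
    --data-value "log_level=$log_level" \
    --data-value-yaml "custom_labels=$concierge_custom_labels" \
    --data-value "image_repo=$registry_repo" \
    --data-value "image_tag=$tag" \
    --data-value "discovery_url=$discovery_url" >"$manifest"

  kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
  popd >/dev/null
fi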
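#
# Call a post-install script
# simplifies passing the $tag which may be necessary if the current local build is to be
# referenced, for example, deploying via a Carvel package rather than our ytt mechanism
# running it after the above also allows appending to the environment variable file
#
# The script is named on the command line and runs with the caller's privileges. It
# receives a fixed label, the image tag and the path of the environment file, which
# already holds test credentials at this point. Every expansion is quoted, so a path
# that contains spaces or glob characters is run as exactly one command word.
if [ "$post_install" != "undefined" ]; then
  log_note "The post-install script will be called with $tag..."
  "$post_install" post-install-script "$tag" "$env_file_name"
fi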
#
# Download the test CA bundle that was generated in the Dex pod.
# Note that this returns a base64 encoded value.
#
test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index .data "ca.pem"}}')"

#
# Create the environment file.
#
# Note that no value should contain newlines, except for PINNIPED_TEST_CLUSTER_CAPABILITY_YAML,
# so that the environment can also be used in tools like GoLand. Therefore, multi-line values,
# such as PEM-formatted certificates, should be base64 encoded.
#
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
pinniped_cluster_capability_file_content=$(<"$kind_capabilities_file")

# Everything up to the closing EOF is appended to the environment file. The heredoc
# delimiter is unquoted, so every ${...} reference below is expanded now, while the
# file is being written, and the file ends up holding the literal values.
#
# The file contains the generated LDAP and Dex test passwords in clear text.
#
# NOTE(review): the values are inserted without shell escaping, and the file is meant
# to be loaded with `source`. A value that contains a quote or other shell syntax, for
# example one given with --api-group-suffix or --get-active-directory-vars, would be
# interpreted as shell code by whoever sources the file. The `source` line written for
# --get-active-directory-vars is also unquoted, so a path with spaces does not work.
# Escaping the values with `printf '%q'` would close this; check the other consumers
# of this file before changing its format.
#
# NOTE(review): PINNIPED_TEST_SHELL_CONTAINER_IMAGE uses the mutable tag ":latest", so
# the image that the tests pull can change between runs.
cat <<EOF >>"$env_file_name"
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'
export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name}
export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
export PINNIPED_TEST_LDAP_HOST=ldap.tools.svc.cluster.local
export PINNIPED_TEST_LDAP_STARTTLS_ONLY_HOST=ldapstarttls.tools.svc.cluster.local
export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="${test_ca_bundle_pem}"
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password
export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE="ou=users,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE="ou=groups,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_USER_CN="pinny"
export PINNIPED_TEST_LDAP_USER_PASSWORD=${ldap_test_password}
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME="uidNumber"
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE="1000"
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail"
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com"
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_DN="cn=pinnipeds,ou=groups,dc=pinniped,dc=dev;cn=mammals,ou=groups,dc=pinniped,dc=dev"
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_CN="ball-game-players;seals"
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN="ball-game-players-posix;seals-posix"
export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_CN="pinnipeds;mammals"
export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback
export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
export PINNIPED_TEST_CLI_OIDC_PASSWORD=${dex_test_password}
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES="offline_access,email"
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM=email
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM=groups
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=${dex_test_password}
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups.
export PINNIPED_TEST_API_GROUP_SUFFIX='${api_group_suffix}'
# PINNIPED_TEST_SHELL_CONTAINER_IMAGE should be a container which includes bash and sleep, used by some tests.
export PINNIPED_TEST_SHELL_CONTAINER_IMAGE="ghcr.io/pinniped-ci-bot/test-kubectl:latest"

# We can't set up an in-cluster active directory instance, but
# if you have an active directory instance that you wish to run the tests against,
# specify a script to set the ad-related environment variables.
# You will need to set the environment variables that start with "PINNIPED_TEST_AD_"
# found in pinniped/test/testlib/env.go.
if [[ "$get_active_directory_vars" != "" ]]; then
source $get_active_directory_vars
fi

read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
${pinniped_cluster_capability_file_content}
PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF

export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
EOF
#
# Print instructions for next steps.
#
# Each array element is printed as one line through log_note; an empty element
# produces an empty line. The environment file named in the `source` command holds
# test credentials, and sourcing it runs its content in the current shell.
next_steps=(
  ""
  "🚀 Ready to run integration tests! For example..."
  " cd $pinniped_path"
  " ulimit -n 512"
  " source $env_file_name && go test -v -race -count 1 -timeout 0 ./test/integration"
  ""
  "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
  " hack/integration-test-env-goland.sh | pbcopy"
  ""
  "You can rerun this script to redeploy local production code changes while you are working."
  ""
  "To delete the deployments, run:"
  " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
  "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
  ""
)
for step in "${next_steps[@]}"; do
  log_note "$step"
done

# TODO: come back and check the /etc/hosts file for the existence of
# the correct lines, just like is done in prepare-supervisor-on-kind.sh
# The /etc/hosts hint is printed on every run, whether or not the entry already
# exists. The suggested command appends to a system file as root.
hosts_file_hint=(
  "Please run these commands to edit /etc/hosts, and then run this script again with the same options."
  " sudo bash -c \"echo '127.0.0.1 kind-registry.local' >> /etc/hosts\""
  "When you are finished with your Kind cluster, you can remove these lines from /etc/hosts."
)
for step in "${hosts_file_hint[@]}"; do
  log_note "$step"
done