ContainerImage.Pinniped/hack/prepare-impersonator-on-kind.sh

#!/usr/bin/env bash

# A script to perform the setup required to manually test using the impersonation proxy on a kind cluster.
# Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.

set -euo pipefail

# The name of the namespace in which the concierge is installed.
CONCIERGE_NAMESPACE=concierge
# The name of the concierge app's Deployment.
CONCIERGE_DEPLOYMENT=pinniped-concierge
# The namespace in which the local-user-authenticator app is installed.
LOCAL_USER_AUTHENTICATOR_NAMESPACE=local-user-authenticator
# The port on which the impersonation proxy runs in the concierge pods.
IMPERSONATION_PROXY_PORT=8444
# The port that we will use to access the impersonator from outside the cluster via `kubectl port-forward`.
LOCAL_PORT=8777
LOCAL_HOST="127.0.0.1:${LOCAL_PORT}"

# Change working directory to the top of the repo.
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$ROOT"

# Build the CLI for use later in the script.
go build ./cmd/pinniped

# Create a test user and password.
if ! kubectl get secret pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE; then
  kubectl create secret generic pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
    --from-literal=groups=group1,group2 \
    --from-literal=passwordHash="$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")"
fi

# Get the CA of the local-user-authenticator.
LOCAL_USER_AUTHENTICATOR_CA=$(kubectl get secret local-user-authenticator-tls-serving-certificate \
  --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
  -o jsonpath=\{.data.caCertificate\})

# Create a WebhookAuthenticator which points at the local-user-authenticator.
cat <<EOF | kubectl apply -f -
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: WebhookAuthenticator
metadata:
  name: local-user-authenticator
spec:
  endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
  tls:
    certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
EOF

# Create an RBAC rule to allow the test user to do most things.
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name:  pinny-the-seal-can-edit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: User
  name: pinny-the-seal
EOF

# Create a configmap to enable the impersonation proxy and set the endpoint to match the
# host and port that we will use the access the impersonation proxy (via the port-forwarded port).
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: pinniped-concierge-impersonation-proxy-config
  namespace: $CONCIERGE_NAMESPACE
data:
  config.yaml: |
    endpoint: ${LOCAL_HOST}
    mode: enabled
EOF

# Wait for the CredentialIssuer's impersonator status to update to be successful.
while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o json |
  jq '.status.strategies[] | select((.type=="ImpersonationProxy") and (.status=="Success"))')" ]]; do
  echo "Waiting for a successful ImpersonationProxy strategy on CredentialIssuer..."
  sleep 2
done
echo "Impersonator is available on https://${LOCAL_HOST}"

# Make the impersonation proxy's port from the inside the cluster available locally.
kubectl port-forward -n $CONCIERGE_NAMESPACE deployment/$CONCIERGE_DEPLOYMENT ${LOCAL_PORT}:${IMPERSONATION_PROXY_PORT} &
port_forward_pid=$!

# Kill the kubectl port-forward command whenever the script is control-c cancelled or otherwise ends.
function cleanup() {
  echo
  echo "Cleaning up cluster resources..."
  kubectl delete secret -n $LOCAL_USER_AUTHENTICATOR_NAMESPACE pinny-the-seal
  kubectl delete configmap -n $CONCIERGE_NAMESPACE pinniped-concierge-impersonation-proxy-config
  kubectl delete clusterrolebinding pinny-the-seal-can-edit
  kubectl delete webhookauthenticator local-user-authenticator
  echo "Stopping kubectl port-forward and exiting..."
  # It may have already shut down, so ignore errors.
  kill -9 $port_forward_pid &> /dev/null || true
}
trap cleanup EXIT

# Get a working kubeconfig that will send requests through the impersonation proxy.
./pinniped get kubeconfig \
  --static-token "pinny-the-seal:password123" \
  --concierge-mode ImpersonationProxy >/tmp/kubeconfig

echo
echo 'Ready. In another tab, use "kubectl --kubeconfig /tmp/kubeconfig <cmd>" to make requests through the impersonation proxy.'
echo "When done, cancel with ctrl-C to clean up."
wait $port_forward_pid
Add prepare-impersonator-on-kind.sh for manually starting impersonator It takes a lot of manual steps to get ready to manually test the impersonation proxy on a kind cluster, which makes it error prone, so encapsulate them into a script to make it easier. 2021-03-15 23:08:42 +00:00			`#!/usr/bin/env bash`

			`# A script to perform the setup required to manually test using the impersonation proxy on a kind cluster.`
			`# Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.`

			`set -euo pipefail`

			`# The name of the namespace in which the concierge is installed.`
			`CONCIERGE_NAMESPACE=concierge`
			`# The name of the concierge app's Deployment.`
			`CONCIERGE_DEPLOYMENT=pinniped-concierge`
			`# The namespace in which the local-user-authenticator app is installed.`
			`LOCAL_USER_AUTHENTICATOR_NAMESPACE=local-user-authenticator`
			`# The port on which the impersonation proxy runs in the concierge pods.`
			`IMPERSONATION_PROXY_PORT=8444`
			# The port that we will use to access the impersonator from outside the cluster via `kubectl port-forward`.
			`LOCAL_PORT=8777`
			`LOCAL_HOST="127.0.0.1:${LOCAL_PORT}"`

			`# Change working directory to the top of the repo.`
			`ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"`
			`cd "$ROOT"`

			`# Build the CLI for use later in the script.`
			`go build ./cmd/pinniped`

			`# Create a test user and password.`
			`if ! kubectl get secret pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE; then`
			`kubectl create secret generic pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \`
			`--from-literal=groups=group1,group2 \`
			`--from-literal=passwordHash="$(htpasswd -nbBC 10 x password123 \| sed -e "s/^x://")"`
			`fi`

			`# Get the CA of the local-user-authenticator.`
			`LOCAL_USER_AUTHENTICATOR_CA=$(kubectl get secret local-user-authenticator-tls-serving-certificate \`
			`--namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \`
			`-o jsonpath=\{.data.caCertificate\})`

			`# Create a WebhookAuthenticator which points at the local-user-authenticator.`
			`cat <<EOF \| kubectl apply -f -`
			`apiVersion: authentication.concierge.pinniped.dev/v1alpha1`
			`kind: WebhookAuthenticator`
			`metadata:`
			`name: local-user-authenticator`
			`spec:`
			`endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate`
			`tls:`
			`certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA`
			`EOF`

			`# Create an RBAC rule to allow the test user to do most things.`
			`cat <<EOF \| kubectl apply -f -`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: pinny-the-seal-can-edit`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: edit`
			`subjects:`
			`- kind: User`
			`name: pinny-the-seal`
			`EOF`

			`# Create a configmap to enable the impersonation proxy and set the endpoint to match the`
			`# host and port that we will use the access the impersonation proxy (via the port-forwarded port).`
			`cat <<EOF \| kubectl apply -f -`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: pinniped-concierge-impersonation-proxy-config`
			`namespace: $CONCIERGE_NAMESPACE`
			`data:`
			`config.yaml: \|`
			`endpoint: ${LOCAL_HOST}`
			`mode: enabled`
			`EOF`

			`# Wait for the CredentialIssuer's impersonator status to update to be successful.`
			`while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o json \|`
			`jq '.status.strategies[] \| select((.type=="ImpersonationProxy") and (.status=="Success"))')" ]]; do`
			`echo "Waiting for a successful ImpersonationProxy strategy on CredentialIssuer..."`
			`sleep 2`
			`done`
			`echo "Impersonator is available on https://${LOCAL_HOST}"`

			`# Make the impersonation proxy's port from the inside the cluster available locally.`
			`kubectl port-forward -n $CONCIERGE_NAMESPACE deployment/$CONCIERGE_DEPLOYMENT ${LOCAL_PORT}:${IMPERSONATION_PROXY_PORT} &`
			`port_forward_pid=$!`

			`# Kill the kubectl port-forward command whenever the script is control-c cancelled or otherwise ends.`
			`function cleanup() {`
			`echo`
			`echo "Cleaning up cluster resources..."`
			`kubectl delete secret -n $LOCAL_USER_AUTHENTICATOR_NAMESPACE pinny-the-seal`
			`kubectl delete configmap -n $CONCIERGE_NAMESPACE pinniped-concierge-impersonation-proxy-config`
			`kubectl delete clusterrolebinding pinny-the-seal-can-edit`
			`kubectl delete webhookauthenticator local-user-authenticator`
			`echo "Stopping kubectl port-forward and exiting..."`
			`# It may have already shut down, so ignore errors.`
			`kill -9 $port_forward_pid &> /dev/null \|\| true`
			`}`
			`trap cleanup EXIT`

			`# Get a working kubeconfig that will send requests through the impersonation proxy.`
			`./pinniped get kubeconfig \`
			`--static-token "pinny-the-seal:password123" \`
			`--concierge-mode ImpersonationProxy >/tmp/kubeconfig`

			`echo`
			`echo 'Ready. In another tab, use "kubectl --kubeconfig /tmp/kubeconfig <cmd>" to make requests through the impersonation proxy.'`
			`echo "When done, cancel with ctrl-C to clean up."`
			`wait $port_forward_pid`