2020-09-10 15:30:15 +00:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
2023-05-26 18:47:54 +00:00
|
|
|
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
2021-03-31 18:39:10 +00:00
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
#
|
2020-09-10 15:30:15 +00:00
|
|
|
# This script can be used to prepare a kind cluster and deploy the app.
|
|
|
|
# You can call this script again to redeploy the app.
|
2020-09-11 00:36:22 +00:00
|
|
|
# It will also output instructions on how to run the integration.
|
2021-03-31 18:39:10 +00:00
|
|
|
#
|
2020-09-10 15:30:15 +00:00
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
|
|
|
# Helper functions
|
|
|
|
#
|
2020-09-10 15:30:15 +00:00
|
|
|
function log_note() {
|
|
|
|
GREEN='\033[0;32m'
|
|
|
|
NC='\033[0m'
|
2020-10-14 23:58:43 +00:00
|
|
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
2020-09-10 20:37:25 +00:00
|
|
|
echo -e "${GREEN}$*${NC}"
|
2020-09-10 15:30:15 +00:00
|
|
|
else
|
2020-09-10 20:37:25 +00:00
|
|
|
echo "$*"
|
2020-09-10 15:30:15 +00:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
function log_error() {
|
|
|
|
RED='\033[0;31m'
|
|
|
|
NC='\033[0m'
|
2020-10-14 23:58:43 +00:00
|
|
|
if [[ ${COLORTERM:-unknown} =~ ^(truecolor|24bit)$ ]]; then
|
2020-09-10 20:37:25 +00:00
|
|
|
echo -e "🙁${RED} Error: $* ${NC}"
|
2020-09-10 15:30:15 +00:00
|
|
|
else
|
2020-09-10 20:37:25 +00:00
|
|
|
echo ":( Error: $*"
|
2020-09-10 15:30:15 +00:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2020-09-11 15:19:49 +00:00
|
|
|
function check_dependency() {
|
|
|
|
if ! command -v "$1" >/dev/null; then
|
|
|
|
log_error "Missing dependency..."
|
|
|
|
log_error "$2"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
|
|
|
# Handle argument parsing and help message
|
|
|
|
#
|
2020-09-10 15:30:15 +00:00
|
|
|
help=no
|
|
|
|
skip_build=no
|
2020-10-07 00:53:29 +00:00
|
|
|
clean_kind=no
|
2021-02-03 20:07:13 +00:00
|
|
|
api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
|
2022-03-29 23:58:41 +00:00
|
|
|
dockerfile_path=""
|
2021-07-22 17:13:38 +00:00
|
|
|
get_active_directory_vars="" # specify a filename for a script to get AD related env variables
|
2022-02-19 14:08:59 +00:00
|
|
|
alternate_deploy="undefined"
|
2023-08-31 19:02:24 +00:00
|
|
|
alternate_deploy_supervisor="undefined"
|
|
|
|
alternate_deploy_concierge="undefined"
|
|
|
|
alternate_deploy_local_user_authenticator="undefined"
|
|
|
|
|
|
|
|
# supported variable style:
|
|
|
|
# --dockerfile-path ./foo.sh
|
|
|
|
# unsupported variable style (using = will fail the script):
|
|
|
|
# --dockerfile-path=./foo.sh
|
2020-09-10 15:30:15 +00:00
|
|
|
while (("$#")); do
|
|
|
|
case "$1" in
|
|
|
|
-h | --help)
|
|
|
|
help=yes
|
|
|
|
shift
|
|
|
|
;;
|
|
|
|
-s | --skip-build)
|
|
|
|
skip_build=yes
|
|
|
|
shift
|
|
|
|
;;
|
2020-10-07 00:53:29 +00:00
|
|
|
-c | --clean)
|
|
|
|
clean_kind=yes
|
|
|
|
shift
|
|
|
|
;;
|
2021-02-03 20:07:13 +00:00
|
|
|
-g | --api-group-suffix)
|
|
|
|
shift
|
|
|
|
# If there are no more command line arguments, or there is another command line argument but it starts with a dash, then error
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "-g|--api-group-suffix requires a group name to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
api_group_suffix=$1
|
|
|
|
shift
|
|
|
|
;;
|
2023-08-31 19:02:24 +00:00
|
|
|
-a | --get-active-directory-vars)
|
2021-07-22 17:13:38 +00:00
|
|
|
shift
|
|
|
|
# If there are no more command line arguments, or there is another command line argument but it starts with a dash, then error
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
2021-07-26 23:03:12 +00:00
|
|
|
log_error "--get-active-directory-vars requires a script name to be specified"
|
2021-07-22 17:13:38 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
get_active_directory_vars=$1
|
2021-07-08 22:00:04 +00:00
|
|
|
shift
|
|
|
|
;;
|
2022-03-29 23:58:41 +00:00
|
|
|
--dockerfile-path)
|
|
|
|
shift
|
|
|
|
# If there are no more command line arguments, or there is another command line argument but it starts with a dash, then error
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "--dockerfile-path requires a script name to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
dockerfile_path=$1
|
|
|
|
shift
|
|
|
|
;;
|
2023-09-27 19:32:49 +00:00
|
|
|
--alternate-deploy)
|
2022-02-19 14:08:59 +00:00
|
|
|
shift
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "--alternate-deploy requires a script path to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
alternate_deploy=$1
|
|
|
|
shift
|
|
|
|
;;
|
2023-09-27 19:32:49 +00:00
|
|
|
--alternate-deploy-supervisor)
|
2023-08-31 19:02:24 +00:00
|
|
|
shift
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "--alternate-deploy-supervisor requires a script path to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
alternate_deploy_supervisor=$1
|
|
|
|
shift
|
|
|
|
;;
|
2023-09-27 19:32:49 +00:00
|
|
|
--alternate-deploy-concierge)
|
2023-08-31 19:02:24 +00:00
|
|
|
shift
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "--alternate-deploy-concierge requires a script path to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
alternate_deploy_concierge=$1
|
|
|
|
shift
|
|
|
|
;;
|
2023-09-27 19:32:49 +00:00
|
|
|
--alternate-deploy-local-user-authenticator)
|
2023-08-31 19:02:24 +00:00
|
|
|
shift
|
|
|
|
if [[ "$#" == "0" || "$1" == -* ]]; then
|
|
|
|
log_error "--alternate-deploy-local-user-authenticator requires a script path to be specified"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
alternate_deploy_local_user_authenticator=$1
|
|
|
|
shift
|
|
|
|
;;
|
2020-09-10 15:30:15 +00:00
|
|
|
-*)
|
|
|
|
log_error "Unsupported flag $1" >&2
|
2021-10-26 23:25:34 +00:00
|
|
|
if [[ "$1" == *"active-directory"* ]]; then
|
|
|
|
log_error "Did you mean --get-active-directory-vars?"
|
|
|
|
fi
|
2020-09-10 15:30:15 +00:00
|
|
|
exit 1
|
|
|
|
;;
|
|
|
|
*)
|
2020-09-11 15:19:49 +00:00
|
|
|
log_error "Unsupported positional arg $1" >&2
|
|
|
|
exit 1
|
2020-09-10 15:30:15 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
|
|
|
|
if [[ "$help" == "yes" ]]; then
|
|
|
|
me="$(basename "${BASH_SOURCE[0]}")"
|
2020-09-11 15:19:49 +00:00
|
|
|
log_note "Usage:"
|
|
|
|
log_note " $me [flags]"
|
|
|
|
log_note
|
|
|
|
log_note "Flags:"
|
2023-08-31 19:02:24 +00:00
|
|
|
log_note " -h, --help: print this usage"
|
|
|
|
log_note " -c, --clean: destroy the current kind cluster and make a new one"
|
|
|
|
log_note " -g, --api-group-suffix: deploy Pinniped with an alternate API group suffix"
|
|
|
|
log_note " -s, --skip-build: reuse the most recently built image of the app instead of building"
|
|
|
|
log_note " -a, --get-active-directory-vars: specify a script that exports active directory environment variables"
|
2023-09-27 19:32:49 +00:00
|
|
|
log_note " --alternate-deploy: specify an alternate deploy script to install all components of Pinniped"
|
|
|
|
log_note " --alternate-deploy-supervisor: specify an alternate deploy script to install Pinniped Supervisor"
|
|
|
|
log_note " --alternate-deploy-concierge: specify an alternate deploy script to install Pinniped Concierge"
|
|
|
|
log_note " --alternate-deploy-local-user-authenticator: specify an alternate deploy script to install Pinniped local-user-authenticator"
|
2020-09-10 15:30:15 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2020-09-11 15:19:49 +00:00
|
|
|
pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
|
|
cd "$pinniped_path" || exit 1
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
|
|
|
# Check for dependencies
|
|
|
|
#
|
2020-09-11 15:19:49 +00:00
|
|
|
check_dependency docker "Please install docker. See https://docs.docker.com/get-docker"
|
|
|
|
check_dependency kind "Please install kind. e.g. 'brew install kind' for MacOS"
|
2022-04-05 14:43:22 +00:00
|
|
|
check_dependency ytt "Please install ytt. e.g. 'brew tap vmware-tanzu/carvel && brew install ytt' for MacOS"
|
|
|
|
check_dependency kapp "Please install kapp. e.g. 'brew tap vmware-tanzu/carvel && brew install kapp' for MacOS"
|
2020-09-11 15:19:49 +00:00
|
|
|
check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS"
|
|
|
|
check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux."
|
2021-03-18 18:20:33 +00:00
|
|
|
check_dependency openssl "Please install openssl. Should be pre-installed on MacOS."
|
2021-10-20 11:59:24 +00:00
|
|
|
check_dependency nmap "Please install nmap. e.g. 'brew install nmap' for MacOS"
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2023-08-28 21:57:43 +00:00
|
|
|
# Require kubectl >= 1.21.x.
|
|
|
|
if [ "$(kubectl version --client=true -o=json | grep gitVersion | cut -d '.' -f 2)" -lt 21 ]; then
|
|
|
|
log_error "kubectl >= 1.21.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"
|
2020-09-13 17:22:27 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2021-10-20 11:59:24 +00:00
|
|
|
# Require nmap >= 7.92.x
|
|
|
|
if [ "$(nmap -V | grep 'Nmap version' | cut -d ' ' -f 3 | cut -d '.' -f 2)" -lt 92 ]; then
|
|
|
|
log_error "nmap >= 7.92.x is required, you have $(nmap -V | grep 'Nmap version' | cut -d ' ' -f 3)"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
if [[ "$clean_kind" == "yes" ]]; then
|
|
|
|
log_note "Deleting running kind cluster to prepare from a clean slate..."
|
|
|
|
./hack/kind-down.sh
|
|
|
|
fi
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
#
|
|
|
|
# Setup kind and build the app
|
|
|
|
#
|
|
|
|
log_note "Checking for running kind cluster..."
|
|
|
|
if ! kind get clusters | grep -q -e '^pinniped$'; then
|
|
|
|
log_note "Creating a kind cluster..."
|
2022-03-29 00:03:23 +00:00
|
|
|
# Our kind config exposes node port 31243 as 127.0.0.1:12344 and 31235 as 127.0.0.1:12346
|
2021-04-05 22:01:17 +00:00
|
|
|
./hack/kind-up.sh
|
|
|
|
else
|
|
|
|
if ! kubectl cluster-info | grep -E '(master|control plane)' | grep -q 127.0.0.1; then
|
|
|
|
log_error "Seems like your kubeconfig is not targeting a local cluster."
|
|
|
|
log_error "Exiting to avoid accidentally running tests against a real cluster."
|
|
|
|
exit 1
|
2020-09-10 15:30:15 +00:00
|
|
|
fi
|
2021-04-05 22:01:17 +00:00
|
|
|
fi
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2023-09-28 18:48:06 +00:00
|
|
|
# NOW CHANGE THIS SO WE PUSH TO THE REGISTRY?
|
|
|
|
# registry="pinniped.local"
|
|
|
|
registry="kind-registry.local:5000"
|
2021-04-05 22:01:17 +00:00
|
|
|
repo="test/build"
|
2023-09-28 18:48:06 +00:00
|
|
|
# TODO: can we force HTTP here? HTTPS is problematic.
|
2021-04-05 22:01:17 +00:00
|
|
|
registry_repo="$registry/$repo"
|
|
|
|
tag=$(uuidgen) # always a new tag to force K8s to reload the image on redeploy
|
|
|
|
|
|
|
|
if [[ "$skip_build" == "yes" ]]; then
|
|
|
|
most_recent_tag=$(docker images "$registry/$repo" --format "{{.Tag}}" | head -1)
|
|
|
|
if [[ -n "$most_recent_tag" ]]; then
|
|
|
|
tag="$most_recent_tag"
|
|
|
|
do_build=no
|
2020-09-10 15:30:15 +00:00
|
|
|
else
|
2021-04-05 22:01:17 +00:00
|
|
|
# Oops, there was no previous build. Need to build anyway.
|
2020-09-10 15:30:15 +00:00
|
|
|
do_build=yes
|
|
|
|
fi
|
2021-04-05 22:01:17 +00:00
|
|
|
else
|
|
|
|
do_build=yes
|
|
|
|
fi
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
registry_repo_tag="${registry_repo}:${tag}"
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
if [[ "$do_build" == "yes" ]]; then
|
|
|
|
# Rebuild the code
|
2023-08-30 00:58:23 +00:00
|
|
|
testing_version="${KUBE_GIT_VERSION:-}"
|
2022-03-29 23:58:41 +00:00
|
|
|
if [[ "$dockerfile_path" != "" ]]; then
|
2023-08-30 00:58:23 +00:00
|
|
|
log_note "Docker building the app with dockerfile $dockerfile_path and KUBE_GIT_VERSION='$testing_version'"
|
2023-08-29 22:31:22 +00:00
|
|
|
DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag" --file "$dockerfile_path" --build-arg "KUBE_GIT_VERSION=$testing_version"
|
2022-03-29 23:58:41 +00:00
|
|
|
else
|
2023-08-30 00:58:23 +00:00
|
|
|
log_note "Docker building the app with KUBE_GIT_VERSION='$testing_version'"
|
2022-03-29 23:58:41 +00:00
|
|
|
# DOCKER_BUILDKIT=1 is optional on MacOS but required on linux.
|
2023-08-29 22:31:22 +00:00
|
|
|
DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag" --build-arg "KUBE_GIT_VERSION=$testing_version"
|
2022-03-29 23:58:41 +00:00
|
|
|
fi
|
2021-04-05 22:01:17 +00:00
|
|
|
fi
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
# Load it into the cluster
|
2023-09-28 18:48:06 +00:00
|
|
|
log_note "Loading the app's container image into the local registry ($registry)..."
|
|
|
|
# TODO: now we don't want to direct load anymore, we want to docker push to our new local registry.
|
|
|
|
# and then be sure that it pulls?
|
|
|
|
# kind load docker-image "$registry_repo_tag" --name pinniped
|
|
|
|
docker push "$registry_repo_tag"
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
#
|
|
|
|
# Deploy local-user-authenticator
|
|
|
|
#
|
2022-02-19 14:08:59 +00:00
|
|
|
manifest=/tmp/pinniped-local-user-authenticator.yaml
|
2020-09-11 00:36:22 +00:00
|
|
|
|
2023-08-31 19:02:24 +00:00
|
|
|
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
|
|
|
|
if [ "$alternate_deploy" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
|
|
|
|
$alternate_deploy local-user-authenticator $tag
|
|
|
|
fi
|
|
|
|
if [ "$alternate_deploy_local_user_authenticator" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy_local_user_authenticator local-user-authenticator $tag..."
|
|
|
|
$alternate_deploy_local_user_authenticator local-user-authenticator $tag
|
|
|
|
fi
|
2022-02-19 14:08:59 +00:00
|
|
|
else
|
|
|
|
log_note "Deploying the local-user-authenticator app to the cluster using kapp..."
|
2023-08-31 19:02:24 +00:00
|
|
|
pushd deploy/local-user-authenticator >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
ytt --file . \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value "image_repo=$registry_repo" \
|
|
|
|
--data-value "image_tag=$tag" >"$manifest"
|
2022-02-19 14:08:59 +00:00
|
|
|
|
|
|
|
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
|
|
|
|
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
2023-08-31 19:02:24 +00:00
|
|
|
popd >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
fi
|
2020-09-11 00:36:22 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
#
|
|
|
|
# Deploy Tools
|
|
|
|
#
|
2022-02-19 14:08:59 +00:00
|
|
|
manifest=/tmp/pinniped-tools.yaml
|
2021-04-05 22:01:17 +00:00
|
|
|
dex_test_password="$(openssl rand -hex 16)"
|
|
|
|
ldap_test_password="$(openssl rand -hex 16)"
|
|
|
|
pushd test/deploy/tools >/dev/null
|
2020-10-13 21:09:13 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
log_note "Deploying Tools to the cluster..."
|
|
|
|
ytt --file . \
|
|
|
|
--data-value-yaml "supervisor_redirect_uris=[https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback]" \
|
|
|
|
--data-value "pinny_ldap_password=$ldap_test_password" \
|
|
|
|
--data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \
|
|
|
|
>"$manifest"
|
2020-12-03 18:45:56 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
kapp deploy --yes --app tools --diff-changes --file "$manifest"
|
2021-09-02 21:53:49 +00:00
|
|
|
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
2020-10-13 21:09:13 +00:00
|
|
|
|
2021-04-05 22:01:17 +00:00
|
|
|
popd >/dev/null
|
2020-09-11 00:36:22 +00:00
|
|
|
|
|
|
|
test_username="test-username"
|
|
|
|
test_groups="test-group-0,test-group-1"
|
2021-03-18 18:20:33 +00:00
|
|
|
test_password="$(openssl rand -hex 16)"
|
2020-09-11 14:09:13 +00:00
|
|
|
log_note "Creating test user '$test_username'..."
|
2020-09-11 00:36:22 +00:00
|
|
|
kubectl create secret generic "$test_username" \
|
|
|
|
--namespace local-user-authenticator \
|
|
|
|
--from-literal=groups="$test_groups" \
|
|
|
|
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
|
|
|
|
--dry-run=client \
|
|
|
|
--output yaml |
|
|
|
|
kubectl apply -f -
|
|
|
|
|
2020-10-06 00:28:19 +00:00
|
|
|
#
|
|
|
|
# Deploy the Pinniped Supervisor
|
|
|
|
#
|
2022-02-19 14:08:59 +00:00
|
|
|
manifest=/tmp/pinniped-supervisor.yaml
|
2020-10-07 00:53:29 +00:00
|
|
|
supervisor_app_name="pinniped-supervisor"
|
2020-10-09 23:00:11 +00:00
|
|
|
supervisor_namespace="supervisor"
|
2020-10-15 17:14:23 +00:00
|
|
|
supervisor_custom_labels="{mySupervisorCustomLabelName: mySupervisorCustomLabelValue}"
|
2022-02-19 14:08:59 +00:00
|
|
|
log_level="debug"
|
|
|
|
service_https_nodeport_port="443"
|
|
|
|
service_https_nodeport_nodeport="31243"
|
|
|
|
service_https_clusterip_port="443"
|
|
|
|
|
2023-08-31 19:02:24 +00:00
|
|
|
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_supervisor" != "undefined" ] ; then
|
|
|
|
if [ "$alternate_deploy" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
|
|
|
|
$alternate_deploy pinniped-supervisor $tag
|
|
|
|
fi
|
|
|
|
if [ "$alternate_deploy_supervisor" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped Supervisor will be deployed with $alternate_deploy_supervisor pinniped-supervisor $tag..."
|
|
|
|
$alternate_deploy_supervisor pinniped-supervisor $tag
|
|
|
|
fi
|
2022-02-19 14:08:59 +00:00
|
|
|
else
|
|
|
|
log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
|
2023-08-31 19:02:24 +00:00
|
|
|
pushd deploy/supervisor >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
ytt --file . \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value "app_name=$supervisor_app_name" \
|
|
|
|
--data-value "namespace=$supervisor_namespace" \
|
2022-02-19 14:08:59 +00:00
|
|
|
--data-value "api_group_suffix=$api_group_suffix" \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value "image_repo=$registry_repo" \
|
|
|
|
--data-value "image_tag=$tag" \
|
2022-02-19 14:08:59 +00:00
|
|
|
--data-value "log_level=$log_level" \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value-yaml "custom_labels=$supervisor_custom_labels" \
|
2022-02-19 14:08:59 +00:00
|
|
|
--data-value-yaml "service_https_nodeport_port=$service_https_nodeport_port" \
|
|
|
|
--data-value-yaml "service_https_nodeport_nodeport=$service_https_nodeport_nodeport" \
|
|
|
|
--data-value-yaml "service_https_clusterip_port=$service_https_clusterip_port" \
|
|
|
|
>"$manifest"
|
|
|
|
|
|
|
|
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
|
|
|
|
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
2023-08-31 19:02:24 +00:00
|
|
|
popd >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
fi
|
2021-04-05 22:01:17 +00:00
|
|
|
|
2020-10-06 00:28:19 +00:00
|
|
|
#
|
2020-10-15 17:14:23 +00:00
|
|
|
# Deploy the Pinniped Concierge
|
2020-10-06 00:28:19 +00:00
|
|
|
#
|
2022-02-19 14:08:59 +00:00
|
|
|
manifest=/tmp/pinniped-concierge.yaml
|
2020-10-09 21:25:34 +00:00
|
|
|
concierge_app_name="pinniped-concierge"
|
2020-10-09 23:00:11 +00:00
|
|
|
concierge_namespace="concierge"
|
2020-09-11 00:36:22 +00:00
|
|
|
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
|
2020-12-09 14:50:50 +00:00
|
|
|
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
|
2020-10-15 17:14:23 +00:00
|
|
|
concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
|
2022-02-25 16:26:53 +00:00
|
|
|
log_level="debug"
|
2020-09-11 00:36:22 +00:00
|
|
|
|
2023-08-31 19:02:24 +00:00
|
|
|
if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" != "undefined" ] ; then
|
|
|
|
if [ "$alternate_deploy" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
|
|
|
|
$alternate_deploy pinniped-concierge $tag
|
|
|
|
fi
|
|
|
|
if [ "$alternate_deploy_concierge" != "undefined" ]; then
|
|
|
|
log_note "The Pinniped Concierge will be deployed with $alternate_deploy_concierge pinniped-concierge $tag..."
|
|
|
|
$alternate_deploy_concierge pinniped-concierge $tag
|
|
|
|
fi
|
2022-02-19 14:08:59 +00:00
|
|
|
else
|
|
|
|
log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
|
2023-08-31 19:02:24 +00:00
|
|
|
pushd deploy/concierge >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
ytt --file . \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value "app_name=$concierge_app_name" \
|
|
|
|
--data-value "namespace=$concierge_namespace" \
|
2022-02-19 14:08:59 +00:00
|
|
|
--data-value "api_group_suffix=$api_group_suffix" \
|
|
|
|
--data-value "log_level=$log_level" \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value-yaml "custom_labels=$concierge_custom_labels" \
|
2022-03-10 14:08:40 +00:00
|
|
|
--data-value "image_repo=$registry_repo" \
|
2022-02-25 16:26:53 +00:00
|
|
|
--data-value "image_tag=$tag" \
|
2022-02-19 14:08:59 +00:00
|
|
|
--data-value "discovery_url=$discovery_url" >"$manifest"
|
|
|
|
|
|
|
|
kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
|
|
|
|
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
|
2023-08-31 19:02:24 +00:00
|
|
|
popd >/dev/null
|
2022-02-19 14:08:59 +00:00
|
|
|
fi
|
2020-09-11 00:36:22 +00:00
|
|
|
|
2020-11-16 20:04:08 +00:00
|
|
|
#
|
|
|
|
# Download the test CA bundle that was generated in the Dex pod.
|
2021-04-27 17:10:02 +00:00
|
|
|
# Note that this returns a base64 encoded value.
|
2020-11-16 20:04:08 +00:00
|
|
|
#
|
2021-04-27 17:10:02 +00:00
|
|
|
test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index .data "ca.pem"}}')"
|
2020-11-16 20:04:08 +00:00
|
|
|
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
2021-04-15 00:26:12 +00:00
|
|
|
# Create the environment file.
|
|
|
|
#
|
|
|
|
# Note that all values should not contains newlines, except for PINNIPED_TEST_CLUSTER_CAPABILITY_YAML,
|
|
|
|
# so that the environment can also be used in tools like GoLand. Therefore, multi-line values,
|
|
|
|
# such as PEM-formatted certificates, should be base64 encoded.
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
|
|
|
kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml"
|
|
|
|
pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
|
|
|
|
|
|
|
|
cat <<EOF >/tmp/integration-test-env
|
2021-03-03 20:08:40 +00:00
|
|
|
# The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration'
|
2021-04-15 00:26:12 +00:00
|
|
|
export PINNIPED_TEST_TOOLS_NAMESPACE="tools"
|
2020-10-09 21:25:34 +00:00
|
|
|
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
|
|
|
|
export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
|
2020-10-15 17:14:23 +00:00
|
|
|
export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}'
|
2020-09-11 00:10:27 +00:00
|
|
|
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
|
|
|
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
|
|
|
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
2020-09-22 00:55:04 +00:00
|
|
|
export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
|
|
|
|
export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
|
2020-10-09 17:11:47 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace}
|
|
|
|
export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name}
|
2020-10-15 17:14:23 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
|
2020-10-27 21:57:25 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
|
2020-11-16 16:40:18 +00:00
|
|
|
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
|
2021-04-15 00:26:12 +00:00
|
|
|
export PINNIPED_TEST_LDAP_HOST=ldap.tools.svc.cluster.local
|
2021-05-20 20:39:48 +00:00
|
|
|
export PINNIPED_TEST_LDAP_STARTTLS_ONLY_HOST=ldapstarttls.tools.svc.cluster.local
|
2021-04-27 17:10:02 +00:00
|
|
|
export PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE="${test_ca_bundle_pem}"
|
2021-04-05 22:01:17 +00:00
|
|
|
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME="cn=admin,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD=password
|
|
|
|
export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE="ou=users,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE="ou=groups,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_USER_DN="cn=pinny,ou=users,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_USER_CN="pinny"
|
|
|
|
export PINNIPED_TEST_LDAP_USER_PASSWORD=${ldap_test_password}
|
2021-04-15 00:26:12 +00:00
|
|
|
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME="uidNumber"
|
|
|
|
export PINNIPED_TEST_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE="1000"
|
2021-04-05 22:01:17 +00:00
|
|
|
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_NAME="mail"
|
|
|
|
export PINNIPED_TEST_LDAP_USER_EMAIL_ATTRIBUTE_VALUE="pinny.ldap@example.com"
|
|
|
|
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_DN="cn=ball-game-players,ou=beach-groups,ou=groups,dc=pinniped,dc=dev;cn=seals,ou=groups,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_DN="cn=pinnipeds,ou=groups,dc=pinniped,dc=dev;cn=mammals,ou=groups,dc=pinniped,dc=dev"
|
|
|
|
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_GROUPS_CN="ball-game-players;seals"
|
2023-05-26 18:47:54 +00:00
|
|
|
export PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN="ball-game-players-posix;seals-posix"
|
2021-04-05 22:01:17 +00:00
|
|
|
export PINNIPED_TEST_LDAP_EXPECTED_INDIRECT_GROUPS_CN="pinnipeds;mammals"
|
|
|
|
export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
|
2021-04-27 17:10:02 +00:00
|
|
|
export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
|
2020-10-13 21:09:13 +00:00
|
|
|
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
|
2020-11-19 21:05:31 +00:00
|
|
|
export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback
|
2020-10-13 21:09:13 +00:00
|
|
|
export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
|
2021-03-25 22:12:17 +00:00
|
|
|
export PINNIPED_TEST_CLI_OIDC_PASSWORD=${dex_test_password}
|
2021-04-05 22:01:17 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.tools.svc.cluster.local/dex
|
2021-04-27 17:10:02 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
|
2021-10-19 19:25:51 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES="offline_access,email"
|
2021-01-11 19:58:07 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM=email
|
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM=groups
|
2020-11-19 21:05:31 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor
|
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret
|
2020-12-02 16:47:01 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
|
2020-11-19 21:05:31 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com
|
2021-03-25 22:12:17 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=${dex_test_password}
|
2021-01-11 19:58:07 +00:00
|
|
|
export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups.
|
2021-02-03 20:07:13 +00:00
|
|
|
export PINNIPED_TEST_API_GROUP_SUFFIX='${api_group_suffix}'
|
2021-08-25 22:12:07 +00:00
|
|
|
# PINNIPED_TEST_SHELL_CONTAINER_IMAGE should be a container which includes bash and sleep, used by some tests.
|
|
|
|
export PINNIPED_TEST_SHELL_CONTAINER_IMAGE="ghcr.io/pinniped-ci-bot/test-kubectl:latest"
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2021-07-22 17:13:38 +00:00
|
|
|
# We can't set up an in-cluster active directory instance, but
|
|
|
|
# if you have an active directory instance that you wish to run the tests against,
|
|
|
|
# specify a script to set the ad-related environment variables.
|
|
|
|
# You will need to set the environment variables that start with "PINNIPED_TEST_AD_"
|
|
|
|
# found in pinniped/test/testlib/env.go.
|
|
|
|
if [[ "$get_active_directory_vars" != "" ]]; then
|
|
|
|
source $get_active_directory_vars
|
2021-07-08 22:00:04 +00:00
|
|
|
fi
|
|
|
|
|
2020-10-09 17:11:47 +00:00
|
|
|
read -r -d '' PINNIPED_TEST_CLUSTER_CAPABILITY_YAML << PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF || true
|
2020-09-10 15:30:15 +00:00
|
|
|
${pinniped_cluster_capability_file_content}
|
2020-10-09 17:11:47 +00:00
|
|
|
PINNIPED_TEST_CLUSTER_CAPABILITY_YAML_EOF
|
2020-09-10 15:30:15 +00:00
|
|
|
|
2020-10-09 17:11:47 +00:00
|
|
|
export PINNIPED_TEST_CLUSTER_CAPABILITY_YAML
|
2020-09-10 15:30:15 +00:00
|
|
|
EOF
|
|
|
|
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
2021-04-15 00:26:12 +00:00
|
|
|
# Print instructions for next steps.
|
2020-09-11 00:36:22 +00:00
|
|
|
#
|
|
|
|
log_note
|
2020-09-11 15:19:49 +00:00
|
|
|
log_note "🚀 Ready to run integration tests! For example..."
|
2020-09-11 00:36:22 +00:00
|
|
|
log_note " cd $pinniped_path"
|
2022-02-15 19:19:49 +00:00
|
|
|
log_note " ulimit -n 512"
|
2021-03-03 20:08:40 +00:00
|
|
|
log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
|
2020-09-11 00:36:22 +00:00
|
|
|
log_note
|
2021-04-15 00:26:12 +00:00
|
|
|
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."
|
|
|
|
log_note " hack/integration-test-env-goland.sh | pbcopy"
|
2020-09-11 00:36:22 +00:00
|
|
|
log_note
|
2021-04-05 22:01:17 +00:00
|
|
|
log_note "You can rerun this script to redeploy local production code changes while you are working."
|
|
|
|
log_note
|
|
|
|
log_note "To delete the deployments, run:"
|
|
|
|
log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
|
|
|
|
log_note "When you're finished, use './hack/kind-down.sh' to tear down the cluster."
|
2023-09-28 18:48:06 +00:00
|
|
|
log_note
|
|
|
|
# TODO: come back and check the /etc/hosts file for the existence of
|
|
|
|
# the correct lines, just like is done in prepare-supervisor-on-kind.sh
|
|
|
|
log_note "Please run these commands to edit /etc/hosts, and then run this script again with the same options."
|
|
|
|
log_note " sudo bash -c \"echo '127.0.0.1 kind-registry.local' >> /etc/hosts\""
|
|
|
|
log_note "When you are finished with your Kind cluster, you can remove these lines from /etc/hosts."
|