ContainerImage.Pinniped/test/deploy/tools/cert-issuer.yaml

#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, patch, update, watch, delete]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
subjects:
  - kind: ServiceAccount
    name: cert-issuer
    namespace: tools
roleRef:
  kind: Role
  name: cert-issuer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
spec:
  template:
    spec:
      serviceAccountName: cert-issuer
      initContainers:
      - name: generate-certs
        image: #@ data.values.cfssl_image
        imagePullPolicy: IfNotPresent
        command: ["/bin/bash"]
        args:
        - -c
        - |
          cd /var/certs
          cfssl print-defaults config > /tmp/cfssl-default.json
          echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json

          echo "generating CA key..."
          cfssl genkey \
            -config /tmp/cfssl-default.json \
            -initca /tmp/csr.json \
            | cfssljson -bare ca

          echo "generating Dex server certificate..."
          cfssl gencert \
            -ca ca.pem -ca-key ca-key.pem \
            -config /tmp/cfssl-default.json \
            -profile www \
            -cn "dex.tools.svc.cluster.local" \
            -hostname "dex.tools.svc.cluster.local" \
            /tmp/csr.json \
            | cfssljson -bare dex

          # Cheat and add 127.0.0.1 as an IP SAN so we can use the ldaps port through port forwarding.
          # Also allow the server to be accessed by multiple Service names to different Services
          # can provide/hide different ports.
          echo "generating LDAP server certificate..."
          cfssl gencert \
            -ca ca.pem -ca-key ca-key.pem \
            -config /tmp/cfssl-default.json \
            -profile www \
            -cn "ldap.tools.svc.cluster.local" \
            -hostname "ldap.tools.svc.cluster.local,ldaps.tools.svc.cluster.local,ldapstarttls.tools.svc.cluster.local,127.0.0.1" \
            /tmp/csr.json \
            | cfssljson -bare ldap

          chmod -R 777 /var/certs

          echo
          echo "generated certificates:"
          ls -l /var/certs
          echo
          echo "CA cert..."
          cat ca.pem | openssl x509 -text
          echo
          echo "Dex cert..."
          cat dex.pem | openssl x509 -text
          echo
          echo "LDAP cert..."
          cat ldap.pem | openssl x509 -text
        volumeMounts:
        - name: certs
          mountPath: /var/certs
      containers:
      - name: save-certs
        image: #@ data.values.kubectl_image
        imagePullPolicy: IfNotPresent
        command: ["/bin/bash"]
        args:
        - -c
        - |
          kubectl create secret generic -n tools certs --from-file=/var/certs \
            --dry-run=client --output yaml | kubectl apply -f -
        volumeMounts:
        - name: certs
          mountPath: /var/certs
      volumes:
      - name: certs
        emptyDir: {}
      restartPolicy: Never
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`#! SPDX-License-Identifier: Apache-2.0`
Parameterize our test images in ytt. These are images we use for local and some CI testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-03 18:24:26 +00:00
			`#@ load("@ytt:data", "data")`

Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: cert-issuer`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`namespace: tools`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`labels:`
			`app: cert-issuer`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: cert-issuer`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`namespace: tools`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`labels:`
			`app: cert-issuer`
			`rules:`
			`- apiGroups: [""]`
			`resources: [secrets]`
			`verbs: [create, get, patch, update, watch, delete]`
			`---`
			`kind: RoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: cert-issuer`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`namespace: tools`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`labels:`
			`app: cert-issuer`
			`subjects:`
			`- kind: ServiceAccount`
			`name: cert-issuer`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`namespace: tools`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`roleRef:`
			`kind: Role`
			`name: cert-issuer`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: cert-issuer`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`namespace: tools`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`labels:`
			`app: cert-issuer`
			`spec:`
			`template:`
			`spec:`
			`serviceAccountName: cert-issuer`
			`initContainers:`
			`- name: generate-certs`
Parameterize our test images in ytt. These are images we use for local and some CI testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-03 18:24:26 +00:00			`image: #@ data.values.cfssl_image`
Switch to GHCR tools images for local tests, with `imagePullPolicy: IfNotPresent`. This is more consistent with our CI environment. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-07-21 14:17:24 +00:00			`imagePullPolicy: IfNotPresent`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`command: ["/bin/bash"]`
			`args:`
			`- -c`
			`- \|`
			`cd /var/certs`
			`cfssl print-defaults config > /tmp/cfssl-default.json`
			`echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json`

			`echo "generating CA key..."`
			`cfssl genkey \`
			`-config /tmp/cfssl-default.json \`
			`-initca /tmp/csr.json \`
			`\| cfssljson -bare ca`

			`echo "generating Dex server certificate..."`
			`cfssl gencert \`
			`-ca ca.pem -ca-key ca-key.pem \`
			`-config /tmp/cfssl-default.json \`
			`-profile www \`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`-cn "dex.tools.svc.cluster.local" \`
			`-hostname "dex.tools.svc.cluster.local" \`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`/tmp/csr.json \`
			`\| cfssljson -bare dex`

ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-15 00:49:40 +00:00			`# Cheat and add 127.0.0.1 as an IP SAN so we can use the ldaps port through port forwarding.`
Configure openldap to disallow non-TLS clients - For testing purposes, we would like to ensure that when we connect to the LDAP server we cannot accidentally avoid using TLS or StartTLS. - Also enabled the openldap `memberOf` overlay in case we want to support group search using `memberOf` in the future. - This required changes to the docker.io/bitnami/openldap container image, so we're using our own fork for now. Will submit a PR to bitnami/openldap to see if they will accept it (or something similar) upstream. 2021-05-18 23:38:12 +00:00			`# Also allow the server to be accessed by multiple Service names to different Services`
			`# can provide/hide different ports.`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`echo "generating LDAP server certificate..."`
			`cfssl gencert \`
			`-ca ca.pem -ca-key ca-key.pem \`
			`-config /tmp/cfssl-default.json \`
			`-profile www \`
			`-cn "ldap.tools.svc.cluster.local" \`
Configure openldap to disallow non-TLS clients - For testing purposes, we would like to ensure that when we connect to the LDAP server we cannot accidentally avoid using TLS or StartTLS. - Also enabled the openldap `memberOf` overlay in case we want to support group search using `memberOf` in the future. - This required changes to the docker.io/bitnami/openldap container image, so we're using our own fork for now. Will submit a PR to bitnami/openldap to see if they will accept it (or something similar) upstream. 2021-05-18 23:38:12 +00:00			`-hostname "ldap.tools.svc.cluster.local,ldaps.tools.svc.cluster.local,ldapstarttls.tools.svc.cluster.local,127.0.0.1" \`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`/tmp/csr.json \`
			`\| cfssljson -bare ldap`

Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`chmod -R 777 /var/certs`

ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-15 00:49:40 +00:00			`echo`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`echo "generated certificates:"`
			`ls -l /var/certs`
ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-15 00:49:40 +00:00			`echo`
			`echo "CA cert..."`
			`cat ca.pem \| openssl x509 -text`
			`echo`
			`echo "Dex cert..."`
			`cat dex.pem \| openssl x509 -text`
			`echo`
			`echo "LDAP cert..."`
			`cat ldap.pem \| openssl x509 -text`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`volumeMounts:`
			`- name: certs`
			`mountPath: /var/certs`
			`containers:`
			`- name: save-certs`
Parameterize our test images in ytt. These are images we use for local and some CI testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-03 18:24:26 +00:00			`image: #@ data.values.kubectl_image`
Switch to GHCR tools images for local tests, with `imagePullPolicy: IfNotPresent`. This is more consistent with our CI environment. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-07-21 14:17:24 +00:00			`imagePullPolicy: IfNotPresent`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`command: ["/bin/bash"]`
			`args:`
			`- -c`
			`- \|`
ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-15 00:49:40 +00:00			`kubectl create secret generic -n tools certs --from-file=/var/certs \`
			`--dry-run=client --output yaml \| kubectl apply -f -`
Refactor certificate generation for integration test Dex. Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this. Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 17:24:38 +00:00			`volumeMounts:`
			`- name: certs`
			`mountPath: /var/certs`
			`volumes:`
			`- name: certs`
			`emptyDir: {}`
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt - Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com> 2021-04-05 22:01:17 +00:00			`restartPolicy: Never`