djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #151 from vmware-tanzu/demo-screencast

Browse Source 
Add demo screencast and do some cleanup in demo.md
This commit is contained in:
Ryan Richard 2020-10-06 17:07:27 -07:00 committed by GitHub
commit 044b5c4d46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
doc/demo.md
View File

@ -9,17 +9,15 @@
1. An identity provider of a type supported by Pinniped as described in [doc/architecture.md](../doc/architecture.md). 1. An identity provider of a type supported by Pinniped as described in [doc/architecture.md](../doc/architecture.md).
Don't have an identity provider of a type supported by Pinniped handy? Don't have an identity provider of a type supported by Pinniped handy? No problem, there is a demo identity provider
Start by installing `local-user-authenticator` on the same cluster where you would like to try Pinniped available. Start by installing local-user-authenticator on the same cluster where you would like to try Pinniped
by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md). by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md).
See below for an example of deploying this on kind. See below for an example of deploying this on kind.
1. A kubeconfig where the current context points to the cluster and has admin-like 1. A kubeconfig where the current context points to the cluster and has admin-like
privileges on that cluster. privileges on that cluster.
## Steps ## Overview
### Overview
Installing and trying Pinniped on any cluster will consist of the following general steps. See the next section below Installing and trying Pinniped on any cluster will consist of the following general steps. See the next section below
for a more specific example of installing onto a local kind cluster, including the exact commands to use for that case. for a more specific example of installing onto a local kind cluster, including the exact commands to use for that case.
@ -29,7 +27,23 @@ for a more specific example of installing onto a local kind cluster, including t
1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information. 1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information.
1. Run `kubectl` commands using the generated kubeconfig. Pinniped will automatically be used for authentication during those commands. 1. Run `kubectl` commands using the generated kubeconfig. Pinniped will automatically be used for authentication during those commands.
### Steps to Deploy the Latest Release on kind Using local-user-authenticator as the Identity Provider ## Example of Deploying on kind
[kind](https://kind.sigs.k8s.io) is a tool for creating and managing Kubernetes clusters on your local machine
which uses Docker containers as the cluster's "nodes". This is a convenient way to try out Pinniped on a local
non-production cluster.
The following steps will deploy the latest release of Pinniped on kind using the local-user-authenticator component
as the identity provider.
<!-- The following image was uploaded to GitHub's CDN using this awesome trick: https://gist.github.com/vinkla/dca76249ba6b73c5dd66a4e986df4c8d -->
<p align="center" width="100%">
<img
src="https://user-images.githubusercontent.com/25013435/95268445-3488f800-07ec-11eb-9f72-bbcc62a4e037.gif"
alt="Pinniped Installation Demo"
width="80%"
/>
</p>
1. Install the tools required for the following steps. 1. Install the tools required for the following steps.
@ -65,7 +79,8 @@ for a more specific example of installing onto a local kind cluster, including t
pinniped_version=v0.2.0 pinniped_version=v0.2.0
``` ```
1. Deploy the `local-user-authenticator` app. 1. Deploy the local-user-authenticator app. This is a demo identity provider. In production, you would use your
real identity provider, and therefore would not need to deploy or configure local-user-authenticator.
```bash ```bash
kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/$pinniped_version/install-local-user-authenticator.yaml kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/$pinniped_version/install-local-user-authenticator.yaml
@ -76,7 +91,7 @@ for a more specific example of installing onto a local kind cluster, including t
see [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md) see [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
for instructions on how to deploy using `ytt`. for instructions on how to deploy using `ytt`.
1. Create a test user. 1. Create a test user named `pinny-the-seal` in the local-user-authenticator identity provider.
```bash ```bash
kubectl create secret generic pinny-the-seal \ kubectl create secret generic pinny-the-seal \
@ -85,7 +100,7 @@ for a more specific example of installing onto a local kind cluster, including t
--from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")
``` ```
1. Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint. 1. Fetch the auto-generated CA bundle for the local-user-authenticator's HTTP TLS endpoint.
```bash ```bash
kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator \ kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator \
@ -103,7 +118,7 @@ for a more specific example of installing onto a local kind cluster, including t
If you would prefer to customize the available options, please see [deploy/README.md](../deploy/README.md) If you would prefer to customize the available options, please see [deploy/README.md](../deploy/README.md)
for instructions on how to deploy using `ytt`. for instructions on how to deploy using `ytt`.
1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using `local-user-authenticator`. 1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using local-user-authenticator.
```bash ```bash
cat <<EOF | kubectl create --namespace pinniped -f - cat <<EOF | kubectl create --namespace pinniped -f -
@ -152,7 +167,7 @@ for a more specific example of installing onto a local kind cluster, including t
Because this user has no RBAC permissions on this cluster, the previous command Because this user has no RBAC permissions on this cluster, the previous command
results in the error `Error from server (Forbidden): pods is forbidden: User "pinny-the-seal" cannot list resource "pods" in API group "" in the namespace "pinniped"`. results in the error `Error from server (Forbidden): pods is forbidden: User "pinny-the-seal" cannot list resource "pods" in API group "" in the namespace "pinniped"`.
However, this does prove that you are authenticated and acting as the "pinny-the-seal" user. However, this does prove that you are authenticated and acting as the `pinny-the-seal` user.
1. As the admin user, create RBAC rules for the test user to give them permissions to perform actions on the cluster. 1. As the admin user, create RBAC rules for the test user to give them permissions to perform actions on the cluster.
For example, grant the test user permission to view all cluster resources. For example, grant the test user permission to view all cluster resources.