Add prepare-impersonator-on-kind.sh for manually starting impersonator
It takes a lot of manual steps to get ready to manually test the impersonation proxy on a kind cluster, which makes it error prone, so encapsulate them into a script to make it easier.
This commit is contained in:
parent
939ea30030
commit
1b31489347
114
hack/prepare-impersonator-on-kind.sh
Executable file
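--- /dev/null
+++ b/hack/prepare-impersonator-on-kind.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# A script to perform the setup required to manually test using the impersonation proxy on a kind cluster.
+# Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.
+
+set -euo pipefail
+
+# The name of the namespace in which the concierge is installed.
+CONCIERGE_NAMESPACE=concierge
+# The name of the concierge app's Deployment.
+CONCIERGE_DEPLOYMENT=pinniped-concierge
+# The namespace in which the local-user-authenticator app is installed.
+LOCAL_USER_AUTHENTICATOR_NAMESPACE=local-user-authenticator
+# The port on which the impersonation proxy runs in the concierge pods.
+IMPERSONATION_PROXY_PORT=8444
+# The port that we will use to access the impersonator from outside the cluster via `kubectl port-forward`.
+LOCAL_PORT=8777
+LOCAL_HOST="127.0.0.1:${LOCAL_PORT}"
+
+# Change working directory to the top of the repo.
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT"
+
+# Build the CLI for use later in the script.
+go build ./cmd/pinniped
+
+# Create a test user and password.
+if ! kubectl get secret pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE; then
+  kubectl create secret generic pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
+    --from-literal=groups=group1,group2 \
+    --from-literal=passwordHash="$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")"
+fi
+
+# Get the CA of the local-user-authenticator.
+LOCAL_USER_AUTHENTICATOR_CA=$(kubectl get secret local-user-authenticator-tls-serving-certificate \
+  --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \
+  -o jsonpath=\{.data.caCertificate\})
+
+# Create a WebhookAuthenticator which points at the local-user-authenticator.
+cat <<EOF | kubectl apply -f -
+apiVersion: authentication.concierge.pinniped.dev/v1alpha1
+kind: WebhookAuthenticator
+metadata:
+  name: local-user-authenticator
+spec:
+  endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
+  tls:
+    certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
+EOF
+
+# Create an RBAC rule to allow the test user to do most things.
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pinny-the-seal-can-edit
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+- kind: User
+  name: pinny-the-seal
+EOF
+
+# Create a configmap to enable the impersonation proxy and set the endpoint to match the
+# host and port that we will use the access the impersonation proxy (via the port-forwarded port).
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pinniped-concierge-impersonation-proxy-config
+  namespace: $CONCIERGE_NAMESPACE
+data:
+  config.yaml: |
+    endpoint: ${LOCAL_HOST}
+    mode: enabled
+EOF
+
+# Wait for the CredentialIssuer's impersonator status to update to be successful.
+while [[ -z "$(kubectl get credentialissuer pinniped-concierge-config -o json |
+  jq '.status.strategies[] | select((.type=="ImpersonationProxy") and (.status=="Success"))')" ]]; do
+  echo "Waiting for a successful ImpersonationProxy strategy on CredentialIssuer..."
+  sleep 2
+done
+echo "Impersonator is available on https://${LOCAL_HOST}"
+
+# Make the impersonation proxy's port from the inside the cluster available locally.
+kubectl port-forward -n $CONCIERGE_NAMESPACE deployment/$CONCIERGE_DEPLOYMENT ${LOCAL_PORT}:${IMPERSONATION_PROXY_PORT} &
+port_forward_pid=$!
+
+# Kill the kubectl port-forward command whenever the script is control-c cancelled or otherwise ends.
+function cleanup() {
+  echo
+  echo "Cleaning up cluster resources..."
+  kubectl delete secret -n $LOCAL_USER_AUTHENTICATOR_NAMESPACE pinny-the-seal
+  kubectl delete configmap -n $CONCIERGE_NAMESPACE pinniped-concierge-impersonation-proxy-config
+  kubectl delete clusterrolebinding pinny-the-seal-can-edit
+  kubectl delete webhookauthenticator local-user-authenticator
+  echo "Stopping kubectl port-forward and exiting..."
+  # It may have already shut down, so ignore errors.
+  kill -9 $port_forward_pid &> /dev/null || true
+}
+trap cleanup EXIT
+
+# Get a working kubeconfig that will send requests through the impersonation proxy.
+./pinniped get kubeconfig \
+  --static-token "pinny-the-seal:password123" \
+  --concierge-mode ImpersonationProxy >/tmp/kubeconfig
+
+echo
+echo 'Ready. In another tab, use "kubectl --kubeconfig /tmp/kubeconfig <cmd>" to make requests through the impersonation proxy.'
+echo "When done, cancel with ctrl-C to clean up."
+wait $port_forward_pid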
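Review bot: The kubeconfig produced by `./pinniped get kubeconfig` embeds the static credential `pinny-the-seal:password123` (bound cluster-wide to ClusterRole `edit` a few lines earlier) at the fixed, shared path `/tmp/kubeconfig`, and `cleanup()` removes the cluster-side objects but never that file, so the credential file outlives the session on a multi-user host. Writing it to `kubeconfig_out="$(mktemp)"` and adding `rm -f -- "$kubeconfig_out"` to `cleanup()` (with the "Ready" message printing that path) closes both gaps. Separately, `trap cleanup EXIT` is registered only after the Secret, WebhookAuthenticator, ClusterRoleBinding and ConfigMap have been applied and the status-polling loop has finished, so a ctrl-C during the wait leaves all four behind; registering the trap before the first `kubectl apply` (with `port_forward_pid=` defaulted to empty so `set -u` does not trip) would cover that path. Since `set -e` appears to remain in force inside the trap handler, each `kubectl delete` should also carry `--ignore-not-found` so one missing object does not abort the remaining deletes and the port-forward kill.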
|