Create a deployment for test-webhook

- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
This commit is contained in:
Ryan Richard 2020-09-09 19:06:39 -07:00
parent 3ee7a0d881
commit 2565f67824
8 changed files with 542 additions and 238 deletions

View File

@ -19,13 +19,16 @@ COPY tools ./tools
COPY hack ./hack
# Build the executable binary (CGO_ENABLED=0 means static linking)
RUN mkdir out && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/...
RUN mkdir out \
&& CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \
&& CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/test-webhook/...
# Use a runtime image based on Debian slim
FROM debian:10.5-slim
# Copy the binary from the build-env stage
# Copy the binaries from the build-env stage
COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server
COPY --from=build-env /work/out/test-webhook /usr/local/bin/test-webhook
# Document the port
EXPOSE 443

View File

@ -8,7 +8,7 @@ SPDX-License-Identifier: Apache-2.0
// This webhook is meant to be used in demo settings to play around with
// Pinniped. As well, it can come in handy in integration tests.
//
// This webhook is NOT meant for production settings.
// This webhook is NOT meant for use in production systems.
package main
import (
@ -34,14 +34,24 @@ import (
restclient "k8s.io/client-go/rest"
"k8s.io/klog/v2"
"github.com/suzerain-io/pinniped/internal/controller/apicerts"
"github.com/suzerain-io/pinniped/internal/controllerlib"
"github.com/suzerain-io/pinniped/internal/provider"
)
const (
// namespace is the assumed namespace of this webhook. It is hardcoded now for
// simplicity, but should probably be made configurable in the future.
// This string must match the name of the Namespace declared in the deployment yaml.
namespace = "test-webhook"
// This string must match the name of the Service declared in the deployment yaml.
serviceName = "test-webhook"
// TODO there must be a better way to get this specific json result string without needing to hardcode it
unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
// TODO there must be a better way to get this specific json result string without needing to hardcode it
authenticatedResponseTemplate = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"%s","uid":"%s","groups":%s}}}`
singletonWorker = 1
defaultResyncInterval = 3 * time.Minute
)
@ -153,17 +163,21 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
) == nil
if !passwordMatches {
respondWithUnauthenticated(rsp)
return
}
groups := []string{}
groupsBuf := bytes.NewBuffer(secret.Data["groups"])
gr := csv.NewReader(groupsBuf)
groups, err := gr.Read()
if groupsBuf.Len() > 0 {
groupsCSVReader := csv.NewReader(groupsBuf)
groups, err = groupsCSVReader.Read()
if err != nil {
klog.InfoS("could not read groups", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
return
}
trimSpace(groups)
trimLeadingAndTrailingWhitespace(groups)
}
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups)
}
@ -177,7 +191,7 @@ func contains(ss []string, s string) bool {
return false
}
func trimSpace(ss []string) {
func trimLeadingAndTrailingWhitespace(ss []string) {
for i := range ss {
ss[i] = strings.TrimSpace(ss[i])
}
@ -185,16 +199,7 @@ func trimSpace(ss []string) {
func respondWithUnauthenticated(rsp http.ResponseWriter) {
rsp.Header().Add("Content-Type", "application/json")
body := authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: false,
},
}
if err := json.NewEncoder(rsp).Encode(body); err != nil {
klog.InfoS("could not encode response", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
}
_, _ = rsp.Write([]byte(unauthenticatedResponse))
}
func respondWithAuthenticated(
@ -203,21 +208,14 @@ func respondWithAuthenticated(
groups []string,
) {
rsp.Header().Add("Content-Type", "application/json")
body := authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: true,
User: authenticationv1.UserInfo{
Username: username,
UID: uid,
Groups: groups,
},
},
}
if err := json.NewEncoder(rsp).Encode(body); err != nil {
groupsJSONBytes, err := json.Marshal(groups)
if err != nil {
klog.InfoS("could not encode response", "err", err)
rsp.WriteHeader(http.StatusInternalServerError)
return
}
jsonBody := fmt.Sprintf(authenticatedResponseTemplate, username, uid, groupsJSONBytes)
_, _ = rsp.Write([]byte(jsonBody))
}
func newK8sClient() (kubernetes.Interface, error) {
@ -235,19 +233,52 @@ func newK8sClient() (kubernetes.Interface, error) {
return kubeClient, nil
}
func startControllers(ctx context.Context) error {
return nil
func startControllers(
ctx context.Context,
dynamicCertProvider provider.DynamicTLSServingCertProvider,
kubeClient kubernetes.Interface,
kubeInformers kubeinformers.SharedInformerFactory,
) {
aVeryLongTime := time.Hour * 24 * 365 * 100
// Create controller manager.
controllerManager := controllerlib.
NewManager().
WithController(
apicerts.NewCertsManagerController(
namespace,
kubeClient,
kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer,
controllerlib.WithInitialEvent,
aVeryLongTime,
"test-webhook CA",
serviceName,
),
singletonWorker,
).
WithController(
apicerts.NewCertsObserverController(
namespace,
dynamicCertProvider,
kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer,
),
singletonWorker,
)
kubeInformers.Start(ctx.Done())
go controllerManager.Start(ctx)
}
func startWebhook(
ctx context.Context,
l net.Listener,
dynamicCertProvider provider.DynamicTLSServingCertProvider,
secretInformer corev1informers.SecretInformer,
) error {
return newWebhook(
provider.NewDynamicTLSServingCertProvider(),
secretInformer,
).start(ctx, l)
return newWebhook(dynamicCertProvider, secretInformer).start(ctx, l)
}
func waitForSignal() os.Signal {
@ -271,28 +302,26 @@ func run() error {
kubeinformers.WithNamespace(namespace),
)
if err := startControllers(ctx); err != nil {
return fmt.Errorf("cannot start controllers: %w", err)
}
dynamicCertProvider := provider.NewDynamicTLSServingCertProvider()
startControllers(ctx, dynamicCertProvider, kubeClient, kubeInformers)
klog.InfoS("controllers are ready")
l, err := net.Listen("tcp", "127.0.0.1:443")
//nolint: gosec
l, err := net.Listen("tcp", ":443")
if err != nil {
return fmt.Errorf("cannot create listener: %w", err)
}
defer l.Close()
if err := startWebhook(
ctx,
l,
kubeInformers.Core().V1().Secrets(),
); err != nil {
err = startWebhook(ctx, l, dynamicCertProvider, kubeInformers.Core().V1().Secrets())
if err != nil {
return fmt.Errorf("cannot start webhook: %w", err)
}
klog.InfoS("webhook is ready", "address", l.Addr().String())
signal := waitForSignal()
klog.InfoS("webhook exiting", "signal", signal)
gotSignal := waitForSignal()
klog.InfoS("webhook exiting", "signal", gotSignal)
return nil
}

View File

@ -19,6 +19,7 @@ import (
"net/http"
"net/url"
"reflect"
"strings"
"testing"
"time"
@ -43,60 +44,48 @@ func TestWebhook(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
uid, otherUID, colonUID := "some-uid", "some-other-uid", "some-colon-uid"
user, otherUser, colonUser := "some-user", "some-other-user", "some-colon-user"
password, otherPassword, colonPassword := "some-password", "some-other-password", "some-:-password"
user, otherUser, colonUser, noGroupUser, oneGroupUser, passwordUndefinedUser, emptyPasswordUser, underfinedGroupsUser :=
"some-user", "other-user", "colon-user", "no-group-user", "one-group-user", "password-undefined-user", "empty-password-user", "undefined-groups-user"
uid, otherUID, colonUID, noGroupUID, oneGroupUID, passwordUndefinedUID, emptyPasswordUID, underfinedGroupsUID :=
"some-uid", "other-uid", "colon-uid", "no-group-uid", "one-group-uid", "password-undefined-uid", "empty-password-uid", "undefined-groups-uid"
password, otherPassword, colonPassword, noGroupPassword, oneGroupPassword, undefinedGroupsPassword :=
"some-password", "other-password", "some-:-password", "no-group-password", "one-group-password", "undefined-groups-password"
group0, group1 := "some-group-0", "some-group-1"
passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
require.NoError(t, err)
otherPasswordHash, err := bcrypt.GenerateFromPassword([]byte(otherPassword), bcrypt.MinCost)
require.NoError(t, err)
colonPasswordHash, err := bcrypt.GenerateFromPassword([]byte(colonPassword), bcrypt.MinCost)
require.NoError(t, err)
groups := group0 + " , " + group1
userSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(uid),
Name: user,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"passwordHash": passwordHash,
"groups": []byte(groups),
},
}
otherUserSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(otherUID),
Name: otherUser,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"passwordHash": otherPasswordHash,
"groups": []byte(groups),
},
}
colonUserSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(colonUID),
Name: colonUser,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"passwordHash": colonPasswordHash,
"groups": []byte(groups),
},
}
kubeClient := kubernetesfake.NewSimpleClientset()
require.NoError(t, kubeClient.Tracker().Add(userSecret))
require.NoError(t, kubeClient.Tracker().Add(otherUserSecret))
require.NoError(t, kubeClient.Tracker().Add(colonUserSecret))
addSecretToFakeClientTracker(t, kubeClient, user, uid, password, groups)
addSecretToFakeClientTracker(t, kubeClient, otherUser, otherUID, otherPassword, groups)
addSecretToFakeClientTracker(t, kubeClient, colonUser, colonUID, colonPassword, groups)
addSecretToFakeClientTracker(t, kubeClient, noGroupUser, noGroupUID, noGroupPassword, "")
addSecretToFakeClientTracker(t, kubeClient, oneGroupUser, oneGroupUID, oneGroupPassword, group0)
addSecretToFakeClientTracker(t, kubeClient, emptyPasswordUser, emptyPasswordUID, "", groups)
require.NoError(t, kubeClient.Tracker().Add(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(passwordUndefinedUID),
Name: passwordUndefinedUser,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"groups": []byte(groups),
},
}))
undefinedGroupsUserPasswordHash, err := bcrypt.GenerateFromPassword([]byte(undefinedGroupsPassword), bcrypt.MinCost)
require.NoError(t, err)
require.NoError(t, kubeClient.Tracker().Add(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(underfinedGroupsUID),
Name: underfinedGroupsUser,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"passwordHash": undefinedGroupsUserPasswordHash,
},
}))
secretInformer := createSecretInformer(t, kubeClient)
@ -110,6 +99,12 @@ func TestWebhook(t *testing.T) {
client := newClient(caBundle, serverName)
goodURL := fmt.Sprintf("https://%s/authenticate", l.Addr().String())
goodRequestHeaders := map[string][]string{
"Content-Type": {"application/json"},
"Accept": {"application/json"},
}
tests := []struct {
name string
url string
@ -119,126 +114,153 @@ func TestWebhook(t *testing.T) {
wantStatus int
wantHeaders map[string][]string
wantBody *authenticationv1.TokenReview
wantBody *string
}{
{
name: "success",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
name: "success for a user who belongs to multiple groups",
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(user + ":" + password)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
"Content-Type": {"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: true,
User: authenticationv1.UserInfo{
Username: user,
UID: uid,
Groups: []string{group0, group1},
wantBody: authenticatedResponseJSON(user, uid, []string{group0, group1}),
},
{
name: "success for a user who belongs to one groups",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(oneGroupUser + ":" + oneGroupPassword)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": {"application/json"},
},
wantBody: authenticatedResponseJSON(oneGroupUser, oneGroupUID, []string{group0}),
},
{
name: "success for a user who belongs to no groups",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(noGroupUser + ":" + noGroupPassword)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": {"application/json"},
},
wantBody: authenticatedResponseJSON(noGroupUser, noGroupUID, []string{}),
},
{
name: "wrong username for password",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(otherUser + ":" + password)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
"Content-Type": {"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: false,
wantBody: unauthenticatedResponseJSON(),
},
{
name: "when a user has no password hash in the secret",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(passwordUndefinedUser + ":foo")
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": {"application/json"},
},
wantBody: unauthenticatedResponseJSON(),
},
{
name: "success for a user has no groups defined in the secret",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(underfinedGroupsUser + ":" + undefinedGroupsPassword)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": {"application/json"},
},
wantBody: authenticatedResponseJSON(underfinedGroupsUser, underfinedGroupsUID, []string{}),
},
{
name: "when a user has empty string as their password",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(passwordUndefinedUser + ":foo")
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": {"application/json"},
},
wantBody: unauthenticatedResponseJSON(),
},
{
name: "wrong password for username",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(user + ":" + otherPassword)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: false,
},
"Content-Type": {"application/json"},
},
wantBody: unauthenticatedResponseJSON(),
},
{
name: "non-existent password for username",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(user + ":" + "some-non-existent-password")
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: false,
},
"Content-Type": {"application/json"},
},
wantBody: unauthenticatedResponseJSON(),
},
{
name: "non-existent username",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody("some-non-existent-user" + ":" + password)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: false,
},
"Content-Type": {"application/json"},
},
wantBody: unauthenticatedResponseJSON(),
},
{
name: "invalid token (missing colon)",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
name: "bad token format (missing colon)",
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(user)
},
@ -246,38 +268,23 @@ func TestWebhook(t *testing.T) {
},
{
name: "password contains colon",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(colonUser + ":" + colonPassword)
},
wantStatus: http.StatusOK,
wantHeaders: map[string][]string{
"Content-Type": []string{"application/json"},
},
wantBody: &authenticationv1.TokenReview{
Status: authenticationv1.TokenReviewStatus{
Authenticated: true,
User: authenticationv1.UserInfo{
Username: colonUser,
UID: colonUID,
Groups: []string{group0, group1},
},
},
"Content-Type": {"application/json"},
},
wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
},
{
name: "bad path",
url: fmt.Sprintf("https://%s/tuna", l.Addr().String()),
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody("some-token")
},
@ -285,12 +292,9 @@ func TestWebhook(t *testing.T) {
},
{
name: "bad method",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodGet,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody("some-token")
},
@ -298,11 +302,11 @@ func TestWebhook(t *testing.T) {
},
{
name: "bad content type",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/xml"},
"Accept": []string{"application/json"},
"Content-Type": {"application/xml"},
"Accept": {"application/json"},
},
body: func() (io.ReadCloser, error) {
return newTokenReviewBody("some-token")
@ -311,11 +315,11 @@ func TestWebhook(t *testing.T) {
},
{
name: "bad accept",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/xml"},
"Content-Type": {"application/json"},
"Accept": {"application/xml"},
},
body: func() (io.ReadCloser, error) {
return newTokenReviewBody("some-token")
@ -324,22 +328,20 @@ func TestWebhook(t *testing.T) {
},
{
name: "bad body",
url: fmt.Sprintf("https://%s/authenticate", l.Addr().String()),
url: goodURL,
method: http.MethodPost,
headers: map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
},
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return ioutil.NopCloser(bytes.NewBuffer([]byte("invalid body"))), nil
},
wantStatus: http.StatusBadRequest,
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
url, err := url.Parse(test.url)
parsedURL, err := url.Parse(test.url)
require.NoError(t, err)
body, err := test.body()
@ -347,25 +349,28 @@ func TestWebhook(t *testing.T) {
rsp, err := client.Do(&http.Request{
Method: test.method,
URL: url,
URL: parsedURL,
Header: test.headers,
Body: body,
})
require.NoError(t, err)
defer rsp.Body.Close()
if test.wantStatus != 0 {
require.Equal(t, test.wantStatus, rsp.StatusCode)
}
if test.wantHeaders != nil {
for k, v := range test.wantHeaders {
require.Equal(t, v, rsp.Header.Values(k))
}
}
if test.wantBody != nil {
rspBody, err := newTokenReview(rsp.Body)
responseBody, err := ioutil.ReadAll(rsp.Body)
require.NoError(t, err)
require.Equal(t, test.wantBody, rspBody)
if test.wantBody != nil {
require.NoError(t, err)
require.JSONEq(t, *test.wantBody, string(responseBody))
} else {
require.Empty(t, responseBody)
}
})
}
@ -448,10 +453,57 @@ func newTokenReviewBody(token string) (io.ReadCloser, error) {
return ioutil.NopCloser(buf), err
}
// newTokenReview reads a JSON-encoded authenticationv1.TokenReview from an
// io.Reader.
func newTokenReview(body io.Reader) (*authenticationv1.TokenReview, error) {
var tr authenticationv1.TokenReview
err := json.NewDecoder(body).Decode(&tr)
return &tr, err
func unauthenticatedResponseJSON() *string {
// Very specific expected result. Avoid using json package so we know exactly what we're asserting.
s := `{
"apiVersion": "authentication.k8s.io/v1beta1",
"kind": "TokenReview",
"status": {
"authenticated": false
}
}`
return &s
}
func authenticatedResponseJSON(user, uid string, groups []string) *string {
var quotedGroups []string
for _, group := range groups {
quotedGroups = append(quotedGroups, `"`+group+`"`)
}
// Very specific expected result. Avoid using json package so we know exactly what we're asserting.
authenticatedJSONTemplate := `{
"apiVersion": "authentication.k8s.io/v1beta1",
"kind": "TokenReview",
"status": {
"authenticated": true,
"user": {
"username": "%s",
"uid": "%s",
"groups": [%s]
}
}
}`
s := fmt.Sprintf(authenticatedJSONTemplate, user, uid, strings.Join(quotedGroups, ","))
return &s
}
func addSecretToFakeClientTracker(t *testing.T, kubeClient *kubernetesfake.Clientset, username, uid, password, groups string) {
passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
require.NoError(t, err)
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
UID: types.UID(uid),
Name: username,
Namespace: "test-webhook",
},
Data: map[string][]byte{
"passwordHash": passwordHash,
"groups": []byte(groups),
},
}
require.NoError(t, kubeClient.Tracker().Add(secret))
}

View File

@ -0,0 +1,110 @@
# Deploying `test-webhook`
## What is `test-webhook`?
The `test-webhook` app is an identity provider used for integration testing and demos.
If you would like to demo Pinniped, but you don't have a compatible identity provider handy,
you can use Pinniped's `test-webhook` identity provider. Note that this is not recommended for
production use.
The `test-webhook` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes
[Webhook Token Authentication interface](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
User accounts can be created and edited dynamically using `kubectl` commands (see below).
## Tools
This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files.
Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
## Procedure
1. The configuration options are in [values.yml](values.yaml). Fill in the values in that file, or override those values
using `ytt` command-line options in the command below.
2. In a terminal, cd to this `deploy-test-webhook` directory
3. To generate the final YAML files, run: `ytt --file .`
4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
For example: `ytt --file . | kapp deploy --yes --app test-webhook --diff-changes --file -`
## Configuring After Installing
### Create Users
Use `kubectl` to create, edit, and delete user accounts by creating a `Secret` for each user account in the same
namespace where `test-webhook` is deployed. The name of the `Secret` resource is the username.
Store the user's group membership and `bcrypt` encrypted password as the contents of the `Secret`.
For example, to create a user named `ryan` with the password `password123`
who belongs to the groups `group1` and `group2`, use:
```bash
kubectl create secret generic ryan \
--namespace test-webhook \
--from-literal=groups=group1,group2 \
--from-literal=passwordHash=$(htpasswd -nbBC 16 x password123 | sed -e "s/^x://")
```
### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle
Fetch the auto-generated CA bundle for the `test-webhook`'s HTTP TLS endpoint.
```bash
kubectl get secret api-serving-cert --namespace test-webhook \
-o jsonpath={.data.caCertificate} \
| base64 -d \
| tee /tmp/test-webhook-ca
```
### Configuring Pinniped to Use `test-webhook` as an Identity Provider
When installing Pinniped on the same cluster, configure `test-webhook` as an Identity Provider for Pinniped
using the webhook URL `https://test-webhook.test-webhook.svc/authenticate`
along with the CA bundle fetched by the above command.
### Optional: Manually Test the Webhook Endpoint
1. Start a pod from which you can curl the endpoint from inside the cluster.
```bash
kubectl run curlpod --image=curlimages/curl --command -- /bin/sh -c "while true; do echo hi; sleep 120; done"
```
1. Copy the CA bundle that was fetched above onto the new pod.
```bash
kubectl cp /tmp/test-webhook-ca curlpod:/tmp/test-webhook-ca
```
1. Run a `curl` command to try to authenticate as the user created above.
```bash
kubectl -it exec curlpod -- curl https://test-webhook.test-webhook.svc/authenticate \
--cacert /tmp/test-webhook-ca \
-H 'Content-Type: application/json' -H 'Accept: application/json' -d '
{
"apiVersion": "authentication.k8s.io/v1beta1",
"kind": "TokenReview",
"spec": {
"token": "ryan:password123"
}
}'
```
When authentication is successful the above command should return some JSON similar to the following.
Note that the value of `authenticated` is `true` to indicate a successful authentication.
```json
{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"ryan","uid":"19c433ec-8f58-44ca-9ef0-2d1081ccb876","groups":["group1","group2"]}}}
```
Trying the above `curl` command again with the wrong username or password in the body of the request
should result in a JSON response which indicates that the authentication failed.
```json
{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}
```
1. Remove the curl pod.
```bash
kubectl delete pod curlpod
```

View File

@ -0,0 +1,63 @@
#! Copyright 2020 VMware, Inc.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
---
apiVersion: v1
kind: Namespace
metadata:
name: test-webhook
labels:
name: test-webhook
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-webhook-service-account
namespace: test-webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-webhook
namespace: test-webhook
labels:
app: test-webhook
spec:
replicas: 1
selector:
matchLabels:
app: test-webhook
template:
metadata:
labels:
app: test-webhook
spec:
serviceAccountName: test-webhook-service-account
containers:
- name: test-webhook
#@ if data.values.image_digest:
image: #@ data.values.image_repo + "@" + data.values.image_digest
#@ else:
image: #@ data.values.image_repo + ":" + data.values.image_tag
#@ end
imagePullPolicy: IfNotPresent
command: #! override the default entrypoint
- /usr/local/bin/test-webhook
---
apiVersion: v1
kind: Service
metadata:
name: test-webhook
namespace: test-webhook
labels:
app: test-webhook
spec:
type: ClusterIP
selector:
app: test-webhook
ports:
- protocol: TCP
port: 443
targetPort: 443

View File

@ -0,0 +1,30 @@
#! Copyright 2020 VMware, Inc.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: test-webhook-aggregated-api-server-role
namespace: test-webhook
rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, list, patch, update, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test-webhook-aggregated-api-server-role-binding
namespace: test-webhook
subjects:
- kind: ServiceAccount
name: test-webhook-service-account
namespace: test-webhook
roleRef:
kind: Role
name: test-webhook-aggregated-api-server-role
apiGroup: rbac.authorization.k8s.io

View File

@ -0,0 +1,10 @@
#! Copyright 2020 VMware, Inc.
#! SPDX-License-Identifier: Apache-2.0
#@data/values
---
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
image_repo: #! e.g. registry.example.com/your-project-name/repo-name
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
image_tag: #! e.g. latest

View File

@ -1,5 +1,12 @@
# Deploying
## Connecting Pinniped to an Identity Provider
If you would like to try Pinniped, but you don't have a compatible identity provider,
you can use Pinniped's test identity provider.
See [../deplot-test-webhook/README.md](../deplot-test-webhook/README.md)
for details.
## Tools
This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files.