Update the demo; most importantly remove the base64 decoding of the CA

- The `webhook_ca_bundle` ytt value should be base64 encoded
Ryan Richard 2020-09-17 16:08:45 -07:00
parent eabe51c446
commit 2d497cbd36

@ -77,8 +77,7 @@
```bash ```bash
kubectl get secret api-serving-cert --namespace local-user-authenticator \ kubectl get secret api-serving-cert --namespace local-user-authenticator \
-o jsonpath={.data.caCertificate} \ -o jsonpath={.data.caCertificate} \
| base64 -d \ | tee /tmp/local-user-authenticator-ca-base64-encoded
| tee /tmp/local-user-authenticator-ca
``` ```
1. Deploy Pinniped. 1. Deploy Pinniped.
@ -86,7 +85,7 @@
cd /tmp/pinniped/deploy cd /tmp/pinniped/deploy
ytt --file . \ ytt --file . \
--data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \ --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \
--data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca)" \ --data-value "webhook_ca_bundle=$(cat local-user-authenticator-ca-base64-encoded)" \
| kapp deploy --yes --app pinniped --diff-changes --file - | kapp deploy --yes --app pinniped --diff-changes --file -
``` ```
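Review bot: the new `--data-value "webhook_ca_bundle=$(cat local-user-authenticator-ca-base64-encoded)"` line uses a relative path, but the earlier step writes the file to `/tmp/local-user-authenticator-ca-base64-encoded` and this command runs after `cd /tmp/pinniped/deploy`, so `cat` will fail and `webhook_ca_bundle` will silently be set to an empty string instead of the CA bundle. Suggest `--data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca-base64-encoded)" \` so the path matches the one produced by `tee` in the previous step.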
@ -96,12 +95,24 @@
1. Move the Pinniped CLI binary to your preferred directory and add the executable bit, 1. Move the Pinniped CLI binary to your preferred directory and add the executable bit,
e.g. `chmod +x /usr/local/bin/pinniped`. e.g. `chmod +x /usr/local/bin/pinniped`.
1. Generate a kubeconfig. 1. Generate a kubeconfig for the current cluster. Use `--token` to include a token which should
allow you to authenticate as the user that you created above.
```bash ```bash
pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig
``` ```
1. Try using the generated kubeconfig to issue arbitrary `kubectl` commands as
the `pinny-the-seal` user.
```bash
kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped
```
Because this user has no RBAC permissions on this cluster, the previous command
results in the error `Error from server (Forbidden): pods is forbidden: User "pinny-the-seal" cannot list resource "pods" in API group "" in the namespace "pinniped"`.
However, this does prove that you are authenticated and acting as the "pinny-the-seal" user.
1. Create RBAC rules for the test user to give them permissions to perform actions on the cluster. 1. Create RBAC rules for the test user to give them permissions to perform actions on the cluster.
For example, grant the test user permission to view all cluster resources. For example, grant the test user permission to view all cluster resources.
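Review bot: the new "Try using the generated kubeconfig" step asks the reader to treat the `Forbidden` error as proof that authentication succeeded, but does not say what a failed authentication looks like at this point; a short sentence noting that an `Unauthorized` response here means the webhook did not accept the token (as opposed to the expected `Forbidden`, which means the user was authenticated but has no RBAC permissions yet) would help readers distinguish an authentication failure from the intended authorization failure. Also note that the token `pinny-the-seal:password123` is written into `/tmp/pinniped-kubeconfig` by `pinniped get-kubeconfig --token`, which is worth stating so readers know the credential is stored in that file.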
@ -114,3 +125,5 @@
```bash ```bash
kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped
``` ```
The user has permission to list pods, so the command succeeds! 🎉