From 335ab6749625644631bd5f27568932bb1ab5dc34 Mon Sep 17 00:00:00 2001 From: "Benjamin A. Petersen" Date: Thu, 19 Oct 2023 14:44:56 -0400 Subject: [PATCH] simplify env vars again, create one well known /tmp/integration-test-env file again --- hack/build-carvel-packages.sh | 23 +-------- hack/integration-test-env-goland.sh | 9 +--- hack/noop.sh | 25 ---------- hack/prepare-for-integration-tests.sh | 71 +++++++++++++-------------- hack/prepare-supervisor-on-kind.sh | 15 +----- 5 files changed, 38 insertions(+), 105 deletions(-) diff --git a/hack/build-carvel-packages.sh b/hack/build-carvel-packages.sh index cd6a50e8..7c07db22 100755 --- a/hack/build-carvel-packages.sh +++ b/hack/build-carvel-packages.sh @@ -50,19 +50,8 @@ cd "$pinniped_path" || exit 1 # - app: unimportant, but always first # - tag: uuidgen in hack/prepare-for-integration-tests.sh # if this script is run standalone, then auto-fill with a unique value -# - env_file_name: the text file to write environment variables for integration tests, IDEs, etc. app=${1:-"undefined"} tag=${2:-$(uuidgen)} -# best if this is passed in by calling code to share the same file -env_file_name=${3:-"undefined"} - - -if [ "${env_file_name}" == "undefined" ]; then - env_file_name="$(mktemp /tmp/pinniped.integration.XXXXXXXX)" - log_note "env file name not passed, generating new environment file: ${env_file_name}" -else - log_note "appending to shared env file: ${env_file_name}" -fi # TODO: automate the version by release somehow. # the tag is the version in our build scripts, but we will want real versions for releases @@ -293,9 +282,6 @@ kubectl create secret generic "$test_username" \ --output yaml | kubectl apply -f - -# TODO: this is a race, we need to wait for this secret to exist, should we --wait? -webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" -# end local-user-authenticator # start concierge 
@@ -347,6 +333,7 @@ stringData: custom_labels: $concierge_custom_labels image_repo: $registry_repo image_tag: $tag + discovery_url: $discovery_url EOF KAPP_CONTROLLER_APP_NAME="${resource_name}-pkginstall" @@ -416,14 +403,6 @@ log_note "deploying ${KAPP_CONTROLLER_APP_NAME}..." kapp deploy --app "${KAPP_CONTROLLER_APP_NAME}" --file "${PACKAGE_INSTALL_FILE_NAME}" -y # end supervisor -log_note "writing to environment file: ${env_file_name}..." -echo "# carvel package script additions........." -echo "export PINNIPED_TEST_USER_USERNAME=${test_username}" >> "${env_file_name}" -echo "export PINNIPED_TEST_USER_GROUPS=${test_groups}" >> "${env_file_name}" -echo "export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}" >> "${env_file_name}" -echo "export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}" >> "${env_file_name}" -echo "# carvel package script additions end....." - log_note "verifying PackageInstall resources..." kubectl get PackageInstall -A | grep pinniped kubectl get secret -A | grep pinniped diff --git a/hack/integration-test-env-goland.sh b/hack/integration-test-env-goland.sh index 86fd1b90..cf06b612 100755 --- a/hack/integration-test-env-goland.sh +++ b/hack/integration-test-env-goland.sh @@ -11,15 +11,8 @@ set -euo pipefail ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" -env_file_name=${1:-"undefined"} -if [ "${env_file_name}" == "undefined" ] -then - echo "environment variable file name must be specified." - echo "hint: this is typically in the output of running hack/prepare-for-integration-tests.sh" - exit 1 -fi -source "${env_file_name}" +source "/tmp/integration-test-env" echo -n "PINNIPED_TEST_GOLAND_RUNNER=true;" diff --git a/hack/noop.sh b/hack/noop.sh index ff76a90f..19903763 100755 --- a/hack/noop.sh +++ b/hack/noop.sh 
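Review bot: The new `source "/tmp/integration-test-env"` in hack/integration-test-env-goland.sh runs whatever sits at a fixed name in a world-writable directory, with no check that the file exists or belongs to the current user. The hint pointing to hack/prepare-for-integration-tests.sh is also removed, so under the script's `set -euo pipefail` a missing file now fails with only bash's own error. A guard before the `source` covers both cases, for example `[[ -O /tmp/integration-test-env ]] || { echo "run hack/prepare-for-integration-tests.sh first" >&2; exit 1; }`. The same applies to the `source "/tmp/integration-test-env"` line added in hack/prepare-supervisor-on-kind.sh (hunk `-105,13 +97,8`), which also loses its explicit error message.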
@@ -40,31 +40,6 @@ function check_dependency() { fi } -## two vars will be received by this script: -## Received: local-user-authenticator -## Received: D00A4537-80F1-4AF2-A3B3-5F20BDBB9AEB app=${1} -## tag is fed in from the prepare-for-integration-tests.sh script, just uuidgen to identify a -## specific docker build of the pinniped-server image. tag=${2} -# env_file_name is where to write env vars, if necessary to contribute to the environment -env_file_name=${3} -#SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -#log_note "noop.sh >>> script dir: ${SCRIPT_DIR}" log_note "noop.sh >>> app: ${app} tag: ${tag}" -## nothing else, this is a test. -# -#log_note "temporarily creating ns:local-user-authenticator as workaround..." -# -#local_user_authenticator_file="/tmp/install-local-user-authenticator-namespace.yaml" -#cat < "${local_user_authenticator_file}" -#--- -#apiVersion: v1 -#kind: Namespace -#metadata: -# name: local-user-authenticator -# labels: -# name: local-user-authenticator -#EOF -# -#kubectl apply -f "${local_user_authenticator_file}" diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index 7981be2e..c6f4cb72 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -232,10 +232,6 @@ else fi -# since we allow other scripts to write to the environment file, we need to create a new one every time -env_file_name="$(mktemp /tmp/pinniped.integration.XXXXXXXX)" -log_note "creating environment variable file: $env_file_name" - # registry="pinniped.local" registry="kind-registry.local:5000" # TODO: need to prompt the user to edit their /etc/hosts here, because otherwise 
@@ -280,18 +276,14 @@ docker push "$registry_repo_tag"
 # Deploy local-user-authenticator
 #
 manifest=/tmp/pinniped-local-user-authenticator.yaml
-test_username=""
-test_groups=""
-test_password=""
-webhook_ca_bundle=""
 if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_local_user_authenticator" != "undefined" ] ; then
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy local-user-authenticator $tag..."
- $alternate_deploy local-user-authenticator $tag $env_file_name
+ $alternate_deploy local-user-authenticator $tag
 fi
 if [ "$alternate_deploy_local_user_authenticator" != "undefined" ]; then
 log_note "The Pinniped local-user-authenticator will be deployed with $alternate_deploy_local_user_authenticator local-user-authenticator $tag..."
- $alternate_deploy_local_user_authenticator local-user-authenticator $tag $env_file_name
+ $alternate_deploy_local_user_authenticator local-user-authenticator $tag
 fi
 else
 log_note "Deploying the local-user-authenticator app to the cluster using kapp..."
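Review bot: The rewritten call lines still expand `$alternate_deploy`, `$alternate_deploy_local_user_authenticator` and `$tag` unquoted, so a script path containing spaces or glob characters is split or expanded before it is executed. Since these lines are being edited anyway, `"$alternate_deploy" local-user-authenticator "$tag"` is the safer form. The same pattern recurs in the supervisor and concierge hunks (`-361,11` and `-402,11`) and in the `$post_install` call (`-433,9`). Where these variables are assigned is outside the hunks shown, so confirm that no caller relies on word splitting to pass extra arguments before quoting them.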
@@ -303,26 +295,6 @@ else
 
 kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
 kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
-
- log_note "Creating test user '$test_username'..."
- test_username="test-username"
- test_groups="test-group-0,test-group-1"
- test_password="$(openssl rand -hex 16)"
- echo "export PINNIPED_TEST_USER_USERNAME=${test_username}" >> "${env_file_name}"
- echo "export PINNIPED_TEST_USER_GROUPS=${test_groups}" >> "${env_file_name}"
- echo "export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}" >> "${env_file_name}"
-
- kubectl create secret generic "$test_username" \
- --namespace local-user-authenticator \
- --from-literal=groups="$test_groups" \
- --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
- --dry-run=client \
- --output yaml |
- kubectl apply -f -
-
- # TODO: this is a race, we need to wait for this secret to exist, should we --wait?
- webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
- echo "export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}" >> "${env_file_name}"
 popd >/dev/null
 fi
 
@@ -361,11 +333,11 @@ service_https_clusterip_port="443"
 if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_supervisor" != "undefined" ] ; then
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
- $alternate_deploy pinniped-supervisor $tag $env_file_name
+ $alternate_deploy pinniped-supervisor $tag
 fi
 if [ "$alternate_deploy_supervisor" != "undefined" ]; then
 log_note "The Pinniped Supervisor will be deployed with $alternate_deploy_supervisor pinniped-supervisor $tag..."
- $alternate_deploy_supervisor pinniped-supervisor $tag $env_file_name
+ $alternate_deploy_supervisor pinniped-supervisor $tag
 fi
 else
 log_note "Deploying the Pinniped Supervisor app to the cluster using kapp..."
@@ -402,11 +374,11 @@ log_level="debug"
 if [ "$alternate_deploy" != "undefined" ] || [ "$alternate_deploy_concierge" != "undefined" ] ; then
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag..."
- $alternate_deploy pinniped-concierge $tag $env_file_name
+ $alternate_deploy pinniped-concierge $tag
 fi
 if [ "$alternate_deploy_concierge" != "undefined" ]; then
 log_note "The Pinniped Concierge will be deployed with $alternate_deploy_concierge pinniped-concierge $tag..."
- $alternate_deploy_concierge pinniped-concierge $tag $env_file_name
+ $alternate_deploy_concierge pinniped-concierge $tag
 fi
 else
 log_note "Deploying the Pinniped Concierge app to the cluster using kapp..."
@@ -433,9 +405,31 @@ fi
 # running it after the above also allows appending to the environment variable file
 if [ "$post_install" != "undefined" ] ; then
 log_note "The post-install script will be called with $tag..."
- $post_install post-install-script $tag $env_file_name
+ $post_install post-install-script $tag
 fi
 
+#
+# Test user for the authenticator
+# the authenticator may be deployed in alternative ways (ex. carvel package) but regardless we need a test user.
+#
+log_note "Creating test user for local-user-authenticator..."
+test_username="test-username"
+test_groups="test-group-0,test-group-1"
+test_password="$(openssl rand -hex 16)"
+
+kubectl create secret generic "$test_username" \
+ --namespace local-user-authenticator \
+ --from-literal=groups="$test_groups" \
+ --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
+ --dry-run=client \
+ --output yaml |
+ kubectl apply -f -
+
+#
+# Regardless of how the local-user-authenticator is installed, we need the webhook bundle in the environment file.
+#
+webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
+
 #
 # Download the test CA bundle that was generated in the Dex pod.
 # Note that this returns a base64 encoded value.
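Review bot: The relocated `webhook_ca_bundle` lookup still reads `local-user-authenticator-tls-serving-certificate` once with no wait, which is the behaviour the removed TODO called a race, but the TODO itself is dropped. The read now also runs after alternate deploy paths whose timing this script does not control. If the field is not populated yet, an empty value would be written as `PINNIPED_TEST_WEBHOOK_CA_BUNDLE` (whether a missing secret aborts the script depends on shell options not visible in this hunk). Either keep the TODO or fail loudly, for example `[[ -n "$webhook_ca_bundle" ]] || { echo "webhook CA bundle not available yet" >&2; exit 1; }`. The context comment "running it after the above also allows appending to the environment variable file" also looks stale now that `$post_install` no longer receives a file name.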
@@ -452,14 +446,19 @@ test_ca_bundle_pem="$(kubectl get secrets -n tools certs -o go-template='{{index kind_capabilities_file="$pinniped_path/test/cluster_capabilities/kind.yaml" pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file") +env_file_name="/tmp/integration-test-env" -cat <>"$env_file_name" +cat <"$env_file_name" # The following env vars should be set before running 'go test -v -count 1 -timeout 0 ./test/integration' export PINNIPED_TEST_TOOLS_NAMESPACE="tools" export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace} export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name} export PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS='${concierge_custom_labels}' +export PINNIPED_TEST_USER_USERNAME=${test_username} +export PINNIPED_TEST_USER_GROUPS=${test_groups} +export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password} export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url} +export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle} export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace} export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name} export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}' diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh index 9425b50b..ea474eee 100755 --- a/hack/prepare-supervisor-on-kind.sh +++ b/hack/prepare-supervisor-on-kind.sh @@ -51,7 +51,6 @@ use_oidc_upstream=no use_ldap_upstream=no use_ad_upstream=no use_flow="" -env_file_name="" while (("$#")); do case "$1" in --flow) @@ -82,13 +81,6 @@ while (("$#")); do use_ad_upstream=yes shift ;; - --env) - shift - # Use an ActiveDirectoryIdentityProvider. - # This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh. - env_file_name=$1 - shift - ;; -*) log_error "Unsupported flag $1" >&2 exit 1 
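Review bot: The env file is now created by a plain redirect to the fixed path `/tmp/integration-test-env`, so it gets the default umask (commonly world-readable) even though it holds `PINNIPED_TEST_USER_TOKEN`. On a shared host the redirect also writes through whatever file or symlink already exists under that name. The `mktemp /tmp/pinniped.integration.XXXXXXXX` call this commit removes (hunk `-232,10`) produced a fresh, owner-only file, so this is a regression in file handling rather than a neutral simplification. A well-known name is still workable in a per-user directory, e.g. `env_file_name="${XDG_RUNTIME_DIR:-$HOME}/integration-test-env"`, with `umask 077` set before the `cat`. The scripts that `source` the file would need the same path.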
@@ -105,13 +97,8 @@ if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_u
 exit 1
 fi
 
-if [[ "$env_file_name" == "" ]]; then
- log_error "Error: Please provide --env file, typically printed in the output of ./hack/prepare-for-integration-tests.sh"
- exit 1
-fi
-
 # Read the env vars output by hack/prepare-for-integration-tests.sh
-source $env_file_name
+source "/tmp/integration-test-env"
 
 # Choose some filenames.
 root_ca_crt_path=root_ca.crt