From 34549b779bd44c22788dc2f4cbaaa1207e439345 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Fri, 9 Oct 2020 14:25:34 -0700 Subject: [PATCH] Make tilt work with the supervisor app and add more uninstall testing - Also continue renaming things related to the concierge app - Enhance the uninstall test to also test uninstalling the supervisor and local-user-authenticator apps --- CONTRIBUTING.md | 6 +- deploy/concierge/values.yaml | 4 +- hack/kind-down.sh | 11 ++ hack/kind-up.sh | 12 ++ hack/lib/tilt/Tiltfile | 103 +++++++++++++----- ...nniped.Dockerfile => concierge.Dockerfile} | 4 +- hack/lib/tilt/nodeport.yaml | 13 +++ hack/lib/tilt/supervisor.Dockerfile | 14 +++ hack/prepare-for-integration-tests.sh | 53 +++++---- hack/tilt-up.sh | 4 +- pkg/config/config_test.go | 18 +-- .../concierge_api_serving_certs_test.go | 3 +- ...ery_test.go => kube_api_discovery_test.go} | 0 13 files changed, 173 insertions(+), 72 deletions(-) create mode 100755 hack/kind-down.sh create mode 100755 hack/kind-up.sh rename hack/lib/tilt/{pinniped.Dockerfile => concierge.Dockerfile} (68%) create mode 100644 hack/lib/tilt/nodeport.yaml create mode 100644 hack/lib/tilt/supervisor.Dockerfile rename test/integration/{concierge_api_discovery_test.go => kube_api_discovery_test.go} (100%) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 29e4d7ce..553a8745 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -109,7 +109,7 @@ docker build . 1. Create a local Kubernetes cluster using `kind`: ```bash - kind create cluster --image kindest/node:v1.18.8 + ./hack/kind-up.sh ``` 1. Install Pinniped and supporting dependencies using `tilt`: @@ -123,11 +123,11 @@ docker build . 1. Run the Pinniped integration tests: ```bash - source ./hack/lib/tilt/integration-test.env && go test -v -count 1 ./test/integration + source /tmp/integration-test-env && go test -v -count 1 ./test/integration ``` To uninstall the test environment, run `./hack/tilt-down.sh`. -To destroy the local Kubernetes cluster, run `kind delete cluster`. +To destroy the local Kubernetes cluster, run `./hack/kind-down.sh`. ### Observing Tests on the Continuous Integration Environment diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml index 0a25f7ee..49271f0f 100644 --- a/deploy/concierge/values.yaml +++ b/deploy/concierge/values.yaml @@ -4,8 +4,8 @@ #@data/values --- -app_name: pinniped -namespace: pinniped +app_name: pinniped-concierge +namespace: pinniped-concierge #! Specify how many replicas of the Pinniped server to run. replicas: 2 diff --git a/hack/kind-down.sh b/hack/kind-down.sh new file mode 100755 index 00000000..7c96dca8 --- /dev/null +++ b/hack/kind-down.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Copyright 2020 the Pinniped contributors. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail +ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" + +cd "${ROOT}" + +kind delete cluster --name pinniped diff --git a/hack/kind-up.sh b/hack/kind-up.sh new file mode 100755 index 00000000..72da2d6d --- /dev/null +++ b/hack/kind-up.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +# Copyright 2020 the Pinniped contributors. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail +ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" + +cd "${ROOT}" + +# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.18.8` +kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile index 16b77077..be2c8792 100644 --- a/hack/lib/tilt/Tiltfile +++ b/hack/lib/tilt/Tiltfile @@ -15,6 +15,10 @@ local_resource( deps=['../../../cmd', '../../../internal', '../../../pkg', '../../../generated'], ) +# +# local-user-authenticator app +# + # Build a container image for local-user-authenticator, with live-update enabled. docker_build_with_restart('image/local-user-auth', '.', dockerfile='local-user-authenticator.Dockerfile', @@ -39,59 +43,106 @@ k8s_resource( 'local-user-authenticator:namespace', 'local-user-authenticator:serviceaccount', 'local-user-authenticator:role', - 'local-user-authenticator:rolebinding', + 'local-user-authenticator:rolebinding' ], ) -# Build a container image for the Pinniped server, with live-update enabled. -docker_build_with_restart('image/pinniped', '.', - dockerfile='pinniped.Dockerfile', - entrypoint=['/usr/local/bin/pinniped-server'], - live_update=[sync('./build/pinniped-server', '/usr/local/bin/pinniped-server')], - only=['./build/pinniped-server'], +# +# Supervisor app +# + +# Build a container image for supervisor, with live-update enabled. +docker_build_with_restart('image/supervisor', '.', + dockerfile='supervisor.Dockerfile', + entrypoint=['/usr/local/bin/pinniped-supervisor'], + live_update=[sync('./build/pinniped-supervisor', '/usr/local/bin/pinniped-supervisor')], + only=['./build/pinniped-supervisor'], ) -# Render the Pinniped server installation manifest using ytt. +# Render the supervisor installation manifest using ytt. +k8s_yaml(local([ + 'ytt', + '--file', '../../../deploy/supervisor', + '--data-value', 'image_repo=image/supervisor', + '--data-value', 'image_tag=tilt-dev', + '--data-value-yaml', 'replicas=1' +])) + +# Collect all the deployed supervisor resources under a "supervisor" resource tab. +k8s_resource( + workload='pinniped-supervisor', + new_name='supervisor', + objects=[ + 'oidcproviderconfigs.config.pinniped.dev:customresourcedefinition', + 'pinniped-supervisor-static-config:configmap', + 'pinniped-supervisor:namespace', + 'pinniped-supervisor:role', + 'pinniped-supervisor:rolebinding', + 'pinniped-supervisor:serviceaccount', + ], +) + +# Build a container image for the Concierge server, with live-update enabled. +docker_build_with_restart('image/concierge', '.', + dockerfile='concierge.Dockerfile', + entrypoint=['/usr/local/bin/pinniped-concierge'], + live_update=[sync('./build/pinniped-concierge', '/usr/local/bin/pinniped-concierge')], + only=['./build/pinniped-concierge'], +) + +k8s_yaml('nodeport.yaml') + +# +# Concierge app +# + +# Render the Concierge server installation manifest using ytt. k8s_yaml(local([ 'sh', '-c', 'ytt --file ../../../deploy/concierge ' + + '--data-value app_name=pinniped-concierge ' + '--data-value namespace=integration ' + - '--data-value image_repo=image/pinniped ' + + '--data-value image_repo=image/concierge ' + '--data-value image_tag=tilt-dev ' + '--data-value kube_cert_agent_image=debian:10.5-slim ' + '--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' + '--data-value-yaml replicas=1' ])) -# Collect all the deployed local-user-authenticator resources under a "deploy/pinniped" resource tab. +# Collect all the deployed local-user-authenticator resources under a "concierge" resource tab. k8s_resource( - workload='pinniped', + workload='pinniped-concierge', + new_name='concierge', objects=[ 'integration:namespace', + 'pinniped-concierge-aggregated-api-server:clusterrole', + 'pinniped-concierge-aggregated-api-server:clusterrolebinding', + 'pinniped-concierge-aggregated-api-server:role', + 'pinniped-concierge-aggregated-api-server:rolebinding', + 'pinniped-concierge-cluster-info-lister-watcher:role', + 'pinniped-concierge-cluster-info-lister-watcher:rolebinding', + 'pinniped-concierge-config:configmap', + 'pinniped-concierge-create-token-credential-requests:clusterrole', + 'pinniped-concierge-create-token-credential-requests:clusterrolebinding', + 'pinniped-concierge-extension-apiserver-authentication-reader:rolebinding', + 'pinniped-concierge-kube-system-pod-read:role', + 'pinniped-concierge-kube-system-pod-read:rolebinding', + 'pinniped-concierge:clusterrolebinding', + 'pinniped-concierge:serviceaccount', 'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition', 'webhookidentityproviders.idp.pinniped.dev:customresourcedefinition', - 'pinniped:serviceaccount', - 'pinniped-aggregated-api-server:role', - 'pinniped-kube-system-pod-read:role', - 'pinniped-cluster-info-lister-watcher:role', - 'pinniped-aggregated-api-server:clusterrole', - 'pinniped-create-token-credential-requests:clusterrole', - 'pinniped-aggregated-api-server:rolebinding', - 'pinniped-kube-system-pod-read:rolebinding', - 'pinniped-extension-apiserver-authentication-reader:rolebinding', - 'pinniped-cluster-info-lister-watcher:rolebinding', - 'pinniped-aggregated-api-server:clusterrolebinding', - 'pinniped-create-token-credential-requests:clusterrolebinding', - 'pinniped:clusterrolebinding', - 'pinniped-config:configmap', 'v1alpha1.login.pinniped.dev:apiservice', ], ) +# +# Finish setting up cluster and creating integration test env file +# + # Collect environment variables needed to run our integration test suite. local_resource( 'test-env', 'TILT_MODE=yes ../../prepare-for-integration-tests.sh', - resource_deps=['local-user-auth', 'pinniped'], + resource_deps=['local-user-auth', 'concierge', 'supervisor'], deps=['../../prepare-for-integration-tests.sh'], ) diff --git a/hack/lib/tilt/pinniped.Dockerfile b/hack/lib/tilt/concierge.Dockerfile similarity index 68% rename from hack/lib/tilt/pinniped.Dockerfile rename to hack/lib/tilt/concierge.Dockerfile index 8bbc4d13..3ddf4033 100644 --- a/hack/lib/tilt/pinniped.Dockerfile +++ b/hack/lib/tilt/concierge.Dockerfile @@ -5,10 +5,10 @@ FROM debian:10.5-slim # Copy the binary which was built outside the container. -COPY build/pinniped-server /usr/local/bin/pinniped-server +COPY build/pinniped-concierge /usr/local/bin/pinniped-concierge # Document the port EXPOSE 443 # Set the entrypoint -ENTRYPOINT ["/usr/local/bin/pinniped-server"] +ENTRYPOINT ["/usr/local/bin/pinniped-concierge"] diff --git a/hack/lib/tilt/nodeport.yaml b/hack/lib/tilt/nodeport.yaml new file mode 100644 index 00000000..ddad9325 --- /dev/null +++ b/hack/lib/tilt/nodeport.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: pinniped-supervisor-node-port + namespace: pinniped-supervisor +spec: + type: NodePort + selector: + app: pinniped-supervisor + ports: + - port: 80 + targetPort: 80 + nodePort: 31234 diff --git a/hack/lib/tilt/supervisor.Dockerfile b/hack/lib/tilt/supervisor.Dockerfile new file mode 100644 index 00000000..22d7e204 --- /dev/null +++ b/hack/lib/tilt/supervisor.Dockerfile @@ -0,0 +1,14 @@ +# Copyright 2020 VMware, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# Use a runtime image based on Debian slim +FROM debian:10.5-slim + +# Copy the binary which was built outside the container. +COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor + +# Document the port +EXPOSE 443 + +# Set the entrypoint +ENTRYPOINT ["/usr/local/bin/pinniped-supervisor"] diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index f792ce24..bf7c299d 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -110,17 +110,17 @@ fi if ! tilt_mode; then if [[ "$clean_kind" == "yes" ]]; then log_note "Deleting running kind clusters to prepare from a clean slate..." - kind delete cluster + kind delete cluster --name pinniped fi # # Setup kind and build the app # log_note "Checking for running kind clusters..." - if ! kind get clusters | grep -q -e '^kind$'; then + if ! kind get clusters | grep -q -e '^pinniped$'; then log_note "Creating a kind cluster..." # single-node.yaml exposes node port 31234 as localhost:12345 - kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml" + kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml" --name pinniped else if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then log_error "Seems like your kubeconfig is not targeting a local cluster." @@ -157,7 +157,7 @@ if ! tilt_mode; then # Load it into the cluster log_note "Loading the app's container image into the kind cluster..." - kind load docker-image "$registry_repo_tag" + kind load docker-image "$registry_repo_tag" --name pinniped manifest=/tmp/manifest.yaml @@ -178,7 +178,6 @@ if ! tilt_mode; then fi - test_username="test-username" test_groups="test-group-0,test-group-1" set +o pipefail @@ -203,18 +202,19 @@ kubectl create secret generic "$test_username" \ supervisor_app_name="pinniped-supervisor" supervisor_namespace="pinniped-supervisor" -pushd deploy/supervisor >/dev/null +if ! tilt_mode; then + pushd deploy/supervisor >/dev/null -log_note "Deploying the Pinniped Supervisor app to the cluster..." -ytt --file . \ - --data-value "app_name=$supervisor_app_name" \ - --data-value "namespace=$supervisor_namespace" \ - --data-value "image_repo=$registry_repo" \ - --data-value "image_tag=$tag" >"$manifest" + log_note "Deploying the Pinniped Supervisor app to the cluster..." + ytt --file . \ + --data-value "app_name=$supervisor_app_name" \ + --data-value "namespace=$supervisor_namespace" \ + --data-value "image_repo=$registry_repo" \ + --data-value "image_tag=$tag" >"$manifest" -kapp deploy --yes --app "pinniped-supervisor" --diff-changes --file "$manifest" + kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest" -log_note "Adding NodePort service to expose the Pinniped Supervisor app on the kind node..." + log_note "Adding NodePort service to expose the Pinniped Supervisor app on the kind node..." cat </dev/null + popd >/dev/null +fi # # Deploy Pinniped # -app_name="pinniped" -namespace="integration" +concierge_app_name="pinniped-concierge" +concierge_namespace="integration" webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" if ! tilt_mode; then - # - # Deploy Pinniped - # pushd deploy/concierge >/dev/null log_note "Deploying the Pinniped app to the cluster..." ytt --file . \ - --data-value "app_name=$app_name" \ - --data-value "namespace=$namespace" \ + --data-value "app_name=$concierge_app_name" \ + --data-value "namespace=$concierge_namespace" \ --data-value "image_repo=$registry_repo" \ --data-value "image_tag=$tag" \ --data-value "discovery_url=$discovery_url" >"$manifest" - kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" + kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest" popd >/dev/null fi @@ -269,8 +267,8 @@ pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file") cat </tmp/integration-test-env # The following env vars should be set before running 'go test -v -count 1 ./test/...' -export PINNIPED_TEST_CONCIERGE_NAMESPACE=${namespace} -export PINNIPED_TEST_CONCIERGE_APP_NAME=${app_name} +export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace} +export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name} export PINNIPED_TEST_USER_USERNAME=${test_username} export PINNIPED_TEST_USER_GROUPS=${test_groups} export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password} @@ -304,6 +302,7 @@ log_note if ! tilt_mode; then log_note "You can rerun this script to redeploy local production code changes while you are working." log_note - log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'." - log_note "When you're finished, use 'kind delete cluster' to tear down the cluster." + log_note "To delete the deployments, run:" + log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y" + log_note "When you're finished, use 'kind delete cluster --name pinniped' to tear down the cluster." fi diff --git a/hack/tilt-up.sh b/hack/tilt-up.sh index acbf5a3f..85a7b8e4 100755 --- a/hack/tilt-up.sh +++ b/hack/tilt-up.sh @@ -5,5 +5,7 @@ set -euo pipefail ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" + cd "${ROOT}" -exec tilt up -f ./hack/lib/tilt/Tiltfile --stream + +exec tilt up -f ./hack/lib/tilt/Tiltfile diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index c641c515..8f9dd202 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -32,7 +32,7 @@ func TestFromPath(t *testing.T) { durationSeconds: 3600 renewBeforeSeconds: 2400 names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config apiService: pinniped-api kubeCertAgentPrefix: kube-cert-agent-prefix @@ -52,7 +52,7 @@ func TestFromPath(t *testing.T) { }, }, NamesConfig: api.NamesConfigSpec{ - ServingCertificateSecret: "pinniped-api-tls-serving-certificate", + ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate", CredentialIssuerConfig: "pinniped-config", APIService: "pinniped-api", }, @@ -68,7 +68,7 @@ func TestFromPath(t *testing.T) { yaml: here.Doc(` --- names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config apiService: pinniped-api `), @@ -83,7 +83,7 @@ func TestFromPath(t *testing.T) { }, }, NamesConfig: api.NamesConfigSpec{ - ServingCertificateSecret: "pinniped-api-tls-serving-certificate", + ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate", CredentialIssuerConfig: "pinniped-config", APIService: "pinniped-api", }, @@ -103,7 +103,7 @@ func TestFromPath(t *testing.T) { yaml: here.Doc(` --- names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config `), wantError: "validate names: missing required names: apiService", @@ -113,7 +113,7 @@ func TestFromPath(t *testing.T) { yaml: here.Doc(` --- names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate apiService: pinniped-api `), wantError: "validate names: missing required names: credentialIssuerConfig", @@ -137,7 +137,7 @@ func TestFromPath(t *testing.T) { durationSeconds: 2400 renewBeforeSeconds: 3600 names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config apiService: pinniped-api `), @@ -152,7 +152,7 @@ func TestFromPath(t *testing.T) { durationSeconds: 2400 renewBeforeSeconds: -10 names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config apiService: pinniped-api `), @@ -167,7 +167,7 @@ func TestFromPath(t *testing.T) { durationSeconds: 2400 renewBeforeSeconds: -10 names: - servingCertificateSecret: pinniped-api-tls-serving-certificate + servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate credentialIssuerConfig: pinniped-config apiService: pinniped-api `), diff --git a/test/integration/concierge_api_serving_certs_test.go b/test/integration/concierge_api_serving_certs_test.go index 42fb8d75..94f40e12 100644 --- a/test/integration/concierge_api_serving_certs_test.go +++ b/test/integration/concierge_api_serving_certs_test.go @@ -20,8 +20,7 @@ import ( func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) { env := library.IntegrationEnv(t) - - const defaultServingCertResourceName = "pinniped-api-tls-serving-certificate" + defaultServingCertResourceName := env.ConciergeAppName + "-api-tls-serving-certificate" tests := []struct { name string diff --git a/test/integration/concierge_api_discovery_test.go b/test/integration/kube_api_discovery_test.go similarity index 100% rename from test/integration/concierge_api_discovery_test.go rename to test/integration/kube_api_discovery_test.go