Make tilt work with the supervisor app and add more uninstall testing
- Also continue renaming things related to the concierge app - Enhance the uninstall test to also test uninstalling the supervisor and local-user-authenticator apps
This commit is contained in:
parent
72b2d02777
commit
34549b779b
@ -109,7 +109,7 @@ docker build .
|
||||
1. Create a local Kubernetes cluster using `kind`:
|
||||
|
||||
```bash
|
||||
kind create cluster --image kindest/node:v1.18.8
|
||||
./hack/kind-up.sh
|
||||
```
|
||||
|
||||
1. Install Pinniped and supporting dependencies using `tilt`:
|
||||
@ -123,11 +123,11 @@ docker build .
|
||||
1. Run the Pinniped integration tests:
|
||||
|
||||
```bash
|
||||
source ./hack/lib/tilt/integration-test.env && go test -v -count 1 ./test/integration
|
||||
source /tmp/integration-test-env && go test -v -count 1 ./test/integration
|
||||
```
|
||||
|
||||
To uninstall the test environment, run `./hack/tilt-down.sh`.
|
||||
To destroy the local Kubernetes cluster, run `kind delete cluster`.
|
||||
To destroy the local Kubernetes cluster, run `./hack/kind-down.sh`.
|
||||
|
||||
### Observing Tests on the Continuous Integration Environment
|
||||
|
||||
|
@ -4,8 +4,8 @@
|
||||
#@data/values
|
||||
---
|
||||
|
||||
app_name: pinniped
|
||||
namespace: pinniped
|
||||
app_name: pinniped-concierge
|
||||
namespace: pinniped-concierge
|
||||
|
||||
#! Specify how many replicas of the Pinniped server to run.
|
||||
replicas: 2
|
||||
|
11
hack/kind-down.sh
Executable file
11
hack/kind-down.sh
Executable file
@ -0,0 +1,11 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
set -euo pipefail
|
||||
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
||||
|
||||
cd "${ROOT}"
|
||||
|
||||
kind delete cluster --name pinniped
|
12
hack/kind-up.sh
Executable file
12
hack/kind-up.sh
Executable file
@ -0,0 +1,12 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
set -euo pipefail
|
||||
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
||||
|
||||
cd "${ROOT}"
|
||||
|
||||
# To choose a specific version of kube, add this option to the command below: `--image kindest/node:v1.18.8`
|
||||
kind create cluster --config "hack/lib/kind-config/single-node.yaml" --name pinniped
|
@ -15,6 +15,10 @@ local_resource(
|
||||
deps=['../../../cmd', '../../../internal', '../../../pkg', '../../../generated'],
|
||||
)
|
||||
|
||||
#
|
||||
# local-user-authenticator app
|
||||
#
|
||||
|
||||
# Build a container image for local-user-authenticator, with live-update enabled.
|
||||
docker_build_with_restart('image/local-user-auth', '.',
|
||||
dockerfile='local-user-authenticator.Dockerfile',
|
||||
@ -39,59 +43,106 @@ k8s_resource(
|
||||
'local-user-authenticator:namespace',
|
||||
'local-user-authenticator:serviceaccount',
|
||||
'local-user-authenticator:role',
|
||||
'local-user-authenticator:rolebinding',
|
||||
'local-user-authenticator:rolebinding'
|
||||
],
|
||||
)
|
||||
|
||||
# Build a container image for the Pinniped server, with live-update enabled.
|
||||
docker_build_with_restart('image/pinniped', '.',
|
||||
dockerfile='pinniped.Dockerfile',
|
||||
entrypoint=['/usr/local/bin/pinniped-server'],
|
||||
live_update=[sync('./build/pinniped-server', '/usr/local/bin/pinniped-server')],
|
||||
only=['./build/pinniped-server'],
|
||||
#
|
||||
# Supervisor app
|
||||
#
|
||||
|
||||
# Build a container image for supervisor, with live-update enabled.
|
||||
docker_build_with_restart('image/supervisor', '.',
|
||||
dockerfile='supervisor.Dockerfile',
|
||||
entrypoint=['/usr/local/bin/pinniped-supervisor'],
|
||||
live_update=[sync('./build/pinniped-supervisor', '/usr/local/bin/pinniped-supervisor')],
|
||||
only=['./build/pinniped-supervisor'],
|
||||
)
|
||||
|
||||
# Render the Pinniped server installation manifest using ytt.
|
||||
# Render the supervisor installation manifest using ytt.
|
||||
k8s_yaml(local([
|
||||
'ytt',
|
||||
'--file', '../../../deploy/supervisor',
|
||||
'--data-value', 'image_repo=image/supervisor',
|
||||
'--data-value', 'image_tag=tilt-dev',
|
||||
'--data-value-yaml', 'replicas=1'
|
||||
]))
|
||||
|
||||
# Collect all the deployed supervisor resources under a "supervisor" resource tab.
|
||||
k8s_resource(
|
||||
workload='pinniped-supervisor',
|
||||
new_name='supervisor',
|
||||
objects=[
|
||||
'oidcproviderconfigs.config.pinniped.dev:customresourcedefinition',
|
||||
'pinniped-supervisor-static-config:configmap',
|
||||
'pinniped-supervisor:namespace',
|
||||
'pinniped-supervisor:role',
|
||||
'pinniped-supervisor:rolebinding',
|
||||
'pinniped-supervisor:serviceaccount',
|
||||
],
|
||||
)
|
||||
|
||||
# Build a container image for the Concierge server, with live-update enabled.
|
||||
docker_build_with_restart('image/concierge', '.',
|
||||
dockerfile='concierge.Dockerfile',
|
||||
entrypoint=['/usr/local/bin/pinniped-concierge'],
|
||||
live_update=[sync('./build/pinniped-concierge', '/usr/local/bin/pinniped-concierge')],
|
||||
only=['./build/pinniped-concierge'],
|
||||
)
|
||||
|
||||
k8s_yaml('nodeport.yaml')
|
||||
|
||||
#
|
||||
# Concierge app
|
||||
#
|
||||
|
||||
# Render the Concierge server installation manifest using ytt.
|
||||
k8s_yaml(local([
|
||||
'sh', '-c',
|
||||
'ytt --file ../../../deploy/concierge ' +
|
||||
'--data-value app_name=pinniped-concierge ' +
|
||||
'--data-value namespace=integration ' +
|
||||
'--data-value image_repo=image/pinniped ' +
|
||||
'--data-value image_repo=image/concierge ' +
|
||||
'--data-value image_tag=tilt-dev ' +
|
||||
'--data-value kube_cert_agent_image=debian:10.5-slim ' +
|
||||
'--data-value discovery_url=$(TERM=dumb kubectl cluster-info | awk \'/Kubernetes master/ {print $NF}\') ' +
|
||||
'--data-value-yaml replicas=1'
|
||||
]))
|
||||
|
||||
# Collect all the deployed local-user-authenticator resources under a "deploy/pinniped" resource tab.
|
||||
# Collect all the deployed local-user-authenticator resources under a "concierge" resource tab.
|
||||
k8s_resource(
|
||||
workload='pinniped',
|
||||
workload='pinniped-concierge',
|
||||
new_name='concierge',
|
||||
objects=[
|
||||
'integration:namespace',
|
||||
'pinniped-concierge-aggregated-api-server:clusterrole',
|
||||
'pinniped-concierge-aggregated-api-server:clusterrolebinding',
|
||||
'pinniped-concierge-aggregated-api-server:role',
|
||||
'pinniped-concierge-aggregated-api-server:rolebinding',
|
||||
'pinniped-concierge-cluster-info-lister-watcher:role',
|
||||
'pinniped-concierge-cluster-info-lister-watcher:rolebinding',
|
||||
'pinniped-concierge-config:configmap',
|
||||
'pinniped-concierge-create-token-credential-requests:clusterrole',
|
||||
'pinniped-concierge-create-token-credential-requests:clusterrolebinding',
|
||||
'pinniped-concierge-extension-apiserver-authentication-reader:rolebinding',
|
||||
'pinniped-concierge-kube-system-pod-read:role',
|
||||
'pinniped-concierge-kube-system-pod-read:rolebinding',
|
||||
'pinniped-concierge:clusterrolebinding',
|
||||
'pinniped-concierge:serviceaccount',
|
||||
'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
|
||||
'webhookidentityproviders.idp.pinniped.dev:customresourcedefinition',
|
||||
'pinniped:serviceaccount',
|
||||
'pinniped-aggregated-api-server:role',
|
||||
'pinniped-kube-system-pod-read:role',
|
||||
'pinniped-cluster-info-lister-watcher:role',
|
||||
'pinniped-aggregated-api-server:clusterrole',
|
||||
'pinniped-create-token-credential-requests:clusterrole',
|
||||
'pinniped-aggregated-api-server:rolebinding',
|
||||
'pinniped-kube-system-pod-read:rolebinding',
|
||||
'pinniped-extension-apiserver-authentication-reader:rolebinding',
|
||||
'pinniped-cluster-info-lister-watcher:rolebinding',
|
||||
'pinniped-aggregated-api-server:clusterrolebinding',
|
||||
'pinniped-create-token-credential-requests:clusterrolebinding',
|
||||
'pinniped:clusterrolebinding',
|
||||
'pinniped-config:configmap',
|
||||
'v1alpha1.login.pinniped.dev:apiservice',
|
||||
],
|
||||
)
|
||||
|
||||
#
|
||||
# Finish setting up cluster and creating integration test env file
|
||||
#
|
||||
|
||||
# Collect environment variables needed to run our integration test suite.
|
||||
local_resource(
|
||||
'test-env',
|
||||
'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
|
||||
resource_deps=['local-user-auth', 'pinniped'],
|
||||
resource_deps=['local-user-auth', 'concierge', 'supervisor'],
|
||||
deps=['../../prepare-for-integration-tests.sh'],
|
||||
)
|
||||
|
@ -5,10 +5,10 @@
|
||||
FROM debian:10.5-slim
|
||||
|
||||
# Copy the binary which was built outside the container.
|
||||
COPY build/pinniped-server /usr/local/bin/pinniped-server
|
||||
COPY build/pinniped-concierge /usr/local/bin/pinniped-concierge
|
||||
|
||||
# Document the port
|
||||
EXPOSE 443
|
||||
|
||||
# Set the entrypoint
|
||||
ENTRYPOINT ["/usr/local/bin/pinniped-server"]
|
||||
ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
|
13
hack/lib/tilt/nodeport.yaml
Normal file
13
hack/lib/tilt/nodeport.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: pinniped-supervisor-node-port
|
||||
namespace: pinniped-supervisor
|
||||
spec:
|
||||
type: NodePort
|
||||
selector:
|
||||
app: pinniped-supervisor
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 80
|
||||
nodePort: 31234
|
14
hack/lib/tilt/supervisor.Dockerfile
Normal file
14
hack/lib/tilt/supervisor.Dockerfile
Normal file
@ -0,0 +1,14 @@
|
||||
# Copyright 2020 VMware, Inc.
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
# Use a runtime image based on Debian slim
|
||||
FROM debian:10.5-slim
|
||||
|
||||
# Copy the binary which was built outside the container.
|
||||
COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor
|
||||
|
||||
# Document the port
|
||||
EXPOSE 443
|
||||
|
||||
# Set the entrypoint
|
||||
ENTRYPOINT ["/usr/local/bin/pinniped-supervisor"]
|
@ -110,17 +110,17 @@ fi
|
||||
if ! tilt_mode; then
|
||||
if [[ "$clean_kind" == "yes" ]]; then
|
||||
log_note "Deleting running kind clusters to prepare from a clean slate..."
|
||||
kind delete cluster
|
||||
kind delete cluster --name pinniped
|
||||
fi
|
||||
|
||||
#
|
||||
# Setup kind and build the app
|
||||
#
|
||||
log_note "Checking for running kind clusters..."
|
||||
if ! kind get clusters | grep -q -e '^kind$'; then
|
||||
if ! kind get clusters | grep -q -e '^pinniped$'; then
|
||||
log_note "Creating a kind cluster..."
|
||||
# single-node.yaml exposes node port 31234 as localhost:12345
|
||||
kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml"
|
||||
kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml" --name pinniped
|
||||
else
|
||||
if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then
|
||||
log_error "Seems like your kubeconfig is not targeting a local cluster."
|
||||
@ -157,7 +157,7 @@ if ! tilt_mode; then
|
||||
|
||||
# Load it into the cluster
|
||||
log_note "Loading the app's container image into the kind cluster..."
|
||||
kind load docker-image "$registry_repo_tag"
|
||||
kind load docker-image "$registry_repo_tag" --name pinniped
|
||||
|
||||
manifest=/tmp/manifest.yaml
|
||||
|
||||
@ -178,7 +178,6 @@ if ! tilt_mode; then
|
||||
|
||||
fi
|
||||
|
||||
|
||||
test_username="test-username"
|
||||
test_groups="test-group-0,test-group-1"
|
||||
set +o pipefail
|
||||
@ -203,18 +202,19 @@ kubectl create secret generic "$test_username" \
|
||||
supervisor_app_name="pinniped-supervisor"
|
||||
supervisor_namespace="pinniped-supervisor"
|
||||
|
||||
pushd deploy/supervisor >/dev/null
|
||||
if ! tilt_mode; then
|
||||
pushd deploy/supervisor >/dev/null
|
||||
|
||||
log_note "Deploying the Pinniped Supervisor app to the cluster..."
|
||||
ytt --file . \
|
||||
log_note "Deploying the Pinniped Supervisor app to the cluster..."
|
||||
ytt --file . \
|
||||
--data-value "app_name=$supervisor_app_name" \
|
||||
--data-value "namespace=$supervisor_namespace" \
|
||||
--data-value "image_repo=$registry_repo" \
|
||||
--data-value "image_tag=$tag" >"$manifest"
|
||||
|
||||
kapp deploy --yes --app "pinniped-supervisor" --diff-changes --file "$manifest"
|
||||
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
|
||||
|
||||
log_note "Adding NodePort service to expose the Pinniped Supervisor app on the kind node..."
|
||||
log_note "Adding NodePort service to expose the Pinniped Supervisor app on the kind node..."
|
||||
cat <<EOF | kubectl apply -f -
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
@ -231,32 +231,30 @@ spec:
|
||||
nodePort: 31234
|
||||
EOF
|
||||
|
||||
popd >/dev/null
|
||||
popd >/dev/null
|
||||
fi
|
||||
|
||||
#
|
||||
# Deploy Pinniped
|
||||
#
|
||||
app_name="pinniped"
|
||||
namespace="integration"
|
||||
concierge_app_name="pinniped-concierge"
|
||||
concierge_namespace="integration"
|
||||
webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
|
||||
webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
|
||||
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
|
||||
|
||||
if ! tilt_mode; then
|
||||
#
|
||||
# Deploy Pinniped
|
||||
#
|
||||
pushd deploy/concierge >/dev/null
|
||||
|
||||
log_note "Deploying the Pinniped app to the cluster..."
|
||||
ytt --file . \
|
||||
--data-value "app_name=$app_name" \
|
||||
--data-value "namespace=$namespace" \
|
||||
--data-value "app_name=$concierge_app_name" \
|
||||
--data-value "namespace=$concierge_namespace" \
|
||||
--data-value "image_repo=$registry_repo" \
|
||||
--data-value "image_tag=$tag" \
|
||||
--data-value "discovery_url=$discovery_url" >"$manifest"
|
||||
|
||||
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
|
||||
kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
|
||||
|
||||
popd >/dev/null
|
||||
fi
|
||||
@ -269,8 +267,8 @@ pinniped_cluster_capability_file_content=$(cat "$kind_capabilities_file")
|
||||
|
||||
cat <<EOF >/tmp/integration-test-env
|
||||
# The following env vars should be set before running 'go test -v -count 1 ./test/...'
|
||||
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${namespace}
|
||||
export PINNIPED_TEST_CONCIERGE_APP_NAME=${app_name}
|
||||
export PINNIPED_TEST_CONCIERGE_NAMESPACE=${concierge_namespace}
|
||||
export PINNIPED_TEST_CONCIERGE_APP_NAME=${concierge_app_name}
|
||||
export PINNIPED_TEST_USER_USERNAME=${test_username}
|
||||
export PINNIPED_TEST_USER_GROUPS=${test_groups}
|
||||
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
|
||||
@ -304,6 +302,7 @@ log_note
|
||||
if ! tilt_mode; then
|
||||
log_note "You can rerun this script to redeploy local production code changes while you are working."
|
||||
log_note
|
||||
log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'."
|
||||
log_note "When you're finished, use 'kind delete cluster' to tear down the cluster."
|
||||
log_note "To delete the deployments, run:"
|
||||
log_note " kapp delete -a local-user-authenticator -y && kapp delete -a $concierge_app_name -y && kapp delete -a $supervisor_app_name -y"
|
||||
log_note "When you're finished, use 'kind delete cluster --name pinniped' to tear down the cluster."
|
||||
fi
|
||||
|
@ -5,5 +5,7 @@
|
||||
|
||||
set -euo pipefail
|
||||
ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
|
||||
|
||||
cd "${ROOT}"
|
||||
exec tilt up -f ./hack/lib/tilt/Tiltfile --stream
|
||||
|
||||
exec tilt up -f ./hack/lib/tilt/Tiltfile
|
||||
|
@ -32,7 +32,7 @@ func TestFromPath(t *testing.T) {
|
||||
durationSeconds: 3600
|
||||
renewBeforeSeconds: 2400
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
apiService: pinniped-api
|
||||
kubeCertAgentPrefix: kube-cert-agent-prefix
|
||||
@ -52,7 +52,7 @@ func TestFromPath(t *testing.T) {
|
||||
},
|
||||
},
|
||||
NamesConfig: api.NamesConfigSpec{
|
||||
ServingCertificateSecret: "pinniped-api-tls-serving-certificate",
|
||||
ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate",
|
||||
CredentialIssuerConfig: "pinniped-config",
|
||||
APIService: "pinniped-api",
|
||||
},
|
||||
@ -68,7 +68,7 @@ func TestFromPath(t *testing.T) {
|
||||
yaml: here.Doc(`
|
||||
---
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
apiService: pinniped-api
|
||||
`),
|
||||
@ -83,7 +83,7 @@ func TestFromPath(t *testing.T) {
|
||||
},
|
||||
},
|
||||
NamesConfig: api.NamesConfigSpec{
|
||||
ServingCertificateSecret: "pinniped-api-tls-serving-certificate",
|
||||
ServingCertificateSecret: "pinniped-concierge-api-tls-serving-certificate",
|
||||
CredentialIssuerConfig: "pinniped-config",
|
||||
APIService: "pinniped-api",
|
||||
},
|
||||
@ -103,7 +103,7 @@ func TestFromPath(t *testing.T) {
|
||||
yaml: here.Doc(`
|
||||
---
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
`),
|
||||
wantError: "validate names: missing required names: apiService",
|
||||
@ -113,7 +113,7 @@ func TestFromPath(t *testing.T) {
|
||||
yaml: here.Doc(`
|
||||
---
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
apiService: pinniped-api
|
||||
`),
|
||||
wantError: "validate names: missing required names: credentialIssuerConfig",
|
||||
@ -137,7 +137,7 @@ func TestFromPath(t *testing.T) {
|
||||
durationSeconds: 2400
|
||||
renewBeforeSeconds: 3600
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
apiService: pinniped-api
|
||||
`),
|
||||
@ -152,7 +152,7 @@ func TestFromPath(t *testing.T) {
|
||||
durationSeconds: 2400
|
||||
renewBeforeSeconds: -10
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
apiService: pinniped-api
|
||||
`),
|
||||
@ -167,7 +167,7 @@ func TestFromPath(t *testing.T) {
|
||||
durationSeconds: 2400
|
||||
renewBeforeSeconds: -10
|
||||
names:
|
||||
servingCertificateSecret: pinniped-api-tls-serving-certificate
|
||||
servingCertificateSecret: pinniped-concierge-api-tls-serving-certificate
|
||||
credentialIssuerConfig: pinniped-config
|
||||
apiService: pinniped-api
|
||||
`),
|
||||
|
@ -20,8 +20,7 @@ import (
|
||||
|
||||
func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
|
||||
env := library.IntegrationEnv(t)
|
||||
|
||||
const defaultServingCertResourceName = "pinniped-api-tls-serving-certificate"
|
||||
defaultServingCertResourceName := env.ConciergeAppName + "-api-tls-serving-certificate"
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
|
Loading…
Reference in New Issue
Block a user