diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index cc4d44d5..e657e967 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -19,23 +19,25 @@ local_resource(
 )
 
 #####################################################################################################
-# Dex
+# Test IDP (Dex + cert generation + squid proxy)
 #
-# Render the Dex installation manifest using ytt.
+# Render the IDP installation manifest using ytt.
 k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex']))
 
 # Tell tilt to watch all of those files for changes.
 watch_file('../../../test/deploy/dex')
 
-# Collect all the deployed Dex resources under a "dex" resource tab.
-k8s_resource(
- workload='dex', # this is the deployment name
- objects=[
- # these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
- 'dex:namespace',
- 'dex-config:configmap',
- ],
-)
+k8s_resource(objects=['dex:namespace'], new_name='dex-ns')
+k8s_resource(workload='cert-issuer', resource_deps=['dex-ns'], objects=[
+ 'cert-issuer:serviceaccount',
+ 'cert-issuer:role',
+ 'cert-issuer:rolebinding',
+])
+k8s_resource(workload='proxy', resource_deps=['dex-ns'])
+k8s_resource(workload='dex', resource_deps=['dex-ns', 'cert-issuer'], objects=[
+ 'dex-config:configmap',
+])
+
 
 #####################################################################################################
 # Local-user-authenticator app
@@ -186,6 +188,6 @@ k8s_resource(
 local_resource(
 'test-env',
 'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
- resource_deps=['local-user-auth', 'concierge', 'supervisor'],
+ resource_deps=['local-user-auth', 'concierge', 'supervisor', 'dex', 'proxy'],
 deps=['../../prepare-for-integration-tests.sh'],
 )
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 89b7f2f8..09155dbb 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
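Review bot: The new `k8s_resource` calls drop the comment the removed block carried about why `dex:namespace` and `dex-config:configmap` are listed, and nothing explains the ordering that the `resource_deps` encode. Since `dex` now consumes the `certs` Secret written by the `cert-issuer` Job while `proxy` only needs the namespace, a short comment above the group would save the next reader a trip into `test/deploy/dex`: `# The cert-issuer Job writes the "certs" Secret that the dex Deployment mounts, so dex waits for it; proxy only needs the namespace.` The `objects=` lists also deserve the removed one-liner, e.g. `# objects that would otherwise land in the "uncategorized" tab of the tilt UI`.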
@@ -268,7 +268,7 @@ fi
 #
 # Download the test CA bundle that was generated in the Dex pod.
 #
-test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)"
+test_ca_bundle_pem="$(kubectl get secrets -n dex certs -o go-template='{{index .data "ca.pem" | base64decode}}')"
 
 #
 # Create the environment file
diff --git a/test/deploy/dex/cert-issuer.yaml b/test/deploy/dex/cert-issuer.yaml
new file mode 100644
index 00000000..86eecc72
--- /dev/null
+++ b/test/deploy/dex/cert-issuer.yaml
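Review bot: `test_ca_bundle_pem` is assigned from a command substitution whose exit status is discarded, so if the `certs` Secret does not exist yet (the `cert-issuer` Job has not completed) the variable is silently empty and the environment file is written with an empty CA bundle, unless the script runs under `set -e`, which is outside this hunk. A guard right after the assignment fails fast: `if [[ -z "$test_ca_bundle_pem" ]]; then echo "ERROR: Secret dex/certs has no ca.pem" >&2; exit 1; fi`. Under Tilt the `resource_deps` added to `test-env` order this correctly, but the `TILT_MODE=yes` override suggests the script also runs outside Tilt, where `kubectl wait --for=condition=complete -n dex job/cert-issuer` before the read would provide the same ordering. The comment above still says the bundle `was generated in the Dex pod`, which is no longer where it comes from.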
@@ -0,0 +1,101 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-issuer
+ namespace: dex
+ labels:
+ app: cert-issuer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-issuer
+ namespace: dex
+ labels:
+ app: cert-issuer
+rules:
+ - apiGroups: [""]
+ resources: [secrets]
+ verbs: [create, get, patch, update, watch, delete]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cert-issuer
+ namespace: dex
+ labels:
+ app: cert-issuer
+subjects:
+ - kind: ServiceAccount
+ name: cert-issuer
+ namespace: dex
+roleRef:
+ kind: Role
+ name: cert-issuer
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: cert-issuer
+ namespace: dex
+ labels:
+ app: cert-issuer
+spec:
+ template:
+ spec:
+ serviceAccountName: cert-issuer
+ initContainers:
+ - name: generate-certs
+ image: cfssl/cfssl:1.5.0
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/bash"]
+ args:
+ - -c
+ - |
+ cd /var/certs
+ cfssl print-defaults config > /tmp/cfssl-default.json
+ echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json
+
+ echo "generating CA key..."
+ cfssl genkey \
+ -config /tmp/cfssl-default.json \
+ -initca /tmp/csr.json \
+ | cfssljson -bare ca
+
+ echo "generating Dex server certificate..."
+ cfssl gencert \
+ -ca ca.pem -ca-key ca-key.pem \
+ -config /tmp/cfssl-default.json \
+ -profile www \
+ -cn "dex.dex.svc.cluster.local" \
+ -hostname "dex.dex.svc.cluster.local" \
+ /tmp/csr.json \
+ | cfssljson -bare dex
+
+ chmod -R 777 /var/certs
+
+ echo "generated certificates:"
+ ls -l /var/certs
+ volumeMounts:
+ - name: certs
+ mountPath: /var/certs
+ containers:
+ - name: save-certs
+ image: bitnami/kubectl
+ command: ["/bin/bash"]
+ args:
+ - -c
+ - |
+ kubectl get secrets -n dex certs -o jsonpath='created: {.metadata.creationTimestamp}' || \
+ kubectl create secret generic certs --from-file=/var/certs
+ volumeMounts:
+ - name: certs
+ mountPath: /var/certs
+ volumes:
+ - name: certs
+ emptyDir: {}
+ restartPolicy: Never
\ No newline at end of file
diff --git a/test/deploy/dex/dex.yaml b/test/deploy/dex/dex.yaml
index 6372d49a..274fdf27 100644
--- a/test/deploy/dex/dex.yaml
+++ b/test/deploy/dex/dex.yaml
@@ -69,36 +69,6 @@ spec:
 annotations:
 dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
 spec:
- initContainers:
- - name: generate-certs
- image: cfssl/cfssl:1.5.0
- imagePullPolicy: IfNotPresent
- command: ["/bin/bash"]
- args:
- - -c
- - |
- cd /var/certs
- cfssl print-defaults config > /tmp/cfssl-default.json
- echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
-
- echo "generating CA key..."
- cfssl genkey \
- -config /tmp/cfssl-default.json \
- -initca csr.json \
- | cfssljson -bare ca
-
- echo "generating Dex server certificate..."
- cfssl gencert \
- -ca ca.pem -ca-key ca-key.pem \
- -config /tmp/cfssl-default.json \
- -profile www \
- -cn "dex.dex.svc.cluster.local" \
- -hostname "dex.dex.svc.cluster.local" \
- csr.json \
- | cfssljson -bare dex
- volumeMounts:
- - name: certs
- mountPath: /var/certs
 containers:
 - name: dex
 image: quay.io/dexidp/dex:v2.10.0
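Review bot: `kubectl create secret generic certs --from-file=/var/certs` packs every file in the directory into the Secret, including `ca-key.pem` and the `.csr` files, and the `dex.yaml` hunk below then mounts that whole Secret into the Dex pod, so the test CA's signing key ends up inside Dex even though only `ca.pem`, `dex.pem` and `dex-key.pem` appear to be consumed anywhere in this diff. Naming the files explicitly, `--from-file=ca.pem=/var/certs/ca.pem --from-file=dex.pem=/var/certs/dex.pem --from-file=dex-key.pem=/var/certs/dex-key.pem`, keeps the CA key confined to the Job (unless something outside this diff reads it from the Secret). The Role also grants `patch, update, watch, delete` on all secrets in the namespace while `save-certs` only does `get` and `create`; `verbs: [create, get]` matches the actual use. `chmod -R 777 /var/certs` makes the private keys world-writable inside the emptyDir; if the intent is that `bitnami/kubectl` runs as a non-root user, `chmod -R a+r /var/certs` (or a pod-level `fsGroup`) gives it read access without that.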
@@ -121,7 +91,8 @@ spec:
 configMap:
 name: dex-config
 - name: certs
- emptyDir: {}
+ secret:
+ secretName: certs
 ---
 apiVersion: v1
 kind: Service
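Review bot: The `certs` Secret is projected with the volume's default file mode (0644), so `dex-key.pem` is readable by every user inside the Dex container, not only the Dex process. Adding `defaultMode: 0400` (or `0440` together with a pod-level `fsGroup`) under `secret:` tightens this, provided Dex runs as the owning user, which cannot be confirmed from this hunk since the rest of the pod spec is outside it.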