Merge pull request #223 from mattmoyer/refactor-cert-gen

Refactor certificate generation for integration test Dex.
Matt Moyer 2020-11-17 12:45:20 -06:00 committed by GitHub
commit 428b9f2758
4 changed files with 118 additions and 44 deletions


@ -19,23 +19,25 @@ local_resource(
) )
##################################################################################################### #####################################################################################################
# Dex # Test IDP (Dex + cert generation + squid proxy)
# #
# Render the Dex installation manifest using ytt. # Render the IDP installation manifest using ytt.
k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex'])) k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex']))
# Tell tilt to watch all of those files for changes. # Tell tilt to watch all of those files for changes.
watch_file('../../../test/deploy/dex') watch_file('../../../test/deploy/dex')
# Collect all the deployed Dex resources under a "dex" resource tab. k8s_resource(objects=['dex:namespace'], new_name='dex-ns')
k8s_resource( k8s_resource(workload='cert-issuer', resource_deps=['dex-ns'], objects=[
workload='dex', # this is the deployment name 'cert-issuer:serviceaccount',
objects=[ 'cert-issuer:role',
# these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI 'cert-issuer:rolebinding',
'dex:namespace', ])
k8s_resource(workload='proxy', resource_deps=['dex-ns'])
k8s_resource(workload='dex', resource_deps=['dex-ns', 'cert-issuer'], objects=[
'dex-config:configmap', 'dex-config:configmap',
], ])
)
##################################################################################################### #####################################################################################################
# Local-user-authenticator app # Local-user-authenticator app
@ -186,6 +188,6 @@ k8s_resource(
local_resource( local_resource(
'test-env', 'test-env',
'TILT_MODE=yes ../../prepare-for-integration-tests.sh', 'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
resource_deps=['local-user-auth', 'concierge', 'supervisor'], resource_deps=['local-user-auth', 'concierge', 'supervisor', 'dex', 'proxy'],
deps=['../../prepare-for-integration-tests.sh'], deps=['../../prepare-for-integration-tests.sh'],
) )
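Review bot: The new `dex` resource's dependency on `cert-issuer` is left unexplained, while the old comment describing the resource grouping was dropped; a one-line comment such as `# Dex mounts the 'certs' secret, so the cert-issuer Job must finish before the Dex deployment starts.` above the `k8s_resource(workload='dex', ...)` line would make the ordering requirement explicit. Whether Tilt treats a Job workload as ready only on completion rather than on pod start decides if this dependency really keeps Dex from starting with a missing secret, which is worth confirming. The `proxy` resource depends only on `dex-ns`; if it also relies on the generated certificates it should carry the same `cert-issuer` dependency.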


@ -268,7 +268,7 @@ fi
# #
# Download the test CA bundle that was generated in the Dex pod. # Download the test CA bundle that was generated in the Dex pod.
# #
test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)" test_ca_bundle_pem="$(kubectl get secrets -n dex certs -o go-template='{{index .data "ca.pem" | base64decode}}')"
# #
# Create the environment file # Create the environment file
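Review bot: The comment above the changed line still says the CA bundle was "generated in the Dex pod", but it is now read from the `certs` Secret written by the cert-issuer Job; update it to `# Download the test CA bundle that the cert-issuer Job stored in the "certs" secret.` The go-template yields an empty string if the secret exists but has no `ca.pem` key, and whether a failed `kubectl` aborts the script depends on `set -e` being in effect outside this hunk, so a guard such as `[[ -n "$test_ca_bundle_pem" ]] || { echo "missing ca.pem in dex/certs secret" >&2; exit 1; }` right after the assignment is cheap insurance against writing an environment file with an empty CA bundle.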


@ -0,0 +1,101 @@
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-issuer
namespace: dex
labels:
app: cert-issuer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-issuer
namespace: dex
labels:
app: cert-issuer
rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, patch, update, watch, delete]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-issuer
namespace: dex
labels:
app: cert-issuer
subjects:
- kind: ServiceAccount
name: cert-issuer
namespace: dex
roleRef:
kind: Role
name: cert-issuer
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: cert-issuer
namespace: dex
labels:
app: cert-issuer
spec:
template:
spec:
serviceAccountName: cert-issuer
initContainers:
- name: generate-certs
image: cfssl/cfssl:1.5.0
imagePullPolicy: IfNotPresent
command: ["/bin/bash"]
args:
- -c
- |
cd /var/certs
cfssl print-defaults config > /tmp/cfssl-default.json
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json
echo "generating CA key..."
cfssl genkey \
-config /tmp/cfssl-default.json \
-initca /tmp/csr.json \
| cfssljson -bare ca
echo "generating Dex server certificate..."
cfssl gencert \
-ca ca.pem -ca-key ca-key.pem \
-config /tmp/cfssl-default.json \
-profile www \
-cn "dex.dex.svc.cluster.local" \
-hostname "dex.dex.svc.cluster.local" \
/tmp/csr.json \
| cfssljson -bare dex
chmod -R 777 /var/certs
echo "generated certificates:"
ls -l /var/certs
volumeMounts:
- name: certs
mountPath: /var/certs
containers:
- name: save-certs
image: bitnami/kubectl
command: ["/bin/bash"]
args:
- -c
- |
kubectl get secrets -n dex certs -o jsonpath='created: {.metadata.creationTimestamp}' || \
kubectl create secret generic certs --from-file=/var/certs
volumeMounts:
- name: certs
mountPath: /var/certs
volumes:
- name: certs
emptyDir: {}
restartPolicy: Never
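Review bot: The `cert-issuer` Role grants `create, get, patch, update, watch, delete` on every Secret in the `dex` namespace, but the save-certs container only runs `kubectl get` and `kubectl create` on the `certs` secret; the rules below drop the unused verbs and pin the read to `resourceNames: [certs]` (create cannot be name-scoped, so it stays in its own rule). `chmod -R 777 /var/certs` leaves the CA and server private keys world-writable inside the pod, presumably so a non-root kubectl container can read them, and `chmod 644 /var/certs/*.pem` (or a pod-level `securityContext.fsGroup` with group-readable files) is sufficient for that. The `kubectl create secret` call has no `-n dex` while the preceding `kubectl get` does; kubectl inside a pod falls back to the service account's namespace, but making it explicit keeps the two commands from diverging. Note also that `--from-file=/var/certs` stores `ca-key.pem` in the same secret that the Dex deployment mounts, so the CA private key ends up wherever that secret is mounted.
```yaml
rules:
- apiGroups: [""]
  resources: [secrets]
  verbs: [create]
- apiGroups: [""]
  resources: [secrets]
  resourceNames: [certs]
  verbs: [get]
# … unchanged: ServiceAccount, RoleBinding and Job …
```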


@ -69,36 +69,6 @@ spec:
annotations: annotations:
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig())) dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
spec: spec:
initContainers:
- name: generate-certs
image: cfssl/cfssl:1.5.0
imagePullPolicy: IfNotPresent
command: ["/bin/bash"]
args:
- -c
- |
cd /var/certs
cfssl print-defaults config > /tmp/cfssl-default.json
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
echo "generating CA key..."
cfssl genkey \
-config /tmp/cfssl-default.json \
-initca csr.json \
| cfssljson -bare ca
echo "generating Dex server certificate..."
cfssl gencert \
-ca ca.pem -ca-key ca-key.pem \
-config /tmp/cfssl-default.json \
-profile www \
-cn "dex.dex.svc.cluster.local" \
-hostname "dex.dex.svc.cluster.local" \
csr.json \
| cfssljson -bare dex
volumeMounts:
- name: certs
mountPath: /var/certs
containers: containers:
- name: dex - name: dex
image: quay.io/dexidp/dex:v2.10.0 image: quay.io/dexidp/dex:v2.10.0
@ -121,7 +91,8 @@ spec:
configMap: configMap:
name: dex-config name: dex-config
- name: certs - name: certs
emptyDir: {} secret:
secretName: certs
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
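Review bot: The `certs` volume now mounts the whole `certs` Secret, which the cert-issuer Job populates with `--from-file=/var/certs` and therefore includes `ca-key.pem` alongside the server certificate; the Dex container only needs its own serving certificate and key, so projecting those with `items:` keeps the CA private key out of the Dex pod. This assumes the Dex config (outside this hunk) reads `dex.pem` and `dex-key.pem` from `/var/certs`; if it also reads `ca.pem`, add that item as well. The enclosing Deployment spec starts before and continues after these hunks.
```yaml
- name: certs
  secret:
    secretName: certs
    items:
    - key: dex.pem
      path: dex.pem
    - key: dex-key.pem
      path: dex-key.pem
```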