Merge pull request #223 from mattmoyer/refactor-cert-gen
Refactor certificate generation for integration test Dex.
This commit is contained in:
commit
428b9f2758
@ -19,23 +19,25 @@ local_resource(
|
|||||||
)
|
)
|
||||||
|
|
||||||
#####################################################################################################
|
#####################################################################################################
|
||||||
# Dex
|
# Test IDP (Dex + cert generation + squid proxy)
|
||||||
#
|
#
|
||||||
|
|
||||||
# Render the Dex installation manifest using ytt.
|
# Render the IDP installation manifest using ytt.
|
||||||
k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex']))
|
k8s_yaml(local(['ytt','--file', '../../../test/deploy/dex']))
|
||||||
# Tell tilt to watch all of those files for changes.
|
# Tell tilt to watch all of those files for changes.
|
||||||
watch_file('../../../test/deploy/dex')
|
watch_file('../../../test/deploy/dex')
|
||||||
|
|
||||||
# Collect all the deployed Dex resources under a "dex" resource tab.
|
k8s_resource(objects=['dex:namespace'], new_name='dex-ns')
|
||||||
k8s_resource(
|
k8s_resource(workload='cert-issuer', resource_deps=['dex-ns'], objects=[
|
||||||
workload='dex', # this is the deployment name
|
'cert-issuer:serviceaccount',
|
||||||
objects=[
|
'cert-issuer:role',
|
||||||
# these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI
|
'cert-issuer:rolebinding',
|
||||||
'dex:namespace',
|
])
|
||||||
|
k8s_resource(workload='proxy', resource_deps=['dex-ns'])
|
||||||
|
k8s_resource(workload='dex', resource_deps=['dex-ns', 'cert-issuer'], objects=[
|
||||||
'dex-config:configmap',
|
'dex-config:configmap',
|
||||||
],
|
])
|
||||||
)
|
|
||||||
|
|
||||||
#####################################################################################################
|
#####################################################################################################
|
||||||
# Local-user-authenticator app
|
# Local-user-authenticator app
|
||||||
@ -186,6 +188,6 @@ k8s_resource(
|
|||||||
local_resource(
|
local_resource(
|
||||||
'test-env',
|
'test-env',
|
||||||
'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
|
'TILT_MODE=yes ../../prepare-for-integration-tests.sh',
|
||||||
resource_deps=['local-user-auth', 'concierge', 'supervisor'],
|
resource_deps=['local-user-auth', 'concierge', 'supervisor', 'dex', 'proxy'],
|
||||||
deps=['../../prepare-for-integration-tests.sh'],
|
deps=['../../prepare-for-integration-tests.sh'],
|
||||||
)
|
)
|
||||||
|
@ -268,7 +268,7 @@ fi
|
|||||||
#
|
#
|
||||||
# Download the test CA bundle that was generated in the Dex pod.
|
# Download the test CA bundle that was generated in the Dex pod.
|
||||||
#
|
#
|
||||||
test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)"
|
test_ca_bundle_pem="$(kubectl get secrets -n dex certs -o go-template='{{index .data "ca.pem" | base64decode}}')"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create the environment file
|
# Create the environment file
|
||||||
|
101
test/deploy/dex/cert-issuer.yaml
Normal file
101
test/deploy/dex/cert-issuer.yaml
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||||||
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: cert-issuer
|
||||||
|
namespace: dex
|
||||||
|
labels:
|
||||||
|
app: cert-issuer
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: cert-issuer
|
||||||
|
namespace: dex
|
||||||
|
labels:
|
||||||
|
app: cert-issuer
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: [secrets]
|
||||||
|
verbs: [create, get, patch, update, watch, delete]
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cert-issuer
|
||||||
|
namespace: dex
|
||||||
|
labels:
|
||||||
|
app: cert-issuer
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cert-issuer
|
||||||
|
namespace: dex
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: cert-issuer
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: Job
|
||||||
|
metadata:
|
||||||
|
name: cert-issuer
|
||||||
|
namespace: dex
|
||||||
|
labels:
|
||||||
|
app: cert-issuer
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
serviceAccountName: cert-issuer
|
||||||
|
initContainers:
|
||||||
|
- name: generate-certs
|
||||||
|
image: cfssl/cfssl:1.5.0
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
command: ["/bin/bash"]
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
cd /var/certs
|
||||||
|
cfssl print-defaults config > /tmp/cfssl-default.json
|
||||||
|
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json
|
||||||
|
|
||||||
|
echo "generating CA key..."
|
||||||
|
cfssl genkey \
|
||||||
|
-config /tmp/cfssl-default.json \
|
||||||
|
-initca /tmp/csr.json \
|
||||||
|
| cfssljson -bare ca
|
||||||
|
|
||||||
|
echo "generating Dex server certificate..."
|
||||||
|
cfssl gencert \
|
||||||
|
-ca ca.pem -ca-key ca-key.pem \
|
||||||
|
-config /tmp/cfssl-default.json \
|
||||||
|
-profile www \
|
||||||
|
-cn "dex.dex.svc.cluster.local" \
|
||||||
|
-hostname "dex.dex.svc.cluster.local" \
|
||||||
|
/tmp/csr.json \
|
||||||
|
| cfssljson -bare dex
|
||||||
|
|
||||||
|
chmod -R 777 /var/certs
|
||||||
|
|
||||||
|
echo "generated certificates:"
|
||||||
|
ls -l /var/certs
|
||||||
|
volumeMounts:
|
||||||
|
- name: certs
|
||||||
|
mountPath: /var/certs
|
||||||
|
containers:
|
||||||
|
- name: save-certs
|
||||||
|
image: bitnami/kubectl
|
||||||
|
command: ["/bin/bash"]
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
kubectl get secrets -n dex certs -o jsonpath='created: {.metadata.creationTimestamp}' || \
|
||||||
|
kubectl create secret generic certs --from-file=/var/certs
|
||||||
|
volumeMounts:
|
||||||
|
- name: certs
|
||||||
|
mountPath: /var/certs
|
||||||
|
volumes:
|
||||||
|
- name: certs
|
||||||
|
emptyDir: {}
|
||||||
|
restartPolicy: Never
|
@ -69,36 +69,6 @@ spec:
|
|||||||
annotations:
|
annotations:
|
||||||
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
||||||
spec:
|
spec:
|
||||||
initContainers:
|
|
||||||
- name: generate-certs
|
|
||||||
image: cfssl/cfssl:1.5.0
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
command: ["/bin/bash"]
|
|
||||||
args:
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
cd /var/certs
|
|
||||||
cfssl print-defaults config > /tmp/cfssl-default.json
|
|
||||||
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
|
|
||||||
|
|
||||||
echo "generating CA key..."
|
|
||||||
cfssl genkey \
|
|
||||||
-config /tmp/cfssl-default.json \
|
|
||||||
-initca csr.json \
|
|
||||||
| cfssljson -bare ca
|
|
||||||
|
|
||||||
echo "generating Dex server certificate..."
|
|
||||||
cfssl gencert \
|
|
||||||
-ca ca.pem -ca-key ca-key.pem \
|
|
||||||
-config /tmp/cfssl-default.json \
|
|
||||||
-profile www \
|
|
||||||
-cn "dex.dex.svc.cluster.local" \
|
|
||||||
-hostname "dex.dex.svc.cluster.local" \
|
|
||||||
csr.json \
|
|
||||||
| cfssljson -bare dex
|
|
||||||
volumeMounts:
|
|
||||||
- name: certs
|
|
||||||
mountPath: /var/certs
|
|
||||||
containers:
|
containers:
|
||||||
- name: dex
|
- name: dex
|
||||||
image: quay.io/dexidp/dex:v2.10.0
|
image: quay.io/dexidp/dex:v2.10.0
|
||||||
@ -121,7 +91,8 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: dex-config
|
name: dex-config
|
||||||
- name: certs
|
- name: certs
|
||||||
emptyDir: {}
|
secret:
|
||||||
|
secretName: certs
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
|
Loading…
Reference in New Issue
Block a user