Add more logging to test-webhook's endpoint

- Also correct the webhook url setting in prepare-for-integration-tests.sh
- Change the bcrypt count to 10, because 16 is way too slow on old laptops

Signed-off-by: Ryan Richard <richardry@vmware.com>
Andrew Keesler 2020-09-10 13:37:25 -07:00 committed by Ryan Richard
parent b506ac5823
commit 56be4a6761
3 changed files with 22 additions and 14 deletions


@ -111,20 +111,24 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
defer req.Body.Close() defer req.Body.Close()
if req.URL.Path != "/authenticate" { if req.URL.Path != "/authenticate" {
klog.InfoS("received request path other than /authenticate", "path", req.URL.Path)
rsp.WriteHeader(http.StatusNotFound) rsp.WriteHeader(http.StatusNotFound)
return return
} }
if req.Method != http.MethodPost { if req.Method != http.MethodPost {
klog.InfoS("received request method other than post", "method", req.Method)
rsp.WriteHeader(http.StatusMethodNotAllowed) rsp.WriteHeader(http.StatusMethodNotAllowed)
return return
} }
if !contains(req.Header.Values("Content-Type"), "application/json") { if !contains(req.Header.Values("Content-Type"), "application/json") {
klog.InfoS("wrong content type", "Content-Type", req.Header.Values("Content-Type"))
rsp.WriteHeader(http.StatusUnsupportedMediaType) rsp.WriteHeader(http.StatusUnsupportedMediaType)
return return
} }
if !contains(req.Header.Values("Accept"), "application/json") { if !contains(req.Header.Values("Accept"), "application/json") {
klog.InfoS("wrong accept type", "Accept", req.Header.Values("Accept"))
rsp.WriteHeader(http.StatusUnsupportedMediaType) rsp.WriteHeader(http.StatusUnsupportedMediaType)
return return
} }
@ -138,6 +142,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2) tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
if len(tokenSegments) != 2 { if len(tokenSegments) != 2 {
klog.InfoS("bad token format in request")
rsp.WriteHeader(http.StatusBadRequest) rsp.WriteHeader(http.StatusBadRequest)
return return
} }
@ -153,6 +158,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
} }
if notFound { if notFound {
klog.InfoS("user not found")
respondWithUnauthenticated(rsp) respondWithUnauthenticated(rsp)
return return
} }
@ -162,6 +168,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
[]byte(password), []byte(password),
) == nil ) == nil
if !passwordMatches { if !passwordMatches {
klog.InfoS("invalid password in request")
respondWithUnauthenticated(rsp) respondWithUnauthenticated(rsp)
return return
} }
@ -179,6 +186,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
trimLeadingAndTrailingWhitespace(groups) trimLeadingAndTrailingWhitespace(groups)
} }
klog.InfoS("successful authentication")
respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups) respondWithAuthenticated(rsp, secret.ObjectMeta.Name, string(secret.UID), groups)
} }
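Review bot: The two authentication-failure log lines, `klog.InfoS("user not found")` and `klog.InfoS("invalid password in request")`, carry no key/value context, so repeated failures cannot be tied to a client when reading the logs. Adding the peer address, e.g. `klog.InfoS("invalid password in request", "remoteAddr", req.RemoteAddr)`, would make them usable for spotting password guessing; the token and password must stay out of every log line. Both branches still answer through `respondWithUnauthenticated`, so the extra detail stays server-side and the client cannot tell the two cases apart. ServeHTTP starts and continues outside the hunks shown.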


@ -45,7 +45,7 @@ who belongs to the groups `group1` and `group2`, use:
kubectl create secret generic ryan \ kubectl create secret generic ryan \
--namespace test-webhook \ --namespace test-webhook \
--from-literal=groups=group1,group2 \ --from-literal=groups=group1,group2 \
--from-literal=passwordHash=$(htpasswd -nbBC 16 x password123 | sed -e "s/^x://") --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")
``` ```
### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle ### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle


@ -44,9 +44,9 @@ function log_note() {
GREEN='\033[0;32m' GREEN='\033[0;32m'
NC='\033[0m' NC='\033[0m'
if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then
echo -e " ${GREEN}:)${NC} Note: $*" echo -e "${GREEN}$*${NC}"
else else
echo " :) Note: $*" echo "$*"
fi fi
} }
@ -54,9 +54,9 @@ function log_warning() {
YELLOW='\033[0;33m' YELLOW='\033[0;33m'
NC='\033[0m' NC='\033[0m'
if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then
echo -e " ${YELLOW}:/${NC} Warning: $*" echo -e "😒${YELLOW} Warning: $* ${NC}"
else else
echo " :/ Warning: $*" echo ":/ Warning: $*"
fi fi
} }
@ -64,9 +64,9 @@ function log_error() {
RED='\033[0;31m' RED='\033[0;31m'
NC='\033[0m' NC='\033[0m'
if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then if [[ $COLORTERM =~ ^(truecolor|24bit)$ ]]; then
echo -e " ${RED}:(${NC} Error: $*" echo -e "🙁${RED} Error: $* ${NC}"
else else
echo " :( Error: $*" echo ":( Error: $*"
fi fi
} }
@ -235,21 +235,21 @@ else
log_note "Creating test user 'test-username'..." log_note "Creating test user 'test-username'..."
test_username="test-username" test_username="test-username"
# TODO AUTO-GENERATE PASSWORD
test_password="test-password" test_password="test-password"
test_groups="test-group-0,test-group-1" test_groups="test-group-0,test-group-1"
kubectl create secret generic "$test_username" \ kubectl create secret generic "$test_username" \
--namespace test-webhook \ --namespace test-webhook \
--from-literal=groups="$test_groups" \ --from-literal=groups="$test_groups" \
--from-literal=passwordHash=$(htpasswd -nbBC 16 x "$test_password" | sed -e "s/^x://") \ --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \ --dry-run=client \
--output yaml \ --output yaml \
| kubectl apply -f - | kubectl apply -f -
app_name="pinniped" app_name="pinniped"
namespace="integration" namespace="integration"
webhook_url="test-webhook.test-webhook.svc" webhook_url="https://test-webhook.test-webhook.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace test-webhook \ webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace test-webhook -o 'jsonpath={.data.caCertificate}')"
-o jsonpath={.data.caCertificate})"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
# #
@ -295,6 +295,8 @@ PINNIPED_CLUSTER_CAPABILITY_YAML_EOF
export PINNIPED_CLUSTER_CAPABILITY_YAML export PINNIPED_CLUSTER_CAPABILITY_YAML
EOF EOF
goland_vars=$(grep -v '^#' /tmp/integration-test-env | grep -E '^export .+=' | sed 's/export //g' | tr '\n' ';')
log_note "Done!" log_note "Done!"
log_note log_note
log_note "Ready to run integration tests. For example, you could run all tests using the following commands..." log_note "Ready to run integration tests. For example, you could run all tests using the following commands..."
@ -303,9 +305,7 @@ EOF
log_note ' (cd test && go test -count 1 ./...)' log_note ' (cd test && go test -count 1 ./...)'
log_note log_note
log_note '"Environment" setting for GoLand run configurations:' log_note '"Environment" setting for GoLand run configurations:'
log_note -n ' ' log_note " ${goland_vars}PINNIPED_CLUSTER_CAPABILITY_FILE=${kind_capabilities_file}"
goland_vars=$(grep -v '^#' /tmp/integration-test-env | grep -E '^export .+=' | sed 's/export //g' | tr '\n' ';')
log_note "${goland_vars}PINNIPED_CLUSTER_CAPABILITY_FILE=${kind_capabilities_file}"
log_note log_note
log_note log_note
log_note "You can run this script again to deploy local production code changes while you are working." log_note "You can run this script again to deploy local production code changes while you are working."
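Review bot: The test user's password is still the fixed string `test-password` (the hunk at `test_password=` only adds a TODO), and `htpasswd -b` puts it on the command line, where it is visible in the process list while the hash is computed. When the TODO is done, a generated value fed on stdin avoids both: `test_password="$(openssl rand -hex 16)"` and `--from-literal=passwordHash="$(printf '%s' "$test_password" | htpasswd -niBC 10 x | sed -e "s/^x://")"`, assuming openssl is available where the script runs. Cost 10 is reasonable for a local test cluster, but a comment such as `# bcrypt cost 10 is for local test speed only` next to the command would keep the value from being copied into a real deployment. The same cost change appears in the documentation hunk above.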