From 9beb3855b5e32f9aca31f134d617581e0fad8c21 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 21 Sep 2020 19:55:04 -0500 Subject: [PATCH] Create webhooks per-test and explicitly in `demo.md` instead of with ytt in `./deploy`. Signed-off-by: Matt Moyer --- deploy/values.yaml | 4 -- deploy/webhook.yaml | 16 -------- doc/demo.md | 22 +++++++--- hack/prepare-for-integration-tests.sh | 4 +- test/integration/cli_test.go | 17 +++++--- test/integration/client_test.go | 9 +---- test/integration/credentialrequest_test.go | 34 ++++++++++------ test/library/client.go | 47 ++++++++++++++++++++++ 8 files changed, 101 insertions(+), 52 deletions(-) delete mode 100644 deploy/webhook.yaml diff --git a/deploy/values.yaml b/deploy/values.yaml index bae0dabd..b579a212 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -21,10 +21,6 @@ image_tag: latest #! Optional. image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}} -#! Configure a webhook identity provider. -webhook_url: #! e.g., https://example.com -webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F... - #! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. #! This settings allows the guess to be overridden. #! Optional. diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml deleted file mode 100644 index 4dd08e08..00000000 --- a/deploy/webhook.yaml +++ /dev/null @@ -1,16 +0,0 @@ -#! Copyright 2020 the Pinniped contributors. All Rights Reserved. -#! SPDX-License-Identifier: Apache-2.0 - -#@ load("@ytt:data", "data") - -apiVersion: idp.pinniped.dev/v1alpha1 -kind: WebhookIdentityProvider -metadata: - name: #@ data.values.app_name + "-webhook" - namespace: #@ data.values.namespace - labels: - app: #@ data.values.app_name -spec: - endpoint: #@ data.values.webhook_url - tls: - certificateAuthorityData: #@ data.values.webhook_ca_bundle diff --git a/doc/demo.md b/doc/demo.md index 7fb2feb2..74152243 100644 --- a/doc/demo.md +++ b/doc/demo.md @@ -83,12 +83,24 @@ ```bash cd /tmp/pinniped/deploy - ytt --file . \ - --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \ - --data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca-base64-encoded)" \ - | kapp deploy --yes --app pinniped --diff-changes --file - + ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file - ``` +1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using `local-user-authenticator` + + ```bash + cat < /tmp/pinniped-kubeconfig + pinniped get-kubeconfig --token "pinny-the-seal:password123" --idp-type webhook --idp-name local-user-authenticator > /tmp/pinniped-kubeconfig ``` Note that the above command will print a warning to the screen. You can ignore this warning. diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index e22fc2fd..8340f2e4 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -191,8 +191,6 @@ ytt --file . \ --data-value "namespace=$namespace" \ --data-value "image_repo=$registry_repo" \ --data-value "image_tag=$tag" \ - --data-value "webhook_url=$webhook_url" \ - --data-value "webhook_ca_bundle=$webhook_ca_bundle" \ --data-value "discovery_url=$discovery_url" >"$manifest" kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" @@ -212,6 +210,8 @@ export PINNIPED_APP_NAME=${app_name} export PINNIPED_TEST_USER_USERNAME=${test_username} export PINNIPED_TEST_USER_GROUPS=${test_groups} export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password} +export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url} +export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle} read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true ${pinniped_cluster_capability_file_content} diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go index 43eec1a4..738e6bef 100644 --- a/test/integration/cli_test.go +++ b/test/integration/cli_test.go @@ -27,6 +27,12 @@ func TestCLI(t *testing.T) { strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",", ) + // Create a test webhook configuration to use with the CLI. + ctx, cancelFunc := context.WithTimeout(context.Background(), 30*time.Second) + defer cancelFunc() + + idp := library.CreateTestWebhookIDP(ctx, t) + // Remove all Pinniped environment variables for the remainder of this test // because some of their names clash with the env vars expected by our // kubectl exec plugin. We would like this test to prove that the exec @@ -56,14 +62,11 @@ func TestCLI(t *testing.T) { defer cleanupFunc() // Run pinniped CLI to get kubeconfig. - kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName) - - adminClient := library.NewClientset(t) - ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3) - defer cancelFunc() + kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName, "webhook", idp.Name) // In addition to the client-go based testing below, also try the kubeconfig // with kubectl to validate that it works. + adminClient := library.NewClientset(t) t.Run( "access as user with kubectl", accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName), @@ -108,7 +111,7 @@ func buildPinnipedCLI(t *testing.T) (string, func()) { } } -func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string { +func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName, idpType, idpName string) string { t.Helper() output, err := exec.Command( @@ -116,6 +119,8 @@ func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) stri "get-kubeconfig", "--token", token, "--pinniped-namespace", namespaceName, + "--idp-type", idpType, + "--idp-name", idpName, ).CombinedOutput() require.NoError(t, err, string(output)) diff --git a/test/integration/client_test.go b/test/integration/client_test.go index 1c451e2d..1482e278 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -10,9 +10,7 @@ import ( "time" "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1" "go.pinniped.dev/internal/client" "go.pinniped.dev/internal/here" "go.pinniped.dev/test/library" @@ -63,6 +61,8 @@ func TestClient(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() + idp := library.CreateTestWebhookIDP(ctx, t) + // Use an invalid certificate/key to validate that the ServerVersion API fails like we assume. invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey) _, err := invalidClient.Discovery().ServerVersion() @@ -71,11 +71,6 @@ func TestClient(t *testing.T) { // Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange. clientConfig := library.NewClientConfig(t) - idp := corev1.TypedLocalObjectReference{ - APIGroup: &idpv1alpha1.SchemeGroupVersion.Group, - Kind: "WebhookIdentityProvider", - Name: "pinniped-webhook", - } resp, err := client.ExchangeToken(ctx, namespace, idp, token, string(clientConfig.CAData), clientConfig.Host) require.NoError(t, err) require.NotNil(t, resp.Status.ExpirationTimestamp) diff --git a/test/integration/credentialrequest_test.go b/test/integration/credentialrequest_test.go index 8a3a5751..da2512bd 100644 --- a/test/integration/credentialrequest_test.go +++ b/test/integration/credentialrequest_test.go @@ -12,6 +12,7 @@ import ( "time" "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -26,8 +27,12 @@ func TestSuccessfulCredentialRequest(t *testing.T) { expectedTestUserGroups := strings.Split( strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",", ) + ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) + defer cancel() - response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t)) + testWebhook := library.CreateTestWebhookIDP(ctx, t) + + response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook)) require.NoError(t, err) require.NotNil(t, response.Status.Credential) @@ -41,9 +46,6 @@ func TestSuccessfulCredentialRequest(t *testing.T) { require.NotNil(t, response.Status.Credential.ExpirationTimestamp) require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute)) - ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) - defer cancel() - // Create a client using the admin kubeconfig. adminClient := library.NewClientset(t) @@ -71,7 +73,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic library.SkipUnlessIntegration(t) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) - response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"}) + response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"}) require.NoError(t, err) @@ -84,7 +86,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T library.SkipUnlessIntegration(t) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) - response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: ""}) + response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: ""}) require.Error(t, err) statusError, isStatus := err.(*errors.StatusError) @@ -104,7 +106,12 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl library.SkipUnlessIntegration(t) library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) - response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t)) + ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second) + defer cancel() + + testWebhook := library.CreateTestWebhookIDP(ctx, t) + + response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook)) require.NoError(t, err) @@ -113,24 +120,27 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl require.Equal(t, stringPtr("authentication failed"), response.Status.Message) } -func makeRequest(t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) { +func makeRequest(ctx context.Context, t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) { t.Helper() client := library.NewAnonymousPinnipedClientset(t) - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + ctx, cancel := context.WithTimeout(ctx, 10*time.Second) defer cancel() ns := library.GetEnv(t, "PINNIPED_NAMESPACE") return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{ TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{}, + ObjectMeta: metav1.ObjectMeta{Namespace: ns}, Spec: spec, }, metav1.CreateOptions{}) } -func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.TokenCredentialRequestSpec { - return v1alpha1.TokenCredentialRequestSpec{Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")} +func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) v1alpha1.TokenCredentialRequestSpec { + return v1alpha1.TokenCredentialRequestSpec{ + Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN"), + IdentityProvider: idp, + } } func stringPtr(s string) *string { diff --git a/test/library/client.go b/test/library/client.go index 8249c647..49599ba8 100644 --- a/test/library/client.go +++ b/test/library/client.go @@ -4,17 +4,22 @@ package library import ( + "context" "io/ioutil" "os" "testing" + "time" "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" + idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1" pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned" // Import to initialize client auth plugins - the kubeconfig that we use for @@ -136,3 +141,45 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi config.KeyData = []byte(clientKeyData) return config } + +// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_NAMESPACE, which will be +// automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which +// descibes the test IDP within the test namespace. +func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference { + t.Helper() + + namespace := GetEnv(t, "PINNIPED_NAMESPACE") + endpoint := GetEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT") + caBundle := GetEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE") + client := NewPinnipedClientset(t) + webhooks := client.IDPV1alpha1().WebhookIdentityProviders(namespace) + + createContext, cancel := context.WithTimeout(ctx, 5*time.Second) + defer cancel() + idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "test-webhook-", + Labels: map[string]string{"pinniped.dev/test": t.Name()}, + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: endpoint, + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: caBundle}, + }, + }, metav1.CreateOptions{}) + require.NoError(t, err, "could not create test WebhookIdentityProvider") + t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name) + + t.Cleanup(func() { + t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name) + deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{}) + require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name) + }) + + return corev1.TypedLocalObjectReference{ + APIGroup: &idpv1alpha1.SchemeGroupVersion.Group, + Kind: "WebhookIdentityProvider", + Name: idp.Name, + } +}