Create webhooks per-test and explicitly in demo.md instead of with ytt in ./deploy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

deploy/values.yaml

@@ -21,10 +21,6 @@ image_tag: latest
 #! Optional.
 image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
 
-#! Configure a webhook identity provider.
-webhook_url: #! e.g., https://example.com
-webhook_ca_bundle: #! Must be a base64 encoded PEM certificate. e.g., LS0tLS1CRUdJTiBDRVJUSUZJQ0F...
-
 #! Pinniped will try to guess the right K8s API URL for sharing that information with potential clients.
 #! This settings allows the guess to be overridden.
 #! Optional.

deploy/webhook.yaml

@@ -1,16 +0,0 @@
-#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
-#! SPDX-License-Identifier: Apache-2.0
-
-#@ load("@ytt:data", "data")
-
-apiVersion: idp.pinniped.dev/v1alpha1
-kind: WebhookIdentityProvider
-metadata:
-  name: #@ data.values.app_name + "-webhook"
-  namespace: #@ data.values.namespace
-  labels:
-    app: #@ data.values.app_name
-spec:
-  endpoint: #@ data.values.webhook_url
-  tls:
-    certificateAuthorityData: #@ data.values.webhook_ca_bundle

doc/demo.md

@@ -83,12 +83,24 @@
 
    ```bash
     cd /tmp/pinniped/deploy
-    ytt --file . \
+    ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file -
-      --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \
-      --data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca-base64-encoded)" \
-      | kapp deploy --yes --app pinniped --diff-changes --file -
    ```
 
+1. Create a `WebhookIdentityProvider` object to configure Pinniped to authenticate using `local-user-authenticator`
+
+    ```bash
+    cat <<EOF | kubectl create --namespace pinniped -f -
+    apiVersion: idp.pinniped.dev/v1alpha1
+    kind: WebhookIdentityProvider
+    metadata:
+      name: local-user-authenticator
+    spec:
+      endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
+      tls:
+        certificateAuthorityData: $(cat /tmp/local-user-authenticator-ca-base64-encoded)
+    EOF
+    ```
+
 1. Download the latest version of the Pinniped CLI binary for your platform
    from [Pinniped's github Releases page](https://github.com/vmware-tanzu/pinniped/releases/latest).
 
@@ -99,7 +111,7 @@
    allow you to authenticate as the user that you created above.
 
    ```bash
-   pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig
+   pinniped get-kubeconfig --token "pinny-the-seal:password123" --idp-type webhook --idp-name local-user-authenticator > /tmp/pinniped-kubeconfig
    ```
 
    Note that the above command will print a warning to the screen. You can ignore this warning.

hack/prepare-for-integration-tests.sh

@@ -191,8 +191,6 @@ ytt --file . \
   --data-value "namespace=$namespace" \
   --data-value "image_repo=$registry_repo" \
   --data-value "image_tag=$tag" \
-  --data-value "webhook_url=$webhook_url" \
-  --data-value "webhook_ca_bundle=$webhook_ca_bundle" \
   --data-value "discovery_url=$discovery_url" >"$manifest"
 
 kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
@@ -212,6 +210,8 @@ export PINNIPED_APP_NAME=${app_name}
 export PINNIPED_TEST_USER_USERNAME=${test_username}
 export PINNIPED_TEST_USER_GROUPS=${test_groups}
 export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
+export PINNIPED_TEST_WEBHOOK_ENDPOINT=${webhook_url}
+export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle}
 
 read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
 ${pinniped_cluster_capability_file_content}

test/integration/cli_test.go

@@ -27,6 +27,12 @@ func TestCLI(t *testing.T) {
 		strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
 	)
 
+	// Create a test webhook configuration to use with the CLI.
+	ctx, cancelFunc := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancelFunc()
+
+	idp := library.CreateTestWebhookIDP(ctx, t)
+
 	// Remove all Pinniped environment variables for the remainder of this test
 	// because some of their names clash with the env vars expected by our
 	// kubectl exec plugin. We would like this test to prove that the exec
@@ -56,14 +62,11 @@ func TestCLI(t *testing.T) {
 	defer cleanupFunc()
 
 	// Run pinniped CLI to get kubeconfig.
-	kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName)
+	kubeConfigYAML := runPinnipedCLI(t, pinnipedExe, token, namespaceName, "webhook", idp.Name)
-
-	adminClient := library.NewClientset(t)
-	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3)
-	defer cancelFunc()
 
 	// In addition to the client-go based testing below, also try the kubeconfig
 	// with kubectl to validate that it works.
+	adminClient := library.NewClientset(t)
 	t.Run(
 		"access as user with kubectl",
 		accessAsUserWithKubectlTest(ctx, adminClient, kubeConfigYAML, testUsername, namespaceName),
@@ -108,7 +111,7 @@ func buildPinnipedCLI(t *testing.T) (string, func()) {
 	}
 }
 
-func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string {
+func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName, idpType, idpName string) string {
 	t.Helper()
 
 	output, err := exec.Command(
@@ -116,6 +119,8 @@ func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) stri
 		"get-kubeconfig",
 		"--token", token,
 		"--pinniped-namespace", namespaceName,
+		"--idp-type", idpType,
+		"--idp-name", idpName,
 	).CombinedOutput()
 	require.NoError(t, err, string(output))
 

test/integration/client_test.go

@@ -10,9 +10,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	"go.pinniped.dev/internal/client"
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/test/library"
@@ -63,6 +61,8 @@ func TestClient(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
+	idp := library.CreateTestWebhookIDP(ctx, t)
+
 	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 	invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
 	_, err := invalidClient.Discovery().ServerVersion()
@@ -71,11 +71,6 @@ func TestClient(t *testing.T) {
 	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
 	clientConfig := library.NewClientConfig(t)
 
-	idp := corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
-		Kind:     "WebhookIdentityProvider",
-		Name:     "pinniped-webhook",
-	}
 	resp, err := client.ExchangeToken(ctx, namespace, idp, token, string(clientConfig.CAData), clientConfig.Host)
 	require.NoError(t, err)
 	require.NotNil(t, resp.Status.ExpirationTimestamp)

test/integration/credentialrequest_test.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -26,8 +27,12 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	expectedTestUserGroups := strings.Split(
 		strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
 	)
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
 
-	response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
+	testWebhook := library.CreateTestWebhookIDP(ctx, t)
+
+	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
 	require.NoError(t, err)
 
 	require.NotNil(t, response.Status.Credential)
@@ -41,9 +46,6 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
 	require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
 
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
-
 	// Create a client using the admin kubeconfig.
 	adminClient := library.NewClientset(t)
 
@@ -71,7 +73,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
 
-	response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
+	response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: "not a good token"})
 
 	require.NoError(t, err)
 
@@ -84,7 +86,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
 
-	response, err := makeRequest(t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
+	response, err := makeRequest(context.Background(), t, v1alpha1.TokenCredentialRequestSpec{Token: ""})
 
 	require.Error(t, err)
 	statusError, isStatus := err.(*errors.StatusError)
@@ -104,7 +106,12 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
 	library.SkipUnlessIntegration(t)
 	library.SkipWhenClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
 
-	response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	testWebhook := library.CreateTestWebhookIDP(ctx, t)
+
+	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, testWebhook))
 
 	require.NoError(t, err)
 
@@ -113,24 +120,27 @@ func TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheCl
 	require.Equal(t, stringPtr("authentication failed"), response.Status.Message)
 }
 
-func makeRequest(t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
+func makeRequest(ctx context.Context, t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error) {
 	t.Helper()
 
 	client := library.NewAnonymousPinnipedClientset(t)
 
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	ns := library.GetEnv(t, "PINNIPED_NAMESPACE")
 	return client.LoginV1alpha1().TokenCredentialRequests(ns).Create(ctx, &v1alpha1.TokenCredentialRequest{
 		TypeMeta:   metav1.TypeMeta{},
-		ObjectMeta: metav1.ObjectMeta{},
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns},
 		Spec:       spec,
 	}, metav1.CreateOptions{})
 }
 
-func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.TokenCredentialRequestSpec {
+func validCredentialRequestSpecWithRealToken(t *testing.T, idp corev1.TypedLocalObjectReference) v1alpha1.TokenCredentialRequestSpec {
-	return v1alpha1.TokenCredentialRequestSpec{Token: library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")}
+	return v1alpha1.TokenCredentialRequestSpec{
+		Token:            library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN"),
+		IdentityProvider: idp,
+	}
 }
 
 func stringPtr(s string) *string {

test/library/client.go

@@ -4,17 +4,22 @@
 package library
 
 import (
+	"context"
 	"io/ioutil"
 	"os"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
+	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/idp/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 
 	// Import to initialize client auth plugins - the kubeconfig that we use for
@@ -136,3 +141,45 @@ func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertifi
 	config.KeyData = []byte(clientKeyData)
 	return config
 }
+
+// CreateTestWebhookIDP creates and returns a test WebhookIdentityProvider in $PINNIPED_NAMESPACE, which will be
+// automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
+// descibes the test IDP within the test namespace.
+func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
+	t.Helper()
+
+	namespace := GetEnv(t, "PINNIPED_NAMESPACE")
+	endpoint := GetEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
+	caBundle := GetEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")
+	client := NewPinnipedClientset(t)
+	webhooks := client.IDPV1alpha1().WebhookIdentityProviders(namespace)
+
+	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+	idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "test-webhook-",
+			Labels:       map[string]string{"pinniped.dev/test": t.Name()},
+		},
+		Spec: idpv1alpha1.WebhookIdentityProviderSpec{
+			Endpoint: endpoint,
+			TLS:      &idpv1alpha1.TLSSpec{CertificateAuthorityData: caBundle},
+		},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err, "could not create test WebhookIdentityProvider")
+	t.Logf("created test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+
+	t.Cleanup(func() {
+		t.Logf("cleaning up test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+		deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		err := webhooks.Delete(deleteCtx, idp.Name, metav1.DeleteOptions{})
+		require.NoErrorf(t, err, "could not cleanup test WebhookIdentityProvider %s/%s", idp.Namespace, idp.Name)
+	})
+
+	return corev1.TypedLocalObjectReference{
+		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		Kind:     "WebhookIdentityProvider",
+		Name:     idp.Name,
+	}
+}