Rename test-webhook to local-user-authenticator

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

Dockerfile

@@ -21,14 +21,14 @@ COPY hack ./hack
 # Build the executable binary (CGO_ENABLED=0 means static linking)
 RUN mkdir out \
   && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \
-  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/test-webhook/...
+  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/...
 
 # Use a runtime image based on Debian slim
 FROM debian:10.5-slim
 
 # Copy the binaries from the build-env stage
 COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server
-COPY --from=build-env /work/out/test-webhook /usr/local/bin/test-webhook
+COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator
 
 # Document the port
 EXPOSE 443

cmd/local-user-authenticator/main.go

@@ -42,9 +42,9 @@ import (
 
 const (
 	// This string must match the name of the Namespace declared in the deployment yaml.
-	namespace = "test-webhook"
+	namespace = "local-user-authenticator"
 	// This string must match the name of the Service declared in the deployment yaml.
-	serviceName = "test-webhook"
+	serviceName = "local-user-authenticator"
 
 	// TODO there must be a better way to get this specific json result string without needing to hardcode it
 	unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
@@ -268,7 +268,7 @@ func startControllers(
 				controllerlib.WithInformer,
 				controllerlib.WithInitialEvent,
 				aVeryLongTime,
-				"test-webhook CA",
+				"local-user-authenticator CA",
 				serviceName,
 			),
 			singletonWorker,

cmd/local-user-authenticator/main_test.go

@@ -66,7 +66,7 @@ func TestWebhook(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			UID:       types.UID(passwordUndefinedUID),
 			Name:      passwordUndefinedUser,
-			Namespace: "test-webhook",
+			Namespace: "local-user-authenticator",
 		},
 		Data: map[string][]byte{
 			"groups": []byte(groups),
@@ -80,7 +80,7 @@ func TestWebhook(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			UID:       types.UID(underfinedGroupsUID),
 			Name:      underfinedGroupsUser,
-			Namespace: "test-webhook",
+			Namespace: "local-user-authenticator",
 		},
 		Data: map[string][]byte{
 			"passwordHash": undefinedGroupsUserPasswordHash,
@@ -389,10 +389,10 @@ func createSecretInformer(t *testing.T, kubeClient kubernetes.Interface) corev1i
 func newCertProvider(t *testing.T) (provider.DynamicTLSServingCertProvider, []byte, string) {
 	t.Helper()
 
-	ca, err := certauthority.New(pkix.Name{CommonName: "test-webhook CA"}, time.Hour*24)
+	ca, err := certauthority.New(pkix.Name{CommonName: "local-user-authenticator CA"}, time.Hour*24)
 	require.NoError(t, err)
 
-	serverName := "test-webhook"
+	serverName := "local-user-authenticator"
 	cert, err := ca.Issue(
 		pkix.Name{CommonName: serverName},
 		[]string{},
@@ -482,7 +482,7 @@ func addSecretToFakeClientTracker(t *testing.T, kubeClient *kubernetesfake.Clien
 		ObjectMeta: metav1.ObjectMeta{
 			UID:       types.UID(uid),
 			Name:      username,
-			Namespace: "test-webhook",
+			Namespace: "local-user-authenticator",
 		},
 		Data: map[string][]byte{
 			"passwordHash": passwordHash,

deploy-local-user-authenticator/README.md

@@ -1,13 +1,13 @@
-# Deploying `test-webhook`
+# Deploying `local-user-authenticator`
 
-## What is `test-webhook`?
+## What is `local-user-authenticator`?
 
-The `test-webhook` app is an identity provider used for integration testing and demos.
+The `local-user-authenticator` app is an identity provider used for integration testing and demos.
 If you would like to demo Pinniped, but you don't have a compatible identity provider handy,
-you can use Pinniped's `test-webhook` identity provider. Note that this is not recommended for
+you can use Pinniped's `local-user-authenticator` identity provider. Note that this is not recommended for
 production use.
 
-The `test-webhook` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes
+The `local-user-authenticator` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes
 [Webhook Token Authentication interface](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
 
 User accounts can be created and edited dynamically using `kubectl` commands (see below).
@@ -26,43 +26,43 @@ apache2-utils`).
 
 1. The configuration options are in [values.yml](values.yaml). Fill in the values in that file, or override those values
    using `ytt` command-line options in the command below.
-2. In a terminal, cd to this `deploy-test-webhook` directory
+2. In a terminal, cd to this `deploy-local-user-authenticator` directory
 3. To generate the final YAML files, run: `ytt --file .`
 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
-   For example: `ytt --file . | kapp deploy --yes --app test-webhook --diff-changes --file -`
+   For example: `ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -`
 
 ## Configuring After Installing
 
 ### Create Users
 
 Use `kubectl` to create, edit, and delete user accounts by creating a `Secret` for each user account in the same
-namespace where `test-webhook` is deployed.  The name of the `Secret` resource is the username.
+namespace where `local-user-authenticator` is deployed.  The name of the `Secret` resource is the username.
 Store the user's group membership and `bcrypt` encrypted password as the contents of the `Secret`.
 For example, to create a user named `ryan` with the password `password123`
 who belongs to the groups `group1` and `group2`, use:
 
 ```bash
 kubectl create secret generic ryan \
-  --namespace test-webhook \
+  --namespace local-user-authenticator \
   --from-literal=groups=group1,group2 \
   --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")
 ```
 
-### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle
+### Get the `local-user-authenticator` App's Auto-Generated Certificate Authority Bundle
 
-Fetch the auto-generated CA bundle for the `test-webhook`'s HTTP TLS endpoint.
+Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint.
 
 ```bash
-kubectl get secret api-serving-cert --namespace test-webhook \
+kubectl get secret api-serving-cert --namespace local-user-authenticator \
   -o jsonpath={.data.caCertificate} \
   | base64 -d \
-  | tee /tmp/test-webhook-ca
+  | tee /tmp/local-user-authenticator-ca
 ```
 
-### Configuring Pinniped to Use `test-webhook` as an Identity Provider
+### Configuring Pinniped to Use `local-user-authenticator` as an Identity Provider
 
-When installing Pinniped on the same cluster, configure `test-webhook` as an Identity Provider for Pinniped
-using the webhook URL `https://test-webhook.test-webhook.svc/authenticate`
+When installing Pinniped on the same cluster, configure `local-user-authenticator` as an Identity Provider for Pinniped
+using the webhook URL `https://local-user-authenticator.local-user-authenticator.svc/authenticate`
 along with the CA bundle fetched by the above command.
 
 ### Optional: Manually Test the Webhook Endpoint
@@ -76,14 +76,14 @@ along with the CA bundle fetched by the above command.
   1. Copy the CA bundle that was fetched above onto the new pod.
 
       ```bash
-      kubectl cp /tmp/test-webhook-ca curlpod:/tmp/test-webhook-ca
+      kubectl cp /tmp/local-user-authenticator-ca curlpod:/tmp/local-user-authenticator-ca
       ```
 
   1. Run a `curl` command to try to authenticate as the user created above.
 
       ```bash
-      kubectl -it exec curlpod -- curl https://test-webhook.test-webhook.svc/authenticate \
-        --cacert /tmp/test-webhook-ca \
+      kubectl -it exec curlpod -- curl https://local-user-authenticator.local-user-authenticator.svc/authenticate \
+        --cacert /tmp/local-user-authenticator-ca \
         -H 'Content-Type: application/json' -H 'Accept: application/json' -d '
       {
         "apiVersion": "authentication.k8s.io/v1beta1",

deploy-local-user-authenticator/deployment.yaml

@@ -7,36 +7,36 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: test-webhook
+  name: local-user-authenticator
   labels:
-    name: test-webhook
+    name: local-user-authenticator
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: test-webhook-service-account
-  namespace: test-webhook
+  name: local-user-authenticator-service-account
+  namespace: local-user-authenticator
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-webhook
-  namespace: test-webhook
+  name: local-user-authenticator
+  namespace: local-user-authenticator
   labels:
-    app: test-webhook
+    app: local-user-authenticator
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: test-webhook
+      app: local-user-authenticator
   template:
     metadata:
       labels:
-        app: test-webhook
+        app: local-user-authenticator
     spec:
-      serviceAccountName: test-webhook-service-account
+      serviceAccountName: local-user-authenticator-service-account
       containers:
-        - name: test-webhook
+        - name: local-user-authenticator
           #@ if data.values.image_digest:
           image:  #@ data.values.image_repo + "@" + data.values.image_digest
           #@ else:
@@ -44,19 +44,19 @@ spec:
           #@ end
           imagePullPolicy: IfNotPresent
           command: #! override the default entrypoint
-            - /usr/local/bin/test-webhook
+            - /usr/local/bin/local-user-authenticator
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: test-webhook
-  namespace: test-webhook
+  name: local-user-authenticator
+  namespace: local-user-authenticator
   labels:
-    app: test-webhook
+    app: local-user-authenticator
 spec:
   type: ClusterIP
   selector:
-    app: test-webhook
+    app: local-user-authenticator
   ports:
     - protocol: TCP
       port: 443

deploy-local-user-authenticator/rbac.yaml

@@ -8,8 +8,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: test-webhook-aggregated-api-server-role
-  namespace: test-webhook
+  name: local-user-authenticator-aggregated-api-server-role
+  namespace: local-user-authenticator
 rules:
   - apiGroups: [""]
     resources: [secrets]
@@ -18,13 +18,13 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: test-webhook-aggregated-api-server-role-binding
-  namespace: test-webhook
+  name: local-user-authenticator-aggregated-api-server-role-binding
+  namespace: local-user-authenticator
 subjects:
   - kind: ServiceAccount
-    name: test-webhook-service-account
-    namespace: test-webhook
+    name: local-user-authenticator-service-account
+    namespace: local-user-authenticator
 roleRef:
   kind: Role
-  name: test-webhook-aggregated-api-server-role
+  name: local-user-authenticator-aggregated-api-server-role
   apiGroup: rbac.authorization.k8s.io

deploy/README.md

@@ -4,7 +4,7 @@
 
 If you would like to try Pinniped, but you don't have a compatible identity provider,
 you can use Pinniped's test identity provider.
-See [../deploy-test-webhook/README.md](../deploy-test-webhook/README.md)
+See [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
 for details.
 
 ## Tools

hack/prepare-for-integration-tests.sh

@@ -212,24 +212,24 @@ else
   manifest=/tmp/manifest.yaml
 
   #
-  # Deploy test-webhook
+  # Deploy local-user-authenticator
   #
-  pushd deploy-test-webhook >/dev/null
+  pushd deploy-local-user-authenticator >/dev/null
 
-  log_note "Deploying the test-webhook app to the cluster..."
+  log_note "Deploying the local-user-authenticator app to the cluster..."
   ytt --file . \
     --data-value "image_repo=$registry_repo" \
     --data-value "image_tag=$tag" >"$manifest"
 
   echo
-  log_note "Full test-webhook app manifest with Secrets redacted..."
+  log_note "Full local-user-authenticator app manifest with Secrets redacted..."
   echo "--------------------------------------------------------------------------------"
   print_redacted_manifest $manifest
   echo "--------------------------------------------------------------------------------"
   echo
 
   kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
-  kapp deploy --yes --app test-webhook --diff-changes --file "$manifest"
+  kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
 
   popd >/dev/null
 
@@ -239,7 +239,7 @@ else
   test_password="test-password"
   test_groups="test-group-0,test-group-1"
   kubectl create secret generic "$test_username" \
-    --namespace test-webhook \
+    --namespace local-user-authenticator \
     --from-literal=groups="$test_groups" \
     --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
     --dry-run=client \
@@ -248,8 +248,8 @@ else
 
   app_name="pinniped"
   namespace="integration"
-  webhook_url="https://test-webhook.test-webhook.svc/authenticate"
-  webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace test-webhook -o 'jsonpath={.data.caCertificate}')"
+  webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
+  webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
   discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
 
   #
@@ -312,5 +312,5 @@ EOF
   log_note
   log_note "When you're finished, use 'kind delete cluster' to tear down the cluster."
   log_note
-  log_note "To delete the deployments, run 'kapp delete -a test-webhook -y && kapp delete -a pinniped -y'."
+  log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'."
 fi