From b7bdb7f3b163e78fa44b1ea7e54aada940d5cdb0 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 10 Sep 2020 15:20:02 -0700 Subject: [PATCH] Rename `test-webhook` to `local-user-authenticator` Signed-off-by: Andrew Keesler --- Dockerfile | 4 +- .../main.go | 6 +-- .../main_test.go | 10 ++--- .../README.md | 38 +++++++++---------- .../deployment.yaml | 32 ++++++++-------- .../rbac.yaml | 14 +++---- .../values.yaml | 0 deploy/README.md | 2 +- hack/prepare-for-integration-tests.sh | 18 ++++----- 9 files changed, 62 insertions(+), 62 deletions(-) rename cmd/{test-webhook => local-user-authenticator}/main.go (98%) rename cmd/{test-webhook => local-user-authenticator}/main_test.go (98%) rename {deploy-test-webhook => deploy-local-user-authenticator}/README.md (68%) rename {deploy-test-webhook => deploy-local-user-authenticator}/deployment.yaml (57%) rename {deploy-test-webhook => deploy-local-user-authenticator}/rbac.yaml (58%) rename {deploy-test-webhook => deploy-local-user-authenticator}/values.yaml (100%) diff --git a/Dockerfile b/Dockerfile index eba31050..8992730b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,14 +21,14 @@ COPY hack ./hack # Build the executable binary (CGO_ENABLED=0 means static linking) RUN mkdir out \ && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \ - && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/test-webhook/... + && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/... # Use a runtime image based on Debian slim FROM debian:10.5-slim # Copy the binaries from the build-env stage COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server -COPY --from=build-env /work/out/test-webhook /usr/local/bin/test-webhook +COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator # Document the port EXPOSE 443 diff --git a/cmd/test-webhook/main.go b/cmd/local-user-authenticator/main.go similarity index 98% rename from cmd/test-webhook/main.go rename to cmd/local-user-authenticator/main.go index 9214ad0d..b5d1400e 100644 --- a/cmd/test-webhook/main.go +++ b/cmd/local-user-authenticator/main.go @@ -42,9 +42,9 @@ import ( const ( // This string must match the name of the Namespace declared in the deployment yaml. - namespace = "test-webhook" + namespace = "local-user-authenticator" // This string must match the name of the Service declared in the deployment yaml. - serviceName = "test-webhook" + serviceName = "local-user-authenticator" // TODO there must be a better way to get this specific json result string without needing to hardcode it unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}` @@ -268,7 +268,7 @@ func startControllers( controllerlib.WithInformer, controllerlib.WithInitialEvent, aVeryLongTime, - "test-webhook CA", + "local-user-authenticator CA", serviceName, ), singletonWorker, diff --git a/cmd/test-webhook/main_test.go b/cmd/local-user-authenticator/main_test.go similarity index 98% rename from cmd/test-webhook/main_test.go rename to cmd/local-user-authenticator/main_test.go index 66de0aa0..4ac44fa6 100644 --- a/cmd/test-webhook/main_test.go +++ b/cmd/local-user-authenticator/main_test.go @@ -66,7 +66,7 @@ func TestWebhook(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ UID: types.UID(passwordUndefinedUID), Name: passwordUndefinedUser, - Namespace: "test-webhook", + Namespace: "local-user-authenticator", }, Data: map[string][]byte{ "groups": []byte(groups), @@ -80,7 +80,7 @@ func TestWebhook(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ UID: types.UID(underfinedGroupsUID), Name: underfinedGroupsUser, - Namespace: "test-webhook", + Namespace: "local-user-authenticator", }, Data: map[string][]byte{ "passwordHash": undefinedGroupsUserPasswordHash, @@ -389,10 +389,10 @@ func createSecretInformer(t *testing.T, kubeClient kubernetes.Interface) corev1i func newCertProvider(t *testing.T) (provider.DynamicTLSServingCertProvider, []byte, string) { t.Helper() - ca, err := certauthority.New(pkix.Name{CommonName: "test-webhook CA"}, time.Hour*24) + ca, err := certauthority.New(pkix.Name{CommonName: "local-user-authenticator CA"}, time.Hour*24) require.NoError(t, err) - serverName := "test-webhook" + serverName := "local-user-authenticator" cert, err := ca.Issue( pkix.Name{CommonName: serverName}, []string{}, @@ -482,7 +482,7 @@ func addSecretToFakeClientTracker(t *testing.T, kubeClient *kubernetesfake.Clien ObjectMeta: metav1.ObjectMeta{ UID: types.UID(uid), Name: username, - Namespace: "test-webhook", + Namespace: "local-user-authenticator", }, Data: map[string][]byte{ "passwordHash": passwordHash, diff --git a/deploy-test-webhook/README.md b/deploy-local-user-authenticator/README.md similarity index 68% rename from deploy-test-webhook/README.md rename to deploy-local-user-authenticator/README.md index 6aaac5bf..a4f4b88f 100644 --- a/deploy-test-webhook/README.md +++ b/deploy-local-user-authenticator/README.md @@ -1,13 +1,13 @@ -# Deploying `test-webhook` +# Deploying `local-user-authenticator` -## What is `test-webhook`? +## What is `local-user-authenticator`? -The `test-webhook` app is an identity provider used for integration testing and demos. +The `local-user-authenticator` app is an identity provider used for integration testing and demos. If you would like to demo Pinniped, but you don't have a compatible identity provider handy, -you can use Pinniped's `test-webhook` identity provider. Note that this is not recommended for +you can use Pinniped's `local-user-authenticator` identity provider. Note that this is not recommended for production use. -The `test-webhook` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes +The `local-user-authenticator` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes [Webhook Token Authentication interface](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication). User accounts can be created and edited dynamically using `kubectl` commands (see below). @@ -26,43 +26,43 @@ apache2-utils`). 1. The configuration options are in [values.yml](values.yaml). Fill in the values in that file, or override those values using `ytt` command-line options in the command below. -2. In a terminal, cd to this `deploy-test-webhook` directory +2. In a terminal, cd to this `deploy-local-user-authenticator` directory 3. To generate the final YAML files, run: `ytt --file .` 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/). - For example: `ytt --file . | kapp deploy --yes --app test-webhook --diff-changes --file -` + For example: `ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -` ## Configuring After Installing ### Create Users Use `kubectl` to create, edit, and delete user accounts by creating a `Secret` for each user account in the same -namespace where `test-webhook` is deployed. The name of the `Secret` resource is the username. +namespace where `local-user-authenticator` is deployed. The name of the `Secret` resource is the username. Store the user's group membership and `bcrypt` encrypted password as the contents of the `Secret`. For example, to create a user named `ryan` with the password `password123` who belongs to the groups `group1` and `group2`, use: ```bash kubectl create secret generic ryan \ - --namespace test-webhook \ + --namespace local-user-authenticator \ --from-literal=groups=group1,group2 \ --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") ``` -### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle +### Get the `local-user-authenticator` App's Auto-Generated Certificate Authority Bundle -Fetch the auto-generated CA bundle for the `test-webhook`'s HTTP TLS endpoint. +Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint. ```bash -kubectl get secret api-serving-cert --namespace test-webhook \ +kubectl get secret api-serving-cert --namespace local-user-authenticator \ -o jsonpath={.data.caCertificate} \ | base64 -d \ - | tee /tmp/test-webhook-ca + | tee /tmp/local-user-authenticator-ca ``` -### Configuring Pinniped to Use `test-webhook` as an Identity Provider +### Configuring Pinniped to Use `local-user-authenticator` as an Identity Provider -When installing Pinniped on the same cluster, configure `test-webhook` as an Identity Provider for Pinniped -using the webhook URL `https://test-webhook.test-webhook.svc/authenticate` +When installing Pinniped on the same cluster, configure `local-user-authenticator` as an Identity Provider for Pinniped +using the webhook URL `https://local-user-authenticator.local-user-authenticator.svc/authenticate` along with the CA bundle fetched by the above command. ### Optional: Manually Test the Webhook Endpoint @@ -76,14 +76,14 @@ along with the CA bundle fetched by the above command. 1. Copy the CA bundle that was fetched above onto the new pod. ```bash - kubectl cp /tmp/test-webhook-ca curlpod:/tmp/test-webhook-ca + kubectl cp /tmp/local-user-authenticator-ca curlpod:/tmp/local-user-authenticator-ca ``` 1. Run a `curl` command to try to authenticate as the user created above. ```bash - kubectl -it exec curlpod -- curl https://test-webhook.test-webhook.svc/authenticate \ - --cacert /tmp/test-webhook-ca \ + kubectl -it exec curlpod -- curl https://local-user-authenticator.local-user-authenticator.svc/authenticate \ + --cacert /tmp/local-user-authenticator-ca \ -H 'Content-Type: application/json' -H 'Accept: application/json' -d ' { "apiVersion": "authentication.k8s.io/v1beta1", diff --git a/deploy-test-webhook/deployment.yaml b/deploy-local-user-authenticator/deployment.yaml similarity index 57% rename from deploy-test-webhook/deployment.yaml rename to deploy-local-user-authenticator/deployment.yaml index b9a794a2..aed4257b 100644 --- a/deploy-test-webhook/deployment.yaml +++ b/deploy-local-user-authenticator/deployment.yaml @@ -7,36 +7,36 @@ apiVersion: v1 kind: Namespace metadata: - name: test-webhook + name: local-user-authenticator labels: - name: test-webhook + name: local-user-authenticator --- apiVersion: v1 kind: ServiceAccount metadata: - name: test-webhook-service-account - namespace: test-webhook + name: local-user-authenticator-service-account + namespace: local-user-authenticator --- apiVersion: apps/v1 kind: Deployment metadata: - name: test-webhook - namespace: test-webhook + name: local-user-authenticator + namespace: local-user-authenticator labels: - app: test-webhook + app: local-user-authenticator spec: replicas: 1 selector: matchLabels: - app: test-webhook + app: local-user-authenticator template: metadata: labels: - app: test-webhook + app: local-user-authenticator spec: - serviceAccountName: test-webhook-service-account + serviceAccountName: local-user-authenticator-service-account containers: - - name: test-webhook + - name: local-user-authenticator #@ if data.values.image_digest: image: #@ data.values.image_repo + "@" + data.values.image_digest #@ else: @@ -44,19 +44,19 @@ spec: #@ end imagePullPolicy: IfNotPresent command: #! override the default entrypoint - - /usr/local/bin/test-webhook + - /usr/local/bin/local-user-authenticator --- apiVersion: v1 kind: Service metadata: - name: test-webhook - namespace: test-webhook + name: local-user-authenticator + namespace: local-user-authenticator labels: - app: test-webhook + app: local-user-authenticator spec: type: ClusterIP selector: - app: test-webhook + app: local-user-authenticator ports: - protocol: TCP port: 443 diff --git a/deploy-test-webhook/rbac.yaml b/deploy-local-user-authenticator/rbac.yaml similarity index 58% rename from deploy-test-webhook/rbac.yaml rename to deploy-local-user-authenticator/rbac.yaml index a111c5a1..27ad1c2f 100644 --- a/deploy-test-webhook/rbac.yaml +++ b/deploy-local-user-authenticator/rbac.yaml @@ -8,8 +8,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: test-webhook-aggregated-api-server-role - namespace: test-webhook + name: local-user-authenticator-aggregated-api-server-role + namespace: local-user-authenticator rules: - apiGroups: [""] resources: [secrets] @@ -18,13 +18,13 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: test-webhook-aggregated-api-server-role-binding - namespace: test-webhook + name: local-user-authenticator-aggregated-api-server-role-binding + namespace: local-user-authenticator subjects: - kind: ServiceAccount - name: test-webhook-service-account - namespace: test-webhook + name: local-user-authenticator-service-account + namespace: local-user-authenticator roleRef: kind: Role - name: test-webhook-aggregated-api-server-role + name: local-user-authenticator-aggregated-api-server-role apiGroup: rbac.authorization.k8s.io diff --git a/deploy-test-webhook/values.yaml b/deploy-local-user-authenticator/values.yaml similarity index 100% rename from deploy-test-webhook/values.yaml rename to deploy-local-user-authenticator/values.yaml diff --git a/deploy/README.md b/deploy/README.md index ba16679f..96b0c344 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -4,7 +4,7 @@ If you would like to try Pinniped, but you don't have a compatible identity provider, you can use Pinniped's test identity provider. -See [../deploy-test-webhook/README.md](../deploy-test-webhook/README.md) +See [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md) for details. ## Tools diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index db885112..d7f2c777 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -212,24 +212,24 @@ else manifest=/tmp/manifest.yaml # - # Deploy test-webhook + # Deploy local-user-authenticator # - pushd deploy-test-webhook >/dev/null + pushd deploy-local-user-authenticator >/dev/null - log_note "Deploying the test-webhook app to the cluster..." + log_note "Deploying the local-user-authenticator app to the cluster..." ytt --file . \ --data-value "image_repo=$registry_repo" \ --data-value "image_tag=$tag" >"$manifest" echo - log_note "Full test-webhook app manifest with Secrets redacted..." + log_note "Full local-user-authenticator app manifest with Secrets redacted..." echo "--------------------------------------------------------------------------------" print_redacted_manifest $manifest echo "--------------------------------------------------------------------------------" echo kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. - kapp deploy --yes --app test-webhook --diff-changes --file "$manifest" + kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" popd >/dev/null @@ -239,7 +239,7 @@ else test_password="test-password" test_groups="test-group-0,test-group-1" kubectl create secret generic "$test_username" \ - --namespace test-webhook \ + --namespace local-user-authenticator \ --from-literal=groups="$test_groups" \ --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \ --dry-run=client \ @@ -248,8 +248,8 @@ else app_name="pinniped" namespace="integration" - webhook_url="https://test-webhook.test-webhook.svc/authenticate" - webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace test-webhook -o 'jsonpath={.data.caCertificate}')" + webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate" + webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" # @@ -312,5 +312,5 @@ EOF log_note log_note "When you're finished, use 'kind delete cluster' to tear down the cluster." log_note - log_note "To delete the deployments, run 'kapp delete -a test-webhook -y && kapp delete -a pinniped -y'." + log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'." fi