Rename test-webhook to local-user-authenticator

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Ryan Richard 2020-09-10 15:20:02 -07:00 committed by Andrew Keesler
parent 9baea83066
commit b7bdb7f3b1
9 changed files with 62 additions and 62 deletions


@ -21,14 +21,14 @@ COPY hack ./hack
# Build the executable binary (CGO_ENABLED=0 means static linking) # Build the executable binary (CGO_ENABLED=0 means static linking)
RUN mkdir out \ RUN mkdir out \
&& CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \ && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \
&& CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/test-webhook/... && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/...
# Use a runtime image based on Debian slim # Use a runtime image based on Debian slim
FROM debian:10.5-slim FROM debian:10.5-slim
# Copy the binaries from the build-env stage # Copy the binaries from the build-env stage
COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server
COPY --from=build-env /work/out/test-webhook /usr/local/bin/test-webhook COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator
# Document the port # Document the port
EXPOSE 443 EXPOSE 443


@ -42,9 +42,9 @@ import (
const ( const (
// This string must match the name of the Namespace declared in the deployment yaml. // This string must match the name of the Namespace declared in the deployment yaml.
namespace = "test-webhook" namespace = "local-user-authenticator"
// This string must match the name of the Service declared in the deployment yaml. // This string must match the name of the Service declared in the deployment yaml.
serviceName = "test-webhook" serviceName = "local-user-authenticator"
// TODO there must be a better way to get this specific json result string without needing to hardcode it // TODO there must be a better way to get this specific json result string without needing to hardcode it
unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}` unauthenticatedResponse = `{"apiVersion":"authentication.k8s.io/v1beta1","kind":"TokenReview","status":{"authenticated":false}}`
@ -268,7 +268,7 @@ func startControllers(
controllerlib.WithInformer, controllerlib.WithInformer,
controllerlib.WithInitialEvent, controllerlib.WithInitialEvent,
aVeryLongTime, aVeryLongTime,
"test-webhook CA", "local-user-authenticator CA",
serviceName, serviceName,
), ),
singletonWorker, singletonWorker,


@ -66,7 +66,7 @@ func TestWebhook(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
UID: types.UID(passwordUndefinedUID), UID: types.UID(passwordUndefinedUID),
Name: passwordUndefinedUser, Name: passwordUndefinedUser,
Namespace: "test-webhook", Namespace: "local-user-authenticator",
}, },
Data: map[string][]byte{ Data: map[string][]byte{
"groups": []byte(groups), "groups": []byte(groups),
@ -80,7 +80,7 @@ func TestWebhook(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
UID: types.UID(underfinedGroupsUID), UID: types.UID(underfinedGroupsUID),
Name: underfinedGroupsUser, Name: underfinedGroupsUser,
Namespace: "test-webhook", Namespace: "local-user-authenticator",
}, },
Data: map[string][]byte{ Data: map[string][]byte{
"passwordHash": undefinedGroupsUserPasswordHash, "passwordHash": undefinedGroupsUserPasswordHash,
@ -389,10 +389,10 @@ func createSecretInformer(t *testing.T, kubeClient kubernetes.Interface) corev1i
func newCertProvider(t *testing.T) (provider.DynamicTLSServingCertProvider, []byte, string) { func newCertProvider(t *testing.T) (provider.DynamicTLSServingCertProvider, []byte, string) {
t.Helper() t.Helper()
ca, err := certauthority.New(pkix.Name{CommonName: "test-webhook CA"}, time.Hour*24) ca, err := certauthority.New(pkix.Name{CommonName: "local-user-authenticator CA"}, time.Hour*24)
require.NoError(t, err) require.NoError(t, err)
serverName := "test-webhook" serverName := "local-user-authenticator"
cert, err := ca.Issue( cert, err := ca.Issue(
pkix.Name{CommonName: serverName}, pkix.Name{CommonName: serverName},
[]string{}, []string{},
@ -482,7 +482,7 @@ func addSecretToFakeClientTracker(t *testing.T, kubeClient *kubernetesfake.Clien
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
UID: types.UID(uid), UID: types.UID(uid),
Name: username, Name: username,
Namespace: "test-webhook", Namespace: "local-user-authenticator",
}, },
Data: map[string][]byte{ Data: map[string][]byte{
"passwordHash": passwordHash, "passwordHash": passwordHash,


@ -1,13 +1,13 @@
# Deploying `test-webhook` # Deploying `local-user-authenticator`
## What is `test-webhook`? ## What is `local-user-authenticator`?
The `test-webhook` app is an identity provider used for integration testing and demos. The `local-user-authenticator` app is an identity provider used for integration testing and demos.
If you would like to demo Pinniped, but you don't have a compatible identity provider handy, If you would like to demo Pinniped, but you don't have a compatible identity provider handy,
you can use Pinniped's `test-webhook` identity provider. Note that this is not recommended for you can use Pinniped's `local-user-authenticator` identity provider. Note that this is not recommended for
production use. production use.
The `test-webhook` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes The `local-user-authenticator` is a Kubernetes Deployment which runs a webhook server that implements the Kubernetes
[Webhook Token Authentication interface](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication). [Webhook Token Authentication interface](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
User accounts can be created and edited dynamically using `kubectl` commands (see below). User accounts can be created and edited dynamically using `kubectl` commands (see below).
@ -26,43 +26,43 @@ apache2-utils`).
1. The configuration options are in [values.yml](values.yaml). Fill in the values in that file, or override those values 1. The configuration options are in [values.yml](values.yaml). Fill in the values in that file, or override those values
using `ytt` command-line options in the command below. using `ytt` command-line options in the command below.
2. In a terminal, cd to this `deploy-test-webhook` directory 2. In a terminal, cd to this `deploy-local-user-authenticator` directory
3. To generate the final YAML files, run: `ytt --file .` 3. To generate the final YAML files, run: `ytt --file .`
4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/). 4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
For example: `ytt --file . | kapp deploy --yes --app test-webhook --diff-changes --file -` For example: `ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -`
## Configuring After Installing ## Configuring After Installing
### Create Users ### Create Users
Use `kubectl` to create, edit, and delete user accounts by creating a `Secret` for each user account in the same Use `kubectl` to create, edit, and delete user accounts by creating a `Secret` for each user account in the same
namespace where `test-webhook` is deployed. The name of the `Secret` resource is the username. namespace where `local-user-authenticator` is deployed. The name of the `Secret` resource is the username.
Store the user's group membership and `bcrypt` encrypted password as the contents of the `Secret`. Store the user's group membership and `bcrypt` encrypted password as the contents of the `Secret`.
For example, to create a user named `ryan` with the password `password123` For example, to create a user named `ryan` with the password `password123`
who belongs to the groups `group1` and `group2`, use: who belongs to the groups `group1` and `group2`, use:
```bash ```bash
kubectl create secret generic ryan \ kubectl create secret generic ryan \
--namespace test-webhook \ --namespace local-user-authenticator \
--from-literal=groups=group1,group2 \ --from-literal=groups=group1,group2 \
--from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")
``` ```
### Get the `test-webhook` App's Auto-Generated Certificate Authority Bundle ### Get the `local-user-authenticator` App's Auto-Generated Certificate Authority Bundle
Fetch the auto-generated CA bundle for the `test-webhook`'s HTTP TLS endpoint. Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint.
```bash ```bash
kubectl get secret api-serving-cert --namespace test-webhook \ kubectl get secret api-serving-cert --namespace local-user-authenticator \
-o jsonpath={.data.caCertificate} \ -o jsonpath={.data.caCertificate} \
| base64 -d \ | base64 -d \
| tee /tmp/test-webhook-ca | tee /tmp/local-user-authenticator-ca
``` ```
### Configuring Pinniped to Use `test-webhook` as an Identity Provider ### Configuring Pinniped to Use `local-user-authenticator` as an Identity Provider
When installing Pinniped on the same cluster, configure `test-webhook` as an Identity Provider for Pinniped When installing Pinniped on the same cluster, configure `local-user-authenticator` as an Identity Provider for Pinniped
using the webhook URL `https://test-webhook.test-webhook.svc/authenticate` using the webhook URL `https://local-user-authenticator.local-user-authenticator.svc/authenticate`
along with the CA bundle fetched by the above command. along with the CA bundle fetched by the above command.
### Optional: Manually Test the Webhook Endpoint ### Optional: Manually Test the Webhook Endpoint
@ -76,14 +76,14 @@ along with the CA bundle fetched by the above command.
1. Copy the CA bundle that was fetched above onto the new pod. 1. Copy the CA bundle that was fetched above onto the new pod.
```bash ```bash
kubectl cp /tmp/test-webhook-ca curlpod:/tmp/test-webhook-ca kubectl cp /tmp/local-user-authenticator-ca curlpod:/tmp/local-user-authenticator-ca
``` ```
1. Run a `curl` command to try to authenticate as the user created above. 1. Run a `curl` command to try to authenticate as the user created above.
```bash ```bash
kubectl -it exec curlpod -- curl https://test-webhook.test-webhook.svc/authenticate \ kubectl -it exec curlpod -- curl https://local-user-authenticator.local-user-authenticator.svc/authenticate \
--cacert /tmp/test-webhook-ca \ --cacert /tmp/local-user-authenticator-ca \
-H 'Content-Type: application/json' -H 'Accept: application/json' -d ' -H 'Content-Type: application/json' -H 'Accept: application/json' -d '
{ {
"apiVersion": "authentication.k8s.io/v1beta1", "apiVersion": "authentication.k8s.io/v1beta1",


@ -7,36 +7,36 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: test-webhook name: local-user-authenticator
labels: labels:
name: test-webhook name: local-user-authenticator
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: test-webhook-service-account name: local-user-authenticator-service-account
namespace: test-webhook namespace: local-user-authenticator
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: test-webhook name: local-user-authenticator
namespace: test-webhook namespace: local-user-authenticator
labels: labels:
app: test-webhook app: local-user-authenticator
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: test-webhook app: local-user-authenticator
template: template:
metadata: metadata:
labels: labels:
app: test-webhook app: local-user-authenticator
spec: spec:
serviceAccountName: test-webhook-service-account serviceAccountName: local-user-authenticator-service-account
containers: containers:
- name: test-webhook - name: local-user-authenticator
#@ if data.values.image_digest: #@ if data.values.image_digest:
image: #@ data.values.image_repo + "@" + data.values.image_digest image: #@ data.values.image_repo + "@" + data.values.image_digest
#@ else: #@ else:
@ -44,19 +44,19 @@ spec:
#@ end #@ end
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: #! override the default entrypoint command: #! override the default entrypoint
- /usr/local/bin/test-webhook - /usr/local/bin/local-user-authenticator
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: test-webhook name: local-user-authenticator
namespace: test-webhook namespace: local-user-authenticator
labels: labels:
app: test-webhook app: local-user-authenticator
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: test-webhook app: local-user-authenticator
ports: ports:
- protocol: TCP - protocol: TCP
port: 443 port: 443


@ -8,8 +8,8 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: test-webhook-aggregated-api-server-role name: local-user-authenticator-aggregated-api-server-role
namespace: test-webhook namespace: local-user-authenticator
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: [secrets] resources: [secrets]
@ -18,13 +18,13 @@ rules:
kind: RoleBinding kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: test-webhook-aggregated-api-server-role-binding name: local-user-authenticator-aggregated-api-server-role-binding
namespace: test-webhook namespace: local-user-authenticator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: test-webhook-service-account name: local-user-authenticator-service-account
namespace: test-webhook namespace: local-user-authenticator
roleRef: roleRef:
kind: Role kind: Role
name: test-webhook-aggregated-api-server-role name: local-user-authenticator-aggregated-api-server-role
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io


@ -4,7 +4,7 @@
If you would like to try Pinniped, but you don't have a compatible identity provider, If you would like to try Pinniped, but you don't have a compatible identity provider,
you can use Pinniped's test identity provider. you can use Pinniped's test identity provider.
See [../deploy-test-webhook/README.md](../deploy-test-webhook/README.md) See [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md)
for details. for details.
## Tools ## Tools


@ -212,24 +212,24 @@ else
manifest=/tmp/manifest.yaml manifest=/tmp/manifest.yaml
# #
# Deploy test-webhook # Deploy local-user-authenticator
# #
pushd deploy-test-webhook >/dev/null pushd deploy-local-user-authenticator >/dev/null
log_note "Deploying the test-webhook app to the cluster..." log_note "Deploying the local-user-authenticator app to the cluster..."
ytt --file . \ ytt --file . \
--data-value "image_repo=$registry_repo" \ --data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" >"$manifest" --data-value "image_tag=$tag" >"$manifest"
echo echo
log_note "Full test-webhook app manifest with Secrets redacted..." log_note "Full local-user-authenticator app manifest with Secrets redacted..."
echo "--------------------------------------------------------------------------------" echo "--------------------------------------------------------------------------------"
print_redacted_manifest $manifest print_redacted_manifest $manifest
echo "--------------------------------------------------------------------------------" echo "--------------------------------------------------------------------------------"
echo echo
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
kapp deploy --yes --app test-webhook --diff-changes --file "$manifest" kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
popd >/dev/null popd >/dev/null
@ -239,7 +239,7 @@ else
test_password="test-password" test_password="test-password"
test_groups="test-group-0,test-group-1" test_groups="test-group-0,test-group-1"
kubectl create secret generic "$test_username" \ kubectl create secret generic "$test_username" \
--namespace test-webhook \ --namespace local-user-authenticator \
--from-literal=groups="$test_groups" \ --from-literal=groups="$test_groups" \
--from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \ --from-literal=passwordHash="$(htpasswd -nbBC 10 x "$test_password" | sed -e "s/^x://")" \
--dry-run=client \ --dry-run=client \
@ -248,8 +248,8 @@ else
app_name="pinniped" app_name="pinniped"
namespace="integration" namespace="integration"
webhook_url="https://test-webhook.test-webhook.svc/authenticate" webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace test-webhook -o 'jsonpath={.data.caCertificate}')" webhook_ca_bundle="$(kubectl get secret api-serving-cert --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')" discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"
# #
@ -312,5 +312,5 @@ EOF
log_note log_note
log_note "When you're finished, use 'kind delete cluster' to tear down the cluster." log_note "When you're finished, use 'kind delete cluster' to tear down the cluster."
log_note log_note
log_note "To delete the deployments, run 'kapp delete -a test-webhook -y && kapp delete -a pinniped -y'." log_note "To delete the deployments, run 'kapp delete -a local-user-authenticator -y && kapp delete -a pinniped -y'."
fi fi