diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh
index 8b6d5969..9c17d26c 100755
--- a/hack/prepare-supervisor-on-kind.sh
+++ b/hack/prepare-supervisor-on-kind.sh
@@ -1,12 +1,17 @@
 #!/usr/bin/env bash
-# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
 # A script to perform the setup required to manually test using the supervisor on a kind cluster.
 # Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.
 #
+# This script is a little hacky to avoid setting up any kind of ingress or load balancer on Kind.
+# It uses an http proxy server and port forwarding to route the requests into the cluster.
+# This is only intended for quick manual testing of features by contributors and is not a
+# representation of how to really deploy or configure Pinniped.
+#
 # This uses the Supervisor and Concierge in the same cluster. Usually the Supervisor would be
 # deployed in one cluster while each workload cluster would have a Concierge. All the workload
 # cluster Concierge configurations would be similar to each other, all trusting the same Supervisor.
@@ -22,6 +27,7 @@ cd "$ROOT"
 use_oidc_upstream=no
 use_ldap_upstream=no
+use_ad_upstream=no
 while (("$#")); do
 case "$1" in
 --ldap)
@@ -32,6 +38,12 @@ while (("$#")); do
 use_oidc_upstream=yes
 shift
 ;;
+ --ad)
+ # Use an ActiveDirectoryIdentityProvider.
+ # This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh.
+ use_ad_upstream=yes
+ shift
+ ;;
 -*)
 log_error "Unsupported flag $1" >&2
 exit 1
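Review bot: The new `--ad` arm only records the flag; the `PINNIPED_TEST_AD_*` variables it depends on (which, per the arm's own comment, come from running `prepare-for-integration-tests.sh --get-active-directory-vars`) are never checked, so invoking `--ad` in a shell that has not sourced them would presumably render empty values into the IdP manifest and into the login hints at the end of the script, unless the script's `set` options include `-u` (not visible in this hunk). A fail-fast assertion right after `use_ad_upstream=yes` makes that failure mode obvious instead of producing a half-configured identity provider: `: "${PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME:?run hack/prepare-for-integration-tests.sh --get-active-directory-vars first}"`. The enclosing `while`/`case` argument loop begins before this hunk.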
@@ -43,8 +55,8 @@ while (("$#")); do
 esac
 done
-if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" ]]; then
- echo "Error: Please use --oidc or --ldap to specify which type of upstream identity provider(s) you would like"
+if [[ "$use_oidc_upstream" == "no" && "$use_ldap_upstream" == "no" && "$use_ad_upstream" == "no" ]]; then
+ echo "Error: Please use --oidc, --ldap, or --ad to specify which type of upstream identity provider(s) you would like"
 exit 1
 fi
@@ -95,6 +107,7 @@ spec:
 EOF
 echo "Waiting for FederationDomain to initialize..."
+# Sleeping is a race, but that's probably good enough for the purposes of this script.
 sleep 5
 # Test that the federation domain is working before we proceed.
@@ -152,6 +165,10 @@ spec:
 certificateAuthorityData: "$PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE"
 bind:
 secretName: my-ldap-service-account
+ groupSearch:
+ base: "$PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE"
+ attributes:
+ groupName: "cn"
 userSearch:
 base: "$PINNIPED_TEST_LDAP_USERS_SEARCH_BASE"
 filter: "cn={}"
@@ -178,6 +195,39 @@ EOF
 --dry-run=client --output yaml | kubectl apply -f -
 fi
+if [[ "$use_ad_upstream" == "yes" ]]; then
+ # Make an ActiveDirectoryIdentityProvider.
+ cat <kubeconfig
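Review bot: The added `groupName: "cn"` under `groupSearch.attributes` makes a group's bare CN its Kubernetes group name, so two groups under `$PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE` that share a cn in different OUs would presumably collapse into a single RBAC subject; that is fine for a manual-test fixture but deserves a comment so the snippet is not copied into a real deployment as-is. I would put `# groupName "cn" flattens groups to their bare CN; same-cn groups in different OUs become one Kubernetes group.` on the line above `attributes:`. The heredoc and the `if [[ "$use_ldap_upstream" ... ]]` block that contain these lines start before this hunk, and the `--ad` hunk that follows is truncated in this view, so I have not reviewed the ActiveDirectoryIdentityProvider manifest itself.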
@@ -224,14 +281,21 @@ if [[ "$use_ldap_upstream" == "yes" ]]; then
 echo " Password: $PINNIPED_TEST_LDAP_USER_PASSWORD"
 fi
+if [[ "$use_ad_upstream" == "yes" ]]; then
+ echo
+ echo "When prompted for username and password by the CLI, use these values:"
+ echo " Username: $PINNIPED_TEST_AD_USER_USER_PRINCIPAL_NAME"
+ echo " Password: $PINNIPED_TEST_AD_USER_PASSWORD"
+fi
+
 # Perform a login using the kubectl plugin. This should print the URL to be followed for the Dex login page
 # if using an OIDC upstream, or should prompt on the CLI for username/password if using an LDAP upstream.
 echo
-echo "Running: https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" kubectl --kubeconfig ./kubeconfig get pods -A"
-https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
+echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" kubectl --kubeconfig ./kubeconfig get pods -A"
+PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
 # Print the identity of the currently logged in user. The CLI has cached your tokens, and will automatically refresh
 # your short-lived credentials whenever they expire, so you should not be prompted to log in again for the rest of the day.
 echo
-echo "Running: https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig"
-https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
+echo "Running: PINNIPED_DEBUG=true https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig"
+PINNIPED_DEBUG=true https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
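Review bot: The new `--ad` hint block echoes `$PINNIPED_TEST_AD_USER_PASSWORD` in clear text to stdout, and unlike the kind-local LDAP fixture the AD variables appear to describe an external directory (they are fetched with `--get-active-directory-vars`), so that credential ends up in terminal scrollback and in any captured log of this script. Naming the variable instead of expanding it keeps the hint usable without printing the secret: `echo " Password: (the value of \$PINNIPED_TEST_AD_USER_PASSWORD)"`; the LDAP line kept as context above it has the same issue and could be changed the same way. Separately, `PINNIPED_DEBUG=true` is now unconditionally set on both CLI invocations; if that debug output includes request details, a one-line comment noting it is intentional for this contributor-only script would save the next reader from wondering whether it should be gated behind a flag.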