From 7bb5657c4d5e592237bfdc508183e3842977b88b Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 31 Mar 2021 11:39:10 -0700
Subject: [PATCH] Add hack/prepare-supervisor-on-kind.sh
A demo of running the Supervisor and Concierge on a kind cluster. Can be used to quickly set up an environment for manual testing. Also added some missing copyright headers to other hack scripts.
---
 hack/prepare-for-integration-tests.sh | 5 +
 hack/prepare-impersonator-on-kind.sh | 5 +
 hack/prepare-supervisor-on-kind.sh | 156 ++++++++++++++++++++++++++
 3 files changed, 166 insertions(+)
 create mode 100755 hack/prepare-supervisor-on-kind.sh
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 6c6d522d..5446e85e 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
+# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
 # This script can be used to prepare a kind cluster and deploy the app.
 # You can call this script again to redeploy the app.
 # It will also output instructions on how to run the integration.
+#
 set -euo pipefail
diff --git a/hack/prepare-impersonator-on-kind.sh b/hack/prepare-impersonator-on-kind.sh
index aae4f459..3734f16f 100755
--- a/hack/prepare-impersonator-on-kind.sh
+++ b/hack/prepare-impersonator-on-kind.sh
@@ -1,7 +1,12 @@
 #!/usr/bin/env bash
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
 # A script to perform the setup required to manually test using the impersonation proxy on a kind cluster.
 # Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.
+#
 set -euo pipefail
diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh
new file mode 100755
index 00000000..d2645de8
--- /dev/null
+++ b/hack/prepare-supervisor-on-kind.sh
@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# A script to perform the setup required to manually test using the supervisor on a kind cluster.
+# Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh.
+#
+# This uses the Supervisor and Concierge in the same cluster. Usually the Supervisor would be
+# deployed in one cluster while each workload cluster would have a Concierge. All the workload
+# cluster Concierge configurations would be similar to each other, all trusting the same Supervisor.
+#
+# Depends on `step` which can be installed by `brew install step` on MacOS.
+#
+
+set -euo pipefail
+
+# Change working directory to the top of the repo.
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT"
+
+# Read the env vars output by hack/prepare-for-integration-tests.sh
+source /tmp/integration-test-env
+
+# Choose some filenames.
+root_ca_crt_path=root_ca.crt
+root_ca_key_path=root_ca.key
+tls_crt_path=tls.crt
+tls_key_path=tls.key
+
+# Choose an audience name for the Concierge.
+audience="my-workload-cluster-$(openssl rand -hex 4)"
+
+# These settings align with how the Dex redirect URI is configured by hack/prepare-for-integration-tests.sh.
+# Note that this hostname can only be resolved inside the cluster, so we will use a web proxy running inside
+# the cluster whenever we want to be able to connect to it.
+issuer_host="pinniped-supervisor-clusterip.supervisor.svc.cluster.local"
+issuer="https://$issuer_host/some/path"
+
+# Create a CA and TLS serving certificates for the Supervisor.
+step certificate create \
+ "Supervisor CA" "$root_ca_crt_path" "$root_ca_key_path" \
+ --profile root-ca \
+ --no-password --insecure --force
+step certificate create \
+ "$issuer_host" "$tls_crt_path" "$tls_key_path" \
+ --profile leaf \
+ --not-after 8760h \
+ --ca "$root_ca_crt_path" --ca-key "$root_ca_key_path" \
+ --no-password --insecure --force
+
+# Put the TLS certificate into a Secret for the Supervisor.
+kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation-domain-tls --cert "$tls_crt_path" --key "$tls_key_path" \
+ --dry-run=client --output yaml | kubectl apply -f -
+
+# Make a FederationDomain using the TLS Secret from above.
+cat <kubeconfig
+
+# Clear the local CLI cache to ensure that the kubectl command below will need to perform a fresh login.
+rm -f "$HOME"/.config/pinniped/sessions.yaml
+
+echo
+echo "Ready! 🚀"
+echo "To be able to access the login URL shown below, start Chrome like this:"
+echo " open -a \"Google Chrome\" --args --proxy-server=\"$PINNIPED_TEST_PROXY\""
+echo "Then use these credentials at the Dex login page:"
+echo " Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
+echo " Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
+
+# Perform a login using the kubectl plugin. This should print the URL to be followed for the Dex login page.
+echo
+echo "Running: https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" kubectl --kubeconfig ./kubeconfig get pods -A"
+https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
+
+# Print the identity of the currently logged in user. The CLI has cached your tokens, and will automatically refresh
+# your short-lived credentials whenever they expire, so you should not be prompted to log in again for the rest of the day.
+echo
+echo "Running: https_proxy=\"$PINNIPED_TEST_PROXY\" no_proxy=\"127.0.0.1\" ./pinniped whoami --kubeconfig ./kubeconfig"
+https_proxy="$PINNIPED_TEST_PROXY" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
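Review bot: The two `step certificate create` calls write the CA and serving private keys unencrypted (`--no-password --insecure`) into the repository root as `root_ca.key` and `tls.key` and nothing removes them, so they remain in the checkout after the demo and are one `git add .` away from being committed. Creating them under a scratch directory keeps them out of the tree, e.g. `work_dir="$(mktemp -d)"` followed by `root_ca_key_path="$work_dir/root_ca.key"` (and likewise for the other three paths); whether a `trap 'rm -rf -- "$work_dir"' EXIT` is also safe depends on nothing after this script reading those files, which I cannot confirm because the FederationDomain manifest and kubeconfig generation in the middle of this hunk are not legible in this rendering (`+cat <kubeconfig`). Separately, `source /tmp/integration-test-env` executes a file at a fixed path in the shared /tmp directory with no existence or ownership check, so a missing file aborts under `set -e` with an unhelpful error; a guard such as `[[ -f /tmp/integration-test-env ]] || { echo "run hack/prepare-for-integration-tests.sh first" >&2; exit 1; }` would at least make the prerequisite explicit.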