#!/usr/bin/env bash # Copyright 2021 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # # A script to perform the setup required to manually test using the impersonation proxy on a kind cluster. # Assumes that you installed the apps already using hack/prepare-for-integration-tests.sh. # set -euo pipefail # The name of the namespace in which the concierge is installed. CONCIERGE_NAMESPACE=concierge # The name of the concierge app's Deployment. CONCIERGE_DEPLOYMENT=pinniped-concierge # The namespace in which the local-user-authenticator app is installed. LOCAL_USER_AUTHENTICATOR_NAMESPACE=local-user-authenticator # The port on which the impersonation proxy runs in the concierge pods. IMPERSONATION_PROXY_PORT=8444 # The port that we will use to access the impersonator from outside the cluster via `kubectl port-forward`. LOCAL_PORT=8777 LOCAL_HOST="127.0.0.1:${LOCAL_PORT}" # Change working directory to the top of the repo. ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" cd "$ROOT" # Build the CLI for use later in the script. go build ./cmd/pinniped # Create a test user and password. if ! kubectl get secret pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE; then kubectl create secret generic pinny-the-seal --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \ --from-literal=groups=group1,group2 \ --from-literal=passwordHash="$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")" fi # Get the CA of the local-user-authenticator. LOCAL_USER_AUTHENTICATOR_CA=$(kubectl get secret local-user-authenticator-tls-serving-certificate \ --namespace $LOCAL_USER_AUTHENTICATOR_NAMESPACE \ -o jsonpath=\{.data.caCertificate\}) # Create a WebhookAuthenticator which points at the local-user-authenticator. cat < /dev/null || true } trap cleanup EXIT # Get a working kubeconfig that will send requests through the impersonation proxy. ./pinniped get kubeconfig \ --static-token "pinny-the-seal:password123" \ --concierge-mode ImpersonationProxy >/tmp/kubeconfig echo echo 'Ready. In another tab, use "kubectl --kubeconfig /tmp/kubeconfig " to make requests through the impersonation proxy.' echo "When done, cancel with ctrl-C to clean up." wait $port_forward_pid