Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt

- Rename the test/deploy/dex directory to test/deploy/tools - Rename the dex namespace to tools - Add a new ytt value called `pinny_ldap_password` for the tools ytt templates - This new value is not used on main at this time. We intend to use it in the forthcoming ldap branch. We're defining it on main so that the CI scripts can use it across all branches and PRs. Signed-off-by: Ryan Richard <richardry@vmware.com>
2026-01-05 04:56:11 +00:00 · 2021-04-05 15:01:17 -07:00
parent 9cd2b6e855
commit c53507809d
20 changed files with 181 additions and 591 deletions
--- a/test/deploy/tools/cert-issuer.yaml
+++ b/test/deploy/tools/cert-issuer.yaml
@@ -0,0 +1,111 @@
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-issuer
+  namespace: tools
+  labels:
+    app: cert-issuer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-issuer
+  namespace: tools
+  labels:
+    app: cert-issuer
+rules:
+  - apiGroups: [""]
+    resources: [secrets]
+    verbs: [create, get, patch, update, watch, delete]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cert-issuer
+  namespace: tools
+  labels:
+    app: cert-issuer
+subjects:
+  - kind: ServiceAccount
+    name: cert-issuer
+    namespace: tools
+roleRef:
+  kind: Role
+  name: cert-issuer
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-issuer
+  namespace: tools
+  labels:
+    app: cert-issuer
+spec:
+  template:
+    spec:
+      serviceAccountName: cert-issuer
+      initContainers:
+      - name: generate-certs
+        image: cfssl/cfssl:1.5.0
+        imagePullPolicy: IfNotPresent
+        command: ["/bin/bash"]
+        args:
+        - -c
+        - |
+          cd /var/certs
+          cfssl print-defaults config > /tmp/cfssl-default.json
+          echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json
+
+          echo "generating CA key..."
+          cfssl genkey \
+            -config /tmp/cfssl-default.json \
+            -initca /tmp/csr.json \
+            | cfssljson -bare ca
+
+          echo "generating Dex server certificate..."
+          cfssl gencert \
+            -ca ca.pem -ca-key ca-key.pem \
+            -config /tmp/cfssl-default.json \
+            -profile www \
+            -cn "dex.tools.svc.cluster.local" \
+            -hostname "dex.tools.svc.cluster.local" \
+            /tmp/csr.json \
+            | cfssljson -bare dex
+
+          echo "generating LDAP server certificate..."
+          cfssl gencert \
+            -ca ca.pem -ca-key ca-key.pem \
+            -config /tmp/cfssl-default.json \
+            -profile www \
+            -cn "ldap.tools.svc.cluster.local" \
+            -hostname "ldap.tools.svc.cluster.local" \
+            /tmp/csr.json \
+            | cfssljson -bare ldap
+
+          chmod -R 777 /var/certs
+
+          echo "generated certificates:"
+          ls -l /var/certs
+        volumeMounts:
+        - name: certs
+          mountPath: /var/certs
+      containers:
+      - name: save-certs
+        image: bitnami/kubectl
+        command: ["/bin/bash"]
+        args:
+        - -c
+        - |
+          kubectl get secrets -n tools certs -o jsonpath='created: {.metadata.creationTimestamp}' || \
+            kubectl create secret generic -n tools certs --from-file=/var/certs
+        volumeMounts:
+        - name: certs
+          mountPath: /var/certs
+      volumes:
+      - name: certs
+        emptyDir: {}
+      restartPolicy: Never
--- a/test/deploy/tools/dex.yaml
+++ b/test/deploy/tools/dex.yaml
@@ -0,0 +1,108 @@
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+#@ load("@ytt:sha256", "sha256")
+#@ load("@ytt:yaml", "yaml")
+
+#@ def dexConfig():
+issuer: https://dex.tools.svc.cluster.local/dex
+storage:
+  type: sqlite3
+  config:
+    file: ":memory:"
+web:
+  https: 0.0.0.0:8443
+  tlsCert: /var/certs/dex.pem
+  tlsKey: /var/certs/dex-key.pem
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: pinniped-cli
+  name: 'Pinniped CLI'
+  public: true
+  redirectURIs:
+  - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
+  - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
+- id: pinniped-supervisor
+  name: 'Pinniped Supervisor'
+  secret: pinniped-supervisor-secret
+  redirectURIs: #@ data.values.supervisor_redirect_uris
+enablePasswordDB: true
+staticPasswords:
+- username: "pinny"
+  email: "pinny@example.com"
+  hash: #@ data.values.pinny_bcrypt_passwd_hash
+  userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
+#@ end
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dex-config
+  namespace: tools
+  labels:
+    app: dex
+data:
+  config.yaml: #@ yaml.encode(dexConfig())
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dex
+  namespace: tools
+  labels:
+    app: dex
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dex
+  template:
+    metadata:
+      labels:
+        app: dex
+      annotations:
+        dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
+    spec:
+      containers:
+      - name: dex
+        image: ghcr.io/dexidp/dex:v2.27.0
+        imagePullPolicy: IfNotPresent
+        command:
+        - /usr/local/bin/dex
+        - serve
+        - /etc/dex/cfg/config.yaml
+        ports:
+        - name: https
+          containerPort: 8443
+        volumeMounts:
+        - name: dex-config
+          mountPath: /etc/dex/cfg
+        - name: certs
+          mountPath: /var/certs
+          readOnly: true
+      volumes:
+      - name: dex-config
+        configMap:
+          name: dex-config
+      - name: certs
+        secret:
+          secretName: certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+  namespace: tools
+  labels:
+    app: dex
+spec:
+  type: ClusterIP
+  selector:
+    app: dex
+  ports:
+  - name: https
+    port: 443
+    targetPort: 8443
--- a/test/deploy/tools/namespace.yaml
+++ b/test/deploy/tools/namespace.yaml
@@ -0,0 +1,8 @@
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tools
--- a/test/deploy/tools/proxy.yaml
+++ b/test/deploy/tools/proxy.yaml
@@ -0,0 +1,74 @@
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: proxy
+  namespace: tools
+  labels:
+    app: proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: proxy
+  template:
+    metadata:
+      labels:
+        app: proxy
+    spec:
+      volumes:
+        - name: log-dir
+          emptyDir: {}
+      containers:
+        - name: proxy
+          image: projects.registry.vmware.com/pinniped/test-forward-proxy
+          imagePullPolicy: Always
+          ports:
+          - name: http
+            containerPort: 3128
+          resources:
+            requests:
+              cpu: "10m"
+              memory: "64Mi"
+            limits:
+              cpu: "10m"
+              memory: "64Mi"
+          volumeMounts:
+            - name: log-dir
+              mountPath: "/var/log/squid/"
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+            periodSeconds: 5
+            failureThreshold: 2
+        - name: accesslogs
+          image: debian:10.8-slim
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - tail -F /var/log/squid/access.log
+          volumeMounts:
+            - name: log-dir
+              mountPath: "/var/log/squid/"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy
+  namespace: tools
+  labels:
+    app: proxy
+spec:
+  type: NodePort
+  selector:
+    app: proxy
+  ports:
+    - port: 3128
+      nodePort: #@ data.values.ports.node
--- a/test/deploy/tools/values.yaml
+++ b/test/deploy/tools/values.yaml
@@ -0,0 +1,27 @@
+#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@data/values
+---
+ports:
+  #! Port on which the Pinniped CLI is listening for a callback (`--listen-port` flag value)
+  #! Used in the Dex configuration to form the valid redirect URIs for our test client.
+  cli: 48095
+
+  #! Kubernetes NodePort that should be forwarded to the proxy service.
+  #! Used to create a Service of type: NodePort
+  node: 31235
+
+  #! External port where the proxy ends up exposed on localhost during tests. This value comes from
+  #! our Kind configuration which maps 127.0.0.1:12346 to port 31235 on the Kind worker node.
+  local: 12346
+
+#! supervisor_redirect_uris is an array of redirect uris that dex will use for its pinniped-supervisor client.
+#! usage: --data-value-yaml "supervisor_redirect_uris=[some-redirect.com,some-other-redirect.com]"
+supervisor_redirect_uris: []
+
+#! The bcrypt-hashed password of the pinny test user account.
+pinny_bcrypt_passwd_hash:
+
+#! The plaintext password of the LDAP test account user.
+pinny_ldap_password: