Convert CLI tests to work through an HTTP forward proxy.

This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

test/deploy/dex/dex.yaml

@@ -6,13 +6,13 @@
 #@ load("@ytt:yaml", "yaml")
 
 #@ def dexConfig():
-issuer: #@ "http://127.0.0.1:" + str(data.values.ports.local) + "/dex"
+issuer: http://dex.dex.svc.cluster.local/dex
 storage:
   type: sqlite3
   config:
     file: ":memory:"
 web:
-  http: 0.0.0.0:5556
+  http: 0.0.0.0:80
 oauth2:
   skipApprovalScreen: true
 staticClients:
@@ -77,7 +77,7 @@ spec:
           - /etc/dex/cfg/config.yaml
           ports:
           - name: http
-            containerPort: 5556
+            containerPort: 80
           volumeMounts:
           - name: config
             mountPath: /etc/dex/cfg
@@ -94,9 +94,8 @@ metadata:
   labels:
     app: dex
 spec:
-  type: NodePort
+  type: ClusterIP
   selector:
     app: dex
   ports:
-    - port: 5556
-      nodePort: #@ data.values.ports.node
+    - port: 80

test/deploy/dex/proxy.yaml

@@ -0,0 +1,58 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: proxy
+  namespace: dex
+  labels:
+    app: proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: proxy
+  template:
+    metadata:
+      labels:
+        app: proxy
+    spec:
+      containers:
+        - name: proxy
+          image: docker.io/getpinniped/test-forward-proxy
+          imagePullPolicy: Always
+          ports:
+          - name: http
+            containerPort: 3128
+          resources:
+            requests:
+              cpu: "10m"
+              memory: "64Mi"
+            limits:
+              cpu: "10m"
+              memory: "64Mi"
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+            periodSeconds: 5
+            failureThreshold: 2
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxy
+  namespace: dex
+  labels:
+    app: proxy
+spec:
+  type: NodePort
+  selector:
+    app: proxy
+  ports:
+    - port: 3128
+      nodePort: #@ data.values.ports.node

test/deploy/dex/values.yaml

@@ -8,10 +8,10 @@ ports:
   #! Used in the Dex configuration to form the valid redirect URIs for our test client.
   cli: 48095
 
-  #! Kubernetes NodePort that should be forwarded to the Dex service.
+  #! Kubernetes NodePort that should be forwarded to the proxy service.
   #! Used to create a Service of type: NodePort
   node: 31235
 
-  #! External port where Dex ends up exposed on localhost during tests. This value comes from our
-  #! Kind configuration which maps 127.0.0.1:12346 to port 31235 on the Kind worker node.
+  #! External port where the proxy ends up exposed on localhost during tests. This value comes from
+  #! our Kind configuration which maps 127.0.0.1:12346 to port 31235 on the Kind worker node.
   local: 12346