diff --git a/hack/prepare-jwtauthenticator-on-kind.sh b/hack/prepare-jwtauthenticator-on-kind.sh
new file mode 100755
index 000000000..8c70a4d80
--- /dev/null
+++ b/hack/prepare-jwtauthenticator-on-kind.sh
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# This script deploys a JWTAuthenticator to use for manual testing.
+# The JWTAuthenticator will be configured to use Dex as the issuer.
+#
+# This is for manually testing using the Concierge with a JWTAuthenticator
+# that points at some issuer other than the Pinniped Supervisor, as described in
+# https://pinniped.dev/docs/howto/concierge/configure-concierge-jwt/
+#
+# This script assumes that you have run the following command first:
+# PINNIPED_USE_CONTOUR=1 hack/prepare-for-integration-tests.sh
+# Contour is used to provide ingress for Dex, so the web browser
+# on your workstation can connect to Dex running inside the kind cluster.
+#
+
+set -euo pipefail
+
+# Change working directory to the top of the repo.
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT"
+
+# Read the env vars output by hack/prepare-for-integration-tests.sh.
+source /tmp/integration-test-env
+
+# Install Contour.
+kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
+
+# Wait for its pods to be ready.
+echo "Waiting for Contour to be ready..."
+kubectl wait --for 'jsonpath={.status.phase}=Succeeded' pods -l 'app=contour-certgen' -n projectcontour --timeout 60s
+kubectl wait --for 'jsonpath={.status.phase}=Running' pods -l 'app!=contour-certgen' -n projectcontour --timeout 60s
+
+# Capture just the hostname from a string that looks like https://host.name/foo.
+dex_host=$(echo "$PINNIPED_TEST_CLI_OIDC_ISSUER" | sed -E 's#^https://([^/]+)/.*#\1#')
+
+# Create an ingress for Dex which uses TLS passthrough to allow Dex to terminate TLS.
+cat <> /etc/hosts\""
+ log_error "When you are finished with your Kind cluster, you can remove these lines from /etc/hosts."
+ exit 1
+fi
+
+# Create the JWTAuthenticator.
+cat <&2
+kind: JWTAuthenticator
+apiVersion: authentication.concierge.pinniped.dev/v1alpha1
+metadata:
+ name: my-jwt-authenticator
+spec:
+ issuer: $PINNIPED_TEST_CLI_OIDC_ISSUER
+ tls:
+ certificateAuthorityData: $PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE
+ audience: $PINNIPED_TEST_CLI_OIDC_CLIENT_ID
+ claims:
+ username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM
+ groups: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM
+EOF
+
+# Clear the local CLI cache to ensure that commands run after this script will need to perform a fresh login.
+rm -f "$HOME/.config/pinniped/sessions.yaml"
+rm -f "$HOME/.config/pinniped/credentials.yaml"
+
+# Build the CLI.
+go build ./cmd/pinniped
+
+# Use the CLI to get a kubeconfig that will use this JWTAuthenticator.
+# Note that port 48095 is configured in Dex as part of the allowed redirect URI for this client.
+./pinniped get kubeconfig \
+ --oidc-client-id "$PINNIPED_TEST_CLI_OIDC_CLIENT_ID" \
+ --oidc-scopes "openid,offline_access,$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM,$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM" \
+ --oidc-listen-port 48095 \
+ >kubeconfig-jwtauthenticator.yaml
+
+echo "When prompted for username and password, use these values:"
+echo " OIDC Username: $PINNIPED_TEST_CLI_OIDC_USERNAME"
+echo " OIDC Password: $PINNIPED_TEST_CLI_OIDC_PASSWORD"
+echo
+
+echo "To log in using OIDC, run:"
+echo "PINNIPED_DEBUG=true ./pinniped whoami --kubeconfig ./kubeconfig-jwtauthenticator.yaml"
+echo
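Review bot: `source /tmp/integration-test-env` executes whatever sits at a fixed, predictable path under world-writable /tmp with no ownership or permission check, so on a shared workstation another local user could pre-create that file and run code as the developer; the header comment says hack/prepare-for-integration-tests.sh writes it, but nothing in this script verifies that before sourcing. A cheap guard is `[[ -O /tmp/integration-test-env ]] || { echo 'refusing to source /tmp/integration-test-env: not owned by the current user' >&2; exit 1; }` placed before the `source` line. Two smaller points: `kubectl apply -f https://projectcontour.io/quickstart/contour.yaml` applies an unpinned manifest fetched at run time, so this presumably dev-only script installs whatever the site serves that day and is worth pinning to a tagged release URL; and the `sed -E 's#^https://([^/]+)/.*#\1#'` extraction only matches an issuer that has a path after the host, so an issuer like `https://dex.example` would pass through unchanged as `dex_host` — `dex_host=${PINNIPED_TEST_CLI_OIDC_ISSUER#https://}; dex_host=${dex_host%%/*}` handles both forms without the echo/sed pipeline. The two `rm -f "$HOME/.config/pinniped/..."` lines also clear the developer's entire Pinniped CLI session cache rather than only entries for this kind cluster, which deserves a comment such as `# NOTE: this wipes cached sessions for every cluster, not just this kind cluster.` Parts of both heredocs (the Dex Ingress and the /etc/hosts check) appear garbled in this rendering, so those sections could not be reviewed here.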