small improvements to some hack scripts

Ryan Richard
2024-08-01 10:00:27 -07:00
parent 76f3430c68
commit f0cac8c5d3
4 changed files with 33 additions and 24 deletions


@@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Copyright 2023 the Pinniped contributors. All Rights Reserved. # Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
set -euo pipefail set -euo pipefail
@@ -62,9 +62,6 @@ while (("$#")); do
;; ;;
-*) -*)
log_error "Unsupported flag $1" >&2 log_error "Unsupported flag $1" >&2
if [[ "$1" == *"active-directory"* ]]; then
log_error "Did you mean --get-active-directory-vars?"
fi
exit 1 exit 1
;; ;;
*) *)


@@ -15,6 +15,9 @@
# For example, to alternatively build and deploy Pinniped as a Carvel package, use: # For example, to alternatively build and deploy Pinniped as a Carvel package, use:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh # PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh
# #
# Set PINNIPED_USE_CONTOUR=1 when running this script to cause the kind cluster created by this script to be
# ready for using PINNIPED_USE_CONTOUR=1 with subsequent hack scripts, e.g. prepare-supervisor-on-kind.sh.
#
set -euo pipefail set -euo pipefail
pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -109,9 +112,6 @@ while (("$#")); do
;; ;;
-*) -*)
log_error "Unsupported flag $1" >&2 log_error "Unsupported flag $1" >&2
if [[ "$1" == *"active-directory"* ]]; then
log_error "Did you mean --get-active-directory-vars?"
fi
exit 1 exit 1
;; ;;
*) *)


@@ -28,7 +28,7 @@
# PINNIPED_USE_CONTOUR=1 hack/prepare-for-integration-tests.sh -c # PINNIPED_USE_CONTOUR=1 hack/prepare-for-integration-tests.sh -c
# PINNIPED_USE_CONTOUR=1 hack/prepare-supervisor-on-kind.sh --oidc --ldap # PINNIPED_USE_CONTOUR=1 hack/prepare-supervisor-on-kind.sh --oidc --ldap
# #
# Depends on `step` which can be installed by `brew install step` on MacOS. # This script depends on `step` which can be installed by `brew install step` on MacOS.
# #
set -euo pipefail set -euo pipefail
@@ -69,11 +69,11 @@ while (("$#")); do
shift shift
;; ;;
--github) --github)
# This assumes that you used the --get-github-vars flag with hack/prepare-for-integration-tests.sh.
use_github_upstream=yes use_github_upstream=yes
shift shift
;; ;;
--ad) --ad)
# Use an ActiveDirectoryIdentityProvider.
# This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh. # This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh.
use_ad_upstream=yes use_ad_upstream=yes
shift shift
@@ -499,6 +499,7 @@ fi
# Make a JWTAuthenticator which respects JWTs from the Supervisor's issuer. # Make a JWTAuthenticator which respects JWTs from the Supervisor's issuer.
# The issuer URL must be accessible from within the cluster for OIDC discovery. # The issuer URL must be accessible from within the cluster for OIDC discovery.
echo "Creating JWTAuthenticator..."
cat <<EOF | kubectl apply -f - cat <<EOF | kubectl apply -f -
apiVersion: authentication.concierge.pinniped.dev/v1alpha1 apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator kind: JWTAuthenticator
@@ -511,9 +512,8 @@ spec:
certificateAuthorityData: $certificateAuthorityData certificateAuthorityData: $certificateAuthorityData
EOF EOF
echo "Waiting for JWTAuthenticator to initialize or update..." echo "Waiting for JWTAuthenticator to be ready..."
# Sleeping is a race, but that's probably good enough for the purposes of this script. kubectl wait --for=condition=Ready jwtauthenticator my-jwt-authenticator --timeout 60s
sleep 5
# Compile the CLI. # Compile the CLI.
echo "Building the Pinniped CLI..." echo "Building the Pinniped CLI..."
@@ -566,11 +566,12 @@ if [[ "${PINNIPED_USE_CONTOUR:-}" == "" && ("$use_oidc_upstream" == "yes" || "$u
echo " open -a \"Google Chrome\" --args --proxy-server=\"$proxy_server\"" echo " open -a \"Google Chrome\" --args --proxy-server=\"$proxy_server\""
echo "Note that Chrome must be fully quit before being started with --proxy-server." echo "Note that Chrome must be fully quit before being started with --proxy-server."
echo "Then open the login URL shown below in that new Chrome window." echo "Then open the login URL shown below in that new Chrome window."
echo
echo "When prompted for username and password, use these values:"
echo
fi fi
echo
echo "When prompted for username and password, use these values:"
echo
if [[ "$use_oidc_upstream" == "yes" ]]; then if [[ "$use_oidc_upstream" == "yes" ]]; then
echo " OIDC Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME" echo " OIDC Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
echo " OIDC Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD" echo " OIDC Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
@@ -599,22 +600,22 @@ fi
# Once the CLI has cached your tokens, it will automatically refresh your short-lived credentials whenever # Once the CLI has cached your tokens, it will automatically refresh your short-lived credentials whenever
# they expire, so you should not be prompted to log in again for the rest of the day. # they expire, so you should not be prompted to log in again for the rest of the day.
if [[ "$use_oidc_upstream" == "yes" ]]; then if [[ "$use_oidc_upstream" == "yes" ]]; then
echo "To log in using OIDC, run:" echo "To log in using OIDC:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-oidc.yaml" echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-oidc.yaml"
echo echo
fi fi
if [[ "$use_ldap_upstream" == "yes" ]]; then if [[ "$use_ldap_upstream" == "yes" ]]; then
echo "To log in using LDAP, run:" echo "To log in using LDAP:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ldap.yaml" echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ldap.yaml"
echo echo
fi fi
if [[ "$use_ad_upstream" == "yes" ]]; then if [[ "$use_ad_upstream" == "yes" ]]; then
echo "To log in using AD, run:" echo "To log in using AD:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ad.yaml" echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ad.yaml"
echo echo
fi fi
if [[ "$use_github_upstream" == "yes" ]]; then if [[ "$use_github_upstream" == "yes" ]]; then
echo "To log in using GitHub, run:" echo "To log in using GitHub:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-github.yaml" echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-github.yaml"
echo echo
fi fi
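Review bot: In the hunk at `-511,9 +512,8`, the new `kubectl wait --for=condition=Ready jwtauthenticator my-jwt-authenticator --timeout 60s` ends the script on timeout, since the file runs under `set -euo pipefail`, without showing why the authenticator never became Ready. Dumping the resource on failure would surface issuer-URL or CA-bundle validation problems directly: `kubectl wait --for=condition=Ready jwtauthenticator my-jwt-authenticator --timeout 60s || { kubectl get jwtauthenticator my-jwt-authenticator -o yaml >&2; exit 1; }`. The hard-coded name also has to stay in sync with `metadata.name` in the heredoc, which lies outside the lines shown in these hunks.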


@@ -19,22 +19,33 @@ cd "$ROOT"
source /tmp/integration-test-env source /tmp/integration-test-env
# Create WebhookAuthenticator. # Create WebhookAuthenticator.
echo "Creating WebhookAuthenticator..."
cat <<EOF | kubectl apply -f - 1>&2 cat <<EOF | kubectl apply -f - 1>&2
kind: WebhookAuthenticator kind: WebhookAuthenticator
apiVersion: authentication.concierge.pinniped.dev/v1alpha1 apiVersion: authentication.concierge.pinniped.dev/v1alpha1
metadata: metadata:
name: my-webhook name: my-webhook-authenticator
spec: spec:
endpoint: ${PINNIPED_TEST_WEBHOOK_ENDPOINT} endpoint: ${PINNIPED_TEST_WEBHOOK_ENDPOINT}
tls: tls:
certificateAuthorityData: ${PINNIPED_TEST_WEBHOOK_CA_BUNDLE} certificateAuthorityData: ${PINNIPED_TEST_WEBHOOK_CA_BUNDLE}
EOF EOF
echo "Waiting for WebhookAuthenticator to be ready..."
kubectl wait --for=condition=Ready webhookauthenticator my-webhook-authenticator --timeout 60s
# Compile the CLI.
echo "Building the Pinniped CLI..."
go build ./cmd/pinniped
# Use the CLI to get a kubeconfig that will use this WebhookAuthenticator. # Use the CLI to get a kubeconfig that will use this WebhookAuthenticator.
go build -o /tmp/pinniped ./cmd/pinniped echo "Generating webhook kubeconfig..."
/tmp/pinniped get kubeconfig \ /tmp/pinniped get kubeconfig \
--concierge-authenticator-type webhook \ --concierge-authenticator-type webhook \
--concierge-authenticator-name my-webhook \ --concierge-authenticator-name my-webhook-authenticator \
--static-token "$PINNIPED_TEST_USER_TOKEN" >/tmp/kubeconfig-with-webhook-auth.yaml --static-token "$PINNIPED_TEST_USER_TOKEN" >kubeconfig-webhook.yaml
echo "export KUBECONFIG=/tmp/kubeconfig-with-webhook-auth.yaml" echo
echo "To log in using webhook:"
echo "PINNIPED_DEBUG=true ./pinniped whoami --kubeconfig ./kubeconfig-webhook.yaml"
echo
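Review bot: The `get kubeconfig` step still invokes `/tmp/pinniped`, although the build step added above it now writes the binary to the working directory (`go build ./cmd/pinniped`) and the old `go build -o /tmp/pinniped` line is gone. As rendered, the script therefore runs whatever binary an earlier run left in /tmp, or fails if none exists. Changing the call to `./pinniped get kubeconfig \` fixes that and also stops executing a binary from a shared, predictable /tmp path. Separately, `kubeconfig-webhook.yaml` is generated with `--static-token "$PINNIPED_TEST_USER_TOKEN"` and now lands in the checkout, so consider creating it under `umask 077` and confirming the file name is git-ignored.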