small improvements to some hack scripts #2024

Merged
merged 1 commit into from
Aug 1, 2024
Merged
5 changes: 1 addition & 4 deletions hack/debug-ldapidentityprovider.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bash

# Copyright 2023 the Pinniped contributors. All Rights Reserved.
# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

set -euo pipefail
@@ -62,9 +62,6 @@ while (("$#")); do
;;
-*)
log_error "Unsupported flag $1" >&2
if [[ "$1" == *"active-directory"* ]]; then
log_error "Did you mean --get-active-directory-vars?"
fi
exit 1
;;
*)
6 changes: 3 additions & 3 deletions hack/prepare-for-integration-tests.sh
@@ -15,6 +15,9 @@
# For example, to alternatively build and deploy Pinniped as a Carvel package, use:
# PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --pre-install ./hack/lib/carvel_packages/build.sh --alternate-deploy ./hack/lib/carvel_packages/deploy.sh
#
# Set PINNIPED_USE_CONTOUR=1 when running this script to cause the kind cluster created by this script to be
# ready for using PINNIPED_USE_CONTOUR=1 with subsequent hack scripts, e.g. prepare-supervisor-on-kind.sh.
#
set -euo pipefail

pinniped_path="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
@@ -109,9 +112,6 @@ while (("$#")); do
;;
-*)
log_error "Unsupported flag $1" >&2
if [[ "$1" == *"active-directory"* ]]; then
log_error "Did you mean --get-active-directory-vars?"
fi
exit 1
;;
*)
25 changes: 13 additions & 12 deletions hack/prepare-supervisor-on-kind.sh
@@ -28,7 +28,7 @@
# PINNIPED_USE_CONTOUR=1 hack/prepare-for-integration-tests.sh -c
# PINNIPED_USE_CONTOUR=1 hack/prepare-supervisor-on-kind.sh --oidc --ldap
#
# Depends on `step` which can be installed by `brew install step` on MacOS.
# This script depends on `step` which can be installed by `brew install step` on MacOS.
#

set -euo pipefail
@@ -69,11 +69,11 @@ while (("$#")); do
shift
;;
--github)
# This assumes that you used the --get-github-vars flag with hack/prepare-for-integration-tests.sh.
use_github_upstream=yes
shift
;;
--ad)
# Use an ActiveDirectoryIdentityProvider.
# This assumes that you used the --get-active-directory-vars flag with hack/prepare-for-integration-tests.sh.
use_ad_upstream=yes
shift
@@ -499,6 +499,7 @@ fi

# Make a JWTAuthenticator which respects JWTs from the Supervisor's issuer.
# The issuer URL must be accessible from within the cluster for OIDC discovery.
echo "Creating JWTAuthenticator..."
cat <<EOF | kubectl apply -f -
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
@@ -511,9 +512,8 @@ spec:
certificateAuthorityData: $certificateAuthorityData
EOF

echo "Waiting for JWTAuthenticator to initialize or update..."
# Sleeping is a race, but that's probably good enough for the purposes of this script.
sleep 5
echo "Waiting for JWTAuthenticator to be ready..."
kubectl wait --for=condition=Ready jwtauthenticator my-jwt-authenticator --timeout 60s

# Compile the CLI.
echo "Building the Pinniped CLI..."
@@ -566,11 +566,12 @@ if [[ "${PINNIPED_USE_CONTOUR:-}" == "" && ("$use_oidc_upstream" == "yes" || "$u
echo " open -a \"Google Chrome\" --args --proxy-server=\"$proxy_server\""
echo "Note that Chrome must be fully quit before being started with --proxy-server."
echo "Then open the login URL shown below in that new Chrome window."
echo
echo "When prompted for username and password, use these values:"
echo
fi

echo
echo "When prompted for username and password, use these values:"
echo

if [[ "$use_oidc_upstream" == "yes" ]]; then
echo " OIDC Username: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME"
echo " OIDC Password: $PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD"
@@ -599,22 +600,22 @@ fi
# Once the CLI has cached your tokens, it will automatically refresh your short-lived credentials whenever
# they expire, so you should not be prompted to log in again for the rest of the day.
if [[ "$use_oidc_upstream" == "yes" ]]; then
echo "To log in using OIDC, run:"
echo "To log in using OIDC:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-oidc.yaml"
echo
fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
echo "To log in using LDAP, run:"
echo "To log in using LDAP:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ldap.yaml"
echo
fi
if [[ "$use_ad_upstream" == "yes" ]]; then
echo "To log in using AD, run:"
echo "To log in using AD:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-ad.yaml"
echo
fi
if [[ "$use_github_upstream" == "yes" ]]; then
echo "To log in using GitHub, run:"
echo "To log in using GitHub:"
echo "PINNIPED_DEBUG=true ${proxy_env_vars}./pinniped whoami --kubeconfig ./kubeconfig-github.yaml"
echo
fi
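Review bot: A JWTAuthenticator that never becomes Ready now aborts the script with only kubectl's timeout message, because the added `kubectl wait --for=condition=Ready jwtauthenticator my-jwt-authenticator --timeout 60s` runs under `set -euo pipefail` and nothing prints the resource's status conditions. A not-Ready authenticator presumably traces back to the issuer URL or the `certificateAuthorityData` applied just above, so showing the status before exiting saves a debugging round trip: `kubectl wait ... --timeout 60s || { kubectl get jwtauthenticator my-jwt-authenticator -o yaml >&2; exit 1; }`. The same applies to the `kubectl wait` on `webhookauthenticator my-webhook-authenticator` added in hack/prepare-webhook-on-kind.sh. The hard-coded name also has to stay in step with the `metadata.name` in the heredoc, which this hunk does not show.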
21 changes: 16 additions & 5 deletions hack/prepare-webhook-on-kind.sh
@@ -19,22 +19,33 @@ cd "$ROOT"
source /tmp/integration-test-env

# Create WebhookAuthenticator.
echo "Creating WebhookAuthenticator..."
cat <<EOF | kubectl apply -f - 1>&2
kind: WebhookAuthenticator
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
metadata:
name: my-webhook
name: my-webhook-authenticator
spec:
endpoint: ${PINNIPED_TEST_WEBHOOK_ENDPOINT}
tls:
certificateAuthorityData: ${PINNIPED_TEST_WEBHOOK_CA_BUNDLE}
EOF

echo "Waiting for WebhookAuthenticator to be ready..."
kubectl wait --for=condition=Ready webhookauthenticator my-webhook-authenticator --timeout 60s

# Compile the CLI.
echo "Building the Pinniped CLI..."
go build ./cmd/pinniped

# Use the CLI to get a kubeconfig that will use this WebhookAuthenticator.
go build -o /tmp/pinniped ./cmd/pinniped
echo "Generating webhook kubeconfig..."
/tmp/pinniped get kubeconfig \
--concierge-authenticator-type webhook \
--concierge-authenticator-name my-webhook \
--static-token "$PINNIPED_TEST_USER_TOKEN" >/tmp/kubeconfig-with-webhook-auth.yaml
--concierge-authenticator-name my-webhook-authenticator \
--static-token "$PINNIPED_TEST_USER_TOKEN" >kubeconfig-webhook.yaml

echo "export KUBECONFIG=/tmp/kubeconfig-with-webhook-auth.yaml"
echo
echo "To log in using webhook:"
echo "PINNIPED_DEBUG=true ./pinniped whoami --kubeconfig ./kubeconfig-webhook.yaml"
echo
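Review bot: The kubeconfig step still invokes `/tmp/pinniped get kubeconfig \`, while the build line now reads `go build ./cmd/pinniped`, which writes `./pinniped`; as far as this rendered section shows, `go build -o /tmp/pinniped ./cmd/pinniped` is on the removed side. The script would then run whatever binary already sits at `/tmp/pinniped` (a stale build from an earlier run, or none at all) and pass it `$PINNIPED_TEST_USER_TOKEN`, and `/tmp` is writable by other local users. Call the freshly built binary instead, `./pinniped get kubeconfig \`, which also matches the `./pinniped whoami` command printed at the end.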