Configure OIDC #12

Draft
wants to merge 4 commits into
base: main
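--- a/acceptance/.gitignore
+++ b/acceptance/.gitignore
@@ -0,0 +1 @@
+tmp/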
68 changes: 65 additions & 3 deletions acceptance/Makefile
@@ -19,13 +19,71 @@ kind-create:
load-image:
kind load docker-image --name namespace-lister namespace-lister:latest

.PHONY: patch-coredns
patch-coredns:
kubectl apply -f ./dependencies/coredns/configmap.yaml

.PHONY: deploy-test-infra
deploy-test-infra:
deploy-test-infra: deploy-cert-manager deploy-test-ingress deploy-idp
@:

.PHONY: deploy-test-ingress
deploy-test-ingress:
kubectl apply -f https://kind.sigs.k8s.io/examples/ingress/deploy-ingress-nginx.yaml
for i in {1..5}; do kubectl get -n ingress-nginx pod --selector 'app.kubernetes.io/component=controller' && break || sleep 2; done
kubectl rollout status deployment --namespace ingress-nginx \
--selector=app.kubernetes.io/component=controller \
--timeout=90s

.PHONY: deploy-cert-manager
deploy-cert-manager: $(TMPDIR)
kubectl apply -k ./dependencies/cert-manager/
sleep 5
kubectl wait --for=condition=Ready --timeout=300s -l 'app.kubernetes.io/instance=cert-manager' -n cert-manager pod
( \
docker exec namespace-lister-control-plane cat /etc/kubernetes/pki/ca.crt > $(TMP_DIR)/ca.crt; \
docker exec namespace-lister-control-plane cat /etc/kubernetes/pki/ca.key > $(TMP_DIR)/ca.key ; \
kubectl create secret tls kube-root-ca \
--namespace cert-manager \
--cert=$(TMP_DIR)/ca.crt \
--key=$(TMP_DIR)/ca.key \
-o yaml --dry-run=client | kubectl apply -f -; \
)
for i in {1..5}; do kubectl get -n cert-manager deployment --selector 'app.kubernetes.io/instance=cert-manager' && break || sleep 2; done
kubectl rollout status deployment -n cert-manager \
--selector 'app.kubernetes.io/instance=cert-manager' \
--timeout=300s
kubectl apply -k ./dependencies/cluster-issuer/

.PHONY: build-user1-kubeconfig
build-user1-kubeconfig:
@kubectl rollout status -n keycloak statefulset keycloak --timeout=90s 1>&2
@( \
tkn=$$( \
curl -f -s -k -L -X POST 'https://idp.namespacelister.localtest.me/idp/realms/redhat-external/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=cloud-services' \
--data-urlencode 'client_secret=client-secret' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=user1' \
--data-urlencode 'password=password' | jq '.access_token' -r ); \
kind get kubeconfig --name namespace-lister | \
yq '.users[0].user={"token":"'$${tkn}'"}' | \
yq 'del(.clusters[0].cluster.certificate-authority-data)' \
)

.PHONY: deploy-idp
deploy-idp:
kubectl apply -k ./dependencies/keycloak/crd/
kubectl apply -k ./dependencies/keycloak/deployment/
for i in {1..10}; do kubectl get -n keycloak deployment keycloak-operator && break || sleep 2; done
kubectl rollout status --namespace keycloak \
deployment keycloak-operator \
--timeout=300s
for i in {1..10}; do kubectl get -n keycloak statefulset keycloak && break || sleep 2; done
kubectl rollout status --namespace keycloak \
statefulset keycloak \
--timeout=90s

.PHONY: deploy-test-proxy
deploy-test-proxy:
kubectl apply -k ./config/proxy/
@@ -55,6 +113,7 @@ clean:

.PHONY: wip
wip: vet clean create-test-identity export-test-identity-kubeconfig
# kubectl rollout status deployment -n keycloak -l 'app=sso'
kubectl rollout status deployment -n namespace-lister namespace-lister
kubectl rollout status deployment -n namespace-lister namespace-lister-proxy
KUBECONFIG=/tmp/namespace-lister-acceptance-tests-user.kcfg \
@@ -76,6 +135,7 @@ ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
LOCALBIN := $(ROOT_DIR)/bin

OUTDIR := $(ROOT_DIR)/out
TMP_DIR := $(ROOT_DIR)/tmp

GO ?= go

@@ -86,6 +146,8 @@ $(LOCALBIN):
mkdir $(LOCALBIN)
$(OUTDIR):
@mkdir $(OUTDIR)
$(TMP_DIR):
@mkdir $(TMP_DIR)

.PHONY: lint
lint: ## Run go linter.
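Review bot: In the first hunk, `deploy-cert-manager` lists `$(TMPDIR)` as its prerequisite while the variable and directory rule added in the later hunks are `TMP_DIR` and `$(TMP_DIR):`, so nothing visible here creates `tmp/` before the recipe redirects into it. `TMP_DIR` also appears to be assigned after this rule, in which case even the corrected name would expand to empty in the prerequisite list; creating the directory inside the recipe avoids both problems. The same recipe writes the cluster CA private key to `$(TMP_DIR)/ca.key` under the default umask, leaves it on disk, and separates the steps with `;`, so a failed `docker exec` still proceeds to `kubectl create secret` with an empty or partial file. The sketch below uses `set -e`, `umask 077` and an exit trap that removes the key. Separately, `deploy-test-ingress` applies a manifest fetched by URL at run time; vendoring it under `./dependencies/` like the other components would pin what gets deployed.

```make
deploy-cert-manager:
# … unchanged: cert-manager apply, sleep, kubectl wait …
	( \
	set -e; umask 077; mkdir -p "$(TMP_DIR)"; \
	trap 'rm -f "$(TMP_DIR)/ca.key"' EXIT; \
	docker exec namespace-lister-control-plane cat /etc/kubernetes/pki/ca.crt > "$(TMP_DIR)/ca.crt"; \
	docker exec namespace-lister-control-plane cat /etc/kubernetes/pki/ca.key > "$(TMP_DIR)/ca.key"; \
# … unchanged: kubectl create secret tls kube-root-ca … | kubectl apply -f - …
	)
```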