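def check_user_grant():
    """Verify that user-grant issues a working kubeconfig for the local grant user.

    Fetches a kubeconfig from the user-grant service (via a master node, see
    the comment below for why), checks it for the expected banner phrase, and
    then uses it with kubectl to confirm that the auto-created rolebinding for
    the upstream user refers to the "admin" role.

    Failures are reported through command.fail(); ssh/scp, subprocess and DNS
    helper errors propagate as raised by those helpers.
    """
    config = configuration.get_config()
    # because we don't yet have load balancing, we have to somehow get *inside the cluster* to test this.
    # that means figuring out the IP address for the user-grant service, uploading the local user cert to the master
    # node, and then authenticating to user-grant via curl on the master node. bluh.
    # TODO: once load balancing is ready, make this whole thing much simpler
    # we use a master node so we're confident we aren't connecting to the node where user-grant is hosted. there's
    # nothing about this that otherwise requires it; usually we'd choose a worker node to avoid running unnecessary code
    # on the master nodes, but this is entirely for testing in non-production clusters, so it doesn't matter.
    proxy_node = config.get_any_node("master")
    kubeconfig = _fetch_granted_kubeconfig(config, proxy_node)

    magic_phrase = "it allows authenticating to the Hyades cluster as you"
    if magic_phrase not in kubeconfig:
        command.fail(
            "invalid kubeconfig: did not see phrase " + repr(magic_phrase),
            "kubeconfig received read as follows: " + repr(kubeconfig))
    # command.fail() is expected not to return; the success message below relies on that
    print("successfully retrieved kubeconfig from user-grant!")
    # at this point, we have a kubeconfig generated by user-grant, and now we want to confirm that it works.
    # we'll confirm that the kubeconfig works by checking that the auto-created rolebinding passes the sniff test.
    _check_auto_grant_rolebinding(kubeconfig)


def _fetch_granted_kubeconfig(config, proxy_node) -> str:
    """Retrieve a kubeconfig from user-grant by curl-ing it from proxy_node with the local grant user's key and cert.

    The private key and certificate are copied onto proxy_node only for the
    duration of the request and are removed again afterwards, including when
    the upload, DNS override or curl fails, so a test run never leaves the
    user's credential behind on a master node (the original only removed
    leftovers at the *start* of the next run).

    Returns the kubeconfig text as received from the service.
    """
    service_ip = get_service_ip("user-grant")
    user_key, user_cert = authority.get_local_grant_user_paths()
    remote_key, remote_cert = "/etc/homeworld/testing/usergrant.key", "/etc/homeworld/testing/usergrant.pem"
    # clear anything left behind by an earlier, aborted run before uploading fresh material
    ssh.check_ssh(proxy_node, "rm", "-f", remote_key, remote_cert)
    ssh.check_ssh(proxy_node, "mkdir", "-p", "/etc/homeworld/testing")
    try:
        ssh.check_scp_up(proxy_node, user_key, remote_key)
        ssh.check_scp_up(proxy_node, user_cert, remote_cert)
        setup.modify_temporary_dns(proxy_node, {config.user_grant_domain: service_ip})
        try:
            # NOTE(review): no --cacert is passed, so curl validates the server certificate against
            # proxy_node's system trust store; this assumes the cluster CA is installed there -- confirm.
            kubeconfig = ssh.check_ssh_output(
                proxy_node, "curl", "--key", remote_key, "--cert", remote_cert,
                "https://%s/" % config.user_grant_domain).decode()
        finally:
            setup.modify_temporary_dns(proxy_node, {})
    finally:
        # the key is a credential for the local user: never leave it on the node
        ssh.check_ssh(proxy_node, "rm", "-f", remote_key, remote_cert)
    return kubeconfig


def _check_auto_grant_rolebinding(kubeconfig: str) -> None:
    """Use kubeconfig with kubectl to confirm the auto-grant rolebinding for the upstream user names the admin role.

    The kubeconfig is written into a temporary directory that is removed when
    the check finishes, so the granted credential does not persist locally.
    """
    with tempfile.TemporaryDirectory() as workdir:
        kubeconfig_path = os.path.join(workdir, "granted-kubeconfig")
        util.writefile(kubeconfig_path, kubeconfig.encode())
        # argv list, not a shell string: the user name becomes a single argument and is never shell-parsed
        rolebinding = json.loads(
            subprocess.check_output([
                "hyperkube", "kubectl", "--kubeconfig", kubeconfig_path, "-o", "json",
                "get", "rolebindings", "auto-grant-" + authority.UPSTREAM_USER_NAME
            ]).decode())
        # only the role name is checked; this is a sniff test, not a full RBAC audit
        if rolebinding.get("roleRef", {}).get("name") != "admin":
            command.fail("rolebinding for user was not admin in %s" % repr(rolebinding))
        print("autogenerated rolebinding for user", repr(authority.UPSTREAM_USER_NAME), "passed basic check!")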
def ssh_upload_path(ops, name: str, node: configuration.Node, source_path: str, dest_path: str) -> None:
    """Register an operation with ops that scp's the local file source_path to dest_path on node.

    Any '@HOST' placeholder in name is replaced by node.hostname to form the
    operation's label. Nothing is uploaded until ops runs the operation.
    """
    label = name.replace('@HOST', node.hostname)

    def upload():
        ssh.check_scp_up(node, source_path, dest_path)

    ops.add_operation(label, upload)
def ssh_upload_path(self, name: str, node: configuration.Node, source_path: str, dest_path: str) -> None:
    """Queue an operation that copies the local file source_path to dest_path on node via scp.

    The operation is recorded under name and tagged with node=node. No '@HOST'
    substitution is done here; presumably add_operation derives any host label
    from the node it is given -- confirm against its implementation.
    """
    def do_upload():
        ssh.check_scp_up(node, source_path, dest_path)

    self.add_operation(name, do_upload, node=node)