Merge pull request #5 from jumpstarter-dev/oidc-login

Author: mangelajo

.github/workflows/selftest.yml

@@ -6,7 +6,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
-      - uses: ./
+        with:
+          path: e2e
+      - uses: ./e2e
         with:
           controller-ref: main
           jumpstarter-ref: main

action.yml

@@ -30,7 +30,16 @@ runs:
     - name: Deploy jumpstarter controller
       shell: bash
       run: |
+        cp "$GITHUB_ACTION_PATH"/values.kind.yaml ./controller/deploy/helm/jumpstarter/values.kind.yaml
+        cp "$GITHUB_ACTION_PATH"/kind_cluster.yaml ./controller/hack/kind_cluster.yaml
         make -C controller deploy
+    - name: Deploy dex
+      shell: bash
+      run: |
+        kubectl create namespace dex
+        kubectl apply -f "$GITHUB_ACTION_PATH"/dex.yaml
+        helm repo add dex https://charts.dexidp.io
+        helm install --namespace dex --wait -f "$GITHUB_ACTION_PATH"/dex.values.yaml dex dex/dex
     - name: Install jumpstarter
       shell: bash
       run: |
@@ -43,47 +52,57 @@ runs:
     - name: Run jumpstarter
       shell: bash
       run: |
+        sudo cp "$GITHUB_ACTION_PATH"/minica.pem /usr/local/share/ca-certificates/minica.crt
+        sudo update-ca-certificates
+
+        echo "127.0.0.1 dex.dex.svc.cluster.local" | sudo tee -a /etc/hosts
+
+        ENDPOINT=$(helm get values jumpstarter --output json | jq -r '."jumpstarter-controller".grpc.endpoint')
+
         sudo mkdir -p /etc/jumpstarter/exporters
         sudo chown $USER /etc/jumpstarter/exporters
 
         . .venv/bin/activate
 
         export JUMPSTARTER_GRPC_INSECURE=1
 
-        jmp admin create client   test-client-1   --save --unsafe
-        jmp admin create exporter test-exporter-1 --save
-        jmp admin create exporter test-exporter-2 --save
+        jmp admin create client   test-client-oidc     --unsafe --out /dev/null --oidc-username dex:test-client-oidc
+        jmp admin create client   test-client-legacy   --unsafe --save
+        jmp admin create exporter test-exporter-oidc   --out /dev/null --oidc-username dex:test-exporter-oidc \
+          --label example.com/board oidc
+        jmp admin create exporter test-exporter-legacy --save \
+          --label example.com/board legacy
 
-        cat <<EOF >> /etc/jumpstarter/exporters/test-exporter-1.yaml
-        export:
-          power:
-            type: jumpstarter_driver_power.driver.MockPower
-        EOF
-
-        kubectl -n default patch exporters.jumpstarter.dev test-exporter-1 \
-          --type=merge --patch '{"metadata":{"labels":{"example.com/board":"rpi4"}}}'
+        jmp client   list-configs
+        jmp exporter list-configs
 
-        cat <<EOF >> /etc/jumpstarter/exporters/test-exporter-2.yaml
-        export:
-          storage:
-            type: jumpstarter_driver_opendal.driver.MockStorageMux
-        EOF
+        jmp client   login test-client-oidc \
+          --endpoint "$ENDPOINT" --namespace default --name test-client-oidc \
+          --issuer https://dex.dex.svc.cluster.local:5556 \
+          --username test-client-oidc@example.com --password password --unsafe
+        jmp exporter login test-exporter-oidc \
+          --endpoint "$ENDPOINT" --namespace default --name test-exporter-oidc \
+          --issuer https://dex.dex.svc.cluster.local:5556 \
+          --username test-exporter-oidc@example.com --password password
 
-        kubectl -n default patch exporters.jumpstarter.dev test-exporter-2 \
-          --type=merge --patch '{"metadata":{"labels":{"example.com/board":"rpi5"}}}'
+        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
+          /etc/jumpstarter/exporters/test-exporter-oidc.yaml
+        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
+          /etc/jumpstarter/exporters/test-exporter-legacy.yaml
 
-        jmp client list-configs
+        jmp client   list-configs
         jmp exporter list-configs
 
-        jmp exporter run test-exporter-1 &
-        jmp exporter run test-exporter-2 &
+        jmp exporter run test-exporter-oidc &
+        jmp exporter run test-exporter-legacy &
 
-        sleep 5
+        kubectl -n default wait --for=condition=Registered exporters.jumpstarter.dev/test-exporter-oidc
+        kubectl -n default wait --for=condition=Registered exporters.jumpstarter.dev/test-exporter-legacy
 
-        jmp client shell test-client-1 --label example.com/board rpi4 <<EOF
-        j power
+        jmp client shell test-client-oidc --label example.com/board oidc <<EOF
+        j power on
         EOF
 
-        jmp client shell test-client-1 --label example.com/board rpi5 <<EOF
-        j storage
+        jmp client shell test-client-legacy --label example.com/board legacy <<EOF
+        j power on
         EOF

dex.values.yaml

@@ -0,0 +1,43 @@
+https:
+  enabled: true
+config:
+  issuer: https://dex.dex.svc.cluster.local:5556
+  web:
+    tlsCert: /etc/dex/tls/tls.crt
+    tlsKey: /etc/dex/tls/tls.key
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+  staticClients:
+    - id: jumpstarter-cli
+      name: Jumpstarter CLI
+      public: true
+  oauth2:
+    responseTypes: ["code", "token", "id_token", "id_token token"]
+    passwordConnector: local
+  enablePasswordDB: true
+  staticPasswords:
+    - email: "test-client-oidc@example.com"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # password
+      username: "test-client-oidc"
+      userID: "73bca0b9-9be6-4e73-a8fb-347c2ac23255"
+    - email: "test-exporter-oidc@example.com"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # password
+      username: "test-exporter-oidc"
+      userID: "a4cb4de2-4467-4e5c-a42a-33be8783649d"
+volumes:
+  - name: tls
+    secret:
+      secretName: dex-tls
+volumeMounts:
+  - name: tls
+    mountPath: /etc/dex/tls
+service:
+  type: NodePort
+  ports:
+    http:
+      port: 5554
+    https:
+      port: 5556
+      nodePort: 32000

dex.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex-tls
+  namespace: dex
+type: Opaque
+stringData:
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    MIIB/jCCAYWgAwIBAgIIGiIRZdsY1ZswCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
+    bWluaWNhIHJvb3QgY2EgNzI5MGI2MB4XDTI1MDIxMzE5MjQzNloXDTI3MDMxNTE4
+    MjQzNlowJDEiMCAGA1UEAxMZZGV4LmRleC5zdmMuY2x1c3Rlci5sb2NhbDB2MBAG
+    ByqGSM49AgEGBSuBBAAiA2IABOXOUhakYrIsNnmWSrDNk0VAB3HLjlxIvDBKt/As
+    7kEFZyi3Q+6kPwDGZlYS/CLBQz7MleB57xV+BTXeU4C9JJ2VYfUzrzUWMI9U2a+/
+    XAWc1L2GDw6TrLV2COFJQ7njlqOBhzCBhDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
+    BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgw
+    FoAUmUQQlLj97WtsbH451iI74L8+H6IwJAYDVR0RBB0wG4IZZGV4LmRleC5zdmMu
+    Y2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAwNnADBkAjAr3xJ+MuSx1IsabimAlaIC
+    FvzA7VqtukdJ4ycZ5ndZlC3BOAHw8LEotgYHQpBItjQCMF7x/LkdBThU1nCChoA6
+    r5F8RrqBNPeHeaItjnPpYq6sT3dDqGQF9Rm7bbaG6ExhKA==
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN PRIVATE KEY-----
+    MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDMWWagdOx7Neqeeg2g
+    ofPS9ipeeliiTUv6B/9+oiTMGlTRMPHu4ruSqS7kiw3oBQuhZANiAATlzlIWpGKy
+    LDZ5lkqwzZNFQAdxy45cSLwwSrfwLO5BBWcot0PupD8AxmZWEvwiwUM+zJXgee8V
+    fgU13lOAvSSdlWH1M681FjCPVNmvv1wFnNS9hg8Ok6y1dgjhSUO545Y=
+    -----END PRIVATE KEY-----

exporter.yaml

@@ -0,0 +1,5 @@
+export:
+  power:
+    type: jumpstarter_driver_power.driver.MockPower
+  storage:
+    type: jumpstarter_driver_opendal.driver.MockStorageMux

kind_cluster.yaml

@@ -0,0 +1,37 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+- |
+  kind: ClusterConfiguration
+  apiServer:
+    extraArgs:
+      "service-node-port-range": "3000-32767"
+- |
+  kind: InitConfiguration
+  nodeRegistration:
+    kubeletExtraArgs:
+      node-labels: "ingress-ready=true"
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 80 # ingress controller
+    hostPort: 5080
+    protocol: TCP
+  - containerPort: 30010 # grpc nodeport
+    hostPort: 8082
+    protocol: TCP
+  - containerPort: 30011 # grpc router nodeport
+    hostPort: 8083
+    protocol: TCP
+  - containerPort: 32000 # dex nodeport
+    hostPort: 5556
+    protocol: TCP
+
+  - containerPort: 443
+    hostPort: 5443
+    protocol: TCP
+# if we needed to mount a hostPath volume into the kind cluster, we can do it like this
+#  extraMounts:
+#  - hostPath: ./bin/e2e-certs
+#    containerPath: /tmp/e2e-certs
+  

minica-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC2m+wWKd8N0puHKcgF
+i9qE6zqk+0gnPSQYoYdO/faf9wenw2AYSi8mTMiFmwIO6MuhZANiAAQzezKJ4My3
+5HPeoJvvzTjhS2uJMBYrYfrs5csxZjiyq8ORrHM539XhWlA6sVZODhzcF2KL4mC9
+xKz/yIrsws+LKsIWNHGGmIPEKFYnHBGwVBGeARvhpzZP/9frJXAN/8c=
+-----END PRIVATE KEY-----

minica.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/DCCAYKgAwIBAgIIcpC2uS+SjEIwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
+bWluaWNhIHJvb3QgY2EgNzI5MGI2MCAXDTI1MDIwMzE5MzMyNVoYDzIxMjUwMjAz
+MTkzMzI1WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3MjkwYjYwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAAQzezKJ4My35HPeoJvvzTjhS2uJMBYrYfrs5csxZjiy
+q8ORrHM539XhWlA6sVZODhzcF2KL4mC9xKz/yIrsws+LKsIWNHGGmIPEKFYnHBGw
+VBGeARvhpzZP/9frJXAN/8ejgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
+DgQWBBSZRBCUuP3ta2xsfjnWIjvgvz4fojAfBgNVHSMEGDAWgBSZRBCUuP3ta2xs
+fjnWIjvgvz4fojAKBggqhkjOPQQDAwNoADBlAjADql5Ks5wh181iUa1ZBnx4XOVe
+l0l7I+mwlwJSPmkZHxruWZTx7gQU4tfDCr+UuzUCMQC2aDXRb17cphipK4gzbExv
+EDLExjhHAqMPrKDmT0jHIi7Bbos38/1tyZ/IoKjLnv0=
+-----END CERTIFICATE-----

values.kind.yaml

@@ -0,0 +1,35 @@
+global:
+  baseDomain: jumpstarter.127.0.0.1.nip.io
+  metrics:
+    enabled: false
+
+jumpstarter-controller:
+  grpc:
+    mode: "ingress"
+  authenticationConfig: |
+    apiVersion: jumpstarter.dev/v1alpha1
+    kind: AuthenticationConfiguration
+    jwt:
+    - issuer:
+        url: https://dex.dex.svc.cluster.local:5556
+        audiences:
+        - jumpstarter-cli
+        audienceMatchPolicy: MatchAny
+        certificateAuthority: |
+          -----BEGIN CERTIFICATE-----
+          MIIB/DCCAYKgAwIBAgIIcpC2uS+SjEIwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
+          bWluaWNhIHJvb3QgY2EgNzI5MGI2MCAXDTI1MDIwMzE5MzMyNVoYDzIxMjUwMjAz
+          MTkzMzI1WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3MjkwYjYwdjAQBgcq
+          hkjOPQIBBgUrgQQAIgNiAAQzezKJ4My35HPeoJvvzTjhS2uJMBYrYfrs5csxZjiy
+          q8ORrHM539XhWlA6sVZODhzcF2KL4mC9xKz/yIrsws+LKsIWNHGGmIPEKFYnHBGw
+          VBGeARvhpzZP/9frJXAN/8ejgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW
+          MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
+          DgQWBBSZRBCUuP3ta2xsfjnWIjvgvz4fojAfBgNVHSMEGDAWgBSZRBCUuP3ta2xs
+          fjnWIjvgvz4fojAKBggqhkjOPQQDAwNoADBlAjADql5Ks5wh181iUa1ZBnx4XOVe
+          l0l7I+mwlwJSPmkZHxruWZTx7gQU4tfDCr+UuzUCMQC2aDXRb17cphipK4gzbExv
+          EDLExjhHAqMPrKDmT0jHIi7Bbos38/1tyZ/IoKjLnv0=
+          -----END CERTIFICATE-----
+      claimMappings:
+        username:
+          claim: "name"
+          prefix: "dex:"