feat: add dev-env

Author: matthieuJacquot-voodoo

.gitignore

@@ -1,4 +1,3 @@
-_dev-env
 irsa-operator 
 
 # Binaries for programs and plugins

_dev-env/.gitignore

@@ -0,0 +1,2 @@
+k8s-pki
+webhook

_dev-env/Makefile

@@ -0,0 +1,25 @@
+start_kind:
+	sudo rm -rf ./k8s-pki
+	mkdir ./k8s-pki
+	kind create cluster --config ./kind-config.yml
+	sudo chmod 644 ./k8s-pki/sa.* 
+
+start_docker_compose:
+	USER_ID=$(shell id -u) GROUP_ID=$(shell id -g) docker-compose up -d 
+
+register_oidc:
+	AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_REGION=us-east-1 aws --endpoint-url=http://localhost:4566 iam create-open-id-connect-provider --url https://hydra.local:4444 --client-id-list sts.amazonaws.com --thumbprint-list $(shell ./get-hydra-thumbprint.sh) 
+
+check:
+	AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_REGION=us-east-1 PAGER= aws --no-cli-pager --endpoint-url=http://localhost:4566 iam list-open-id-connect-providers
+
+wait_for_localstack:
+	./wait-for-localstack.sh
+	echo "localstack ready"
+
+start: start_kind start_docker_compose wait_for_localstack register_oidc
+
+tear_down:
+	kind delete clusters irsa-operator
+	USER_ID=$(shell id -u) GROUP_ID=$(shell id -g) docker-compose down
+	sudo rm -rf ./k8s-pki

_dev-env/README.md

@@ -0,0 +1,130 @@
+# dev env 
+
+## caveats
+- localstack (community edition) doesn't enforce IAM
+- k8s version compatibility issue with
+
+## clean up
+```
+sudo rm -rf ./k8s-pki
+mkdir ./k8s-pki
+```
+
+## start the k8s cluster 
+
+```
+kind create cluster --config ./kind-config.yml
+sudo chmod 644 ./k8s-pki/sa.* 
+```
+
+- it will create the kubernetes cluster, the `kind` docker network we'll join later, populate the `./k8s-pki/` folder with all the kubernetes pki keys.
+- `kubectl get nodes` should return a `Ready` node.
+
+
+## start the other services 
+
+we'll start 3 other services : 
+- aws localstack to fake aws 
+- hydra to have an oidc provider 
+- a local container registry (accessible from the outside at `localhost:5000`, from inside the `kind` network at `local-registry:5000`)
+
+```
+docker-compose up -d 
+```
+
+2 short-lived containers will :
+- setup hydra's sqlite 
+- load the serviceaccount `sa` keys in hydra
+
+### check
+
+a `docker ps` should only return only 3 containers : `hydra`, `aws-localstack` & `kind`
+
+if you see one of the 2 other ones restarting, they have a problem, check their logs :
+- `hydra-db-migrate` logs should print `Successfully applied migrations!`
+- `hydra-add-keys` logs should print `JSON Web Key Set successfully imported!`
+
+```
+curl https://localhost:4444/.well-known/openid-configuration -k
+curl https://localhost:4444/.well-known/jwks.json -k
+```
+
+should return no error
+
+## register the oidc provider on aws 
+
+register hydra as an oidc provider
+
+```
+export AWS_ACCESS_KEY_ID=test
+export AWS_SECRET_ACCESS_KEY=test
+export AWS_REGION=us-east-1
+aws --endpoint-url=http://localhost:4566 iam create-open-id-connect-provider --url https://hydra.local:4444 --client-id-list sts.amazonaws.com --thumbprint-list $(./get-hydra-thumbprint.sh) 
+```
+
+NB : with set the client-id used by AWS to a value provided to the api-server (see ./kind-config.yml)
+
+### check
+```
+aws --endpoint-url=http://localhost:4566 iam list-open-id-connect-providers
+```
+should return 
+
+```
+{
+    "OpenIDConnectProviderList": [
+        {
+            "Arn": "arn:aws:iam::000000000000:oidc-provider/hydra.local:4444"
+        }
+    ]
+}
+```
+
+you can also get details using 
+```
+aws --endpoint-url=http://localhost:4566 iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam::000000000000:oidc-provider/hydra.local:4444
+```
+
+## aws setup
+create : s3 bucket, upload this README, full-access to s3 bucket policy, role with the oidc provider, attach policy to role 
+
+```
+aws --endpoint-url=http://localhost:4566 s3api create-bucket --bucket irsa-test
+aws --endpoint-url=http://localhost:4566 s3 cp ./README.md s3://irsa-test
+aws --endpoint-url=http://localhost:4566 iam create-policy --policy-name my-test-policy --policy-document file://./test/policy.json
+aws --endpoint-url=http://localhost:4566 iam create-role --role-name my-app-role --assume-role-policy-document file://./test/trust-role.json
+aws --endpoint-url=http://localhost:4566 iam attach-role-policy --role-name my-app-role --policy-arn arn:aws:iam::000000000000:policy/my-test-policy
+```
+
+## setup the webhook
+
+```
+cd ./webhook
+./deploy.sh
+cd ..
+```
+
+## deploy irsa-tester
+```
+kubectl create -f ./test/irsa-tester.yml
+```
+
+### check
+```
+k exec irsa-tester -- env | grep AWS
+```
+
+should return
+```
+AWS_ROLE_ARN=arn:aws:iam::000000000000:role/my-app-role
+AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
+```
+
+
+## resources
+
+https://blog.mikesir87.io/2020/09/eks-pod-identity-webhook-deep-dive/
+
+https://www.eksworkshop.com/beginner/110_irsa/
+
+https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

_dev-env/docker-compose.yml

@@ -0,0 +1,88 @@
+version: '3.7'
+
+services:
+  local-registry:
+    image: registry:2
+    ports:
+      - "5000:5000" 
+    restart: unless-stopped
+
+  # AWS 
+  aws-local:
+    image: localstack/localstack:0.12.12
+    ports:
+      - "4566:4566" 
+    environment:
+      - SERVICES=iam,s3,sts
+      - DEBUG=1
+
+  # OIDC
+  hydra.local:
+    image: oryd/hydra:v1.9.0-alpha.3-sqlite
+    ports:
+      - "4444:4444" # Public port
+      - "4445:4445" # Admin port
+      - "5555:5555" # Port for hydra token user
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+      - SERVE_TLS_KEY_PATH=/etc/config/certs/hydra.local.key
+      - SERVE_TLS_CERT_PATH=/etc/config/certs/hydra.local.crt
+    user: "${USER_ID}:${GROUP_ID}"
+    command:
+      serve -c /etc/config/hydra.yml all
+    volumes:
+      - type: volume
+        source: hydra-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - type: bind
+        source: ./oidc-provider/hydra.yml
+        target: /etc/config/hydra.yml
+      - type: bind
+        source: ./oidc-provider/tls
+        target: /etc/config/certs
+    restart: unless-stopped
+    depends_on:
+      - hydra-migrate-db
+
+  hydra-migrate-db:
+    image: oryd/hydra:v1.9.0-alpha.3-sqlite
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+    user: "${USER_ID}:${GROUP_ID}"
+    command:
+      migrate -c /etc/config/hydra.yml sql -e --yes 
+    volumes:
+      - type: volume
+        source: hydra-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - type: bind
+        source: ./oidc-provider/hydra.yml
+        target: /etc/config/hydra.yml
+    restart: on-failure
+
+  hydra-add-keys:
+    image: oryd/hydra:v1.9.0-alpha.3-sqlite
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+      - HYDRA_ADMIN_URL=https://hydra.local:4445
+    user: "${USER_ID}:${GROUP_ID}"
+    command:
+      keys import my-set /etc/pki/sa.key /etc/pki/sa.pub --skip-tls-verify
+    volumes:
+      - type: bind
+        source: ./k8s-pki
+        target: /etc/pki
+    restart: on-failure
+    depends_on:
+      - hydra.local
+
+
+volumes:
+  hydra-sqlite:
+
+networks:
+  default:
+    external:
+      name: kind

_dev-env/get-hydra-thumbprint.sh

@@ -0,0 +1 @@
+openssl s_client -connect localhost:4444 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | sed 's/.*=\|://g' 

_dev-env/kind-config.yml

@@ -0,0 +1,24 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: irsa-operator
+kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        service-account-issuer: "https://hydra.local:4444"
+        service-account-key-file: "/etc/kubernetes/pki/sa.pub"
+        service-account-signing-key-file: "/etc/kubernetes/pki/sa.key"
+        api-audiences: "sts.amazonaws.com"
+
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
+  endpoint = ["http://local-registry:5000"]
+
+nodes:
+- role: control-plane
+  image: kindest/node:v1.20.7
+  extraMounts:
+  - hostPath: ./k8s-pki/
+    containerPath: /etc/kubernetes/pki

_dev-env/oidc-provider/hydra.yml

@@ -0,0 +1,25 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+urls:
+  self:
+    issuer: https://hydra.local:4444
+
+secrets:
+  system:
+    - youReallyNeedToChangeThis
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: youReallyNeedToChangeThis
+
+webfinger:
+  oidc_discovery:
+    supported_claims:
+    - sub
+    - iss

_dev-env/oidc-provider/tls/README.md

@@ -0,0 +1,14 @@
+key & cert used for ory tls (mandatory to be added as an oidc provider on aws)
+
+
+```
+openssl genrsa -out hydra.local.key 4096
+openssl req -new -key hydra.local -out hydra.local.csr
+
+openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365 -subj "/CN=hydra" 
+```
+
+(old school, should use SAN instead [https://geekflare.com/san-ssl-certificate/](https://geekflare.com/san-ssl-certificate/) )
+
+## todo
+CN should include port ? (`4444`)

_dev-env/oidc-provider/tls/hydra.local.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPTCCAyUCFGapjFo1S6WfW2F+Ldv8EZlXj64SMA0GCSqGSIb3DQEBCwUAMFsx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMMC2h5ZHJhLmxvY2FsMB4XDTIw
+MTIyMzIwMjEzMFoXDTIxMTIyMzIwMjEzMFowWzELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDEUMBIGA1UEAwwLaHlkcmEubG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDD1xNXxGDUhO03+hHm3XKcu5WldW5LWUw75z/0qzXrjPUfDSyieCi6
+9YcU5jstWU9zApvIU0pw75MZgdoh+KRELfrprnAJIkNtnAN2AHUVqplTE9uyvkGc
+trMVHzZe6GZJdosSKFZvwzEhbBek1JLHFB+1FCydVhxzagK3SK1YzW9ZoMP3e58f
+Bbg6UvKFgJe+h17jbarbLCvxj5+HdPV6QI4+pJSZYU3jPlxhTGG4c9p39BMv24SD
+9Kkx0GM/4gW+pM+GZgYpDyr3nJi8wV8/Cv3kBy8hRwpKy0vqoa2kZ669PoUKO0Mc
+mLFMCvvMPkuL3/40/Qo3BUmRx0exqC/C/bKg3uhZ8Zm5q2gO5SAjeWrO5xJfdd6w
+E/pAjdTQ8Syqp3DKbY7Roz9VQOKtoLJdcVaozUOQ5ET0ESOZVVgSeP6MzCb52RQk
+h/JAtSFnd1xopjquVGJUm9K9FGiyufI2Uv7e18Yeq74Yh/HEI1pWVmtO/niEmwui
+HODElQV5aRCX0BRLcYegFlFlnFp5ti+wxH7KgGalVvykc68fXO1NKf2qWw5G/mJ2
+mKWm5pOpPLLYjhowHc9nDOQaehhNVlA3ZRaYRJwmPPpAVkjwr8pCnkvI28Im5ZQX
+wGBAB4sbelIUyDn5/Jd72ZsGT5QGuaTLT07pBtVzmCSKkk3rqOla0wIDAQABMA0G
+CSqGSIb3DQEBCwUAA4ICAQC2v9hbOvrU4yj5lXrpcZIyWDHOg1jjMuolVIWLnWkp
+io2FwuAAAzu87WDLaS4xHHveWFI5KgAK3MPJvewPZqhxOdp8MlcGKQTpc2OlXbcQ
+dMUHw1rqJaip4nr6uBy3qp1rJz+luPCqAcC50AUb3F7EyIbIFD/OuR36ZkdVN2+R
+CxBnstQyRLigvq3juAE5wDw6io1062Y4/3lEqIBLybKZft/WR4BnCcamCY0Wo/w6
+7y05JQ3knkCos8SZ+OLW4tK8jlALiB51fKtZdkPpK4wA5KgcuJ2aYIW7iCwK31sU
+DnwYyHrBUWS91d15MnmgYtpiKlHDrWaUqO+2FmbtN12nyc2fFFlESwGQSInZuzZ/
+Z9eTYeq9cSIa1vOlmGDcunHOvDnRqYbNTHlGXdQ13B5RjtQQTliIQ1DZHuyrpJIi
+Yb/QZRvm0C6+ZI7N1I9sxwL6mZoTBEggU621XYfC7J4mjWGEsg2/WYe69pWMaOmV
+v0XUS0SnnmsJtllvLY3mbgNWz7kWW+JQeHi3x7HDSNhj9ZE3VuY9mjZAsa7kRrkW
+OoWT1TH9tNWkqjTQU2fto3rQFl/DbaEvRnXNhx5jngm7I5i0MP1dM2XCEBs3vMkm
+zdTtmADjuMmk6fgBz0C5dPklVzOTkhvanMzLY0vaa8jBfih3AUcxILl+V3XbsQxt
+2Q==
+-----END CERTIFICATE-----

_dev-env/oidc-provider/tls/hydra.local.csr

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEoDCCAogCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLaHlk
+cmEubG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDD1xNXxGDU
+hO03+hHm3XKcu5WldW5LWUw75z/0qzXrjPUfDSyieCi69YcU5jstWU9zApvIU0pw
+75MZgdoh+KRELfrprnAJIkNtnAN2AHUVqplTE9uyvkGctrMVHzZe6GZJdosSKFZv
+wzEhbBek1JLHFB+1FCydVhxzagK3SK1YzW9ZoMP3e58fBbg6UvKFgJe+h17jbarb
+LCvxj5+HdPV6QI4+pJSZYU3jPlxhTGG4c9p39BMv24SD9Kkx0GM/4gW+pM+GZgYp
+Dyr3nJi8wV8/Cv3kBy8hRwpKy0vqoa2kZ669PoUKO0McmLFMCvvMPkuL3/40/Qo3
+BUmRx0exqC/C/bKg3uhZ8Zm5q2gO5SAjeWrO5xJfdd6wE/pAjdTQ8Syqp3DKbY7R
+oz9VQOKtoLJdcVaozUOQ5ET0ESOZVVgSeP6MzCb52RQkh/JAtSFnd1xopjquVGJU
+m9K9FGiyufI2Uv7e18Yeq74Yh/HEI1pWVmtO/niEmwuiHODElQV5aRCX0BRLcYeg
+FlFlnFp5ti+wxH7KgGalVvykc68fXO1NKf2qWw5G/mJ2mKWm5pOpPLLYjhowHc9n
+DOQaehhNVlA3ZRaYRJwmPPpAVkjwr8pCnkvI28Im5ZQXwGBAB4sbelIUyDn5/Jd7
+2ZsGT5QGuaTLT07pBtVzmCSKkk3rqOla0wIDAQABoAAwDQYJKoZIhvcNAQELBQAD
+ggIBAI6wLFUBfAqIkGrvFIWhy7PeoDKSK4wSrBgAxa8rvnLdRluiYNKITW56ay0h
+WRyntGjmR/4JJ9PZXQSDpZAvajtoO8UOkTjxZgc1IvS3GTbM0BIrl2sADWba9kSm
+HjNd9qemzkJ4JwWBq8k0GpwK5uWckEXKtPaDpiNnerqsge9p5e7hLCjL41n+aGVQ
+0LjzwUm/nvzxMEx6elHrxREhVZPxnqUzU7LQO4DrizbCJZ5p2WlbX8P7Xbm4mUtz
+s0NPW/TYmJH8NIVIzd6+6A75KRQrMtNSuIWIgfokFy7/fEJc9L+COFMAQGTKGiGO
+BHcXhvcNVRm+h10q7WwR0KdeAC60/QtgAl763G2zS1/QkN3Oe2eCSfEW1L3Bi3cA
+czL1E4iXH2G2YiAEfRe2UbSMcq1ydppMipUs9aXg4XQ88pgSOwqw7Pphz8zKZGjl
++fVcgdMPQRYUs+xpmHZ2BMP/hesUzdp43+EY3kFf5sez6r/uw7DvGL/ojk6A7tBT
+uhF4Ok0ocR5PmXMijaSQvi9k/wnSJbMaJRXOavicCShw7gDqrBTyDoSUIX39IqXl
+BigpRXuxCEFNqgiKbR8R1647tCLMoqRtiuDKfQXnyBb/3ik9n93Tv+lZtQLbY1oC
+B32HQAvftNpAS0DZij1FyBl2Mj9raaW8mI9RR3GIUOCzx5D+
+-----END CERTIFICATE REQUEST-----