feat(e2e): add minimal e2e to the module

- Add minimal e2e tests that check that the packages can be deployed and
come up properly, using Kapp.
- There' still work to do for the tests to be useful, for example you
can see that pomerium is logging some errors because it can't talk to
dex because we don't setup anything regarding ingresses, but at least we
get a very first check that the stuff comes up.

katalog/tests/dex/kustomization.yaml

@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../dex
+
+secretGenerator:
+  - name: dex
+    namespace: kube-system
+    files:
+      - config.yml=secrets/config.yml

katalog/tests/dex/secrets/config.yml

@@ -0,0 +1,53 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+issuer: https://dex.sighup.io
+frontend:
+  dir: /app/web
+  theme: dark
+storage:
+  type: kubernetes
+  config:
+    inCluster: true
+web:
+  http: 0.0.0.0:5556
+telemetry:
+  http: 0.0.0.0:5558
+connectors:
+  - type: ldap
+    id: ldap
+    name: LDAP
+    config:
+      host: server.ldap.svc:389
+      insecureNoSSL: true
+      bindDN: CN=admin,DC=sighup,DC=io
+      bindPW: HatFriday
+      userSearch:
+        baseDN: ou=people,DC=sighup,DC=io
+        filter: "(objectClass=person)"
+        username: cn
+        idAttr: cn
+        emailAttr: mail
+        nameAttr: displayName
+      groupSearch:
+        baseDN: DC=sighup,DC=io
+        filter: "(objectClass=groupOfNames)"
+        userMatchers:
+          - userAttr: DN
+            groupAttr: member
+        nameAttr: cn
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+  - id: pomerium
+    redirectURIs:
+      - http://pomerium.127.0.0.1.nip.io
+    name: "Pomerium in-cluster SSO"
+    secret: pomerium
+  - id: gangplank
+    redirectURIs:
+      - http://gangplank.127.0.0.1.nip.io/callback
+    name: "In cluster LOGIN"
+    secret: gangplank
+enablePasswordDB: false

katalog/tests/gangplank/kustomization.yaml

@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../gangplank
+
+secretGenerator:
+  - name: gangplank
+    namespace: kube-system
+    files:
+      - gangplank.yml=secrets/gangplank.yml

katalog/tests/gangplank/secrets/gangplank.yml

@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+clusterName: auth-e2e
+apiServerURL: "api-e2e.127.0.0.1.nip.io"
+authorizeURL: "https://dex.127.0.0.1.nip.io/auth"
+tokenURL: "https://dex.127.0.0.1.nip.io/token"
+clientID: "gangplank"
+clientSecret: "gangplank"
+redirectURL: "https://gangplank.127.0.0.1.nip.io/callback"
+scopes: ["openid", "profile", "email", "offline_access", "groups"]
+usernameClaim: "email"
+emailClaim: "email"
+sessionSecurityKey: "fakey"

katalog/tests/install-kapp.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+set -e
+
+echo "> Checking for Kapp and installing if missing"
+
+# Check if kapp is already installed
+if command -v kapp &> /dev/null; then
+    echo "Nothing to do. Kapp is already installed."
+    exit 0
+fi
+
+# Define the kapp version
+KAPP_VERSION="v0.63.3"
+# Determine OS and architecture
+OS=$(uname -s)
+ARCH=$(uname -m)
+echo "Detected operating system: ${OS}"
+echo "Detected architecture: ${ARCH}"
+
+# Prepare the download URL based on OS and architecture
+URL=""
+case "${OS}" in
+    Linux|Darwin)
+        case "${ARCH}" in
+            x86_64|amd64) SUFFIX="amd64" ;;
+            arm|arm64) SUFFIX="arm64" ;;
+            *) echo "Architecture ${ARCH} is not supported."; exit 1 ;;
+        esac
+        URL="https://github.com/carvel-dev/kapp/releases/download/${KAPP_VERSION}/kapp-${OS}-${SUFFIX}"
+        ;;
+    *)
+        echo "Operating system ${OS} is not supported."; exit 1 ;;
+esac
+
+# Download and setup kapp
+echo "Downloading kapp from ${URL}..."
+curl -LO "${URL}"
+
+# Move the binary in to your PATH
+mv "kapp-${OS}-${SUFFIX}" /usr/local/bin/kapp
+
+# Make the binary executable
+chmod +x /usr/local/bin/kapp

katalog/tests/ldap-server/kustomization.yaml

@@ -0,0 +1,16 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ldap
+resources:
+  - ns.yaml
+  - ldap-server.yaml
+
+configMapGenerator:
+  - files:
+      - ./sighup.io-groups.ldif
+    name: ldap-ldif

katalog/tests/ldap-server/ldap-server.yaml

@@ -0,0 +1,83 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: ldap-server
+  name: ldap
+stringData:
+  LDAP_ADMIN_PASSWORD: HatFriday
+---
+kind: ConfigMap
+metadata:
+  labels:
+    app: ldap-server
+  name: ldap
+apiVersion: v1
+data:
+  LDAP_ORGANISATION: SIGHUP
+  LDAP_DOMAIN: sighup.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: server
+spec:
+  ports:
+    - name: "tcp-389"
+      port: 389
+      protocol: TCP
+      targetPort: 389
+    - name: "tcp-363"
+      port: 636
+      protocol: TCP
+      targetPort: 636
+  selector:
+    app: ldap-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ldap-server
+  name: ldap-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ldap-server
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: ldap-server
+    spec:
+      volumes:
+        - name: ldap-ldif
+          configMap:
+            name: ldap-ldif
+      containers:
+        - name: ldap-server
+          image: registry.sighup.io/fury/osixia/openldap:1.5.0
+          command:
+            - "sh"
+            - "-c"
+            - "cp -R /tmp/ldif /container/service/slapd/assets/config/bootstrap/ldif/custom && /container/tool/run"
+          envFrom:
+            - configMapRef:
+                name: ldap
+            - secretRef:
+                name: ldap
+          ports:
+            - containerPort: 389
+              name: "tcp-389"
+            - containerPort: 636
+              name: "tcp-636"
+          resources: {}
+          volumeMounts:
+            - name: ldap-ldif
+              mountPath: /tmp/ldif

katalog/tests/ldap-server/ns.yaml

@@ -0,0 +1,8 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ldap

katalog/tests/ldap-server/sighup.io-groups.ldif

@@ -0,0 +1,43 @@
+version: 1
+
+dn: ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+
+dn: cn=user1,ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: user
+sn: one
+mail: user.one@sighup.io
+displayName: "Player One"
+userPassword: userone
+
+dn: cn=user2,ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: user
+sn: two
+mail: user.two@sighup.io
+displayName: "Player Two"
+userPassword: usertwo
+
+dn: cn=engineering,ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: groupOfNames
+cn: engineering
+member: cn=user1,ou=people,dc=sighup,dc=io
+
+dn: cn=operations,ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: groupOfNames
+cn: amministrazione
+member: cn=user2,ou=people,dc=sighup,dc=io

katalog/tests/pomerium/kustomization.yaml

@@ -0,0 +1,25 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../pomerium
+
+configMapGenerator:
+  - name: pomerium
+    behavior: replace
+    envs:
+      - resources/pomerium-config.env
+  - name: pomerium-policy
+    behavior: replace
+    files:
+      - policy.yml=resources/pomerium-policy.yml
+
+secretGenerator:
+  - name: pomerium-env
+    behavior: replace
+    envs:
+      - secrets/pomerium.env

katalog/tests/pomerium/resources/pomerium-config.env

@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+AUTHENTICATE_SERVICE_HOST=pomerium.127.0.0.1.nip.io
+AUTHENTICATE_SERVICE_URL=https://$(AUTHENTICATE_SERVICE_HOST)
+AUTOCERT=false
+FORWARD_AUTH_HOST=pomerium.127.0.0.1.nip.io
+FORWARD_AUTH_URL=https://$(FORWARD_AUTH_HOST)
+IDP_CLIENT_ID=pomerium
+IDP_PROVIDER=oidc
+IDP_PROVIDER_URL=https://dex.127.0.0.1.nip.io
+IDP_SCOPES="openid profile email groups"
+LOG_LEVEL=info
+POMERIUM_DEBUG=false

katalog/tests/pomerium/resources/pomerium-policy.yml

@@ -0,0 +1,21 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+address: ":8080"
+metrics_address: ":9090"
+
+insecure_server: true
+autocert: false
+
+routes:
+  - from: https://grafana.127.0.0.1.nip.io
+    to: http://grafana.monitoring.svc.cluster.local:3000
+    allow_websockets: true
+    host_rewrite_header: true
+    preserve_host_header: true
+    pass_identity_headers: true
+    policy:
+      - allow:
+          and:
+            - authenticated_user: true

katalog/tests/pomerium/secrets/pomerium.env

@@ -0,0 +1,12 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# COOKIE_SECRET is obtained with  `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#cookie-secret
+COOKIE_SECRET=WmSD9CPtXLYWLs8kJgS8wDcOD5wv5KHsaOMXjougu/k=
+#IDP_CLIENT_SECRET is the secret configured in the pomerium Dex static client
+IDP_CLIENT_SECRET=pomerium
+# SHARED_SECRET is obtained with  `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#shared-secret
+SHARED_SECRET=2R6D4hroMwnxhDPwn03q+l7uImShSMK0KqQdQC5SrlU=
+# SIGNING_KEY is obtained with `openssl ecparam  -genkey  -name prime256v1  -noout  -out ec_private.pem` then `cat ec_private.pem | base64` see https://www.pomerium.com/docs/reference/signing-key
+SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdyTjhwRmNKNWFSTXhZZDR5WVVaK1RPaHdramdLMC9Kb3kreWhpK1M1dDFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFN3ZuNk5Ibjd2alRVTU84aFhLckZTWHRvdXpyaENTU2NyS1plb2F1TjRzN1FHcEJqY0RpTgo4aGlGQ2FITEdWbEZpRnZXczd2RUd3YWxObWlLaTgxWEVnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=