Switched to custom kind image with webhook image loaded in

Makefile

@@ -1,7 +1,7 @@
 # Image URL to use all building/pushing image targets
 IMG ?= cedar-webhook:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
-ENVTEST_K8S_VERSION = 1.31.0
+ENVTEST_K8S_VERSION = 1.31.1
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -24,29 +24,25 @@ SHELL = /usr/bin/env bash -o pipefail
 
 ##@ Demo
 
-.PHONY: authz-webhoook-container
-authz-webhook-container: ## Start the authorization webhook server
-	$(CONTAINER_TOOL) run \
-		-d \
-		--name cedar-authorizer \
-		-v ./mount/policies:/cedar-authorizer/policies/:ro \
-		-v ./mount/certs/:/var/run/cedar-authorizer/certs \
-		--network kind \
-		-p 10288:10288 \
-		-p 10289:10289 \
-		-e KUBECONFIG=/cedar-authorizer/policies/cedar-kubeconfig.yaml \
-		$(IMG) \
-		    -v 4 \
-			--bind-address 0.0.0.0
-
-.PHONY: clean-authz-webhook
-clean-authz-webhook: ## Tear down and clean up the authorization webhook
-	$(CONTAINER_TOOL) kill cedar-authorizer
-	$(CONTAINER_TOOL) rm cedar-authorizer
-	rm ./mount/certs/cedar-authorizer-server.crt ./mount/certs/cedar-authorizer-server.key
+WEBHOOK_TARBALL = webhook.image.tar
+KIND_NODE_IMG = cedar-kind-node:latest
+
+# Once kind supports easily building node images with additional container images baked in, we'll just switch to that.
+# https://github.com/kubernetes-sigs/kind/pull/3634
+# We'll drop the node dockerfile and build the custom image in the `kind-image` target like:
+#     kind build add-image cedar-webhook:latest --image cedar-kind-node:latest
+
+.PHONY: kind-image
+kind-image: image-build ## Build the kind node image
+	$(CONTAINER_TOOL) image save $(IMG) -o scratch/$(WEBHOOK_TARBALL)
+	$(CONTAINER_TOOL) build \
+		-t $(KIND_NODE_IMG) \
+		-f ./scratch/Dockerfile \
+		--build-arg BASE_IMAGE=kindest/node:v$(ENVTEST_K8S_VERSION) \
+		./scratch
 
 .PHONY: kind
-kind: ## Start a kind cluster configured to use the local authorization webhook
+kind: kind-image ## Start a kind cluster configured to use the local authorization webhook
 	$(FINCH_FEATURE) kind create cluster --config kind.yaml -v2
 	kubectl apply -f config/crd/bases/cedar.k8s.aws_policies.yaml
 	kubectl apply -f demo/authorization-policy.yaml
@@ -61,6 +57,16 @@ kind: ## Start a kind cluster configured to use the local authorization webhook
 		sed -e "s/CA_BUNDLE_CONTENT/$(shell cat mount/certs/cedar-authorizer-server.crt | base64)/" | \
 		kubectl apply -f -
 
+.PHONY: clean-kind
+clean-kind: ## Delete the kind cluster and clean up genereated files
+	$(FINCH_FEATURE) kind delete cluster --name cedar-authz-cluster
+	rm \
+		./mount/policies/cedar-kubeconfig.yaml \
+		./mount/*-user-kubeconfig.yaml \
+		./mount/logs/kube-apiserver-audit* \
+		./mount/certs/cedar-authorizer-server.* \
+		./scratch/webhook.image.tar
+
 .PHONY: sample-user-kubeconfig
 sample-user-kubeconfig: ## Create a user 'sample-user' in the groups 'sample-group' and 'requires-labels'
 	# Create a sample user kubeconfig so devs have an alternate identity to test things with
@@ -85,24 +91,12 @@ test-user-kubeconfig: ## Create a user 'test-user' in the groups 'test-group' an
 	# Set the test user kubeconfig's server URL to something useable from the developer's desktop
 	kubectl --kubeconfig ./mount/test-user-kubeconfig.yaml config set clusters.kubernetes.server $(shell kubectl config view --minify -o jsonpath="{.clusters[0].cluster.server}")
 
-.PHONY: clean-kind
-clean-kind: ## Delete the kind cluster and clean up genereated files
-	$(FINCH_FEATURE) kind delete cluster --name cedar-authz-cluster
-	rm ./mount/policies/cedar-kubeconfig.yaml ./mount/*-user-kubeconfig.yaml ./mount/logs/kube-apiserver-audit*
-
 .PHONY: admission-webhook
 admission-webhook: ## Install the Cedar validatingwebhookconfiguration
 	cat manifests/admission-webhook.yaml | \
 		sed -e "s/CA_BUNDLE_CONTENT/$(shell cat mount/certs/cedar-authorizer-server.crt | base64)/" | \
 		kubectl apply -f -
 
-WEBHOOK_TARBALL = scratch/webhook.image.tar
-
-.PHONY: load-webhook-image
-load-webhook-image:  ## Load the webhook image into the kind cluster
-	$(CONTAINER_TOOL) image save $(IMG) -o $(WEBHOOK_TARBALL)
-	$(FINCH_FEATURE) kind load image-archive $(WEBHOOK_TARBALL) --name cedar-authz-cluster
-
 ##@ Cedar Schema
 
 SCHEMA_DIR = cedarschema

docs/Setup.md

@@ -31,51 +31,22 @@ finch vm start
 
 ## Local Quickstart
 
-<!--
-Once kind supports easily building node images with additional container images baked in, we'll just switch to that.
-https://github.com/kubernetes-sigs/kind/pull/3634
-
-This will reduce the steps to essentially:
-    make image-build
-    make kind
-
-We'll build the custom image in the `make kind` target like:
-    kind build add-image cedar-webhook:latest --image cedar-kind-node:latest
-    kind create cluster ...
-
-with an edit to kind.yaml to reference our image
-```yaml
-nodes:
-- role: control-plane
-  image: cedar-kind-node:latest
-```
-
-Then we won't rely on the concurrent image loading, and can have kind e2e tests in CI
- -->
-
 1. For an optional local build of the binaries, you can run:
     ```bash
     make build
     ```
-2. Build the authorizer/admission webhook container by running:
-    ```bash
-    make image-build
-    ```
-3. Start the Kind cluster. This cluster is configured to authorize requests via the cedar webhook
+2. Start the Kind cluster
+    This will build the webhook image, the Kind image, and create the Kind cluster. 
+    This cluster is configured to authorize and validate requests via the Cedar webhook:
    ```bash
    make kind
    ```
-4. While the Kind Kubernetes control plane is coming up, in another terminal you'll need to side-load the cedar container image into the kind cluster. You have about 20 seconds to do this after running `make kind` before the kind cluster will fail. 
-    If you miss the window, just run `make clean-kind` before trying `make kind` again.
-    ```bash
-    make load-webhook-image
-    ```
-5. Create policies. There's an example in `demo/authorization-policy.yaml` that is auto-created, but feel free to modify it or create more
+3. Create policies. There's an example in `demo/authorization-policy.yaml` that is auto-created, but feel free to modify it or create more
    ```bash
    # edit demo/authorization-policy.yaml
    kubectl apply -f demo/authorization-policy.yaml
    ```
-6. Now you can make requests! You'll need use the generated kubeconfig `./mount/test-user-kubeconfig.yam` created in step 6. The user has the name `test-user` with the group `test-group`. Your default kubeconfig (`~/.kube/config`) will be auto-configured by kind with a cluster administrator identity, so `kubectl` without specifying a kubeconfig should always just work.
+4. Now you can make requests! You'll need use the generated kubeconfig `./mount/test-user-kubeconfig.yam` created in step 6. The user has the name `test-user` with the group `test-group`. Your default kubeconfig (`~/.kube/config`) will be auto-configured by kind with a cluster administrator identity, so `kubectl` without specifying a kubeconfig should always just work.
     ```bash
     # Lookup the username you are testing
     KUBECONFIG=./mount/test-user-kubeconfig.yaml kubectl auth whoami
@@ -95,19 +66,19 @@ Then we won't rely on the concurrent image loading, and can have kind e2e tests
     KUBECONFIG=./mount/test-user-kubeconfig.yaml kubectl get service \
         --as system:serviceaccount:default:service-manager
     ```
-7. Try out admission policies:
+5. Try out admission policies:
     ```bash
     # (Optional) Update the validating webhook API groups/versions/resources you want validated
-    # by edting demo/admission-webhook.yaml and then re-applying the webhook
+    # by edting manifests/admission-webhook.yaml and then re-applying the webhook
     # $ make admission-webhook
 
+    # Apply an example admission policy
+    kubectl apply -f demo/admission-policy.yaml
+
     # Create sample user in requires-labels group
     make sample-user-kubeconfig
     KUBECONFIG=./mount/sample-user-kubeconfig.yaml kubectl auth whoami
 
-    # Apply an example admission policy
-    kubectl apply -f demo/admission-policy.yaml
-
     # Try to create a configmap without labels as the sample user
     KUBECONFIG=./mount/sample-user-kubeconfig.yaml kubectl create configmap test-config --from-literal=k1=v1
     KUBECONFIG=./mount/sample-user-kubeconfig.yaml kubectl get configmap

kind.yaml

@@ -23,8 +23,9 @@ kubeadmConfigPatches:
         name: api-server-cedar-authorizer-files
 nodes:
 - role: control-plane
+  image: cedar-kind-node:latest
   extraMounts:
   - hostPath: "./mount"
     containerPath: "/cedar-authorizer"
-  - hostPath: "./manifests/cedar-webhook.yaml"
-    containerPath: "/etc/kubernetes/manifests/cedar-webhook.yaml"
+  - hostPath: "./manifests/cedar-authorization-webhook.yaml"
+    containerPath: "/etc/kubernetes/manifests/cedar-authorization-webhook.yaml"

scratch/Dockerfile

@@ -0,0 +1,11 @@
+# Dockerfile for Kind node
+ARG BASE_IMAGE=kindest/node:v1.31.1
+
+FROM ${BASE_IMAGE} AS builder
+
+COPY webhook.image.tar /kind/images/webhook.image.tar
+RUN containerd & ctr -n k8s.io i import /kind/images/webhook.image.tar || echo "success"
+
+FROM ${BASE_IMAGE}
+
+COPY --from=builder /var/lib/containerd /var/lib/containerd