First pass at migration scaffolding, enough to do GUID -> DN lookups

There is still much work to do, but at the very least we can read
the relevant auth configuration details from k8s and use those
details to make LDAP queries, and that's nearly all of what we need
to perform the migration.

cleanup/ad-guid-unmigration.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+# set -x
+set -e
+
+CLEAR='\033[0m'
+RED='\033[0;31m'
+
+# Location of the yaml to use to deploy the cleanup job
+yaml_url=https://raw.githubusercontent.com/rancher/rancher/master/cleanup/ad-guid-unmigration.yaml
+
+# 120 is equal to a minute as the sleep is half a second
+timeout=120
+
+# Agent image to use in the yaml file
+agent_image="$1"
+
+show_usage() {
+  if [ -n "$1" ]; then
+    echo -e "${RED}👉 $1${CLEAR}\n";
+  fi
+	echo -e "Usage: $0 [AGENT_IMAGE] [FLAGS]"
+	echo "AGENT_IMAGE is a required argument"
+	echo ""
+	echo "Flags:"
+	echo -e "\t-dry-run Display the resources that would will be updated without making changes"
+}
+
+if [ $# -lt 1 ]
+then
+	show_usage "AGENT_IMAGE is a required argument"
+	exit 1
+fi
+
+if [[ $1 == "-h" ||$1 == "--help" ]]
+then
+	show_usage
+	exit 0
+fi
+
+# Pull the yaml and replace the agent_image holder with the passed in image
+# yaml=$(curl --insecure -sfL $yaml_url | sed -e 's=agent_image='"$agent_image"'=')
+# Except it isn't pushed anywhere useful yet, so instead read the local file
+yaml=$(cat ad-guid-unmigration.yaml | sed -e 's=agent_image='"$agent_image"'=')
+
+if [ "$2" = "-dry-run" ]
+then
+    # Uncomment the env var for dry-run mode
+    yaml=$(sed -e 's/# // ' <<< "$yaml")
+fi
+
+echo "$yaml" | kubectl apply -f -
+
+# Get the pod ID to tail the logs
+pod_id=$(kubectl get pod -l job-name=cattle-cleanup-job -o jsonpath="{.items[0].metadata.name}")
+
+declare -i count=0
+until kubectl logs $pod_id -f
+do
+    if [ $count -gt $timeout ]
+    then
+        echo "Timout reached, check the job by running kubectl get jobs"
+        exit 1
+    fi
+    sleep 0.5
+    count+=1
+done
+
+# Cleanup after it completes successfully
+echo "$yaml" | kubectl delete -f -

cleanup/ad-guid-unmigration.yaml

@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cattle-cleanup-sa
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cattle-cleanup-binding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cattle-cleanup-role
+subjects:
+  - kind: ServiceAccount
+    name: cattle-cleanup-sa
+    namespace: default
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cattle-cleanup-job
+  namespace: default
+  labels:
+    rancher-cleanup: "true"
+spec:
+  backoffLimit: 6
+  completions: 1
+  parallelism: 1
+  selector:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      containers:
+        - env:
+            - name: AD_GUID_CLEANUP
+              value: "true"
+            # - name: DRY_RUN
+              # value: "true"
+          image: agent_image
+          imagePullPolicy: Always
+          command: ["agent"]
+          name: cleanup-agent
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: OnFailure
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccountName: cattle-cleanup-sa
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cattle-cleanup-role
+  namespace: default
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+  - apiGroups:
+      - management.cattle.io
+    resources:
+      - authconfigs
+      - clusterroletemplatebindings
+      - projectroletemplatebindings
+      - users
+    verbs:
+      - '*'
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+      - clusterrolebindings
+    verbs:
+      - list
+      - get
+      - delete
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - list
+      - get
+      - delete

cmd/agent/main.go

@@ -80,6 +80,8 @@ func main() {
 				bindingErr = multierror.Append(bindingErr, err)
 			}
 			err = bindingErr
+		} else if os.Getenv("AD_GUID_CLEANUP") == "true" {
+			err = clean.ListAdUsers(nil)
 		} else {
 			err = run(ctx)
 		}