djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
268e1108d1
ContainerImage.Pinniped/internal/config/supervisor/config_test.go

528 lines
14 KiB
Go
Raw Normal View History

HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
// SPDX-License-Identifier: Apache-2.0
package supervisor
import (
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
"context"
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
"fmt"
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
"io/ioutil"
"os"
"testing"
"github.com/stretchr/testify/require"
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
"k8s.io/utils/pointer"
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
"go.pinniped.dev/internal/here"
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
"go.pinniped.dev/internal/plog"
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
)
func TestFromPath(t *testing.T) {
tests := []struct {
name string
yaml string
wantConfig *Config
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
wantError string
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
}{
{
name: "Happy",
yaml: here.Doc(`
---
internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 15:52:12 +00:00
apiGroupSuffix: some.suffix.com
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
labels:
myLabelKey1: myLabelValue1
myLabelKey2: myLabelValue2
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
names:
defaultTLSCertificateSecret: my-secret-name
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
endpoints:
https:
network: unix
address: :1234
http:
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
network: tcp
address: 127.0.0.1:1234
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
insecureAcceptExternalUnencryptedHttpRequests: false
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
logLevel: trace
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
`),
wantConfig: &Config{
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 20:20:00 +00:00
APIGroupSuffix: pointer.StringPtr("some.suffix.com"),
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "unix",
Address: ":1234",
},
HTTP: &Endpoint{
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
Network: "tcp",
Address: "127.0.0.1:1234",
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
},
},
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
AllowExternalHTTP: false,
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
Log: plog.LogSpec{
Level: plog.LevelTrace,
},
},
},
{
name: "Happy with new log field",
yaml: here.Doc(`
---
apiGroupSuffix: some.suffix.com
labels:
myLabelKey1: myLabelValue1
myLabelKey2: myLabelValue2
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: unix
address: :1234
http:
network: tcp
address: 127.0.0.1:1234
insecureAcceptExternalUnencryptedHttpRequests: false
log:
level: info
format: text
`),
wantConfig: &Config{
APIGroupSuffix: pointer.StringPtr("some.suffix.com"),
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "unix",
Address: ":1234",
},
HTTP: &Endpoint{
Network: "tcp",
Address: "127.0.0.1:1234",
},
},
AllowExternalHTTP: false,
Log: plog.LogSpec{
Level: plog.LevelInfo,
Format: plog.FormatText,
},
},
},
{
name: "Happy with old and new log field",
yaml: here.Doc(`
---
apiGroupSuffix: some.suffix.com
labels:
myLabelKey1: myLabelValue1
myLabelKey2: myLabelValue2
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: unix
address: :1234
http:
network: tcp
address: 127.0.0.1:1234
insecureAcceptExternalUnencryptedHttpRequests: false
logLevel: trace
log:
level: info
format: text
`),
wantConfig: &Config{
APIGroupSuffix: pointer.StringPtr("some.suffix.com"),
Labels: map[string]string{
"myLabelKey1": "myLabelValue1",
"myLabelKey2": "myLabelValue2",
},
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "unix",
Address: ":1234",
},
HTTP: &Endpoint{
Network: "tcp",
Address: "127.0.0.1:1234",
},
},
AllowExternalHTTP: false,
LogLevel: func(level plog.LogLevel) *plog.LogLevel { return &level }(plog.LevelTrace),
Log: plog.LogSpec{
Level: plog.LevelTrace,
Format: plog.FormatText,
},
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
},
},
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
{
name: "bad log format",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
log:
level: info
format: cli
`),
wantError: "decode yaml: error unmarshaling JSON: while decoding JSON: invalid log format, valid choices are the empty string, json and text",
},
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
{
name: "When only the required fields are present, causes other fields to be defaulted",
yaml: here.Doc(`
---
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
names:
defaultTLSCertificateSecret: my-secret-name
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
`),
wantConfig: &Config{
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 20:20:00 +00:00
APIGroupSuffix: pointer.StringPtr("pinniped.dev"),
internal/config: wire API group suffix through to server components Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 15:52:12 +00:00
Labels: map[string]string{},
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "tcp",
Address: ":8443",
},
HTTP: &Endpoint{
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
Network: "disabled",
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
},
},
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
AllowExternalHTTP: false,
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
},
},
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
{
name: "all endpoints disabled",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
http:
network: disabled
`),
wantError: "validate endpoints: all endpoints are disabled",
},
{
name: "invalid https endpoint",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: foo
http:
network: disabled
`),
wantError: `validate https endpoint: unknown network "foo"`,
},
{
name: "invalid http endpoint",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
http:
network: bar
`),
wantError: `validate http endpoint: unknown network "bar"`,
},
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
{
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests missing",
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
http:
network: tcp
address: :8080
`),
wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
},
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
{
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean false",
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
http:
network: tcp
address: :8080
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
insecureAcceptExternalUnencryptedHttpRequests: false
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
`),
wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
},
{
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to unsupported value",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
insecureAcceptExternalUnencryptedHttpRequests: "garbage" # this will be treated as the default, which is false
`),
wantError: `decode yaml: error unmarshaling JSON: while decoding JSON: invalid value for boolean`,
},
{
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string false",
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
http:
network: tcp
address: :8080
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
insecureAcceptExternalUnencryptedHttpRequests: "false"
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
`),
wantError: `validate http endpoint: http listener address ":8080" for "tcp" network may only bind to loopback interfaces`,
},
{
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to boolean true",
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
http:
network: tcp
address: :1234
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
insecureAcceptExternalUnencryptedHttpRequests: true
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
`),
wantConfig: &Config{
APIGroupSuffix: pointer.StringPtr("pinniped.dev"),
Labels: map[string]string{},
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "tcp",
Address: ":8443",
},
HTTP: &Endpoint{
Network: "tcp",
Address: ":1234",
},
},
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
AllowExternalHTTP: true,
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
},
},
{
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
name: "http endpoint uses tcp but binds to more than only loopback interfaces with insecureAcceptExternalUnencryptedHttpRequests set to string true",
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
http:
network: tcp
address: :1234
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
insecureAcceptExternalUnencryptedHttpRequests: "true"
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
`),
wantConfig: &Config{
APIGroupSuffix: pointer.StringPtr("pinniped.dev"),
Labels: map[string]string{},
NamesConfig: NamesConfigSpec{
DefaultTLSCertificateSecret: "my-secret-name",
},
Endpoints: &Endpoints{
HTTPS: &Endpoint{
Network: "tcp",
Address: ":8443",
},
HTTP: &Endpoint{
Network: "tcp",
Address: ":1234",
},
},
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
AllowExternalHTTP: true,
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
},
},
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
{
name: "endpoint disabled with non-empty address",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: disabled
address: wee
`),
wantError: `validate https endpoint: address set to "wee" when disabled, should be empty`,
},
{
name: "endpoint tcp with empty address",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
http:
network: tcp
`),
wantError: `validate http endpoint: address must be set with "tcp" network`,
},
{
name: "endpoint unix with empty address",
yaml: here.Doc(`
---
names:
defaultTLSCertificateSecret: my-secret-name
endpoints:
https:
network: unix
`),
wantError: `validate https endpoint: address must be set with "unix" network`,
},
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
{
name: "Missing defaultTLSCertificateSecret name",
yaml: here.Doc(`
---
`),
wantError: "validate names: missing required names: defaultTLSCertificateSecret",
},
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
{
name: "apiGroupSuffix is prefixed with '.'",
yaml: here.Doc(`
---
apiGroupSuffix: .starts.with.dot
names:
defaultTLSCertificateSecret: my-secret-name
`),
Migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 17:56:05 +00:00
wantError: "validate apiGroupSuffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')",
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-01-13 01:27:41 +00:00
},
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
// this is a serial test because it sets the global logger
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
// Write yaml to temp file
f, err := ioutil.TempFile("", "pinniped-test-config-yaml-*")
require.NoError(t, err)
defer func() {
err := os.Remove(f.Name())
require.NoError(t, err)
}()
_, err = f.WriteString(test.yaml)
require.NoError(t, err)
err = f.Close()
require.NoError(t, err)
// Test FromPath()
Switch to go.uber.org/zap for JSON formatted logging Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-16 02:43:53 +00:00
ctx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
config, err := FromPath(ctx, f.Name())
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
if test.wantError != "" {
require.EqualError(t, err, test.wantError)
} else {
require.NoError(t, err)
require.Equal(t, test.wantConfig, config)
}
Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 19:40:56 +00:00
})
}
}
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
func TestAddrIsOnlyOnLoopback(t *testing.T) {
tests := []struct {
addr string
want bool
}{
{addr: "localhost:", want: true},
{addr: "localhost:0", want: true},
{addr: "localhost:80", want: true},
{addr: "localhost:http", want: true},
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
{addr: "ip6-localhost:", want: true},
{addr: "ip6-localhost:0", want: true},
{addr: "ip6-localhost:80", want: true},
{addr: "ip6-localhost:http", want: true},
{addr: "ip6-loopback:", want: true},
{addr: "ip6-loopback:0", want: true},
{addr: "ip6-loopback:80", want: true},
{addr: "ip6-loopback:http", want: true},
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
{addr: "127.0.0.1:", want: true},
{addr: "127.0.0.1:0", want: true},
{addr: "127.0.0.1:80", want: true},
{addr: "127.0.0.1:http", want: true},
{addr: "[::1]:", want: true},
{addr: "[::1]:0", want: true},
{addr: "[::1]:80", want: true},
{addr: "[::1]:http", want: true},
{addr: "[0:0:0:0:0:0:0:1]:", want: true},
{addr: "[0:0:0:0:0:0:0:1]:0", want: true},
{addr: "[0:0:0:0:0:0:0:1]:80", want: true},
{addr: "[0:0:0:0:0:0:0:1]:http", want: true},
{addr: "", want: false}, // illegal input, can't be empty
{addr: "host", want: false}, // illegal input, need colon
{addr: "localhost", want: false}, // illegal input, need colon
{addr: "127.0.0.1", want: false}, // illegal input, need colon
{addr: ":", want: false}, // illegal input, need either host or port
{addr: "2001:db8::1:80", want: false}, // illegal input, forgot square brackets
{addr: ":0", want: false},
{addr: ":80", want: false},
{addr: ":http", want: false},
{addr: "notlocalhost:", want: false},
{addr: "notlocalhost:0", want: false},
{addr: "notlocalhost:80", want: false},
{addr: "notlocalhost:http", want: false},
{addr: "0.0.0.0:", want: false},
{addr: "0.0.0.0:0", want: false},
{addr: "0.0.0.0:80", want: false},
{addr: "0.0.0.0:http", want: false},
{addr: "[::]:", want: false},
{addr: "[::]:0", want: false},
{addr: "[::]:80", want: false},
{addr: "[::]:http", want: false},
{addr: "42.42.42.42:", want: false},
{addr: "42.42.42.42:0", want: false},
{addr: "42.42.42.42:80", want: false},
{addr: "42.42.42.42:http", want: false},
{addr: "[2001:db8::1]:", want: false},
{addr: "[2001:db8::1]:0", want: false},
{addr: "[2001:db8::1]:80", want: false},
{addr: "[2001:db8::1]:http", want: false},
{addr: "[fe80::1%zone]:", want: false},
{addr: "[fe80::1%zone]:0", want: false},
{addr: "[fe80::1%zone]:80", want: false},
{addr: "[fe80::1%zone]:http", want: false},
}
for _, test := range tests {
tt := test
t.Run(fmt.Sprintf("address %s should be %t", tt.addr, tt.want), func(t *testing.T) {
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
t.Parallel()
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
require.Equal(t, tt.want, addrIsOnlyOnLoopback(tt.addr))
})
}
}
Reference in New Issue Copy Permalink