djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go

212 lines
6.9 KiB
Go
Raw Normal View History

Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package supervisorconfig
import (
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
"context"
"fmt"
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
"net/url"
"strings"
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"k8s.io/apimachinery/pkg/labels"
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/client-go/util/retry"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"k8s.io/klog/v2"
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 20:09:14 +00:00
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
pinnipedcontroller "go.pinniped.dev/internal/controller"
"go.pinniped.dev/internal/controllerlib"
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 15:22:16 +00:00
"go.pinniped.dev/internal/multierror"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"go.pinniped.dev/internal/oidc/provider"
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 15:22:16 +00:00
"go.pinniped.dev/internal/plog"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
)
// ProvidersSetter can be notified of all known valid providers with its SetIssuer function.
// If there are no longer any valid issuers, then it can be called with no arguments.
// Implementations of this type should be thread-safe to support calls from multiple goroutines.
type ProvidersSetter interface {
SetProviders(oidcProviders ...*provider.OIDCProvider)
}
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
type oidcProviderWatcherController struct {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
providerSetter ProvidersSetter
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
clock clock.Clock
client pinnipedclientset.Interface
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
opcInformer configinformers.OIDCProviderInformer
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
// NewOIDCProviderWatcherController creates a controllerlib.Controller that watches
// OIDCProvider objects and notifies a callback object of the collection of provider configs.
func NewOIDCProviderWatcherController(
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
providerSetter ProvidersSetter,
clock clock.Clock,
client pinnipedclientset.Interface,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
opcInformer configinformers.OIDCProviderInformer,
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller {
return controllerlib.New(
controllerlib.Config{
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
Name: "OIDCProviderWatcherController",
Syncer: &oidcProviderWatcherController{
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
providerSetter: providerSetter,
clock: clock,
client: client,
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
opcInformer: opcInformer,
},
},
withInformer(
opcInformer,
Use parent func to indicate when the controller queue is a singleton This prevents unnecessary sync loop runs when the controller is running with a single worker. When the controller is running with more than one worker, it prevents subtle bugs that can cause the controller to go "back in time." Signed-off-by: Monis Khan <mok@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-02 17:22:18 +00:00
pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
controllerlib.InformerOption{},
),
)
}
// Sync implements controllerlib.Syncer.
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
func (c *oidcProviderWatcherController) Sync(ctx controllerlib.Context) error {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
all, err := c.opcInformer.Lister().List(labels.Everything())
if err != nil {
return err
}
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
// Make a map of issuer strings -> count of how many times we saw that issuer string.
// This will help us complain when there are duplicate issuer strings.
// Also make a helper function for forming keys into this map.
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
issuerCounts := make(map[string]int)
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
issuerURLToIssuerKey := func(issuerURL *url.URL) string {
return fmt.Sprintf("%s://%s%s", issuerURL.Scheme, strings.ToLower(issuerURL.Host), issuerURL.Path)
}
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
// Make a map of issuer hostnames -> set of unique secret names. This will help us complain when
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
// multiple OIDCProviders have the same issuer hostname (excluding port) but specify
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
// different TLS serving Secrets. Doesn't make sense to have the one address use more than one
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
// TLS cert. Ignore ports because SNI information on the incoming requests is not going to include
// port numbers. Also make a helper function for forming keys into this map.
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
uniqueSecretNamesPerIssuerAddress := make(map[string]map[string]bool)
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
issuerURLToHostnameKey := lowercaseHostWithoutPort
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
for _, opc := range all {
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
issuerURL, err := url.Parse(opc.Spec.Issuer)
if err != nil {
continue // Skip url parse errors because they will be validated again below.
}
issuerCounts[issuerURLToIssuerKey(issuerURL)]++
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
setOfSecretNames := uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)]
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
if setOfSecretNames == nil {
setOfSecretNames = make(map[string]bool)
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
}
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:55:29 +00:00
if opc.Spec.TLS != nil {
setOfSecretNames[opc.Spec.TLS.SecretName] = true
}
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
errs := multierror.New()
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
oidcProviders := make([]*provider.OIDCProvider, 0)
for _, opc := range all {
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
issuerURL, urlParseErr := url.Parse(opc.Spec.Issuer)
// Skip url parse errors because they will be validated below.
if urlParseErr == nil {
if issuerCount := issuerCounts[issuerURLToIssuerKey(issuerURL)]; issuerCount > 1 {
if err := c.updateStatus(
ctx.Context,
opc.Namespace,
opc.Name,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
configv1alpha1.DuplicateOIDCProviderStatusCondition,
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
"Duplicate issuer: "+opc.Spec.Issuer,
); err != nil {
errs.Add(fmt.Errorf("could not update status: %w", err))
}
continue
}
}
// Skip url parse errors because they will be validated below.
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
if urlParseErr == nil && len(uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)]) > 1 {
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
if err := c.updateStatus(
ctx.Context,
opc.Namespace,
opc.Name,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
configv1alpha1.SameIssuerHostMustUseSameSecretOIDCProviderStatusCondition,
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host.
2020-10-27 00:03:26 +00:00
"Issuers with the same DNS hostname (address not including port) must use the same secretName: "+issuerURLToHostnameKey(issuerURL),
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
); err != nil {
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
errs.Add(fmt.Errorf("could not update status: %w", err))
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
continue
}
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
oidcProvider, err := provider.NewOIDCProvider(opc.Spec.Issuer) // This validates the Issuer URL.
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
if err != nil {
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
if err := c.updateStatus(
ctx.Context,
opc.Namespace,
opc.Name,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
configv1alpha1.InvalidOIDCProviderStatusCondition,
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
"Invalid: "+err.Error(),
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
); err != nil {
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
errs.Add(fmt.Errorf("could not update status: %w", err))
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
continue
}
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
if err := c.updateStatus(
ctx.Context,
opc.Namespace,
opc.Name,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
configv1alpha1.SuccessOIDCProviderStatusCondition,
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
"Provider successfully created",
); err != nil {
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
errs.Add(fmt.Errorf("could not update status: %w", err))
Backfill tests to OIDCProviderConfig controller Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 14:39:17 +00:00
continue
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
Backfill tests to OIDCProviderConfig controller Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 14:39:17 +00:00
oidcProviders = append(oidcProviders, oidcProvider)
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
c.providerSetter.SetProviders(oidcProviders...)
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
return errs.ErrOrNil()
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
}
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
func (c *oidcProviderWatcherController) updateStatus(
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
ctx context.Context,
namespace, name string,
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
status configv1alpha1.OIDCProviderStatusCondition,
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
message string,
) error {
return retry.RetryOnConflict(retry.DefaultRetry, func() error {
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
opc, err := c.client.ConfigV1alpha1().OIDCProviders(namespace).Get(ctx, name, metav1.GetOptions{})
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
if err != nil {
return fmt.Errorf("get failed: %w", err)
}
if opc.Status.Status == status && opc.Status.Message == message {
return nil
}
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 15:22:16 +00:00
plog.Debug(
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
"attempting status update",
"openidproviderconfig",
klog.KRef(namespace, name),
"status",
status,
"message",
message,
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
)
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
opc.Status.Status = status
opc.Status.Message = message
supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 15:54:50 +00:00
opc.Status.LastUpdateTime = timePtr(metav1.NewTime(c.clock.Now()))
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 22:24:55 +00:00
_, err = c.client.ConfigV1alpha1().OIDCProviders(namespace).Update(ctx, opc, metav1.UpdateOptions{})
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
return err
})
}
supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 15:54:50 +00:00
func timePtr(t metav1.Time) *metav1.Time { return &t }