Commit Graph

3556 Commits

Author SHA1 Message Date
Ryan Richard
65cab53a11 Merge branch 'main' into initial_ldap_group_support 2021-05-17 14:12:20 -07:00
Ryan Richard
8c660f09bc More debugging of tests which only fail in main CI 2021-05-17 13:53:17 -07:00
Ryan Richard
ac431ddc6d Add more to failure message in test which only fails in main CI 2021-05-17 12:57:34 -07:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
Ryan Richard
20b1c41bf5 Experiment to see if we can ignore read /dev/ptmx: input/output error
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
Ryan Richard
f5bf8978a3 Cache ResourceVersion of the validated bind Secret in memory
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883 Merge branch 'main' into initial_ldap 2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
609883c49e Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint 2021-05-13 13:07:31 -07:00
Ryan Richard
f15fc66e06 pinniped get kubeconfig refactor to use oidc.NewProvider for discovery
- Note that this adds an extra check of the response, which is that
  the issuer string in the response must match issuer of the requested
  URL.
- Some of the error messages also changed to match the errors provided
  by oidc.NewProvider
2021-05-13 12:27:42 -07:00
Margo Crawford
6479015caf Remove timeout so this test doesnt take forever 2021-05-13 10:23:44 -07:00
Ryan Richard
67dca688d7 Add an API version to the Supervisor IDP discovery endpoint
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02 Also check that the authcode storage is around for a while 2021-05-12 14:22:14 -07:00
Ryan Richard
29ca8acab4 oidc_upstream_watcher.go: two methods become private funcs 2021-05-12 14:05:08 -07:00
Ryan Richard
1ae3c6a1ad Split package upstreamwatchers into four packages 2021-05-12 14:00:39 -07:00
Ryan Richard
22092e9aed Missed a usage of int64Ptr in previous commit 2021-05-12 14:00:26 -07:00
Margo Crawford
874f938fc7 unit test for garbage collection time for refresh and access tokens 2021-05-12 13:55:54 -07:00
Ryan Richard
4804c837d4 Insignificant change in ldap_upstream_watcher_test.go 2021-05-12 13:37:01 -07:00
Ryan Richard
f0652c1ce1 Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315 Rename X-Pinniped-Idp-* headers to Pinniped-*
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
9ca72fcd30 login.go: Respect overallTimeout for LDAP login-related http requests
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
Ryan Richard
3008d1a85c Log slow LDAP authentication attempts for debugging purposes 2021-05-12 11:59:48 -07:00
Ryan Richard
6c2a775c9b Use proxy for pinniped get kubeconfig in hack/prepare-supervisor-on-kind.sh
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
Ryan Richard
41d3e3b6ec Fix lint error in e2e_test.go 2021-05-12 11:24:00 -07:00
Ryan Richard
20b86ac0a9
Merge pull request #589 from vmware-tanzu/ldap-get-kubeconfig
WIP: Support for Supervisor upstream LDAP IDPs in `pinniped get kubeconfig`
2021-05-12 10:10:49 -07:00
Margo Crawford
df0e715bb7 Add integration test that waits for access token expiry 2021-05-12 09:05:13 -07:00
Ryan Richard
6723ed9fd8 Add end-to-end integration test for CLI-based LDAP login 2021-05-11 13:55:46 -07:00
Ryan Richard
f98aa96ed3 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Ryan Richard
e25eb05450 Move Supervisor IDP discovery to its own new endpoint 2021-05-11 10:31:33 -07:00
Pinny
dbde150c38 Update CLI docs for v0.8.0 release 2021-05-10 22:01:16 +00:00
Ryan Richard
c0fcd27594
Fix typo in test/integration/e2e_test.go
Co-authored-by: Mo Khan <i@monis.app>
2021-05-10 12:51:56 -07:00
Mo Khan
1ddc85495f
Merge pull request #610 from enj/enj/t/eks_extra_nested_impersonation
impersonation proxy test: handle admin users with mixed case extra keys
2021-05-10 13:49:24 -04:00
Monis Khan
716659b74a
impersonation proxy test: handle admin users with mixed case extra keys
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-10 13:22:51 -04:00
Mo Khan
696c2b9133
Merge pull request #609 from enj/enj/t/eks_uid_nested_impersonation
impersonation proxy test: handle admin users with UID such as on EKS
2021-05-10 10:35:26 -04:00
Mo Khan
0770682bf9
impersonation proxy test: handle admin users with UID such as on EKS
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 09:21:45 -04:00
Mo Khan
88ff3164a2
Merge pull request #608 from enj/enj/i/discovery_keep_oidc_err
upstreamwatcher: do not truncate explicit oidc errors
2021-05-10 09:18:13 -04:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Matt Moyer
9fc7f43245
Merge pull request #607 from mattmoyer/fix-eks-nested-impersonation-tests
Fix TestImpersonationProxy on EKS.
2021-05-07 16:46:40 -05:00
Matt Moyer
47f5e822d0
Fix TestImpersonationProxy on EKS.
The admin kubeconfigs we have on EKS clusters are a bit different from others, because there is no certificate/key (EKS does not use certificate auth).

This code didn't quite work correctly in that case. The fix is to allow the case where `tlsConfig.GetClientCertificate` is non-nil, but returns a value with no certificates.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-07 16:22:08 -05:00
Mo Khan
cc99d9aeb4
Merge pull request #606 from enj/enj/i/log_discovery_err
upstreamwatcher: preserve oidc discovery error
2021-05-07 16:56:52 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Matt Moyer
a08a28d67b
Merge pull request #603 from vmware-tanzu/dependabot/docker/golang-1.16.4
Bump golang from 1.16.3 to 1.16.4
2021-05-07 06:58:13 -05:00
dependabot[bot]
2634c9f04a
Bump golang from 1.16.3 to 1.16.4
Bumps golang from 1.16.3 to 1.16.4.

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 05:49:58 +00:00
Margo Crawford
29a1ca5168
Merge pull request #602 from vmware-tanzu/access-token-lifetime
Change access token storage lifetime to be the same as the refresh token's
2021-05-06 14:39:52 -07:00
Margo Crawford
5240f5e84a Change access token storage lifetime to be the same as the refresh token's
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Matt Moyer
a8bccc5432
Merge pull request #599 from mattmoyer/docs-tweak-configure-supervisor-with-gitlab
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
2021-05-04 17:32:14 -05:00
Matt Moyer
f167a075dd
Clean up this language in configure-supervisor-with-gitlab.md a bit more.
This was duplicitive.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
8136c787a7
More adjustments to configure-supervisor-with-gitlab.md.
- Use `nickname` claim as an example, which means we only need the `openid` scope.
  This is also more stable since emails can change over time.

- Put the OIDCIdentityProvider and Secret into one YAML blob, since they will likely be copy-pasted together anyway.

- Add a separate section for using alternate claims.

- Add a separate section for using a private GitLab instance.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00