Commit Graph

303 Commits

Author SHA1 Message Date
Matt Moyer
5290aac66f
Adjust "/bin/killall sleep" in new test to be less flaky in CI.
Sometimes the container runtime detects the exiting PID 1 very quickly and shuts down the entire container while the `killall` process is still running.
When this happens, we see it as exit code 137 (SIGKILL).

This never failed for me in Kind locally, but fails pretty often in CI (probably due to timing differences).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 14:51:55 -05:00
Matt Moyer
c1b1082c55
Fix some minor linter style warnings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 11:47:05 -05:00
Matt Moyer
24c8bdef44
Add a test to verify that the kube-cert-agent recovers when a pod becomes unhealthy.
This required some small adjustments to the produciton code to make it more feasible to test.

The new test takes an existing agent pod and terminates the `sleep` process, causing the pod to go into an `Error` status.
The agent controllers _should_ respond to this by deleting and recreating that failed pod, but the current code just gets stuck.

This is meant to replicate the situation when a cluster is suspended and resumed, which also causes the agent pod to be in this terminal error state.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-21 16:48:00 -05:00
Matt Moyer
6a0dc1e2bb
Fix an issue in TestE2EFullIntegration groups assertions.
The group claims read from the session cache file are loaded as `[]interface{}` (slice of empty interfaces) so when we previously did a `groups, _ := idTokenClaims[oidc.DownstreamGroupsClaim].([]string)`, then `groups` would always end up nil.

The solution I tried here was to convert the expected value to also be `[]interface{}` so that `require.Equal(t, ...)` does the right thing.

This bug only showed up in our acceptance environnment against Okta, since we don't have any other integration test coverage with IDPs that pass a groups claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-14 21:06:02 -06:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Andrew Keesler
8a916ce8ae
test/integration: add test helper to avoid race conditions
We were seeing a race in this test code since the require.NoError() and
require.Eventually() would write to the same testing.T state on separate
goroutines. Hopefully this helper function should cover the cases when we want
to require.NoError() inside a require.Eventually() without causing a race.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:35 -05:00
Andrew Keesler
a0546942b8
test/integration: skip part of test to avoid Kube 1.20 GC bug
See comment.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:26 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-12 11:23:25 -05:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Monis Khan
bba0f3a230
Always set an owner ref back to our deployment
This change updates our clients to always set an owner ref when:

1. The operation is a create
2. The object does not already have an owner ref set

Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-07 15:25:40 -05:00
Andrew Keesler
3d8616e75f
test/integration: fix intermittent failures on GKE
See comment. This is at least a first step to make our GKE acceptance
environment greener. Previously, this test assumed that the Pinniped-under-test
had been deployed in (roughly) the last 10 minutes, which is not an assumption
that we make anywhere else in the integration test suite.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-06 12:09:11 -05:00
aram price
cc5af1a810 Fix lint error
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 15:28:56 -08:00
Ryan Richard
2f518b8b7c TLSCertObserverController Syncs less often by adjusting its filters
- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 15:10:48 -08:00
Ryan Richard
1056cef384 Sync garbage collector controller less often by adjusting its filters
- Only sync on add/update of secrets in the same namespace which
  have the "storage.pinniped.dev/garbage-collect-after" annotation, and
  also during a full resync of the informer whenever secrets in the
  same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
  unnecessarily when it deletes a secret. This controller is never
  interested in deleted secrets, since its only job is to delete
  existing secrets.
- No change to the self-imposed rate limit logic. That still applies
  because secrets with this annotation will be created and updated
  regularly while the system is running (not just during rare system
  configuration steps).
2020-12-18 09:36:28 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets 2020-12-17 17:42:04 -08:00
aram price
187bd9060c All FederationDomain Secrets have distinct Types
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 17:07:38 -08:00
Matt Moyer
e0b94f4780
Move our main image references to the VMware Harbor registry.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 17:51:09 -06:00
aram price
587cced768 Add extra type info where SecretType is used 2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type
Signed-off-by: aram price <pricear@vmware.com>
2020-12-17 15:30:26 -08:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00
Aram Price
55483b726b More "op" and "opc" local variable renames
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 13:49:53 -08:00
Ryan Richard
65e7df1417
Merge branch 'main' into more-opc-rename 2020-12-17 12:10:19 -08:00
Ryan Richard
b96d49df0f Rename all "op" and "opc" usages
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 11:34:49 -08:00
Matt Moyer
41832369fd
Upgrade the Dex we use for local testing to v2.27.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 12:04:09 -06:00
Ryan Richard
4c6e1e5fb3 supervisor_login_test.go: wait for the /jwks.json endpoint to be ready
- Also fail in a more obvious way if the token exchanged failed by
  adding an assertion about its status code
2020-12-16 17:59:39 -08:00
Ryan Richard
b2b906f4fe supervisor_discovery_test.go: make test timeouts longer to avoid flakes 2020-12-16 15:13:02 -08:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Matt Moyer
7bb0d649c0
Merge pull request #290 from mattmoyer/rename-token-exchange-scope
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
2020-12-16 15:22:05 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 15:16:31 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:06 -06:00
Ryan Richard
dcb19150fc Nest claim configs one level deeper in JWTAuthenticatorSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-16 09:42:19 -08:00
Andrew Keesler
fec80113c7
Revert "Retry a couple of times if we fail to get a token from the Supervisor"
This reverts commit be4e34d0c0.

Roll back this change that was supposed to make the test more robust. If we
retry multiple token exchanges with the same auth code, of course we are going
to get failures on the second try onwards because the auth code was invalidated
on the first try.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 09:04:29 -05:00
Andrew Keesler
5bdbfe1bc6
test/integration: more verbosity to try to track down flakes...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 09:04:25 -05:00
aram price
78df80f128 Tests ensure OIDCProvider secrets exist
... whenever one is successfully created.
2020-12-15 18:26:27 -08:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Ryan Richard
91af51d38e Fix integration tests to work with the username and sub claims
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-15 17:16:08 -08:00
Andrew Keesler
0758ecfea8 Tests wait for OIDCProvider secrets to be set
Signed-off-by: aram price <pricear@vmware.com>
2020-12-15 15:46:55 -08:00
Aram Price
0bd428e45d
test/integration: more logging to track down flakes
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 16:52:57 -05:00
Andrew Keesler
056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 15:55:46 -05:00
Matt Moyer
0b38d6c763
Add TestE2EFullIntegration test which combines supervisor, concierge, and CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
ff49647de4
Add some missing test logs in test/library/client.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
e0eba9d5a6
Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching.
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00