Commit Graph

185 Commits

Author SHA1 Message Date
Ryan Richard
185bcb6c8c Add identity transformation packages idtransform and celformer
Implements Supervisor identity transformations helpers using CEL.
2023-02-06 16:53:08 -08:00
Ryan Richard
aa57a5150e Add package starformer, uses Starlark for user-defined authn filters 2023-02-01 10:49:38 -08:00
Joshua Casey
b9c8e359ab Use sync/atomic instead of go.uber.org/atomic 2023-01-31 10:10:44 -06:00
Joshua Casey
0d4a4fd2bf Bump to go 1.18 semantics 2023-01-31 10:09:55 -06:00
dependabot[bot]
efeb9a9de0 Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.80.1 to 2.90.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.80.1...v2.90.0)

---
updated-dependencies:
- dependency-name: k8s.io/klog/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-25 09:02:36 -06:00
Ryan Richard
c6e4133c5e Accept both old and new cert error strings on MacOS in test assertions
Used this as an opportunity to refactor how some tests were
making assertions about error strings.

New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.

All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
8cad5ea3c9 Update Kube deps to 0.26.1
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-19 14:03:37 -08:00
Joshua Casey
a430f4b730 Bump K8s deps to 0.26 and add codegen for 0.26 2023-01-18 13:41:06 -08:00
Ryan Richard
9aafff78f1 bump two more direct deps 2023-01-18 08:26:55 -08:00
Joshua Casey
f9e2212882 Bump all deps except K8s
Resolves:
- #1360
- #1361
- #1362
- #1363
- #1364
- #1365
2023-01-17 21:11:39 -06:00
Ryan Richard
e1a0367b03 Upgrade project Go dependencies
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688

Due to the changes in fosite PR #688, we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
dependabot[bot]
e122e65b0a
Bump github.com/tdewolff/minify/v2 from 2.12.1 to 2.12.2
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.12.1 to 2.12.2.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.12.1...v2.12.2)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:34:52 +00:00
Ryan Richard
bad95c072e Upgrade project dependencies to latest
- Upgrade Go used in CI from 1.19.0 to 1.19.1
- Upgrade all go.mod direct dependencies to latest available versions
- Upgrade distroless base image to latest available version
- Upgrade Go fips compiler to to latest available version

Note that upgrading the go-oidc library changed an error message
returned by that library, so update the places where tests were
expecting that error message.
2022-09-23 14:41:54 -07:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
c1ebf5b737 Run go mod tidy -compat=1.17 2022-08-24 10:06:56 -07:00
Ryan Richard
dd7902faa0 bump golang deps 2022-08-24 10:03:09 -07:00
Ryan Richard
2c048bcb4f
Bump all deps to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
e78c7d4e0e
update kube codegen versions and add 1.24 codegen
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
Monis Khan
2cdb55e7da
Bump deps to latest and go mod compat to 1.17
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-28 15:37:51 -04:00
Ryan Richard
cab9ac8368 bump kube deps from v0.23.5 to v0.23.6 2022-04-21 09:17:24 -07:00
dependabot[bot]
cd982655a2
Bump k8s.io/klog/v2 from 2.40.1 to 2.60.1
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.40.1 to 2.60.1.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.40.1...v2.60.1)

---
updated-dependencies:
- dependency-name: k8s.io/klog/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-19 20:33:38 +00:00
Ryan Richard
5b9831d319 bump the kube direct deps 2022-04-19 11:13:52 -07:00
Ryan Richard
fb8083d024 bump some direct deps 2022-04-19 11:09:24 -07:00
Ryan Richard
48c5a625a5 Remove our direct dependency on ory/x
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
2022-03-24 10:24:54 -07:00
Monis Khan
8179a7e802
Bump kube to v0.23.4, rest to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-01 09:25:56 -05:00
Monis Khan
4be2dd3b2a
Bump Kube to v0.23.3 and rest to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
Monis Khan
d55ae3f8bb
Bump all deps to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-21 11:25:56 -05:00
Ryan Richard
e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
2022-01-20 14:16:05 -08:00
Ryan Richard
652797ba0b
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29 2022-01-20 12:23:02 -08:00
Ryan Richard
89c40259f3 Use latest github.com/ory/x v0.0.336 2022-01-20 12:21:19 -08:00
dependabot[bot]
cd3d1333de
Bump github.com/ory/x from 0.0.331 to 0.0.334
Bumps [github.com/ory/x](https://github.com/ory/x) from 0.0.331 to 0.0.334.
- [Release notes](https://github.com/ory/x/releases)
- [Commits](https://github.com/ory/x/compare/v0.0.331...v0.0.334)

---
updated-dependencies:
- dependency-name: github.com/ory/x
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-19 22:07:18 +00:00
dependabot[bot]
4ce2f9db50
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.9.26 to 2.9.29.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.9.26...v2.9.29)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-19 01:05:43 +00:00
dependabot[bot]
b2bdf01152
Bump github.com/ory/fosite from 0.41.0 to 0.42.0
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.41.0 to 0.42.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: github.com/ory/fosite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-18 23:53:34 +00:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
dependabot[bot]
a7ff638f4c
Bump github.com/ory/x from 0.0.330 to 0.0.331
Bumps [github.com/ory/x](https://github.com/ory/x) from 0.0.330 to 0.0.331.
- [Release notes](https://github.com/ory/x/releases)
- [Commits](https://github.com/ory/x/compare/v0.0.330...v0.0.331)

---
updated-dependencies:
- dependency-name: github.com/ory/x
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-07 13:45:37 +00:00
Monis Khan
f90f173826
Bump all deps to latest
Ran:

go get -u ./... && go mod tidy

Pinned all go.opentelemetry.io deps to match k/k.
This is needed to make the go get command work.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-03 17:48:59 -05:00
Monis Khan
9599ffcfb9
Update all deps to latest where possible, bump Kube deps to v0.23.1
Highlights from this dep bump:

1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation
   for use in tests.  We must bump this dep as Kube code uses a
   newer version now.  We would have to rewrite hundreds of test log
   assertions without this copy.
2. Use github.com/felixge/httpsnoop to undo the changes made by
   ory/fosite#636 for CLI based login flows.  This is required for
   backwards compatibility with older versions of our CLI.  A
   separate change after this will update the CLI to be more
   flexible (it is purposefully not part of this change to confirm
   that we did not break anything).  For all browser login flows, we
   now redirect using http.StatusSeeOther instead of http.StatusFound.
3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global
   process flags
4. Only bump github.com/ory/x to v0.0.297 instead of the latest
   v0.0.321 because v0.0.298+ pulls in a newer version of
   go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver.
   We should update k8s.io/apiserver to use the newer code.
5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to
   k8s.io/utils/clock and k8s.io/utils/clock/testing
6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new
   kubetesting.NewDeleteActionWithOptions
7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by
   fosite's new rotated_secrets OAuth client field.  This new field
   is currently not relevant to us as we have no private clients.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-16 21:15:27 -05:00
Ryan Richard
6bf67f44ef replace reflections in go.mod 2021-12-16 11:15:24 -08:00
Ryan Richard
29490ee665 ran go mod tidy 2021-12-03 16:40:01 -08:00
Ryan Richard
ddb23bd2ed Add upstream refresh related config to OIDCIdentityProvider CRD
Also update related docs.
2021-10-14 15:49:44 -07:00
Ryan Richard
0a31f45812 Update the AdditionalPrinterColumns of the CRDs, and add a test for it 2021-09-20 12:47:39 -07:00
Ryan Richard
85102b0118 ran go mod tidy 2021-09-15 09:21:46 -07:00
Margo Crawford
e5718351ba
Merge pull request #695 from vmware-tanzu/active-directory-identity-provider
Active directory identity provider
2021-08-27 08:39:12 -07:00
Monis Khan
a86949d0be
Use go 1.17 module lazy loading
See https://golang.org/doc/go1.17#go-command for details.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-27 09:46:58 -04:00
Monis Khan
40d70bf1fc
Bump Kube to v0.22.1
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-27 07:36:12 -04:00
Margo Crawford
c590c8ff41 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
Monis Khan
c356710f1f
Add leader election middleware
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-20 12:18:25 -04:00
Matt Moyer
03a8160a91
Remove replace directive for dgrijalva/jwt-go.
We no longer have a transitive dependency on this older repository, so we don't need the replace directive anymore.

There is a new fork of this that we should move to (https://github.com/golang-jwt/jwt), but we can't easily do that until a couple of our direct dependencies upgrade.

This is a revert of d162cb9adf.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-20 10:15:55 -05:00