Benjamin A. Petersen
013030041a
Add helper for happy/sad conditions to federation_domain_watcher_test.go
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:05 -07:00
Ryan Richard
617f57e1c9
Validate transforms const names in federation_domain_watcher.go
2023-09-11 11:14:05 -07:00
Ryan Richard
8e169f9702
Validate IDP objectRef kind names in federation_domain_watcher.go
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
32063db46e
Validate apiGroup names are valid in federation_domain_watcher.go
2023-09-11 11:14:05 -07:00
Ryan Richard
31d67a1af3
Validate display names are unique in federation_domain_watcher.go
2023-09-11 11:14:05 -07:00
Ryan Richard
a9f2f672c7
Handle some unexpected errors in federation_domain_watcher.go
2023-09-11 11:14:05 -07:00
Ryan Richard
76709892bc
Refactor: extract helper functions in federation_domain_watcher.go
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
a38fb16295
Load FederationDomain endpoints before updating its status
...
- Avoid a possible race condition where the status says "Ready" but
the endpoints take another moment to become available, potentially
casing a fast client to get a 404 after observing that the status
is "Ready" and then immediately trying to use the endpoints.
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
e334ad6f7e
Fix lint errors in federation_domain_watcher.go, and adjust unit test
2023-09-11 11:14:05 -07:00
Ryan Richard
97a374c00b
Refactor federation_domain_watcher_test.go and add new test to its table
2023-09-11 11:14:05 -07:00
Benjamin A. Petersen
fe9364c58b
Expand IdentityProvidersFound condition in federation_domain_watcher
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:05 -07:00
Benjamin A. Petersen
e9fb4242d5
Update federation_domain_watcher with new IdentityProviderFound
...
- adds the truthy condition
- TODOs for falsy conditions
- addiional notes for other conditions
- tests updated to pass with the new condition
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:04 -07:00
Ryan Richard
48e44e13c6
Change federation_domain_watcher_test.go to use a test table style
2023-09-11 11:14:04 -07:00
Ryan Richard
5e2f98af65
Update informers unit test for FederationDomainWatcherController
2023-09-11 11:14:04 -07:00
Ryan Richard
0b408f4fc0
Change FederationDomain.Status to use Phase and Conditions
2023-09-11 11:14:02 -07:00
Ryan Richard
86c791b8a6
reorganize federation domain packages to be more intuitive
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:52 -07:00
Benjamin A. Petersen
3160b5bad1
Reorganized FederationDomain packages to avoid circular dependency
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
5c0425fb71
refactor: rename "provider" to "federationdomain" when appropriate
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Ryan Richard
96098841dd
Get tests to compile again and fix lint errors
2023-09-11 11:09:50 -07:00
Ryan Richard
32aa015d5b
Fixup unit tests for the previous commit
2023-09-11 11:09:50 -07:00
Ryan Richard
7af75dfe3c
First draft of implementation of multiple IDPs support
2023-09-11 11:09:49 -07:00
Joshua Casey
64f1bff13f
Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions
2023-09-11 10:13:39 -07:00
Ryan Richard
ce567c481b
Improve pod logs related to Supervisor TLS certificate problems
2023-09-11 09:13:21 -07:00
Joshua Casey
cd91edf26c
[LDAP] move attributeUnchangedSinceLogin from upstreamldap to activedirectoryupstreamwatcher
2023-09-06 14:52:01 -05:00
Joshua Casey
8fd55a1d81
Adjust test expectations for compilation differences with 1.21
...
- Requires some production code changes, to use pointers to function variables instead of pointers to functions
2023-09-06 14:52:01 -05:00
Joshua Casey
1707995378
Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy
2023-08-08 20:17:21 -05:00
Joshua Casey
dc61d132cf
Address PR feedback, especially to check that the CA bundle is some kind of valid cert
2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b
Add integration test to verify that the impersonation proxy will use an external TLS serving cert
2023-08-03 14:57:21 -05:00
Joshua Casey
ee75a63057
Test Refactor: use explicit names for mTLS signing cert
2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e
Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
...
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Joshua Casey
3e57716f0e
The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace
2023-08-03 14:57:21 -05:00
Joshua Casey
63b5f921e1
Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated
2023-07-28 09:16:02 -05:00
Ryan Richard
743cb2d250
kube cert agent pod requests 0 cpu to avoid scheduling failures
2023-07-25 10:09:30 -07:00
Joshua Casey
39912060f7
Remove untested comments
2023-07-19 15:50:12 -05:00
Joshua Casey
c142c52258
Do not name return variables
2023-07-19 15:49:22 -05:00
Joshua Casey
183c771d4e
Mark untested code paths
2023-07-19 15:47:48 -05:00
Joshua Casey
3d7eb55fc2
Pass caBundle instead of an object
2023-07-19 15:47:48 -05:00
Ryan Richard
600d002a35
Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
...
- Load the setting in the controller.
- The LDAP auth code is shared between AD and LDAP,
so no new changes there in this commit.
2023-05-31 11:17:40 -07:00
Ryan Richard
c187474499
Use groupSearch.userAttributeForFilter during LDAP group searches
...
Load the setting in the controller.
Use the setting during authentication and during refreshes.
2023-05-25 14:25:17 -07:00
Ryan Richard
a1a99b9eeb
Replace usages of deprecated funcs from the wait pkg
2023-05-10 11:41:11 -07:00
Joshua Casey
fc0f9d959a
Bump golangci-lint to 1.51.2 and fix lint issues
2023-03-16 14:55:37 -05:00
Joshua Casey
1c8ab72f4f
Update test asserts for Golang 1.19 and 1.20 TLS error messages
2023-03-07 12:25:10 -06:00
Ryan Richard
c6e4133c5e
Accept both old and new cert error strings on MacOS in test assertions
...
Used this as an opportunity to refactor how some tests were
making assertions about error strings.
New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.
All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
7ff3b3d9cb
Code changes to support Kube 0.26 deps
2023-01-18 14:39:22 -08:00
Ryan Richard
2f9b8b105d
update copyright to 2023 in files changed by this PR
2023-01-17 15:54:16 -08:00
Ryan Richard
8ff6ef32e9
Allow additional claims to map into an ID token issued by the supervisor
...
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
976035115e
Stop using pointer pkg functions that were deprecated by dependency bump
2022-12-14 08:47:16 -08:00
Ryan Richard
e1a0367b03
Upgrade project Go dependencies
...
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688
Due to the changes in fosite PR #688 , we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
Ryan Richard
110681cdb8
Fix the name of the API Service updater controller in the log messages
2022-09-26 12:37:34 -07:00
Ryan Richard
1c296e5c4c
Implement the OIDCClientSecretRequest API
...
This commit is a WIP commit because it doesn't include many tests
for the new feature.
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:07 -07:00