Commit Graph

83 Commits

Author SHA1 Message Date
Margo Crawford
019750a292 Update kube versions to latest patch
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:19:24 -07:00
Ryan Richard
488f08dd6e Provide a way to override the new HTTP loopback-only validation
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Ryan Richard
e465056943 Use both kubeadm.k8s.io/v1beta2 and v1beta3 to allow old versions of K8s
You can use an older version of K8s on your development workstation
by temporarily editing kind-up.sh to add the `--image` flag. By defining
both v1beta2 and v1beta3 you should continue to be able to use old
versions of K8s in this way with Kind v0.12.0.
2022-03-15 15:09:39 -07:00
Ryan Richard
16c4c67af1 Use kubeadm.k8s.io/v1beta3 instead of v1beta2 for kind config
It appears that kind completely ignores kubeadm.k8s.io/v1beta2 config
starting in Kind v0.12.0.

You can observe the config being ignored or used by adding `-v 10` to
the command-line arguments of `kind create cluster` in kind-up.sh.
2022-03-15 09:37:27 -07:00
Ryan Richard
0ec5b31c40 Regenerate code after updating controller-gen to v0.8.0
- Note that v0.8.0 no longer supports the "trivialVersions=true"
  command-line option, so remove that from update-codegen.sh.
  It doesn't seem to impact the output (our generated CRD yaml files).
2022-03-08 11:27:05 -08:00
Margo Crawford
60d2b852ae Corresponds with making our CI use the head of the master branch of crd-ref-docs
This fixes #906

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 14:31:58 -08:00
Ryan Richard
bf7457db59 expose env var for debug level of codegen 2022-03-01 10:01:49 -08:00
Ryan Richard
f501c76acc Add generated code for Kube 1.21, 1.22, and 1.23
Also:
- Make our code generator script work with Go 1.17
- Make our update.sh script work on linux
- Update the patch versions of the old Kube versions that we were using
  to generate code (see kube-versions.txt)
- Use our container images from ghcr instead of
  projects.registry.vmware.com for codegen purposes
- Make it easier to debug in the future by passing "-v" to the Kube
  codegen scripts
- Updated copyright years to make commit checks pass
2022-02-28 17:58:48 -08:00
Monis Khan
316e6171d4
Enable aggregator routing on kind clusters
This should make it easier for us to to notice if something is wrong
with our service (especially in any future kubectl tests we add).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-15 15:09:15 -04:00
Matt Moyer
fd9d9b8c73
Stop generating zz_generated.openapi.go files.
It turns out we no longer need these and can skip this bit of code generation.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-21 11:16:59 -05:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
476cc98e5a
Fix missing "v".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:41:44 -05:00
Matt Moyer
e4e4e686f6
Use "0.0.0" as our fake version instead of "?.?.?" to avoid a panic.
These values need to pass the validation in k8s.io/component-base/metrics: https://github.com/kubernetes/component-base/blob/v0.20.5/metrics/version_parser.go#L28-L50

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:03:40 -05:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Monis Khan
7786c83b0d
Bump kube deps to v0.20.4
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 10:26:53 -05:00
Matt Moyer
45f4a0528c
Upgrade Debian base images from 10.7 to 10.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-10 15:57:16 -06:00
Ryan Richard
b5cbe018e3
Allow passing multiple redirect URIs to Dex
We need this in CI when we want to configure Dex with the redirect URI for both
primary and secondary deploys at one time (since we only stand up Dex once).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-20 17:06:50 -05:00
Andrew Keesler
af11d8cd58
Run Tilt images as root for faster reload
Previously, when triggering a Tilt reload via a *.go file change, a reload would
take ~13 seconds and we would see this error message in the Tilt logs for each
component.

  Live Update failed with unexpected error:
    command terminated with exit code 2
  Falling back to a full image build + deploy

Now, Tilt should reload images a lot faster (~3 seconds) since we are running
the images as root.

Note! Reloading the Concierge component still takes ~13 seconds because there
are 2 containers running in the Concierge namespace that use the Concierge
image: the main Concierge app and the kube cert agent pod. Tilt can't live
reload both of these at once, so the reload takes longer and we see this error
message.

  Will not perform Live Update because:
    Error retrieving container info: can only get container info for a single pod; image target image:image/concierge has 2 pods
  Falling back to a full image build + deploy

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-15 11:34:53 -05:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
da1bf06764 Add kubernetes 1.20 to kube-versions.txt 2021-01-07 09:51:45 -08:00
Matt Moyer
6a457466df
Update generated k8s code for 1.19.5.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 15:16:31 -06:00
Andrew Keesler
93cfd8c93a
Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20
kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master".

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:34 -05:00
Matt Moyer
408fbe4f76
Parameterize the supervisor_redirect_uri in the test env Dex.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 12:45:56 -06:00
Matt Moyer
fe0481c304
In integration test env, deploy a ClusterIP service and register that with Dex.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
0d1ad6e1df
Fix some broken resource grouping/ordering in Tiltfile.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 12:21:15 -06:00
Matt Moyer
6ce2f109bf
Refactor certificate generation for integration test Dex.
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 11:36:36 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Matt Moyer
bac3c19bec
Add UpstreamOIDCProvider API type definition.
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:49 -06:00
Matt Moyer
821190004c
Remove extraneous internal packages for CRD APIs.
These only really make sense for aggregated API types where we need `conversion-gen` to do version conversion.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 14:04:53 -06:00
Andrew Keesler
83a156d72b
Enable debug logging in all testing scenarios
It is really helpful to have verbose logs during test debugging.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 09:01:43 -05:00
Ryan Richard
01941d6b2a Run Tilt containers as root because live-reload breaks otherwise 2020-11-10 09:27:44 -08:00
Ryan Richard
036845deee
Merge pull request #184 from vmware-tanzu/bump_golang_and_slim
Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim
2020-11-02 17:08:48 -08:00
Ryan Richard
5a0e7fd358 Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Ryan Richard
2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:32:50 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
8b7c30cfbd Supervisor listens for HTTPS on port 443 with configurable TLS certs
- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
2020-10-26 17:03:26 -07:00
Ryan Richard
397ec61e57 Specify the supervisor NodePort Service's port and nodePort separately
When using kind we forward the node's port to the host, so we only
really care about the `nodePort` value. For acceptance clusters,
we put an Ingress in front of a NodePort Service, so we only really
care about the `port` value.
2020-10-22 15:37:35 -07:00
Ryan Richard
8ae04605ca
Add comments for magic 31234 port
Also delete hack/lib/kind-config/multi-node.yaml since we don't think we will
use it...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-22 17:54:35 -04:00
Ryan Richard
94f20e57b1 Concierge controllers add labels to all created resources 2020-10-15 10:14:23 -07:00
Ryan Richard
84a0084703 Tilefile watches for changes in ytt templates
- When using `local()` in the Tiltfile it will not know
  to watch those files for changes, so each time we use
  `local()` we now also use `watch_file()`
- As a result, editing a ytt template file now causes
  an immediate `kubectl apply` of the results
2020-10-14 16:21:40 -07:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00