Commit Graph

1930 Commits

Author SHA1 Message Date
Matt Moyer
01c0514057
Upgrade github.com/pkg/browser.
This some some kind of improvement on Windows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-21 10:00:19 -05:00
Matt Moyer
0d42c1e9fe
Update to Kubernetes 1.21.1 runtime components.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-21 09:57:41 -05:00
Ryan Richard
1307c49212
Merge pull request #620 from vmware-tanzu/ldap_starttls
Support `StartTLS` for `LDAPIdentityProvider`s
2021-05-20 16:16:37 -07:00
Ryan Richard
b01665386d Use latest container image of our fork of bitnami-docker-openldap 2021-05-20 15:49:34 -07:00
Ryan Richard
901ddd1870 Merge branch 'main' into ldap_starttls 2021-05-20 13:40:56 -07:00
Ryan Richard
8b549f66d4 Add integration test for LDAP StartTLS 2021-05-20 13:39:48 -07:00
Ryan Richard
4780c39640
Merge pull request #618 from vmware-tanzu/initial_ldap_group_support
Initial support for upstream LDAP group membership
2021-05-20 13:10:23 -07:00
Ryan Richard
7e76b66639 LDAP upstream watcher controller tries using both TLS and StartTLS
- Automatically try to fall back to using StartTLS when using TLS
  doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keeping using that one
  in the future (unless the pod restarts).
2021-05-20 12:46:33 -07:00
Ryan Richard
fff90ed2ca
Merge branch 'main' into initial_ldap_group_support 2021-05-20 12:36:04 -07:00
Matt Moyer
562942cdbf
Merge pull request #627 from mattmoyer/use-informers-for-credentialissuer-updates
Create CredentialIssuer at install, not runtime.
2021-05-20 10:13:41 -05:00
Ryan Richard
025b37f839 upstreamldap.New() now supports a StartTLS config option
- This enhances our LDAP client code to make it possible to optionally
  dial an LDAP server without TLS and then use StartTLS to upgrade
  the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
  yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
Matt Moyer
657488fe90
Create CredentialIssuer at install, not runtime.
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.

With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.

This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
Ryan Richard
94d6b76958 Merge branch 'initial_ldap_group_support' into ldap_starttls 2021-05-19 13:12:56 -07:00
Ryan Richard
424c112bbc Merge branch 'main' into initial_ldap_group_support 2021-05-19 13:12:17 -07:00
Ryan Richard
b5063e59ab Merge branch 'initial_ldap_group_support' into ldap_starttls 2021-05-18 16:39:59 -07:00
Ryan Richard
a6f95cfff1 Configure openldap to disallow non-TLS clients
- For testing purposes, we would like to ensure that when we connect
  to the LDAP server we cannot accidentally avoid using TLS or StartTLS.
- Also enabled the openldap `memberOf` overlay in case we want to
  support group search using `memberOf` in the future.
- This required changes to the docker.io/bitnami/openldap container
  image, so we're using our own fork for now. Will submit a PR to
  bitnami/openldap to see if they will accept it (or something similar)
  upstream.
2021-05-18 16:38:12 -07:00
Matt Moyer
efeb25b8eb
Merge pull request #619 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.12
Bump github.com/creack/pty from 1.1.11 to 1.1.12
2021-05-18 09:16:27 -05:00
dependabot[bot]
f595e81dbb
Bump github.com/creack/pty from 1.1.11 to 1.1.12
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.11...v1.1.12)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-18 05:56:45 +00:00
Mo Khan
0f5f72829b
Merge pull request #594 from enj/enj/i/tcr_strict_user_info
cred req: disallow lossy user info translations
2021-05-17 19:28:21 -04:00
Monis Khan
f40fd29c7c
local-user-authenticator: stop setting UID
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:45 -04:00
Monis Khan
35479e2978
cred req: disallow lossy user info translations
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
Ryan Richard
742b70d6a4 Merge branch 'main' into initial_ldap_group_support 2021-05-17 14:24:56 -07:00
Ryan Richard
dab5ff3788 ldap_client_test.go: Forgot to change an assertion related to groups 2021-05-17 14:21:57 -07:00
Ryan Richard
99099fd32f Yet more debugging of tests which only fail in main CI 2021-05-17 14:20:41 -07:00
Ryan Richard
65cab53a11 Merge branch 'main' into initial_ldap_group_support 2021-05-17 14:12:20 -07:00
Ryan Richard
8c660f09bc More debugging of tests which only fail in main CI 2021-05-17 13:53:17 -07:00
Ryan Richard
ac431ddc6d Add more to failure message in test which only fails in main CI 2021-05-17 12:57:34 -07:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
Ryan Richard
20b1c41bf5 Experiment to see if we can ignore read /dev/ptmx: input/output error
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
Ryan Richard
f5bf8978a3 Cache ResourceVersion of the validated bind Secret in memory
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883 Merge branch 'main' into initial_ldap 2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
609883c49e Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint 2021-05-13 13:07:31 -07:00
Ryan Richard
f15fc66e06 pinniped get kubeconfig refactor to use oidc.NewProvider for discovery
- Note that this adds an extra check of the response, which is that
  the issuer string in the response must match issuer of the requested
  URL.
- Some of the error messages also changed to match the errors provided
  by oidc.NewProvider
2021-05-13 12:27:42 -07:00
Margo Crawford
6479015caf Remove timeout so this test doesnt take forever 2021-05-13 10:23:44 -07:00
Ryan Richard
67dca688d7 Add an API version to the Supervisor IDP discovery endpoint
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02 Also check that the authcode storage is around for a while 2021-05-12 14:22:14 -07:00
Ryan Richard
29ca8acab4 oidc_upstream_watcher.go: two methods become private funcs 2021-05-12 14:05:08 -07:00
Ryan Richard
1ae3c6a1ad Split package upstreamwatchers into four packages 2021-05-12 14:00:39 -07:00
Ryan Richard
22092e9aed Missed a usage of int64Ptr in previous commit 2021-05-12 14:00:26 -07:00
Margo Crawford
874f938fc7 unit test for garbage collection time for refresh and access tokens 2021-05-12 13:55:54 -07:00
Ryan Richard
4804c837d4 Insignificant change in ldap_upstream_watcher_test.go 2021-05-12 13:37:01 -07:00
Ryan Richard
f0652c1ce1 Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315 Rename X-Pinniped-Idp-* headers to Pinniped-*
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
9ca72fcd30 login.go: Respect overallTimeout for LDAP login-related http requests
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
Ryan Richard
3008d1a85c Log slow LDAP authentication attempts for debugging purposes 2021-05-12 11:59:48 -07:00
Ryan Richard
6c2a775c9b Use proxy for pinniped get kubeconfig in hack/prepare-supervisor-on-kind.sh
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
Ryan Richard
41d3e3b6ec Fix lint error in e2e_test.go 2021-05-12 11:24:00 -07:00
Ryan Richard
20b86ac0a9
Merge pull request #589 from vmware-tanzu/ldap-get-kubeconfig
WIP: Support for Supervisor upstream LDAP IDPs in `pinniped get kubeconfig`
2021-05-12 10:10:49 -07:00