Commit Graph

756 Commits

Author SHA1 Message Date
Mo Khan
3077034b2d
Merge branch 'main' into oidc_password_grant 2021-08-24 12:23:52 -04:00
Monis Khan
132ec0d2ad
leader election test: fix flake related to invalid assumption
Even though a client may hold the leader election lock in the Kube
lease API, that does not mean it has had a chance to update its
internal state to reflect that.  Thus we retry the checks in
checkOnlyLeaderCanWrite a few times to allow the client to catch up.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-20 17:04:26 -04:00
Monis Khan
c356710f1f
Add leader election middleware
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-20 12:18:25 -04:00
Margo Crawford
5e9087263d Increase timeout for activedirectoryidentityprovider to be loaded 2021-08-18 16:24:05 -07:00
Margo Crawford
a20aee5f18 Update test assertions to reflect userPrincipalName as username 2021-08-18 13:18:53 -07:00
Margo Crawford
1c5da35527 Merge remote-tracking branch 'origin' into active-directory-identity-provider 2021-08-18 12:44:12 -07:00
Margo Crawford
26c47d564f Make new combined sAMAccountName@domain attribute the group name
Also change default username attribute to userPrincipalName
2021-08-17 16:53:26 -07:00
Ryan Richard
62c6d53a21 Merge branch 'main' into oidc_password_grant 2021-08-17 15:23:29 -07:00
Monis Khan
cf25c308cd
test/integration: ignore restarts associated with test pods
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-17 12:57:41 -04:00
Ryan Richard
3fb683f64e Update expected error message in e2e integration test 2021-08-16 15:40:34 -07:00
Ryan Richard
52409f86e8 Merge branch 'main' into oidc_password_grant 2021-08-16 15:17:55 -07:00
Monis Khan
7a812ac5ed
impersonatorconfig: only unload dynamiccert when proxy is disabled
In the upstream dynamiccertificates package, we rely on two pieces
of code:

1. DynamicServingCertificateController.newTLSContent which calls
   - clientCA.CurrentCABundleContent
   - servingCert.CurrentCertKeyContent
2. unionCAContent.VerifyOptions which calls
   - unionCAContent.CurrentCABundleContent

This results in calls to our tlsServingCertDynamicCertProvider and
impersonationSigningCertProvider.  If we Unset these providers, we
subtly break these consumers.  At best this results in test slowness
and flakes while we wait for reconcile loops to converge.  At worst,
it results in actual errors during runtime.  For example, we
previously would Unset the impersonationSigningCertProvider on any
sync loop error (even a transient one caused by a network blip or
a conflict between writes from different replicas of the concierge).
This would cause us to transiently fail to issue new certificates
from the token credential require API.  It would also cause us to
transiently fail to authenticate previously issued client certs
(which results in occasional Unauthorized errors in CI).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-16 16:07:46 -04:00
Ryan Richard
5b96d014b4 Merge branch 'main' into oidc_password_grant 2021-08-12 11:12:57 -07:00
Ryan Richard
84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
2021-08-12 10:45:39 -07:00
Monis Khan
34fd0ea2e2
impersonation proxy: assert nested UID impersonation is disallowed
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-10 00:03:33 -04:00
Monis Khan
724acdca1d
Update tests for new CSR duration code
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:50 -04:00
Matt Moyer
58bbffded4
Switch to a slimmer distroless base image.
At a high level, it switches us to a distroless base container image, but that also includes several related bits:

- Add a writable /tmp but make the rest of our filesystems read-only at runtime.

- Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in
  the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and
  the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`.

- Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the
  normal stuff you'd expect to work, such as stack traces, still does.

- Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of
  using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary
  because the loading/init time of the main server binary was too large for the tiny resource footprint we
  established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra
  binary adds only around 1.5MiB of image size.

- Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format.
  This is more robust to unexpected input formatting than the old code, which simply concatenated the files
  with some extra newlines and split on whitespace.

- Update integration tests that made now-invalid assumptions about the `pinniped-server` image.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-09 15:05:13 -04:00
Monis Khan
ac7d65c4a8
concierge_impersonation_proxy_test: run slowly for EKS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-01 18:19:53 -04:00
Matt Moyer
1e32530d7b
Fix broken TTY after manual auth code prompt.
This may be a temporary fix. It switches the manual auth code prompt to use `promptForValue()` instead of `promptForSecret()`. The `promptForSecret()` function no longer supports cancellation (the v0.9.2 behavior) and the method of cancelling in `promptForValue()` is now based on running the blocking read in a background goroutine, which is allowed to block forever or leak (which is not important for our CLI use case).

This means that the authorization code is now visible in the user's terminal, but this is really not a big deal because of PKCE and the limited lifetime of an auth code.

The main goroutine now correctly waits for the "manual prompt" goroutine to clean up, which now includes printing the extra newline that would normally have been entered by the user in the manual flow.

The text of the manual login prompt is updated to be more concise and less scary (don't use the word "fail").

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-30 12:45:44 -05:00
Monis Khan
22be97eeda
concierge_impersonation_proxy_test: check all forms of DNS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-29 13:35:37 -04:00
Ryan Richard
d73093a694 Avoid failures due to impersonation Service having unrelated annotations 2021-07-28 14:19:14 -07:00
Matt Moyer
b42b1c1110
Relax the timeout for TestLegacyPodCleaner a bit.
This test is asynchronously waiting for the controller to do something, and in some of our test environments it will take a bit longer than we'd previously allowed.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 13:08:57 -05:00
Matt Moyer
48c8fabb5c
Fix backwards condition in E2E test assertion.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 12:40:07 -05:00
Margo Crawford
474266f918 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-07-27 15:06:58 -07:00
Ryan Richard
71cae75758
Merge branch 'main' into merge_impersonator_service_annotations 2021-07-27 11:57:16 -07:00
Ryan Richard
58ab57201f Suppress lint errors 2021-07-26 17:20:49 -07:00
Margo Crawford
53b58f65b2 Add integration test for wrong password with ldap 2021-07-26 16:32:46 -07:00
Margo Crawford
cc3875f048 PR feedback 2021-07-26 16:03:12 -07:00
Ryan Richard
9e27c28b39 Fix TestImpersonationProxy integration test changes from previous commit
Forgot to account for our new booking annotation on the impersonator's
Service.
2021-07-23 14:23:24 -07:00
Margo Crawford
1050f39789 Integration test deactivated ad account 2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9 Refactoring defaulting logic 2021-07-23 13:01:41 -07:00
Margo Crawford
cb0ee07b51 Fetch AD search base from defaultNamingContext when not specified 2021-07-23 13:01:41 -07:00
Margo Crawford
5d8d7246c2 Refactor active directory and ldap controllers to share almost everything
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-23 13:01:41 -07:00
Ryan Richard
3b4f521596 Changed TestLDAPUpstream.TestUsernameAttributeName back to TestUserMailAttributeName
Also added TestUserSAMAccountNameValue

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-23 13:01:40 -07:00
Ryan Richard
aaa4861373 Custom API Group overlay for AD
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-23 13:01:40 -07:00
Margo Crawford
b3d0b28bd0 Integration test fixes, fixing objectGUID handling 2021-07-23 13:01:40 -07:00
Margo Crawford
5c283d941c Helper script for running active directory tests 2021-07-23 13:01:40 -07:00
Margo Crawford
be6f9f83ce RBAC rules for activedirectoryidentityprovider 2021-07-23 13:01:40 -07:00
Margo Crawford
3b8edb84a5 WIP on active directory integration test 2021-07-23 13:01:40 -07:00
Margo Crawford
8fb35c6569 Active Directory cli options 2021-07-23 13:01:40 -07:00
Ryan Richard
ac4bc02817 Enhance integration test for CredentialIssuer spec annotations 2021-07-23 09:46:40 -07:00
Ryan Richard
deb699a84a e2e test: PINNIPED_USERNAME/PINNIPED_PASSWORD env vars during LDAP login 2021-07-19 17:08:52 -07:00
Ryan Richard
b3208f0ca6 wait for lb dns to resolve in the impersonation proxy integration test
this will hopefully fix some flakes where aws provisioned a host for the
load balancer but the tests weren't able to resolve it.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-15 16:39:15 -07:00
Ryan Richard
48b58e2fad Clear the browser cookies between each TestE2EFullIntegration test
It seems like page.ClearCookies() only clears cookies for the current
domain, so there doesn't seem to be a function to clear all browser
cookies. Instead, we'll just start a whole new browser each test.
They start fast enough that it shouldn't be a problem.
2021-07-13 16:20:02 -07:00
Ryan Richard
33461ddc14
Merge branch 'main' into deflake-serving-certificate-rotation-test 2021-07-13 14:04:34 -07:00
Matt Moyer
5527566a36
Fix TestCLILoginOIDC when running directly against Okta.
Our actual CLI code behaved correctly, but this test made some invalid assumptions about the "upstream" IDP we're testing. It assumed that the upstream didn't support `response_mode=form_post`, but Okta does. This means that when we end up on the localhost callback page, there are no URL query parameters.

Adjusting this regex makes the test pass as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 16:29:42 -05:00
Matt Moyer
43f66032a9
Extend TestE2EFullIntegration to test manual OIDC flow.
Using the same fake TTY trick we used to test LDAP login, this new subtest runs through the "manual"/"jump box" login flow. It runs the login with a `--skip-listen` flag set, causing the CLI to skip opening the localhost listener. We can then wait for the login URL to be printed, visit it with the browser and log in, and finally simulate "manually" copying the auth code from the browser and entering it into the waiting CLI prompt.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:45 -05:00
Matt Moyer
d0b37a7c90
Adjust TestFormPostHTML to work on Linux chromedriver.
For some reason our headless Chrome test setup behaves slightly differently on Linux and macOS hosts. On Linux, the emoji characters are not recognized as valid text, so they are URL encoded. This change updates the test to cope with both cases correctly.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:44 -05:00
Matt Moyer
5029495fdb
Add manual paste flow to pinniped login oidc command.
This adds a new login flow that allows manually pasting the authorization code instead of receiving a browser-based callback.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:44 -05:00
Matt Moyer
9fba8d2203
Adjust TestE2EFullIntegration for new form_post flow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:44 -05:00
Matt Moyer
71d4e05fb6
Add custom response_mode=form_post HTML template.
This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16).

The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules.

This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:43 -05:00
Matt Moyer
2823d4d1e3
Add "response_modes_supported" to Supervisor discovery response.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:43 -05:00
Matt Moyer
3a840cee76
Make TestAPIServingCertificateAutoCreationAndRotation less flaky.
This test would occasionally flake for me when running locally. This change moves more of the assertions into the "eventually" loop, so they can temporarily fail as long as they converge on the expected values.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 11:29:02 -05:00
Matt Moyer
04e9897d51
Make TestImpersonationProxy less flaky.
This test did not tolerate this connection failing, which can happen for any number of flaky networking-related reasons. This change moves the connection setup into an "eventually" retry loop so it's allowed to fail temporarily as long as it eventually connects.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 11:28:33 -05:00
Ryan Richard
74f3ce5dcd
Merge branch 'main' into ldap-client-int-tests-only-on-kind 2021-07-08 12:54:56 -07:00
Ryan Richard
2f7dbed321 Try increasing the "eventually" timeouts in one integration test
There were 10 second timeouts in
`TestAPIServingCertificateAutoCreationAndRotation` which fail often
on CI. Maybe increasing the timeouts will help?
2021-07-08 11:17:22 -07:00
Ryan Richard
709c10227f Run the LDAP client's integration tests only on Kind
TestSimultaneousLDAPRequestsOnSingleProvider proved to be unreliable
on AKS due to some kind of kubectl port-forward issue, so only
run the LDAP client's integration tests on Kind. They are testing
the integration between the client code and the OpenLDAP test server,
not testing anything about Kubernetes, so running only on Kind should
give us sufficient test coverage.
2021-07-08 11:10:53 -07:00
Monis Khan
d78b845575
Fix bad test package name
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 11:23:19 -04:00
Matt Moyer
3efa7bdcc2
Improve our integration test "Eventually" assertions.
This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes.

This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-17 16:56:03 -05:00
Monis Khan
524ff21b7f
TestServiceAccountPermissions: handle extra permissions on EKS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-15 11:17:59 -04:00
Monis Khan
269db6b7c2
impersonator: always authorize every request
This change updates the impersonator to always authorize every
request instead of relying on the Kuberentes API server to perform
the check on the impersonated request.  This protects us from
scenarios where we fail to correctly impersonate the user due to
some bug in our proxy logic.  We still rely completely on the API
server to perform admission checks on the impersonated requests.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-14 12:53:09 -04:00
Monis Khan
898f2bf942
impersonator: run as a distinct SA with minimal permissions
This change updates the impersonation proxy code to run as a
distinct service account that only has permission to impersonate
identities.  Thus any future vulnerability that causes the
impersonation headers to be dropped will fail closed instead of
escalating to the concierge's default service account which has
significantly more permissions.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-11 12:13:53 -04:00
Benjamin A. Petersen
492f6cfddf
impersonator: honor anonymous authentication being disabled
When anonymous authentication is disabled, the impersonation proxy
will no longer authenticate anonymous requests other than calls to
the token credential request API (this API is used to retrieve
credentials and thus must be accessed anonymously).

Signed-off-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-04 09:00:56 -04:00
Matt Moyer
500b444bad
Merge pull request #657 from vmware-tanzu/fix-ldap-supervisor-login-test-flake
Avoid a rare flake in TestSupervisorLogin.
2021-06-03 13:31:15 -05:00
Matt Moyer
5686591420
Avoid a rare flake in TestSupervisorLogin.
There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:13:56 -05:00
Matt Moyer
6903196c18
Fix a data race in TestImpersonationProxy.
The `require.Eventually()` function runs the body of the check in a separate goroutine, so it's not safe to use other `require` assertions as we did here. Our `library.RequireEventuallyWithoutError()` function does not spawn a goroutine, so it's safer to use here.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00
Matt Moyer
0e66b0b165
Remove an invalid test assertion in TestCredentialIssuer.
The LastUpdateTime is no longer updated on every resync. It only changes if the underlying status has changed, so that it effectively shows when the transition happened.

This change happened in ab750f48aa, but we missed this test. It only fails when it has been more than ten minutes since the CredentialIssuer transitioned into a healthy state, but that can happen in our long-running CI environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 12:05:02 -05:00
Matt Moyer
2ee3cec5ed
Refactor TestImpersonationProxy "apply annotation" test for clarity.
This test felt overly complex and some of the cleanup logic wasn't 100% correct (it didn't clean up in all cases).

The new code is essentially the same flow but hopefully easier to read.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
75d92079e4
Allow some flexibility in "kubectl logs --tail=10" test.
We see that occasionally kubectl returns 11 lines (probably related to https://github.com/kubernetes/kubernetes/issues/72628).

This test doesn't need to be so picky, so now it allows +/- one line from the expected count.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
f62c6e806d
In TestImpersonationProxy tests, avoid mutating anything in parallel block of tests.
We had this one test that mutated the CredentialIssuer, which could cause the impersonation proxy to blip on one or both of the running concierge pods. This would sometimes break other concurrently running tests.

Instead, this bit of code is split into a separate non-concurrent test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 14:02:27 -05:00
Ryan Richard
79e3980f1f Fix nil function deference in an integration test from previous commit 2021-05-28 17:06:01 -07:00
Ryan Richard
5263e0bae5
Merge branch 'main' into do-not-log-usernames-that-might-be-passwords 2021-05-28 16:16:01 -07:00
Ryan Richard
b8205006ca Enable skipping of LDAP int tests when a firewall will block them 2021-05-28 16:13:20 -07:00
Matt Moyer
7ee1f8c441
In LDAP, do not log username until we know the user exists.
This prevents accidentally logging a password if the user enters it into the username field by mistake.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 16:57:48 -05:00
Ryan Richard
cedbe82bbb Default groupSearch.attributes.groupName to "dn" instead of "cn"
- DNs are more unique than CNs, so it feels like a safer default
2021-05-28 13:27:11 -07:00
Matt Moyer
e25de9e559
Update ID token tests for latest Fosite.
The new version has different behavior for the `nonce` claim, which is now omitted if it would be empty (see https://github.com/ory/fosite/pull/570).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Ryan Richard
4722422aae Fix OIDC assertion bug in TestSupervisorLogin introduced by LDAP branch 2021-05-28 10:37:46 -07:00
Matt Moyer
a69fe68362
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 17:11:40 -05:00
Ryan Richard
d2251d2ea7 Use base64 binary-encoded value as UID for LDAP
This is to allow the use of binary LDAP entry attributes as the UID.
For example, a user might like to configure AD’s objectGUID or maybe
objectSid attributes as the UID attribute.

This negatively impacts the readability of the UID when it did not come
from a binary value, but we're considering this an okay trade-off to
keep things simple for now. In the future, we may offer more
customizable encoding options for binary attributes.

These UIDs are currently only used in the downstream OIDC `sub` claim.
They do not effect the user's identity on the Kubernetes cluster,
which is only based on their mapped username and group memberships from
the upstream identity provider. We are not currently supporting any
special encoding for those username and group name LDAP attributes, so
their values in the LDAP entry must be ASCII or UTF-8 in order for them
to be interpreted correctly.
2021-05-27 13:47:10 -07:00
Matt Moyer
af2af567be
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 15:13:36 -05:00
Matt Moyer
67d5c91713
Wait for successful TCR in TestImpersonationProxy.
This test setup should tolerate when the TokenCredentialRequest API isn't quite ready to authenticate the user or issue a cert.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 13:03:07 -05:00
Matt Moyer
349d3dad83
Make temporary errors return Pending in impersonatorconfig.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 11:13:10 -05:00
Matt Moyer
049abfb94c
Remove a "fail fast" check from TestImpersonationProxy.
This check is no longer valid, because there can be ephemeral, recoverable errors that show as ErrorDuringSetup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 09:22:47 -05:00
Ryan Richard
033e1f0399 Add user search base to downstream subject for upstream LDAP
- Also add some tests about UTF-8 characters in LDAP attributes
2021-05-26 17:04:20 -07:00
Margo Crawford
d2d0dae4ed Wait for credentialissuer to be updated and always use proxy on clusterip test 2021-05-26 15:58:46 -07:00
Matt Moyer
c970dd1fb0
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-25 17:32:58 -05:00
Matt Moyer
89eff28549
Convert LDAP code to use endpointaddr package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 16:17:27 -05:00
Margo Crawford
75dd98a965 Integration test for impersonation proxy cluster ip 2021-05-25 13:50:50 -07:00
Matt Moyer
fabc08b01b
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-24 15:49:13 -05:00
Margo Crawford
722aa72206 Integration test tests update functionality 2021-05-21 10:19:33 -07:00
Ryan Richard
901ddd1870 Merge branch 'main' into ldap_starttls 2021-05-20 13:40:56 -07:00
Ryan Richard
8b549f66d4 Add integration test for LDAP StartTLS 2021-05-20 13:39:48 -07:00
Ryan Richard
fff90ed2ca
Merge branch 'main' into initial_ldap_group_support 2021-05-20 12:36:04 -07:00
Matt Moyer
e4dd83887a
Merge remote-tracking branch 'origin/main' into credentialissuer-spec-api 2021-05-20 10:53:53 -05:00
Ryan Richard
025b37f839 upstreamldap.New() now supports a StartTLS config option
- This enhances our LDAP client code to make it possible to optionally
  dial an LDAP server without TLS and then use StartTLS to upgrade
  the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
  yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
Matt Moyer
657488fe90
Create CredentialIssuer at install, not runtime.
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.

With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.

This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
Margo Crawford
3bb95f1de2 Give kubeclient_test some default values for credentialissuer spec 2021-05-19 11:56:54 -07:00
Matt Moyer
297a484948
Add more validation and update tests for impersonationProxy as pointer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 12:42:31 -05:00
Margo Crawford
94c370ac85 Annotations for impersonation load balancer 2021-05-18 16:54:59 -07:00
Matt Moyer
9af3cb1115 Change impersonation integration test to use CredentialIssuer spec
rather than a configmap

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-18 09:51:11 -07:00
Ryan Richard
742b70d6a4 Merge branch 'main' into initial_ldap_group_support 2021-05-17 14:24:56 -07:00
Ryan Richard
dab5ff3788 ldap_client_test.go: Forgot to change an assertion related to groups 2021-05-17 14:21:57 -07:00
Ryan Richard
99099fd32f Yet more debugging of tests which only fail in main CI 2021-05-17 14:20:41 -07:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
20b1c41bf5 Experiment to see if we can ignore read /dev/ptmx: input/output error
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
Ryan Richard
514ee5b883 Merge branch 'main' into initial_ldap 2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
609883c49e Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint 2021-05-13 13:07:31 -07:00
Margo Crawford
6479015caf Remove timeout so this test doesnt take forever 2021-05-13 10:23:44 -07:00
Ryan Richard
f0652c1ce1 Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315 Rename X-Pinniped-Idp-* headers to Pinniped-*
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
41d3e3b6ec Fix lint error in e2e_test.go 2021-05-12 11:24:00 -07:00
Margo Crawford
df0e715bb7 Add integration test that waits for access token expiry 2021-05-12 09:05:13 -07:00
Ryan Richard
6723ed9fd8 Add end-to-end integration test for CLI-based LDAP login 2021-05-11 13:55:46 -07:00
Ryan Richard
f98aa96ed3 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Ryan Richard
c0fcd27594
Fix typo in test/integration/e2e_test.go
Co-authored-by: Mo Khan <i@monis.app>
2021-05-10 12:51:56 -07:00
Monis Khan
716659b74a
impersonation proxy test: handle admin users with mixed case extra keys
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-10 13:22:51 -04:00
Mo Khan
0770682bf9
impersonation proxy test: handle admin users with UID such as on EKS
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 09:21:45 -04:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Matt Moyer
47f5e822d0
Fix TestImpersonationProxy on EKS.
The admin kubeconfigs we have on EKS clusters are a bit different from others, because there is no certificate/key (EKS does not use certificate auth).

This code didn't quite work correctly in that case. The fix is to allow the case where `tlsConfig.GetClientCertificate` is non-nil, but returns a value with no certificates.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-07 16:22:08 -05:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Margo Crawford
1a2940c278
Merge pull request #560 from vmware-tanzu/client-debug-logging
Client debug logging
2021-05-04 13:46:47 -07:00
Monis Khan
4ce77c4837
supervisor gc: use singleton queue
The supervisor treats all events the same hence it must use a
singleton queue.

Updated the integration test to remove the data race caused by
calling methods on testing.T outside of the main test go routine.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-04 14:44:55 -04:00
Margo Crawford
778c194cc4 Autodetection with multiple idps in discovery document
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 17:14:28 -07:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID.  This
allows us to support service account tokens (as well as any other
form of token based authentication).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Ryan Richard
10c4cb4493 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-04-28 14:28:32 -07:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Ryan Richard
4bd83add35 Add Supervisor upstream IDP discovery on the server-side 2021-04-28 13:14:21 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a Merge branch 'main' into initial_ldap 2021-04-27 10:12:43 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.

This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Margo Crawford
5f3eab2538 Fix expected number of log lines in TestCLILoginOIDC 2021-04-21 13:05:32 -07:00
Margo Crawford
45e4695444 Unset pinniped debug environment variable at end of integration test
Also log when setting the debug log level fails
2021-04-21 09:02:45 -07:00
Margo Crawford
6a21499ed3 Add check for number of log lines. 2021-04-21 09:02:45 -07:00
Margo Crawford
211d4fd0b6 Add more logging, integration test checks that debug flag works. 2021-04-21 09:02:45 -07:00
Monis Khan
73716f1b91
Ignore client-side throttling in kubectl stderr
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:47 -04:00
Monis Khan
521adffb17
impersonation proxy: add nested impersonation support
This change updates the impersonator logic to use the delegated
authorizer for all non-rest verbs such as impersonate.  This allows
it to correctly perform authorization checks for incoming requests
that set impersonation headers while not performing unnecessary
checks that are already handled by KAS.

The audit layer is enabled to track the original user who made the
request.  This information is then included in a reserved extra
field original-user-info.impersonation-proxy.concierge.pinniped.dev
as a JSON blob.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:46 -04:00
Ryan Richard
e9d5743845 Add authentication dry run validation to LDAPIdentityProvider
Also force the LDAP server pod to restart whenever the LDIF file
changes, so whenever you redeploy the tools deployment with a new test
user password the server will be updated.
2021-04-16 14:04:05 -07:00
Ryan Richard
e6e6497022 Introduce upstreamldap.New to prevent changes to the underlying config
Makes it easier to support using the same upstreamldap.Provider from
multiple goroutines safely.
2021-04-15 10:25:35 -07:00
Ryan Richard
5c28d36c9b Redact some params of URLs in logs to avoid printing sensitive info 2021-04-15 07:59:38 -07:00
Ryan Richard
939b6b12cc ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-14 17:49:40 -07:00
Ryan Richard
8d75825635 Merge branch 'main' into initial_ldap 2021-04-14 17:47:26 -07:00
Ryan Richard
a6e1a949d2 ldap_client_test.go: mark as integration test so units skip it 2021-04-14 08:12:15 -07:00
Ryan Richard
47b66ceaa7 Passing integration test for LDAP login! 🚀 2021-04-13 18:11:16 -07:00
Ryan Richard
51263a0f07 Return unauthenticated instead of error for bad username or password
- Bad usernames and passwords aren't really errors, since they are
  based on end-user input.
- Other kinds of authentication failures are caused by bad configuration
  so still treat those as errors.
- Empty usernames and passwords are already prevented by our endpoint
  handler, but just to be safe make sure they cause errors inside the
  authenticator too.
2021-04-13 16:22:13 -07:00
Ryan Richard
fec3d92f26 Add integration test for upstreamldap.Provider
- The unit tests for upstreamldap.Provider need to mock the LDAP server,
  so add an integration test which allows us to get fast feedback for
  this code against a real LDAP server.
- Automatically wrap the user search filter in parenthesis if it is not
  already wrapped in parens.
- More special handling for using "dn" as the username or UID attribute
  name.
- Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 15:23:14 -07:00
Matt Moyer
b59a4f3fec
Use a temporary directory for credential cache in CLI tests.
This avoids polluting the main cache directory on developer machines.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 18:14:21 -05:00
Ryan Richard
1f5978aa1a Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 16:12:13 -07:00
Ryan Richard
1c55c857f4 Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin
- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 12:56:09 -07:00
Ryan Richard
2b6859b161
Add stub LDAP API type and integration test
The goal here was to start on an integration test to get us closer to the red
test that we want so we can start working on LDAP.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 13:10:01 -04:00
Ryan Richard
9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
d4baeff94e
Merge pull request #534 from mattmoyer/deflake-categories-test-rate-limiting
Deflake TestGetPinnipedCategory.
2021-03-30 13:46:55 -07:00
Matt Moyer
4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS).
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.

The fix is to retry this step for up to 5 minutes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:48:53 -05:00
Matt Moyer
f02b39b80f
Deflake TestGetPinnipedCategory.
This test could fail when the cluster was under heavy load. This could cause kubectl to emit "Throttling request took [...]" logs that triggered a failure in the test.

The fix is to ignore these innocuous warnings.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:38:33 -05:00
Margo Crawford
d8baa43903 Add new non-idle timeout integration test for impersonation proxy
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-29 09:30:51 -07:00
Matt Moyer
391202c253
Merge pull request #517 from mattmoyer/deflake-supervisor-oidc-discovery-test
Tweak some assertions in TestSupervisorOIDCDiscovery.
2021-03-29 07:35:58 -07:00
Ryan Richard
95bb4c4be5 Fix concierge_impersonation_proxy_test.go on AKS
Also send the correct instance of `t` into a helper function which
makes assertions.
2021-03-26 19:32:46 -07:00
Matt Moyer
defad3cdd7
Remove library.DumpLogs test helper.
We had this code that printed out pod logs when certain tests failed, but it is a bit cumbersome. We're removing it because we added a CI task that exports all pod logs after every CI run, which accomplishes the same thing and provides us a bunch more data.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:43:02 -05:00
Matt Moyer
c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:28:33 -05:00
Ryan Richard
3359311228 concierge_impersonation_proxy_test.go: fix typo in previous commit 2021-03-26 09:49:49 -07:00
Ryan Richard
7e16619146 concierge_impersonation_proxy_test.go: handle TKGS test clusters
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
2021-03-26 09:28:42 -07:00
Margo Crawford
b6e217e13a Hardcode type "webhook" in concierge_impersonation_proxy_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 17:19:47 -07:00
Margo Crawford
6f2882b831 Explicitly set the correct authenticator for impersonator test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 16:57:37 -07:00
Matt Moyer
c0d32f10b2
Add some test debug logging when running the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 12:07:34 -05:00
Matt Moyer
9501168265
Simplify TestCLIGetKubeconfigStaticToken now that there's only a single table case.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 10:26:04 -05:00
Margo Crawford
d90398815b Nothing in parallel in the impersonation proxy integration test 2021-03-22 10:48:09 -07:00
Margo Crawford
7683a98792 Unparallelize run all the verbs and port-forward tests 2021-03-22 09:45:51 -07:00
Margo Crawford
d7e9568137 Unparallelize a couple 2021-03-22 09:43:40 -07:00
Matt Moyer
5e95c25d4f
Tweak some assertions in TestSupervisorOIDCDiscovery.
We've seen some test flakes caused by this test. Some small changes:

- Use a 30s timeout for each iteration of the test loop (so each iteration needs to check or fail more quickly).
- Log a bit more during the checks so we can diagnose what's going on.
- Increase the overall timeout from one minute to five minutes

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-22 11:33:02 -05:00
Ryan Richard
3e50b4e129 Add -sS to the curl command in concierge_impersonation_proxy_test.go 2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56 Edit some comments in concierge_impersonation_proxy_test.go 2021-03-19 13:19:17 -07:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
Maybe this will cut down on flakes we see in CI?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
bd8c243636 concierge_impersonation_proxy_test.go: small refactor 2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Andrew Keesler
257d69045d
Reuse internal/concierge/scheme
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:40:59 -04:00
Andrew Keesler
05a188d4cd
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:36:28 -04:00
Andrew Keesler
cc8f0b623c
test/integration: add pinniped whoami tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:35 -04:00
Matt Moyer
5a43a5d53a
Remove library.AssertNoRestartsDuringTest and make that assertion implicit in library.IntegrationEnv.
This means we (hopefully) can't forget to include these assertions in any integration test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:18:10 -05:00
Margo Crawford
897340860b Small refactor to impersonation proxy integration test 2021-03-16 16:57:46 -07:00
Matt Moyer
4d2035ab2a
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-16 18:19:40 -05:00
Matt Moyer
30a392b900
Improve the reliability of TestGetPinnipedCategory.
This test could flake in some rare scenarios. This change adds a bunch of retries, improves the debugging output if the tests fail, and puts all of the subtests in parallel which saves ~10s on my local machine.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 17:39:02 -05:00
Matt Moyer
2515b2d710
Make TestAPIServingCertificateAutoCreationAndRotation more reliable.
This test has occasionally flaked because it only waited for the APIService GET to finish, but did not wait for the controller to successfully update the target object.

The new code should be more patient and allow the controller up to 10s to perform the expected action.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 15:14:24 -05:00
Matt Moyer
10a1e29e15
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:35:07 -05:00
Matt Moyer
2319606cd2
Fix some nits from the previous commit that I accidentally merged before fixing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:24:13 -05:00
Matt Moyer
c5b784465b
Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled).

This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 13:54:29 -05:00
Margo Crawford
64e0dbb481 Sleep for 1 minute 10 seconds instead of a minute in timeout test 2021-03-15 16:33:47 -07:00
Margo Crawford
939ea30030 Make all tests but disable test parallelized
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17 Test waiting for a minute and keeping connection open
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Monis Khan
4f671f5dca
dynamiccert: unit test with DynamicServingCertificateController
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 17:23:37 -04:00
Ryan Richard
8065a8d2e6 TestKubeCertAgent waits for CredentialIssuer strategy to be successful
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a Fix a race detector warning by re-declaring err in a t.Cleanup() 2021-03-15 11:43:12 -07:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Margo Crawford
d509e7012e Add eventually loop to port-forward test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
I think this is nondeterministic...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
f77c92560f Rewrite impersonator_test.go, add missing argument to IssuePEM()
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.

The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d Fix lint errors from a previous commit 2021-03-11 16:21:40 -08:00
Andrew Keesler
71712b2d00 Add test for http2
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
Matt Moyer
a64786a728
Fix TestCLIGetKubeconfigStaticToken for new CLI log output.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 15:48:04 -06:00
Matt Moyer
78fdc59d2d
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-11 14:56:11 -06:00
Ryan Richard
29d7f406f7 Test double impersonation as the cluster admin 2021-03-11 12:53:27 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Matt Moyer
e98c6dfdd8
Add retries to TestSupervisorTLSTerminationWithSNI and TestSupervisorOIDCDiscovery.
These tests occasionally flake because of a conflict error such as:

```
    supervisor_discovery_test.go:105:
        	Error Trace:	supervisor_discovery_test.go:587
        	            				supervisor_discovery_test.go:105
        	Error:      	Received unexpected error:
        	            	Operation cannot be fulfilled on federationdomains.config.supervisor.pinniped.dev "test-oidc-provider-lvjfw": the object has been modified; please apply your changes to the latest version and try again
        	Test:       	TestSupervisorOIDCDiscovery
```

These retries should improve the reliability of the tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 13:18:15 -06:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
This was failing on our laptops because 443 is a privileged port.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97 concierge_impersonation_proxy_test.go: Fix lint error in previous commit 2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee Test using a service account token to auth to the impersonator
Also make each t.Run use its own namespace to slight reduce the
interdependency between them.

Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6 Use ioutil.ReadFile instead of os.ReadFile
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e Add integration test for using WhoAmIRequest through impersonator 2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1 Use gorilla websocket library so squid proxy works 2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79 Small test refactor 2021-03-10 14:50:46 -08:00
Ryan Richard
2a2e2f532b Remove an integration test that is covered elsewhere now
The same coverage that was supplied by
TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable
is now provided by an assertion at the end of TestImpersonationProxy,
so delete the duplicate test which was failing on GKE because the
impersonation proxy is now active by default on GKE.
2021-03-10 14:17:20 -08:00
Ryan Richard
1078bf4dfb Don't pass credentials when testing impersonation proxy port is closed
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.

Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Ryan Richard
0b300cbe42 Use TokenCredentialRequest instead of base64 token with impersonator
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.

The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Margo Crawford
c853707889 Added integration test for using websockets via the impersonation proxy
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Margo Crawford
883b90923d Add integration test for kubectl port-forward with impersonation 2021-03-09 11:32:50 -08:00
Matt Moyer
29d5e43220
Fix minor typo in e2e_test.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:12:52 -06:00
Matt Moyer
a58b460bcb
Switch TestImpersonationProxy to get clients from library.NewKubeclient instead of directly from kubernetes.NewForConfig.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 15:03:34 -06:00
Ryan Richard
49ec16038c Add integration test for using "kubectl exec" through the impersonator
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-05 16:14:45 -08:00
Matt Moyer
4750d7d7d2
The stderr from "pinniped get kubeconfig" is no longer empty.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:57:24 -06:00
Matt Moyer
ba0dc3bf52
Remove this test retry loop since the "get kubeconfig" step should now wait.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:39:57 -06:00
Matt Moyer
52f58477b8
Wait for the ELB to become available _before_ starting the kubectl command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 09:32:49 -06:00
Matt Moyer
d848499176
Close this HTTP response body in TestE2EFullIntegration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:45:25 -06:00
Matt Moyer
c3b7d21037
Be less picky about what error code is returned here.
The thing we're waiting for is mostly that DNS is resolving, the ELB is listening, and connections are making it to the proxy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:40:29 -06:00
Ryan Richard
ec133b9743 Resolve some new linter errors 2021-03-04 17:44:01 -08:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Matt Moyer
16163b989b
Use regular http.Client in this test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 17:18:24 -06:00
Matt Moyer
165fce67af
Use the unversioned REST client for this check.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:23:39 -06:00
Matt Moyer
d24cf4b8a7
Go back to testing entirely through the proxy, but add a retry loop during the first connection.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:05:56 -06:00
Matt Moyer
9dfbe60253
Do the kubeconfig proxy environment injection, but actually render back out the YAML.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 14:41:20 -06:00
Matt Moyer
1734280a19
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-04 12:38:00 -06:00
Matt Moyer
9a0f75980d
Set a special proxy environment just for the "pinniped login oidc" command in the E2E test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:35:29 -06:00
Matt Moyer
03f09c6870
Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works (again).
This time, don't use the Squid proxy if the cluster supports real external load balancers (as in EKS/GKE/AKS).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:04:52 -06:00
Ryan Richard
5697adc36a Revert "Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works."
This reverts commit 7c9aff3278.
2021-03-03 17:24:10 -08:00
Ryan Richard
9c1c760f56 Always clean up the ConfigMap at the end of the impersonator int test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-03 16:23:07 -08:00
Ryan Richard
48f2ae9eb4 Fix a typo in concierge_impersonation_proxy_test.go 2021-03-03 15:18:01 -08:00