Commit Graph

174 Commits

Author SHA1 Message Date
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
8ff64d4c1a Require https scheme for OIDCProviderConfig Issuer field
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Ryan Richard
29e0ce5662 Configure name of the supervisor default TLS cert secret via ConfigMap
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
170d3a3993 Forgot to commit some test fixtures in a prior commit 2020-10-27 17:00:00 -07:00
Ryan Richard
38802c2184 Add a way to set a default supervisor TLS cert for when SNI won't work
- Setting a Secret in the supervisor's namespace with a special name
  will cause it to get picked up and served as the supervisor's TLS
  cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
  issuer and the user will be accessing it via IP address. This
  is not how we would expect it to be used in production, but it
  might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
  Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 16:33:08 -07:00
Ryan Richard
eeb110761e Rename secretName to SNICertificateSecretName in OIDCProviderConfig 2020-10-26 17:25:45 -07:00
Ryan Richard
8b7c30cfbd Supervisor listens for HTTPS on port 443 with configurable TLS certs
- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
2020-10-26 17:03:26 -07:00
Ryan Richard
25a91019c2 Add spec.secretName to OPC and handle case-insensitive hostnames
- When two different Issuers have the same host (i.e. they differ
  only by path) then they must have the same secretName. This is because
  it wouldn't make sense for there to be two different TLS certificates
  for one host. Find any that do not have the same secret name to
  put an error status on them and to avoid serving OIDC endpoints for
  them. The host comparison is case-insensitive.
- Issuer hostnames should be treated as case-insensitive, because
  DNS hostnames are case-insensitive. So https://me.com and
  https://mE.cOm are duplicate issuers. However, paths are
  case-sensitive, so https://me.com/A and https://me.com/a are
  different issuers. Fixed this in the issuer validations and in the
  OIDC Manager's request router logic.
2020-10-23 16:25:44 -07:00
Andrew Keesler
110c72a5d4
dynamiccertauthority: fix cert expiration test failure
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-23 15:34:25 -04:00
Matt Moyer
3508a28369
Implement refresh flow in ./internal/oidcclient package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Matt Moyer
e919ef6582
Add a file-based session cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 14:28:05 -05:00
Matt Moyer
e8113e3770
Add basic caching framework to ./internal/oidclient package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:14:16 -05:00
Matt Moyer
7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient. 2020-10-21 13:07:21 -05:00
Ryan Richard
d9d76726c2 Implement per-issuer OIDC JWKS endpoint 2020-10-16 17:51:40 -07:00
Andrew Keesler
617c5608ca Supervisor controllers apply custom labels to JWKS secrets
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 12:40:56 -07:00
Ryan Richard
f8e461dfc3 Merge branch 'main' into label_every_resource 2020-10-15 10:19:03 -07:00
Ryan Richard
94f20e57b1 Concierge controllers add labels to all created resources 2020-10-15 10:14:23 -07:00
Andrew Keesler
e05213f9dd
supervisor-generate-key: use EC keys intead of RSA
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 11:33:08 -04:00
Andrew Keesler
fbcce700dc
Fix whitespace/spelling nits in JWKS controller
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:22:17 -04:00
Andrew Keesler
31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:09:49 -04:00
Andrew Keesler
76e89b523b
Merge remote-tracking branch 'upstream/main' into generate-jwk-key 2020-10-14 17:40:17 -04:00
Andrew Keesler
c030551af0
supervisor-generate-key: unit and integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 16:41:16 -04:00
Andrew Keesler
6aed025c79
supervisor-generate-key: initial spike
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:47:34 -04:00
Matt Moyer
67b692b11f
Implement the rest of an OIDC client CLI library.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Andrew Keesler
c555c14ccb
supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 11:54:50 -04:00
Andrew Keesler
bb015adf4e
Backfill tests to OIDCProviderConfig controller
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 10:39:17 -04:00
Andrew Keesler
fac4d074d0
internal/multierror: add tests
Signed-off-by: Andrew Keesler <ankeesler1@gmail.com>
2020-10-09 08:00:41 -04:00
Ryan Richard
b74486f305 Start back-filling unit tests for OIDCProviderConfigWatcherController
- Left some TODOs for more things that it should test
2020-10-08 17:40:58 -07:00
Andrew Keesler
05141592f8 Refactor provider.Manager
- And also handle when an issuer's path is a subpath of another issuer

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 14:40:56 -07:00
Ryan Richard
8b7d96f42c Several small refactors related to OIDC providers 2020-10-08 11:28:21 -07:00
Andrew Keesler
da00fc708f
supervisor-oidc: checkpoint: add status to provider CRD
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 13:27:45 -04:00
Ryan Richard
6b653fc663 Creation and deletion of OIDC Provider discovery endpoints from config
- The OIDCProviderConfigWatcherController synchronizes the
  OIDCProviderConfig settings to dynamically mount and unmount the
  OIDC discovery endpoints for each provider
- Integration test passes but unit tests need to be added still
2020-10-07 19:18:34 -07:00
Andrew Keesler
f48a4e445e
Fix linting and unit tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 11:48:21 -04:00
Andrew Keesler
20ce142f90
Merge remote-tracking branch 'upstream/main' into supervisor-with-discovery 2020-10-07 11:37:33 -04:00
Andrew Keesler
c49ebf4b57
supervisor-oidc: int test passes, but impl needs refactor
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 11:33:50 -04:00
Andrew Keesler
019f44982c
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 10:54:56 -04:00
Ryan Richard
5b3dd5fc7d
Rename pinniped-server -> pinniped-concierge
Do we like this? We don't know yet.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 14:59:03 -04:00
Matt Moyer
38501ff763
Add initial "pinniped alpha login oidc" partial implementation.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-06 12:42:29 -05:00
Andrew Keesler
fd6a7f5892
supervisor-oidc: hoist OIDC discovery handler for testing
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 11:16:57 -04:00
Ryan Richard
76bd462cf8 Implement very rough skeleton of the start of a supervisor server
- This is just stab at a starting place because it felt easier to
  put something down on paper than to keep staring at a blank page
2020-10-05 17:28:19 -07:00
Andrew Keesler
b21b43c654
Fix expected CIC status message on non-hosted control planes 2020-09-24 17:56:55 -04:00
Andrew Keesler
9e0195e024
kubecertagent: use initial event for when key can't be found
This should fix integration tests running on clusters that don't have
visible controller manager pods (e.g., GKE). Pinniped should boot, not
find any controller manager pods, but still post a status in the CIC.

I also updated a test helper so that we could tell the difference
between when an event was not added and when an event was added with
an empty key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 16:54:20 -04:00
Andrew Keesler
d853cbc7ff
Plumb through ImagePullSecrets to agent pod
Right now in the YTT templates we assume that the agent pods are gonna use
the same image as the main Pinniped deployment, so we can use the same logic
for the image pull secrets.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 15:52:05 -04:00
Andrew Keesler
fab36c55f5
inernal/controller/kubecertagent: fix some godoc's
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:06 -04:00
Ryan Richard
3f06be2246 Remove kubecertauthority pkg
All of its functionality was refactored to move elsewhere or to not
be needed anymore by previous commits
2020-09-24 09:23:29 -07:00
Andrew Keesler
69137fb6b9 kube_config_info_publisher.go no longer watches cic's with an informer
Simplifies the implementation, makes it more consistent with other
updaters of the cic (CredentialIssuerConfig), and also retries on
update conflicts

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-24 09:19:57 -07:00
Ryan Richard
253d3bb36f Remove an accidentally committed it.Focus 2020-09-24 08:15:10 -07:00