djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,170 Commits 30 Branches 34 Tags 22 MiB
1056cef384
Commit Graph

1170 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ryan Richard
1056cef384 Sync garbage collector controller less often by adjusting its filters 
- Only sync on add/update of secrets in the same namespace which
  have the "storage.pinniped.dev/garbage-collect-after" annotation, and
  also during a full resync of the informer whenever secrets in the
  same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
  unnecessarily when it deletes a secret. This controller is never
  interested in deleted secrets, since its only job is to delete
  existing secrets.
- No change to the self-imposed rate limit logic. That still applies
  because secrets with this annotation will be created and updated
  regularly while the system is running (not just during rare system
  configuration steps).
 2020-12-18 09:36:28 -08:00
Ryan Richard
6c210b67d4
Merge pull request #301 from vmware-tanzu/typed-secrets 
Put a Type on all of the Secrets that we create in the supervisor
 2020-12-17 17:42:20 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets 2020-12-17 17:42:04 -08:00
aram price
187bd9060c All FederationDomain Secrets have distinct Types 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-17 17:07:38 -08:00
Matt Moyer
7a98900b28
Merge pull request #302 from mattmoyer/switch-registry-references 
Move our main image references to the VMware Harbor registry.
 2020-12-17 18:23:12 -06:00
Matt Moyer
e0b94f4780
Move our main image references to the VMware Harbor registry. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 17:51:09 -06:00
aram price
587cced768 Add extra type info where SecretType is used 2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-17 15:30:26 -08:00
Matt Moyer
81eb0735d1
Merge pull request #299 from mattmoyer/update-go-dependencies 
Update dependencies before v0.3.0 release.
 2020-12-17 17:28:40 -06:00
Matt Moyer
c7931bc6d5
Remove our main module dependency on golangci-lint. 
We will still pin this in CI via an image dependency.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 17:01:32 -06:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-17 14:48:49 -08:00
Matt Moyer
8db9331fed
Update ExpectedAuthorizeCodeSessionJSONFromFuzzing. 
We stared at this very carefully and we don't think there are any structural changes. Maybe something small happened to get the RNG off by one?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Matt Moyer
3e15e184ef
Update test assertions related to spf13/cobra. 
It now correctly prints errors to stderr (https://github.com/spf13/cobra/pull/894).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Matt Moyer
6a457466df
Update generated k8s code for 1.19.5. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Matt Moyer
3a81fbd1b4
Update fosite error usage. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Matt Moyer
421c17c421
Update all modules. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 16:31:08 -06:00
Ryan Richard
780d236d89
Merge pull request #300 from vmware-tanzu/even-more-opc-renames 
Even more "op" and "opc" local variable renames
 2020-12-17 13:51:54 -08:00
Aram Price
55483b726b More "op" and "opc" local variable renames 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-17 13:49:53 -08:00
Ryan Richard
32602f579b
Merge pull request #298 from vmware-tanzu/more-opc-rename 
Rename all "op" and "opc" usages
 2020-12-17 12:31:52 -08:00
Ryan Richard
65e7df1417
Merge branch 'main' into more-opc-rename 2020-12-17 12:10:19 -08:00
Ryan Richard
b96d49df0f Rename all "op" and "opc" usages 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-17 11:34:49 -08:00
Matt Moyer
9183c3897f
Merge pull request #281 from mattmoyer/upgrade-dex 
Upgrade the Dex we use for local testing to v2.27.0.
 2020-12-17 12:50:36 -06:00
Andrew Keesler
b009cee877
Add Margo and Mo as maintainers of Pinniped 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-17 13:37:20 -05:00
Matt Moyer
41832369fd
Upgrade the Dex we use for local testing to v2.27.0. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 12:04:09 -06:00
Matt Moyer
cc5cb394e0
Merge pull request #143 from enj/enj/i/cache_mutation_detector_unit 
Enable cache mutation detector in unit tests
 2020-12-17 10:09:02 -06:00
Matt Moyer
b60542f0d1
Clean this test up a trivial amount using require.Implementsf(). 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 08:38:16 -06:00
Monis Khan
dc8e7a2f39
Enable cache mutation detector in unit tests 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-12-17 08:38:15 -06:00
Matt Moyer
34e6e7567f
Merge pull request #295 from ankeesler/fix-secret-status 
Only set single secret status field in FederationDomainSecretsController
 2020-12-17 08:26:23 -06:00
Andrew Keesler
04d54e622a
Only set single secret status field in FederationDomainSecretsController 
This implementation is janky because I wanted to make the smallest change
possible to try to get the code back to stable so we can release.

Also deep copy an object so we aren't mutating the cache.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-17 07:41:53 -05:00
Ryan Richard
4c6e1e5fb3 supervisor_login_test.go: wait for the /jwks.json endpoint to be ready 
- Also fail in a more obvious way if the token exchanged failed by
  adding an assertion about its status code
 2020-12-16 17:59:39 -08:00
Ryan Richard
b2b906f4fe supervisor_discovery_test.go: make test timeouts longer to avoid flakes 2020-12-16 15:13:02 -08:00
Margo Crawford
40586b255c
Merge pull request #293 from vmware-tanzu/rename-oidcprovider-and-upstreamoidcprovider 
Rename OIDCProvider -> FederationDomain and UpstreamOIDCProvider -> OIDCIdentityProvider
 2020-12-16 14:58:33 -08:00
Margo Crawford
196e43aa48 Rename off of main 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-16 14:27:09 -08:00
Matt Moyer
fbe1a202c2
Merge pull request #283 from vmware-tanzu/username-and-subject-claims 
Adjust subject and username claims
 2020-12-16 15:23:34 -06:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation 
Generate secrets for Pinniped Supervisor
 2020-12-16 15:22:23 -06:00
Matt Moyer
7bb0d649c0
Merge pull request #290 from mattmoyer/rename-token-exchange-scope 
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
 2020-12-16 15:22:05 -06:00
Matt Moyer
c110e173ac
Merge pull request #286 from mattmoyer/upgrade-debian-base-image 
Upgrade base images to Debian 10.7-slim.
 2020-12-16 15:21:31 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 15:16:31 -06:00
Matt Moyer
5367fd9fcb
Trigger CI 2020-12-16 15:13:28 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Andrew Keesler
446863ad96
Merge pull request #292 from ankeesler/golang-debian-bump 
Upgrade golang (1.15.5 -> 1.15.6)
 2020-12-16 15:38:12 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience". 
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 14:24:13 -06:00
Matt Moyer
05127f4cfb
Merge pull request #291 from mattmoyer/tweak-oidcclient-timeouts 
Tweak timeouts in oidcclient package.
 2020-12-16 14:23:32 -06:00
Ryan Richard
653224c2ad types_jwt.go.tmpl: Replace spaces with tabs 2020-12-16 12:21:30 -08:00
Margo Crawford
406fc95501 Empty commit to trigger CI 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-16 11:49:59 -08:00
Matt Moyer
01b6bf7850
Tweak timeouts in oidcclient package. 
- The overall timeout for logins is increased to 90 minutes.
- The timeout for token refresh is increased from 30 seconds to 60 seconds to be a bit more tolerant of extremely slow networks.
- A new, matching timeout of 60 seconds has been added for the OIDC discovery, auth code exchange, and RFC8693 token exchange operations.

The new code uses the `http.Client.Timeout` field rather than managing contexts on individual requests. This is easier because the OIDC package stores a context at creation time and tries to use it later when performing key refresh operations.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 13:47:08 -06:00
Matt Moyer
2840e4e152
Merge pull request #288 from mattmoyer/fixup-securityheaders 
Fix a regression in securityheaders package and add tests.
 2020-12-16 13:46:28 -06:00
Matt Moyer
3948bb76d8
Be more lax in some of our test assertions. 
Fosite overrides the `Cache-Control` header we set, which is basically fine even though it's not exactly what we want.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 13:15:38 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint. 
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 12:41:06 -06:00