Ryan Richard
1056cef384
Sync garbage collector controller less often by adjusting its filters
- Only sync on add/update of secrets in the same namespace which
have the "storage.pinniped.dev/garbage-collect-after" annotation, and
also during a full resync of the informer whenever secrets in the
same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
unnecessarily when it deletes a secret. This controller is never
interested in deleted secrets, since its only job is to delete
existing secrets.
- No change to the self-imposed rate limit logic. That still applies
because secrets with this annotation will be created and updated
regularly while the system is running (not just during rare system
configuration steps).
2020-12-18 09:36:28 -08:00
Ryan Richard
6c210b67d4
Merge pull request #301 from vmware-tanzu/typed-secrets
Put a Type on all of the Secrets that we create in the supervisor
2020-12-17 17:42:20 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets
2020-12-17 17:42:04 -08:00
aram price
187bd9060c
All FederationDomain Secrets have distinct Types
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 17:07:38 -08:00
Matt Moyer
7a98900b28
Merge pull request #302 from mattmoyer/switch-registry-references
Move our main image references to the VMware Harbor registry.
2020-12-17 18:23:12 -06:00
Matt Moyer
e0b94f4780
Move our main image references to the VMware Harbor registry.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 17:51:09 -06:00
aram price
587cced768
Add extra type info where SecretType is used
2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677
Supervisor CSRF Secret has unique Type
Signed-off-by: aram price <pricear@vmware.com>
2020-12-17 15:30:26 -08:00
Matt Moyer
81eb0735d1
Merge pull request #299 from mattmoyer/update-go-dependencies
Update dependencies before v0.3.0 release.
2020-12-17 17:28:40 -06:00
Matt Moyer
c7931bc6d5
Remove our main module dependency on golangci-lint.
We will still pin this in CI via an image dependency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 17:01:32 -06:00
Ryan Richard
b27e3e1a89
Put a Type on the Secrets that we create for FederationDomain JWKS
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00
Matt Moyer
8db9331fed
Update ExpectedAuthorizeCodeSessionJSONFromFuzzing.
We stared at this very carefully and we don't think there are any structural changes. Maybe something small happened to get the RNG off by one?
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
3e15e184ef
Update test assertions related to spf13/cobra.
It now correctly prints errors to stderr (https://github.com/spf13/cobra/pull/894).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
6a457466df
Update generated k8s code for 1.19.5.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
3a81fbd1b4
Update fosite error usage.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
421c17c421
Update all modules.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Ryan Richard
780d236d89
Merge pull request #300 from vmware-tanzu/even-more-opc-renames
Even more "op" and "opc" local variable renames
2020-12-17 13:51:54 -08:00
Aram Price
55483b726b
More "op" and "opc" local variable renames
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 13:49:53 -08:00
Ryan Richard
32602f579b
Merge pull request #298 from vmware-tanzu/more-opc-rename
Rename all "op" and "opc" usages
2020-12-17 12:31:52 -08:00
Ryan Richard
65e7df1417
Merge branch 'main' into more-opc-rename
2020-12-17 12:10:19 -08:00
Ryan Richard
b96d49df0f
Rename all "op" and "opc" usages
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 11:34:49 -08:00
Matt Moyer
9183c3897f
Merge pull request #281 from mattmoyer/upgrade-dex
Upgrade the Dex we use for local testing to v2.27.0.
2020-12-17 12:50:36 -06:00
Andrew Keesler
b009cee877
Add Margo and Mo as maintainers of Pinniped
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-17 13:37:20 -05:00
Matt Moyer
41832369fd
Upgrade the Dex we use for local testing to v2.27.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 12:04:09 -06:00
Matt Moyer
cc5cb394e0
Merge pull request #143 from enj/enj/i/cache_mutation_detector_unit
Enable cache mutation detector in unit tests
2020-12-17 10:09:02 -06:00
Matt Moyer
b60542f0d1
Clean this test up a trivial amount using require.Implementsf().
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 08:38:16 -06:00
Monis Khan
dc8e7a2f39
Enable cache mutation detector in unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2020-12-17 08:38:15 -06:00
Matt Moyer
34e6e7567f
Merge pull request #295 from ankeesler/fix-secret-status
Only set single secret status field in FederationDomainSecretsController
2020-12-17 08:26:23 -06:00
Andrew Keesler
04d54e622a
Only set single secret status field in FederationDomainSecretsController
This implementation is janky because I wanted to make the smallest change
possible to try to get the code back to stable so we can release.
Also deep copy an object so we aren't mutating the cache.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-17 07:41:53 -05:00
Ryan Richard
4c6e1e5fb3
supervisor_login_test.go: wait for the /jwks.json endpoint to be ready
- Also fail in a more obvious way if the token exchange failed by
adding an assertion about its status code
2020-12-16 17:59:39 -08:00
Ryan Richard
b2b906f4fe
supervisor_discovery_test.go: make test timeouts longer to avoid flakes
2020-12-16 15:13:02 -08:00
Margo Crawford
40586b255c
Merge pull request #293 from vmware-tanzu/rename-oidcprovider-and-upstreamoidcprovider
Rename OIDCProvider -> FederationDomain and UpstreamOIDCProvider -> OIDCIdentityProvider
2020-12-16 14:58:33 -08:00
Margo Crawford
196e43aa48
Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
fbe1a202c2
Merge pull request #283 from vmware-tanzu/username-and-subject-claims
Adjust subject and username claims
2020-12-16 15:23:34 -06:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims
2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Matt Moyer
7bb0d649c0
Merge pull request #290 from mattmoyer/rename-token-exchange-scope
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
2020-12-16 15:22:05 -06:00
Matt Moyer
c110e173ac
Merge pull request #286 from mattmoyer/upgrade-debian-base-image
Upgrade base images to Debian 10.7-slim.
2020-12-16 15:21:31 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 15:16:31 -06:00
Matt Moyer
5367fd9fcb
Trigger CI
2020-12-16 15:13:28 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation
2020-12-16 15:40:34 -05:00
Andrew Keesler
446863ad96
Merge pull request #292 from ankeesler/golang-debian-bump
Upgrade golang (1.15.5 -> 1.15.6)
2020-12-16 15:38:12 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.
There is also a small typo fix in some flag usages (s/RF8693/RFC8693/).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
05127f4cfb
Merge pull request #291 from mattmoyer/tweak-oidcclient-timeouts
Tweak timeouts in oidcclient package.
2020-12-16 14:23:32 -06:00
Ryan Richard
653224c2ad
types_jwt.go.tmpl: Replace spaces with tabs
2020-12-16 12:21:30 -08:00
Margo Crawford
406fc95501
Empty commit to trigger CI
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 11:49:59 -08:00
Matt Moyer
01b6bf7850
Tweak timeouts in oidcclient package.
- The overall timeout for logins is increased to 90 minutes.
- The timeout for token refresh is increased from 30 seconds to 60 seconds to be a bit more tolerant of extremely slow networks.
- A new, matching timeout of 60 seconds has been added for the OIDC discovery, auth code exchange, and RFC8693 token exchange operations.
The new code uses the `http.Client.Timeout` field rather than managing contexts on individual requests. This is easier because the OIDC package stores a context at creation time and tries to use it later when performing key refresh operations.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 13:47:08 -06:00
Matt Moyer
2840e4e152
Merge pull request #288 from mattmoyer/fixup-securityheaders
Fix a regression in securityheaders package and add tests.
2020-12-16 13:46:28 -06:00
Matt Moyer
3948bb76d8
Be more lax in some of our test assertions.
Fosite overrides the `Cache-Control` header we set, which is basically fine even though it's not exactly what we want.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 13:15:38 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:06 -06:00