Commit Graph

532 Commits

Author SHA1 Message Date
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
bd8c243636 concierge_impersonation_proxy_test.go: small refactor 2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Andrew Keesler
257d69045d
Reuse internal/concierge/scheme
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:40:59 -04:00
Andrew Keesler
05a188d4cd
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:36:28 -04:00
Andrew Keesler
cc8f0b623c
test/integration: add pinniped whoami tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:35 -04:00
Matt Moyer
74df6d138b
Memoize library.IntegrationEnv so it's only constructed once per test.
This is probably a good idea regardless, but it also avoids an infinite recursion from IntegrationEnv() -> assertNoRestartsDuringTest() -> NewKubeclient() -> IntegrationEnv() -> ...

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 13:37:48 -05:00
Matt Moyer
0dd2b358fb
Extend assertNoRestartsDuringTest to dump logs from containers that restarted.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 13:37:47 -05:00
Matt Moyer
6520c5a3a1
Extend library.DumpLogs() to dump logs from the previous container, if one exists.
This is important in case the container has crashed and has been restarted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:46:40 -05:00
Matt Moyer
5a43a5d53a
Remove library.AssertNoRestartsDuringTest and make that assertion implicit in library.IntegrationEnv.
This means we (hopefully) can't forget to include these assertions in any integration test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:18:10 -05:00
Margo Crawford
897340860b Small refactor to impersonation proxy integration test 2021-03-16 16:57:46 -07:00
Matt Moyer
4d2035ab2a
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-16 18:19:40 -05:00
Matt Moyer
30a392b900
Improve the reliability of TestGetPinnipedCategory.
This test could flake in some rare scenarios. This change adds a bunch of retries, improves the debugging output if the tests fail, and puts all of the subtests in parallel which saves ~10s on my local machine.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 17:39:02 -05:00
Matt Moyer
2515b2d710
Make TestAPIServingCertificateAutoCreationAndRotation more reliable.
This test has occasionally flaked because it only waited for the APIService GET to finish, but did not wait for the controller to successfully update the target object.

The new code should be more patient and allow the controller up to 10s to perform the expected action.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 15:14:24 -05:00
Matt Moyer
10a1e29e15
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:35:07 -05:00
Matt Moyer
2319606cd2
Fix some nits from the previous commit that I accidentally merged before fixing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:24:13 -05:00
Matt Moyer
c5b784465b
Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled).

This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 13:54:29 -05:00
Margo Crawford
64e0dbb481 Sleep for 1 minute 10 seconds instead of a minute in timeout test 2021-03-15 16:33:47 -07:00
Margo Crawford
939ea30030 Make all tests but disable test parallelized
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17 Test waiting for a minute and keeping connection open
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Monis Khan
4f671f5dca
dynamiccert: unit test with DynamicServingCertificateController
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 17:23:37 -04:00
Ryan Richard
8065a8d2e6 TestKubeCertAgent waits for CredentialIssuer strategy to be successful
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a Fix a race detector warning by re-declaring err in a t.Cleanup() 2021-03-15 11:43:12 -07:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Margo Crawford
d509e7012e Add eventually loop to port-forward test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
I think this is nondeterministic...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
f77c92560f Rewrite impersonator_test.go, add missing argument to IssuePEM()
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.

The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d Fix lint errors from a previous commit 2021-03-11 16:21:40 -08:00
Andrew Keesler
71712b2d00 Add test for http2
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
Matt Moyer
a64786a728
Fix TestCLIGetKubeconfigStaticToken for new CLI log output.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 15:48:04 -06:00
Matt Moyer
78fdc59d2d
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-11 14:56:11 -06:00
Ryan Richard
29d7f406f7 Test double impersonation as the cluster admin 2021-03-11 12:53:27 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Matt Moyer
e98c6dfdd8
Add retries to TestSupervisorTLSTerminationWithSNI and TestSupervisorOIDCDiscovery.
These tests occasionally flake because of a conflict error such as:

```
    supervisor_discovery_test.go:105:
        	Error Trace:	supervisor_discovery_test.go:587
        	            				supervisor_discovery_test.go:105
        	Error:      	Received unexpected error:
        	            	Operation cannot be fulfilled on federationdomains.config.supervisor.pinniped.dev "test-oidc-provider-lvjfw": the object has been modified; please apply your changes to the latest version and try again
        	Test:       	TestSupervisorOIDCDiscovery
```

These retries should improve the reliability of the tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 13:18:15 -06:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
This was failing on our laptops because 443 is a privileged port.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97 concierge_impersonation_proxy_test.go: Fix lint error in previous commit 2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee Test using a service account token to auth to the impersonator
Also make each t.Run use its own namespace to slight reduce the
interdependency between them.

Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6 Use ioutil.ReadFile instead of os.ReadFile
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e Add integration test for using WhoAmIRequest through impersonator 2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1 Use gorilla websocket library so squid proxy works 2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79 Small test refactor 2021-03-10 14:50:46 -08:00
Ryan Richard
2a2e2f532b Remove an integration test that is covered elsewhere now
The same coverage that was supplied by
TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable
is now provided by an assertion at the end of TestImpersonationProxy,
so delete the duplicate test which was failing on GKE because the
impersonation proxy is now active by default on GKE.
2021-03-10 14:17:20 -08:00
Ryan Richard
1078bf4dfb Don't pass credentials when testing impersonation proxy port is closed
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.

Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Ryan Richard
0b300cbe42 Use TokenCredentialRequest instead of base64 token with impersonator
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.

The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Margo Crawford
c853707889 Added integration test for using websockets via the impersonation proxy
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Margo Crawford
883b90923d Add integration test for kubectl port-forward with impersonation 2021-03-09 11:32:50 -08:00
Matt Moyer
29d5e43220
Fix minor typo in e2e_test.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:12:52 -06:00
Matt Moyer
a58b460bcb
Switch TestImpersonationProxy to get clients from library.NewKubeclient instead of directly from kubernetes.NewForConfig.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 15:03:34 -06:00
Ryan Richard
49ec16038c Add integration test for using "kubectl exec" through the impersonator
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-05 16:14:45 -08:00
Matt Moyer
4750d7d7d2
The stderr from "pinniped get kubeconfig" is no longer empty.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:57:24 -06:00
Matt Moyer
ba0dc3bf52
Remove this test retry loop since the "get kubeconfig" step should now wait.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:39:57 -06:00
Matt Moyer
52f58477b8
Wait for the ELB to become available _before_ starting the kubectl command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 09:32:49 -06:00
Matt Moyer
d848499176
Close this HTTP response body in TestE2EFullIntegration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:45:25 -06:00
Matt Moyer
c3b7d21037
Be less picky about what error code is returned here.
The thing we're waiting for is mostly that DNS is resolving, the ELB is listening, and connections are making it to the proxy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:40:29 -06:00
Ryan Richard
ec133b9743 Resolve some new linter errors 2021-03-04 17:44:01 -08:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Matt Moyer
fea626b654
Remove this proxy-related test code that we ended up not needing.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 17:19:59 -06:00
Matt Moyer
16163b989b
Use regular http.Client in this test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 17:18:24 -06:00
Matt Moyer
165fce67af
Use the unversioned REST client for this check.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:23:39 -06:00
Matt Moyer
d24cf4b8a7
Go back to testing entirely through the proxy, but add a retry loop during the first connection.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:05:56 -06:00
Matt Moyer
274e6281a8
Whoops, missed these fixes in test/library/env.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 15:21:49 -06:00
Matt Moyer
9dfbe60253
Do the kubeconfig proxy environment injection, but actually render back out the YAML.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 14:41:20 -06:00
Matt Moyer
1734280a19
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-04 12:38:00 -06:00
Matt Moyer
9a0f75980d
Set a special proxy environment just for the "pinniped login oidc" command in the E2E test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:35:29 -06:00
Matt Moyer
03f09c6870
Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works (again).
This time, don't use the Squid proxy if the cluster supports real external load balancers (as in EKS/GKE/AKS).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:04:52 -06:00
Ryan Richard
5697adc36a Revert "Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works."
This reverts commit 7c9aff3278.
2021-03-03 17:24:10 -08:00
Ryan Richard
9c1c760f56 Always clean up the ConfigMap at the end of the impersonator int test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-03 16:23:07 -08:00
Ryan Richard
48f2ae9eb4 Fix a typo in concierge_impersonation_proxy_test.go 2021-03-03 15:18:01 -08:00
Matt Moyer
7c9aff3278
Allow TestE2EFullIntegration to run on clusters where only the impersonation proxy works.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-03 17:05:46 -06:00
Ryan Richard
58607c7e81 Update TestCredentialIssuer int test to ignore ImpersonationProxy type 2021-03-03 14:19:24 -08:00
Ryan Richard
666c0b0e18 Use CredentialIssuer for URL/CA discovery in impersonator int test 2021-03-03 12:53:41 -08:00
Margo Crawford
27daf0a2fe Increase timeout for creating load balancer in impersonation proxy test 2021-03-02 15:49:30 -08:00
Ryan Richard
84cc42b2ca Remove tls field from the impersonator config
- Decided that we're not going to implement this now, although
  we may decide to add it in the future
2021-03-02 15:28:13 -08:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Matt Moyer
df27c2e1fc
Use randomly generated API groups in TestKubeClientOwnerRef.
I think this is another aspect of the test flakes we're trying to fix. This matters especially for the "Multiple Pinnipeds" test environment where two copies of the test suite are running concurrently.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:48:13 -06:00
Matt Moyer
45f57939af
Make TestGetPinnipedCategory more resilient.
If the test is run immediately after the Concierge is installed, the API server can still have broken discovery data and return an error on the first call.
This commit adds a retry loop to attempt this first kubectl command for up to 60s before declaring failure.
The subsequent tests should be covered by this as well since they are not run in parallel.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:40:17 -06:00
Matt Moyer
643c60fd7a
Drop NewKubeConfigInfoPublisherController, start populating strategy frontend from kubecertagent execer controller.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Ryan Richard
a75c2194bc Read the names of the impersonation-related resources from the config
They were previously temporarily hardcoded. Now they are set at deploy
time via the static ConfigMap in deployment.yaml
2021-03-02 09:31:24 -08:00
Ryan Richard
41140766f0 Add integration test which demonstrates double impersonation
We don't support using the impersonate headers through the impersonation
proxy yet, so this integration test is a negative test which asserts
that we get an error.
2021-03-01 17:53:26 -08:00
Ryan Richard
a2ecd05240 Impersonator config controller writes CA cert & key to different Secret
- The CA cert will end up in the end user's kubeconfig on their client
  machine, so if it changes they would need to fetch the new one and
  update their kubeconfig. Therefore, we should avoid changing it as
  much as possible.
- Now the controller writes the CA to a different Secret. It writes both
  the cert and the key so it can reuse them to create more TLS
  certificates in the future.
- For now, it only needs to make more TLS certificates if the old
  TLS cert Secret gets deleted or updated to be invalid. This allows
  for manual rotation of the TLS certs by simply deleting the Secret.
  In the future, we may want to implement some kind of auto rotation.
- For now, rotation of both the CA and TLS certs will also happen if
  you manually delete the CA Secret. However, this would cause the end
  users to immediately need to get the new CA into their kubeconfig,
  so this is not as elegant as a normal rotation flow where you would
  have a window of time where you have more than one CA.
2021-03-01 17:02:08 -08:00
Ryan Richard
3fcde8088c concierge_impersonation_proxy_test.go: Make it work on more clusters
Should work on cluster which have:
- load balancers not supported, has squid proxy (e.g. kind)
- load balancers supported, has squid proxy (e.g. EKS)
- load balancers supported, no squid proxy (e.g. GKE)

When testing with a load balancer, call the impersonation proxy through
the load balancer.

Also, added a new library.RequireNeverWithoutError() helper.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 14:40:18 -08:00
Margo Crawford
9a8c80f20a Impersonator checks cert addresses when endpoint config is a hostname
Also update concierge_impersonation_proxy_test.go integration test
to use real TLS when calling the impersonator.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 10:27:19 -08:00
Matt Moyer
4dbde4cf7f
Fix TestImpersonationProxy on Kubernetes 1.20 with RootCAConfigMap.
There is a new feature in 1.20 that creates a ConfigMap by default in each namespace: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#introducing-rootcaconfigmap

This broke this test because it assumed that all the ConfigMaps in the ephemeral test namespace were those created by the test code. The fix is to add a test label and rewrite our assertions to filter with it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 12:08:41 -06:00
Margo Crawford
dac1c9939e concierge_impersonation_proxy_test.go: Test all the verbs
Also:
- Shut down the informer correctly in
  concierge_impersonation_proxy_test.go
- Remove the t.Failed() checks which avoid cleaning up after failed
  tests. This was inconsistent with how most of the tests work, and
  left cruft on clusters when a test failed.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-23 10:38:32 -08:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Monis Khan
6a9f57f83d
TestWhoAmI: support older clusters (CSR and impersonation)
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-23 10:15:17 -05:00
Ryan Richard
80ff5c1f17 Fix bug which prevented watches from working through impersonator
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Ryan Richard
b8592a361c Add some comments to concierge_impersonation_proxy_test.go
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 16:27:03 -08:00
Margo Crawford
19881e4d7f Increase how long we wait for loadbalancers to be deleted for int test
Also add some log messages which might help us debug issues like this
in the future.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 15:58:27 -08:00
Margo Crawford
7a140bf63c concierge_impersonation_proxy_test.go: add an eventually loop
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 11:08:13 -08:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Margo Crawford
22a3e73bac impersonator_config_test.go: use require.Len() when applicable
Also fix a lint error in concierge_impersonation_proxy_test.go

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:29:56 -08:00
Margo Crawford
10b769c676 Fixed integration tests for load balancer capabilities 2021-02-17 10:55:49 -08:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
25bc8dd8a9
test/integration: hopefully fix TestImpersonationProxy
I think we were assuming the name of our Concierge app, and getting lucky
because it was the name we use when testing locally (but not in CI).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 18:04:21 -05:00
Ryan Richard
5cd60fa5f9 Move starting/stopping impersonation proxy server to a new controller
- Watch a configmap to read the configuration of the impersonation
  proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
  Those will come in future commits.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Monis Khan
4c304e4224
Assert all APIs have a status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
0a9f446893
Update credential issuer logic to use status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
ac01186499
Use API service as owner ref for cluster scoped resources
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
89b00e3702
Declare war on namespaces
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Monis Khan
4205e3dedc
Make concierge APIs cluster scoped
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Matt Moyer
45f4a0528c
Upgrade Debian base images from 10.7 to 10.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-10 15:57:16 -06:00
Andrew Keesler
0fc1f17866
internal/groupsuffix: mutate TokenCredentialRequest's Authenticator
This is a partial revert of 288d9c999e. For some reason it didn't occur to me
that we could do it this way earlier. Whoops.

This also contains a middleware update: mutation funcs can return an error now
and short-circuit the rest of the request/response flow. The idea here is that
if someone is configuring their kubeclient to use middleware, they are agreeing
to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's
must have an Spec.Authenticator.APIGroup set).

I also updated some internal/groupsuffix tests to be more realistic.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 15:53:44 -05:00
Andrew Keesler
12d5b8959d
test/integration: make TestKubeCertAgent more stable
I think the reason we were seeing flakes here is because the kube cert agent
pods had not reached a steady state even though our test assertions passed, so
the test would proceed immediately and run more assertions on top of a weird
state of the kube cert agent pods.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 12:08:34 -05:00
Andrew Keesler
1ffe70bbea
cmd/pinniped: delete get-kubeconfig + exchange-token
These were deprecated in v0.3.0.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 17:01:57 -05:00
Ryan Richard
e4c49c37b9 Merge branch 'main' into impersonation-proxy 2021-02-09 13:45:37 -08:00
Margo Crawford
dfcc2a1eb8 Introduce clusterhost package to determine whether a cluster has control plane nodes
Also added hasExternalLoadBalancerProvider key to cluster capabilities
for integration testing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-09 11:16:01 -08:00
Monis Khan
f7958ae75b
Add no-op list support to token credential request
This allows us to keep all of our resources in the pinniped category
while not having kubectl return errors for calls such as:

kubectl get pinniped -A

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 10:59:39 -05:00
Ryan Richard
2a921f7090
Merge branch 'main' into credential_request_spec_api_group 2021-02-04 13:44:53 -08:00
Andrew Keesler
ae498f14b4
test/integration: ensure no pods restart during integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-04 10:24:33 -05:00
Ryan Richard
288d9c999e Use custom suffix in Spec.Authenticator.APIGroup of TokenCredentialRequest
When the Pinniped server has been installed with the `api_group_suffix`
option, for example using `mysuffix.com`, then clients who would like to
submit a `TokenCredentialRequest` to the server should set the
`Spec.Authenticator.APIGroup` field as `authentication.concierge.mysuffix.com`.

This makes more sense from the client's point of view than using the
default `authentication.concierge.pinniped.dev` because
`authentication.concierge.mysuffix.com` is the name of the API group
that they can observe their cluster and `authentication.concierge.pinniped.dev`
does not exist as an API group on their cluster.

This commit includes both the client and server-side changes to make
this work, as well as integration test updates.

Co-authored-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 15:49:15 -08:00
Ryan Richard
5549a262b9 Rename client_test.go to concierge_client_test.go
Because it is a test of the conciergeclient package, and the naming
convention for integration test files is supervisor_*_test.go,
concierge_*_test.go, or cli_*_test.go to identify which component
the test is primarily covering.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 12:07:38 -08:00
Margo Crawford
6b46bae6c6 Fixed integration test compile failures after rebase 2021-02-03 11:32:29 -08:00
Matt Moyer
1299231a48 Add integration test for impersonation proxy.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 09:31:30 -08:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Ryan Richard
b5cbe018e3
Allow passing multiple redirect URIs to Dex
We need this in CI when we want to configure Dex with the redirect URI for both
primary and secondary deploys at one time (since we only stand up Dex once).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-20 17:06:50 -05:00
Andrew Keesler
906bfa023c
test: wire API group suffix through to tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Matt Moyer
6a0dc1e2bb
Fix an issue in TestE2EFullIntegration groups assertions.
The group claims read from the session cache file are loaded as `[]interface{}` (slice of empty interfaces) so when we previously did a `groups, _ := idTokenClaims[oidc.DownstreamGroupsClaim].([]string)`, then `groups` would always end up nil.

The solution I tried here was to convert the expected value to also be `[]interface{}` so that `require.Equal(t, ...)` does the right thing.

This bug only showed up in our acceptance environnment against Okta, since we don't have any other integration test coverage with IDPs that pass a groups claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-14 21:06:02 -06:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Andrew Keesler
8a916ce8ae
test/integration: add test helper to avoid race conditions
We were seeing a race in this test code since the require.NoError() and
require.Eventually() would write to the same testing.T state on separate
goroutines. Hopefully this helper function should cover the cases when we want
to require.NoError() inside a require.Eventually() without causing a race.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:35 -05:00
Andrew Keesler
a0546942b8
test/integration: skip part of test to avoid Kube 1.20 GC bug
See comment.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:26 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-12 11:23:25 -05:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Monis Khan
bba0f3a230
Always set an owner ref back to our deployment
This change updates our clients to always set an owner ref when:

1. The operation is a create
2. The object does not already have an owner ref set

Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-07 15:25:40 -05:00
Andrew Keesler
3d8616e75f
test/integration: fix intermittent failures on GKE
See comment. This is at least a first step to make our GKE acceptance
environment greener. Previously, this test assumed that the Pinniped-under-test
had been deployed in (roughly) the last 10 minutes, which is not an assumption
that we make anywhere else in the integration test suite.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-06 12:09:11 -05:00
aram price
cc5af1a810 Fix lint error
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 15:28:56 -08:00
Ryan Richard
2f518b8b7c TLSCertObserverController Syncs less often by adjusting its filters
- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 15:10:48 -08:00
Ryan Richard
1056cef384 Sync garbage collector controller less often by adjusting its filters
- Only sync on add/update of secrets in the same namespace which
  have the "storage.pinniped.dev/garbage-collect-after" annotation, and
  also during a full resync of the informer whenever secrets in the
  same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
  unnecessarily when it deletes a secret. This controller is never
  interested in deleted secrets, since its only job is to delete
  existing secrets.
- No change to the self-imposed rate limit logic. That still applies
  because secrets with this annotation will be created and updated
  regularly while the system is running (not just during rare system
  configuration steps).
2020-12-18 09:36:28 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets 2020-12-17 17:42:04 -08:00
aram price
187bd9060c All FederationDomain Secrets have distinct Types
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 17:07:38 -08:00
Matt Moyer
e0b94f4780
Move our main image references to the VMware Harbor registry.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 17:51:09 -06:00
aram price
587cced768 Add extra type info where SecretType is used 2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type
Signed-off-by: aram price <pricear@vmware.com>
2020-12-17 15:30:26 -08:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00