Commit Graph

277 Commits

Author SHA1 Message Date
Ryan Richard
1ae3c6a1ad Split package upstreamwatchers into four packages 2021-05-12 14:00:39 -07:00
Ryan Richard
4804c837d4 Insignificant change in ldap_upstream_watcher_test.go 2021-05-12 13:37:01 -07:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Monis Khan
4ce77c4837
supervisor gc: use singleton queue
The supervisor treats all events the same hence it must use a
singleton queue.

Updated the integration test to remove the data race caused by
calling methods on testing.T outside of the main test go routine.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-04 14:44:55 -04:00
Matt Moyer
b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount.
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID.  This
allows us to support service account tokens (as well as any other
form of token based authentication).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Monis Khan
bb7e7fe81e
webhookcachefiller: be stricter about CA bundle validation
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 05:49:06 -04:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a Merge branch 'main' into initial_ldap 2021-04-27 10:12:43 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
54a8297cc4
Add generated mocks for kubecertagent.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.

This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Ryan Richard
e9d5743845 Add authentication dry run validation to LDAPIdentityProvider
Also force the LDAP server pod to restart whenever the LDIF file
changes, so whenever you redeploy the tools deployment with a new test
user password the server will be updated.
2021-04-16 14:04:05 -07:00
Ryan Richard
83085aa3d6 Retest the server connection when the bind Secret has changed
Unfortunately, Secrets do not seem to have a Generation field, so we
use the ResourceVersion field instead. This means that any change to
the Secret will cause us to retry the connection to the LDAP server,
even if the username and password fields in the Secret were not
changed. Seems like an okay trade-off for this early draft of the
controller compared to a more complex implementation.
2021-04-15 17:45:15 -07:00
Ryan Richard
8e438e22e9 Only test the server connection when the spec has changed
This early version of the controller is not intended to act as an
ongoing health check for your upstream LDAP server. It will connect
to the LDAP server to essentially "lint" your configuration once.
It will do it again only when you change your configuration. To account
for transient errors, it will keep trying to connect to the server
until it succeeds once.

This commit does not include looking for changes in the associated bind
user username/password Secret.
2021-04-15 16:46:27 -07:00
Ryan Richard
b9ce84fd68 Test the LDAP config by connecting to the server in the controller 2021-04-15 14:44:43 -07:00
Ryan Richard
e6e6497022 Introduce upstreamldap.New to prevent changes to the underlying config
Makes it easier to support using the same upstreamldap.Provider from
multiple goroutines safely.
2021-04-15 10:25:35 -07:00
Ryan Richard
14ff5ee4ff ldap_upstream_watcher.go: decode and validate CertificateAuthorityData 2021-04-13 17:16:57 -07:00
Ryan Richard
e24d5891dd ldap_upstream_watcher_test.go: add another unit test 2021-04-12 14:12:51 -07:00
Ryan Richard
25c1f0d523 Add Conditions to LDAPIdentityProvider's Status and start to fill them
- The ldap_upstream_watcher.go controller validates the bind secret and
  uses the Conditions to report errors. Shares some condition reporting
  logic with its sibling controller oidc_upstream_watcher.go, to the
  extent which is convenient without generics in golang.
2021-04-12 13:53:21 -07:00
Ryan Richard
05571abb74 Add a little more logic to ldap_upstream_watcher.go 2021-04-12 11:23:08 -07:00
Ryan Richard
05daa9eff5 More LDAP WIP: started controller and LDAP server connection code
Both are unfinished works in progress.
2021-04-09 18:49:43 -07:00
Ryan Richard
7781a2e17a Some renames in pkg upstreamwatcher to make room for a second controller 2021-04-09 08:43:19 -07:00
Ryan Richard
f6ded84f07 Implement upstream LDAP support in auth_handler.go
- When the upstream IDP is an LDAP IDP and the user's LDAP username and
  password are received as new custom headers, then authenticate the
  user and, if authentication was successful, return a redirect with
  an authcode. Handle errors according to the OAuth/OIDC specs.
- Still does not support having multiple upstream IDPs defined at the
  same time, which was an existing limitation of this endpoint.
- Does not yet include the actual LDAP authentication, which is
  hidden behind an interface from the point of view of auth_handler.go
- Move the oidctestutil package to the testutil directory.
- Add an interface for Fosite storage to avoid a cyclical test
  dependency.
- Add GetURL() to the UpstreamLDAPIdentityProviderI interface.
- Extract test helpers to be shared between callback_handler_test.go
  and auth_handler_test.go because the authcode and fosite storage
  assertions should be identical.
- Backfill Content-Type assertions in callback_handler_test.go.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-08 17:28:01 -07:00
Ryan Richard
1f5978aa1a Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 16:12:13 -07:00
Margo Crawford
8b6fe0ac70 Fix lint error 2021-03-30 14:53:26 -07:00
Margo Crawford
d47603472d Do not error when trying to delete the TLS secret and you get a not found 2021-03-30 14:44:06 -07:00
Margo Crawford
3742719427 Add annotation to make the idle timeout be over 1 hour rather than 1 minute
- Note that 4000 seconds is the maximum value that AWS allows.
2021-03-30 09:12:34 -07:00
Monis Khan
205c22ddbe
impersonator config: catch panics when running impersonator
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 10:28:28 -04:00
Monis Khan
00694c9cb6
dynamiccert: split into serving cert and CA providers
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 12:24:07 -04:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Monis Khan
2d28d1da19
Implement all optional methods in dynamic certs provider
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 16:24:08 -05:00
Monis Khan
7b1ecf79a6
Fix race between err chan send and re-queue
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 10:13:29 -05:00
Monis Khan
6582c23edb Fix a race detector error in a unit test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-10 11:24:42 -08:00
Ryan Richard
0b300cbe42 Use TokenCredentialRequest instead of base64 token with impersonator
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.

The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Matt Moyer
8c0a073cb6
Fix this constant name to match its value.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 13:31:16 -06:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Ryan Richard
b102aa8991 In unit test, wait for obj from informer instead of resource version
In impersonator_config_test.go, instead of waiting for the resource
version to appear in the informers, wait for the actual object to
appear.

This is an attempt to resolve flaky failures that only happen in CI,
but it also cleans up the test a bit by avoiding inventing fake resource
version numbers all over the test.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-04 17:26:01 -08:00
Ryan Richard
9eb97e2683 Use Eventually when making tls connections and avoid resource version 0
- Use `Eventually` when making tls connections because the production
  code's handling of starting and stopping the TLS server port
  has some async behavior.
- Don't use resource version "0" because that has special meaning
  in the informer libraries.
2021-03-04 17:26:01 -08:00
Matt Moyer
f4fcb9bde6
Sort CredentialIssuer strategies in preferred order.
This updates our issuerconfig.UpdateStrategy to sort strategies according to a weighted preference.
The TokenCredentialRequest API strategy is preffered, followed by impersonation proxy, followed by any other unknown types.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-03 14:03:27 -06:00
Margo Crawford
0799a538dc change FromString to Parse so TargetPort parses correctly 2021-03-03 11:12:37 -08:00
Ryan Richard
333a3ab4c2 impersonator_config_test.go: Add another unit test 2021-03-03 09:37:08 -08:00
Ryan Richard
730092f39c impersonator_config.go: refactor to clean up cert name handling 2021-03-03 09:22:35 -08:00
Ryan Richard
d3599c541b Fill in the frontend field of CredentialIssuer status for impersonator 2021-03-02 16:52:23 -08:00
Ryan Richard
8bf03257f4 Add new impersonation-related constants to api types and run codegen 2021-03-02 15:28:13 -08:00
Ryan Richard
1ad2c38509 Impersonation controller updates CredentialIssuer on every call to Sync
- This commit does not include the updates that we plan to make to
  the `status.strategies[].frontend` field of the CredentialIssuer.
  That will come in a future commit.
2021-03-02 15:28:13 -08:00