Ryan Richard
246471bc91
Also run OIDC validations in supervisor authorize endpoint
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-06 14:44:58 -08:00
Andrew Keesler
4032ed32ae
Auth endpoint integration test initial thoughts
...
This is awaiting the new upstream OIDC provider CRD in order
to pass, however hopefully this is a starting point for us.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-05 11:00:05 -05:00
Ryan Richard
33ce79f89d
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-04 17:06:47 -08:00
Andrew Keesler
a36f7c6c07
Test that the port of localhost redirect URI is ignored during validation
...
Also move definition of our oauth client and the general fosite
configuration to a helper so we can use the same config to construct
the handler for both test and production code.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 15:04:50 -08:00
Ryan Richard
ba688f56aa
Supervisor authorize endpoint errors when PKCE code_challenge_method is invalid
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 12:29:43 -08:00
Andrew Keesler
2564d1be42
Supervisor authorize endpoint errors when missing PKCE params
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-04 12:19:07 -08:00
Ryan Richard
0045ce4286
Refactor auth_handler_test.go's creation of paths and urls to use helpers
2020-11-04 09:58:40 -08:00
Ryan Richard
8a7e22e63e
@ankeesler: Maybe, but not this time ;)
2020-11-04 08:43:45 -08:00
Andrew Keesler
9e4ffd1cce
One of these days I will get here.Doc() spacing correct
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:29:33 -05:00
Andrew Keesler
6fe455c687
auth_handler.go: comment out currently unused fosite wiring
...
See e8f4336
for why this is here in the first place.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:20:03 -05:00
Andrew Keesler
d8c8f04860
auth_handler.go: write some more negative tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 11:12:26 -05:00
Andrew Keesler
e8f433643f
auth_handler.go: only inject oauth store into handler
...
Previously we were injecting the whole oauth handler chain into this function,
which meant we were essentially writing unit tests to test our tests. Let's push
some of this logic into the source code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:35:26 -05:00
Andrew Keesler
4f95e6a372
auth_handler.go: add test for invalid downstream redirect uri
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:30:53 -05:00
Andrew Keesler
259ffb5267
Checkpoint: write a single negative test using fosite
...
Bringing in fosite to our go.mod introduced those other go.mod changes.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-04 10:15:19 -05:00
Andrew Keesler
aab0fd644f
Merge remote-tracking branch 'upstream/main' into authorize_endpoint
2020-11-04 10:14:54 -05:00
Andrew Keesler
e7a817e67a
Merge pull request #186 from ankeesler/bump-jose
...
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1
2020-11-04 10:14:32 -05:00
Andrew Keesler
0bbf55e46f
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1
...
We were behind for some reason. Probably makes sense to bump to
latest version to get bug fixes and such.
2020-11-04 09:55:18 -05:00
Ryan Richard
c34e5a727d
Starting the implementation of an OIDC authorization endpoint handler
...
Does not validate incoming request parameters yet. Also is not
served on the http/https ports yet. Those will come in future commits.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-03 16:17:38 -08:00
Andrew Keesler
0d8477ea8a
Add a type for in-memory caching of upstream OIDC Identity Providers
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 12:06:07 -08:00
Ryan Richard
1223cf7877
Merge pull request #154 from vmware-tanzu/change_release_static_yaml_names
...
Rename static yaml files in release process
2020-11-02 17:09:11 -08:00
Ryan Richard
036845deee
Merge pull request #184 from vmware-tanzu/bump_golang_and_slim
...
Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim
2020-11-02 17:08:48 -08:00
Matt Moyer
c451604816
Merge pull request #182 from mattmoyer/more-renames
...
Rename more APIs before we cut a release with longer-term API compatibility
2020-11-02 18:34:26 -06:00
Ryan Richard
05cf56a0fa
Merge pull request #180 from vmware-tanzu/limits
...
Add CPU/memory limits to our deployments
2020-11-02 16:22:37 -08:00
Ryan Richard
5a0e7fd358
Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim
2020-11-02 16:17:15 -08:00
Matt Moyer
2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 18:15:03 -06:00
Ryan Richard
05233963fb
Add CPU requests and limits to the Concierge and Supervisor deployments
2020-11-02 15:47:20 -08:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Matt Moyer
b13a8075e4
Merge pull request #183 from vmware-tanzu/non-root
...
Run as non-root
2020-11-02 17:39:14 -06:00
Ryan Richard
d596f8c3e5
Empty commit to trigger CI
2020-11-02 15:18:39 -08:00
Ryan Richard
75c35e74cc
Refactor and add unit tests for previous commit to run agent pod as root
2020-11-02 15:03:37 -08:00
Matt Moyer
e4f4cd7ca0
Merge pull request #181 from mattmoyer/add-psp-cluster-role-permission
...
Give the concierge access to use any PodSecurityPolicy.
2020-11-02 15:35:56 -06:00
Ryan Richard
a01921012d
kubecertagent: explicitly run as root
...
We need root here because the files that this pod reads are
most likely restricted to root access.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:33:46 -05:00
Ryan Richard
2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:32:50 -05:00
Matt Moyer
935577f8e7
Give the concierge access to use any PodSecurityPolicy.
...
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.
This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 15:10:00 -06:00
Ryan Richard
781f86d18c
deploy: add memory limits
...
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.
The limits == requests for "Guaranteed" QoS.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 14:57:39 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
...
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Andrew Keesler
7639d5e161
Merge pull request #178 from ankeesler/test-cleanup
...
test/integration: protect from NPE and follow doc conventions
2020-11-02 12:22:34 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling
...
Handle custom labels better in the agent pod controllers
2020-11-02 09:08:42 -08:00
Andrew Keesler
fb3c5749e8
test/integration: protect from NPE and follow doc conventions
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 11:51:02 -05:00
Ryan Richard
7597b12a51
Small unit test changes for deleter_test.go
2020-11-02 08:40:39 -08:00
Matt Moyer
5bbfc35d27
Merge pull request #175 from mattmoyer/split-config-apis
...
Split the config CRDs into two API groups.
2020-10-30 19:42:03 -05:00
Ryan Richard
f76b9857da
Don't use custom labels when selecting an agent pod
...
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Ryan Richard
01f4fdb5c3
Remove namespace from a ClusterRoleBinding, which are not namespaced
2020-10-30 16:10:04 -07:00
Andrew Keesler
a5379c08e2
Whitespace-only change in two files
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-30 15:18:40 -07:00
Matt Moyer
ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp
...
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
2020-10-30 15:50:39 -05:00
Ryan Richard
4b7592feaf
Skip a part of an integration test which is not so easy with real Ingress
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-30 13:19:34 -07:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00