Commit Graph

73 Commits

Author SHA1 Message Date
Andrew Keesler
0f8437bc3a
Integration tests are passing ayooooooooooooooo 2020-09-23 12:47:04 -04:00
Andrew Keesler
db9a97721f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy 2020-09-22 11:54:47 -04:00
Andrew Keesler
1a4f9e3466
kubecertagent: get integration tests passing again
Note: the non-kubecertagent integration tests are still failing :).
2020-09-22 11:38:13 -04:00
Matt Moyer
9beb3855b5
Create webhooks per-test and explicitly in demo.md instead of with ytt in ./deploy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Andrew Keesler
e18b6fdddc
deploy: add kube-cert-agent deployment knobs 2020-09-21 14:16:32 -04:00
Ryan Richard
6989e5da63 Merge branch 'main' into rename_stuff 2020-09-18 16:39:58 -07:00
Ryan Richard
80a520390b Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Matt Moyer
78ac27c262
Remove deprecated "pinniped.dev" API group.
This has been replaced by the "login.pinniped.dev" group with a slightly different API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 17:32:15 -05:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Ryan Richard
eabe51c446 local-user-authenticator can be deployed from a private registry image
- Also add more comment to the values.yaml files to make the options
  more clear
2020-09-17 16:07:31 -07:00
Matt Moyer
10793ac11f
Allow anonymous access to TokenCredentialRequests.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Matt Moyer
7ce760a5dd
Register a second APIService for the login.pinniped.dev.
This is handled by a second instance of the APIServiceUpdaterController.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Andrew Keesler
6c75de9334 Use public container images for codegen as as defaults when deploying
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-16 15:46:51 -07:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
db98f2810f
Merge pull request #98 from suzerain-io/get_kubeconfig_cli
Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
2020-09-15 13:34:14 -07:00
Ryan Richard
cecd691a84 Add demo instructions
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 12:10:20 -07:00
Matt Moyer
2bdbac3e15
Move the ytt webhook config out into the CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
5b9f2ec9fc
Give our controller access to all our CRD types.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Ryan Richard
b7bdb7f3b1 Rename test-webhook to local-user-authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:20:02 -07:00
Andrew Keesler
89d01b84f8
deploy/README.md: fix markdown link to test webhook README.md
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 09:33:46 -04:00
Ryan Richard
2565f67824 Create a deployment for test-webhook
- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
2020-09-09 19:06:39 -07:00
Matt Moyer
b0315e5e9f Add a ytt template value for replica count.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-08 11:36:32 -05:00
Andrew Keesler
f8f16fadb9
Merge pull request #69 from ankeesler/pod-anti-affinity
Add pod anti-affinity to make our HA deployment more HA
2020-09-08 11:01:55 -04:00
Andrew Keesler
1415fcc6dc
Add pod anti-affinity to make our HA deployment more HA
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-08 10:08:34 -04:00
Matt Moyer
2959b54e7b Generate CRD YAML using controller-tools, update doc strings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-31 16:38:48 -05:00
Ryan Richard
f0c400235a
Add memory request to pinniped deployment
- We are not setting an upper limit because Kubernetes might randomly
  decide to unschedule our pod in ways that we can't anticipate in
  advance, causing very hard to reproduce production bugs.
- We noticed that our app currently uses ~30 MB of memory when idle,
  and ~35 MB of memory under some load. So a memory request of 128
  MB should be reasonable.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-28 15:19:16 -04:00
Ryan Richard
1375df185d Doc updates 2020-08-27 10:14:03 -07:00
Andrew Keesler
7502190135
Fix some copy issues in the docs 2020-08-27 08:39:57 -04:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Ryan Richard
6d43d7ba19 Update the schema of CredentialIssuerConfig
- Move the current info from spec to status
- Add schema for new stuff that we will use in a future commit to status
- Regenerate the generated code
2020-08-21 17:00:42 -07:00
Ryan Richard
ace01c86de Rename PinnipedDiscoveryInfo to CredentialIssuerConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 16:16:34 -07:00
Andrew Keesler
2b297c28d5
Get rid of TODO that was completed in ecde8fa8
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 10:38:28 -04:00
Ryan Richard
88f3b41e71
deploy: add API cert config map values
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 17:14:16 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
6b90dc8bb7
Auto-rotate serving certificate
The rotation is forced by a new controller that deletes the serving cert
secret, as other controllers will see this deletion and ensure that a new
serving cert is created.

Note that the integration tests now have an addition worst case runtime of
60 seconds. This is because of the way that the aggregated API server code
reloads certificates. We will fix this in a future story. Then, the
integration tests should hopefully get much faster.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:03:36 -04:00
Matt Moyer
1b9a70d089
Switch back to an exec-based approach to grab the controller-manager CA. (#65)
This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 13:21:07 -05:00
Ryan Richard
003aef75d2 For liveness and readiness, succeed quickly and fail slowly
- No reason to wait a long time before the first check, since our
  app should start quickly
2020-08-18 09:18:51 -07:00
Ryan Richard
ecde8fa8af Implement basic liveness and readiness probes
- Call the auto-generated /healthz endpoint of our aggregated API server
- Use http for liveness even though tcp seems like it might be
  more appropriate, because tcp probes cause TLS handshake errors
  to appear in our logs every few seconds
- Use conservative timeouts and retries on the liveness probe to avoid
  having our container get restarted when it is temporarily slow due
  to running in an environment under resource pressure
- Use less conservative timeouts and retries for the readiness probe
  to remove an unhealthy pod from the service less conservatively than
  restarting the container
- Tuning the settings for retries and timeouts seem to be a mysterious
  art, so these are just a first draft
2020-08-17 16:44:42 -07:00
Ryan Richard
29654c39a5 Update a CRD validation
- Allow both http and https because a user using `kubectl proxy` would
  want to use http, since the proxy upgrades requests from http to https
2020-08-17 16:29:21 -07:00
Matt Moyer
769ef71db7
Merge pull request #58 from ankeesler/api-review-updates
Update API for pre-release
2020-08-17 15:52:52 -05:00
Matt Moyer
787cf47c39 Standardize whitespace/newlines for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:49 -05:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00
Ryan Richard
b6c468117e Set the type on the image pull Secret
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-13 13:34:23 -07:00
Matt Moyer
1b23e31464
Merge pull request #55 from mattmoyer/switch-to-debian-base
Switch to debian base images.
2020-08-13 13:56:11 -05:00
Matt Moyer
c02b6fee8f Switch to Debian base images.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-13 13:35:42 -05:00
Ryan Richard
87eddf8bbd Add image pull secret as a data value for our ytt templates
Signed-off-by: Aram Price <pricear@vmware.com>
2020-08-12 17:02:43 -07:00
Ryan Richard
4cb0fd3949 Use a DaemonSet instead of a Deployment to deploy our app
- For high availability reasons, we would like our app to scale linearly
  with the size of the control plane. Using a DaemonSet allows us to run
  one pod on each node-role.kubernetes.io/master node.
- The hope is that the Service that we create should load balance
  between these pods appropriately.
2020-08-11 17:55:34 -07:00
Ryan Richard
86c3f89b2e First draft of moving API server TLS cert generation to controllers
- Refactors the existing cert generation code into controllers
  which read and write a Secret containing the certs
- Does not add any new functionality yet, e.g. no new handling
  for cert expiration, and no leader election to allow for
  multiple servers running simultaneously
- This commit also doesn't add new tests for the cert generation
  code, but it should be more unit testable now as controllers
2020-08-09 10:04:05 -07:00
Ryan Richard
08961919b5 Fix a garbage collection bug
- Previously the golang code would create a Service and an APIService.
  The APIService would be given an owner reference which pointed to
  the namespace in which the app was installed.
- This prevented the app from being uninstalled. The namespace would
  refuse to delete, so `kapp delete` or `kubectl delete` would fail.
- The new approach is to statically define the Service and an APIService
  in the deployment.yaml, except for the caBundle of the APIService.
  Then the golang code will perform an update to add the caBundle at
  runtime.
- When the user uses `kapp deploy` or `kubectl apply` either tool will
  notice that the caBundle is not declared in the yaml and will
  therefore avoid editing that field.
- When the user uses `kapp delete` or `kubectl delete` either tool will
  destroy the objects because they are statically declared with names
  in the yaml, just like all of the other objects. There are no
  ownerReferences used, so nothing should prevent the namespace from
  being deleted.
- This approach also allows us to have less golang code to maintain.
- In the future, if our golang controllers want to dynamically add
  an Ingress or other objects, they can still do that. An Ingress
  would point to our statically defined Service as its backend.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-04 16:46:27 -07:00