Commit Graph

423 Commits

Author SHA1 Message Date
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a Merge branch 'main' into initial_ldap 2021-04-27 10:12:43 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.

This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Monis Khan
73716f1b91
Ignore client-side throttling in kubectl stderr
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:47 -04:00
Monis Khan
521adffb17
impersonation proxy: add nested impersonation support
This change updates the impersonator logic to use the delegated
authorizer for all non-rest verbs such as impersonate.  This allows
it to correctly perform authorization checks for incoming requests
that set impersonation headers while not performing unnecessary
checks that are already handled by KAS.

The audit layer is enabled to track the original user who made the
request.  This information is then included in a reserved extra
field original-user-info.impersonation-proxy.concierge.pinniped.dev
as a JSON blob.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:46 -04:00
Ryan Richard
e9d5743845 Add authentication dry run validation to LDAPIdentityProvider
Also force the LDAP server pod to restart whenever the LDIF file
changes, so whenever you redeploy the tools deployment with a new test
user password the server will be updated.
2021-04-16 14:04:05 -07:00
Ryan Richard
e6e6497022 Introduce upstreamldap.New to prevent changes to the underlying config
Makes it easier to support using the same upstreamldap.Provider from
multiple goroutines safely.
2021-04-15 10:25:35 -07:00
Ryan Richard
5c28d36c9b Redact some params of URLs in logs to avoid printing sensitive info 2021-04-15 07:59:38 -07:00
Ryan Richard
939b6b12cc ldap_client_test.go: refactor to use the LDAP server on the K8s cluster 2021-04-14 17:49:40 -07:00
Ryan Richard
8d75825635 Merge branch 'main' into initial_ldap 2021-04-14 17:47:26 -07:00
Ryan Richard
a6e1a949d2 ldap_client_test.go: mark as integration test so units skip it 2021-04-14 08:12:15 -07:00
Ryan Richard
47b66ceaa7 Passing integration test for LDAP login! 🚀 2021-04-13 18:11:16 -07:00
Ryan Richard
51263a0f07 Return unauthenticated instead of error for bad username or password
- Bad usernames and passwords aren't really errors, since they are
  based on end-user input.
- Other kinds of authentication failures are caused by bad configuration
  so still treat those as errors.
- Empty usernames and passwords are already prevented by our endpoint
  handler, but just to be safe make sure they cause errors inside the
  authenticator too.
2021-04-13 16:22:13 -07:00
Ryan Richard
fec3d92f26 Add integration test for upstreamldap.Provider
- The unit tests for upstreamldap.Provider need to mock the LDAP server,
  so add an integration test which allows us to get fast feedback for
  this code against a real LDAP server.
- Automatically wrap the user search filter in parenthesis if it is not
  already wrapped in parens.
- More special handling for using "dn" as the username or UID attribute
  name.
- Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 15:23:14 -07:00
Matt Moyer
b59a4f3fec
Use a temporary directory for credential cache in CLI tests.
This avoids polluting the main cache directory on developer machines.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 18:14:21 -05:00
Ryan Richard
1f5978aa1a Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 16:12:13 -07:00
Ryan Richard
1c55c857f4 Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin
- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 12:56:09 -07:00
Ryan Richard
2b6859b161
Add stub LDAP API type and integration test
The goal here was to start on an integration test to get us closer to the red
test that we want so we can start working on LDAP.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 13:10:01 -04:00
Ryan Richard
9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
d4baeff94e
Merge pull request #534 from mattmoyer/deflake-categories-test-rate-limiting
Deflake TestGetPinnipedCategory.
2021-03-30 13:46:55 -07:00
Matt Moyer
4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS).
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.

The fix is to retry this step for up to 5 minutes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:48:53 -05:00
Matt Moyer
f02b39b80f
Deflake TestGetPinnipedCategory.
This test could fail when the cluster was under heavy load. This could cause kubectl to emit "Throttling request took [...]" logs that triggered a failure in the test.

The fix is to ignore these innocuous warnings.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:38:33 -05:00
Margo Crawford
d8baa43903 Add new non-idle timeout integration test for impersonation proxy
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-29 09:30:51 -07:00
Matt Moyer
391202c253
Merge pull request #517 from mattmoyer/deflake-supervisor-oidc-discovery-test
Tweak some assertions in TestSupervisorOIDCDiscovery.
2021-03-29 07:35:58 -07:00
Ryan Richard
95bb4c4be5 Fix concierge_impersonation_proxy_test.go on AKS
Also send the correct instance of `t` into a helper function which
makes assertions.
2021-03-26 19:32:46 -07:00
Matt Moyer
defad3cdd7
Remove library.DumpLogs test helper.
We had this code that printed out pod logs when certain tests failed, but it is a bit cumbersome. We're removing it because we added a CI task that exports all pod logs after every CI run, which accomplishes the same thing and provides us a bunch more data.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:43:02 -05:00
Matt Moyer
c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:28:33 -05:00
Ryan Richard
3359311228 concierge_impersonation_proxy_test.go: fix typo in previous commit 2021-03-26 09:49:49 -07:00
Ryan Richard
7e16619146 concierge_impersonation_proxy_test.go: handle TKGS test clusters
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
2021-03-26 09:28:42 -07:00
Margo Crawford
b6e217e13a Hardcode type "webhook" in concierge_impersonation_proxy_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 17:19:47 -07:00
Margo Crawford
6f2882b831 Explicitly set the correct authenticator for impersonator test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 16:57:37 -07:00
Matt Moyer
c0d32f10b2
Add some test debug logging when running the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 12:07:34 -05:00
Matt Moyer
9501168265
Simplify TestCLIGetKubeconfigStaticToken now that there's only a single table case.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 10:26:04 -05:00
Margo Crawford
d90398815b Nothing in parallel in the impersonation proxy integration test 2021-03-22 10:48:09 -07:00
Margo Crawford
7683a98792 Unparallelize run all the verbs and port-forward tests 2021-03-22 09:45:51 -07:00
Margo Crawford
d7e9568137 Unparallelize a couple 2021-03-22 09:43:40 -07:00
Matt Moyer
5e95c25d4f
Tweak some assertions in TestSupervisorOIDCDiscovery.
We've seen some test flakes caused by this test. Some small changes:

- Use a 30s timeout for each iteration of the test loop (so each iteration needs to check or fail more quickly).
- Log a bit more during the checks so we can diagnose what's going on.
- Increase the overall timeout from one minute to five minutes

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-22 11:33:02 -05:00
Ryan Richard
3e50b4e129 Add -sS to the curl command in concierge_impersonation_proxy_test.go 2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56 Edit some comments in concierge_impersonation_proxy_test.go 2021-03-19 13:19:17 -07:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
Maybe this will cut down on flakes we see in CI?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00