Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Andrew Keesler
b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 10:13:24 -05:00
Andrew Keesler
eb19980110
internal/concierge/impersonator: set user extra impersonation headers
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 09:26:47 -05:00
Andrew Keesler
c7905c6638
internal/concierge/impersonator: fail if impersonation headers set
...
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 08:15:50 -05:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
6512ab1351
internal/concierge/impersonator: don't care about namespace
...
Concierge APIs are no longer namespaced (see f015ad5852
).
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 17:11:59 -05:00
Ryan Richard
5cd60fa5f9
Move starting/stopping impersonation proxy server to a new controller
...
- Watch a configmap to read the configuration of the impersonation
proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
Those will come in future commits.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Ryan Richard
268ca5b7f6
Add config structs in impersonator package
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-09 13:44:19 -08:00
Andrew Keesler
8697488126
internal/concierge/impersonator: use kubeconfig from kubeclient
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 15:28:56 -05:00
Andrew Keesler
812f5084a1
internal/concierge/impersonator: don't mutate ServeHTTP() req
...
I added that test helper to create an http.Request since I wanted to properly
initialize the http.Request's context.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 13:25:32 -05:00
Matt Moyer
64aff7b983
Only log user ID, not user name/groups.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 09:31:30 -08:00
Margo Crawford
b6abb022f6
Add initial implementation of impersonation proxy.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-03 09:31:13 -08:00