Commit Graph

1300 Commits

Author SHA1 Message Date
Ryan Richard
288d9c999e Use custom suffix in Spec.Authenticator.APIGroup of TokenCredentialRequest
When the Pinniped server has been installed with the `api_group_suffix`
option, for example using `mysuffix.com`, then clients who would like to
submit a `TokenCredentialRequest` to the server should set the
`Spec.Authenticator.APIGroup` field as `authentication.concierge.mysuffix.com`.

This makes more sense from the client's point of view than using the
default `authentication.concierge.pinniped.dev` because
`authentication.concierge.mysuffix.com` is the name of the API group
that they can observe their cluster and `authentication.concierge.pinniped.dev`
does not exist as an API group on their cluster.

This commit includes both the client and server-side changes to make
this work, as well as integration test updates.

Co-authored-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 15:49:15 -08:00
Andrew Keesler
26922307ad prepare-for-integration-tests.sh: New cmdline option --api_group_suffix
Makes it easy to deploy Pinniped under a different API group for manual
testing and iterating on integration tests on your laptop.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-03 12:07:38 -08:00
Ryan Richard
5549a262b9 Rename client_test.go to concierge_client_test.go
Because it is a test of the conciergeclient package, and the naming
convention for integration test files is supervisor_*_test.go,
concierge_*_test.go, or cli_*_test.go to identify which component
the test is primarily covering.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 12:07:38 -08:00
Mo Khan
c5df66fbd5
Merge pull request #383 from enj/enj/i/avoid_scheme_double_register
Avoid double registering types in server scheme
2021-02-03 13:55:33 -05:00
Monis Khan
300d7bd99c
Drop duplicate logic for unversioned type registration
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Monis Khan
012bebd66e
Avoid double registering types in server scheme
This makes sure that if our clients ever send types with the wrong
group, the server will refuse to decode it.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Andrew Keesler
e1d06ce4d8
internal/mocks/mockroundtripper: we don't need these anymore
We thought we needed these to test the middleware, but we don't.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:55:38 -05:00
Andrew Keesler
52b98bdb87
Merge pull request #330 from enj/enj/f/better_middleware
Enhance middleware to allow multiple Pinnipeds
2021-02-03 08:53:00 -05:00
Andrew Keesler
62c117421a
internal/kubeclient: fix not found test and request body closing bug
- I realized that the hardcoded fakekubeapi 404 not found response was invalid,
  so we were getting a default error message. I fixed it so the tests follow a
  higher fidelity code path.
- I caved and added a test for making sure the request body was always closed,
  and believe it or not, we were double closing a body. I don't *think* this will
  matter in production, since client-go will pass us ioutil.NopReader()'s, but
  at least we know now.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:19:34 -05:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Andrew Keesler
93d25a349f
hack: fix docker most recent tag check
I think this stopped working when we starting using a specific registry in e0b94f47.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-02 18:01:07 -05:00
Andrew Keesler
93ebd0f949
internal/plog: add Enabled()
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-02 18:01:06 -05:00
Matt Moyer
74a8005f92
Merge pull request #376 from mattmoyer/add-csrftoken-test
Add some trivial unit tests to internal/oidc/csrftoken.
2021-02-02 11:02:39 -06:00
Matt Moyer
5b4e58f0b8
Add some trivial unit tests to internal/oidc/csrftoken.
This change is primarily to test that our test coverage reporting is working as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-02 09:38:17 -06:00
Matt Moyer
b871a02ca3
Merge pull request #375 from mattmoyer/test-coverage
Add Codecov configuration file.
2021-02-01 15:19:37 -06:00
Matt Moyer
6a20bbf607
Add Codecov configuration file.
This configures how our coverage reports are processed on https://codecov.io. See https://docs.codecov.io/docs/codecov-yaml for reference.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-01 14:28:38 -06:00
Ryan Richard
dfa4d639e6
Merge pull request #374 from microwavables/main
Updated the community meeting info with new zoom link and agenda notes
2021-01-29 14:15:17 -08:00
Nanci Lancaster
8b4024bf82 Updated the community meeting info with new zoom link and agenda notes
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-29 16:07:23 -06:00
Ryan Richard
d89c6546e7
Merge pull request #373 from microwavables/main
Updated text on community meetings and added YouTube link
2021-01-28 09:49:12 -08:00
Nanci Lancaster
2710591429 Updated text on community meetings and added YouTube link
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-28 11:22:44 -06:00
Matt Moyer
02815cfb26
Revert "Use GitHub's "latest" handling so this doesn't get out of sync."
This reverts commit 46ad41e813.

This turns out not to work, so we have to use a hardcoded version here.
2021-01-28 10:28:46 -06:00
Matt Moyer
3f7cb5d9f8
Merge pull request #372 from mattmoyer/fix-redirects-version
Fix get.pinniped.dev latest version redirects.
2021-01-28 10:26:51 -06:00
Matt Moyer
46ad41e813
Use GitHub's "latest" handling so this doesn't get out of sync.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:25:33 -06:00
Matt Moyer
d4eca3a82a
Fix get.pinniped.dev latest version redirects.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:23:48 -06:00
Matt Moyer
c03a088399
Merge pull request #370 from mattmoyer/cleanup-docs
Clean up docs using https://get.pinniped.dev redirects.
2021-01-28 10:17:46 -06:00
Matt Moyer
f81dda4eda
Add syntax highlighting CSS.
This was generated via `hugo gen chromastyles --style=monokailight > ./site/themes/pinniped/assets/scss/_syntax.css`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:15:39 -06:00
Matt Moyer
1ceef5874e
Clean up docs using https://get.pinniped.dev redirects.
We have these redirects set up to make the `kubectl apply -f [...]` commands cleaner, but we never went back and fixed up the documentation to use them until now.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:15:39 -06:00
Matt Moyer
1b224bc4f2
Merge pull request #369 from mattmoyer/cleanup-go-sum
Prune unused versions from go.sum.
2021-01-28 10:09:06 -06:00
Matt Moyer
530d6961c2
Prune unused versions from go.sum.
The broken github.com/oleiade/reflections v1.0.0 package was still causing problems with Dependabot.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 09:03:00 -06:00
Matt Moyer
fe500882ef
Merge pull request #365 from mattmoyer/upgrade-oleiade-reflections-dep
Upgrade github.com/oleiade/reflections to v1.0.1.
2021-01-27 15:56:49 -06:00
Matt Moyer
8358c26107
Upgrade github.com/oleiade/reflections to v1.0.1.
This project overwrote the v1.0.0 tag with a different commit ID, which has caused issues with the Go module sum DB (which accurately detected the issue).

This has been one of the reasons why Dependabot is not updating our Go dependencies.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-27 13:49:30 -06:00
Matt Moyer
ad9a187522
Merge pull request #335 from mattmoyer/optimize-dockerfile
Optimize image build using .dockerignore and BuildKit features.
2021-01-27 11:35:42 -06:00
Matt Moyer
8a41419b94
Optimize image build using .dockerignore and BuildKit features.
This optimizes our image in a few different ways:

- It adds a bunch of files and directories to the `.dockerignore` file.
  This lets us have a single `COPY . .` but still be very aggressive about pruning what files end up in the build context.

- It adds build-time cache mounts to the `go build` commands using BuildKit's `--mount=type=cache` flag.
  This requires BuildKit-capable Docker, but means that our Go builds can all be incremental builds.
  This replaces the previous flow we had where we needed to split out `go mod download`.

- Instead of letting the full `apt-get install ca-certificates` layer end up in our final image, we copy just the single file we need.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-27 10:42:56 -06:00
Ryan Richard
6ef7ec21cd Merge branch 'release-0.4' into main 2021-01-25 15:13:14 -08:00
Ryan Richard
b77297c68d Validate the upstream email_verified claim when it makes sense 2021-01-25 15:10:41 -08:00
Ryan Richard
df1d15ebd1
Merge pull request from GHSA-wp53-6256-whf9
This is a fake PR for testing - please ignore
2021-01-22 12:46:53 -08:00
Ryan Richard
b3732e8b6c Trivial change to a comment 2021-01-22 12:43:35 -08:00
Matt Moyer
7e887666ce
Merge pull request #349 from microwavables/main
Add Google Group for meetings
2021-01-21 15:15:01 -06:00
Nanci Lancaster
d6e6f51ced Add Google Group for meetings
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-21 14:57:14 -06:00
Matt Moyer
9e21de9c47
Merge pull request #347 from mattmoyer/upgrade-go-oidc-library
Upgrade to github.com/coreos/go-oidc v3.0.0.
2021-01-21 14:39:22 -06:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Matt Moyer
5821faec03
Merge pull request #342 from vmware-tanzu/pre-commit-fix
Remove pre-commit hooks file to de-duplicate from pre-commit-config
2021-01-21 12:02:11 -06:00
Matt Moyer
8bca244d59
Merge pull request #345 from vmware-tanzu/dependabot/docker/golang-1.15.7
Bump golang from 1.15.6 to 1.15.7
2021-01-21 11:31:06 -06:00
dependabot[bot]
79fa96cfbc
Bump golang from 1.15.6 to 1.15.7
Bumps golang from 1.15.6 to 1.15.7.

Signed-off-by: dependabot[bot] <support@github.com>
2021-01-21 13:56:04 +00:00
Ryan Richard
b5cbe018e3
Allow passing multiple redirect URIs to Dex
We need this in CI when we want to configure Dex with the redirect URI for both
primary and secondary deploys at one time (since we only stand up Dex once).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-20 17:06:50 -05:00
Andrew Keesler
33f4b671d1
Merge pull request #327 from ankeesler/reenable-max-inflight-checks
Restore max in flight check when updating to 0.19.5 #243
2021-01-19 18:29:38 -05:00
Andrew Keesler
50c3e4c00f
Merge branch 'main' into reenable-max-inflight-checks 2021-01-19 18:14:27 -05:00
Andrew Keesler
5486427d88
Merge pull request #344 from vmware-tanzu/wire-api-group-suffix
Wire api group suffix through YTT/server components/CLI/integration tests
2021-01-19 18:06:12 -05:00
Andrew Keesler
906bfa023c
test: wire API group suffix through to tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Andrew Keesler
1c3518e18a
cmd/pinniped: wire API group suffix through to client components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00