Commit Graph

46 Commits

Author SHA1 Message Date
Ryan Richard
2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:32:50 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
8b7c30cfbd Supervisor listens for HTTPS on port 443 with configurable TLS certs
- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
2020-10-26 17:03:26 -07:00
Ryan Richard
397ec61e57 Specify the supervisor NodePort Service's port and nodePort separately
When using kind we forward the node's port to the host, so we only
really care about the `nodePort` value. For acceptance clusters,
we put an Ingress in front of a NodePort Service, so we only really
care about the `port` value.
2020-10-22 15:37:35 -07:00
Ryan Richard
8ae04605ca
Add comments for magic 31234 port
Also delete hack/lib/kind-config/multi-node.yaml since we don't think we will
use it...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-22 17:54:35 -04:00
Ryan Richard
94f20e57b1 Concierge controllers add labels to all created resources 2020-10-15 10:14:23 -07:00
Ryan Richard
84a0084703 Tilefile watches for changes in ytt templates
- When using `local()` in the Tiltfile it will not know
  to watch those files for changes, so each time we use
  `local()` we now also use `watch_file()`
- As a result, editing a ytt template file now causes
  an immediate `kubectl apply` of the results
2020-10-14 16:21:40 -07:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00
Ryan Richard
6b135b93cf Binding both kind workers to the same localhost port fails, so just bind one 2020-10-09 18:42:15 -07:00
Ryan Richard
354b922e48 Allow creation of different Service types in Supervisor ytt templates
- Tiltfile and prepare-for-integration-tests.sh both specify the
  NodePort Service using `--data-value-yaml 'service_nodeport_port=31234'`
- Also rename the namespaces used by the Concierge and Supervisor apps
  during integration tests running locally
2020-10-09 16:00:11 -07:00
Ryan Richard
34549b779b Make tilt work with the supervisor app and add more uninstall testing
- Also continue renaming things related to the concierge app
- Enhance the uninstall test to also test uninstalling the supervisor
  and local-user-authenticator apps
2020-10-09 14:25:34 -07:00
Ryan Richard
f5a6a0bb1e Move all three deployment dirs under a new top-level deploy/ dir 2020-10-09 10:00:22 -07:00
Andrew Keesler
20ce142f90
Merge remote-tracking branch 'upstream/main' into supervisor-with-discovery 2020-10-07 11:37:33 -04:00
Ryan Richard
ae56fcb46a Add integration test for the OIDC discovery endpoint
- Intended to be a red test in this commit; will make it go
  green in a future commit
- Enhance env.go and prepare-for-integration-tests.sh to make it
  possible to write integration tests for the supervisor app
  by setting more env vars and by exposing the service to the kind
  host on a localhost port
- Add `--clean` option to prepare-for-integration-tests.sh
  to make it easier to start fresh
- Make prepare-for-integration-tests.sh advise you to run
  `go test -v -count 1 ./test/integration` because this does
  not buffer the test output
- Make concierge_api_discovery_test.go pass by adding expectations
  for the new OIDCProviderConfig type
2020-10-06 17:53:29 -07:00
Matt Moyer
b0a4ae13c5
Add Tilt-based local dev workflow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-05 16:34:33 -05:00
Ryan Richard
0bfa351eb4 Do not append "-dirty" to the version number when the git repo is dirty
- Semver version numbers do not end with "-dirty"
- Continue to include the clean/dirty status of the repo in the
  `gitTreeState` field
2020-10-01 17:23:37 -07:00
Ryan Richard
d43744f8e9 Allow CI to embed version info at build time for CLI
- Prevent the server binary from lying about its version number
  by having it report "?.?.?" as its version number for now.
- Later we can devise a way for CI to inject the version number
  for the server into the container image at release time,
  not at build time, since the version number is not known
  at build time.
- Pre-release builds of the binary from before the release stage or
  builds on developer workstation will also report "?.?.?" as its
  version number, which is fine since they are not official releases
  and shouldn't find their way to the public.
2020-09-28 09:58:02 -07:00
Matt Moyer
ec3e4cae68
Upgrade client-go, et al from 1.19.0 to 1.19.2.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 09:21:10 -05:00
Matt Moyer
164f64a370
Add IdentityProvider field to TokenCredentialRequestSpec.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
78ac27c262
Remove deprecated "pinniped.dev" API group.
This has been replaced by the "login.pinniped.dev" group with a slightly different API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 17:32:15 -05:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
58bf93b10c
Add a new login.pinniped.dev API group with TokenCredentialRequest.
This is essentially meant to be be "v1alpha2" of the existing CredentialRequest API, but since we want to move API groups we can just start over at v1alpha1.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:22 -05:00
Andrew Keesler
f464e03380
Generate code against 1.17.11
We want to be able to run kind integration tests against the same
versions that we generate code against. There is no public
kindest/node image for 1.17.9, so let's update to the next 1.17.x
version where there is an image: 1.17.11.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-17 10:35:45 -04:00
Andrew Keesler
6c75de9334 Use public container images for codegen as as defaults when deploying
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-16 15:46:51 -07:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Matt Moyer
8e5912e4c2 Update precommit hook config to ignore generated files and fix whitespace.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-31 16:41:22 -05:00
Matt Moyer
2959b54e7b Generate CRD YAML using controller-tools, update doc strings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-31 16:38:48 -05:00
Matt Moyer
f49317d7e4
Add some generated API documentation. (#81)
Add some generated API documentation using https://github.com/elastic/crd-ref-docs which is now packaged in the codegen image.
2020-08-31 11:27:39 -05:00
Matt Moyer
9d9b56073c Update Kubernetes versions.
- Upgrade from `1.19.0-rc.0` to the newly-release `1.19.0`.

- Downgrade from `1.18.6` to `1.18.2` to match some downstream consumers.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 13:06:05 -05:00
Matt Moyer
cbd6dd3356 Use a symlink instead of directly mounting into GOPATH.
This supports CI better, where the original input dir isn't in GOPATH.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:58:52 -05:00
Matt Moyer
eb05e7a138 Reverse the order of this diff so it makes more sense.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:46:51 -05:00
Matt Moyer
1aef2f07d3 Add new ./apis directory and codegen scripts.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00
Ryan Richard
0a805861ea Fix bug in code generator which prevented it from generating code
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 12:30:50 -07:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
40d1360b74
hack/lib/codegen.sh: get rid of TODO about K8S_PKG_VERSION
See c43946c in the CI repo.
2020-08-18 13:18:41 -04:00
Andrew Keesler
e3397c1c35
Hide codegen.sh in hack/lib
We don't want people to run codegen.sh directly, because it is meant
to be driven by hack/module.sh. To discourage this behavior, we will hide
codegen.sh away in hack/lib. I don't think this is actually what the
hack/lib directory is for, though...meh.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-18 11:06:59 -04:00
Mo Khan
5fdc20886d
Initial aggregated API server (#15)
Add initial aggregated API server (squashed from a bunch of commits).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Aram Price <pricear@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 10:05:21 -05:00
Monis Khan
549da37805
Encode git version info into binary and user agent
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-20 00:32:11 -04:00