Commit Graph

2463 Commits

Author SHA1 Message Date
Ryan Richard
303b1f07d3 Fix mistake in previous commit 2021-10-22 14:06:31 -07:00
Ryan Richard
e0db59fd09 More small updates based on PR feedback 2021-10-22 10:23:21 -07:00
Ryan Richard
867853016f Merge branch 'main' into upstream_refresh 2021-10-22 09:23:52 -07:00
anjalitelang
be6c335bb8
Update ROADMAP.md
Minor changes
2021-10-21 10:16:54 -04:00
anjalitelang
b3a1dcd634
Update ROADMAP.md
Updated roadmap to reflect current focus of Pinniped project
2021-10-21 10:10:19 -04:00
Ryan Richard
dec43289f6 Lots of small updates based on PR feedback 2021-10-20 15:53:25 -07:00
Ryan Richard
7ec0304472 Add offline_access scope for integration tests when using Dex 2021-10-19 12:25:51 -07:00
Ryan Richard
d3ade82f3f Update docs 2021-10-19 09:48:40 -07:00
Ryan Richard
c43e019d3a Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters 2021-10-18 16:41:31 -07:00
Ryan Richard
d68bebeb49 Merge branch 'main' into upstream_refresh 2021-10-18 15:35:46 -07:00
Ryan Richard
c51d7c08b9 Add a comment that might be useful some day 2021-10-18 15:35:22 -07:00
Ryan Richard
ddb23bd2ed Add upstream refresh related config to OIDCIdentityProvider CRD
Also update related docs.
2021-10-14 15:49:44 -07:00
Ryan Richard
9e05d175a7 Add integration test: upstream refresh failure during downstream refresh 2021-10-13 15:12:19 -07:00
Ryan Richard
a34dae549b When performing an upstream refresh, use the configured http client
Otherwise, the CA and proxy settings will not be used for the call
to the upstream token endpoint while performing the refresh. This
mistake was exposed by the TestSupervisorLogin integration test, so
it has test coverage.
2021-10-13 14:05:00 -07:00
Ryan Richard
79ca1d7fb0 Perform an upstream refresh during downstream refresh for OIDC upstreams
- If the upstream refresh fails, then fail the downstream refresh
- If the upstream refresh returns an ID token, then validate it (we
  use its claims in the future, but not in this commit)
- If the upstream refresh returns a new refresh token, then save it
  into the user's session in storage
- Pass the provider cache into the token handler so it can use the
  cached providers to perform upstream refreshes
- Handle unexpected errors in the token handler where the user's session
  does not contain the expected data. These should not be possible
  in practice unless someone is manually editing the storage, but
  handle them anyway just to be safe.
- Refactor to share the refresh code between the CLI and the token
  endpoint by moving it into the UpstreamOIDCIdentityProviderI
  interface, since the token endpoint needed it to be part of that
  interface anyway
2021-10-13 12:31:20 -07:00
Mo Khan
bc6da55e96
Merge pull request #860 from vmware-tanzu/dependabot/docker/golang-1.17.2
Bump golang from 1.17.1 to 1.17.2
2021-10-11 13:23:37 -04:00
Margo Crawford
1bd346cbeb Require refresh tokens for upstream OIDC and save more session data
- Requiring refresh tokens to be returned from upstream OIDC idps
- Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication
- Don't pass access=offline all the time
2021-10-08 15:48:21 -07:00
dependabot[bot]
d1d954bb3b
Bump golang from 1.17.1 to 1.17.2
Bumps golang from 1.17.1 to 1.17.2.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-08 01:03:52 +00:00
Margo Crawford
43244b6599 Do not pass through downstream prompt param
- throw an error when prompt=none because the spec says we can't ignore
  it
- ignore the other prompt params

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-10-06 16:30:30 -07:00
Ryan Richard
c6f1d29538 Use PinnipedSession type instead of fosite's DefaultSesssion type
This will allow us to store custom data inside the fosite session
storage for all downstream OIDC sessions.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 15:28:13 -07:00
Margo Crawford
a2cafb251a
Merge pull request #857 from vmware-tanzu/impersonation-proxy-supported-clusters
Change description of impersonation proxy strategy in supported clusters
2021-10-06 11:40:24 -07:00
Margo Crawford
e0b62a46bb
Merge branch 'main' into impersonation-proxy-supported-clusters 2021-10-06 11:36:45 -07:00
Margo Crawford
4aa66b9667
Update site/content/docs/reference/supported-clusters.md
Co-authored-by: Mo Khan <i@monis.app>
2021-10-06 11:23:29 -07:00
Margo Crawford
11797db866 Change description of impersonation proxy strategy in supported clusters.
This was wrong, since you don't need a LoadBalancer to run the
impersonation proxy if you specify spec.service.type = "None" or
"ClusterIP" on the CredentialIssuer.
2021-10-06 11:08:17 -07:00
Mo Khan
c2c966b761
Merge pull request #856 from enj/enj/i/impersonation_proxy_signer_expiration
Do not rotate impersonation proxy signer CA unless necessary
2021-10-06 13:51:52 -04:00
Monis Khan
4bf715758f
Do not rotate impersonation proxy signer CA unless necessary
This change fixes a copy paste error that led to the impersonation
proxy signer CA being rotated based on the configuration of the
rotation of the aggregated API serving certificate.  This would lead
to occasional "Unauthorized" flakes in our CI environments that
rotate the serving certificate at a frequent interval.

Updated the certs_expirer controller logs to be more detailed.

Updated CA common names to be more specific (this does not update
any previously generated CAs).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-06 12:03:49 -04:00
anjalitelang
946419fc18
Update ROADMAP.md
Updated Roadmap to reflect the work on Supervisor token refresh for OIDC and LDAP/AD. Also changed ordering on Multiple IDP Support as we are seeing more user interest for this feature.
2021-10-05 19:31:33 -04:00
Mo Khan
2b9a869633
Merge pull request #851 from vmware-tanzu/dependabot/docker/distroless/static-7cb5539
Bump distroless/static from `be5d77c` to `7cb5539`
2021-10-01 08:26:29 -04:00
dependabot[bot]
19cecc3235
Bump distroless/static from be5d77c to 7cb5539
Bumps distroless/static from `be5d77c` to `7cb5539`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-30 17:09:57 +00:00
Mo Khan
6e41c10584
Merge pull request #854 from enj/enj/i/do_not_truncate_x509
Do not truncate x509 errors
2021-09-30 12:44:19 -04:00
Monis Khan
266d64f7d1
Do not truncate x509 errors
Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-29 09:38:22 -04:00
Mo Khan
725b35196f
Merge pull request #853 from enj/enj/i/oidc_log_claims
upstreamoidc: log claim keys at debug level
2021-09-28 20:11:05 -04:00
Monis Khan
03bbc54023
upstreamoidc: log claim keys at debug level
At debug level:

upstreamoidc.go:213] "claims from ID token and userinfo"
providerName="oidc"
keys=[at_hash aud email email_verified exp iat iss sub]

At all level:

upstreamoidc.go:207] "claims from ID token and userinfo"
providerName="oidc"
claims="{\"at_hash\":\"C55S-BgnHTmr2_TNf...hYmVhYWESBWxvY2Fs\"}"

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-28 12:58:00 -04:00
Mo Khan
ad8610fa03
Merge pull request #852 from enj/enj/i/user_info_cleanup
upstreamoidc: directly detect user info support
2021-09-28 12:56:26 -04:00
Monis Khan
e86488615a
upstreamoidc: directly detect user info support
Avoid reliance on an error string from the Core OS OIDC lib.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-28 11:29:38 -04:00
Mo Khan
ee0e2402b1
Merge pull request #845 from vmware-tanzu/crd_printcolumns
Update the AdditionalPrinterColumns of the CRDs, and add a test for it
2021-09-21 23:19:07 -04:00
Ryan Richard
ddf5e566b0 Update a comment 2021-09-21 14:07:08 -07:00
Ryan Richard
bb08e7635b Merge branch 'main' into crd_printcolumns 2021-09-21 14:05:30 -07:00
Mo Khan
3bde085c57
Merge pull request #846 from enj/enj/i/faster_kube_cert
kubecertagent: attempt to load signer as long as agent labels match
2021-09-21 17:03:23 -04:00
Monis Khan
0d6bf9db3e
kubecertagent: attempt to load signer as long as agent labels match
This change updates the kube cert agent to a middle ground behavior
that balances leader election gating with how quickly we load the
signer.

If the agent labels have not changed, we will attempt to load the
signer even if we cannot roll out the latest version of the kube
cert agent deployment.

This gives us the best behavior - we do not have controllers
fighting over the state of the deployment and we still get the
signer loaded quickly.

We will have a minute of downtime when the kube cert agent deployment
changes because the new pods will have to wait to become a leader
and for the new deployment to rollout the new pods.  We would need
to have a per pod deployment if we want to avoid that downtime (but
this would come at the cost of startup time and would require
coordination with the kubelet in regards to pod readiness).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-21 16:20:56 -04:00
Ryan Richard
f700246bfa Allow focused integration tests to be run from the GoLand UI again
This was broken recently by the improvements in #808.
2021-09-21 12:04:45 -07:00
Ryan Richard
fca183b203 Show DefaultStrategy as a new printer column for CredentialIssuer 2021-09-21 12:01:30 -07:00
Ryan Richard
1b2a116518 Merge branch 'main' into crd_printcolumns 2021-09-21 09:36:46 -07:00
Mo Khan
9851035e40
Merge pull request #847 from enj/enj/i/tcr_log
token credential request: fix trace log kind
2021-09-21 12:36:16 -04:00
Mo Khan
aa5ff162b4
Merge pull request #849 from enj/enj/i/clock_skew
certauthority: tolerate larger clock skew between API server and pinniped
2021-09-21 12:18:49 -04:00
Mo Khan
933697f045
Merge pull request #848 from vmware-tanzu/tests_use_certificatesv1
Tests use CertificatesV1 when available, otherwise use CertificatesV1beta1
2021-09-21 12:13:22 -04:00
Monis Khan
91c8f747f4
certauthority: tolerate larger clock skew between API server and pinniped
This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager.  This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods.  While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits.  When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-21 09:32:24 -04:00
Ryan Richard
4e98c1bbdb Tests use CertificatesV1 when available, otherwise use CertificatesV1beta1
CertificatesV1beta1 was removed in Kube 1.22, so the tests cannot
blindly rely on it anymore. Use CertificatesV1 whenever the server
reports that is available, and otherwise use the old
CertificatesV1beta1.

Note that CertificatesV1 was introduced in Kube 1.19.
2021-09-20 17:14:58 -07:00
Ryan Richard
0a31f45812 Update the AdditionalPrinterColumns of the CRDs, and add a test for it 2021-09-20 12:47:39 -07:00
Monis Khan
e65817ad5b
token credential request: fix trace log kind
Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-20 15:34:05 -04:00