Commit Graph

134 Commits

Author SHA1 Message Date
Ryan Richard
0089540b07 Extract Supervisor IDP discovery endpoint string constants into apis pkg 2021-08-17 17:50:02 -07:00
Ryan Richard
96474b3d99 Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 15:23:03 -07:00
Ryan Richard
964d16110e Some refactors based on PR feedback from @enj 2021-08-17 13:14:09 -07:00
Ryan Richard
84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
2021-08-12 10:45:39 -07:00
Margo Crawford
00978c15f7 Update wording for ActiveDirectoryIdentityProvider crd 2021-07-23 13:01:41 -07:00
Margo Crawford
8fb35c6569 Active Directory cli options 2021-07-23 13:01:40 -07:00
Margo Crawford
b06de69f6a ActiveDirectoryIdentityProvider
- Create CRD
- Create implementation of AD-specific user search defaults
2021-07-23 13:01:40 -07:00
Matt Moyer
ff9095f9c4
Fix typo in generated API docs (s/mode/type/).
This CredentialIssuer field is called `spec.impersonationProxy.service.type`, not `spec.impersonationProxy.service.mode`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 11:28:02 -05:00
Ryan Richard
cedbe82bbb Default groupSearch.attributes.groupName to "dn" instead of "cn"
- DNs are more unique than CNs, so it feels like a safer default
2021-05-28 13:27:11 -07:00
Matt Moyer
fabc08b01b
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-24 15:49:13 -05:00
Matt Moyer
fd9d9b8c73
Stop generating zz_generated.openapi.go files.
It turns out we no longer need these and can skip this bit of code generation.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-21 11:16:59 -05:00
Matt Moyer
13372a43e6
Update generated code from previous commit. 2021-05-19 11:41:35 -05:00
Matt Moyer
e885114221
Add generated code from adding spec fields to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
4a456446ff
Update doc comments for types_credentialissuer.go.tmpl.
Update to follow https://golang.org/doc/effective_go#commentary:

> The first sentence should be a one-sentence summary that starts with the name being declared.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
e9d5743845 Add authentication dry run validation to LDAPIdentityProvider
Also force the LDAP server pod to restart whenever the LDIF file
changes, so whenever you redeploy the tools deployment with a new test
user password the server will be updated.
2021-04-16 14:04:05 -07:00
Ryan Richard
fec3d92f26 Add integration test for upstreamldap.Provider
- The unit tests for upstreamldap.Provider need to mock the LDAP server,
  so add an integration test which allows us to get fast feedback for
  this code against a real LDAP server.
- Automatically wrap the user search filter in parenthesis if it is not
  already wrapped in parens.
- More special handling for using "dn" as the username or UID attribute
  name.
- Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 15:23:14 -07:00
Ryan Richard
25c1f0d523 Add Conditions to LDAPIdentityProvider's Status and start to fill them
- The ldap_upstream_watcher.go controller validates the bind secret and
  uses the Conditions to report errors. Shares some condition reporting
  logic with its sibling controller oidc_upstream_watcher.go, to the
  extent which is convenient without generics in golang.
2021-04-12 13:53:21 -07:00
Ryan Richard
1c55c857f4 Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin
- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 12:56:09 -07:00
Ryan Richard
2b6859b161
Add stub LDAP API type and integration test
The goal here was to start on an integration test to get us closer to the red
test that we want so we can start working on LDAP.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 13:10:01 -04:00
Matt Moyer
077aa8a42e
Fix a copy-paste typo in the ImpersonationProxyInfo JSON field name.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-12 13:24:05 -06:00
Ryan Richard
f0fc84c922 Add new allowed values to field validations on CredentialIssuer
The new values are used by the impersonation proxy's status.
2021-03-03 12:53:41 -08:00
Ryan Richard
454f35ccd6 Edit a comment on a type and run codegen 2021-03-02 16:52:23 -08:00
Ryan Richard
8bf03257f4 Add new impersonation-related constants to api types and run codegen 2021-03-02 15:28:13 -08:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Matt Moyer
7174f857d8
Add generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Matt Moyer
7be8927d5e
Add generated code for new CredentialIssuer API fields.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 10:47:06 -06:00
Monis Khan
aa22047a0f
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:42 -05:00
Andrew Keesler
c8b1f00107
generated: include 2021 in copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 10:52:01 -05:00
Monis Khan
96cec59236
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
dd3d1c8b1b
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
741b8fe88d
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
d2480e6300
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Ryan Richard
dcb19150fc Nest claim configs one level deeper in JWTAuthenticatorSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-16 09:42:19 -08:00
Matt Moyer
404ff93102
Fix documentation comment for the UpstreamOIDCProvider's spec.client.secretName type.
The value is correctly validated as `secrets.pinniped.dev/oidc-client` elsewhere, only this comment was wrong.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 21:52:07 -06:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Ryan Richard
0e60c93cef Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-15 10:36:19 -08:00
Andrew Keesler
2e784e006c
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 13:24:33 -05:00
Andrew Keesler
50f9b434e7
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status
I saw this message in our CI logs, which led me to this fix.
  could not update status: OIDCProvider.config.supervisor.pinniped.dev "acceptance-provider" is invalid: status.status: Unsupported value: "SameIssuerHostMustUseSameSecret": supported values: "Success", "Duplicate", "Invalid"

Also - correct an integration test error message that was misleading.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:53 -05:00
Andrew Keesler
82ae98d9d0
Set secret names on OIDCProvider status field
We believe this API is more forwards compatible with future secrets management
use cases. The implementation is a cry for help, but I was trying to follow the
previously established pattern of encapsulating the secret generation
functionality to a single group of packages.

This commit makes a breaking change to the current OIDCProvider API, but that
OIDCProvider API was added after the latest release, so it is technically still
in development until we release, and therefore we can continue to thrash on it.

I also took this opportunity to make some things private that didn't need to be
public.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 09:13:01 -05:00
Andrew Keesler
946b0539d2
Add JWTAuthenticator API type
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Matt Moyer
7520dadbdd
Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field.
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-18 17:14:35 -06:00
Matt Moyer
e867fb82b9
Add spec.tls field to UpstreamOIDCProvider API.
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 15:28:37 -06:00
Matt Moyer
2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:50 -06:00
Matt Moyer
7f2c43cd62
Put all of our APIs into a "pinniped" category, and never use "all".
We want to have our APIs respond to `kubectl get pinniped`, and we shouldn't use `all` because we don't think most average users should have permission to see our API types, which means if we put our types there, they would get an error from `kubectl get all`.

I also added some tests to assert these properties on all `*.pinniped.dev` API resources.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 16:26:34 -06:00
Matt Moyer
821190004c
Remove extraneous internal packages for CRD APIs.
These only really make sense for aggregated API types where we need `conversion-gen` to do version conversion.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-12 14:04:53 -06:00
Matt Moyer
2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 18:15:03 -06:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
eeb110761e Rename secretName to SNICertificateSecretName in OIDCProviderConfig 2020-10-26 17:25:45 -07:00
Ryan Richard
25a91019c2 Add spec.secretName to OPC and handle case-insensitive hostnames
- When two different Issuers have the same host (i.e. they differ
  only by path) then they must have the same secretName. This is because
  it wouldn't make sense for there to be two different TLS certificates
  for one host. Find any that do not have the same secret name to
  put an error status on them and to avoid serving OIDC endpoints for
  them. The host comparison is case-insensitive.
- Issuer hostnames should be treated as case-insensitive, because
  DNS hostnames are case-insensitive. So https://me.com and
  https://mE.cOm are duplicate issuers. However, paths are
  case-sensitive, so https://me.com/A and https://me.com/a are
  different issuers. Fixed this in the issuer validations and in the
  OIDC Manager's request router logic.
2020-10-23 16:25:44 -07:00
Andrew Keesler
1b99983441
apis: fix indentation in Go type
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:19:00 -04:00
Andrew Keesler
6aed025c79
supervisor-generate-key: initial spike
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:47:34 -04:00
Andrew Keesler
c555c14ccb
supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 11:54:50 -04:00
Andrew Keesler
da00fc708f
supervisor-oidc: checkpoint: add status to provider CRD
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 13:27:45 -04:00
Andrew Keesler
ead1ade24b
supervisor-oidc: forgot OIDCProviderConfig type registration in 14f1d86
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 10:50:55 -04:00
Ryan Richard
14f1d86833
supervisor-oidc: add OIDCProviderConfig CRD
This will hopefully come in handy later if we ever decide to add
support for multiple OIDC providers as a part of one supervisor.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 15:20:29 -04:00
Matt Moyer
164f64a370
Add IdentityProvider field to TokenCredentialRequestSpec.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
78ac27c262
Remove deprecated "pinniped.dev" API group.
This has been replaced by the "login.pinniped.dev" group with a slightly different API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 17:32:15 -05:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
58bf93b10c
Add a new login.pinniped.dev API group with TokenCredentialRequest.
This is essentially meant to be be "v1alpha2" of the existing CredentialRequest API, but since we want to move API groups we can just start over at v1alpha1.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:22 -05:00
Andrew Keesler
f464e03380
Generate code against 1.17.11
We want to be able to run kind integration tests against the same
versions that we generate code against. There is no public
kindest/node image for 1.17.9, so let's update to the next 1.17.x
version where there is an image: 1.17.11.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-17 10:35:45 -04:00
Andrew Keesler
eab5c2b86b
Save 2 lines by using inline-style comments for Copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:35:19 -04:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Matt Moyer
8df910361c
Clean up CredentialRequest types.go.
Mostly cleaned up and added doc strings, but also removed unneeded protobuf tags.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:30:12 -05:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Matt Moyer
2959b54e7b Generate CRD YAML using controller-tools, update doc strings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-31 16:38:48 -05:00
Matt Moyer
f49317d7e4
Add some generated API documentation. (#81)
Add some generated API documentation using https://github.com/elastic/crd-ref-docs which is now packaged in the codegen image.
2020-08-31 11:27:39 -05:00
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Matt Moyer
34d13f71c2 Add newly generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00