Matt Moyer
349d3dad83
Make temporary errors return Pending in impersonatorconfig.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 11:13:10 -05:00
Matt Moyer
0a47aa4843
Adjust log levels in impersonatorconfig controller.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-26 16:47:02 -05:00
Matt Moyer
d780bf64bc
Remove references to impersonationConfigMap.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-26 15:24:59 -05:00
Matt Moyer
b57878ebc5
Remove TODO from impersonator.go.
...
We're now tracking this in an issue: https://github.com/vmware-tanzu/pinniped/issues/642
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-26 15:08:29 -05:00
Matt Moyer
1932b03c39
Refactor createOrUpdateService() method.
...
This updates the code to use a different mechanism for driving desired state:
- Read existing object
- If it does not exist, create desired object
- If it does exist, make a copy and set all the desired fields
- Do a deepequal to see if an update is necessary.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-26 15:03:04 -05:00
Matt Moyer
be8118ec2e
Re-enable parallelism on TestImpersonatorConfigControllerSync.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-26 12:57:51 -05:00
Matt Moyer
1a4687a40a
Switch impersonatorconfig to all singleton queues.
...
We also no longer need an initial event, since we don't do anything unless the CredentialIssuer exists, so we'll always be triggered at the appropriate time.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-26 12:54:40 -05:00
Matt Moyer
b13c494f93
Migrate off global logger in impersonatorconfig.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-26 12:44:05 -05:00
Margo Crawford
e5a61f3b95
IPv6 address in unit tests for ClusterIPs
2021-05-26 10:30:33 -07:00
Margo Crawford
f2021f1b53
Merge branch 'credentialissuer-spec-api' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api
2021-05-25 17:06:26 -07:00
Margo Crawford
e2fad6932f
multiple cluster ips
2021-05-25 17:01:42 -07:00
Matt Moyer
450ce6a4aa
Switch impersonatorconfig to new endpointaddr package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 17:44:25 -05:00
Matt Moyer
c970dd1fb0
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api
2021-05-25 17:32:58 -05:00
Matt Moyer
89eff28549
Convert LDAP code to use endpointaddr package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 16:17:27 -05:00
Matt Moyer
d9a3992b3b
Add endpointaddr pkg for parsing host+port inputs.
...
This type of field appears in more than one of our APIs, so this package will provide a single source of truth for validating and parsing inputs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-25 16:17:26 -05:00
Ryan Richard
2014f4623d
Move require.NoError() to t.Cleanup()
2021-05-24 14:24:09 -07:00
Matt Moyer
fabc08b01b
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api
2021-05-24 15:49:13 -05:00
Margo Crawford
5de9bac4ac
Oof... good I wrote an integration test because that's not how updating works!
...
Now updating the existing service in kubernetes but with the new
annotations
2021-05-24 09:41:49 -07:00
Margo Crawford
150e879a68
Add tests for deleting services
2021-05-21 13:47:06 -07:00
Ryan Richard
b16e84d90a
Add another unit test for the LDAP client code
2021-05-21 12:44:01 -07:00
Margo Crawford
b4bb0db6e5
Refactor some shared code between load balancer and cluster ip creation
2021-05-21 09:57:46 -07:00
Margo Crawford
4606f1d8bd
More error handling for cluster ip
2021-05-20 16:21:10 -07:00
Margo Crawford
599d70d6dc
Wire generatedClusterIPServiceName through from NamesConfig
2021-05-20 14:11:35 -07:00
Ryan Richard
901ddd1870
Merge branch 'main' into ldap_starttls
2021-05-20 13:40:56 -07:00
Ryan Richard
8b549f66d4
Add integration test for LDAP StartTLS
2021-05-20 13:39:48 -07:00
Ryan Richard
7e76b66639
LDAP upstream watcher controller tries using both TLS and StartTLS
...
- Automatically try to fall back to using StartTLS when using TLS
doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keeping using that one
in the future (unless the pod restarts).
2021-05-20 12:46:33 -07:00
Ryan Richard
fff90ed2ca
Merge branch 'main' into initial_ldap_group_support
2021-05-20 12:36:04 -07:00
Margo Crawford
62651eddb0
Took care of some impersonation cluster ip related todos
2021-05-20 11:57:07 -07:00
Matt Moyer
ec25259901
Update impersonatorconfig controller to use new CredentialIssuer update helper.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-20 12:26:07 -05:00
Matt Moyer
e4dd83887a
Merge remote-tracking branch 'origin/main' into credentialissuer-spec-api
2021-05-20 10:53:53 -05:00
Ryan Richard
025b37f839
upstreamldap.New() now supports a StartTLS config option
...
- This enhances our LDAP client code to make it possible to optionally
dial an LDAP server without TLS and then use StartTLS to upgrade
the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
Margo Crawford
63c39454f6
WIP on impersonation clusterip service
2021-05-19 17:00:28 -07:00
Matt Moyer
657488fe90
Create CredentialIssuer at install, not runtime.
...
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.
With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.
This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
Margo Crawford
9e61640c92
LoadBalancerIP updated dynamically
2021-05-19 14:16:15 -07:00
Ryan Richard
424c112bbc
Merge branch 'main' into initial_ldap_group_support
2021-05-19 13:12:17 -07:00
Margo Crawford
0b66321902
Changes to make the linter pass
2021-05-19 11:05:35 -07:00
Matt Moyer
297a484948
Add more validation and update tests for impersonationProxy as pointer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 12:42:31 -05:00
Margo Crawford
94c370ac85
Annotations for impersonation load balancer
2021-05-18 16:54:59 -07:00
Margo Crawford
eaea3471ec
Validation for service type none and external endpoint none
...
Also added a few more test cases for provisioning a load balancer
2021-05-18 13:50:52 -07:00
Matt Moyer
4a785e73e6
WIP fixing impersonatorconfig tests
2021-05-18 14:54:04 -05:00
Margo Crawford
51f1a0ec13
WIP: not using impersonator.config just credentialissuer directly
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 12:16:27 -07:00
Matt Moyer
18ccf11905
Update impersonatorconfig controller to use CredentialIssuer API instead of ConfigMap.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 09:50:35 -07:00
Monis Khan
35479e2978
cred req: disallow lossy user info translations
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
Ryan Richard
3e1e8880f7
Initial support for upstream LDAP group membership
...
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.
LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
f5bf8978a3
Cache ResourceVersion of the validated bind Secret in memory
...
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
...
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
67dca688d7
Add an API version to the Supervisor IDP discovery endpoint
...
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02
Also check that the authcode storage is around for a while
2021-05-12 14:22:14 -07:00
Ryan Richard
29ca8acab4
oidc_upstream_watcher.go: two methods become private funcs
2021-05-12 14:05:08 -07:00