djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
402 Commits 30 Branches 34 Tags 22 MiB
37da441e96
Commit Graph

402 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Matt Moyer
37da441e96
Merge pull request #107 from mattmoyer/tidy-go-modules 
Tidy go.mod/go.sum.
 2020-09-15 14:29:39 -05:00
Matt Moyer
6faf224e20
Merge pull request #105 from mattmoyer/extend-readiness-check 
Wait for informers to sync before we pass readiness check.
 2020-09-15 14:27:42 -05:00
Matt Moyer
92372d20a9
Tidy go.mod/go.sum. 
I accidentally missed this in bbef017989 and it's not currently part of our CI linting.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 14:14:44 -05:00
Matt Moyer
12f0997193
Wait for informers to sync before we pass readiness check. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 14:14:25 -05:00
Matt Moyer
e428877473
Merge pull request #106 from mattmoyer/fix-webhook-base64-encoding 
Fix base64 encoding style in webhookcachefiller.
 2020-09-15 14:12:02 -05:00
Matt Moyer
1c7b3c3072
Fix base64 encoding style in webhookcachefiller. 
This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 13:54:19 -05:00
Matt Moyer
b1ea04b036
Merge pull request #83 from mattmoyer/add-idp-config-crd 
Implement the initial version of a WebhookIdentityProvider CRD.
 2020-09-15 12:53:31 -05:00
Andrew Keesler
36a66f4e8b
Merge pull request #104 from ankeesler/maintainers-doc 
MAINTAINERS.md: add initial draft
 2020-09-15 13:31:15 -04:00
Matt Moyer
b39160e4c4
Add some log output to TestCredentialIssuerConfig for troubleshooting. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:15:42 -05:00
Andrew Keesler
a22b414b58
MAINTAINERS.md: add initial draft 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-15 13:14:50 -04:00
Matt Moyer
8de046a561
Remove static webhook config options. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:34 -05:00
Matt Moyer
f7c9ae8ba3
Validate tokens using the new dynamic IDP cache instead of the static config. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:34 -05:00
Matt Moyer
75ea0f48d9
Add a controller to clean up stale entries in the idpcache.Cache. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
acfc5acfb2
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
6506a82b19
Add a cache of active IDPs, which implements authenticator.Token. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
66f4e62c6c
Add internal/mocks/mocktokenauthenticator generated mocks. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
80a23bd2fd
Rename "Webhook" to "TokenAuthenticator" in our REST handler and callers. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
2bdbac3e15
Move the ytt webhook config out into the CRD. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
5b9f2ec9fc
Give our controller access to all our CRD types. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:33 -05:00
Matt Moyer
fc220d5f79
Remove kubectl dry-run verify for now. 
The dry-run fails now because we are trying to install a CRD and a custom resource (of that CRD type) in the same step.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 12:02:32 -05:00
Matt Moyer
3344b5b86a
Expect the WebhookIdentityProvider CRD to be installed. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 11:44:24 -05:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 11:44:23 -05:00
Matt Moyer
9bb3d4ef28
Add .gitattributes as a hint to the GitHub diff viewer. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-15 11:44:23 -05:00
Matt Moyer
21187bc28a
Merge pull request #103 from mattmoyer/add-controller-utils 
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
 2020-09-14 13:59:32 -05:00
aram price
9bad0d52f7
Merge pull request #102 from mattmoyer/prefactor-test-helpers 
Prefactor some test helpers prior to the IDP CRD PR.
 2020-09-14 11:38:05 -07:00
Matt Moyer
92fabf43b3
Add new controller.SimpleFilter and controller.NoOpFilter utilities. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-14 13:25:16 -05:00
Matt Moyer
7d8c28a9dc
Extract testutil.TLSTestServer so it can be reused elsewhere. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-14 13:23:12 -05:00
Matt Moyer
bbef017989
Add a testlogger util package for testing go-logr. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-09-14 13:23:06 -05:00
Andrew Keesler
19c671a60a
cmd/local-user-authenticator: go back to use TokenReview structs 
So I looked into other TokenReview webhook implementations, and most
of them just use the json stdlib package to unmarshal/marshal
TokenReview payloads. I'd say let's follow that pattern, even though
it leads to extra fields in the JSON payload (these are not harmful).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-11 16:12:43 -04:00
Andrew Keesler
17d40b7a73
cmd/local-user-authenticator: protect against nil-body 
I saw this while reading other TokenReview code.
 2020-09-11 16:11:42 -04:00
Andrew Keesler
4e40c0320e
cmd/local-user-authenticator: use v1beta1 everywhere 
See 63f5416b2 for a previous time where we decided to use the v1beta1
TokenReview API.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-11 16:11:42 -04:00
Andrew Keesler
a3dbb309d0
cmd/local-user-authenticator: check for invalid TokenReview type meta 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-11 16:11:42 -04:00
Ryan Richard
c436f84b3d Fix a nil dereference crash in rest.go 2020-09-11 13:08:54 -07:00
Ryan Richard
f685cd228f More integration test script updates 
- Don't need to `cd test` anymore before running the integration
  tests because it's not a separate Go module anymore
 2020-09-11 08:43:53 -07:00
Ryan Richard
63f9db72e8 Improvements and simplifications to prepare-for-integration-tests.sh 2020-09-11 08:19:49 -07:00
Andrew Keesler
004cfe380d
doc/contributing.md: add a tiny blurb about integration tests 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-11 10:29:21 -04:00
Andrew Keesler
b1d9665b03
Merge pull request #90 from suzerain-io/easy_demo 
Add <20 minutes Pinniped demo
 2020-09-11 10:26:20 -04:00
Andrew Keesler
4fa7e1bd76
hack/prepare-for-integration-tests.sh: use log helper 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-11 10:09:22 -04:00
Ryan Richard
22bf24b775 Fix a unit test failure that only happens on golang 1.15 
- Use the SAN field when creating a test cert or else the corresponding
  unit tests will fail when run with golang 1.15
 2020-09-10 18:50:34 -07:00
Ryan Richard
6deaa0fb1a Fix lint errors 2020-09-10 18:34:18 -07:00
Ryan Richard
4fe609a043 Remove mentions of uninstall tests and other repos from prepare-for-integration-tests.sh 2020-09-10 17:36:22 -07:00
Andrew Keesler
e6cb2f8220 Assert on specific expected username and groups in integration tests 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-09-10 17:10:27 -07:00
Ryan Richard
b7bdb7f3b1 Rename test-webhook to local-user-authenticator 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 15:20:02 -07:00
Ryan Richard
9baea83066 Improve the parsing of headers in test-webhook 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 15:00:53 -07:00
Andrew Keesler
56be4a6761 Add more logging to test-webhook's endpoint 
- Also correct the webhook url setting in prepare-for-integration-tests.sh
- Change the bcrypt count to 10, because 16 is way too slow on old laptops

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-09-10 13:37:25 -07:00
Andrew Keesler
b506ac5823
Port integration test setup script from CI repo 
I also started updating the script to deploy the test-webhook instead of
doing TMC stuff. I think the script should live in this repo so that
Pinniped contributors only need to worry about one repo for running
integration tests.

There are a bunch of TODOs in the script, but I figured this was a good
checkpoint. The script successfully runs on my machine and sets up the
test-webhook and pinniped on a local kind cluster. The integration tests
are failing because of some issue with pinniped talking to the test-webhook,
but this is step in the right direction.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 11:30:15 -04:00
Andrew Keesler
fec31b71c0
deploy-test-webhook/README.md: add another tool needed for the demo 
The other diffs in this comment were dictated by pre-commit.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 09:50:17 -04:00
Andrew Keesler
89d01b84f8
deploy/README.md: fix markdown link to test webhook README.md 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 09:33:46 -04:00
Andrew Keesler
fc3b4e9ae1
hack/test-unit.sh: remove this alias to cut down on scripts 
This script was basically an alias for `./hack/module.sh unittest`. We even
tell people to run the unit tests via module.sh in our contributing doc.
Let's ditch it - the best line of (shell code) is the one you don't write.

An analagous change was made in CI to use module.sh in place of test-unit.sh.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-09-10 09:26:18 -04:00
Ryan Richard
2565f67824 Create a deployment for test-webhook 
- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
 2020-09-09 19:06:39 -07:00