Commit Graph

707 Commits

Author SHA1 Message Date
Ryan Richard
e4bf6e068f Add a comment to impersonator.go 2021-03-18 10:46:27 -07:00
Monis Khan
205c22ddbe
impersonator config: catch panics when running impersonator
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 10:28:28 -04:00
Andrew Keesler
aa79bc7609
internal/concierge/impersonator: ensure log statement is printed
When the frontend connection to our proxy is closed, the proxy falls through to
a panic(), which means the HTTP handler goroutine is killed, so we were not
seeing this log statement.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:14:11 -04:00
Monis Khan
236dbdb2c4
impersonator: test UID impersonation and header canonicalization
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 13:00:51 -04:00
Ryan Richard
6887d0aca2 Repeat the method and url in the log line for the userinfo username 2021-03-15 17:12:03 -07:00
Ryan Richard
2460568be3 Add some debug logging 2021-03-15 16:26:51 -07:00
Monis Khan
4f671f5dca
dynamiccert: unit test with DynamicServingCertificateController
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 17:23:37 -04:00
Monis Khan
00694c9cb6
dynamiccert: split into serving cert and CA providers
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 12:24:07 -04:00
Monis Khan
4c162be8bf
impersonator: add comment about long running func
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 09:43:06 -04:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Monis Khan
5e4746e96b
impersonator: match kube API server long running func
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 16:36:37 -05:00
Monis Khan
8c0bafd5be
impersonator: prep work for future SA token support
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 10:47:07 -05:00
Monis Khan
12b13b1ea5
impersonator: wire in genericapiserver.Config
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 10:47:07 -05:00
Ryan Richard
87f2899047 impersonator_test.go: small refactor of previous commit 2021-03-11 17:24:52 -08:00
Ryan Richard
6ddf4c04e6 impersonator_test.go: Test failed and anonymous auth 2021-03-11 17:11:38 -08:00
Ryan Richard
1d68841c78 impersonator_test.go: Test one more thing and small refactors 2021-03-11 16:44:08 -08:00
Ryan Richard
f77c92560f Rewrite impersonator_test.go, add missing argument to IssuePEM()
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.

The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Monis Khan
2d28d1da19
Implement all optional methods in dynamic certs provider
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 16:24:08 -05:00
Ryan Richard
29d7f406f7 Test double impersonation as the cluster admin 2021-03-11 12:53:27 -08:00
Monis Khan
7b1ecf79a6
Fix race between err chan send and re-queue
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 10:13:29 -05:00
Monis Khan
6582c23edb Fix a race detector error in a unit test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-10 11:24:42 -08:00
Ryan Richard
0b300cbe42 Use TokenCredentialRequest instead of base64 token with impersonator
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.

The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Matt Moyer
8fd6a71312
Use simpler prefix matching for impersonation headers.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:44:38 -06:00
Matt Moyer
8c0a073cb6
Fix this constant name to match its value.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 13:31:16 -06:00
Matt Moyer
c4f6fd5b3c
Add a bit nicer assertion helper in testutil/testlogger.
This makes output that's easier to copy-paste into the test. We could also make it ignore the order of key/value pairs in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:49:45 -06:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Ryan Richard
b102aa8991 In unit test, wait for obj from informer instead of resource version
In impersonator_config_test.go, instead of waiting for the resource
version to appear in the informers, wait for the actual object to
appear.

This is an attempt to resolve flaky failures that only happen in CI,
but it also cleans up the test a bit by avoiding inventing fake resource
version numbers all over the test.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-04 17:26:01 -08:00
Ryan Richard
9eb97e2683 Use Eventually when making tls connections and avoid resource version 0
- Use `Eventually` when making tls connections because the production
  code's handling of starting and stopping the TLS server port
  has some async behavior.
- Don't use resource version "0" because that has special meaning
  in the informer libraries.
2021-03-04 17:26:01 -08:00
Matt Moyer
1734280a19
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-04 12:38:00 -06:00
Ryan Richard
1b3103c9b5 Remove a nolint comment to satisfy the version of the linter used in CI 2021-03-03 13:37:03 -08:00
Matt Moyer
f4fcb9bde6
Sort CredentialIssuer strategies in preferred order.
This updates our issuerconfig.UpdateStrategy to sort strategies according to a weighted preference.
The TokenCredentialRequest API strategy is preffered, followed by impersonation proxy, followed by any other unknown types.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-03 14:03:27 -06:00
Margo Crawford
0799a538dc change FromString to Parse so TargetPort parses correctly 2021-03-03 11:12:37 -08:00
Monis Khan
d7edc41c24
oidc discovery: encode metadata once and reuse
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-03 13:37:43 -05:00
Ryan Richard
333a3ab4c2 impersonator_config_test.go: Add another unit test 2021-03-03 09:37:08 -08:00
Ryan Richard
730092f39c impersonator_config.go: refactor to clean up cert name handling 2021-03-03 09:22:35 -08:00
Ryan Richard
d3599c541b Fill in the frontend field of CredentialIssuer status for impersonator 2021-03-02 16:52:23 -08:00
Ryan Richard
8bf03257f4 Add new impersonation-related constants to api types and run codegen 2021-03-02 15:28:13 -08:00
Ryan Richard
1ad2c38509 Impersonation controller updates CredentialIssuer on every call to Sync
- This commit does not include the updates that we plan to make to
  the `status.strategies[].frontend` field of the CredentialIssuer.
  That will come in a future commit.
2021-03-02 15:28:13 -08:00
Ryan Richard
84cc42b2ca Remove tls field from the impersonator config
- Decided that we're not going to implement this now, although
  we may decide to add it in the future
2021-03-02 15:28:13 -08:00
Margo Crawford
4c68050706 Allow all headers besides impersonation-* through impersonation proxy 2021-03-02 15:01:13 -08:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Matt Moyer
2a29303e3f
Fix label handling in kubecertagent controllers.
These controllers were a bit inconsistent. There were cases where the controllers ran out of the expected order and the custom labels might not have been applied.

We should still plan to remove this label handling or move responsibility into the middleware layer, but this avoids any regression.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:59:46 -06:00
Matt Moyer
643c60fd7a
Drop NewKubeConfigInfoPublisherController, start populating strategy frontend from kubecertagent execer controller.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Ryan Richard
a75c2194bc Read the names of the impersonation-related resources from the config
They were previously temporarily hardcoded. Now they are set at deploy
time via the static ConfigMap in deployment.yaml
2021-03-02 09:31:24 -08:00
Ryan Richard
045c427317 Merge branch 'main' into impersonation-proxy 2021-03-01 17:03:56 -08:00
Ryan Richard
a2ecd05240 Impersonator config controller writes CA cert & key to different Secret
- The CA cert will end up in the end user's kubeconfig on their client
  machine, so if it changes they would need to fetch the new one and
  update their kubeconfig. Therefore, we should avoid changing it as
  much as possible.
- Now the controller writes the CA to a different Secret. It writes both
  the cert and the key so it can reuse them to create more TLS
  certificates in the future.
- For now, it only needs to make more TLS certificates if the old
  TLS cert Secret gets deleted or updated to be invalid. This allows
  for manual rotation of the TLS certs by simply deleting the Secret.
  In the future, we may want to implement some kind of auto rotation.
- For now, rotation of both the CA and TLS certs will also happen if
  you manually delete the CA Secret. However, this would cause the end
  users to immediately need to get the new CA into their kubeconfig,
  so this is not as elegant as a normal rotation flow where you would
  have a window of time where you have more than one CA.
2021-03-01 17:02:08 -08:00
Matt Moyer
c94ee7188c
Factor out issuerconfig.UpdateStrategy helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 16:21:10 -06:00
Matt Moyer
c832cab8d0
Update internal/oidc/token_exchange.go for latest Fosite version.
The `fosite.TokenEndpointHandler` changed and now requires some additional methods.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 13:08:41 -06:00
Matt Moyer
234465789b
Regenerate gomock mocks with v1.5.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 11:44:27 -06:00
Ryan Richard
f1eeae8c71 Parse out ports from impersonation proxy endpoint config
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 15:01:38 -08:00
Ryan Richard
41e4a74b57 impersonator_config_test.go: more small refactoring of test helpers 2021-02-26 13:53:30 -08:00
Margo Crawford
fa49beb623 Change length of TLS certs and CA.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 12:05:17 -08:00
Margo Crawford
9bd206cedb impersonator_config_test.go: small refactor of test helpers
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 11:27:19 -08:00
Ryan Richard
5b01e4be2d impersonator_config.go: handle more error cases
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 10:58:56 -08:00
Ryan Richard
bbbb40994d Prefer hostnames over IPs when making certs to match load balancer ingress
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 17:03:34 -08:00
Margo Crawford
f709da5569 Updated test assertions for new logger version
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:18:36 -08:00
Ryan Richard
f8111db5ff Merge branch 'main' into impersonation-proxy 2021-02-25 14:50:40 -08:00
Ryan Richard
0cae72b391 Get hostname from load balancer ingress to use for impersonator certs
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 11:40:14 -08:00
Margo Crawford
9a8c80f20a Impersonator checks cert addresses when endpoint config is a hostname
Also update concierge_impersonation_proxy_test.go integration test
to use real TLS when calling the impersonator.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 10:27:19 -08:00
Matt Moyer
c8fc8a0b65
Reformat some log-based test assertions.
These are prone to breaking when stdr is upgraded because they rely on the exact ordering of keys in the log message. If we have more problems we can rewrite the assertions to be more robust, but for this time I'm just fixing them to match the new output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 08:11:37 -06:00
Margo Crawford
8fc68a4b21 WIP improved cert management in impersonator config
- Allows Endpoint to be a hostname, not just an IP address

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 17:08:58 -08:00
Ryan Richard
aee7a7a72b More WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 16:03:26 -08:00
Ryan Richard
d42c533fbb WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 10:57:36 -08:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Ryan Richard
80ff5c1f17 Fix bug which prevented watches from working through impersonator
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Monis Khan
62630d6449
getAggregatedAPIServerScheme: move group version logic internally
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 11:10:54 -05:00
Margo Crawford
19881e4d7f Increase how long we wait for loadbalancers to be deleted for int test
Also add some log messages which might help us debug issues like this
in the future.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 15:58:27 -08:00
Ryan Richard
126f9c0da3 certs_manager.go: Rename some local variables
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 11:16:34 -08:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Andrew Keesler
b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 10:13:24 -05:00
Margo Crawford
22a3e73bac impersonator_config_test.go: use require.Len() when applicable
Also fix a lint error in concierge_impersonation_proxy_test.go

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:29:56 -08:00
Margo Crawford
0ad91c43f7 ImpersonationConfigController uses servicesinformer
This is a more reliable way to determine whether the load balancer
is already running.
Also added more unit tests for the load balancer.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:22:13 -08:00
Margo Crawford
67da840097 Add loadbalancer for impersonation proxy when needed 2021-02-16 15:57:02 -08:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Andrew Keesler
eb19980110
internal/concierge/impersonator: set user extra impersonation headers
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 09:26:47 -05:00
Andrew Keesler
c7905c6638
internal/concierge/impersonator: fail if impersonation headers set
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 08:15:50 -05:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
6512ab1351
internal/concierge/impersonator: don't care about namespace
Concierge APIs are no longer namespaced (see f015ad5852).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 17:11:59 -05:00
Ryan Richard
5cd60fa5f9 Move starting/stopping impersonation proxy server to a new controller
- Watch a configmap to read the configuration of the impersonation
  proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
  Those will come in future commits.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Monis Khan
b04fd46319
Update federation domain logic to use status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
0a9f446893
Update credential issuer logic to use status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
ac01186499
Use API service as owner ref for cluster scoped resources
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
2eb01bd307
authncache: remove namespace concept
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
89b00e3702
Declare war on namespaces
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Monis Khan
4205e3dedc
Make concierge APIs cluster scoped
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Andrew Keesler
0fc1f17866
internal/groupsuffix: mutate TokenCredentialRequest's Authenticator
This is a partial revert of 288d9c999e. For some reason it didn't occur to me
that we could do it this way earlier. Whoops.

This also contains a middleware update: mutation funcs can return an error now
and short-circuit the rest of the request/response flow. The idea here is that
if someone is configuring their kubeclient to use middleware, they are agreeing
to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's
must have an Spec.Authenticator.APIGroup set).

I also updated some internal/groupsuffix tests to be more realistic.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 15:53:44 -05:00
Andrew Keesler
ae6503e972
internal/plog: add KObj() and KRef()
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 14:25:39 -05:00
Ryan Richard
e4c49c37b9 Merge branch 'main' into impersonation-proxy 2021-02-09 13:45:37 -08:00
Ryan Richard
268ca5b7f6 Add config structs in impersonator package
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-09 13:44:19 -08:00
Monis Khan
2679d27ced
Use server scheme to handle credential request API group changes
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 15:51:38 -05:00
Monis Khan
6b71b8d8ad
Revert server side token credential request API group changes
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 15:51:35 -05:00
Andrew Keesler
8697488126
internal/concierge/impersonator: use kubeconfig from kubeclient
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 15:28:56 -05:00
Margo Crawford
dfcc2a1eb8 Introduce clusterhost package to determine whether a cluster has control plane nodes
Also added hasExternalLoadBalancerProvider key to cluster capabilities
for integration testing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-09 11:16:01 -08:00
Andrew Keesler
812f5084a1
internal/concierge/impersonator: don't mutate ServeHTTP() req
I added that test helper to create an http.Request since I wanted to properly
initialize the http.Request's context.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 13:25:32 -05:00
Monis Khan
05a471fdf9
Migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 12:56:05 -05:00
Monis Khan
81d4e50f94
Remove multierror package
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 12:55:18 -05:00
Monis Khan
f7958ae75b
Add no-op list support to token credential request
This allows us to keep all of our resources in the pinniped category
while not having kubectl return errors for calls such as:

kubectl get pinniped -A

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 10:59:39 -05:00
Ryan Richard
288d9c999e Use custom suffix in Spec.Authenticator.APIGroup of TokenCredentialRequest
When the Pinniped server has been installed with the `api_group_suffix`
option, for example using `mysuffix.com`, then clients who would like to
submit a `TokenCredentialRequest` to the server should set the
`Spec.Authenticator.APIGroup` field as `authentication.concierge.mysuffix.com`.

This makes more sense from the client's point of view than using the
default `authentication.concierge.pinniped.dev` because
`authentication.concierge.mysuffix.com` is the name of the API group
that they can observe their cluster and `authentication.concierge.pinniped.dev`
does not exist as an API group on their cluster.

This commit includes both the client and server-side changes to make
this work, as well as integration test updates.

Co-authored-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 15:49:15 -08:00
Matt Moyer
64aff7b983 Only log user ID, not user name/groups.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 09:31:30 -08:00
Margo Crawford
b6abb022f6 Add initial implementation of impersonation proxy.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-03 09:31:13 -08:00
Monis Khan
300d7bd99c
Drop duplicate logic for unversioned type registration
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Monis Khan
012bebd66e
Avoid double registering types in server scheme
This makes sure that if our clients ever send types with the wrong
group, the server will refuse to decode it.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Andrew Keesler
e1d06ce4d8
internal/mocks/mockroundtripper: we don't need these anymore
We thought we needed these to test the middleware, but we don't.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:55:38 -05:00
Andrew Keesler
62c117421a
internal/kubeclient: fix not found test and request body closing bug
- I realized that the hardcoded fakekubeapi 404 not found response was invalid,
  so we were getting a default error message. I fixed it so the tests follow a
  higher fidelity code path.
- I caved and added a test for making sure the request body was always closed,
  and believe it or not, we were double closing a body. I don't *think* this will
  matter in production, since client-go will pass us ioutil.NopReader()'s, but
  at least we know now.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:19:34 -05:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Andrew Keesler
93ebd0f949
internal/plog: add Enabled()
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-02 18:01:06 -05:00
Matt Moyer
5b4e58f0b8
Add some trivial unit tests to internal/oidc/csrftoken.
This change is primarily to test that our test coverage reporting is working as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-02 09:38:17 -06:00
Ryan Richard
6ef7ec21cd Merge branch 'release-0.4' into main 2021-01-25 15:13:14 -08:00
Ryan Richard
b77297c68d Validate the upstream email_verified claim when it makes sense 2021-01-25 15:10:41 -08:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Andrew Keesler
50c3e4c00f
Merge branch 'main' into reenable-max-inflight-checks 2021-01-19 18:14:27 -05:00
Andrew Keesler
88fd9e5c5e
internal/config: wire API group suffix through to server components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Matt Moyer
93ba1b54f2
Merge branch 'main' into reenable-max-inflight-checks 2021-01-15 10:19:17 -06:00
Margo Crawford
d11a73c519 PR feedback-- omit empty groups, keep groups as nil until last minute
Also log keys and values for claims
2021-01-14 15:11:00 -08:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Margo Crawford
5e60c14ce7
internal/upstreamoidc: log claims from ID token and userinfo
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-14 16:47:39 -05:00
Andrew Keesler
792bb98680
Revert "Temporarily disable max inflight checks for mutating requests"
This reverts commit 4a28d1f800.

This commit was originally made to fix a bug that caused TokenCredentialRequest
to become slow when the server was idle for an extended period of time. This was
to address a Kubernetes issue that was fixed in 1.19.5 and onward. We are now
running with Kubernetes 1.20, so we should be able to pick up this fix.
2021-01-13 11:12:09 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-12 11:23:25 -05:00
Monis Khan
6fff179e39
Fetch claims from the user info endpoint if provided
Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-09 18:16:24 -05:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Monis Khan
bba0f3a230
Always set an owner ref back to our deployment
This change updates our clients to always set an owner ref when:

1. The operation is a create
2. The object does not already have an owner ref set

Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-07 15:25:40 -05:00
Margo Crawford
19d592566d
Merge branch 'main' into copyright-year 2021-01-06 09:03:13 -08:00
Margo Crawford
ea6ebd0226 Got pre-commit to check for correct copyright year 2021-01-05 15:53:14 -08:00
Andrew Keesler
53a185083c Hopefully triggering the precommit hook
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-05 14:15:46 -08:00
Andrew Keesler
40753d1454 Remove blockOwnerDeletion from the supervisor secrets
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-05 10:44:36 -08:00
Ryan Richard
116c8dd6c5 SupervisorSecretsController Syncs less often by adjusting its filters
- Only watches Secrets of type
  "secrets.pinniped.dev/supervisor-csrf-signing-key"

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 15:57:12 -08:00
Aram Price
1b5e8c3439 Upstream Watcher Controller Syncs less often by adjusting its filters
- Only watches Secrets of type "secrets.pinniped.dev/oidc-client"

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 15:41:18 -08:00
Ryan Richard
23be766c8b Move const to file-of-use and replce dup string
Signed-off-by: aram price <pricear@vmware.com>
2020-12-18 15:14:51 -08:00
Ryan Richard
2f518b8b7c TLSCertObserverController Syncs less often by adjusting its filters
- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 15:10:48 -08:00
aram price
cff2dc1379 Reorder functions 2020-12-18 15:08:55 -08:00
Ryan Richard
fc250f98d0 Adjust func grouping 2020-12-18 14:58:39 -08:00
Aram Price
b3e428c9de Several more controllers Sync less often by adjusting their filters
- JWKSWriterController
- JWKSObserverController
- FederationDomainSecretsController for HMAC keys
- FederationDomainSecretsController for state signature key
- FederationDomainSecretsController for state encryption key

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-18 14:55:05 -08:00
Ryan Richard
1056cef384 Sync garbage collector controller less often by adjusting its filters
- Only sync on add/update of secrets in the same namespace which
  have the "storage.pinniped.dev/garbage-collect-after" annotation, and
  also during a full resync of the informer whenever secrets in the
  same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
  unnecessarily when it deletes a secret. This controller is never
  interested in deleted secrets, since its only job is to delete
  existing secrets.
- No change to the self-imposed rate limit logic. That still applies
  because secrets with this annotation will be created and updated
  regularly while the system is running (not just during rare system
  configuration steps).
2020-12-18 09:36:28 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets 2020-12-17 17:42:04 -08:00
aram price
187bd9060c All FederationDomain Secrets have distinct Types
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 17:07:38 -08:00
aram price
587cced768 Add extra type info where SecretType is used 2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type
Signed-off-by: aram price <pricear@vmware.com>
2020-12-17 15:30:26 -08:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 14:48:49 -08:00
Matt Moyer
8db9331fed
Update ExpectedAuthorizeCodeSessionJSONFromFuzzing.
We stared at this very carefully and we don't think there are any structural changes. Maybe something small happened to get the RNG off by one?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
3a81fbd1b4
Update fosite error usage.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Aram Price
55483b726b More "op" and "opc" local variable renames
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-17 13:49:53 -08:00
Ryan Richard
b96d49df0f Rename all "op" and "opc" usages
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-17 11:34:49 -08:00
Matt Moyer
b60542f0d1
Clean this test up a trivial amount using require.Implementsf().
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 08:38:16 -06:00
Monis Khan
dc8e7a2f39
Enable cache mutation detector in unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2020-12-17 08:38:15 -06:00
Andrew Keesler
04d54e622a
Only set single secret status field in FederationDomainSecretsController
This implementation is janky because I wanted to make the smallest change
possible to try to get the code back to stable so we can release.

Also deep copy an object so we aren't mutating the cache.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-17 07:41:53 -05:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
3948bb76d8
Be more lax in some of our test assertions.
Fosite overrides the `Cache-Control` header we set, which is basically fine even though it's not exactly what we want.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 13:15:38 -06:00
Matt Moyer
74e52187a3
Simplify securityheader package by merging header fields.
From RFC2616 (https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2):
 > It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair,
 > without changing the semantics of the message, by appending each subsequent field-value to the first,
 > each separated by a comma.

This was correct before, but this simplifes a bit and shaves off a few bytes from the response.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:05 -06:00
Matt Moyer
602f3c59ba
Fix a regression in securityheader package.
The bug itself has to do with when headers are streamed to the client. Once a wrapped handler has sent any bytes to the `http.ResponseWriter`, the value of the map returned from `w.Header()` no longer matters for the response. The fix is fairly trivial, which is to add those response headers before invoking the wrapped handler.

The existing unit test didn't catch this due to limitations in `httptest.NewRecorder()`. It is now replaced with a new test that runs a full HTTP test server, which catches the previous bug.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:05 -06:00
Margo Crawford
1d4012cabf jwtcachefiller_test.go: don't assert about time zones in errors
Because the library that we are using which returns that error
formats the timestamp in localtime, which is LMT when running
on a laptop, but is UTC when running in CI.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 10:17:17 -08:00
Ryan Richard
dcb19150fc Nest claim configs one level deeper in JWTAuthenticatorSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-16 09:42:19 -08:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Margo Crawford
a10d219049 Pass through custom groups claim and username claim
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-15 16:11:53 -08:00
Ryan Richard
05ab8f375e Default to "username" claim in jwtcachefiller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-15 14:37:38 -08:00
Margo Crawford
720bc7ae42 jwtcachefiller_test.go: refactor and remove "if short skip" check
- Refactor the test to avoid testing a private method and instead
  always test the results of running the controller.
- Also remove the `if testing.Short()` check because it will always
  be short when running unit tests. This prevented the unit test
  from ever running, both locally and in CI.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-15 13:33:49 -08:00
Andrew Keesler
056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 15:55:46 -05:00
Andrew Keesler
35bb76ea82
Ensure labels are set correct on generated Supervisor secret
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 15:55:14 -05:00
Andrew Keesler
9d9040944a Secrets owned by Deployment have Controller: false
- This is to prevent K8s internal Deployment controller from trying to
manage these objects

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 12:12:47 -08:00
aram price
2edcdc92f4 Log when unexpected Upstream OIDC Providers found
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 10:49:13 -08:00
Ryan Richard
43bb7117b7 Allow upstream group claim values to be either arrays or strings 2020-12-15 08:34:24 -08:00
Andrew Keesler
7320928235
Get rid of TODOs in code by punting on them
We will do these later; they have been recorded in a work tracking record.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 09:58:46 -05:00
Andrew Keesler
d2498c96e0
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 09:27:23 -05:00
Andrew Keesler
82ae98d9d0
Set secret names on OIDCProvider status field
We believe this API is more forwards compatible with future secrets management
use cases. The implementation is a cry for help, but I was trying to follow the
previously established pattern of encapsulating the secret generation
functionality to a single group of packages.

This commit makes a breaking change to the current OIDCProvider API, but that
OIDCProvider API was added after the latest release, so it is technically still
in development until we release, and therefore we can continue to thrash on it.

I also took this opportunity to make some things private that didn't need to be
public.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 09:13:01 -05:00
Andrew Keesler
60d4a7beac
Test more filters in SupervisorSecretsController (see 6e8d564013)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 07:58:33 -05:00
aram price
e03e344dcd SecretHelper depends less on OIDCProvider
This should allow the helper to be more generic so that it can be used
with the SupervisorSecretsController
2020-12-14 19:35:45 -08:00
aram price
bf86bc3383 Rename for clarity 2020-12-14 18:36:56 -08:00
Ryan Richard
16dfab0aff token_handler_test.go: Add tests for username and groups custom claims 2020-12-14 18:27:14 -08:00
aram price
b799515f84 Pull symmetricsecrethelper package up to generator
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
2020-12-14 17:41:02 -08:00
Margo Crawford
afcd5e3e36 WIP: Adjust subject and username claims
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-14 17:05:53 -08:00
aram price
b1ee434ddf Rename in preparation for refactor 2020-12-14 16:44:27 -08:00
aram price
6e8d564013 Test filters in SupervisorSecretsController 2020-12-14 16:08:48 -08:00
Ryan Richard
16907e4453 Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-14 15:28:32 -08:00
Andrew Keesler
9c79adcb26 Rename and move some code to perpare for refactor
Signed-off-by: aram price <pricear@vmware.com>
2020-12-14 14:24:13 -08:00
Aram Price
5b7a86ecc1
Integration test for Supervisor secret controllers
This forced us to add labels to the CSRF cookie secret, just as we do
for other Supervisor secrets. Yay tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 15:53:12 -05:00
Andrew Keesler
cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 11:44:01 -05:00
Andrew Keesler
2f28d2a96b
Synchronize the OIDCProvider secrets cache
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 11:32:33 -05:00
Andrew Keesler
e3ea141bf3
Reuse helper filter in generic secret gen controller
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 10:37:27 -05:00
Andrew Keesler
b043dae149
Finish first implementation of generic secret generator controller
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-14 10:36:45 -05:00
aram price
3ca877f1df
WIP - preliminary OIDCProviderSecrets controller
Tests not yet passing, controller is incomplete and expectations may be
incorrect.
2020-12-13 17:37:49 -05:00
aram price
3e31668eb0
Refactor some utilitiy methods for sharing. 2020-12-13 17:37:48 -05:00
aram price
9e2213cbae
Rename for clarity
- makes space for OIDCPrivder related controller
2020-12-13 17:37:48 -05:00
Ryan Richard
7cda6628a6
Merge branch 'main' into fosite-settings 2020-12-11 18:19:37 -08:00
Ryan Richard
020fbcf190 Adjust some expectations about the state and nonce lengths 2020-12-11 17:39:58 -08:00
Margo Crawford
2a19dd0d2e Pass prompt through to upstream login request
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-11 17:13:27 -08:00
Margo Crawford
ded28dff15 Update the fosite settings
- AudienceMatchingStrategy: we want to use the default matcher from
  fosite, so remove that line
- AllowedPromptValues: We can use the default if we add a small
  change to the auth_handler.go to account for it (in a future commit)
- MinParameterEntropy: Use the fosite default to make it more likely
  that off the shelf OIDC clients can work with the supervisor

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-11 16:15:50 -08:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-11 15:21:34 -08:00
Andrew Keesler
022dcd1909
Update secretgenerator controller after synchronous review
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 15:37:10 -05:00
Andrew Keesler
e2aad48852
internal/oidc/dynamiccodec: loosen test to reduce flakes
When we try to decode with the wrong decryption key, we could get any number of
error messages, depending on what failure mode we are in (couldn't authenticate
plaintext after decryption, couldn't deserialize, etc.). This change makes the
test weaker, but at least we know we will get an error message in the case where
the decryption key is wrong.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
e17bc31b29
Pass CSRF cookie signing key from controller to cache
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.

Obviously this controller implementation has a lot of issues, but it will at
least get us started.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
22c5b102ed
internal/downward: add support for (optional) pod name
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:27 -05:00
Andrew Keesler
0246e57d7f
Set lifespans on state and CSRF cooking encoding
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:49:22 -05:00
Andrew Keesler
9460b08873
Use just-in-time HMAC signing key fetching in our Fosite config
This pattern is similar to what we did in
58237d0e7d.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-11 11:16:46 -05:00