Commit Graph

1745 Commits

Author SHA1 Message Date
dependabot[bot]
f05c3092b5
Bump github.com/go-openapi/spec from 0.19.9 to 0.20.3
Bumps [github.com/go-openapi/spec](https://github.com/go-openapi/spec) from 0.19.9 to 0.20.3.
- [Release notes](https://github.com/go-openapi/spec/releases)
- [Commits](https://github.com/go-openapi/spec/compare/v0.19.9...v0.20.3)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
dependabot[bot]
2637dc00da
Bump golang from 1.15.8 to 1.16.0
Bumps golang from 1.15.8 to 1.16.0.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
Matt Moyer
e8365d2c57
Merge pull request #467 from mattmoyer/fix-docs-title
Fix missing titles on website docs.
2021-03-01 11:35:56 -06:00
Matt Moyer
dd151b3f50
Fix missing titles on website docs.
Also fixes our sitemap to have correct `lastmod` times when built locally (it was already correct on Netlify).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 11:31:27 -06:00
Ryan Richard
f1eeae8c71 Parse out ports from impersonation proxy endpoint config
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 15:01:38 -08:00
Ryan Richard
41e4a74b57 impersonator_config_test.go: more small refactoring of test helpers 2021-02-26 13:53:30 -08:00
Margo Crawford
fa49beb623 Change length of TLS certs and CA.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 12:05:17 -08:00
Margo Crawford
9bd206cedb impersonator_config_test.go: small refactor of test helpers
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 11:27:19 -08:00
Ryan Richard
5b01e4be2d impersonator_config.go: handle more error cases
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 10:58:56 -08:00
Ryan Richard
bbbb40994d Prefer hostnames over IPs when making certs to match load balancer ingress
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 17:03:34 -08:00
Margo Crawford
f709da5569 Updated test assertions for new logger version
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:18:36 -08:00
Margo Crawford
ccb17843c1 Fix some lint errors that resulted from merging main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:06:24 -08:00
Ryan Richard
f8111db5ff Merge branch 'main' into impersonation-proxy 2021-02-25 14:50:40 -08:00
Ryan Richard
3fcde8088c concierge_impersonation_proxy_test.go: Make it work on more clusters
Should work on cluster which have:
- load balancers not supported, has squid proxy (e.g. kind)
- load balancers supported, has squid proxy (e.g. EKS)
- load balancers supported, no squid proxy (e.g. GKE)

When testing with a load balancer, call the impersonation proxy through
the load balancer.

Also, added a new library.RequireNeverWithoutError() helper.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 14:40:18 -08:00
Matt Moyer
f937ae2c07
Add --concierge-credential-issuer flag to "pinniped get kubeconfig" command.
This flag selects a CredentialIssuer to use when detecting what mode the Concierge is in on a cluster. If not specified, the command will look for a single CredentialIssuer. If there are multiple, then the flag is required.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Matt Moyer
1c7c22352f
Switch "get kubeconfig" flags to use --concierge-mode flag instead of boolean flag.
This is the same as the previous change to the login commands.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Ryan Richard
0cae72b391 Get hostname from load balancer ingress to use for impersonator certs
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 11:40:14 -08:00
Margo Crawford
9a8c80f20a Impersonator checks cert addresses when endpoint config is a hostname
Also update concierge_impersonation_proxy_test.go integration test
to use real TLS when calling the impersonator.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 10:27:19 -08:00
Matt Moyer
a42e3708aa
Merge pull request #453 from mattmoyer/bump-dependencies
Bump a bunch of minor dependencies.
2021-02-25 09:33:53 -06:00
Matt Moyer
c8fc8a0b65
Reformat some log-based test assertions.
These are prone to breaking when stdr is upgraded because they rely on the exact ordering of keys in the log message. If we have more problems we can rewrite the assertions to be more robust, but for this time I'm just fixing them to match the new output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 08:11:37 -06:00
Margo Crawford
8fc68a4b21 WIP improved cert management in impersonator config
- Allows Endpoint to be a hostname, not just an IP address

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 17:08:58 -08:00
Margo Crawford
975d493b8a Fix some small lint errors
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 16:09:15 -08:00
Ryan Richard
aee7a7a72b More WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 16:03:26 -08:00
Matt Moyer
a31c24e5a0
Bump a bunch of minor dependencies.
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.6.1 to 1.7.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.6.1...v1.7.0)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Commits](https://github.com/go-logr/logr/compare/v0.3.0...v0.4.0)

Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.4.0...v2.5.0)

Bumps [github.com/go-logr/stdr](https://github.com/go-logr/stdr) from 0.2.0 to 0.4.0.
- [Release notes](https://github.com/go-logr/stdr/releases)
- [Commits](https://github.com/go-logr/stdr/compare/v0.2.0...v0.4.0)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.1.1 to 1.1.3.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.1.1...v1.1.3)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 17:37:29 -06:00
Matt Moyer
943b0ff6ec
Switch login flags to use --concierge-mode flag instead of boolean flag.
The login commands now expect either `--concierge-mode ImpersonationProxy` or `--concierge-mode TokenCredentialRequestAPI` (the default).

This is partly a style choice, but I also think it helps in case we need to add a third major mode of operation at some point.

I also cleaned up some other minor style items in the help text.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 17:09:08 -06:00
Ryan Richard
d42c533fbb WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 10:57:36 -08:00
Matt Moyer
4dbde4cf7f
Fix TestImpersonationProxy on Kubernetes 1.20 with RootCAConfigMap.
There is a new feature in 1.20 that creates a ConfigMap by default in each namespace: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#introducing-rootcaconfigmap

This broke this test because it assumed that all the ConfigMaps in the ephemeral test namespace were those created by the test code. The fix is to add a test label and rewrite our assertions to filter with it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 12:08:41 -06:00
Matt Moyer
7be8927d5e
Add generated code for new CredentialIssuer API fields.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 10:47:06 -06:00
Matt Moyer
96d7743eab
Add CredentialIssuer API fields for impersonation proxy.
Adds a new optional `spec.impersonationProxyInfo` field to hold the URL and CA data for the impersonation proxy, as well as some additional status condition constants for describing the current status of the impersonation proxy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 10:45:25 -06:00
Matt Moyer
2254f76b30
Fix a broken link, a typo, and tweak menu text.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 09:23:21 -06:00
Matt Moyer
852c1b7a27
Fix some copy-paste errors on install-supervisor.md.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 16:02:27 -06:00
Matt Moyer
522210adb6
Merge pull request #447 from mattmoyer/website-security-headers
Add security headers to the website.
2021-02-23 14:39:31 -06:00
Matt Moyer
a4089fcc72
Add security headers to the website.
The one bit of JS we have for the mobile menu needed some tweaking.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 14:38:05 -06:00
Matt Moyer
60034b39a3
Fix wording on website hero text.
Requested by @pabloschuhmacher as a small fix.
2021-02-23 12:17:26 -08:00
Matt Moyer
2f7c80a5e0
Merge pull request #446 from mattmoyer/more-website-tweaks
More website tweaks.
2021-02-23 14:13:27 -06:00
Matt Moyer
827e6e0dc0
More website tweaks.
These are some more changes that came up when Pablo and I were reviewing the previous docs PR.

In no particular order:

- Fix "related posts" on the blog section, and hide the section if there are none.

- Minor style changes to several pages (guided by various style guides).

- Redirect the root of get.pinniped.dev to our main page (shouldn't really be hit, but it's nice to do something).

- Add more mobile-friendly CSS for our docs.

- Reword the "getting started" CTA, and hide it on the docs pages (you're already there).

- Fix the "Learn how Pinniped provides identity services to Kubernetes" link on the landing page.

- Add a date to our blog post cards.

- Rewrite the hero text on the landing page.

- Fix the docs link for the "Get Started with Pinniped" button on the landing page.

- Rework the landing page grid text.

- Add Margo and Nanci to the team section and sort it alphabetically.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 14:03:37 -06:00
Margo Crawford
dac1c9939e concierge_impersonation_proxy_test.go: Test all the verbs
Also:
- Shut down the informer correctly in
  concierge_impersonation_proxy_test.go
- Remove the t.Failed() checks which avoid cleaning up after failed
  tests. This was inconsistent with how most of the tests work, and
  left cruft on clusters when a test failed.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-23 10:38:32 -08:00
Matt Moyer
a6d74ea876
Merge pull request #443 from mattmoyer/reorg-docs
Restructure website documentation
2021-02-23 11:12:32 -06:00
Matt Moyer
7a1d92a8d4
Restructure docs into new layout.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Matt Moyer
f2db76a0d5
Fix typo in multiple-pinnipeds post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Matt Moyer
3721632de2
Move scope doc out of website to SCOPE.md.
This is contributor-focused, so we decided to move it into GitHub only for now.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Matt Moyer
4de949fe18
Rework docs sidebar to have some nesting.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Mo Khan
e74dd47b1d
Merge pull request #439 from enj/enj/f/whoami_api
Add WhoAmIRequest Aggregated Virtual REST API
2021-02-23 10:40:38 -05:00
Monis Khan
6a9f57f83d
TestWhoAmI: support older clusters (CSR and impersonation)
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-23 10:15:17 -05:00
Ryan Richard
80ff5c1f17 Fix bug which prevented watches from working through impersonator
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
aa22047a0f
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:42 -05:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Monis Khan
62630d6449
getAggregatedAPIServerScheme: move group version logic internally
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 11:10:54 -05:00
Mo Khan
f228f022f5
Merge pull request #435 from enj/enj/c/bump_v0.20.4
Bump Kube deps to v0.20.4
2021-02-19 10:59:40 -05:00