Commit Graph

3494 Commits

Author SHA1 Message Date
Monis Khan
5ff2be973c
credentialrequest: use safer approximation for ExpirationTimestamp
We want the value of time.Now() to be calculated before the call to
IssueClientCertPEM to prevent the ExpirationTimestamp from being
later than the notAfter timestamp on the issued certificate.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 11:07:00 -04:00
Matt Moyer
73201ba575
Merge pull request #682 from vmware-tanzu/dependabot/docker/debian-10.10-slim
Bump debian from 10.9-slim to 10.10-slim
2021-06-22 19:39:13 -07:00
dependabot[bot]
125d891cd5
Bump debian from 10.9-slim to 10.10-slim
Bumps debian from 10.9-slim to 10.10-slim.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-23 01:02:44 +00:00
Matt Moyer
682a47f739
Merge pull request #680 from mattmoyer/update-k8s-1.21.2
Update to Kubernetes 1.21.2 runtime components.
2021-06-22 10:23:14 -07:00
Matt Moyer
594e47efdf
Update to Kubernetes 1.21.2 runtime components.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-22 11:55:22 -05:00
Mo Khan
f09a45382e
Merge pull request #681 from enj/enj/i/fix_bad_name
Fix bad test package name
2021-06-22 12:54:29 -04:00
Monis Khan
d78b845575
Fix bad test package name
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 11:23:19 -04:00
Mo Khan
1929b47dda
Merge pull request #674 from mattmoyer/new-eventual-assertion-helpers
Improve our integration test "Eventually" assertions.
2021-06-22 11:15:06 -04:00
Matt Moyer
3efa7bdcc2
Improve our integration test "Eventually" assertions.
This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes.

This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-17 16:56:03 -05:00
Matt Moyer
6a9eb87c35
Update ROADMAP.md 2021-06-17 10:17:04 -05:00
Matt Moyer
3eba3e07c6
Merge pull request #669 from vmware-tanzu/dependabot/go_modules/github.com/golang/mock-1.6.0
Bump github.com/golang/mock from 1.5.0 to 1.6.0
2021-06-15 18:49:23 -07:00
dependabot[bot]
9f06869f76
Bump github.com/golang/mock from 1.5.0 to 1.6.0
Bumps [github.com/golang/mock](https://github.com/golang/mock) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/golang/mock/releases)
- [Changelog](https://github.com/golang/mock/blob/master/.goreleaser.yml)
- [Commits](https://github.com/golang/mock/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/golang/mock
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-16 01:22:04 +00:00
Matt Moyer
3f41261580
Merge pull request #673 from mattmoyer/refactor-static-client-struct-second-attempt
Use a custom type for our static CLI client.
2021-06-15 17:37:08 -07:00
Matt Moyer
551249fb69
Use a custom type for our static CLI client (smaller change).
Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the  `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change).

There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example.

This should be 100% refactor, with no user-observable change.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 15:31:48 -05:00
Mo Khan
1a610022cf
Merge pull request #671 from enj/enj/i/eks_rbac
TestServiceAccountPermissions: handle extra permissions on EKS
2021-06-15 11:46:24 -04:00
Monis Khan
524ff21b7f
TestServiceAccountPermissions: handle extra permissions on EKS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-15 11:17:59 -04:00
Matt Moyer
913c140be8
Update the latest version number in the docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 09:46:51 -05:00
Mo Khan
e06c696bea
Merge pull request #670 from enj/enj/f/impersonator_always_authz
impersonator: always authorize every request
2021-06-14 16:16:12 -04:00
Monis Khan
269db6b7c2
impersonator: always authorize every request
This change updates the impersonator to always authorize every
request instead of relying on the Kuberentes API server to perform
the check on the impersonated request.  This protects us from
scenarios where we fail to correctly impersonate the user due to
some bug in our proxy logic.  We still rely completely on the API
server to perform admission checks on the impersonated requests.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-14 12:53:09 -04:00
Monis Khan
addf632e7c
impersonator: add docs regarding limited serivce account
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-11 15:37:55 -04:00
Mo Khan
87489da316
Merge pull request #667 from enj/enj/f/impersonator_distinct_sa
impersonator: run as a distinct SA with minimal permissions
2021-06-11 15:36:28 -04:00
Monis Khan
898f2bf942
impersonator: run as a distinct SA with minimal permissions
This change updates the impersonation proxy code to run as a
distinct service account that only has permission to impersonate
identities.  Thus any future vulnerability that causes the
impersonation headers to be dropped will fail closed instead of
escalating to the concierge's default service account which has
significantly more permissions.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-11 12:13:53 -04:00
Matt Moyer
918c50f6a7
Merge pull request #666 from vmware-tanzu/dependabot/go_modules/gopkg.in/square/go-jose.v2-2.6.0
Bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
2021-06-10 15:06:55 -07:00
Matt Moyer
9ca82116f1
Update ROADMAP.md 2021-06-10 12:45:23 -05:00
Matt Moyer
564c1f8ae5
Update ROADMAP.md 2021-06-10 10:27:20 -05:00
dependabot[bot]
c88aad873b
Bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
Bumps [gopkg.in/square/go-jose.v2](https://github.com/square/go-jose) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/square/go-jose/releases)
- [Commits](https://github.com/square/go-jose/compare/v2.5.1...v2.6.0)

---
updated-dependencies:
- dependency-name: gopkg.in/square/go-jose.v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-08 05:41:45 +00:00
Mo Khan
9d27e6b4c6
Merge pull request #665 from enj/enj/i/impersonator_dead_code
impersonator: remove redundant deleteKnownImpersonationHeaders logic
2021-06-04 16:12:08 -04:00
Monis Khan
5b327a2b37
impersonator: remove redundant deleteKnownImpersonationHeaders logic
WithImpersonation already deletes impersonation headers and has done
so since the early days:

https://github.com/kubernetes/kubernetes/pull/36769

ensureNoImpersonationHeaders will still reject any request that has
impersonation headers set so we will always fail closed.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-04 15:22:01 -04:00
Matt Moyer
7114988eec
Merge pull request #663 from vmware-tanzu/dependabot/docker/golang-1.16.5
Bump golang from 1.16.4 to 1.16.5
2021-06-04 09:20:44 -05:00
Mo Khan
3a47060256
Merge pull request #645 from enj/enj/f/anon_impersonation_proxy
impersonator: honor anonymous authentication being disabled
2021-06-04 09:28:14 -04:00
Benjamin A. Petersen
492f6cfddf
impersonator: honor anonymous authentication being disabled
When anonymous authentication is disabled, the impersonation proxy
will no longer authenticate anonymous requests other than calls to
the token credential request API (this API is used to retrieve
credentials and thus must be accessed anonymously).

Signed-off-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-04 09:00:56 -04:00
dependabot[bot]
f417f706b9
Bump golang from 1.16.4 to 1.16.5
Bumps golang from 1.16.4 to 1.16.5.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-04 06:00:24 +00:00
Matt Moyer
02335e2ade
Bump the latest version referenced in the docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 17:25:32 -05:00
Matt Moyer
9b9e733a7d
Merge pull request #662 from mattmoyer/parameterize-test-images
Parameterize our test images in ytt.
2021-06-03 15:53:13 -05:00
Matt Moyer
df78e00df3
Parameterize our test images in ytt.
These are images we use for local and some CI testing.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 15:25:09 -05:00
Matt Moyer
b5ed4e6a13
Merge pull request #660 from mattmoyer/fix-credentialissuer-service-type-field-typo
Fix typo in CredentialIssuer ytt template.
2021-06-03 14:01:14 -05:00
Matt Moyer
500b444bad
Merge pull request #657 from vmware-tanzu/fix-ldap-supervisor-login-test-flake
Avoid a rare flake in TestSupervisorLogin.
2021-06-03 13:31:15 -05:00
Matt Moyer
d3e2859238
Merge pull request #658 from vmware-tanzu/fix-impersonation-notfound-handling
Tolerate NotFound when deleting services in `impersonatorconfig`.
2021-06-03 13:30:54 -05:00
Matt Moyer
5686591420
Avoid a rare flake in TestSupervisorLogin.
There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:13:56 -05:00
Matt Moyer
6903196c18
Fix a data race in TestImpersonationProxy.
The `require.Eventually()` function runs the body of the check in a separate goroutine, so it's not safe to use other `require` assertions as we did here. Our `library.RequireEventuallyWithoutError()` function does not spawn a goroutine, so it's safer to use here.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00
Matt Moyer
af4cd1b515
Tolerate NotFound when deleting services in impersonatorconfig.
When a CredentialIssuer is switched from one service type to another (or switched to disabled mode), the `impersonatorconfig` controller will delete the previous Service, if any. Normally one Concierge pod will succeed to delete this initially and any other pods will see a NotFound error.

Before this change, the NotFound would bubble up and cause the strategy to enter a ErrorDuringSetup status until the next reconcile loop. We now handle this case without reporting an error.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00
Matt Moyer
2acfafd5a5
Merge pull request #656 from vmware-tanzu/fix-credentialissuer-test-flake
Remove an invalid test assertion in TestCredentialIssuer.
2021-06-03 12:03:22 -05:00
anjalitelang
a5067cdbb3
Update ROADMAP.md
Updating Roadmap for June to reflect Device Code Flow and AD support
2021-06-03 12:33:36 -04:00
Matt Moyer
5aa08756e0
Fix typo in CredentialIssuer ytt template.
This typo wasn't caught in testing because 1) the Kubernetes API ignores the unknown field and 2) the `type` field defaults to `LoadBalancer` anyway, so things behave as expected.

Even though this doesn't cause any large problems, it's quite confusing.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 14:48:18 -05:00
Matt Moyer
0e66b0b165
Remove an invalid test assertion in TestCredentialIssuer.
The LastUpdateTime is no longer updated on every resync. It only changes if the underlying status has changed, so that it effectively shows when the transition happened.

This change happened in ab750f48aa, but we missed this test. It only fails when it has been more than ten minutes since the CredentialIssuer transitioned into a healthy state, but that can happen in our long-running CI environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 12:05:02 -05:00
Matt Moyer
87660611d2
Tweak blog post to add a shoutout.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 11:28:54 -05:00
Matt Moyer
9968c0d234
Fix my fix 🤦🏻 . 2021-06-02 11:06:03 -05:00
Matt Moyer
193fcb87bb
Fix a typo on the "Community Meetings" time.
We had "PT" twice, when one of them should have been "ET".
2021-06-02 11:05:29 -05:00
Ryan Richard
a08e4ec043
Update architecture.md 2021-06-02 08:54:04 -07:00
Matt Moyer
e38a7548cc
Link the v0.9.0 release from the blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:24:17 -05:00