Andrew Keesler
3e45bfc97d
internal/controller/issuerconfig: Publisher -> KubeConfigInfoPublisher
...
The new symbol more specifically describes what the controller does.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:58:01 -04:00
Andrew Keesler
a55e9de4fc
Use existing clock test double to get kubecertagent units passing
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:50:45 -04:00
Ryan Richard
eb0d9a15fc
WIP: start replacing the kubecertauthority pkg with a new controller
...
- Lots of TODOs added that need to be resolved to finish this WIP
- execer_test.go seems like it should be passing, but it fails (sigh)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-22 17:45:20 -07:00
Andrew Keesler
db9a97721f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy
2020-09-22 11:54:47 -04:00
Matt Moyer
3578d7cb9a
Merge pull request #128 from mattmoyer/add-idp-selector
...
Support multiple IDPs by adding IdentityProvider selector to TokenCredentialRequest spec.
2020-09-22 10:51:44 -05:00
Andrew Keesler
83920db502
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy
2020-09-22 11:39:07 -04:00
Andrew Keesler
1a4f9e3466
kubecertagent: get integration tests passing again
...
Note: the non-kubecertagent integration tests are still failing :).
2020-09-22 11:38:13 -04:00
Matt Moyer
e574a99c5e
Add an integration test that tries to use a non-existent IDP.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:16:47 -05:00
Matt Moyer
16ef2baf8a
Sort idpcache keys to make things as deterministic as possible.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
9beb3855b5
Create webhooks per-test and explicitly in demo.md instead of with ytt in `./deploy`.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
81f2362543
Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
07f0181fa3
Add IDP selection to get-kubeconfig command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
481308215d
Pass namespace properly in client.ExchangeToken.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
381fd51e13
Refactor get_kubeconfig.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
541336b997
Fix docstring for exchange credential CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
6cdd4a9506
Add support for multiple IDPs selected using IdentityProvider field.
...
This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
fbe0551426
Add IDP selector support in client code.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
164f64a370
Add IdentityProvider field to TokenCredentialRequestSpec.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Ryan Richard
526be79b11
Finish WIP from previous commits: agent pods created in install namespace
2020-09-21 17:15:36 -07:00
Ryan Richard
820f1e977e
Continue the WIP from the previous commit: finish adding second informer
...
- All of the `kubecertagent` controllers now take two informers
- This is moving in the direction of creating the agent pods in the
  Pinniped installation namespace, but that will come in a future
  commit
2020-09-21 16:37:22 -07:00
Andrew Keesler
50258fc569
WIP: start to create kube-cert-agent pods in namespace
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-21 16:27:00 -04:00
Ryan Richard
0d3ad0085d
Fix lint error from previous commit
2020-09-21 12:30:53 -07:00
Ryan Richard
cfb76a538c
Refactor kubectl exec test in TestCLI to avoid assuming any RBAC settings
2020-09-21 11:40:11 -07:00
Andrew Keesler
e18b6fdddc
deploy: add kube-cert-agent deployment knobs
2020-09-21 14:16:32 -04:00
Andrew Keesler
5a608cc84c
Add kube-cert-agent controller for getting kube API keypair
2020-09-21 14:16:14 -04:00
Ryan Richard
49145791cc
Merge pull request #127 from vmware-tanzu/rename_stuff
...
Rename many of the resources that are created in Kubernetes by Pinniped
2020-09-18 16:58:44 -07:00
Ryan Richard
6989e5da63
Merge branch 'main' into rename_stuff
2020-09-18 16:39:58 -07:00
Ryan Richard
a2365b1cce
Remove `-count 1` from unit test running in module.sh
2020-09-18 15:58:22 -07:00
Ryan Richard
80a520390b
Rename many of the resources that are created in Kubernetes by Pinniped
...
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Matt Moyer
86e1c99dcd
Merge pull request #126 from mattmoyer/remove-old-apis
...
Remove deprecated "pinniped.dev" API group.
2020-09-18 17:52:14 -05:00
Matt Moyer
78ac27c262
Remove deprecated "pinniped.dev" API group.
...
This has been replaced by the "login.pinniped.dev" group with a slightly different API.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 17:32:15 -05:00
Pinny
f86a5244a6
Merge pull request #125 from mattmoyer/remove-old-apis
...
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
2020-09-18 16:55:09 -05:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
98490b1a1b
Merge pull request #124 from mattmoyer/add-vanity-imports
...
Add Go vanity import paths.
2020-09-18 15:18:32 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Ryan Richard
24f962f1b8
Ignore a lint err in cli_test.go
2020-09-18 10:52:31 -07:00
Ryan Richard
2ecb43154b
Enhance TestCLI integration test so it can catch mistakes with env vars
...
- Also remove a log statement from a test which caused a lot of extra
  output when the tests are run with `go test -v`
2020-09-18 10:27:15 -07:00
Ryan Richard
dba951fe89
Note that CLI warning can be ignored in demo.md
2020-09-18 09:24:04 -07:00
Ryan Richard
245854b85a
Update demo.md
2020-09-18 09:11:56 -07:00
Andrew Keesler
5867f3699c
Merge pull request #123 from ankeesler/kubernetes-deep-equal
...
internal/controller/issuerconfig: use Kubernetes DeepEqual
2020-09-18 07:48:57 -04:00
Ryan Richard
7d5f57f923
PR template is not working, so trying moving it up one directory
2020-09-17 16:36:33 -07:00
Ryan Richard
2d497cbd36
Update the demo; most importantly remove the base64 decoding of the CA
...
- The `webhook_ca_bundle` ytt value should be base64 encoded
2020-09-17 16:08:45 -07:00
Ryan Richard
eabe51c446
local-user-authenticator can be deployed from a private registry image
...
- Also add more comments to the values.yaml files to make the options
  more clear
2020-09-17 16:07:31 -07:00
Ryan Richard
a479450940
CLI's `get-kubeconfig` subcommand now also sets PINNIPED_NAMESPACE env var
2020-09-17 16:05:56 -07:00
Andrew Keesler
b523e5832c
internal/controller/issuerconfig: use Kubernetes DeepEqual
...
I learned this here:
https://github.com/kubernetes/apimachinery/issues/75#issuecomment-550150929
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-17 17:35:14 -04:00
Ryan Richard
079e07a51f
Fix mistake in ytt/kapp command in demo.md
2020-09-17 14:07:18 -07:00
Matt Moyer
025940d4f1
Merge pull request #121 from mattmoyer/switch-orgs
...
Update module/package names to match GitHub org switch.
2020-09-17 13:24:56 -05:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Ryan Richard
4c9cbf0706
Remove mention of things not yet implemented from architecture.md
2020-09-17 09:10:35 -07:00
Matt Moyer
a70a4766d2
Merge pull request #92 from suzerain-io/dependabot/docker/golang-1.15.2
...
Bump golang from 1.15.1 to 1.15.2
2020-09-17 10:24:04 -05:00