Commit Graph

2238 Commits

Author SHA1 Message Date
Mo Khan
46304c8137
Merge pull request #775 from enj/enj/i/dynamiccert_no_unload
impersonatorconfig: only unload dynamiccert when proxy is disabled
2021-08-16 16:36:03 -04:00
Monis Khan
7a812ac5ed
impersonatorconfig: only unload dynamiccert when proxy is disabled
In the upstream dynamiccertificates package, we rely on two pieces
of code:

1. DynamicServingCertificateController.newTLSContent which calls
   - clientCA.CurrentCABundleContent
   - servingCert.CurrentCertKeyContent
2. unionCAContent.VerifyOptions which calls
   - unionCAContent.CurrentCABundleContent

This results in calls to our tlsServingCertDynamicCertProvider and
impersonationSigningCertProvider.  If we Unset these providers, we
subtly break these consumers.  At best this results in test slowness
and flakes while we wait for reconcile loops to converge.  At worst,
it results in actual errors during runtime.  For example, we
previously would Unset the impersonationSigningCertProvider on any
sync loop error (even a transient one caused by a network blip or
a conflict between writes from different replicas of the concierge).
This would cause us to transiently fail to issue new certificates
from the token credential require API.  It would also cause us to
transiently fail to authenticate previously issued client certs
(which results in occasional Unauthorized errors in CI).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-16 16:07:46 -04:00
Mo Khan
bb30569e41
Merge pull request #780 from enj/enj/i/browser_stderr
cli: prevent browser output from breaking ExecCredential output
2021-08-16 10:34:33 -04:00
Monis Khan
942c55cf51
cli: prevent browser output from breaking ExecCredential output
This change updates the pinniped CLI entrypoint to prevent browser
processes that we spawn from polluting our std out stream.

For example, chrome will print the following message to std out:

Opening in existing browser session.

Which leads to the following incomprehensible error message from
kubectl:

Unable to connect to the server: getting credentials:
decoding stdout: couldn't get version/kind; json parse error:
json: cannot unmarshal string into Go value of type struct
{ APIVersion string "json:\"apiVersion,omitempty\"";
  Kind string "json:\"kind,omitempty\"" }

This would only occur on the initial login when we opened the
browser.  Since credentials would be cached afterwards, kubectl
would work as expected for future invocations as no browser was
opened.

I could not think of a good way to actually test this change.  There
is a clear gap in our integration tests - we never actually launch a
browser in the exact same way a user does - we instead open a chrome
driver at the login URL as a subprocess of the integration test
binary and not the pinniped CLI.  Thus even if the chrome driver was
writing to std out, we would not notice any issues.

It is also unclear if there is a good way to prevent future related
bugs since std out is global to the process.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-16 09:13:57 -04:00
anjalitelang
592563124b
Update ROADMAP.md
Updated the roadmap to reflect the Non-Interactive Password based Login support we delivered in July for LDAP and TBD in Aug for OIDC
2021-08-12 11:08:27 -04:00
Mo Khan
c4d7e5c124
Merge pull request #770 from enj/enj/i/bump_1.22.0
Bump to Go 1.16.7 and Kube v0.22.0
2021-08-10 12:29:35 -04:00
Monis Khan
34fd0ea2e2
impersonation proxy: assert nested UID impersonation is disallowed
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-10 00:03:33 -04:00
Monis Khan
5678fc6196
login: update tests for new client exec code
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:55 -04:00
Monis Khan
4a17e1e736
impersonator: update tests for new Impersonate-Uid code
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:54 -04:00
Monis Khan
724acdca1d
Update tests for new CSR duration code
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:50 -04:00
Monis Khan
a027f1ae2c
jwtcachefiller: update to use CAContentProvider
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:25 -04:00
Monis Khan
d2891554a4
remove google.golang.org/grpc pin
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 19:16:14 -04:00
Monis Khan
25b4d82d87
Bump to Go 1.16.7 and Kube v0.22.0
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-09 15:32:13 -04:00
Mo Khan
01ddc7ac36
Merge pull request #738 from mattmoyer/distroless
Switch to a slimmer distroless base image
2021-08-09 15:31:17 -04:00
Matt Moyer
58bbffded4
Switch to a slimmer distroless base image.
At a high level, it switches us to a distroless base container image, but that also includes several related bits:

- Add a writable /tmp but make the rest of our filesystems read-only at runtime.

- Condense our main server binaries into a single pinniped-server binary. This saves a bunch of space in
  the image due to duplicated library code. The correct behavior is dispatched based on `os.Args[0]`, and
  the `pinniped-server` binary is symlinked to `pinniped-concierge` and `pinniped-supervisor`.

- Strip debug symbols from our binaries. These aren't really useful in a distroless image anyway and all the
  normal stuff you'd expect to work, such as stack traces, still does.

- Add a separate `pinniped-concierge-kube-cert-agent` binary with "sleep" and "print" functionality instead of
  using builtin /bin/sleep and /bin/cat for the kube-cert-agent. This is split from the main server binary
  because the loading/init time of the main server binary was too large for the tiny resource footprint we
  established in our kube-cert-agent PodSpec. Using a separate binary eliminates this issue and the extra
  binary adds only around 1.5MiB of image size.

- Switch the kube-cert-agent code to use a JSON `{"tls.crt": "<b64 cert>", "tls.key": "<b64 key>"}` format.
  This is more robust to unexpected input formatting than the old code, which simply concatenated the files
  with some extra newlines and split on whitespace.

- Update integration tests that made now-invalid assumptions about the `pinniped-server` image.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-09 15:05:13 -04:00
Matt Moyer
a464c81711
Bump latest version on website.
We accidentally missed this in the v0.10.0 release process. The new YAML field here should make it easier to automate this step, which seems like a really good idea.
2021-08-03 09:21:54 -05:00
Mo Khan
f18cbcd9a6
Merge pull request #763 from enj/enj/i/eks_slow_test
concierge_impersonation_proxy_test: run slowly for EKS
2021-08-01 18:21:54 -04:00
Monis Khan
ac7d65c4a8
concierge_impersonation_proxy_test: run slowly for EKS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-01 18:19:53 -04:00
Matt Moyer
65fa47cbcd
Link to the release from our v0.10.0 blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-30 16:35:38 -05:00
Matt Moyer
a06b38d2cd
Merge pull request #760 from mattmoyer/add-v0.10.0-blog-post
Add v0.10.0 blog post.
2021-07-30 16:21:36 -05:00
Matt Moyer
7773fb8afe
Add v0.10.0 blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-30 15:30:56 -05:00
Matt Moyer
f4badb3961
Merge pull request #758 from mattmoyer/use-plain-authcode-prompt
Fix broken TTY after manual auth code prompt.
2021-07-30 13:50:27 -05:00
Matt Moyer
1e32530d7b
Fix broken TTY after manual auth code prompt.
This may be a temporary fix. It switches the manual auth code prompt to use `promptForValue()` instead of `promptForSecret()`. The `promptForSecret()` function no longer supports cancellation (the v0.9.2 behavior) and the method of cancelling in `promptForValue()` is now based on running the blocking read in a background goroutine, which is allowed to block forever or leak (which is not important for our CLI use case).

This means that the authorization code is now visible in the user's terminal, but this is really not a big deal because of PKCE and the limited lifetime of an auth code.

The main goroutine now correctly waits for the "manual prompt" goroutine to clean up, which now includes printing the extra newline that would normally have been entered by the user in the manual flow.

The text of the manual login prompt is updated to be more concise and less scary (don't use the word "fail").

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-30 12:45:44 -05:00
Matt Moyer
0ab8e14e4a
Merge pull request #755 from mattmoyer/update-installation-docs
Update installation documentation
2021-07-29 17:54:23 -05:00
Mo Khan
f1109afa79
Merge pull request #757 from enj/enj/t/dns_hacks
concierge_impersonation_proxy_test: check all forms of DNS
2021-07-29 15:51:22 -04:00
Monis Khan
22be97eeda
concierge_impersonation_proxy_test: check all forms of DNS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-29 13:35:37 -04:00
Matt Moyer
d23f3c9428
Update ROADMAP.md 2021-07-29 10:22:43 -05:00
Matt Moyer
c3e037b24e
Fix a broken link in .../docs/howto/configure-supervisor.md.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-29 09:56:00 -05:00
Matt Moyer
62afb34877
Fix command typo and expand description of values.yaml a bit.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-29 08:45:19 -05:00
Matt Moyer
fd5ed2e5da
Rework "install" sections of our docs.
- Remove all the "latest" links and replace them with our new shortcode so they point at the latest release in a more explicit way.
  This also eliminates one of the sections in our Concierge and Supervisor install guides, since you're always installing a specific version.

- Provide instructions for installing with both kapp (one step) and kubectl (two steps for the Concierge).

- Minor wording changes. Mainly we are now a bit less verbose about reminding people they can choose a different version (once per page instead of in each step).

- When we give an example `kapp deploy` command, don't suggest `--yes` and `--diff-changes`.
  Users can still use these but it seems overly verbose for an example command.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-29 08:45:19 -05:00
Matt Moyer
ca82609d1a
Create a site parameter and shortcode for "latestversion".
This gives us a single line of YAML to edit when we want to bump our docs to the latest version number.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-29 08:45:18 -05:00
Ryan Richard
d73093a694 Avoid failures due to impersonation Service having unrelated annotations 2021-07-28 14:19:14 -07:00
Matt Moyer
85560299e0
Merge pull request #754 from mattmoyer/fix-TestLegacyPodCleaner-flake
Relax the timeout for TestLegacyPodCleaner a bit.
2021-07-28 12:43:08 -06:00
Matt Moyer
b42b1c1110
Relax the timeout for TestLegacyPodCleaner a bit.
This test is asynchronously waiting for the controller to do something, and in some of our test environments it will take a bit longer than we'd previously allowed.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 13:08:57 -05:00
Matt Moyer
84733405d0
Merge pull request #753 from mattmoyer/fix-e2e-test-assertion
Fix backwards condition in E2E test assertion.
2021-07-28 12:07:00 -06:00
Matt Moyer
48c8fabb5c
Fix backwards condition in E2E test assertion.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 12:40:07 -05:00
Matt Moyer
1f51159d22
Merge pull request #752 from mattmoyer/fix-impersonator-config-controller-informers
Add ClusterIP service to impersonator-config-controller informer.
2021-07-28 11:28:30 -06:00
Matt Moyer
5f679059d5
Add ClusterIP service to impersonator-config-controller informer.
Prior to this fix, this controller did not correctly react to changes to the ClusterIP service. It would still eventually react with a long delay due to our 5 minute resync interval.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 11:57:18 -05:00
Ryan Richard
8afbb4eb4f
Merge pull request #744 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.20
Bump github.com/tdewolff/minify/v2 from 2.9.19 to 2.9.20
2021-07-28 09:08:22 -07:00
Ryan Richard
c9b4598fa0
Merge pull request #745 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.14
Bump github.com/creack/pty from 1.1.13 to 1.1.14
2021-07-28 09:08:03 -07:00
Mo Khan
ef33846d7d
Merge pull request #747 from enj/enj/i/delete_race
certs_expirer: be specific about what secret to delete
2021-07-28 10:32:17 -04:00
Monis Khan
8b4ed86071
certs_expirer: be specific about what secret to delete
This change fixes a race that can occur because we have multiple
writers with no leader election lock.

1. TestAPIServingCertificateAutoCreationAndRotation/automatic
   expires the current serving certificate
2. CertsExpirerController 1 deletes expired serving certificate
3. CertsExpirerController 2 starts deletion of expired serving
   certificate but has not done so yet
4. CertsManagerController 1 creates new serving certificate
5. TestAPIServingCertificateAutoCreationAndRotation/automatic
   records the new serving certificate
6. CertsExpirerController 2 finishes deletion, and thus deletes the
   newly created serving certificate instead of the old one
7. CertsManagerController 2 creates new serving certificate
8. TestAPIServingCertificateAutoCreationAndRotation/automatic keeps
   running and eventually times out because it is expecting the
   serving certificate created by CertsManagerController 2 to match
   the value it recorded from CertsManagerController 1 (which will
   never happen since that certificate was incorrectly deleted).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-07-28 09:56:05 -04:00
Mo Khan
8b74dd824b
Merge pull request #748 from mattmoyer/fix-css-text-wrapping
Fix form_post CSS styling in Firefox and Safari.
2021-07-28 09:55:39 -04:00
Matt Moyer
727035a2dc
Fix form_post CSS styling in Firefox and Safari.
This functioned fine, but did not have the intended visual appearance when it came to how the text of the auth code wrapped inside the copy button in the manual flow.

The new styling behaves correctly on at least Chrome, Firefox, and Safari on macOS.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-28 08:09:20 -05:00
dependabot[bot]
fc82fde585
Bump github.com/tdewolff/minify/v2 from 2.9.19 to 2.9.20
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.9.19 to 2.9.20.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.9.19...v2.9.20)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-07-28 00:03:48 +00:00
dependabot[bot]
f352db8072
Bump github.com/creack/pty from 1.1.13 to 1.1.14
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.13 to 1.1.14.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.13...v1.1.14)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-07-28 00:03:39 +00:00
Matt Moyer
22a66c1192
Merge pull request #746 from mattmoyer/fix-windows-build
Fix CLI compilation on Windows.
2021-07-27 16:15:01 -06:00
Matt Moyer
8e8af51955
Fix CLI compilation on Windows.
It turns out that `syscall.Stdin` is of type `int` on Linux and macOS, but not on Windows (it's `syscall.Handle`). This should now be portable and do all the require type casting on every platform.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-27 16:10:05 -05:00
Ryan Richard
d5759c9951
Merge pull request #739 from vmware-tanzu/merge_impersonator_service_annotations
Carefully merge desired annotations into impersonation proxy Service
2021-07-27 12:40:31 -07:00
Ryan Richard
bf99348faf
Merge branch 'main' into merge_impersonator_service_annotations 2021-07-27 12:40:02 -07:00