Commit Graph

1813 Commits

Author SHA1 Message Date
Monis Khan
521adffb17
impersonation proxy: add nested impersonation support
This change updates the impersonator logic to use the delegated
authorizer for all non-rest verbs such as impersonate.  This allows
it to correctly perform authorization checks for incoming requests
that set impersonation headers while not performing unnecessary
checks that are already handled by KAS.

The audit layer is enabled to track the original user who made the
request.  This information is then included in a reserved extra
field original-user-info.impersonation-proxy.concierge.pinniped.dev
as a JSON blob.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:46 -04:00
Ryan Richard
70d607d87e prepare-supervisor-on-kind.sh was accidentally double base64 encoding
$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE was recently
changed to be a base64 encoded value, so this script does not need to
base64 encode the value itself anymore.
2021-04-16 18:32:30 -07:00
Matt Moyer
9dfa1f5ee5
Update ROADMAP.md
Update ROADMAP.md with Pablo.
2021-04-15 13:43:01 -05:00
Ryan Richard
f63ded99bc Add a flag for skipping chromedriver version check to hack script 2021-04-15 10:27:00 -07:00
Andrew Keesler
e7b7b597ff
Merge pull request #570 from vmware-tanzu/add-ok-amba-to-adopters
Add OK a.m.b.a. to adopters.md file
2021-04-15 09:22:16 -04:00
Andrew Keesler
e5da119000
Merge branch 'main' into add-ok-amba-to-adopters 2021-04-15 08:56:02 -04:00
Ryan Richard
923938ab26 Avoid multi-line integration test env vars
Avoid them because they can't be used in GoLand for running integration
tests in the UI, like running in the debugger.

Also adds optional PINNIPED_TEST_TOOLS_NAMESPACE because we need it
on the LDAP feature branch where we are developing the upcoming LDAP
support for the Supervisor.
2021-04-14 17:26:12 -07:00
Nanci Lancaster
352d4dc5b1
Add OK a.m.b.a. to adopters.md file
Adding just logo for now. Use case will come at a later time.
2021-04-14 18:38:11 -05:00
Matt Moyer
dab7b57da0
Merge pull request #556 from microwavables/add-search-function-to-docs
added search functionality to docs on Pinniped.dev
2021-04-09 12:42:27 -07:00
Matt Moyer
12d35583c5
Merge pull request #566 from mattmoyer/upgrade-kubernetes-1.21
Upgrade to client-go and apimachinery from Kubernetes 1.21.0.
2021-04-09 11:27:09 -07:00
Matt Moyer
599c537d24
Remove metav1.ExportOptions from scheme tests.
This type was removed in Kubernetes v1.21.0 (see https://github.com/kubernetes/kubernetes/pull/98312).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 13:00:50 -05:00
Matt Moyer
38f3ea3f2f
Upgrade to client-go and apimachinery from Kubernetes 1.21.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 13:00:49 -05:00
Matt Moyer
e450a348c5
Merge pull request #565 from mattmoyer/cleanup-test-file
Remove proxy-kubeconfig.yaml.
2021-04-09 09:59:56 -07:00
Matt Moyer
11d820be06
Remove proxy-kubeconfig.yaml.
I don't believe this is used by any tests or docs. I think it was for some initial local testing of the impersonation proxy?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 11:33:50 -05:00
Matt Moyer
63816aa3ba
Disable Content-Security-Policy for now.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 10:58:39 -05:00
Nanci Lancaster
e5314164c5
added search functionality to docs on Pinniped.dev
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-04-09 10:58:39 -05:00
Matt Moyer
abf606ab72
Merge pull request #563 from mattmoyer/cli-caching-enhancements
CLI cluster-specific credentials enhancements (followup to #562)
2021-04-08 16:48:48 -07:00
Matt Moyer
b59a4f3fec
Use a temporary directory for credential cache in CLI tests.
This avoids polluting the main cache directory on developer machines.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 18:14:21 -05:00
Matt Moyer
3b461572ea
Add cluster info to cache key for cluster-specific credential cache.
This isn't strictly necessary because we currently always have the concierge endpoint and CA as CLI flags, but it doesn't hurt and it's better to err on the side of _not_ reusing a cache entry.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 17:12:59 -05:00
Matt Moyer
271c006b6c
Add --credential-cache flag to "pinniped get kubeconfig" and tweak usage messages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 16:57:18 -05:00
Matt Moyer
043cefcd9f
Merge pull request #562 from mattmoyer/add-cluster-credential-caching
Add cluster-specific credential caching to login subcommands.
2021-04-08 12:59:23 -07:00
Matt Moyer
2296faaeef
Add CLI caching of cluster-specific credentials.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 14:12:34 -05:00
Matt Moyer
fec24d307e
Fix missing normalization in pkg/oidcclient/filesession.
We have some nice normalization code in this package to remove expired or otherwise malformed cache entries, but we weren't calling it in the appropriate place.

Added calls to normalize the cache data structure before and after each transaction, and added test cases to ensure that it's being called.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 14:12:34 -05:00
Margo Crawford
64b13043ed
Merge pull request #561 from vmware-tanzu/Adding-OK-amba-to-adopters-file
Added Ok amba logo for adopters file
2021-04-08 11:51:40 -07:00
Nanci Lancaster
5501b5aa13
Added Ok amba logo for adopters file 2021-04-08 11:48:06 -05:00
Ryan Richard
9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
9cd2b6e855
Merge pull request #552 from mattmoyer/nicer-generated-kubeconfig-names
Generate more helpful context/cluster/user names in `pinniped get kubeconfig`
2021-04-05 11:35:07 -07:00
Matt Moyer
4e25bcd4b2
Generate more helpful context/cluster/user names in pinniped get kubeconfig
Before this change, the "context", "cluster", and "user" fields in generated kubeconfig YAML were always hardcoded to "pinniped". This could be confusing if you generated many kubeconfigs for different clusters.

After this change, the fields will be copied from their names in the original kubeconfig, suffixed with "-pinniped". This suffix can be overridden by setting the new `--generated-name-suffix` CLI flag.

The goal of this change is that you can distinguish between kubeconfigs generated for different clusters, as well as being able to distinguish between the Pinniped and original (admin) kubeconfigs for a cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 12:36:02 -05:00
Matt Moyer
5add31d263
Merge pull request #545 from vmware-tanzu/dependabot/docker/golang-1.16.3
Bump golang from 1.16.2 to 1.16.3
2021-04-05 08:58:23 -07:00
Matt Moyer
88c4335b4b
Display blog posts in reverse order by date.
This is a minor style tweak.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:54:00 -05:00
Matt Moyer
623830bf1f
Fix a typo on the timezones on the website.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:50:10 -05:00
dependabot[bot]
30f476e1ac
Bump golang from 1.16.2 to 1.16.3
Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-02 05:56:43 +00:00
Pinny
7b82b7a010 Update CLI docs for v0.7.0 release 2021-04-01 19:15:23 +00:00
Matt Moyer
44bf925c3e
Merge pull request #544 from mattmoyer/blog-post-v0.7.0
Add a blog post about the v0.7.0 release.
2021-04-01 11:03:09 -07:00
Matt Moyer
d2a6d7689f
Add a small note about our test grid, and mention some limitations of the first version.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 13:02:24 -05:00
Matt Moyer
23dbd7cab6
Extract out a common shortcode for the "join the community" blurb we put at the end of each blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 11:55:17 -05:00
Matt Moyer
e4321cb369
Add v0.7.0 blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 11:55:17 -05:00
Matt Moyer
ad66f67dc9
Rename existing posts for clarity.
This doesn't change the generated HTML at all, as far as I can tell.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 23:20:48 -05:00
Matt Moyer
55bc3dee7f
Merge pull request #543 from mattmoyer/fix-head-version-string-validation
Fix missing "v".
2021-03-31 14:54:26 -07:00
Ryan Richard
fdbeb213fb
Merge pull request #540 from vmware-tanzu/prepare-supervisor-on-kind.sh
Add hack/prepare-supervisor-on-kind.sh
2021-03-31 13:47:32 -07:00
Ryan Richard
1817d6c751
Merge branch 'main' into prepare-supervisor-on-kind.sh 2021-03-31 13:47:13 -07:00
Matt Moyer
476cc98e5a
Fix missing "v".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:41:44 -05:00
Matt Moyer
4cbf4959f2
Merge pull request #542 from mattmoyer/fix-head-version-string-validation
Use "0.0.0" as our fake version instead of "?.?.?" to avoid a panic.
2021-03-31 13:36:22 -07:00
Matt Moyer
e4e4e686f6
Use "0.0.0" as our fake version instead of "?.?.?" to avoid a panic.
These values need to pass the validation in k8s.io/component-base/metrics: https://github.com/kubernetes/component-base/blob/v0.20.5/metrics/version_parser.go#L28-L50

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:03:40 -05:00
Ryan Richard
d5be37673a
Merge branch 'main' into prepare-supervisor-on-kind.sh 2021-03-31 11:42:06 -07:00
Ryan Richard
7bb5657c4d Add hack/prepare-supervisor-on-kind.sh
A demo of running the Supervisor and Concierge on
a kind cluster. Can be used to quickly set up an
environment for manual testing.

Also added some missing copyright headers to other
hack scripts.
2021-03-31 11:39:10 -07:00
Matt Moyer
fe9f12a29c
Merge pull request #539 from mattmoyer/upgrade-kubernetes-deps
Upgrade to prereleased Kubernetes v1.20.5++ dependencies.
2021-03-31 11:21:54 -07:00
Matt Moyer
bea75bb7ac
Upgrade to prereleased Kubernetes v1.20.5++ dependencies.
These commits include security fixes (CVE-2021-3121) for code generated by github.com/gogo/protobuf.
We expect this fix to also land in v1.20.6, but we don't want to wait for it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 12:53:41 -05:00
Matt Moyer
081de8da62
Merge pull request #538 from vmware-tanzu/dependabot/docker/debian-10.9-slim
Bump debian from 10.8-slim to 10.9-slim
2021-03-31 06:00:27 -07:00