Commit Graph

3421 Commits

Author SHA1 Message Date
Mo Khan
696c2b9133
Merge pull request #609 from enj/enj/t/eks_uid_nested_impersonation
impersonation proxy test: handle admin users with UID such as on EKS
2021-05-10 10:35:26 -04:00
Mo Khan
0770682bf9
impersonation proxy test: handle admin users with UID such as on EKS
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 09:21:45 -04:00
Mo Khan
88ff3164a2
Merge pull request #608 from enj/enj/i/discovery_keep_oidc_err
upstreamwatcher: do not truncate explicit oidc errors
2021-05-10 09:18:13 -04:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Matt Moyer
9fc7f43245
Merge pull request #607 from mattmoyer/fix-eks-nested-impersonation-tests
Fix TestImpersonationProxy on EKS.
2021-05-07 16:46:40 -05:00
Matt Moyer
47f5e822d0
Fix TestImpersonationProxy on EKS.
The admin kubeconfigs we have on EKS clusters are a bit different from others, because there is no certificate/key (EKS does not use certificate auth).

This code didn't quite work correctly in that case. The fix is to allow the case where `tlsConfig.GetClientCertificate` is non-nil, but returns a value with no certificates.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-07 16:22:08 -05:00
Mo Khan
cc99d9aeb4
Merge pull request #606 from enj/enj/i/log_discovery_err
upstreamwatcher: preserve oidc discovery error
2021-05-07 16:56:52 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Matt Moyer
a08a28d67b
Merge pull request #603 from vmware-tanzu/dependabot/docker/golang-1.16.4
Bump golang from 1.16.3 to 1.16.4
2021-05-07 06:58:13 -05:00
dependabot[bot]
2634c9f04a
Bump golang from 1.16.3 to 1.16.4
Bumps golang from 1.16.3 to 1.16.4.

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 05:49:58 +00:00
Margo Crawford
29a1ca5168
Merge pull request #602 from vmware-tanzu/access-token-lifetime
Change access token storage lifetime to be the same as the refresh token's
2021-05-06 14:39:52 -07:00
Margo Crawford
5240f5e84a Change access token storage lifetime to be the same as the refresh token's
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Matt Moyer
a8bccc5432
Merge pull request #599 from mattmoyer/docs-tweak-configure-supervisor-with-gitlab
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
2021-05-04 17:32:14 -05:00
Matt Moyer
f167a075dd
Clean up this language in configure-supervisor-with-gitlab.md a bit more.
This was duplicitive.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
8136c787a7
More adjustments to configure-supervisor-with-gitlab.md.
- Use `nickname` claim as an example, which means we only need the `openid` scope.
  This is also more stable since emails can change over time.

- Put the OIDCIdentityProvider and Secret into one YAML blob, since they will likely be copy-pasted together anyway.

- Add a separate section for using alternate claims.

- Add a separate section for using a private GitLab instance.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
3e13b5f39d
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
Some minor edits I came across while reviewing this:

- Capitalize "GitLab" the way they do.

- Use `{{< ref "xyz" >}}` references when linking internally. The advantage of these is that they're "type checked" by Hugo when the site is rendered, so we'll know if we ever break one.

- Add links to the GitLab docs about creating an OAuth client. These also cover adding a group-level or instance-wide application.

- Re-wrap the YAML lines to fit a bit more naturally.

- Add a `namespace` to the YAML examples, so they're more likely to work without tweaks.

- Use "gitlab" instead of "my-oidc-identity-provider" as the example name, for clarity.

- Re-word a few small bits. These are 100% subjective but hopefully an improvement?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Margo Crawford
1a2940c278
Merge pull request #560 from vmware-tanzu/client-debug-logging
Client debug logging
2021-05-04 13:46:47 -07:00
Mo Khan
4bb0fdeddd
Merge pull request #598 from enj/enj/i/gc_tz
supervisor gc: use singleton queue
2021-05-04 15:08:06 -04:00
Monis Khan
4ce77c4837
supervisor gc: use singleton queue
The supervisor treats all events the same hence it must use a
singleton queue.

Updated the integration test to remove the data race caused by
calling methods on testing.T outside of the main test go routine.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-04 14:44:55 -04:00
Matt Moyer
1586171876
Merge pull request #595 from mattmoyer/fix-psp-related-regression
Fix PSP-related regression since kube-cert-agent change in #569.
2021-05-04 11:04:16 -05:00
Matt Moyer
165bef7809
Split out kube-cert-agent service account and bindings.
Followup on the previous comment to split apart the ServiceAccount of the kube-cert-agent and the main concierge pod. This is a bit cleaner and ensures that in testing our main Concierge pod never requires any privileged permissions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 10:09:33 -05:00
Matt Moyer
b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount.
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00
Ryan Richard
71e38d232e login.go discards logs by default
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-03 09:13:18 -07:00
Margo Crawford
778c194cc4 Autodetection with multiple idps in discovery document
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 17:14:28 -07:00
Margo Crawford
a8754b5658 Refactor: extract helper func from runGetKubeconfig()
- Reduces the cyclomatic complexity of the function

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 15:00:54 -07:00
Ryan Richard
1c66ffd5ff WIP: add supervisor upstream flags to pinniped get kubeconfig
- And perform auto-discovery when the flags are not set
- Several TODOs remain which will be addressed in the next commit

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-30 14:28:03 -07:00
Margo Crawford
ab94b97f4a Change login.go to use logr.logger 2021-04-30 12:10:04 -07:00
Margo Crawford
d6a172214d
Merge pull request #587 from vmware-tanzu/supervisor-gitlab-docs
Added documentation for how to configure the Supervisor with GitLab
2021-04-30 11:01:22 -07:00
Mo Khan
638fa7ba27
Merge pull request #592 from enj/enj/t/valueless_ctx_2
valuelesscontext: make unit tests more clear
2021-04-30 11:07:32 -04:00
Monis Khan
b5ffab6330
valuelesscontext: make unit tests more clear
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 10:43:29 -04:00
Mo Khan
8556a638a2
Merge pull request #591 from enj/enj/t/valueless_ctx
valuelesscontext: add some unit tests
2021-04-30 10:10:48 -04:00
Monis Khan
44c7f8daf0
valuelesscontext: add some unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 09:45:34 -04:00
Mo Khan
1efa4da80c
Merge pull request #590 from enj/enj/f/sa_authn_impersonation_proxy
impersonator: add support for service account token authentication
2021-04-29 17:53:27 -04:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID.  This
allows us to support service account tokens (as well as any other
form of token based authentication).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Mo Khan
9e4f601a3f
Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
2021-04-29 07:47:06 -04:00
Monis Khan
bb7e7fe81e
webhookcachefiller: be stricter about CA bundle validation
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 05:49:06 -04:00
Ryan Richard
10c4cb4493 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-04-28 14:28:32 -07:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Margo Crawford
bed2d2dd62 Incorporated PR feedback 2021-04-28 13:34:36 -07:00
Ryan Richard
4bd83add35 Add Supervisor upstream IDP discovery on the server-side 2021-04-28 13:14:21 -07:00
Margo Crawford
90b2854032 Avoid using global logger in login.go 2021-04-28 09:34:42 -07:00
Ryan Richard
5c62a9d0bd More adjustments based on PR feedback 2021-04-27 16:54:26 -07:00
Margo Crawford
96fda6ed13 Added documentation for how to configure the Supervisor with GitLab 2021-04-27 16:18:30 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a Merge branch 'main' into initial_ldap 2021-04-27 10:12:43 -07:00
Ryan Richard
67a568811a Make prepare-for-integration-tests.sh work on linux too
- The linux base64 command is different, so avoid using it at all.
  On linux the default is to split the output into multiple lines,
  which messes up the integration-test-env file. The flag used to
  disable this behavior on linux ("-w0") does not exist on MacOS's
  base64.
- On debian linux, the latest version of Docker from apt-get still
  requires DOCKER_BUILDKIT=1 or else it barfs.
2021-04-27 10:10:02 -07:00
Matt Moyer
620a4d55b7
Merge pull request #584 from mattmoyer/fix-broken-readme-link
Fix a broken docs link in our README.
2021-04-26 13:23:35 -07:00
Matt Moyer
a52872cd03
Fix a broken docs link in our README.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 13:48:17 -06:00
Matt Moyer
0dfb3e95c5
Merge pull request #569 from mattmoyer/use-deployment-for-kube-cert-agent
Refactor kube-cert-agent controllers to use a Deployment.
2021-04-26 09:25:37 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00