ContainerImage.Pinniped

Author	SHA1	Message	Date
aram price	cc5af1a810	Fix lint error Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-18 15:28:56 -08:00
Ryan Richard	2f518b8b7c	TLSCertObserverController Syncs less often by adjusting its filters - Only watches Secrets of type "kubernetes.io/tls" Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-18 15:10:48 -08:00
Ryan Richard	b96d49df0f	Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com>	2020-12-17 11:34:49 -08:00
Margo Crawford	196e43aa48	Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>	2020-12-16 14:27:09 -08:00
Matt Moyer	7dae166a69	Merge branch 'main' into username-and-subject-claims	2020-12-16 15:23:19 -06:00
Ryan Richard	dcb19150fc	Nest claim configs one level deeper in JWTAuthenticatorSpec Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-16 09:42:19 -08:00
aram price	78df80f128	Tests ensure OIDCProvider secrets exist ... whenever one is successfully created.	2020-12-15 18:26:27 -08:00
Ryan Richard	40c6a67631	Merge branch 'main' into username-and-subject-claims	2020-12-15 18:09:44 -08:00
Ryan Richard	91af51d38e	Fix integration tests to work with the username and sub claims Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-15 17:16:08 -08:00
Andrew Keesler	0758ecfea8	Tests wait for OIDCProvider secrets to be set Signed-off-by: aram price <pricear@vmware.com>	2020-12-15 15:46:55 -08:00
Matt Moyer	ff49647de4	Add some missing test logs in test/library/client.go. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:34:50 -06:00
Matt Moyer	e0eba9d5a6	Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:34:50 -06:00
Matt Moyer	8cdcb89cef	Add a library.PinnipedCLIPath() test helper, with caching. Caching saves us a little bit of time now that we're using the CLI in more and more tests. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:34:49 -06:00
Matt Moyer	70fd330178	Add library.CreateTestClusterRoleBinding test helper. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:34:49 -06:00
Matt Moyer	ad5e257600	Add a library.RandHex() test helper. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:34:49 -06:00
Matt Moyer	4088793cc5	Add a .ProxyEnv() helper on the test environment. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:28:04 -06:00
Matt Moyer	f9691208d5	Add library.NewRestConfigFromKubeconfig() test helper. This is extracted from library.NewClientsetForKubeConfig(). It is useful so you can assert properties of the loaded, parsed kubeconfig. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-15 12:28:03 -06:00
Andrew Keesler	50f9b434e7	SameIssuerHostMustUseSameSecret is a valid OIDCProvider status I saw this message in our CI logs, which led me to this fix. could not update status: OIDCProvider.config.supervisor.pinniped.dev "acceptance-provider" is invalid: status.status: Unsupported value: "SameIssuerHostMustUseSameSecret": supported values: "Success", "Duplicate", "Invalid" Also - correct an integration test error message that was misleading. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-15 11:53:53 -05:00
Andrew Keesler	4c0fb12cf6	test/integration: only set JWTAuthenticator CA bundle when it exists See comment in code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-09 10:15:53 -05:00
Andrew Keesler	57103e0a9f	Add JWTAuthenticator controller See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer. Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-12-08 15:41:48 -05:00
Matt Moyer	9455a66be8	This trailing dash is now taken care of by the library method. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 13:56:24 -06:00
Matt Moyer	cb5e494815	Dump out proxy access logs in TestSupervisorLogin. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 11:28:48 -06:00
Matt Moyer	1d44a0cdfa	Add a small integration test library to dump pod logs on test failures. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-03 09:39:33 -06:00
Matt Moyer	1fa41c4d0a	Merge remote-tracking branch 'origin/main' into callback-endpoint	2020-12-03 08:50:31 -06:00
Matt Moyer	37c5e121c4	Fix a test issue with IPv6 localhost interfaces. This fixes a regression introduced by `24c4bc0dd4`. It could occasionally cause the tests to fail when run on a machine with an IPv6 localhost interface. As a fix I added a wrapper for the new Go 1.15 `LookupIP()` method, and created a partially-functional backport for Go 1.14. This should be easy to delete in the future. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 17:49:21 -06:00
Matt Moyer	879525faac	Clean up the browsertest package a bit. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 17:20:24 -06:00
Matt Moyer	0ccf14801e	Expose the MaskTokens function so other test code can use it. This is just a small helper to make test output more readable. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	273ac62ec2	Extend the test client helpers in ./test/library/client.go. This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Matt Moyer	545c26e5fe	Refactor browser-related test functions to a `./test/library/browsertest` package. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-12-02 15:55:34 -06:00
Margo Crawford	d60c184424	Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>	2020-12-01 17:18:32 -08:00
Ryan Richard	f38c150f6a	Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com>	2020-12-01 14:53:22 -08:00
Matt Moyer	bc700d58ae	Split test environment variables so there's a specific supervisor upstream client. Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-20 08:03:06 -06:00
Matt Moyer	b17ac6ec0b	Update integration tests to run Dex over HTTPS. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 20:23:20 -06:00
Matt Moyer	c8b17978a9	Convert CLI tests to work through an HTTP forward proxy. This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-16 17:16:58 -06:00
Matt Moyer	2bf5c8b48b	Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-02 18:15:03 -06:00
Matt Moyer	2b8773aa54	Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-11-02 17:40:39 -06:00
Andrew Keesler	fb3c5749e8	test/integration: protect from NPE and follow doc conventions Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-11-02 11:51:02 -05:00
Matt Moyer	9e1922f1ed	Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 19:22:46 -05:00
Matt Moyer	34da8c7877	Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 15:12:01 -05:00
Matt Moyer	0f25657a35	Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 15:11:53 -05:00
Matt Moyer	e69183aa8a	Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 14:07:40 -05:00
Matt Moyer	81390bba89	Rename `idp.pinniped.dev` to `idp.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-30 14:07:39 -05:00
Ryan Richard	1f1b6c884e	Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command	2020-10-27 14:57:25 -07:00
Matt Moyer	fe3b44b134	Add some verbose logging to TestCLILoginOIDC. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2020-10-22 10:33:37 -05:00
Ryan Richard	52ebd77527	Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)	2020-10-20 16:46:33 -07:00
Ryan Richard	276dff5772	Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet	2020-10-20 15:57:10 -07:00
Ryan Richard	9ba93d66c3	test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-20 17:00:36 -04:00
Ryan Richard	f8e461dfc3	Merge branch 'main' into label_every_resource	2020-10-15 10:19:03 -07:00
Ryan Richard	94f20e57b1	Concierge controllers add labels to all created resources	2020-10-15 10:14:23 -07:00
Andrew Keesler	31225ac7ae	test/integration: reuse CreateTestOIDCProvider helper Signed-off-by: Andrew Keesler <akeesler@vmware.com>	2020-10-15 09:09:49 -04:00

1 2

91 Commits