djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,016 Commits 30 Branches 34 Tags 22 MiB
5a0918afde
Commit Graph

1016 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ryan Richard
05cf56a0fa
Merge pull request #180 from vmware-tanzu/limits 
Add CPU/memory limits to our deployments
 2020-11-02 16:22:37 -08:00
Ryan Richard
5a0e7fd358 Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
Matt Moyer
2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 18:15:03 -06:00
Ryan Richard
05233963fb Add CPU requests and limits to the Concierge and Supervisor deployments 2020-11-02 15:47:20 -08:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:39:42 -06:00
Matt Moyer
b13a8075e4
Merge pull request #183 from vmware-tanzu/non-root 
Run as non-root
 2020-11-02 17:39:14 -06:00
Ryan Richard
d596f8c3e5 Empty commit to trigger CI 2020-11-02 15:18:39 -08:00
Ryan Richard
75c35e74cc Refactor and add unit tests for previous commit to run agent pod as root 2020-11-02 15:03:37 -08:00
Matt Moyer
e4f4cd7ca0
Merge pull request #181 from mattmoyer/add-psp-cluster-role-permission 
Give the concierge access to use any PodSecurityPolicy.
 2020-11-02 15:35:56 -06:00
Ryan Richard
a01921012d
kubecertagent: explicitly run as root 
We need root here because the files that this pod reads are
most likely restricted to root access.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:33:46 -05:00
Ryan Richard
2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:32:50 -05:00
Matt Moyer
935577f8e7
Give the concierge access to use any PodSecurityPolicy. 
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.

This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 15:10:00 -06:00
Ryan Richard
781f86d18c
deploy: add memory limits 
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.

The limits == requests for "Guaranteed" QoS.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 14:57:39 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root 
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 12:51:15 -05:00
Andrew Keesler
7639d5e161
Merge pull request #178 from ankeesler/test-cleanup 
test/integration: protect from NPE and follow doc conventions
 2020-11-02 12:22:34 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling 
Handle custom labels better in the agent pod controllers
 2020-11-02 09:08:42 -08:00
Andrew Keesler
fb3c5749e8
test/integration: protect from NPE and follow doc conventions 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 11:51:02 -05:00
Ryan Richard
7597b12a51 Small unit test changes for deleter_test.go 2020-11-02 08:40:39 -08:00
Matt Moyer
5bbfc35d27
Merge pull request #175 from mattmoyer/split-config-apis 
Split the config CRDs into two API groups.
 2020-10-30 19:42:03 -05:00
Ryan Richard
f76b9857da Don't use custom labels when selecting an agent pod 
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
 2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 19:22:46 -05:00
Ryan Richard
01f4fdb5c3 Remove namespace from a ClusterRoleBinding, which are not namespaced 2020-10-30 16:10:04 -07:00
Andrew Keesler
a5379c08e2 Whitespace-only change in two files 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-30 15:18:40 -07:00
Matt Moyer
ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp 
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
 2020-10-30 15:50:39 -05:00
Ryan Richard
4b7592feaf Skip a part of an integration test which is not so easy with real Ingress 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-30 13:19:34 -07:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider". 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:39 -05:00
Matt Moyer
59431a3d3d
Merge pull request #173 from mattmoyer/parallel-codegen 
Do codegen across all version in parallel.
 2020-10-30 13:45:21 -05:00
Matt Moyer
9760c03617
Do codegen across all version in parallel. 
This only matters for local development, since we don't use this script directly in CI. Makes the full codegen ste take ~90s on my laptop.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 11:12:53 -05:00
Matt Moyer
8b8ffc21c4
Merge pull request #172 from mattmoyer/rename-login-api 
Rename login API to `login.concierge.pinniped.dev`.
 2020-10-30 10:23:45 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev. 
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 09:58:28 -05:00
Ryan Richard
3277e778ea Add a comment to an integration test 2020-10-29 15:42:22 -07:00
Ryan Richard
9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints 
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
 2020-10-28 17:15:11 -07:00
Ryan Richard
059b6e885f Allow ytt templating of the loadBalancerIP for the supervisor 2020-10-28 16:45:23 -07:00
Ryan Richard
4af508981a Make default TLS secret name from app name in supervisor_discovery_test.go 2020-10-28 16:11:19 -07:00
Ryan Richard
a007fc3bd3 Form paths correctly when the path arg is empty in supervisor_discovery_test.go 2020-10-28 15:22:53 -07:00
Ryan Richard
c52874250a Fix a mistake in supervisor_discovery_test.go 
- Should not fail when the default TLS cert does not exist in the
  test cluster before the test started
 2020-10-28 14:25:01 -07:00
Ryan Richard
01dddd3cae Add some docs for configuring supervisor TLS 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-28 13:42:02 -07:00
Andrew Keesler
bd04570e51 supervisor_discovery_test.go tests hostnames are treated as case-insensitive 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-28 13:09:20 -07:00
Ryan Richard
8ff64d4c1a Require https scheme for OIDCProviderConfig Issuer field 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-28 12:49:41 -07:00
Andrew Keesler
2542a8e175 Stash and restore any pre-existing default TLS cert in supervisor_discovery_test.go 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-28 12:32:21 -07:00
Ryan Richard
29e0ce5662 Configure name of the supervisor default TLS cert secret via ConfigMap 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-28 11:56:50 -07:00
Ryan Richard
978ecda758 Test SNI & default certs being used at the same time in integration test 2020-10-28 08:58:50 -07:00
Ryan Richard
170d3a3993 Forgot to commit some test fixtures in a prior commit 2020-10-27 17:00:00 -07:00
Ryan Richard
2777c4e9f3 Update prepare-for-integration-tests.sh to use ./hack/kind-{up,down}.sh 2020-10-27 16:56:53 -07:00
Ryan Richard
38802c2184 Add a way to set a default supervisor TLS cert for when SNI won't work 
- Setting a Secret in the supervisor's namespace with a special name
  will cause it to get picked up and served as the supervisor's TLS
  cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
  issuer and the user will be accessing it via IP address. This
  is not how we would expect it to be used in production, but it
  might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
  Close() in lines like `defer x.Close()` to make GoLand happier
 2020-10-27 16:33:08 -07:00