Commit Graph

3231 Commits

Author SHA1 Message Date
Matt Moyer
a1593c4b7b Fix linter error in certauthority.
The error was:
```
internal/certauthority/certauthority.go:68:15: err113: do not define dynamic errors, use wrapped static errors instead: "fmt.Errorf(\"expected CA to be a single certificate, found %d certificates\", certCount)" (goerr113)
		return nil, fmt.Errorf("expected CA to be a single certificate, found %d certificates", certCount)
		            ^
exit status 1
```

I'm not sure if I love this err113 linter.
2020-07-27 08:21:19 -05:00
Matt Moyer
8606cc9662 Update loginrequest/REST.Create to issue client certificates.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
613f324a47 Add generated mock for loginrequest.CertIssuer interface.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
d8c7a25487 Extend the REST service to keep a CertIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
07a71236aa Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:52:36 -05:00
Matt Moyer
757d987204 Extend certauthority to support loading an existing CA.
I think we may still split this apart into multiple packages, but for now it works pretty well in both use cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:50:59 -05:00
Ryan Richard
899f736b8c Int test for LoginRequest grants permissions to test user
- Dynamically grant RBAC permission to the test user to allow them
  to make read requests via the API
- Then use the credential returned from the LoginRequest to make a
  request back to the API server which should be successful
2020-07-24 15:57:29 -07:00
Ryan Richard
6001f1f456 Fix a failing unit test and import mistake from previous commits 2020-07-24 14:32:07 -07:00
Ryan Richard
99b35e1a61 Merge branch 'main' into issue-cert 2020-07-24 14:11:06 -07:00
Matt Moyer
e5902533eb Add "--cluster-signing-*-file" flags pointing at a host volume mount.
This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 15:45:49 -05:00
Andrew Keesler
0d667466e8
Merge pull request #26 from ankeesler/proposed-integration-test-cleanup
Condense discovery integration tests
2020-07-24 14:59:05 -04:00
Ryan Richard
9bfec08d90 More tests and more validations for create LoginRequest endpoint
- Mostly testing the way that the validation webhooks are called
- Also error when the auth webhook does not return user info, since we wouldn't know who you are in that case
2020-07-24 11:00:29 -07:00
Andrew Keesler
6cc8a2f8dd WIP: initial integration test for cert issuing 2020-07-24 13:01:58 -04:00
Matt Moyer
6fe7a4c9dc Add a test for when a validation function is passed.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 11:53:06 -05:00
Matt Moyer
924eb1abaa
Merge pull request #25 from cfryanr/finishing_webhook_invocation
Finishing touches on webhook invocation
2020-07-24 11:30:11 -05:00
Matt Moyer
a7748a360e Extend integration tests to check new LoginRequest API semantics.
Signed-off-by: Ryan Richard <richardry@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 11:15:41 -05:00
Matt Moyer
84bb0a9a21 Start returning user info in LoginRequest response.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-24 11:15:41 -05:00
Andrew Keesler
e1f44e2654
Condense discovery integration tests
I think these tests do roughly the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-24 11:17:32 -04:00
Ryan Richard
9af3637403 Bump version of -api dependency
Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-23 17:12:25 -07:00
Ryan Richard
6a93de3931 More validations and error handling for create LoginRequest endpoint 2020-07-23 16:01:55 -07:00
Ryan Richard
6c87c793db Extract test helper for asserting API errors in rest_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-23 09:50:23 -07:00
Mo Khan
5fdc20886d
Initial aggregated API server (#15)
Add initial aggregated API server (squashed from a bunch of commits).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Aram Price <pricear@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 10:05:21 -05:00
Mo Khan
23c1b32a02
Merge pull request #24 from enj/enj/f/controller_lib
Add controller library code
2020-07-22 22:40:33 -04:00
Monis Khan
d4eeb74641
Add initial controller boilerplate and example controller
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-22 22:27:55 -04:00
Matt Moyer
31c4e6560d Drop GitHub Actions (we now have Concourse for PRs).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-20 09:40:07 -05:00
Mo Khan
4b1a7436a9
Merge pull request #22 from enj/enj/i/user_agent
Encode git version info into binary and user agent
2020-07-20 00:41:41 -04:00
Monis Khan
549da37805
Encode git version info into binary and user agent
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-20 00:32:11 -04:00
Mo Khan
240f9f86b1
Merge pull request #21 from enj/enj/i/cleanup_apimachinery
Various clean ups
2020-07-19 01:39:05 -04:00
Monis Khan
b638bd7eeb
Describe why/how we recover type meta using scheme
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:25 -04:00
Monis Khan
5fa5b9a9a9
Do not hard code API version
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:24 -04:00
Monis Khan
9118869d04
Use protobuf with built-in Kube REST APIs
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:24 -04:00
Mo Khan
e92bdbea64
Merge pull request #20 from enj/enj/i/fix_gvk
Restore GVK info that apimachinery decoder unsets
2020-07-18 01:28:27 -04:00
Monis Khan
d71a620a18
Restore GVK info that apimachinery decoder unsets
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-18 01:05:11 -04:00
Ryan Richard
7cac20fc89
Merge pull request #18 from cfryanr/fix_deploy_errors
Fix deploy errors
2020-07-17 14:56:18 -07:00
Ryan Richard
260a271859 Add RBAC for autoregistration
- Also fix mistakes in the deployment.yaml
- Also hardcode the ownerRef kind and version because otherwise we get an error

Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 14:42:02 -07:00
Monis Khan
611859f04a Update dockerfile to use netrc
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 13:26:30 -07:00
Matt Moyer
fd4c6f6a71
Merge pull request #17 from suzerain-io/feature/autoregistration
Add automatic registration of an APIService.
2020-07-17 12:16:23 -05:00
Matt Moyer
092cc26789 Refactor app.go and wire in autoregistration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-17 12:10:33 -05:00
Matt Moyer
a3bce5f42e Add autoregistration package to manage APIService.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-17 10:53:13 -05:00
Matt Moyer
a01970602a Add a package for loading Downward API metadata.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-16 14:25:23 -05:00
Mo Khan
da4f036622
Merge pull request #16 from enj/enj/i/bump_1.19
Bump kube deps to v0.19.0-rc.0
2020-07-15 16:58:24 -04:00
Monis Khan
ffa417f745
Bump kube deps to v0.19.0-rc.0
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-15 16:47:02 -04:00
Matt Moyer
61a4eec144
Merge pull request #10 from ankeesler/ankeesler/initial-tmc-auth
Add webhook and config handling for TMC-integrated token validation
2020-07-14 12:49:48 -05:00
Andrew Keesler
9edae03812
deployment.yaml: update config file format
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-14 12:38:43 -04:00
Andrew Keesler
63f5416b21
Define initial config file format
- Users may want to consume pkg/config to generate configuration files.
- This also involved putting config-related utilities in the config
  package for ease of consumption.
- We did not add in versioning into the Config type for now...this is
  something we will likely do in the future, but it is not deemed
  necessary this early in the project.
- The config file format tries to follow the patterns of Kube. One such
  example of this is requiring the use of base64-encoded CA bundle PEM
  bytes instead of a file path. This also slightly simplifies the config
  file handling because we don't have to 1) read in a file or 2) deal
  with the error case of the file not being there.

- The webhook code from k8s.io/apiserver is really exactly what we want
  here. If this dependency gets too burdensome, we can always drop it,
  but the pros outweigh the cons at the moment.
- Writing out a kubeconfig to disk to configure the webhook is a little
  janky, but hopefully this won't hurt performance too much in the year
  2020.

- Also bonus: call the right *Serve*() function when starting our
  servers.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-14 11:50:28 -04:00
Matt Moyer
5a66b56b93
Merge pull request #13 from suzerain-io/add-ca-code
Add initial CA code.
2020-07-13 16:25:44 -05:00
Matt Moyer
2596ddfa25 Add initial CA code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-13 16:23:54 -05:00
Andrew Keesler
89c8d1183b
Use 'main' branch instead of 'master'
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-10 08:09:06 -04:00
Monis Khan
7da347866b Avoid hard-coding namespace and deployment names in integration tests
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-09 13:57:59 -07:00
Ryan Richard
d3d9cc6fac Change the name of the env var that turns on integration tests
- Trying to use "placeholder-name" or "placeholder_name" everywhere
  that should later be changed to the actual name of the product,
  so we can just do a simple search and replace when we have a name.
2020-07-09 13:43:30 -07:00