djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,067 Commits 30 Branches 34 Tags 22 MiB
60d4a7beac
Commit Graph

155 Commits

Author SHA1 Message Date
Andrew Keesler
60d4a7beac
Test more filters in SupervisorSecretsController (see 6e8d564013) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 07:58:33 -05:00
aram price
e03e344dcd SecretHelper depends less on OIDCProvider 
This should allow the helper to be more generic so that it can be used
with the SupervisorSecretsController
 2020-12-14 19:35:45 -08:00
aram price
bf86bc3383 Rename for clarity 2020-12-14 18:36:56 -08:00
aram price
b799515f84 Pull symmetricsecrethelper package up to generator 
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
 2020-12-14 17:41:02 -08:00
aram price
b1ee434ddf Rename in preparation for refactor 2020-12-14 16:44:27 -08:00
aram price
6e8d564013 Test filters in SupervisorSecretsController 2020-12-14 16:08:48 -08:00
Andrew Keesler
9c79adcb26 Rename and move some code to perpare for refactor 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-14 14:24:13 -08:00
Aram Price
5b7a86ecc1
Integration test for Supervisor secret controllers 
This forced us to add labels to the CSRF cookie secret, just as we do
for other Supervisor secrets. Yay tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 15:53:12 -05:00
Andrew Keesler
cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:44:01 -05:00
Andrew Keesler
e3ea141bf3
Reuse helper filter in generic secret gen controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:37:27 -05:00
Andrew Keesler
b043dae149
Finish first implementation of generic secret generator controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:36:45 -05:00
aram price
3ca877f1df
WIP - preliminary OIDCProviderSecrets controller 
Tests not yet passing, controller is incomplete and expectations may be
incorrect.
 2020-12-13 17:37:49 -05:00
aram price
3e31668eb0
Refactor some utilitiy methods for sharing. 2020-12-13 17:37:48 -05:00
aram price
9e2213cbae
Rename for clarity 
- makes space for OIDCPrivder related controller
 2020-12-13 17:37:48 -05:00
Ryan Richard
baa1a4a2fc Supervisor storage garbage collection controller enabled in production 
- Also add more log statements to the controller
- Also have the controller apply a rate limit to itself, to avoid
  having a very chatty controller that runs way more often than is
  needed.
- Also add an integration test for the controller's behavior.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-11 15:21:34 -08:00
Andrew Keesler
022dcd1909
Update secretgenerator controller after synchronous review 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 15:37:10 -05:00
Andrew Keesler
e17bc31b29
Pass CSRF cookie signing key from controller to cache 
This also sets the CSRF cookie Secret's OwnerReference to the Pod's grandparent
Deployment so that when the Deployment is cleaned up, then the Secret is as
well.

Obviously this controller implementation has a lot of issues, but it will at
least get us started.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-11 11:49:27 -05:00
Margo Crawford
ed9b3ffce5 Add controller for garbage collecting secrets 
Signed-off-by: Ryan Richard <rrichard@vmware.com>
 2020-12-10 17:34:05 -08:00
aram price
ccac124b7a Fix broken test 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
c3f73ffb57 Check in some musings on a symmetric key generator controller 
There is still a test failing, but I am sure it is a simple fix hiding in the
code. I think this is the general shape of the controller that we want.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-10 17:32:55 -08:00
Andrew Keesler
381a2e749a
impotent -> idempotent 
These words do not mean the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:49 -05:00
Aram Price
9ed5dcb031
Only create underlying jwt authenticator when spec has changed 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:49 -05:00
Andrew Keesler
e0ee18a993
Always close JWTAuthenticator underlying authenticator 
Otherwise we will leak goroutines.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Andrew Keesler
57103e0a9f
Add JWTAuthenticator controller 
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-08 15:41:48 -05:00
Andrew Keesler
58237d0e7d
WIP: start to wire signing key into token handler 
This commit includes a failing test (amongst other compiler failures) for the
dynamic signing key fetcher that we will inject into fosite. We are checking it
in so that we can pass the WIP off.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-03 15:37:25 -05:00
Matt Moyer
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object. 
This allows the token exchange request to be performed with the correct TLS configuration.

We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-02 15:55:33 -06:00
Matt Moyer
d64acbb5a9
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-30 15:22:56 -06:00
Ryan Richard
227fbd63aa Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider 
Because we want it to implement an AuthcodeExchanger interface and
do it in a way that will be more unit test-friendly than the underlying
library that we intend to use inside its implementation.
 2020-11-18 13:38:13 -08:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 16:22:34 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 12:30:38 -06:00
Monis Khan
9c8b081906
Prevent multiple pinnipeds from thrashing on the API service 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-11 20:09:49 -05:00
Monis Khan
15a5332428
Reduce log spam 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-10 10:22:27 -05:00
Matt Moyer
4da3d93f6e
The supervisor JWKS observer and TLS cert controllers use the ctx after all, whoops. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-04 13:08:50 -06:00
Monis Khan
418f4d20ae
Use parent func to indicate when the controller queue is a singleton 
This prevents unnecessary sync loop runs when the controller is
running with a single worker.  When the controller is running with
more than one worker, it prevents subtle bugs that can cause the
controller to go "back in time."

Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-04 11:08:10 -06:00
Matt Moyer
2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 18:15:03 -06:00
Matt Moyer
2b8773aa54
Rename OIDCProviderConfig to OIDCProvider. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:40:39 -06:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:39:42 -06:00
Ryan Richard
75c35e74cc Refactor and add unit tests for previous commit to run agent pod as root 2020-11-02 15:03:37 -08:00
Ryan Richard
a01921012d
kubecertagent: explicitly run as root 
We need root here because the files that this pod reads are
most likely restricted to root access.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:33:46 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling 
Handle custom labels better in the agent pod controllers
 2020-11-02 09:08:42 -08:00
Ryan Richard
7597b12a51 Small unit test changes for deleter_test.go 2020-11-02 08:40:39 -08:00
Ryan Richard
f76b9857da Don't use custom labels when selecting an agent pod 
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
 2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 19:22:46 -05:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider". 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev. 
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 09:58:28 -05:00