62651eddb0
Took care of some impersonation cluster ip related todos
2021-05-20 11:57:07 -07:00
ec25259901
Update impersonatorconfig controller to use new CredentialIssuer update helper.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-20 12:26:07 -05:00
e4dd83887a
Merge remote-tracking branch 'origin/main' into credentialissuer-spec-api
2021-05-20 10:53:53 -05:00
562942cdbf
Merge pull request #627 from mattmoyer/use-informers-for-credentialissuer-updates
...
Create CredentialIssuer at install, not runtime.
2021-05-20 10:13:41 -05:00
63c39454f6
WIP on impersonation clusterip service
2021-05-19 17:00:28 -07:00
657488fe90
Create CredentialIssuer at install, not runtime.
...
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.
With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.
This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
9e61640c92
LoadBalancerIP updated dynamically
2021-05-19 14:16:15 -07:00
3bb95f1de2
Give kubeclient_test some default values for credentialissuer spec
2021-05-19 11:56:54 -07:00
0b66321902
Changes to make the linter pass
2021-05-19 11:05:35 -07:00
297a484948
Add more validation and update tests for impersonationProxy as pointer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 12:42:31 -05:00
13372a43e6
Update generated code from previous commit.
2021-05-19 11:41:35 -05:00
54e0b83146
Update API so that impersonationProxy spec is a pointer.
2021-05-19 11:41:17 -05:00
94c370ac85
Annotations for impersonation load balancer
2021-05-18 16:54:59 -07:00
eaea3471ec
Validation for service type none and external endpoint none
...
Also added a few more test cases for provisioning a load balancer
2021-05-18 13:50:52 -07:00
4a785e73e6
WIP fixing impersonatorconfig tests
2021-05-18 14:54:04 -05:00
51f1a0ec13
WIP: not using impersonator.config just credentialissuer directly
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 12:16:27 -07:00
9af3cb1115
Change impersonation integration test to use CredentialIssuer spec
...
rather than a configmap
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-18 09:51:11 -07:00
18ccf11905
Update impersonatorconfig controller to use CredentialIssuer API instead of ConfigMap.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 09:50:35 -07:00
1a131e64fe
Start deploying an initial CredentialIssuer in our install YAML.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
e885114221
Add generated code from adding spec fields to CredentialIssuer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
26da763962
Add spec fields to CredentialIssuer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
4a456446ff
Update doc comments for types_credentialissuer.go.tmpl.
...
Update to follow https://golang.org/doc/effective_go#commentary :
> The first sentence should be a one-sentence summary that starts with the name being declared.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
efeb25b8eb
Merge pull request #619 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.12
...
Bump github.com/creack/pty from 1.1.11 to 1.1.12
2021-05-18 09:16:27 -05:00
f595e81dbb
Bump github.com/creack/pty from 1.1.11 to 1.1.12
...
Bumps [github.com/creack/pty](https://github.com/creack/pty ) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/creack/pty/releases )
- [Commits](https://github.com/creack/pty/compare/v1.1.11...v1.1.12 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-18 05:56:45 +00:00
0f5f72829b
Merge pull request #594 from enj/enj/i/tcr_strict_user_info
...
cred req: disallow lossy user info translations
2021-05-17 19:28:21 -04:00
f40fd29c7c
local-user-authenticator: stop setting UID
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:45 -04:00
35479e2978
cred req: disallow lossy user info translations
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
99099fd32f
Yet more debugging of tests which only fail in main CI
2021-05-17 14:20:41 -07:00
8c660f09bc
More debugging of tests which only fail in main CI
2021-05-17 13:53:17 -07:00
ac431ddc6d
Add more to failure message in test which only fails in main CI
2021-05-17 12:57:34 -07:00
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
...
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
20b1c41bf5
Experiment to see if we can ignore `read /dev/ptmx: input/output error`
...
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
f5bf8978a3
Cache ResourceVersion of the validated bind Secret in memory
...
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
...
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
609883c49e
Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint
2021-05-13 13:07:31 -07:00
f15fc66e06
`pinniped get kubeconfig` refactor to use oidc.NewProvider for discovery
...
- Note that this adds an extra check of the response, which is that
the issuer string in the response must match issuer of the requested
URL.
- Some of the error messages also changed to match the errors provided
by oidc.NewProvider
2021-05-13 12:27:42 -07:00
6479015caf
Remove timeout so this test doesnt take forever
2021-05-13 10:23:44 -07:00
67dca688d7
Add an API version to the Supervisor IDP discovery endpoint
...
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
b391d5ae02
Also check that the authcode storage is around for a while
2021-05-12 14:22:14 -07:00
29ca8acab4
oidc_upstream_watcher.go: two methods become private funcs
2021-05-12 14:05:08 -07:00
1ae3c6a1ad
Split package upstreamwatchers into four packages
2021-05-12 14:00:39 -07:00
22092e9aed
Missed a usage of int64Ptr in previous commit
2021-05-12 14:00:26 -07:00
874f938fc7
unit test for garbage collection time for refresh and access tokens
2021-05-12 13:55:54 -07:00
4804c837d4
Insignificant change in ldap_upstream_watcher_test.go
2021-05-12 13:37:01 -07:00
f0652c1ce1
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 13:20:00 -07:00
044443f315
Rename `X-Pinniped-Idp-*` headers to `Pinniped-*`
...
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
9ca72fcd30
login.go: Respect `overallTimeout` for LDAP login-related http requests
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
3008d1a85c
Log slow LDAP authentication attempts for debugging purposes
2021-05-12 11:59:48 -07:00
6c2a775c9b
Use proxy for `pinniped get kubeconfig` in hack/prepare-supervisor-on-kind.sh
...
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
Margo Crawford