djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,605 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

1605 Commits

Author SHA1 Message Date
Matt Moyer 3721632de2
Move scope doc out of website to SCOPE.md. 
This is contributor-focused, so we decided to move it into GitHub only for now.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-23 11:11:07 -06:00
Matt Moyer 4de949fe18
Rework docs sidebar to have some nesting. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-23 11:11:07 -06:00
Andrew Keesler 069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-23 12:10:52 -05:00
Mo Khan e74dd47b1d
Merge pull request #439 from enj/enj/f/whoami_api 
Add WhoAmIRequest Aggregated Virtual REST API
 2021-02-23 10:40:38 -05:00
Monis Khan 6a9f57f83d
TestWhoAmI: support older clusters (CSR and impersonation) 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-23 10:15:17 -05:00
Ryan Richard 80ff5c1f17 Fix bug which prevented watches from working through impersonator 
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-02-22 17:23:11 -08:00
Monis Khan aa22047a0f
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-22 20:02:42 -05:00
Monis Khan abc941097c
Add WhoAmIRequest Aggregated Virtual REST API 
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-22 20:02:41 -05:00
Monis Khan 62630d6449
getAggregatedAPIServerScheme: move group version logic internally 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-19 11:10:54 -05:00
Mo Khan f228f022f5
Merge pull request #435 from enj/enj/c/bump_v0.20.4 
Bump Kube deps to v0.20.4
 2021-02-19 10:59:40 -05:00
Monis Khan 1c1decfaf1
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-19 10:33:10 -05:00
Monis Khan 7786c83b0d
Bump kube deps to v0.20.4 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-19 10:26:53 -05:00
Mo Khan 41b75e6977
Merge pull request #431 from enj/enj-patch-1 
concierge API service: update groupPriorityMinimum and versionPriority
 2021-02-19 08:48:06 -05:00
Mo Khan a54e1145a5
concierge API service: update groupPriorityMinimum and versionPriority 
Copy over values that I have seen used in the past.
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-19 07:47:38 -05:00
Ryan Richard b8592a361c Add some comments to concierge_impersonation_proxy_test.go 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-02-18 16:27:03 -08:00
Margo Crawford 19881e4d7f Increase how long we wait for loadbalancers to be deleted for int test 
Also add some log messages which might help us debug issues like this
in the future.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-02-18 15:58:27 -08:00
Ryan Richard 126f9c0da3 certs_manager.go: Rename some local variables 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-02-18 11:16:34 -08:00
Margo Crawford 7a140bf63c concierge_impersonation_proxy_test.go: add an eventually loop 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-02-18 11:08:13 -08:00
Ryan Richard f5fedbb6b2 Add Service resource "delete" permission to Concierge RBAC 
- Because the impersonation proxy config controller needs to be able
  to delete the load balancer which it created

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-02-18 11:00:22 -08:00
Andrew Keesler 957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-18 13:37:28 -05:00
Andrew Keesler b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-18 10:13:24 -05:00
Margo Crawford 22a3e73bac impersonator_config_test.go: use require.Len() when applicable 
Also fix a lint error in concierge_impersonation_proxy_test.go

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-02-17 17:29:56 -08:00
Margo Crawford 0ad91c43f7 ImpersonationConfigController uses servicesinformer 
This is a more reliable way to determine whether the load balancer
is already running.
Also added more unit tests for the load balancer.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-02-17 17:22:13 -08:00
Matt Moyer 2b208807a6
Merge pull request #426 from mattmoyer/website-accessibility-tweaks 
Tweak website styles for accessibility.
 2021-02-17 17:28:03 -06:00
Matt Moyer 25f841d063
Tweak website styles for accessibility. 
Makes most of the fonts a bit bigger, increases contrast, fixes some nits about the spacing in numbered/bulletted lists, and adds some image alt texts.

Overall this improves our Lighthouse accessibility score from 71 to 95 and I think it's subjectively more readable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-17 17:19:58 -06:00
Margo Crawford 10b769c676 Fixed integration tests for load balancer capabilities 2021-02-17 10:55:49 -08:00
Margo Crawford 67da840097 Add loadbalancer for impersonation proxy when needed 2021-02-16 15:57:02 -08:00
Matt Moyer 93d4581721
Workaround a bad module version to fix Dependabot. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 17:05:33 -06:00
Matt Moyer 0a7c5b0604
Merge pull request #403 from mattmoyer/add-latest-generated-package 
Add "go.pinniped.dev/generated/latest" package that is not a nested module.
 2021-02-16 15:30:48 -06:00
Matt Moyer acbeb93f79
Don't lint generated code. 
This wasn't needed before because the other code wasn't in the main module and golangci-lint won't cross a module boundary.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 13:18:18 -06:00
Matt Moyer 6565265bee
Use new 'go.pinniped.dev/generated/latest' package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 13:00:08 -06:00
Matt Moyer b42a34d822
Add generated client code for 'latest'. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 12:34:33 -06:00
Matt Moyer 3ce3403b95
Update ./hack/update.sh to add a "latest" package. 
This is just a copy of the newest Kubernetes version, but as a plain package and not a submodule.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 12:28:29 -06:00
Andrew Keesler eb19980110
internal/concierge/impersonator: set user extra impersonation headers 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-16 09:26:47 -05:00
Andrew Keesler c7905c6638
internal/concierge/impersonator: fail if impersonation headers set 
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-16 08:15:50 -05:00
Andrew Keesler fdd8ef5835
internal/concierge/impersonator: handle custom login API group 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-16 07:55:09 -05:00
Andrew Keesler 25bc8dd8a9
test/integration: hopefully fix TestImpersonationProxy 
I think we were assuming the name of our Concierge app, and getting lucky
because it was the name we use when testing locally (but not in CI).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-15 18:04:21 -05:00
Andrew Keesler 6512ab1351
internal/concierge/impersonator: don't care about namespace 
Concierge APIs are no longer namespaced (see f015ad5852).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-15 17:11:59 -05:00
Ryan Richard 5cd60fa5f9 Move starting/stopping impersonation proxy server to a new controller 
- Watch a configmap to read the configuration of the impersonation
  proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
  Those will come in future commits.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2021-02-11 17:25:52 -08:00
Andrew Keesler fac571b51a
Merge pull request #410 from ankeesler/update-copyright 
generated: include 2021 in copyright
 2021-02-11 12:26:31 -05:00
Andrew Keesler 9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-11 11:03:33 -05:00
Andrew Keesler c8b1f00107
generated: include 2021 in copyright 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-11 10:52:01 -05:00
Mo Khan f015ad5852
Merge pull request #405 from enj/enj/i/cluster_scope_concierge 
Cluster scope all concierge APIs
 2021-02-11 08:50:42 -05:00
Monis Khan b04fd46319
Update federation domain logic to use status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 4c304e4224
Assert all APIs have a status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 0a9f446893
Update credential issuer logic to use status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 96cec59236
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan 4faf724c2c
Make credential issuer status optional 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan de88ae2f61
Fix status related RBAC 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan dd3d1c8b1b
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00