Commit Graph

71 Commits

Author SHA1 Message Date
Andrew Keesler
6d047c151f
Fix kubecertagent deleter test to reconcile on pod template fields
I think we want to reconcile on these pod template fields so that if
someone were to redeploy Pinniped with a new image for the agent, the
agent would get updated immediately. Before this change, the agent image
wouldn't get updated until the agent pod was deleted.
2020-09-23 11:30:13 -04:00
Andrew Keesler
9735122db9
Wire in kubecertagent.NewExecerController() to server
Also fill in a couple of low-hanging unit tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 11:01:41 -04:00
Andrew Keesler
6c555f94e3
internal/provider -> internal/dynamiccert
3 main reasons:
- The cert and key that we store in this object are not always used for TLS.
- The package name "provider" was a little too generic.
- dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:29:35 -04:00
Andrew Keesler
3e45bfc97d
internal/controller/issuerconfig: Publisher -> KubeConfigInfoPublisher
The new symbol more specifically describes what the controller does.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:58:01 -04:00
Andrew Keesler
a55e9de4fc
Use existing clock test double to get kubecertagent units passing
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:50:45 -04:00
Ryan Richard
eb0d9a15fc WIP: start replacing the kubecertauthority pkg with a new controller
- Lots of TODOs added that need to be resolved to finish this WIP
- execer_test.go seems like it should be passing, but it fails (sigh)

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-22 17:45:20 -07:00
Andrew Keesler
db9a97721f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy 2020-09-22 11:54:47 -04:00
Matt Moyer
16ef2baf8a
Sort idpcache keys to make things as deterministic as possible.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
81f2362543
Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
6cdd4a9506
Add support for multiple IDPs selected using IdentityProvider field.
This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Ryan Richard
526be79b11 Finish WIP from previous commits: agent pods created in install namespace 2020-09-21 17:15:36 -07:00
Ryan Richard
820f1e977e Continue the WIP from the previous commit: finish adding second informer
- All of the `kubecertagent` controllers now take two informers
- This is moving in the direction of creating the agent pods in the
  Pinniped installation namespace, but that will come in a future
  commit
2020-09-21 16:37:22 -07:00
Andrew Keesler
50258fc569
WIP: start to create kube-cert-agent pods in namespace
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-21 16:27:00 -04:00
Andrew Keesler
5a608cc84c
Add kube-cert-agent controller for getting kube API keypair 2020-09-21 14:16:14 -04:00
Ryan Richard
6989e5da63 Merge branch 'main' into rename_stuff 2020-09-18 16:39:58 -07:00
Ryan Richard
80a520390b Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Matt Moyer
78ac27c262
Remove deprecated "pinniped.dev" API group.
This has been replaced by the "login.pinniped.dev" group with a slightly different API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 17:32:15 -05:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Andrew Keesler
b523e5832c
internal/controller/issuerconfig: use Kubernetes DeepEqual
I learned this here:
  https://github.com/kubernetes/apimachinery/issues/75#issuecomment-550150929

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-17 17:35:14 -04:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
af034befb0
Paramaterize the APIService name in apiServiceUpdaterController rather than hardcoding.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Andrew Keesler
eab5c2b86b
Save 2 lines by using inline-style comments for Copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:35:19 -04:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
db98f2810f
Merge pull request #98 from suzerain-io/get_kubeconfig_cli
Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
2020-09-15 13:34:14 -07:00
Matt Moyer
1c7b3c3072
Fix base64 encoding style in webhookcachefiller.
This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 13:54:19 -05:00
Matt Moyer
75ea0f48d9
Add a controller to clean up stale entries in the idpcache.Cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
acfc5acfb2
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
6506a82b19
Add a cache of active IDPs, which implements authenticator.Token.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Ryan Richard
4379d2772c CLI get-kubeconfig command reads kubeconfig and CredentialIssuerConfig 2020-09-14 19:07:18 -07:00
Matt Moyer
92fabf43b3
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:25:16 -05:00
Ryan Richard
2cdc3defb7 Use here.Doc() in a few more places that were begging for it 2020-09-11 18:15:24 -07:00
Ryan Richard
20b21e8639 Prefactor: Move updating of APIService to a separate controller
- The certs manager controller, along with its sibling certs expirer
  and certs observer controllers, are generally useful for any process
  that wants to create its own CA and TLS certs, but only if the
  updating of the APIService is not included in those controllers
- So that functionality for updating APIServices is moved to a new
  controller which watches the same Secret which is used by those
  other controllers
- Also parameterize `NewCertsManagerController` with the service name
  and the CA common name to make the controller more reusable
2020-09-08 16:36:49 -07:00
Matt Moyer
a503fa8673 Pull controller-go back into this repository as internal/controllerlib.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-28 13:07:47 -05:00
Andrew Keesler
ddb7a20c53
Use EC crypto (instead of RSA) to workaround weird test timeout
When we use RSA private keys to sign our test certificates, we run
into strange test timeouts. The internal/controller/apicerts package
was timing out on my machine more than once every 3 runs. When I
changed the RSA crypto to EC crypto, this timeout goes away. I'm not
gonna try to figure out what the deal is here because I think it would
take longer than it would be worth (although I am sure it is some fun
story involving prime numbers; the goroutine traces for timed out
tests would always include some big.Int operations involving prime
numbers...).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-28 11:19:52 -04:00
Ryan Richard
cbc80d5bc4 RetryOnConflict when updating CredentialIssuerConfig from outside any controller
- Controllers will automatically run again when there's an error,
  but when we want to update CredentialIssuerConfig from server.go
  we should be careful to retry on conflicts
- Add unit tests for `issuerconfig.CreateOrUpdateCredentialIssuerConfig()`
  which was covered by integration tests in previous commits, but not
  covered by units tests yet.
2020-08-27 17:11:10 -07:00
Andrew Keesler
92a6b7f4a4
Use same lifetime for serving cert and CA cert
So that operators won't look at the lifetime of the CA cert and be
like, "wtf, why does the serving cert have the lifetime that I
specified, but its CA cert is valid for 100 years".

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 15:59:47 -04:00
Andrew Keesler
8ddc1a1e92
internal/controller/issuerconfig: add missing invalid kubeconfig test?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 10:43:13 -04:00
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Ryan Richard
80153f9a80 Allow app to start despite failing to borrow the cluster signing key
- Controller and aggregated API server are allowed to run
- Keep retrying to borrow the cluster signing key in case the failure
  to get it was caused by a transient failure
- The CredentialRequest endpoint will always return an authentication
  failure as long as the cluster signing key cannot be borrowed
- Update which integration tests are skipped to reflect what should
  and should not work based on the cluster's capability under this
  new behavior
- Move CreateOrUpdateCredentialIssuerConfig() and related methods
  to their own file
- Update the CredentialIssuerConfig's Status every time we try to
  refresh the cluster signing key
2020-08-25 18:22:53 -07:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Andrew Keesler
142e9a1583
internal/certauthority: backdate certs even further
We are seeing between 1 and 2 minutes of difference between the current time
reported in the API server pod and the pinniped pods on one of our testing
environments. Hopefully this change makes our tests pass again.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-24 15:01:07 -04:00
Ryan Richard
6d43d7ba19 Update the schema of CredentialIssuerConfig
- Move the current info from spec to status
- Add schema for new stuff that we will use in a future commit to status
- Regenerate the generated code
2020-08-21 17:00:42 -07:00
Ryan Richard
ace01c86de Rename PinnipedDiscoveryInfo to CredentialIssuerConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 16:16:34 -07:00
Andrew Keesler
39c299a32d
Use duration and renewBefore to control API cert rotation
These configuration knobs are much more human-understandable than the
previous percentage-based threshold flag.

We now allow users to set the lifetime of the serving cert via a ConfigMap.
Previously this was hardcoded to 1 year.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 16:35:04 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
43888e9e0a
Make CA age threshold delta more observable via more precision
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 11:42:29 -04:00
Andrew Keesler
6b90dc8bb7
Auto-rotate serving certificate
The rotation is forced by a new controller that deletes the serving cert
secret, as other controllers will see this deletion and ensure that a new
serving cert is created.

Note that the integration tests now have an addition worst case runtime of
60 seconds. This is because of the way that the aggregated API server code
reloads certificates. We will fix this in a future story. Then, the
integration tests should hopefully get much faster.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:03:36 -04:00
Matt Moyer
1b9a70d089
Switch back to an exec-based approach to grab the controller-manager CA. (#65)
This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 13:21:07 -05:00