Commit Graph

67 Commits

Author SHA1 Message Date
Andrew Keesler
6c555f94e3
internal/provider -> internal/dynamiccert
3 main reasons:
- The cert and key that we store in this object are not always used for TLS.
- The package name "provider" was a little too generic.
- dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:29:35 -04:00
Matt Moyer
07f0181fa3
Add IDP selection to get-kubeconfig command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
381fd51e13
Refactor get_kubeconfig.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
541336b997
Fix docstring for exchange credential CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
fbe0551426
Add IDP selector support in client code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Ryan Richard
6989e5da63 Merge branch 'main' into rename_stuff 2020-09-18 16:39:58 -07:00
Ryan Richard
80a520390b Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Ryan Richard
a479450940 CLI's get-kubeconfig subcommand now also sets PINNIPED_NAMESPACE env var 2020-09-17 16:05:56 -07:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
b3327d7522
Switch our client over to use the new TokenCredentialRequest API.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Andrew Keesler
eab5c2b86b
Save 2 lines by using inline-style comments for Copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:35:19 -04:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
4ced58b5b7 Add help/usage units for CLI exchange-credential subcommand 2020-09-15 09:05:40 -07:00
Andrew Keesler
82ef9e4806
cmd/pinniped/cmd: fix some linting errors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 11:00:00 -04:00
Andrew Keesler
879d847ffb
cmd/pinniped/cmd: add get-kubeconfig cli tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 10:04:25 -04:00
Ryan Richard
4379d2772c CLI get-kubeconfig command reads kubeconfig and CredentialIssuerConfig 2020-09-14 19:07:18 -07:00
Ryan Richard
da7c981f14 Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
- Add flag parsing and help messages for root command,
  `exchange-credential` subcommand, and new `get-kubeconfig` subcommand
- The new `get-kubeconfig` subcommand is a work in progress in this
  commit
- Also add here.Doc() and here.Docf() to enable nice heredocs in
  our code
2020-09-11 17:56:05 -07:00
Andrew Keesler
19c671a60a
cmd/local-user-authenticator: go back to use TokenReview structs
So I looked into other TokenReview webhook implementations, and most
of them just use the json stdlib package to unmarshal/marshal
TokenReview payloads. I'd say let's follow that pattern, even though
it leads to extra fields in the JSON payload (these are not harmful).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:12:43 -04:00
Andrew Keesler
17d40b7a73
cmd/local-user-authenticator: protect against nil-body
I saw this while reading other TokenReview code.
2020-09-11 16:11:42 -04:00
Andrew Keesler
4e40c0320e
cmd/local-user-authenticator: use v1beta1 everywhere
See 63f5416b2 for a previous time where we decided to use the v1beta1
TokenReview API.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Andrew Keesler
a3dbb309d0
cmd/local-user-authenticator: check for invalid TokenReview type meta
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Ryan Richard
c436f84b3d Fix a nil dereference crash in rest.go 2020-09-11 13:08:54 -07:00
Ryan Richard
22bf24b775 Fix a unit test failure that only happens on golang 1.15
- Use the SAN field when creating a test cert or else the corresponding
  unit tests will fail when run with golang 1.15
2020-09-10 18:50:34 -07:00
Ryan Richard
6deaa0fb1a Fix lint errors 2020-09-10 18:34:18 -07:00
Ryan Richard
b7bdb7f3b1 Rename test-webhook to local-user-authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:20:02 -07:00
Ryan Richard
9baea83066 Improve the parsing of headers in test-webhook
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:00:53 -07:00
Andrew Keesler
56be4a6761 Add more logging to test-webhook's endpoint
- Also correct the webhook url setting in prepare-for-integration-tests.sh
- Change the bcrypt count to 10, because 16 is way too slow on old laptops

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 13:37:25 -07:00
Ryan Richard
2565f67824 Create a deployment for test-webhook
- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
2020-09-09 19:06:39 -07:00
Ryan Richard
3ee7a0d881
cmd/test-webhook: first draft of webhook
The webhook still needs to be updated to auto generate its
certificates.

We decided not to give this webhook its own go module for now since
this webhook only pulled in one more dependency, and it is a
dependency that we will most likely need in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 15:27:30 -04:00
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00
Andrew Keesler
0b4590b237 Now that we have a testutil package, put ioutil.go into it
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-08-06 15:19:09 -07:00
Andrew Keesler
31e6d8fbb1
Drop main module dependency on test module
I suppose we could solve this other ways, but this utility was
only used in one place right now, so it is easiest to copy it over.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-06 10:29:04 -04:00
Ryan Richard
2e05e032ee Merge remote-tracking branch 'upstream/main' into discovery_doc 2020-07-30 17:28:35 -07:00
Matt Moyer
04cacabc16 Convert pkg/client to depend only on stdlib.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-30 13:49:45 -05:00
Ryan Richard
e0cac97084 More tests for the PublisherController
- Also, don't repeat `spec.Parallel()` because, according to the docs
  for the spec package, "options are inherited by subgroups and subspecs"
- Two tests are left pending to be filled in on the next commit
2020-07-29 18:18:42 -07:00
Ryan Richard
43c3f1ab2e Minor test cleanup
- `Before` gives a nice place to call `require.New(t)` to make the assertion lines more terse
- Just delete the keys for testing when env vars are missing
2020-07-28 17:22:17 -07:00
Matt Moyer
42616e7d8a Fix a bug in placeholder-name CLI (wrong API version).
This is kind of a subtle bug, but we were using the unversioned Kubernetes type package here, where we should have been using the v1beta1 version. They have the same fields, but they serialize to JSON differently.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 16:10:27 -05:00
Matt Moyer
531954511b Extract a test library helper for ErrorWriter{}.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
a15a106fd3 Add a trailing newline to our CLI error output.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
1a349bb609 Add a context parameter so we can enforce a timeout for the token exchange.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
0ee4f0417d Use require.EqualError instead of require.Error.
The type signatures of these methods make them easy to mix up. `require.Error()` asserts that there is any non-nil error -- the last parameter is an optional human-readable message to log when the assertion fails. `require.EqualError()` asserts that there is a non-nil error _and_ that when you call `err.Error()`, the string matches the expected value. It also takes an additional optional parameter to specify the log message.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
ebe39c8663 Add a test for "failed to marshal response to stdout" error case.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
1e8463ac2d Use Go's favorite version of the word "marshal".
Again, no idea why but this word has two commonly accepted spelling and Go code seems to very consistently use the one with one "l".

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
a5dbc324f6 Use the "Err*" idiomatic naming for error variables/consts.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Ryan Richard
27cd82065b Add placeholder-name CLI
- main and unit tests for main
- client package to be done in a future commit

Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-28 15:15:59 -05:00
Ryan Richard
9e44bc28d9 Change the name of the placeholder-name CLI to placeholder-name-server
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00