Commit Graph

3154 Commits

Author SHA1 Message Date
Ryan Richard
14f1d86833
supervisor-oidc: add OIDCProviderConfig CRD
This will hopefully come in handy later if we ever decide to add
support for multiple OIDC providers as a part of one supervisor.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 15:20:29 -04:00
Ryan Richard
5b3dd5fc7d
Rename pinniped-server -> pinniped-concierge
Do we like this? We don't know yet.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 14:59:03 -04:00
Matt Moyer
38501ff763
Add initial "pinniped alpha login oidc" partial implementation.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-06 12:42:29 -05:00
Andrew Keesler
006d96ab92
supervisor-oidc: create dynamic config in YTT templates
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 11:16:57 -04:00
Andrew Keesler
fd6a7f5892
supervisor-oidc: hoist OIDC discovery handler for testing
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 11:16:57 -04:00
Ryan Richard
76bd462cf8 Implement very rough skeleton of the start of a supervisor server
- This is just stab at a starting place because it felt easier to
  put something down on paper than to keep staring at a blank page
2020-10-05 17:28:19 -07:00
Matt Moyer
b0a4ae13c5
Add Tilt-based local dev workflow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-05 16:34:33 -05:00
Matt Moyer
01153dcb9d
Iterate on pull request template.
- Moves the "front matter" to a Markdown comment so you don't necessarily have to delete it.

- Reduces a little bit of boilerplate (this is a bit subjective).

- Tweaks some formatting (also subjective).

- Describe what happens when you use "Fixes [...]".

- Tweak the release note block so it should be easier to parse out automatically (using the same syntax as Kubernetes).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-05 15:51:53 -05:00
Matt Moyer
c1c75a8f22
Add kube_cert_agent_image value to main ytt template.
This needs to be overridden for Tilt usage, since the main image referenced by Tilt isn't actually pullable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-05 15:18:38 -05:00
Matt Moyer
7eed7ba19a
Merge pull request #140 from mattmoyer/shuffle-contrib-docs
Rename the CoC and contributor guide to the names GitHub recognizes.
2020-10-05 11:24:59 -05:00
Ryan Richard
969c136921
Merge pull request #142 from vmware-tanzu/remove_curly_braces_from_doc_commands
Remove curly braces from doc commands
2020-10-02 17:45:50 -07:00
Ryan Richard
8a360fe08e
Merge pull request #141 from danjahner/main
Minor docs updates
2020-10-02 17:20:44 -07:00
Ryan Richard
da695ef787 Remove curly braces from doc commands
Because when you copy/paste them to zsh they are automatically
escaped and then they do not work correctly
2020-10-02 16:44:27 -07:00
Dan Jahner
13e0b272c0
Docs only: Use consistent sample user name 2020-10-02 13:59:14 -07:00
Dan Jahner
e97bad2198
Docs only: Fix failure response, format for clarity 2020-10-02 13:58:31 -07:00
Matt Moyer
fe12f85c70
Rename the CoC and contributor guide to the names GitHub recognizes.
These special names are recognized by GitHub, for example on https://github.com/vmware-tanzu/pinniped/community.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-02 15:53:48 -05:00
Dan Jahner
127914703e
Docs only: Use prettier URL for latest config 2020-10-02 12:00:57 -07:00
Andrew Keesler
916db74d65
Merge pull request #138 from vmware-tanzu/no_dirty_in_version
Do not append "-dirty" to the version number when the git repo is dirty
2020-10-02 13:33:21 -04:00
Ryan Richard
0bfa351eb4 Do not append "-dirty" to the version number when the git repo is dirty
- Semver version numbers do not end with "-dirty"
- Continue to include the clean/dirty status of the repo in the
  `gitTreeState` field
2020-10-01 17:23:37 -07:00
Ryan Richard
b69eb5e850
Add link to GitHub Discussions on the main README 2020-09-29 16:46:18 -07:00
Ryan Richard
d43744f8e9 Allow CI to embed version info at build time for CLI
- Prevent the server binary from lying about its version number
  by having it report "?.?.?" as its version number for now.
- Later we can devise a way for CI to inject the version number
  for the server into the container image at release time,
  not at build time, since the version number is not known
  at build time.
- Pre-release builds of the binary from before the release stage or
  builds on developer workstation will also report "?.?.?" as its
  version number, which is fine since they are not official releases
  and shouldn't find their way to the public.
2020-09-28 09:58:02 -07:00
Andrew Keesler
d23ff1f5eb
Merge pull request #136 from ankeesler/pinniped-version-command
cmd/pinniped: add version command
2020-09-28 12:21:25 -04:00
Andrew Keesler
d6571671f6
cmd/pinniped: add version command
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-28 10:44:33 -04:00
Andrew Keesler
38e26d7a49
test/library: use client-go anonymous rest config helper
I saw this helper function the other day and wondered if we could use it.
It does indeed look like it does what we want, because when I run this code,
I get `...User "system:anonymous" cannot get resource...`.

  c := library.NewAnonymousPinnipedClientset(t)
  _, err := c.
    ConfigV1alpha1().
    CredentialIssuerConfigs("integration").
    Get(context.Background(), "pinniped-config", metav1.GetOptions{})
  t.Log(err)

I also ran a similar test using this new helper in the context of
library.NewClientsetWithCertAndKey(). Seemed to get us what we want.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-28 09:22:01 -04:00
Andrew Keesler
efe420b737 Add mention of how to work around MacOS download security in demo.md
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-25 12:56:45 -07:00
Matt Moyer
42e74a02e9
Merge pull request #134 from mattmoyer/refactor-test-params
Refactor integration test environment helpers to be more structured.
2020-09-25 10:04:37 -05:00
Matt Moyer
70480260dd
Remove support for loading test context from a Secret.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-25 09:37:17 -05:00
Ryan Richard
82f8094de7 Update documentation to use the deployment YAML files from the releases 2020-09-24 17:56:21 -07:00
Matt Moyer
434e3fe435
Refactor integration test environment helpers to be more structured.
This change replaces our previous test helpers for checking cluster capabilities and passing external test parameters. Prior to this change, we always used `$PINNIPED_*` environment variables and these variables were accessed throughout the test code.

The new code introduces a more strongly-typed `TestEnv` structure and helpers which load and expose the parameters. Tests can now call `env := library.IntegrationEnv(t)`, then access parameters such as `env.Namespace` or `env.TestUser.Token`. This should make this data dependency easier to manage and refactor in the future. In many ways this is just an extended version of the previous cluster capabilities YAML.

Tests can also check for cluster capabilities easily by using `env := library.IntegrationEnv(t).WithCapability(xyz)`.

The actual parameters are still loaded from OS environment variables by default (for compatibility), but the code now also tries to load the data from a Kubernetes Secret (`integration/pinniped-test-env` by default). I'm hoping this will be a more convenient way to pass data between various scripts than the local `/tmp` directory. I hope to remove the OS environment code in a future commit.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 18:03:45 -05:00
Andrew Keesler
b21b43c654
Fix expected CIC status message on non-hosted control planes 2020-09-24 17:56:55 -04:00
Andrew Keesler
9e0195e024
kubecertagent: use initial event for when key can't be found
This should fix integration tests running on clusters that don't have
visible controller manager pods (e.g., GKE). Pinniped should boot, not
find any controller manager pods, but still post a status in the CIC.

I also updated a test helper so that we could tell the difference
between when an event was not added and when an event was added with
an empty key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 16:54:20 -04:00
Andrew Keesler
d853cbc7ff
Plumb through ImagePullSecrets to agent pod
Right now in the YTT templates we assume that the agent pods are gonna use
the same image as the main Pinniped deployment, so we can use the same logic
for the image pull secrets.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 15:52:05 -04:00
Andrew Keesler
9ed52e6b4a
test/integration: declare some test helpers to fix line reporting
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:45 -04:00
Andrew Keesler
fab36c55f5
inernal/controller/kubecertagent: fix some godoc's
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:06 -04:00
Ryan Richard
409d10baf8
Merge pull request #122 from ankeesler/1-19-exec-strategy
Fix exec strategy for Kubernetes 1.19
2020-09-24 10:32:43 -07:00
Ryan Richard
ea762b405d Increase some integration test timeouts so they can pass when CI is slow 2020-09-24 10:20:51 -07:00
Ryan Richard
3ff605bb39 Merge branch 'main' into 1-19-exec-strategy 2020-09-24 10:12:54 -07:00
Ryan Richard
856971e452 Replace title in README.md with project logo 2020-09-24 10:09:50 -07:00
Ryan Richard
eaf2d9a185 Improve failure message in an integration test for better debugging
This seems to fail on CI when the Concourse workers get slow and
kind stops working reliably. It would be interesting to see the
error message in that case to figure out if there's anything we
could do to make the test more resilient.
2020-09-24 09:44:10 -07:00
Ryan Richard
3f06be2246 Remove kubecertauthority pkg
All of its functionality was refactored to move elsewhere or to not
be needed anymore by previous commits
2020-09-24 09:23:29 -07:00
Andrew Keesler
69137fb6b9 kube_config_info_publisher.go no longer watches cic's with an informer
Simplifies the implementation, makes it more consistent with other
updaters of the cic (CredentialIssuerConfig), and also retries on
update conflicts

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-24 09:19:57 -07:00
Ryan Richard
253d3bb36f Remove an accidentally committed it.Focus 2020-09-24 08:15:10 -07:00
Andrew Keesler
9f80b0ea00
Set CIC error statuses in kubecertagent annotater and creater
Also fix an instance where we were using an informer in a retry loop.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 10:40:50 -04:00
Matt Moyer
6f4cf705e5
Merge pull request #133 from mattmoyer/upgrade-to-kubernetes-1.19.2
Upgrade client-go et al from 1.19.0 to 1.19.2.
2020-09-24 09:35:38 -05:00
Matt Moyer
ec3e4cae68
Upgrade client-go, et al from 1.19.0 to 1.19.2.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 09:21:10 -05:00
Ryan Richard
381811b36f Refactor constructor params of the kubecertagent pkg's controllers
- Only inject things through the constructor that the controller
  will need
- Use pkg private constants when possible for things that are not
  actually configurable by the user
- Make the agent pod template private to the pkg
- Introduce a test helper to reduce some duplicated test code
- Remove some `it.Focus` lines that were accidentally committed, and
  repair the broken tests that they were hiding
2020-09-23 17:30:22 -07:00
Andrew Keesler
906a88f2d3
Set kube-cert-agent imagePullPolicy to IfNotPresent for CI
Maybe this will fix kind integration tests? It is what the main
Pinniped deployment does?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 14:15:59 -04:00
Andrew Keesler
0f8437bc3a
Integration tests are passing ayooooooooooooooo 2020-09-23 12:47:04 -04:00
Andrew Keesler
6d047c151f
Fix kubecertagent deleter test to reconcile on pod template fields
I think we want to reconcile on these pod template fields so that if
someone were to redeploy Pinniped with a new image for the agent, the
agent would get updated immediately. Before this change, the agent image
wouldn't get updated until the agent pod was deleted.
2020-09-23 11:30:13 -04:00
Andrew Keesler
9735122db9
Wire in kubecertagent.NewExecerController() to server
Also fill in a couple of low-hanging unit tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 11:01:41 -04:00