Commit Graph

78 Commits

Author SHA1 Message Date
Ryan Richard
80a520390b Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Ryan Richard
24f962f1b8 Ignore a lint err in cli_test.go 2020-09-18 10:52:31 -07:00
Ryan Richard
2ecb43154b Enhance TestCLI integration test so it can catch mistakes with env vars
- Also remove a log statement from a test which caused a lot of extra
  output when the tests are run with `go test -v`
2020-09-18 10:27:15 -07:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
b3327d7522
Switch our client over to use the new TokenCredentialRequest API.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Andrew Keesler
eab5c2b86b
Save 2 lines by using inline-style comments for Copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:35:19 -04:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
db98f2810f
Merge pull request #98 from suzerain-io/get_kubeconfig_cli
Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
2020-09-15 13:34:14 -07:00
Matt Moyer
b39160e4c4
Add some log output to TestCredentialIssuerConfig for troubleshooting.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:15:42 -05:00
Matt Moyer
3344b5b86a
Expect the WebhookIdentityProvider CRD to be installed.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:24 -05:00
Andrew Keesler
831df90c93
test/integration: add integration test for pinniped cli 2020-09-15 11:00:38 -04:00
Ryan Richard
2cdc3defb7 Use here.Doc() in a few more places that were begging for it 2020-09-11 18:15:24 -07:00
Ryan Richard
c436f84b3d Fix a nil dereference crash in rest.go 2020-09-11 13:08:54 -07:00
Andrew Keesler
b1d9665b03
Merge pull request #90 from suzerain-io/easy_demo
Add <20 minutes Pinniped demo
2020-09-11 10:26:20 -04:00
Ryan Richard
6deaa0fb1a Fix lint errors 2020-09-10 18:34:18 -07:00
Andrew Keesler
e6cb2f8220 Assert on specific expected username and groups in integration tests
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 17:10:27 -07:00
Andrew Keesler
b506ac5823
Port integration test setup script from CI repo
I also started updating the script to deploy the test-webhook instead of
doing TMC stuff. I think the script should live in this repo so that
Pinniped contributors only need to worry about one repo for running
integration tests.

There are a bunch of TODOs in the script, but I figured this was a good
checkpoint. The script successfully runs on my machine and sets up the
test-webhook and pinniped on a local kind cluster. The integration tests
are failing because of some issue with pinniped talking to the test-webhook,
but this is step in the right direction.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 11:30:15 -04:00
Matt Moyer
7f9cb43ffa
Refactor GetAPIResourceList test a bit to prep for IDP CRD changes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-09 10:24:41 -05:00
Andrew Keesler
a4fe76f6a9
test/integration: increase confidence that a cert has rotated
It looks like requests to our aggregated API service on GKE vacillate
between success and failure until they reach a converged successful
state. I think this has to do with our pods updating the API serving
cert at different times. If only one pod updates its serving cert to
the correct value, then it should respond with success. However, the
other pod would respond with failure. Depending on the load balancing
algorithm that GKE uses to send traffic to pods in a service, we could
end up with a success that we interpret as "all pods have rotated
their certs" when it really just means "at least one pod has rotated
its certs."

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-28 10:20:05 -04:00
Ryan Richard
9d7e073a9d Fix an assertion about an error message in an integration test 2020-08-27 17:50:46 -07:00
Ryan Richard
e0b5c3a146 Fix an assumption about GKE in an integration test 2020-08-27 17:18:48 -07:00
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Ryan Richard
80153f9a80 Allow app to start despite failing to borrow the cluster signing key
- Controller and aggregated API server are allowed to run
- Keep retrying to borrow the cluster signing key in case the failure
  to get it was caused by a transient failure
- The CredentialRequest endpoint will always return an authentication
  failure as long as the cluster signing key cannot be borrowed
- Update which integration tests are skipped to reflect what should
  and should not work based on the cluster's capability under this
  new behavior
- Move CreateOrUpdateCredentialIssuerConfig() and related methods
  to their own file
- Update the CredentialIssuerConfig's Status every time we try to
  refresh the cluster signing key
2020-08-25 18:22:53 -07:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Ryan Richard
6d43d7ba19 Update the schema of CredentialIssuerConfig
- Move the current info from spec to status
- Add schema for new stuff that we will use in a future commit to status
- Regenerate the generated code
2020-08-21 17:00:42 -07:00
Ryan Richard
ace01c86de Rename PinnipedDiscoveryInfo to CredentialIssuerConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 16:16:34 -07:00
Ryan Richard
d0a9d8df33
pkg/config: force api.servingCertificate.renewBeforeSeconds to be positive
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 18:21:48 -04:00
Andrew Keesler
39c299a32d
Use duration and renewBefore to control API cert rotation
These configuration knobs are much more human-understandable than the
previous percentage-based threshold flag.

We now allow users to set the lifetime of the serving cert via a ConfigMap.
Previously this was hardcoded to 1 year.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 16:35:04 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
6b90dc8bb7
Auto-rotate serving certificate
The rotation is forced by a new controller that deletes the serving cert
secret, as other controllers will see this deletion and ensure that a new
serving cert is created.

Note that the integration tests now have an addition worst case runtime of
60 seconds. This is because of the way that the aggregated API server code
reloads certificates. We will fix this in a future story. Then, the
integration tests should hopefully get much faster.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:03:36 -04:00
Matt Moyer
1b9a70d089
Switch back to an exec-based approach to grab the controller-manager CA. (#65)
This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 13:21:07 -05:00
Ryan Richard
d8d49be5d9 Make an integration test more reliable
- It would sometimes fail with this error:
  namespaces is forbidden: User "tanzu-user-authentication@groups.vmware.com"
  cannot list resource "namespaces" in API group "" at the cluster scope
- Seems like it was because the RBAC rule added by the test needs a
  moment before it starts to take effect, so change the test to retry
  the API until it succeeds or fail after 3 seconds of trying.
2020-08-17 16:28:12 -07:00
Matt Moyer
769ef71db7
Merge pull request #58 from ankeesler/api-review-updates
Update API for pre-release
2020-08-17 15:52:52 -05:00
Matt Moyer
9376f034ea Mask this testing-only private key so we don't alert on it.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:22 -05:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00
Andrew Keesler
dd8ce677ba
Remove LoginRequestStatus.User, for now
As discussed in API review, this field exists for convenience right
now.  Since the username/groups are encoded in the Credential sent in
the LoginRequestStatus, the client still has access to their
user/groups information. We want to remove this for now to be
conservative and limit our API surface area (smaller surface area =
less to maintain). We can always add this back in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 10:01:38 -04:00
Andrew Keesler
c6f1defa9d
LoginRequestStatus.Message should be a pointer since it is +optional
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 09:18:31 -04:00
Ryan Richard
9648db0837 Update how integration tests which use LoginRequest make their clients
- When we call the LoginRequest endpoint in loginrequest_test.go,
  do it with an unauthenticated client, to make sure that endpoint works
  with unauthenticated clients.
- For tests which want to test using certs returned by LoginRequest to
  make API calls back to kube to check if those certs are working, make
  sure they start with a bare client and then add only those certs.
  Avoid accidentally picking up other kubeconfig configuration like
  tokens, etc.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 14:30:07 -07:00
Ryan Richard
4cb0fd3949 Use a DaemonSet instead of a Deployment to deploy our app
- For high availability reasons, we would like our app to scale linearly
  with the size of the control plane. Using a DaemonSet allows us to run
  one pod on each node-role.kubernetes.io/master node.
- The hope is that the Service that we create should load balance
  between these pods appropriately.
2020-08-11 17:55:34 -07:00
Andrew Keesler
224b59e740
test/integration: bump (another) cert expiration delta to help flake
Related: 553b519.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 17:22:25 -04:00
Andrew Keesler
553b519d0f
test/integration: bump cert expiration delta to help flake
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 16:09:31 -04:00
Ryan Richard
fadd718d08 Add integration and more unit tests
- Add integration test for serving cert auto-generation and rotation
- Add unit test for `WithInitialEvent` of the cert manager controller
- Move UpdateAPIService() into the `apicerts` package, since that is
  the only user of the function.
2020-08-11 10:14:57 -07:00
Matt Moyer
6dd331b21d Use Go's -short flag as a way to avoid running integration tests.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-06 20:44:14 -05:00
Matt Moyer
cbe4c1b370 Pull placeholder-name-api back into this repo as a library.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-06 20:09:15 -05:00
Andrew Keesler
da5b509cc6 Stop using $PLACEHOLDER_NAME_TEST_INTEGRATION
Instead, make the integration tests a separate module. You can't run
these tests by accident because they will not run at all when you
`go test` from the top-level directory. You will need to `cd test`
before using `go test` in order to run the integration tests.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-08-05 14:15:45 -07:00
Matt Moyer
519484816d Clean up some lint errors that we missed before.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-05 09:26:50 -05:00
Ryan Richard
f8567450ee Increase test timeout to avoid CI flakes 2020-08-04 17:28:16 -07:00
Ryan Richard
09571d1117
Merge pull request #33 from cfryanr/discovery_doc
Adding discovery document object
2020-08-04 10:01:20 -07:00