Commit Graph

330 Commits

Author SHA1 Message Date
Joshua Casey
46178e91ee
Merge branch 'main' into ldap_userAttributeForFilter 2023-05-31 14:41:16 -05:00
Ryan Richard
552eceabdb Add integration test for UserAttributeForFilter group search setting
Also adds new integration test env var to support the new test:
PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN
2023-05-31 10:29:44 -07:00
Joshua Casey
6bd34fa6ea Bump dependencies 2023-05-30 09:16:53 -05:00
Ryan Richard
b40366d1f6 update versions in hack/lib/kube-versions.txt 2023-05-10 12:38:32 -07:00
Ryan Richard
4756df08cb Bump golang from 1.20.3 to 1.20.4 2023-05-10 10:36:03 -07:00
Joshua Casey
6b1dc9f3ce Bump update-go-mod to latest direct go dependencies 2023-04-05 09:17:04 -05:00
Joshua Casey
93f51c1a1d Bump Dockerfiles to go1.20.3 2023-04-05 09:12:10 -05:00
Ryan Richard
2ba378904d Bump dependencies to latest
Signed-off-by: Joshua T Casey <caseyj@vmware.com>
2023-03-28 15:15:27 -05:00
Joshua Casey
1699a9995e Update generated K8s API files 2023-03-20 18:44:48 -05:00
Joshua Casey
255f51f75b Bump all golang dependencies 2023-03-20 14:31:59 -05:00
Joshua Casey
fc0f9d959a Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 14:55:37 -05:00
Joshua Casey
a783a5d6b2 Bump to golang 1.20.2 2023-03-16 09:42:15 -05:00
Joshua Casey
72d537f8b4 Bump all golang deps 2023-03-16 09:42:15 -05:00
Joshua Casey
daf4be03ce Update generated kubernetes API files 2023-03-05 22:12:54 -06:00
Joshua Casey
947b4fd579 Add helper script to give you all the commands to update all go mod dependencies 2023-03-02 08:47:57 -06:00
Joshua Casey
2bd24f674a Bump golang in Dockerfiles to 1.20.1 2023-02-27 14:16:49 -06:00
Joshua Casey
0d4a4fd2bf Bump to go 1.18 semantics 2023-01-31 10:09:55 -06:00
Ryan Richard
14858a6db3 Increase lint timeout to 20m for CI 2023-01-19 14:41:42 -08:00
Ryan Richard
23f6dd44a0 Use Go 1.19 for fips builds
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-18 16:00:16 -08:00
Joshua Casey
a430f4b730 Bump K8s deps to 0.26 and add codegen for 0.26 2023-01-18 13:41:06 -08:00
Joshua Casey
585adc96d8 Bump generated files for K8s 1.22, 1.23, 1.24, 1.25 2023-01-18 13:38:36 -08:00
Ryan Richard
3b46547efc add hack/update-copyright-year.sh 2023-01-18 13:36:23 -08:00
Joshua Casey
a49e48c6f7 Bump FIPS Golang to 1.18.10b7
Resolves #1367
2023-01-17 21:20:50 -06:00
Ryan Richard
2f9b8b105d update copyright to 2023 in files changed by this PR 2023-01-17 15:54:16 -08:00
Ryan Richard
6d3ed73eee Bump Go 1.19.1 -> 1.19.4, and go-boringcrypto 1.18.6b7 -> 1.18.9b7 2022-12-15 09:40:32 -08:00
Ryan Richard
3b507dab4a Upgrade generated code to use the latest available versions of Kube libs
Manually kube-versions.txt and then ran ./hack/update.sh to update the
generated code.
2022-09-23 14:55:23 -07:00
Ryan Richard
bad95c072e Upgrade project dependencies to latest
- Upgrade Go used in CI from 1.19.0 to 1.19.1
- Upgrade all go.mod direct dependencies to latest available versions
- Upgrade distroless base image to latest available version
- Upgrade Go fips compiler to to latest available version

Note that upgrading the go-oidc library changed an error message
returned by that library, so update the places where tests were
expecting that error message.
2022-09-23 14:41:54 -07:00
Ryan Richard
7997285b19 Make fields optional on OIDCClientSecretRequest 2022-09-21 15:17:08 -07:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
8d8f980e86 Merge branch 'main' into dynamic_clients 2022-08-26 11:35:35 -07:00
dependabot[bot]
036c937db5
Bump distroless/static from 2556293 to 66cd130 in /hack
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:34 +00:00
Ryan Richard
43af297b44 Add codegen for Kube 1.25, and update patch versions on older codegen 2022-08-24 15:13:21 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
fe083f73fc Bump to golang 1.19.0 and to latest distroless base image
For fips dockerfile, the fips 1.19 compiler has not been released yet,
so bump to the latest available.
2022-08-24 11:18:53 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Ryan Richard
f1cd4eebb0 Merge branch 'main' into dynamic_clients 2022-07-22 10:00:53 -07:00
Ryan Richard
5b0c165dc8 fix usage of base64 in hack script 2022-06-28 12:44:41 -07:00
Margo Crawford
104e08b0f6 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-13 15:52:34 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
aceea7888b Merge branch 'main' into dynamic_clients 2022-06-13 12:29:09 -07:00
Margo Crawford
b3ad29fe1c Always attempt to docker pull before codegen
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 12:26:40 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
97d17bbda8 Merge branch 'main' into dynamic_clients 2022-06-08 09:03:06 -07:00
Ryan Richard
e78c7d4e0e
update kube codegen versions and add 1.24 codegen
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Margo Crawford
cd47ba53c2 Add CRD for OIDCClient
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-03 16:22:15 -07:00
Ryan Richard
00d68845c4 Add --flow to choose login flow in prepare-supervisor-on-kind.sh 2022-05-05 13:42:23 -07:00
Ryan Richard
eaa87c7628 support AD in hack/prepare-supervisor-on-kind.sh 2022-05-03 12:59:39 -07:00
Ryan Richard
90e88bb83c Update kube codegen versions
Note that attempting to update 1.18.18 to 1.18.20 didn't work for some
reason, so I skipped that one. The code generator didn't like 1.18.20
and it deleted all the generated code. Avoiding 1.18.19 because it is
listed as having a regression at
https://kubernetes.io/releases/patch-releases/#non-active-branch-history
2022-05-02 14:33:33 -07:00
Monis Khan
2cdb55e7da
Bump deps to latest and go mod compat to 1.17
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-28 15:37:51 -04:00
Margo Crawford
019750a292 Update kube versions to latest patch
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:19:24 -07:00
dependabot[bot]
5621c1161a
Bump google.com/api-project-999119582588/go-boringcrypto/golang in /hack
Bumps google.com/api-project-999119582588/go-boringcrypto/golang from 1.17.8b7 to 1.18.1b7.

---
updated-dependencies:
- dependency-name: google.com/api-project-999119582588/go-boringcrypto/golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-14 13:26:21 +00:00
Ryan Richard
9ebf3a5b92
Merge branch 'main' into main 2022-04-13 08:41:04 -07:00
dependabot[bot]
721526b7e7
Bump distroless/static from 80c956f to 2556293 in /hack
Bumps distroless/static from `80c956f` to `2556293`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 14:13:12 +00:00
Ryan Richard
25d20d4081 Merge branch 'main' into disable_http 2022-04-05 09:00:26 -07:00
Víctor Martínez Bevià
dc24397df4 Use vmware-tanzu/carvel instead of the deprecated k14/tap to install deps with brew 2022-04-05 16:43:22 +02:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Ryan Richard
ae7aac020a Merge branch 'main' into disable_http 2022-03-30 11:30:32 -07:00
Margo Crawford
53597bb824 Introduce FIPS compatibility
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
488f08dd6e Provide a way to override the new HTTP loopback-only validation
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Margo Crawford
051a228a8c Update install-linter.sh to use v1.45.0
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-22 10:29:08 -07:00
Ryan Richard
e465056943 Use both kubeadm.k8s.io/v1beta2 and v1beta3 to allow old versions of K8s
You can use an older version of K8s on your development workstation
by temporarily editing kind-up.sh to add the `--image` flag. By defining
both v1beta2 and v1beta3 you should continue to be able to use old
versions of K8s in this way with Kind v0.12.0.
2022-03-15 15:09:39 -07:00
Ryan Richard
16c4c67af1 Use kubeadm.k8s.io/v1beta3 instead of v1beta2 for kind config
It appears that kind completely ignores kubeadm.k8s.io/v1beta2 config
starting in Kind v0.12.0.

You can observe the config being ignored or used by adding `-v 10` to
the command-line arguments of `kind create cluster` in kind-up.sh.
2022-03-15 09:37:27 -07:00
Mo Khan
61c8d54527
Fix typo in concierge deploy step 2022-03-10 09:08:40 -05:00
Ryan Richard
1c2dd12f32 Merge branch 'main' into update-linter 2022-03-08 12:57:22 -08:00
Ryan Richard
fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Ryan Richard
0ec5b31c40 Regenerate code after updating controller-gen to v0.8.0
- Note that v0.8.0 no longer supports the "trivialVersions=true"
  command-line option, so remove that from update-codegen.sh.
  It doesn't seem to impact the output (our generated CRD yaml files).
2022-03-08 11:27:05 -08:00
Margo Crawford
60d2b852ae Corresponds with making our CI use the head of the master branch of crd-ref-docs
This fixes #906

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 14:31:58 -08:00
Ryan Richard
0a63784ca2
Merge branch 'main' into main 2022-03-02 08:41:06 -08:00
Ryan Richard
bf7457db59 expose env var for debug level of codegen 2022-03-01 10:01:49 -08:00
Ryan Richard
f501c76acc Add generated code for Kube 1.21, 1.22, and 1.23
Also:
- Make our code generator script work with Go 1.17
- Make our update.sh script work on linux
- Update the patch versions of the old Kube versions that we were using
  to generate code (see kube-versions.txt)
- Use our container images from ghcr instead of
  projects.registry.vmware.com for codegen purposes
- Make it easier to debug in the future by passing "-v" to the Kube
  codegen scripts
- Updated copyright years to make commit checks pass
2022-02-28 17:58:48 -08:00
Jason van Zyl
0ea10c77c7 Consolidate declaration of variables 2022-02-25 11:26:53 -05:00
Jason van Zyl
782157e1df Remove debug output 2022-02-25 06:25:20 -05:00
Jason van Zyl
1e3f3555a4 Add line in help output for --alternate-deploy 2022-02-25 06:22:25 -05:00
Jason van Zyl
6491742c3a Minimal changes to allow an alternate deployment mechanism
The purpose of this change is to allow Helm to be used to deploy Pinniped
into the local KinD cluster for the local integration tests. That said,
the change allows any alternate deployment mechanism, I just happen
to be using it with Helm.

All default behavior is preserved. This won't change how anyone uses the
script today, it just allows me not to copy/paste the whole setup for the
integration tests.

Changes:

1) An option called `--alternate-deploy <path-to-deploy-script>` has been
added, that when enabled calls the specified script instead of using ytt
and kapp. The alternate deploy script is called with the app to deploy
and the tag of the docker image to use. We set the default value of
the alternate_deploy variable to undefined, and there is a check that
tests if the alternate deploy is defined. For the superivsor it looks
like this:

```
if [ "$alternate_deploy" != "undefined" ]; then
  log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
  $alternate_deploy pinniped-supervisor $tag
else
  normal ytt/kapp deploy
fi
```

2) Additional log_note entries have been added to enumerate all values passed
into the ytt/kapp deploy. Used while I was trying to reach parity in the integration
tests, but I think they are useful for debugging.

3) The manifests produced by ytt and written to /tmp are now named individually.
This is so an easy comparison can be made between manifests produced by a ytt/kapp
run of integration tests and manifests produced by helm run of the integration tests.
If something is not working I have been comparing the manifests after these runs to
find differences.
2022-02-20 10:15:29 -05:00
Ryan Richard
b0c36c6633 Fix int test that was failing on MacOS, and some small doc changes 2022-02-15 11:19:49 -08:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
Ryan Richard
6143d66504 Increase timeout on linter for when CI gets slow 2022-01-18 10:07:36 -08:00
Margo Crawford
683a2c5b23 WIP adding access token to storage upon login 2022-01-12 18:03:25 -08:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Margo Crawford
6c47c3327a Add hint to hack/prepare-for-integration-tests.sh
I keep forgetting the name of the --get-active-directory-vars flag.
2021-10-26 16:25:34 -07:00
Ryan Richard
7ec0304472 Add offline_access scope for integration tests when using Dex 2021-10-19 12:25:51 -07:00
Ryan Richard
f700246bfa Allow focused integration tests to be run from the GoLand UI again
This was broken recently by the improvements in #808.
2021-09-21 12:04:45 -07:00
Monis Khan
316e6171d4
Enable aggregator routing on kind clusters
This should make it easier for us to to notice if something is wrong
with our service (especially in any future kubectl tests we add).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-15 15:09:15 -04:00
Matt Moyer
c7a8c429ed
Add a dry-run 'kubectl apply' in prepare-for-integration-tests.sh so we can be sure that our manifests pass API validation.
We had this for some components, but not the ones that mattered the most.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:55:28 -05:00
Margo Crawford
e5718351ba
Merge pull request #695 from vmware-tanzu/active-directory-identity-provider
Active directory identity provider
2021-08-27 08:39:12 -07:00
Monis Khan
ad3086b8f1
Downgrade go mod compat to 1.16 for golangci-lint
Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-27 10:03:48 -04:00
Monis Khan
a86949d0be
Use go 1.17 module lazy loading
See https://golang.org/doc/go1.17#go-command for details.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-27 09:46:58 -04:00
Margo Crawford
2d32e0fa7d Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-26 16:21:08 -07:00
Ryan Richard
d20cab10b9 Replace one-off usages of busybox and debian images in integration tests
Those images that are pulled from Dockerhub will cause pull failures
on some test clusters due to Dockerhub rate limiting.

Because we already have some images that we use for testing, and
because those images are already pre-loaded onto our CI clusters
to make the tests faster, use one of those images and always specify
PullIfNotPresent to avoid pulling the image again during the integration
test.
2021-08-25 15:12:07 -07:00
Margo Crawford
c590c8ff41 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
Matt Moyer
4f5312807b
Undo dep hacks to work around gRPC example module.
This is essentially reverting 87c7e89b13.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-20 10:15:54 -05:00
Margo Crawford
cc3875f048 PR feedback 2021-07-26 16:03:12 -07:00
Margo Crawford
8ea1bd3dfb Make prepare-for-integration-tests active directory setup accessible for anyone 2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9 Refactoring defaulting logic 2021-07-23 13:01:41 -07:00
Margo Crawford
b3d0b28bd0 Integration test fixes, fixing objectGUID handling 2021-07-23 13:01:40 -07:00
Margo Crawford
5c283d941c Helper script for running active directory tests 2021-07-23 13:01:40 -07:00
Matt Moyer
87c7e89b13
Upgrade github.com/ory/fosite to v0.40.2.
This required a weird hack because some of the Fosite tests (or a transitive dependency of them) depends on a newer version of gRPC that's incompatible with the Kubernetes runtime version we use. It wasn't as simple as just replacing the gRPC module with an older version, because in the latest versions of gRPC, they split out the "examples" packages into their own module. This new module name doesn't exist at the old version.

Ultimately, the workaround was to make a fake "examples" module locally. This module can be empty because we never actually depend on that code (it's only used in transitive dependency tests).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Matt Moyer
fd9d9b8c73
Stop generating zz_generated.openapi.go files.
It turns out we no longer need these and can skip this bit of code generation.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-21 11:16:59 -05:00