Commit Graph

83 Commits

Author SHA1 Message Date
Matt Moyer
67b692b11f
Implement the rest of an OIDC client CLI library.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
ce49d8bd7b
Remove the --use-pkce flag and just always use it.
Based on the spec, it seems like it's required that OAuth2 servers which do not support PKCE should just ignore the parameters, so this should always work.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
a13d7ec5a1
Remove temporary --debug-auth-code-exchange flag for OIDC client CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Ryan Richard
8b7d96f42c Several small refactors related to OIDC providers 2020-10-08 11:28:21 -07:00
Andrew Keesler
da00fc708f
supervisor-oidc: checkpoint: add status to provider CRD
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 13:27:45 -04:00
Ryan Richard
6b653fc663 Creation and deletion of OIDC Provider discovery endpoints from config
- The OIDCProviderConfigWatcherController synchronizes the
  OIDCProviderConfig settings to dynamically mount and unmount the
  OIDC discovery endpoints for each provider
- Integration test passes but unit tests need to be added still
2020-10-07 19:18:34 -07:00
Andrew Keesler
20ce142f90
Merge remote-tracking branch 'upstream/main' into supervisor-with-discovery 2020-10-07 11:37:33 -04:00
Andrew Keesler
c49ebf4b57
supervisor-oidc: int test passes, but impl needs refactor
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 11:33:50 -04:00
Andrew Keesler
019f44982c
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 10:54:56 -04:00
Matt Moyer
8012d6a1c2
Merge pull request #147 from mattmoyer/oidc-cli
Implement initial steps of OIDC CLI client.
2020-10-06 15:20:30 -05:00
Ryan Richard
5b3dd5fc7d
Rename pinniped-server -> pinniped-concierge
Do we like this? We don't know yet.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 14:59:03 -04:00
Matt Moyer
38501ff763
Add initial "pinniped alpha login oidc" partial implementation.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-06 12:42:29 -05:00
Andrew Keesler
fd6a7f5892
supervisor-oidc: hoist OIDC discovery handler for testing
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 11:16:57 -04:00
Ryan Richard
76bd462cf8 Implement very rough skeleton of the start of a supervisor server
- This is just stab at a starting place because it felt easier to
  put something down on paper than to keep staring at a blank page
2020-10-05 17:28:19 -07:00
Matt Moyer
b0a4ae13c5
Add Tilt-based local dev workflow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-05 16:34:33 -05:00
Andrew Keesler
d6571671f6
cmd/pinniped: add version command
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-28 10:44:33 -04:00
Andrew Keesler
6c555f94e3
internal/provider -> internal/dynamiccert
3 main reasons:
- The cert and key that we store in this object are not always used for TLS.
- The package name "provider" was a little too generic.
- dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:29:35 -04:00
Matt Moyer
07f0181fa3
Add IDP selection to get-kubeconfig command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
381fd51e13
Refactor get_kubeconfig.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
541336b997
Fix docstring for exchange credential CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
fbe0551426
Add IDP selector support in client code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Ryan Richard
6989e5da63 Merge branch 'main' into rename_stuff 2020-09-18 16:39:58 -07:00
Ryan Richard
80a520390b Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
  e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
  so when a user lists all objects of that kind, they can tell to which
  component it is related,
  e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
  mostly disappear if they choose, by specifying the app_name in
  values.yaml, to the extent that is practical (but not from APIService
  names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
  are passed to the code at run time via ConfigMap, rather than
  hardcoded in the golang code. This also allows them to be prepended
  with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
  CredentialIssuerConfig resource in advance anymore, it lists all
  CredentialIssuerConfig in the app's namespace and returns an error
  if there is not exactly one found, and then uses that one regardless
  of its name
2020-09-18 15:56:50 -07:00
Matt Moyer
907ccb68f5
Move CredentialIssuerConfig into new "config.pinniped.dev" API group.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 16:38:45 -05:00
Matt Moyer
2d4d7e588a
Add Go vanity import paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-18 14:56:24 -05:00
Ryan Richard
a479450940 CLI's get-kubeconfig subcommand now also sets PINNIPED_NAMESPACE env var 2020-09-17 16:05:56 -07:00
Matt Moyer
8c9c1e206d
Update module/package names to match GitHub org switch.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 12:56:54 -05:00
Matt Moyer
b3327d7522
Switch our client over to use the new TokenCredentialRequest API.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-17 09:52:23 -05:00
Andrew Keesler
eab5c2b86b
Save 2 lines by using inline-style comments for Copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:35:19 -04:00
Andrew Keesler
e7b389ae6c
Update copyright to reference Pinniped contributors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-16 10:05:51 -04:00
Ryan Richard
4ced58b5b7 Add help/usage units for CLI exchange-credential subcommand 2020-09-15 09:05:40 -07:00
Andrew Keesler
82ef9e4806
cmd/pinniped/cmd: fix some linting errors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 11:00:00 -04:00
Andrew Keesler
879d847ffb
cmd/pinniped/cmd: add get-kubeconfig cli tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 10:04:25 -04:00
Ryan Richard
4379d2772c CLI get-kubeconfig command reads kubeconfig and CredentialIssuerConfig 2020-09-14 19:07:18 -07:00
Ryan Richard
da7c981f14 Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
- Add flag parsing and help messages for root command,
  `exchange-credential` subcommand, and new `get-kubeconfig` subcommand
- The new `get-kubeconfig` subcommand is a work in progress in this
  commit
- Also add here.Doc() and here.Docf() to enable nice heredocs in
  our code
2020-09-11 17:56:05 -07:00
Andrew Keesler
19c671a60a
cmd/local-user-authenticator: go back to use TokenReview structs
So I looked into other TokenReview webhook implementations, and most
of them just use the json stdlib package to unmarshal/marshal
TokenReview payloads. I'd say let's follow that pattern, even though
it leads to extra fields in the JSON payload (these are not harmful).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:12:43 -04:00
Andrew Keesler
17d40b7a73
cmd/local-user-authenticator: protect against nil-body
I saw this while reading other TokenReview code.
2020-09-11 16:11:42 -04:00
Andrew Keesler
4e40c0320e
cmd/local-user-authenticator: use v1beta1 everywhere
See 63f5416b2 for a previous time where we decided to use the v1beta1
TokenReview API.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Andrew Keesler
a3dbb309d0
cmd/local-user-authenticator: check for invalid TokenReview type meta
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Ryan Richard
c436f84b3d Fix a nil dereference crash in rest.go 2020-09-11 13:08:54 -07:00
Ryan Richard
22bf24b775 Fix a unit test failure that only happens on golang 1.15
- Use the SAN field when creating a test cert or else the corresponding
  unit tests will fail when run with golang 1.15
2020-09-10 18:50:34 -07:00
Ryan Richard
6deaa0fb1a Fix lint errors 2020-09-10 18:34:18 -07:00
Ryan Richard
b7bdb7f3b1 Rename test-webhook to local-user-authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:20:02 -07:00
Ryan Richard
9baea83066 Improve the parsing of headers in test-webhook
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:00:53 -07:00
Andrew Keesler
56be4a6761 Add more logging to test-webhook's endpoint
- Also correct the webhook url setting in prepare-for-integration-tests.sh
- Change the bcrypt count to 10, because 16 is way too slow on old laptops

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 13:37:25 -07:00
Ryan Richard
2565f67824 Create a deployment for test-webhook
- For now, build the test-webhook binary in the same container image as
  the pinniped-server binary, to make it easier to distribute
- Also fix lots of bugs from the first draft of the test-webhook's
  `/authenticate` implementation from the previous commit
- Add a detailed README for the new deploy-test-webhook directory
2020-09-09 19:06:39 -07:00
Ryan Richard
3ee7a0d881
cmd/test-webhook: first draft of webhook
The webhook still needs to be updated to auto generate its
certificates.

We decided not to give this webhook its own go module for now since
this webhook only pulled in one more dependency, and it is a
dependency that we will most likely need in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-09 15:27:30 -04:00
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00