Matt Moyer
8df910361c
Clean up CredentialRequest types.go.
...
Mostly cleaned up and added doc strings, but also removed unneeded protobuf tags.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:30:12 -05:00
Matt Moyer
37da441e96
Merge pull request #107 from mattmoyer/tidy-go-modules
...
Tidy go.mod/go.sum.
2020-09-15 14:29:39 -05:00
Matt Moyer
6faf224e20
Merge pull request #105 from mattmoyer/extend-readiness-check
...
Wait for informers to sync before we pass readiness check.
2020-09-15 14:27:42 -05:00
Matt Moyer
92372d20a9
Tidy go.mod/go.sum.
...
I accidentally missed this in bbef017989 and it's not currently part of our CI linting.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:14:44 -05:00
Matt Moyer
12f0997193
Wait for informers to sync before we pass readiness check.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:14:25 -05:00
Matt Moyer
e428877473
Merge pull request #106 from mattmoyer/fix-webhook-base64-encoding
...
Fix base64 encoding style in webhookcachefiller.
2020-09-15 14:12:02 -05:00
Matt Moyer
1c7b3c3072
Fix base64 encoding style in webhookcachefiller.
...
This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 13:54:19 -05:00
Matt Moyer
b1ea04b036
Merge pull request #83 from mattmoyer/add-idp-config-crd
...
Implement the initial version of a WebhookIdentityProvider CRD.
2020-09-15 12:53:31 -05:00
Andrew Keesler
36a66f4e8b
Merge pull request #104 from ankeesler/maintainers-doc
...
MAINTAINERS.md: add initial draft
2020-09-15 13:31:15 -04:00
Matt Moyer
b39160e4c4
Add some log output to TestCredentialIssuerConfig for troubleshooting.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:15:42 -05:00
Andrew Keesler
a22b414b58
MAINTAINERS.md: add initial draft
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 13:14:50 -04:00
Matt Moyer
8de046a561
Remove static webhook config options.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:34 -05:00
Matt Moyer
f7c9ae8ba3
Validate tokens using the new dynamic IDP cache instead of the static config.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:34 -05:00
Matt Moyer
75ea0f48d9
Add a controller to clean up stale entries in the idpcache.Cache.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
acfc5acfb2
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
6506a82b19
Add a cache of active IDPs, which implements authenticator.Token.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
66f4e62c6c
Add internal/mocks/mocktokenauthenticator generated mocks.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
80a23bd2fd
Rename "Webhook" to "TokenAuthenticator" in our REST handler and callers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
2bdbac3e15
Move the ytt webhook config out into the CRD.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
5b9f2ec9fc
Give our controller access to all our CRD types.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
fc220d5f79
Remove kubectl dry-run verify for now.
...
The dry-run fails now because we are trying to install a CRD and a custom resource (of that CRD type) in the same step.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:32 -05:00
Matt Moyer
3344b5b86a
Expect the WebhookIdentityProvider CRD to be installed.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:24 -05:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Matt Moyer
9bb3d4ef28
Add .gitattributes as a hint to the GitHub diff viewer.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Matt Moyer
21187bc28a
Merge pull request #103 from mattmoyer/add-controller-utils
...
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
2020-09-14 13:59:32 -05:00
aram price
9bad0d52f7
Merge pull request #102 from mattmoyer/prefactor-test-helpers
...
Prefactor some test helpers prior to the IDP CRD PR.
2020-09-14 11:38:05 -07:00
Matt Moyer
92fabf43b3
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:25:16 -05:00
Matt Moyer
7d8c28a9dc
Extract testutil.TLSTestServer so it can be reused elsewhere.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:23:12 -05:00
Matt Moyer
bbef017989
Add a testlogger util package for testing go-logr.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:23:06 -05:00
Andrew Keesler
19c671a60a
cmd/local-user-authenticator: go back to use TokenReview structs
...
So I looked into other TokenReview webhook implementations, and most
of them just use the json stdlib package to unmarshal/marshal
TokenReview payloads. I'd say let's follow that pattern, even though
it leads to extra fields in the JSON payload (these are not harmful).
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:12:43 -04:00
Andrew Keesler
17d40b7a73
cmd/local-user-authenticator: protect against nil-body
...
I saw this while reading other TokenReview code.
2020-09-11 16:11:42 -04:00
Andrew Keesler
4e40c0320e
cmd/local-user-authenticator: use v1beta1 everywhere
...
See 63f5416b2 for a previous time where we decided to use the v1beta1
TokenReview API.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Andrew Keesler
a3dbb309d0
cmd/local-user-authenticator: check for invalid TokenReview type meta
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00
Ryan Richard
c436f84b3d
Fix a nil dereference crash in rest.go
2020-09-11 13:08:54 -07:00
Ryan Richard
f685cd228f
More integration test script updates
...
- Don't need to `cd test` anymore before running the integration
tests because it's not a separate Go module anymore
2020-09-11 08:43:53 -07:00
Ryan Richard
63f9db72e8
Improvements and simplifications to prepare-for-integration-tests.sh
2020-09-11 08:19:49 -07:00
Andrew Keesler
004cfe380d
doc/contributing.md: add a tiny blurb about integration tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 10:29:21 -04:00
Andrew Keesler
b1d9665b03
Merge pull request #90 from suzerain-io/easy_demo
...
Add <20 minutes Pinniped demo
2020-09-11 10:26:20 -04:00
Andrew Keesler
4fa7e1bd76
hack/prepare-for-integration-tests.sh: use log helper
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 10:09:22 -04:00
Ryan Richard
22bf24b775
Fix a unit test failure that only happens on golang 1.15
...
- Use the SAN field when creating a test cert or else the corresponding
unit tests will fail when run with golang 1.15
2020-09-10 18:50:34 -07:00
Ryan Richard
6deaa0fb1a
Fix lint errors
2020-09-10 18:34:18 -07:00
Ryan Richard
4fe609a043
Remove mentions of uninstall tests and other repos from prepare-for-integration-tests.sh
2020-09-10 17:36:22 -07:00
Andrew Keesler
e6cb2f8220
Assert on specific expected username and groups in integration tests
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 17:10:27 -07:00
Ryan Richard
b7bdb7f3b1
Rename test-webhook to local-user-authenticator
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:20:02 -07:00
Ryan Richard
9baea83066
Improve the parsing of headers in test-webhook
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 15:00:53 -07:00
Andrew Keesler
56be4a6761
Add more logging to test-webhook's endpoint
...
- Also correct the webhook url setting in prepare-for-integration-tests.sh
- Change the bcrypt count to 10, because 16 is way too slow on old laptops
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 13:37:25 -07:00
Andrew Keesler
b506ac5823
Port integration test setup script from CI repo
...
I also started updating the script to deploy the test-webhook instead of
doing TMC stuff. I think the script should live in this repo so that
Pinniped contributors only need to worry about one repo for running
integration tests.
There are a bunch of TODOs in the script, but I figured this was a good
checkpoint. The script successfully runs on my machine and sets up the
test-webhook and pinniped on a local kind cluster. The integration tests
are failing because of some issue with pinniped talking to the test-webhook,
but this is a step in the right direction.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 11:30:15 -04:00
Andrew Keesler
fec31b71c0
deploy-test-webhook/README.md: add another tool needed for the demo
...
The other diffs in this comment were dictated by pre-commit.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 09:50:17 -04:00
Andrew Keesler
89d01b84f8
deploy/README.md: fix markdown link to test webhook README.md
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 09:33:46 -04:00
Andrew Keesler
fc3b4e9ae1
hack/test-unit.sh: remove this alias to cut down on scripts
...
This script was basically an alias for `./hack/module.sh unittest`. We even
tell people to run the unit tests via module.sh in our contributing doc.
Let's ditch it - the best line of (shell code) is the one you don't write.
An analogous change was made in CI to use module.sh in place of test-unit.sh.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-10 09:26:18 -04:00