Commit Graph

3550 Commits

Author SHA1 Message Date
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Matt Moyer
68893a1e15 Merge the ./test packages back into the main module.
We were using this at one point to control which tests ran with `go test ./...`, but now we're also using the `-short` flag to differentiate unit vs. integration tests.

Hopefully this will simplify things a bit.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:38:52 -05:00
Andrew Keesler
9440316c20
README.md: remove Pinni (for now)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 11:49:31 -04:00
Andrew Keesler
f9554e0bde
feature-proposal.md: I need more sleep 2020-08-27 11:46:43 -04:00
Andrew Keesler
89f059ae03
Make feature proposal and bug report language more similar 2020-08-27 11:44:54 -04:00
Andrew Keesler
7360489d1b feature_proposal.md: add initial feature proposal template 2020-08-27 11:38:42 -04:00
Andrew Keesler
61b758450e
doc/contributing.md: update link to bug report template 2020-08-27 11:21:04 -04:00
Andrew Keesler
9539f29f94 bug_report.md: fix formatting and poor spelling choices 2020-08-27 11:17:55 -04:00
Andrew Keesler
6cc7bdf7d3
bug_report.md: make description more general and welcoming :) 2020-08-27 11:15:24 -04:00
Andrew Keesler
8f4a2f98d7 Update bug issue template 2020-08-27 11:13:24 -04:00
Andrew Keesler
8ddc1a1e92
internal/controller/issuerconfig: add missing invalid kubeconfig test?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 10:43:13 -04:00
Andrew Keesler
d240796110
test: fix ci failure: "no Auth Provider found for name "gcp""
kubectl pulls these in in their main package...I wonder if we should do
the same for our main packages?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 09:12:34 -04:00
Andrew Keesler
7502190135
Fix some copy issues in the docs 2020-08-27 08:39:57 -04:00
Andrew Keesler
aea3f0f90d
Merge pull request #74 from ankeesler/public-readme
First draft of public README (and neighboring docs)
2020-08-26 18:22:39 -04:00
Andrew Keesler
f66f7f14f5
First draft of public README (and neighboring docs)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-26 18:19:35 -04:00
Ryan Richard
d8bcea88a7
Merge pull request #70 from suzerain-io/self_test
Self test feature
2020-08-26 14:26:59 -07:00
Ryan Richard
2629a9c42f Empty commit to trigger PR CI pipeline 2020-08-26 09:17:08 -07:00
Ryan Richard
90fe733f94 Empty commit to trigger PR CI pipeline 2020-08-26 08:49:44 -07:00
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Ryan Richard
80153f9a80 Allow app to start despite failing to borrow the cluster signing key
- Controller and aggregated API server are allowed to run
- Keep retrying to borrow the cluster signing key in case the failure
  to get it was caused by a transient failure
- The CredentialRequest endpoint will always return an authentication
  failure as long as the cluster signing key cannot be borrowed
- Update which integration tests are skipped to reflect what should
  and should not work based on the cluster's capability under this
  new behavior
- Move CreateOrUpdateCredentialIssuerConfig() and related methods
  to their own file
- Update the CredentialIssuerConfig's Status every time we try to
  refresh the cluster signing key
2020-08-25 18:22:53 -07:00
Andrew Keesler
4306599396
Fix linter errors 2020-08-25 10:40:59 -04:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Matt Moyer
c2e6a1408d
Remove old generated directories from dependabot. (#72)
These never worked quite right, so let's disable them for now: #51

We can probably come up with some better solution now with the new codegen scripts, but I'll leave that for later.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 16:20:34 -05:00
Matt Moyer
4e08866e87
Merge pull request #71 from mattmoyer/multi-version-codegen
Generate API/client code for several Kubernetes versions.
2020-08-24 16:12:31 -05:00
Matt Moyer
cbd6dd3356 Use a symlink instead of directly mounting into GOPATH.
This supports CI better, where the original input dir isn't in GOPATH.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:58:52 -05:00
Matt Moyer
eb05e7a138 Reverse the order of this diff so it makes more sense.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:46:51 -05:00
Matt Moyer
22f1ca24d9 Remove old generated code from ./kubernetes directory.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:03:55 -05:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Matt Moyer
34d13f71c2 Add newly generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00
Matt Moyer
1aef2f07d3 Add new ./apis directory and codegen scripts.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00
Andrew Keesler
142e9a1583
internal/certauthority: backdate certs even further
We are seeing between 1 and 2 minutes of difference between the current time
reported in the API server pod and the pinniped pods on one of our testing
environments. Hopefully this change makes our tests pass again.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-24 15:01:07 -04:00
Andrew Keesler
ed8b1be178
Revert "test/library: try another cert rest config"
Didn't fix CI. I didn't think it would.

I have never seen the integration tests fail like this locally, so I
have to imagine the failure has something to do with the environment
on which we are testing.

This reverts commit ba2e2f509a.
2020-08-24 11:52:47 -04:00
Ryan Richard
399e1d2eb8 Merge branch 'main' into self_test 2020-08-24 08:33:18 -07:00
Andrew Keesler
ba2e2f509a
test/library: try another cert rest config
We are getting these weird flakes in CI where the kube client that we
create with these helper functions doesn't work against the kube API.
The kube API tells us that we are unauthorized (401). Seems like something
is wrong with the keypair itself, but when I create a one-off kubeconfig
with the keypair, I get 200s from the API. Hmmm...I wonder what CI will
think of this change?

I also tried to align some naming in this package.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-24 11:01:37 -04:00
Ryan Richard
6d43d7ba19 Update the schema of CredentialIssuerConfig
- Move the current info from spec to status
- Add schema for new stuff that we will use in a future commit to status
- Regenerate the generated code
2020-08-21 17:00:42 -07:00
Ryan Richard
ace01c86de Rename PinnipedDiscoveryInfo to CredentialIssuerConfig
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 16:16:34 -07:00
Ryan Richard
d4b184a7d5 Allow aliases for the first argument of module.sh
- Makes it easier to guess/remember what are the legal arguments
- Also update the output a little to make it easier to tell
  when the command has succeeded
- And run tests using `-count 1` because cached test results are not
  very trustworthy
2020-08-21 16:15:48 -07:00
Andrew Keesler
76bd274fc4 Update the generated code
Mostly just fixes the imports

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-08-21 12:50:53 -07:00
Ryan Richard
0a805861ea Fix bug in code generator which prevented it from generating code
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 12:30:50 -07:00
Andrew Keesler
2b297c28d5
Get rid of TODO that was completed in ecde8fa8
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-21 10:38:28 -04:00
Ryan Richard
d0a9d8df33
pkg/config: force api.servingCertificate.renewBeforeSeconds to be positive
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 18:21:48 -04:00
Ryan Richard
88f3b41e71
deploy: add API cert config map values
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 17:14:16 -04:00
Andrew Keesler
89b6b9ee44
Merge pull request #68 from ankeesler/auto-rotate-ca
Use duration and renewBefore to control API cert rotation
2020-08-20 16:52:40 -04:00
Andrew Keesler
39c299a32d
Use duration and renewBefore to control API cert rotation
These configuration knobs are much more human-understandable than the
previous percentage-based threshold flag.

We now allow users to set the lifetime of the serving cert via a ConfigMap.
Previously this was hardcoded to 1 year.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 16:35:04 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
43888e9e0a
Make CA age threshold delta more observable via more precision
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 11:42:29 -04:00
Andrew Keesler
a26d86044e
internal/mocks: fix go generate call
We need a way to validate that this generated code is up to date. I added
a long-term engineering TODO for this.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:48:50 -04:00
Andrew Keesler
5946c2920a
Merge pull request #66 from ankeesler/auto-rotate-ca
Auto-rotate TLS certificates of the aggregated API endpoints before they expire
2020-08-20 10:22:30 -04:00
Andrew Keesler
6b90dc8bb7
Auto-rotate serving certificate
The rotation is forced by a new controller that deletes the serving cert
secret, as other controllers will see this deletion and ensure that a new
serving cert is created.

Note that the integration tests now have an addition worst case runtime of
60 seconds. This is because of the way that the aggregated API server code
reloads certificates. We will fix this in a future story. Then, the
integration tests should hopefully get much faster.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:03:36 -04:00
Matt Moyer
1b9a70d089
Switch back to an exec-based approach to grab the controller-manager CA. (#65)
This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 13:21:07 -05:00