Commit Graph

96 Commits

Author SHA1 Message Date
Joshua Casey
c51722a121 Run K8s codegen, adding 1.28.0 2023-08-28 10:50:11 -05:00
Joshua Casey
dc61d132cf Address PR feedback, especially to check that the CA bundle is some kind of valid cert 2023-08-03 14:57:21 -05:00
Joshua Casey
8df9033bfc Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure an externally provided TLS secret 2023-08-03 14:57:21 -05:00
Ryan Richard
0a1f966886 Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-31 11:09:08 -07:00
Ryan Richard
bad5e60a8e Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-25 09:52:15 -07:00
Ryan Richard
8c3395481b ran update.sh for new kube patch versions and adding 1.27 2023-05-10 12:39:35 -07:00
Ryan Richard
8ff6ef32e9 Allow additional claims to map into an ID token issued by the supervisor
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Monis Khan
59d67322d3
Static validation for OIDC clients
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
c117329553 Updates based on code review
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
0c1f48cbc1 Move oidcclient into config.supervisor.pinniped.dev
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Margo Crawford
479b6c421d fix out of date codegen images
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 09:51:37 -07:00
Margo Crawford
37884e7015 reran update.sh to get the codegen up to date
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 14:39:06 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
77f37b5a57 run codegen 2022-06-08 09:41:35 -07:00
Margo Crawford
0dec2eee32 Add enum validation for scopes and grant types
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-06 10:15:25 -07:00
Margo Crawford
3cacb5b022 Fix typo in oidcclient spec and status descriptions
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-06 07:38:57 -07:00
Margo Crawford
cd47ba53c2 Add CRD for OIDCClient
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-03 16:22:15 -07:00
Ryan Richard
bdabdf0f42 Update comment in FederationDomainTLSSpec 2022-04-05 09:53:22 -07:00
Margo Crawford
60d2b852ae Corresponds with making our CI use the head of the master branch of crd-ref-docs
This fixes #906

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 14:31:58 -08:00
Margo Crawford
b9582f864e Update comment for skipGroupRefresh 2022-02-17 12:50:28 -08:00
Margo Crawford
fdac4d16f0 Only run group refresh when the skipGroupRefresh boolean isn't set
for AD and LDAP
2022-02-17 12:50:28 -08:00
Ryan Richard
dec43289f6 Lots of small updates based on PR feedback 2021-10-20 15:53:25 -07:00
Ryan Richard
c43e019d3a Change default of additionalScopes and disallow "hd" in additionalAuthorizeParameters 2021-10-18 16:41:31 -07:00
Ryan Richard
ddb23bd2ed Add upstream refresh related config to OIDCIdentityProvider CRD
Also update related docs.
2021-10-14 15:49:44 -07:00
Margo Crawford
43694777d5 Change some comments on API docs, fix lint error by ignoring it 2021-08-26 16:55:43 -07:00
Margo Crawford
c590c8ff41 Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 12:19:29 -07:00
Margo Crawford
05afae60c2 Review comments--
- Change list of attributeParsingOverrides to a map
- Add unit test for sAMAccountName as group name without the override
- Change some comments in the the type definition.
2021-08-19 14:21:18 -07:00
Margo Crawford
90e6298e29 Update text on CRD templates to reflect new defaults 2021-08-18 10:39:01 -07:00
Ryan Richard
964d16110e Some refactors based on PR feedback from @enj 2021-08-17 13:14:09 -07:00
Ryan Richard
84c3c3aa9c Optionally allow OIDC password grant for CLI-based login experience
- Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec
- The oidc upstream watcher controller copies the value of
  `AllowPasswordGrant` into the configuration of the cached provider
- Add password grant to the UpstreamOIDCIdentityProviderI interface
  which is implemented by the cached provider instance for use in the
  authorization endpoint
- Enhance the IDP discovery endpoint to return the supported "flows"
  for each IDP ("cli_password" and/or "browser_authcode")
- Enhance `pinniped get kubeconfig` to help the user choose the desired
  flow for the selected IDP, and to write the flow into the resulting
  kubeconfg
- Enhance `pinniped login oidc` to have a flow flag to tell it which
  client-side flow it should use for auth (CLI-based or browser-based)
- In the Dex config, allow the resource owner password grant, which Dex
  implements to also return ID tokens, for use in integration tests
- Enhance the authorize endpoint to perform password grant when
  requested by the incoming headers. This commit does not include unit
  tests for the enhancements to the authorize endpoint, which will come
  in the next commit
- Extract some shared helpers from the callback endpoint to share the
  code with the authorize endpoint
- Add new integration tests
2021-08-12 10:45:39 -07:00
Margo Crawford
00978c15f7 Update wording for ActiveDirectoryIdentityProvider crd 2021-07-23 13:01:41 -07:00
Margo Crawford
8fb35c6569 Active Directory cli options 2021-07-23 13:01:40 -07:00
Margo Crawford
b06de69f6a ActiveDirectoryIdentityProvider
- Create CRD
- Create implementation of AD-specific user search defaults
2021-07-23 13:01:40 -07:00
Matt Moyer
ff9095f9c4
Fix typo in generated API docs (s/mode/type/).
This CredentialIssuer field is called `spec.impersonationProxy.service.type`, not `spec.impersonationProxy.service.mode`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 11:28:02 -05:00
Ryan Richard
cedbe82bbb Default groupSearch.attributes.groupName to "dn" instead of "cn"
- DNs are more unique than CNs, so it feels like a safer default
2021-05-28 13:27:11 -07:00
Matt Moyer
fabc08b01b
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-24 15:49:13 -05:00
Matt Moyer
13372a43e6
Update generated code from previous commit. 2021-05-19 11:41:35 -05:00
Matt Moyer
e885114221
Add generated code from adding spec fields to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
4a456446ff
Update doc comments for types_credentialissuer.go.tmpl.
Update to follow https://golang.org/doc/effective_go#commentary:

> The first sentence should be a one-sentence summary that starts with the name being declared.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
e9d5743845 Add authentication dry run validation to LDAPIdentityProvider
Also force the LDAP server pod to restart whenever the LDIF file
changes, so whenever you redeploy the tools deployment with a new test
user password the server will be updated.
2021-04-16 14:04:05 -07:00
Ryan Richard
fec3d92f26 Add integration test for upstreamldap.Provider
- The unit tests for upstreamldap.Provider need to mock the LDAP server,
  so add an integration test which allows us to get fast feedback for
  this code against a real LDAP server.
- Automatically wrap the user search filter in parenthesis if it is not
  already wrapped in parens.
- More special handling for using "dn" as the username or UID attribute
  name.
- Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 15:23:14 -07:00