Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Matt Moyer
b13a8075e4
Merge pull request #183 from vmware-tanzu/non-root
Run as non-root
2020-11-02 17:39:14 -06:00
Ryan Richard
d596f8c3e5
Empty commit to trigger CI
2020-11-02 15:18:39 -08:00
Ryan Richard
75c35e74cc
Refactor and add unit tests for previous commit to run agent pod as root
2020-11-02 15:03:37 -08:00
Matt Moyer
e4f4cd7ca0
Merge pull request #181 from mattmoyer/add-psp-cluster-role-permission
Give the concierge access to use any PodSecurityPolicy.
2020-11-02 15:35:56 -06:00
Ryan Richard
a01921012d
kubecertagent: explicitly run as root
We need root here because the files that this pod reads are
most likely restricted to root access.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:33:46 -05:00
Ryan Richard
2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:32:50 -05:00
Matt Moyer
935577f8e7
Give the concierge access to use any PodSecurityPolicy.
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.
This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 15:10:00 -06:00
Ryan Richard
781f86d18c
deploy: add memory limits
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.
The limits == requests for "Guaranteed" QoS.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 14:57:39 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Andrew Keesler
7639d5e161
Merge pull request #178 from ankeesler/test-cleanup
test/integration: protect from NPE and follow doc conventions
2020-11-02 12:22:34 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling
Handle custom labels better in the agent pod controllers
2020-11-02 09:08:42 -08:00
Andrew Keesler
fb3c5749e8
test/integration: protect from NPE and follow doc conventions
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 11:51:02 -05:00
Ryan Richard
7597b12a51
Small unit test changes for deleter_test.go
2020-11-02 08:40:39 -08:00
Matt Moyer
5bbfc35d27
Merge pull request #175 from mattmoyer/split-config-apis
Split the config CRDs into two API groups.
2020-10-30 19:42:03 -05:00
Ryan Richard
f76b9857da
Don't use custom labels when selecting an agent pod
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Ryan Richard
01f4fdb5c3
Remove namespace from a ClusterRoleBinding, which is not namespaced
2020-10-30 16:10:04 -07:00
Andrew Keesler
a5379c08e2
Whitespace-only change in two files
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-30 15:18:40 -07:00
Matt Moyer
ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
2020-10-30 15:50:39 -05:00
Ryan Richard
4b7592feaf
Skip a part of an integration test which is not so easy with real Ingress
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-30 13:19:34 -07:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
59431a3d3d
Merge pull request #173 from mattmoyer/parallel-codegen
Do codegen across all versions in parallel.
2020-10-30 13:45:21 -05:00
Matt Moyer
9760c03617
Do codegen across all versions in parallel.
This only matters for local development, since we don't use this script directly in CI. Makes the full codegen step take ~90s on my laptop.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 11:12:53 -05:00
Matt Moyer
8b8ffc21c4
Merge pull request #172 from mattmoyer/rename-login-api
Rename login API to `login.concierge.pinniped.dev`.
2020-10-30 10:23:45 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
3277e778ea
Add a comment to an integration test
2020-10-29 15:42:22 -07:00
Ryan Richard
9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
2020-10-28 17:15:11 -07:00
Ryan Richard
059b6e885f
Allow ytt templating of the loadBalancerIP
for the supervisor
2020-10-28 16:45:23 -07:00
Ryan Richard
4af508981a
Make default TLS secret name from app name in supervisor_discovery_test.go
2020-10-28 16:11:19 -07:00
Ryan Richard
a007fc3bd3
Form paths correctly when the path arg is empty in supervisor_discovery_test.go
2020-10-28 15:22:53 -07:00
Ryan Richard
c52874250a
Fix a mistake in supervisor_discovery_test.go
- Should not fail when the default TLS cert does not exist in the
test cluster before the test started
2020-10-28 14:25:01 -07:00
Ryan Richard
01dddd3cae
Add some docs for configuring supervisor TLS
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 13:42:02 -07:00
Andrew Keesler
bd04570e51
supervisor_discovery_test.go tests hostnames are treated as case-insensitive
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 13:09:20 -07:00
Ryan Richard
8ff64d4c1a
Require https scheme for OIDCProviderConfig Issuer field
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Andrew Keesler
2542a8e175
Stash and restore any pre-existing default TLS cert in supervisor_discovery_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 12:32:21 -07:00
Ryan Richard
29e0ce5662
Configure name of the supervisor default TLS cert secret via ConfigMap
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
978ecda758
Test SNI & default certs being used at the same time in integration test
2020-10-28 08:58:50 -07:00
Ryan Richard
170d3a3993
Forgot to commit some test fixtures in a prior commit
2020-10-27 17:00:00 -07:00
Ryan Richard
2777c4e9f3
Update prepare-for-integration-tests.sh to use ./hack/kind-{up,down}.sh
2020-10-27 16:56:53 -07:00
Ryan Richard
38802c2184
Add a way to set a default supervisor TLS cert for when SNI won't work
- Setting a Secret in the supervisor's namespace with a special name
will cause it to get picked up and served as the supervisor's TLS
cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
issuer and the user will be accessing it via IP address. This
is not how we would expect it to be used in production, but it
might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 16:33:08 -07:00
Andrew Keesler
7bce16737b
Get rid of WIP workflow
See d5dd65c, 45189e3, 96c4661. I pushed to the wrong remote...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:39:19 -04:00
Andrew Keesler
96c4661a25
Fix unit-tests workflow YAML.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:26:11 -04:00
Andrew Keesler
45189e3e2b
No way this windows-unit-tests workflow works.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:20:12 -04:00
Andrew Keesler
d5dd65cfe8
So...does this macos-unit-tests workflow work?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:00:54 -04:00
Ryan Richard
1f1b6c884e
Add integration test: supervisor TLS termination and SNI virtual hosting
- Also reduce the minimum allowed TLS version to v1.2, because v1.3
is not yet supported by some common clients, e.g. the default MacOS
curl command
2020-10-27 14:57:25 -07:00