Commit Graph

1037 Commits

Author SHA1 Message Date
Joshua Casey
8fd55a1d81 Adjust test expectations for compilation differences with 1.21
- Requires some production code changes, to use pointers to function variables instead of pointers to functions
2023-09-06 14:52:01 -05:00
Joshua Casey
3908097c54 Run 'go fix ./...' with go1.21.0 2023-09-06 14:52:01 -05:00
Joshua Casey
12f18cbed8 Inline and remove testutil.TempDir 2023-09-06 14:52:01 -05:00
Joshua Casey
05a1187e2e Simplify build tags associated with unsupported golang versions 2023-09-06 14:52:01 -05:00
Joshua Casey
76933f69b9 Update comments to indicate support for newer versions of Kubernetes 2023-08-29 15:40:52 -05:00
Joshua Casey
2dcc149fee Split off helper function 2023-08-28 12:14:14 -05:00
Joshua Casey
38230fc518 Use pversion to retrieve buildtime information 2023-08-28 11:54:27 -05:00
Joshua Casey
ca05969f8d Integration tests should use 'kubectl explain --output plaintext-openapiv2'
- OpenAPIV3 discovery of aggregate APIs seems to need a little more work in K8s 1.28
2023-08-28 10:50:11 -05:00
Joshua Casey
1b504b6fbd Expose OpenAPIv3 explanations 2023-08-28 10:50:11 -05:00
Joshua Casey
23ec91dee0 K8s API Server audit events are no longer pointers 2023-08-28 10:50:10 -05:00
Joshua Casey
1707995378 Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy 2023-08-08 20:17:21 -05:00
Joshua Casey
dc61d132cf Address PR feedback, especially to check that the CA bundle is some kind of valid cert 2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b Add integration test to verify that the impersonation proxy will use an external TLS serving cert 2023-08-03 14:57:21 -05:00
Joshua Casey
ee75a63057 Test Refactor: use explicit names for mTLS signing cert 2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Joshua Casey
3e57716f0e The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace 2023-08-03 14:57:21 -05:00
Joshua Casey
63b5f921e1 Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated 2023-07-28 09:16:02 -05:00
Ryan Richard
743cb2d250 kube cert agent pod requests 0 cpu to avoid scheduling failures 2023-07-25 10:09:30 -07:00
Joshua Casey
39912060f7 Remove untested comments 2023-07-19 15:50:12 -05:00
Joshua Casey
c142c52258 Do not name return variables 2023-07-19 15:49:22 -05:00
Joshua Casey
741ccfd2ce Fix lint 2023-07-19 15:47:48 -05:00
Joshua Casey
183c771d4e Mark untested code paths 2023-07-19 15:47:48 -05:00
Joshua Casey
3d7eb55fc2 Pass caBundle instead of an object 2023-07-19 15:47:48 -05:00
Joshua Casey
5004925444 Backfill test cases 2023-07-19 15:47:48 -05:00
Joshua Casey
10c3e482b4 Prefer early return 2023-07-19 15:47:48 -05:00
Joshua Casey
8d8e1f3abd Backfill issuer tests 2023-07-19 15:47:48 -05:00
Joshua Casey
f8ce2af08c Use go:embed for easier to read tests 2023-07-19 15:47:48 -05:00
Joshua Casey
52b0cf43ca Fix godoc 2023-07-19 15:47:47 -05:00
Joshua Casey
67cd5e70c2 Func ldap.Conn.Close() now returns an error
- https://github.com/go-ldap/ldap/compare/v3.4.4...v3.4.5
2023-07-06 16:48:25 -07:00
Ryan Richard
d30d76b7ac Increase some test timeouts 2023-05-31 17:41:36 -07:00
Ryan Richard
600d002a35 Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
- Load the setting in the controller.
- The LDAP auth code is shared between AD and LDAP,
  so no new changes there in this commit.
2023-05-31 11:17:40 -07:00
Ryan Richard
c187474499 Use groupSearch.userAttributeForFilter during LDAP group searches
Load the setting in the controller.
Use the setting during authentication and during refreshes.
2023-05-25 14:25:17 -07:00
Ryan Richard
bd95f33f5e Update string "zapr@v1.2.4" in unit test expectation 2023-05-12 09:18:47 -07:00
Ryan Richard
bc9afc4554 Aggregated API endpoints now must implement rest.SingularNameProvider
This was a change in the interface requirements introduced in Kube 1.27.
2023-05-10 16:50:50 -07:00
Ryan Richard
a1a99b9eeb Replace usages of deprecated funcs from the wait pkg 2023-05-10 11:41:11 -07:00
Ryan Richard
f7fac330f5 Fix typo that prevented compiling with Go 1.19 2023-04-03 11:46:11 -07:00
Ryan Richard
f99ca61bba Upgrade dep github.com/go-logr/logr@v1.2.3 to v1.2.4 2023-03-31 10:23:58 -07:00
Joshua Casey
fc0f9d959a Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 14:55:37 -05:00
Joshua Casey
1c8ab72f4f Update test asserts for Golang 1.19 and 1.20 TLS error messages 2023-03-07 12:25:10 -06:00
Joshua Casey
8b8af49651 Bump all direct go dependencies 2023-02-27 14:16:49 -06:00
Joshua Casey
77041760cc Ignore lint issues for deprecated Pool.Subjects()
- 4aa1efed48/src/crypto/x509/cert_pool.go (L243-L244)
2023-01-31 10:10:44 -06:00
Joshua Casey
b9c8e359ab Use sync/atomic instead of go.uber.org/atomic 2023-01-31 10:10:44 -06:00
Joshua Casey
24cf7c5bcd Remove internal/psets in favor of k8s.io/apimachinery/pkg/util/sets 2023-01-31 10:10:44 -06:00
Ryan Richard
c6e4133c5e Accept both old and new cert error strings on MacOS in test assertions
Used this as an opportunity to refactor how some tests were
making assertions about error strings.

New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.

All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
7ff3b3d9cb Code changes to support Kube 0.26 deps 2023-01-18 14:39:22 -08:00
Ryan Richard
2f9b8b105d update copyright to 2023 in files changed by this PR 2023-01-17 15:54:16 -08:00
Ryan Richard
2633d72ce2 Change some test variable names related to additional claims
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:59 -08:00
Joshua Casey
9acc456fd7 Update token_handler_test to check additionalClaims for bools, numbers, and slices
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Ryan Richard
8ff6ef32e9 Allow additional claims to map into an ID token issued by the supervisor
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
bc7ffd37a6 Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 11:07:42 -08:00