Matt Moyer
8fd6a71312
Use simpler prefix matching for impersonation headers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:44:38 -06:00
Ryan Richard
1b3103c9b5
Remove a nolint comment to satisfy the version of the linter used in CI
2021-03-03 13:37:03 -08:00
Ryan Richard
730092f39c
impersonator_config.go: refactor to clean up cert name handling
2021-03-03 09:22:35 -08:00
Ryan Richard
84cc42b2ca
Remove tls
field from the impersonator config
...
- Decided that we're not going to implement this now, although
we may decide to add it in the future
2021-03-02 15:28:13 -08:00
Margo Crawford
4c68050706
Allow all headers besides impersonation-* through impersonation proxy
2021-03-02 15:01:13 -08:00
Margo Crawford
f709da5569
Updated test assertions for new logger version
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:18:36 -08:00
Ryan Richard
aee7a7a72b
More WIP managing TLS secrets from the impersonation config controller
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 16:03:26 -08:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Ryan Richard
80ff5c1f17
Fix bug which prevented watches from working through impersonator
...
Also:
- Changed base64 encoding of impersonator bearer tokens to use
`base64.StdEncoding` to make it easier for users to manually
create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Andrew Keesler
b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 10:13:24 -05:00
Andrew Keesler
eb19980110
internal/concierge/impersonator: set user extra impersonation headers
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 09:26:47 -05:00
Andrew Keesler
c7905c6638
internal/concierge/impersonator: fail if impersonation headers set
...
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 08:15:50 -05:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
6512ab1351
internal/concierge/impersonator: don't care about namespace
...
Concierge APIs are no longer namespaced (see f015ad5852
).
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 17:11:59 -05:00
Ryan Richard
5cd60fa5f9
Move starting/stopping impersonation proxy server to a new controller
...
- Watch a configmap to read the configuration of the impersonation
proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
Those will come in future commits.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Ryan Richard
268ca5b7f6
Add config structs in impersonator package
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-09 13:44:19 -08:00
Andrew Keesler
8697488126
internal/concierge/impersonator: use kubeconfig from kubeclient
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 15:28:56 -05:00
Andrew Keesler
812f5084a1
internal/concierge/impersonator: don't mutate ServeHTTP() req
...
I added that test helper to create an http.Request since I wanted to properly
initialize the http.Request's context.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 13:25:32 -05:00
Matt Moyer
64aff7b983
Only log user ID, not user name/groups.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 09:31:30 -08:00
Margo Crawford
b6abb022f6
Add initial implementation of impersonation proxy.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-03 09:31:13 -08:00