djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,450 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

1450 Commits

Author SHA1 Message Date
Matt Moyer 3ce3403b95
Update ./hack/update.sh to add a "latest" package. 
This is just a copy of the newest Kubernetes version, but as a plain package and not a submodule.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-16 12:28:29 -06:00
Andrew Keesler fac571b51a
Merge pull request #410 from ankeesler/update-copyright 
generated: include 2021 in copyright
 2021-02-11 12:26:31 -05:00
Andrew Keesler c8b1f00107
generated: include 2021 in copyright 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-11 10:52:01 -05:00
Mo Khan f015ad5852
Merge pull request #405 from enj/enj/i/cluster_scope_concierge 
Cluster scope all concierge APIs
 2021-02-11 08:50:42 -05:00
Monis Khan b04fd46319
Update federation domain logic to use status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 4c304e4224
Assert all APIs have a status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 0a9f446893
Update credential issuer logic to use status subresource 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:10 -05:00
Monis Khan 96cec59236
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan 4faf724c2c
Make credential issuer status optional 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan de88ae2f61
Fix status related RBAC 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan dd3d1c8b1b
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:09 -05:00
Monis Khan 2e9baf9fa6
Correctly generate status subresource for all CRDs 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:08 -05:00
Monis Khan ac01186499
Use API service as owner ref for cluster scoped resources 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:08 -05:00
Monis Khan 2eb01bd307
authncache: remove namespace concept 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:08 -05:00
Monis Khan 741b8fe88d
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:08 -05:00
Monis Khan d25c6d9d0a
Make kubebuilder CRDs cluster scoped 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:08 -05:00
Monis Khan 89b00e3702
Declare war on namespaces 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:07 -05:00
Monis Khan d2480e6300
Generated 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:07 -05:00
Monis Khan 4205e3dedc
Make concierge APIs cluster scoped 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-10 21:52:07 -05:00
Matt Moyer ee80920ffd
Merge pull request #409 from mattmoyer/upgrade-debian 
Upgrade Debian base images from 10.7 to 10.8.
 2021-02-10 16:57:09 -06:00
Matt Moyer 45f4a0528c
Upgrade Debian base images from 10.7 to 10.8. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-10 15:57:16 -06:00
Andrew Keesler d0266cecdb
Merge pull request #390 from ankeesler/use-more-middleware 
Use middleware to mutate TokenCredentialRequest.Spec.Authenticator.APIGroup
 2021-02-10 16:38:54 -05:00
Andrew Keesler 0fc1f17866
internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 
This is a partial revert of 288d9c999e. For some reason it didn't occur to me
that we could do it this way earlier. Whoops.

This also contains a middleware update: mutation funcs can return an error now
and short-circuit the rest of the request/response flow. The idea here is that
if someone is configuring their kubeclient to use middleware, they are agreeing
to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's
must have an Spec.Authenticator.APIGroup set).

I also updated some internal/groupsuffix tests to be more realistic.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-10 15:53:44 -05:00
Andrew Keesler ae6503e972
internal/plog: add KObj() and KRef() 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-10 14:25:39 -05:00
Mo Khan 44b7679e9f
Merge pull request #407 from ankeesler/test-flake 
test/integration: make TestKubeCertAgent more stable
 2021-02-10 14:24:44 -05:00
Andrew Keesler 12d5b8959d
test/integration: make TestKubeCertAgent more stable 
I think the reason we were seeing flakes here is because the kube cert agent
pods had not reached a steady state even though our test assertions passed, so
the test would proceed immediately and run more assertions on top of a weird
state of the kube cert agent pods.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-10 12:08:34 -05:00
Andrew Keesler 5b076e7421
Merge pull request #404 from ankeesler/remove-deprecated-commands 
cmd/pinniped: delete get-kubeconfig + exchange-token
 2021-02-10 08:33:00 -05:00
Andrew Keesler 1ffe70bbea
cmd/pinniped: delete get-kubeconfig + exchange-token 
These were deprecated in v0.3.0.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-09 17:01:57 -05:00
Mo Khan cf735715f6
Merge pull request #394 from enj/enj/i/server_side_tcr_api_group 
Use server scheme to handle credential request API group changes
 2021-02-09 16:36:13 -05:00
Monis Khan 2679d27ced
Use server scheme to handle credential request API group changes 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-09 15:51:38 -05:00
Monis Khan 6b71b8d8ad
Revert server side token credential request API group changes 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-09 15:51:35 -05:00
Andrew Keesler 43da4ab2e0
SECURITY.md: follow established pattern 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-09 09:08:19 -05:00
Matt Moyer e4d8af6701
Merge pull request #399 from mattmoyer/upgrade-go 
Upgrade Go from 1.15.7 to 1.15.8.
 2021-02-08 18:17:17 -06:00
Matt Moyer d06c935c2c
Upgrade Go from 1.15.7 to 1.15.8. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-08 10:58:51 -06:00
Mo Khan 9399b5d800
Merge pull request #395 from enj/enj/i/remove_multierror 
Remove multierror package and migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate
 2021-02-05 15:14:25 -05:00
Monis Khan 05a471fdf9
Migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-05 12:56:05 -05:00
Monis Khan 81d4e50f94
Remove multierror package 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-05 12:55:18 -05:00
Matt Moyer 850f030fe3
Merge pull request #393 from enj/enj/i/no_op_tcr_list 
Add no-op list support to token credential request
 2021-02-05 11:09:09 -06:00
Monis Khan f7958ae75b
Add no-op list support to token credential request 
This allows us to keep all of our resources in the pinniped category
while not having kubectl return errors for calls such as:

kubectl get pinniped -A

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-02-05 10:59:39 -05:00
Andrew Keesler ee05f155ca
Merge pull request #392 from ankeesler/flowcontrol-rbac 
deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations
 2021-02-05 09:19:50 -05:00
Andrew Keesler 2ae631b603
deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations 
As of upgrading to Kubernetes 1.20, our aggregated API server nows runs some
controllers for the two flowcontrol.apiserver.k8s.io resources in the title of
this commit, so it needs RBAC to read them.

This should get rid of the following error messages in our Concierge logs:
  Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
  Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-05 08:19:12 -05:00
Matt Moyer 9c64476aee
Tweak some small bits in the blog post. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-04 17:51:35 -06:00
Matt Moyer b6e98b5783
Update the get.pinniped.dev redirect to always point at the latest version. 
I messed this up before because the ordering of the path components is a bit different than in the specific version case.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-04 17:48:41 -06:00
Matt Moyer 9addb4d6e0
Merge pull request #385 from vmware-tanzu/credential_request_spec_api_group 
Use custom suffix in `Spec.Authenticator.APIGroup` of `TokenCredentialRequest`
 2021-02-04 16:19:20 -06:00
Ryan Richard 2a921f7090
Merge branch 'main' into credential_request_spec_api_group 2021-02-04 13:44:53 -08:00
Matt Moyer bb8b65cca6
Merge pull request #387 from vmware-tanzu/blog/multiple-pinnipeds 
Add a v0.5.0 "multiple Pinnipeds" blog post.
 2021-02-04 15:22:52 -06:00
Matt Moyer 5c331e9002
Fix go.pinniped.dev redirects. 
Our meeting notes are now on HackMD, our Zoom link changed, and I added a YouTube link.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-02-04 14:56:50 -06:00
Matt Moyer 1382fc6e5f
Add a v0.5.0 "multiple Pinnipeds" blog post. 2021-02-04 14:56:49 -06:00
Andrew Keesler cc8c917249
Merge pull request #325 from ankeesler/restart-test 
Add an integration test helper to assert that no pods restart during the test
 2021-02-04 13:07:40 -05:00
Andrew Keesler ae498f14b4
test/integration: ensure no pods restart during integration tests 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-02-04 10:24:33 -05:00