Ryan Richard
87f2899047
impersonator_test.go: small refactor of previous commit
2021-03-11 17:24:52 -08:00
Ryan Richard
6ddf4c04e6
impersonator_test.go: Test failed and anonymous auth
2021-03-11 17:11:38 -08:00
Ryan Richard
1d68841c78
impersonator_test.go: Test one more thing and small refactors
2021-03-11 16:44:08 -08:00
Ryan Richard
f77c92560f
Rewrite impersonator_test.go, add missing argument to IssuePEM()
...
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.
The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d
Fix lint errors from a previous commit
2021-03-11 16:21:40 -08:00
Matt Moyer
d5beba354b
Merge pull request #487 from vmware-tanzu/dependabot/docker/golang-1.16.1
...
Bump golang from 1.16.0 to 1.16.1
2021-03-11 16:12:07 -08:00
Andrew Keesler
71712b2d00
Add test for http2
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
dependabot[bot]
ad3f04a982
Bump golang from 1.16.0 to 1.16.1
...
Bumps golang from 1.16.0 to 1.16.1.
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-11 22:25:17 +00:00
Matt Moyer
a52455504f
Capitalize "Concierge" in these error messages as well, for consistency.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
4f154100ff
Remove "--concierge-mode" flag from "pinniped login [...]" commands.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
d2d9b1e49e
Stop outputting "--concierge-mode" from "pinniped get kubeconfig".
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:13:29 -06:00
Matt Moyer
c9ce067a0e
Capitalize "API" in this error message.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:11:46 -06:00
Pablo Schuhmacher
1af25552a0
Update ROADMAP.md
2021-03-11 13:58:34 -08:00
Matt Moyer
a64786a728
Fix TestCLIGetKubeconfigStaticToken for new CLI log output.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 15:48:04 -06:00
Monis Khan
2d28d1da19
Implement all optional methods in dynamic certs provider
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 16:24:08 -05:00
Matt Moyer
78fdc59d2d
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
2021-03-11 14:56:11 -06:00
Ryan Richard
29d7f406f7
Test double impersonation as the cluster admin
2021-03-11 12:53:27 -08:00
Matt Moyer
3449b896d6
Merge pull request #488 from mattmoyer/add-retries-for-supervisor-discovery-tests
...
Add retries to TestSupervisorTLSTerminationWithSNI and TestSupervisorOIDCDiscovery.
2021-03-11 12:22:22 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Matt Moyer
e98c6dfdd8
Add retries to TestSupervisorTLSTerminationWithSNI and TestSupervisorOIDCDiscovery.
...
These tests occasionally flake because of a conflict error such as:
```
supervisor_discovery_test.go:105:
Error Trace: supervisor_discovery_test.go:587
supervisor_discovery_test.go:105
Error: Received unexpected error:
Operation cannot be fulfilled on federationdomains.config.supervisor.pinniped.dev "test-oidc-provider-lvjfw": the object has been modified; please apply your changes to the latest version and try again
Test: TestSupervisorOIDCDiscovery
```
These retries should improve the reliability of the tests.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 13:18:15 -06:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
...
This was failing on our laptops because 443 is a privileged port.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97
concierge_impersonation_proxy_test.go: Fix lint error in previous commit
2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee
Test using a service account token to auth to the impersonator
...
Also make each t.Run use its own namespace to slightly reduce the
interdependency between them.
Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6
Use ioutil.ReadFile instead of os.ReadFile
...
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Monis Khan
7b1ecf79a6
Fix race between err chan send and re-queue
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 10:13:29 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e
Add integration test for using WhoAmIRequest through impersonator
2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1
Use gorilla websocket library so squid proxy works
2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79
Small test refactor
2021-03-10 14:50:46 -08:00
Ryan Richard
2a2e2f532b
Remove an integration test that is covered elsewhere now
...
The same coverage that was supplied by
TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable
is now provided by an assertion at the end of TestImpersonationProxy,
so delete the duplicate test which was failing on GKE because the
impersonation proxy is now active by default on GKE.
2021-03-10 14:17:20 -08:00
Ryan Richard
1078bf4dfb
Don't pass credentials when testing impersonation proxy port is closed
...
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.
Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Matt Moyer
c14621428f
Merge pull request #485 from vmware-tanzu/pabloschuhmacher-patch-2
...
Create ROADMAP.md
2021-03-10 12:43:55 -08:00
Monis Khan
6582c23edb
Fix a race detector error in a unit test
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-10 11:24:42 -08:00
Ryan Richard
0b300cbe42
Use TokenCredentialRequest instead of base64 token with impersonator
...
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impersonation call on your behalf.
The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Pablo Schuhmacher
876f0a55d8
Create ROADMAP.md in actual markdown
...
fixed the random html generated when converting the google doc to markdown
2021-03-09 18:41:40 -08:00
Margo Crawford
c853707889
Added integration test for using websockets via the impersonation proxy
...
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00
Matt Moyer
005133fbfb
Add more debug logging when waiting for pending strategies.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 16:56:53 -06:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Matt Moyer
0abe10e6b2
Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending.
...
This behavior can be disabled with "--concierge-skip-wait".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 14:50:35 -06:00
Margo Crawford
883b90923d
Add integration test for kubectl port-forward with impersonation
2021-03-09 11:32:50 -08:00
Matt Moyer
d6a0dfa497
Add some debug logging when "pinniped get kubeconfig" fails to find a successful strategy.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:44:35 -06:00
Matt Moyer
29d5e43220
Fix minor typo in e2e_test.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:12:52 -06:00
Matt Moyer
eef1fd0c64
Merge pull request #481 from vmware-tanzu/dependabot/go_modules/github.com/ory/fosite-0.39.0
...
Bump github.com/ory/fosite from 0.38.0 to 0.39.0
2021-03-09 07:51:27 -06:00
dependabot[bot]
b2be83ee45
Bump github.com/ory/fosite from 0.38.0 to 0.39.0
...
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.38.0 to 0.39.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.38.0...v0.39.0)
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-09 05:50:01 +00:00
Matt Moyer
b20a8358d3
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
2021-03-08 15:16:40 -06:00
Matt Moyer
a58b460bcb
Switch TestImpersonationProxy to get clients from library.NewKubeclient instead of directly from kubernetes.NewForConfig.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 15:03:34 -06:00
Matt Moyer
8fd6a71312
Use simpler prefix matching for impersonation headers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:44:38 -06:00
Matt Moyer
6efbd81f75
Rename this flag types for consistency.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:33:38 -06:00
Matt Moyer
a059d8dfce
Refactor "get kubeconfig" a bit more to clean things up.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:31:13 -06:00