Joshua Casey
2dcc149fee
Split off helper function
2023-08-28 12:14:14 -05:00
Joshua Casey
38230fc518
Use pversion to retrieve buildtime information
2023-08-28 11:54:27 -05:00
Joshua Casey
ca05969f8d
Integration tests should use 'kubectl explain --output plaintext-openapiv2'
...
- OpenAPIV3 discovery of aggregate APIs seems to need a little more work in K8s 1.28
2023-08-28 10:50:11 -05:00
Joshua Casey
1b504b6fbd
Expose OpenAPIv3 explanations
2023-08-28 10:50:11 -05:00
Joshua Casey
23ec91dee0
K8s API Server audit events are no longer pointers
2023-08-28 10:50:10 -05:00
Joshua Casey
1707995378
Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy
2023-08-08 20:17:21 -05:00
Joshua Casey
dc61d132cf
Address PR feedback, especially to check that the CA bundle is some kind of valid cert
2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b
Add integration test to verify that the impersonation proxy will use an external TLS serving cert
2023-08-03 14:57:21 -05:00
Joshua Casey
ee75a63057
Test Refactor: use explicit names for mTLS signing cert
2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e
Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
...
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Joshua Casey
3e57716f0e
The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace
2023-08-03 14:57:21 -05:00
Joshua Casey
63b5f921e1
Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated
2023-07-28 09:16:02 -05:00
Ryan Richard
743cb2d250
kube cert agent pod requests 0 cpu to avoid scheduling failures
2023-07-25 10:09:30 -07:00
Joshua Casey
39912060f7
Remove untested comments
2023-07-19 15:50:12 -05:00
Joshua Casey
c142c52258
Do not name return variables
2023-07-19 15:49:22 -05:00
Joshua Casey
741ccfd2ce
Fix lint
2023-07-19 15:47:48 -05:00
Joshua Casey
183c771d4e
Mark untested code paths
2023-07-19 15:47:48 -05:00
Joshua Casey
3d7eb55fc2
Pass caBundle instead of an object
2023-07-19 15:47:48 -05:00
Joshua Casey
5004925444
Backfill test cases
2023-07-19 15:47:48 -05:00
Joshua Casey
10c3e482b4
Prefer early return
2023-07-19 15:47:48 -05:00
Joshua Casey
8d8e1f3abd
Backfill issuer tests
2023-07-19 15:47:48 -05:00
Joshua Casey
f8ce2af08c
Use go:embed for easier to read tests
2023-07-19 15:47:48 -05:00
Joshua Casey
52b0cf43ca
Fix godoc
2023-07-19 15:47:47 -05:00
Joshua Casey
67cd5e70c2
Func ldap.Conn.Close() now returns an error
...
- https://github.com/go-ldap/ldap/compare/v3.4.4...v3.4.5
2023-07-06 16:48:25 -07:00
Ryan Richard
d30d76b7ac
Increase some test timeouts
2023-05-31 17:41:36 -07:00
Ryan Richard
600d002a35
Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
...
- Load the setting in the controller.
- The LDAP auth code is shared between AD and LDAP,
so no new changes there in this commit.
2023-05-31 11:17:40 -07:00
Ryan Richard
c187474499
Use groupSearch.userAttributeForFilter during LDAP group searches
...
Load the setting in the controller.
Use the setting during authentication and during refreshes.
2023-05-25 14:25:17 -07:00
Ryan Richard
bd95f33f5e
Update string "zapr@v1.2.4" in unit test expectation
2023-05-12 09:18:47 -07:00
Ryan Richard
bc9afc4554
Aggregated API endpoints now must implement rest.SingularNameProvider
...
This was a change in the interface requirements introduced in Kube 1.27.
2023-05-10 16:50:50 -07:00
Ryan Richard
a1a99b9eeb
Replace usages of deprecated funcs from the wait pkg
2023-05-10 11:41:11 -07:00
Ryan Richard
f7fac330f5
Fix typo that prevented compiling with Go 1.19
2023-04-03 11:46:11 -07:00
Ryan Richard
f99ca61bba
Upgrade dep github.com/go-logr/logr@v1.2.3 to v1.2.4
2023-03-31 10:23:58 -07:00
Joshua Casey
fc0f9d959a
Bump golangci-lint to 1.51.2 and fix lint issues
2023-03-16 14:55:37 -05:00
Joshua Casey
1c8ab72f4f
Update test asserts for Golang 1.19 and 1.20 TLS error messages
2023-03-07 12:25:10 -06:00
Joshua Casey
8b8af49651
Bump all direct go dependencies
2023-02-27 14:16:49 -06:00
Joshua Casey
77041760cc
Ignore lint issues for deprecated Pool.Subjects()
...
- 4aa1efed48/src/crypto/x509/cert_pool.go (L243-L244)
2023-01-31 10:10:44 -06:00
Joshua Casey
b9c8e359ab
Use sync/atomic instead of go.uber.org/atomic
2023-01-31 10:10:44 -06:00
Joshua Casey
24cf7c5bcd
Remove internal/psets in favor of k8s.io/apimachinery/pkg/util/sets
2023-01-31 10:10:44 -06:00
Ryan Richard
c6e4133c5e
Accept both old and new cert error strings on MacOS in test assertions
...
Used this as an opportunity to refactor how some tests were
making assertions about error strings.
New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.
All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
7ff3b3d9cb
Code changes to support Kube 0.26 deps
2023-01-18 14:39:22 -08:00
Ryan Richard
2f9b8b105d
update copyright to 2023 in files changed by this PR
2023-01-17 15:54:16 -08:00
Ryan Richard
2633d72ce2
Change some test variable names related to additional claims
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:59 -08:00
Joshua Casey
9acc456fd7
Update token_handler_test to check additionalClaims for bools, numbers, and slices
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Ryan Richard
8ff6ef32e9
Allow additional claims to map into an ID token issued by the supervisor
...
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
bc7ffd37a6
Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
...
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 11:07:42 -08:00
Ryan Richard
976035115e
Stop using pointer pkg functions that were deprecated by dependency bump
2022-12-14 08:47:16 -08:00
Ryan Richard
85b67f254c
Add more assertion to token_handler_test.go for token exchange exp claim
2022-12-14 08:47:16 -08:00
Ryan Richard
e1a0367b03
Upgrade project Go dependencies
...
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688
Due to the changes in fosite PR #688 , we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
Ryan Richard
110681cdb8
Fix the name of the API Service updater controller in the log messages
2022-09-26 12:37:34 -07:00
Ryan Richard
bad95c072e
Upgrade project dependencies to latest
...
- Upgrade Go used in CI from 1.19.0 to 1.19.1
- Upgrade all go.mod direct dependencies to latest available versions
- Upgrade distroless base image to latest available version
- Upgrade Go fips compiler to to latest available version
Note that upgrading the go-oidc library changed an error message
returned by that library, so update the places where tests were
expecting that error message.
2022-09-23 14:41:54 -07:00