Andrew Keesler
943286bbc6
Merge pull request #157 from ankeesler/generate-jwk-key
...
Pinniped federation server generates and persists a JWT signing key
2020-10-15 11:55:22 -04:00
Andrew Keesler
e05213f9dd
supervisor-generate-key: use EC keys intead of RSA
...
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 11:33:08 -04:00
Andrew Keesler
5a0dab768f
test/integration: remove unused function (see 31225ac7a
)
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:26:15 -04:00
Andrew Keesler
fbcce700dc
Fix whitespace/spelling nits in JWKS controller
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:22:17 -04:00
Andrew Keesler
a5abe9ca3e
hack/lib/tilt: fix deployment change leftover from c030551a
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:20:09 -04:00
Andrew Keesler
1b99983441
apis: fix indentation in Go type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:19:00 -04:00
Andrew Keesler
31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:09:49 -04:00
Andrew Keesler
f21122a309
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-15 07:51:15 -04:00
Andrew Keesler
aef25163e2
Get rid of an extra dependency from c030551
...
I brought this over because I copied code from work in flight on
another branch. But now the other branch doesn't use this package.
No use bringing on another dependency if we can avoid it.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 07:51:07 -04:00
Andrew Keesler
87c7e9a556
hack/prepare-for-integration-tests.sh: default COLORTERM for when not set
...
Signed-off-by: Andrew Keesler <ankeesler1@gmail.com>
2020-10-14 20:18:10 -04:00
Ryan Richard
84a0084703
Tilefile watches for changes in ytt templates
...
- When using `local()` in the Tiltfile it will not know
to watch those files for changes, so each time we use
`local()` we now also use `watch_file()`
- As a result, editing a ytt template file now causes
an immediate `kubectl apply` of the results
2020-10-14 16:21:40 -07:00
Andrew Keesler
76e89b523b
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-14 17:40:17 -04:00
Andrew Keesler
c030551af0
supervisor-generate-key: unit and integration tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 16:41:16 -04:00
Matt Moyer
cd970616da
Merge pull request #149 from mattmoyer/oidc-cli-part-2
...
Finish initial OIDC CLI client implementation.
2020-10-14 13:40:12 -05:00
Matt Moyer
68d20298f2
Fix chromedriver usage inside our test container.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 13:18:11 -05:00
Matt Moyer
19a1d569c9
Restructure this test to avoid data races.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 12:28:08 -05:00
Ryan Richard
a197a26335
Change community meeting time
...
And some other general cleanup
2020-10-14 09:54:09 -07:00
Andrew Keesler
6aed025c79
supervisor-generate-key: initial spike
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:47:34 -04:00
Andrew Keesler
aa705afc72
hack/tilt-up.sh: let folks specify tilt flags
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:22:21 -04:00
Andrew Keesler
3d5937a8e8
deploy/supervisor: type: eaxmple -> example
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:22:15 -04:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00
Matt Moyer
50d80489be
Add initial CLI integration test for OIDC login.
...
This is our first test using a real browser to interact with an upstream provider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:41:53 -05:00
Matt Moyer
8a16a92c01
Rename some existing CLI test code.
...
It will no longer be the only CLI test, so the names should be a bit more specific.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:25:39 -05:00
Matt Moyer
d1e86e2616
Rename "TestClusterCapability" to more generic "Capability."
...
This will be used for other types of "capabilities" of the test environment besides just those of the test cluster, such as those of an upstream OIDC provider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 09:13:40 -05:00
Matt Moyer
67b692b11f
Implement the rest of an OIDC client CLI library.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
ce49d8bd7b
Remove the --use-pkce flag and just always use it.
...
Based on the spec, it seems like it's required that OAuth2 servers which do not support PKCE should just ignore the parameters, so this should always work.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
a13d7ec5a1
Remove temporary --debug-auth-code-exchange flag for OIDC client CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Ryan Richard
ff545db869
Merge pull request #148 from vmware-tanzu/supervisor-with-discovery
...
Beginning of a Pinniped Supervisor Server, starting with an OIDC Discovery Endpoint
2020-10-09 18:58:15 -07:00
Ryan Richard
6b135b93cf
Binding both kind workers to the same localhost port fails, so just bind one
2020-10-09 18:42:15 -07:00
Ryan Richard
d81d395c80
Get ready to deploy Supervisor in CI and run its integration tests
...
- Also use ./test/integration instead of ./test/... everywhere because
it will stream the output of the tests while they run
2020-10-09 18:07:13 -07:00
Ryan Richard
171f3ed906
Add some docs for how to configure the Supervisor app after installing
2020-10-09 16:28:34 -07:00
Ryan Richard
354b922e48
Allow creation of different Service types in Supervisor ytt templates
...
- Tiltfile and prepare-for-integration-tests.sh both specify the
NodePort Service using `--data-value-yaml 'service_nodeport_port=31234'`
- Also rename the namespaces used by the Concierge and Supervisor apps
during integration tests running locally
2020-10-09 16:00:11 -07:00
Ryan Richard
34549b779b
Make tilt work with the supervisor app and add more uninstall testing
...
- Also continue renaming things related to the concierge app
- Enhance the uninstall test to also test uninstalling the supervisor
and local-user-authenticator apps
2020-10-09 14:25:34 -07:00
Ryan Richard
72b2d02777
Rename integration test env variables
...
- Variables specific to concierge add it to their name
- All variables now start with `PINNIPED_TEST_` which makes it clear
that they are for tests and also helps them not conflict with the
env vars that are used in the Pinniped CLI code
2020-10-09 10:11:47 -07:00
Ryan Richard
b71959961d
Merge branch 'main' into supervisor-with-discovery
2020-10-09 10:00:50 -07:00
Ryan Richard
f5a6a0bb1e
Move all three deployment dirs under a new top-level deploy/
dir
2020-10-09 10:00:22 -07:00
Andrew Keesler
c555c14ccb
supervisor-oidc: add OIDCProviderConfig.Status.LastUpdateTime
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 11:54:50 -04:00
Andrew Keesler
bb015adf4e
Backfill tests to OIDCProviderConfig controller
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-09 10:39:17 -04:00
Andrew Keesler
fac4d074d0
internal/multierror: add tests
...
Signed-off-by: Andrew Keesler <ankeesler1@gmail.com>
2020-10-09 08:00:41 -04:00
Ryan Richard
b74486f305
Start back-filling unit tests for OIDCProviderConfigWatcherController
...
- Left some TODOs for more things that it should test
2020-10-08 17:40:58 -07:00
Ryan Richard
a4389562e3
Fix mistake in deployment.yaml where service selector was hardcoded
2020-10-08 16:20:21 -07:00
Andrew Keesler
05141592f8
Refactor provider.Manager
...
- And also handle when an issuer's path is a subpath of another issuer
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 14:40:56 -07:00
Ryan Richard
8b7d96f42c
Several small refactors related to OIDC providers
2020-10-08 11:28:21 -07:00
Andrew Keesler
da00fc708f
supervisor-oidc: checkpoint: add status to provider CRD
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 13:27:45 -04:00
Ryan Richard
6b653fc663
Creation and deletion of OIDC Provider discovery endpoints from config
...
- The OIDCProviderConfigWatcherController synchronizes the
OIDCProviderConfig settings to dynamically mount and unmount the
OIDC discovery endpoints for each provider
- Integration test passes but unit tests need to be added still
2020-10-07 19:18:34 -07:00
Andrew Keesler
154de991e4
Make concierge_api_discovery_test.go less sensitive to order in a list
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-07 11:42:30 -07:00
Andrew Keesler
f48a4e445e
Fix linting and unit tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 11:48:21 -04:00
Andrew Keesler
20ce142f90
Merge remote-tracking branch 'upstream/main' into supervisor-with-discovery
2020-10-07 11:37:33 -04:00
Andrew Keesler
c49ebf4b57
supervisor-oidc: int test passes, but impl needs refactor
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 11:33:50 -04:00
Andrew Keesler
019f44982c
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 10:54:56 -04:00