Commit Graph

2254 Commits

Author SHA1 Message Date
Matt Moyer
5c2e890ecd
Add "Extended IDP support" to the roadmap. 2021-07-01 10:48:13 -05:00
Matt Moyer
715cf7748a
Add "Identity transforms" feature to roadmap. 2021-07-01 10:17:40 -05:00
Matt Moyer
e0456b4485
Update ROADMAP given current state of work 2021-07-01 10:05:30 -05:00
Ryan Richard
629bf61655 Extract some trivial helpers for identical code usages 2021-06-30 15:02:14 -07:00
Matt Moyer
738e6aa3cc
Merge pull request #685 from vmware-tanzu/dependabot/go_modules/github.com/gofrs/flock-0.8.1
Bump github.com/gofrs/flock from 0.8.0 to 0.8.1
2021-06-30 10:53:39 -07:00
Guangyuan Wang
76dc39ac2d Use hostname instead of host and split on ":"
Co-authored-by: Christian Ang <angc@vmware.com>
Co-authored-by: Tyler Schultz <tschultz@vmware.com>
2021-06-28 23:03:05 +00:00
dependabot[bot]
43fee6bb94
Bump github.com/gofrs/flock from 0.8.0 to 0.8.1
Bumps [github.com/gofrs/flock](https://github.com/gofrs/flock) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/gofrs/flock/releases)
- [Commits](https://github.com/gofrs/flock/compare/v0.8.0...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/gofrs/flock
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-28 01:28:52 +00:00
Christian Ang
8026729c43 Use net.JoinHostPort instead of Sprintf
Co-authored-by: Guangyuan Wang <wguangyuan@vmware.com>
2021-06-24 23:19:11 +00:00
Guangyuan Wang
d19d63ad7d Set Proxy on oidc upstream watcher transport
- this allows the oidc upsream watcher to honor the
HTTP_PROXY,HTTPS_PROXY,NO_PROXY environment variables

Co-authored-by: Christian Ang <angc@vmware.com>
2021-06-24 22:35:16 +00:00
Mo Khan
a6141e911c
Merge pull request #683 from enj/enj/i/credentialrequest_notafter
credentialrequest: use safer approximation for ExpirationTimestamp
2021-06-23 11:55:29 -04:00
Monis Khan
5ff2be973c
credentialrequest: use safer approximation for ExpirationTimestamp
We want the value of time.Now() to be calculated before the call to
IssueClientCertPEM to prevent the ExpirationTimestamp from being
later than the notAfter timestamp on the issued certificate.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-23 11:07:00 -04:00
Matt Moyer
73201ba575
Merge pull request #682 from vmware-tanzu/dependabot/docker/debian-10.10-slim
Bump debian from 10.9-slim to 10.10-slim
2021-06-22 19:39:13 -07:00
dependabot[bot]
125d891cd5
Bump debian from 10.9-slim to 10.10-slim
Bumps debian from 10.9-slim to 10.10-slim.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-23 01:02:44 +00:00
Matt Moyer
682a47f739
Merge pull request #680 from mattmoyer/update-k8s-1.21.2
Update to Kubernetes 1.21.2 runtime components.
2021-06-22 10:23:14 -07:00
Matt Moyer
594e47efdf
Update to Kubernetes 1.21.2 runtime components.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-22 11:55:22 -05:00
Mo Khan
f09a45382e
Merge pull request #681 from enj/enj/i/fix_bad_name
Fix bad test package name
2021-06-22 12:54:29 -04:00
Monis Khan
d78b845575
Fix bad test package name
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 11:23:19 -04:00
Mo Khan
1929b47dda
Merge pull request #674 from mattmoyer/new-eventual-assertion-helpers
Improve our integration test "Eventually" assertions.
2021-06-22 11:15:06 -04:00
Matt Moyer
3efa7bdcc2
Improve our integration test "Eventually" assertions.
This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes.

This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-17 16:56:03 -05:00
Matt Moyer
6a9eb87c35
Update ROADMAP.md 2021-06-17 10:17:04 -05:00
Matt Moyer
3eba3e07c6
Merge pull request #669 from vmware-tanzu/dependabot/go_modules/github.com/golang/mock-1.6.0
Bump github.com/golang/mock from 1.5.0 to 1.6.0
2021-06-15 18:49:23 -07:00
dependabot[bot]
9f06869f76
Bump github.com/golang/mock from 1.5.0 to 1.6.0
Bumps [github.com/golang/mock](https://github.com/golang/mock) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/golang/mock/releases)
- [Changelog](https://github.com/golang/mock/blob/master/.goreleaser.yml)
- [Commits](https://github.com/golang/mock/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/golang/mock
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-16 01:22:04 +00:00
Matt Moyer
3f41261580
Merge pull request #673 from mattmoyer/refactor-static-client-struct-second-attempt
Use a custom type for our static CLI client.
2021-06-15 17:37:08 -07:00
Matt Moyer
551249fb69
Use a custom type for our static CLI client (smaller change).
Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the  `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change).

There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example.

This should be 100% refactor, with no user-observable change.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 15:31:48 -05:00
Mo Khan
1a610022cf
Merge pull request #671 from enj/enj/i/eks_rbac
TestServiceAccountPermissions: handle extra permissions on EKS
2021-06-15 11:46:24 -04:00
Monis Khan
524ff21b7f
TestServiceAccountPermissions: handle extra permissions on EKS
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-15 11:17:59 -04:00
Matt Moyer
913c140be8
Update the latest version number in the docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 09:46:51 -05:00
Mo Khan
e06c696bea
Merge pull request #670 from enj/enj/f/impersonator_always_authz
impersonator: always authorize every request
2021-06-14 16:16:12 -04:00
Monis Khan
269db6b7c2
impersonator: always authorize every request
This change updates the impersonator to always authorize every
request instead of relying on the Kuberentes API server to perform
the check on the impersonated request.  This protects us from
scenarios where we fail to correctly impersonate the user due to
some bug in our proxy logic.  We still rely completely on the API
server to perform admission checks on the impersonated requests.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-14 12:53:09 -04:00
Monis Khan
addf632e7c
impersonator: add docs regarding limited serivce account
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-11 15:37:55 -04:00
Mo Khan
87489da316
Merge pull request #667 from enj/enj/f/impersonator_distinct_sa
impersonator: run as a distinct SA with minimal permissions
2021-06-11 15:36:28 -04:00
Monis Khan
898f2bf942
impersonator: run as a distinct SA with minimal permissions
This change updates the impersonation proxy code to run as a
distinct service account that only has permission to impersonate
identities.  Thus any future vulnerability that causes the
impersonation headers to be dropped will fail closed instead of
escalating to the concierge's default service account which has
significantly more permissions.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-11 12:13:53 -04:00
Matt Moyer
918c50f6a7
Merge pull request #666 from vmware-tanzu/dependabot/go_modules/gopkg.in/square/go-jose.v2-2.6.0
Bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
2021-06-10 15:06:55 -07:00
Matt Moyer
9ca82116f1
Update ROADMAP.md 2021-06-10 12:45:23 -05:00
Matt Moyer
564c1f8ae5
Update ROADMAP.md 2021-06-10 10:27:20 -05:00
dependabot[bot]
c88aad873b
Bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0
Bumps [gopkg.in/square/go-jose.v2](https://github.com/square/go-jose) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/square/go-jose/releases)
- [Commits](https://github.com/square/go-jose/compare/v2.5.1...v2.6.0)

---
updated-dependencies:
- dependency-name: gopkg.in/square/go-jose.v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-08 05:41:45 +00:00
Mo Khan
9d27e6b4c6
Merge pull request #665 from enj/enj/i/impersonator_dead_code
impersonator: remove redundant deleteKnownImpersonationHeaders logic
2021-06-04 16:12:08 -04:00
Monis Khan
5b327a2b37
impersonator: remove redundant deleteKnownImpersonationHeaders logic
WithImpersonation already deletes impersonation headers and has done
so since the early days:

https://github.com/kubernetes/kubernetes/pull/36769

ensureNoImpersonationHeaders will still reject any request that has
impersonation headers set so we will always fail closed.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-04 15:22:01 -04:00
Matt Moyer
7114988eec
Merge pull request #663 from vmware-tanzu/dependabot/docker/golang-1.16.5
Bump golang from 1.16.4 to 1.16.5
2021-06-04 09:20:44 -05:00
Mo Khan
3a47060256
Merge pull request #645 from enj/enj/f/anon_impersonation_proxy
impersonator: honor anonymous authentication being disabled
2021-06-04 09:28:14 -04:00
Benjamin A. Petersen
492f6cfddf
impersonator: honor anonymous authentication being disabled
When anonymous authentication is disabled, the impersonation proxy
will no longer authenticate anonymous requests other than calls to
the token credential request API (this API is used to retrieve
credentials and thus must be accessed anonymously).

Signed-off-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-04 09:00:56 -04:00
dependabot[bot]
f417f706b9
Bump golang from 1.16.4 to 1.16.5
Bumps golang from 1.16.4 to 1.16.5.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-04 06:00:24 +00:00
Matt Moyer
02335e2ade
Bump the latest version referenced in the docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 17:25:32 -05:00
Matt Moyer
9b9e733a7d
Merge pull request #662 from mattmoyer/parameterize-test-images
Parameterize our test images in ytt.
2021-06-03 15:53:13 -05:00
Matt Moyer
df78e00df3
Parameterize our test images in ytt.
These are images we use for local and some CI testing.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 15:25:09 -05:00
Matt Moyer
b5ed4e6a13
Merge pull request #660 from mattmoyer/fix-credentialissuer-service-type-field-typo
Fix typo in CredentialIssuer ytt template.
2021-06-03 14:01:14 -05:00
Matt Moyer
500b444bad
Merge pull request #657 from vmware-tanzu/fix-ldap-supervisor-login-test-flake
Avoid a rare flake in TestSupervisorLogin.
2021-06-03 13:31:15 -05:00
Matt Moyer
d3e2859238
Merge pull request #658 from vmware-tanzu/fix-impersonation-notfound-handling
Tolerate NotFound when deleting services in `impersonatorconfig`.
2021-06-03 13:30:54 -05:00
Matt Moyer
5686591420
Avoid a rare flake in TestSupervisorLogin.
There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:13:56 -05:00
Matt Moyer
6903196c18
Fix a data race in TestImpersonationProxy.
The `require.Eventually()` function runs the body of the check in a separate goroutine, so it's not safe to use other `require` assertions as we did here. Our `library.RequireEventuallyWithoutError()` function does not spawn a goroutine, so it's safer to use here.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00