Commit Graph

1257 Commits

Author SHA1 Message Date
Andrew Keesler
39c299a32d
Use duration and renewBefore to control API cert rotation
These configuration knobs are much more human-understandable than the
previous percentage-based threshold flag.

We now allow users to set the lifetime of the serving cert via a ConfigMap.
Previously this was hardcoded to 1 year.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 16:35:04 -04:00
Ryan Richard
3929fa672e Rename project 2020-08-20 10:54:15 -07:00
Andrew Keesler
43888e9e0a
Make CA age threshold delta more observable via more precision
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 11:42:29 -04:00
Andrew Keesler
a26d86044e
internal/mocks: fix go generate call
We need a way to validate that this generated code is up to date. I added
a long-term engineering TODO for this.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:48:50 -04:00
Andrew Keesler
5946c2920a
Merge pull request #66 from ankeesler/auto-rotate-ca
Auto-rotate TLS certificates of the aggregated API endpoints before they expire
2020-08-20 10:22:30 -04:00
Andrew Keesler
6b90dc8bb7
Auto-rotate serving certificate
The rotation is forced by a new controller that deletes the serving cert
secret, as other controllers will see this deletion and ensure that a new
serving cert is created.

Note that the integration tests now have an addition worst case runtime of
60 seconds. This is because of the way that the aggregated API server code
reloads certificates. We will fix this in a future story. Then, the
integration tests should hopefully get much faster.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-20 10:03:36 -04:00
Matt Moyer
1b9a70d089
Switch back to an exec-based approach to grab the controller-manager CA. (#65)
This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 13:21:07 -05:00
Andrew Keesler
40d1360b74
hack/lib/codegen.sh: get rid of TODO about K8S_PKG_VERSION
See c43946c in the CI repo.
2020-08-18 13:18:41 -04:00
Ryan Richard
57578f16d4
Merge pull request #64 from suzerain-io/probes
Implement basic liveness and readiness probes
2020-08-18 09:19:24 -07:00
Ryan Richard
003aef75d2 For liveness and readiness, succeed quickly and fail slowly
- No reason to wait a long time before the first check, since our
  app should start quickly
2020-08-18 09:18:51 -07:00
Andrew Keesler
e3397c1c35
Hide codegen.sh in hack/lib
We don't want people to run codegen.sh directly, because it is meant
to be driven by hack/module.sh. To discourage this behavior, we will hide
codegen.sh away in hack/lib. I don't think this is actually what the
hack/lib directory is for, though...meh.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-18 11:06:59 -04:00
Andrew Keesler
c4ce97f1a5
Remove old hack/{update,verify}-codegen.sh scripts
We now use hack/module.sh codegen{,_verify}. See f95f585.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-18 10:56:47 -04:00
Andrew Keesler
f95f5857ef
Merge pull request #57 from suzerain-io/module-aware-codegen
`./hack/module.sh` learns `codegen` command
2020-08-18 10:11:05 -04:00
Andrew Keesler
cedd47b92e
hack/codegen.sh: fix stashing, symlinking, failure, and usage
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-18 09:50:07 -04:00
aram price
7fa8f7797a
hack/module.sh learns codegen_verify 2020-08-18 09:50:07 -04:00
aram price
a456daa0b2
./hack/module.sh learns codegen command
Runs code generation on a per-module basis. If `CONTAINED` is not set
the code generation is run in a container.

Mount point in docker is randomzied to simulate Concourse.

Introduce K8S_PKG_VERSION to make room to build different versions
eventually.
2020-08-18 09:50:07 -04:00
Ryan Richard
ecde8fa8af Implement basic liveness and readiness probes
- Call the auto-generated /healthz endpoint of our aggregated API server
- Use http for liveness even though tcp seems like it might be
  more appropriate, because tcp probes cause TLS handshake errors
  to appear in our logs every few seconds
- Use conservative timeouts and retries on the liveness probe to avoid
  having our container get restarted when it is temporarily slow due
  to running in an environment under resource pressure
- Use less conservative timeouts and retries for the readiness probe
  to remove an unhealthy pod from the service less conservatively than
  restarting the container
- Tuning the settings for retries and timeouts seem to be a mysterious
  art, so these are just a first draft
2020-08-17 16:44:42 -07:00
Ryan Richard
29654c39a5 Update a CRD validation
- Allow both http and https because a user using `kubectl proxy` would
  want to use http, since the proxy upgrades requests from http to https
2020-08-17 16:29:21 -07:00
Ryan Richard
d8d49be5d9 Make an integration test more reliable
- It would sometimes fail with this error:
  namespaces is forbidden: User "tanzu-user-authentication@groups.vmware.com"
  cannot list resource "namespaces" in API group "" at the cluster scope
- Seems like it was because the RBAC rule added by the test needs a
  moment before it starts to take effect, so change the test to retry
  the API until it succeeds or fail after 3 seconds of trying.
2020-08-17 16:28:12 -07:00
Matt Moyer
769ef71db7
Merge pull request #58 from ankeesler/api-review-updates
Update API for pre-release
2020-08-17 15:52:52 -05:00
aram price
87b9ff2131 Set MOD_DIR correctly 2020-08-14 15:58:50 -07:00
aram price
a45748f020 hack/module.sh sets MOD_DIR for module tasks
This is to allow tasks which need to be executed in a module-specific
context to detect that they are being invoked appropriately.
2020-08-14 15:08:24 -07:00
Matt Moyer
ccefc29eb0
Merge pull request #63 from mattmoyer/add-pre-commit
Add pre-commit hooks config.
2020-08-14 15:05:02 -05:00
Matt Moyer
76a44ecd58 Add some development notes to the README for now.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:49:13 -05:00
Matt Moyer
787cf47c39 Standardize whitespace/newlines for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:49 -05:00
Matt Moyer
9376f034ea Mask this testing-only private key so we don't alert on it.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:22 -05:00
Matt Moyer
1977dc2ce7 Add a .pre-commit-config.yaml file.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:41:11 -05:00
Matt Moyer
3fd4458e6a
Merge pull request #62 from suzerain-io/revert-59-pin-image-hashes
Revert "Pin images to exact hashes (Dependabot can handle this, it seems)."
2020-08-14 10:54:30 -05:00
Matt Moyer
ae0b97d807
Revert "Pin images to exact hashes (Dependabot can handle this, it seems)." 2020-08-14 10:52:29 -05:00
Matt Moyer
50e70f73ae
Merge pull request #59 from mattmoyer/pin-image-hashes
Pin images to exact hashes (Dependabot can handle this, it seems).
2020-08-14 10:33:41 -05:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00
Matt Moyer
0d034cd18e Pin images to exact hashes (Dependabot can handle this, it seems).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 10:04:43 -05:00
Andrew Keesler
dd8ce677ba
Remove LoginRequestStatus.User, for now
As discussed in API review, this field exists for convenience right
now.  Since the username/groups are encoded in the Credential sent in
the LoginRequestStatus, the client still has access to their
user/groups information. We want to remove this for now to be
conservative and limit our API surface area (smaller surface area =
less to maintain). We can always add this back in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 10:01:38 -04:00
Andrew Keesler
c6f1defa9d
LoginRequestStatus.Message should be a pointer since it is +optional
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 09:18:31 -04:00
Andrew Keesler
6e46ff345a
Run ./hack/module.sh tidy
I'm assuming if any of this is wrong, someone will yell at me...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 09:16:48 -04:00
Ryan Richard
b6c468117e Set the type on the image pull Secret
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-13 13:34:23 -07:00
Matt Moyer
1b23e31464
Merge pull request #55 from mattmoyer/switch-to-debian-base
Switch to debian base images.
2020-08-13 13:56:11 -05:00
Matt Moyer
c02b6fee8f Switch to Debian base images.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-13 13:35:42 -05:00
Ryan Richard
87eddf8bbd Add image pull secret as a data value for our ytt templates
Signed-off-by: Aram Price <pricear@vmware.com>
2020-08-12 17:02:43 -07:00
Ryan Richard
9648db0837 Update how integration tests which use LoginRequest make their clients
- When we call the LoginRequest endpoint in loginrequest_test.go,
  do it with an unauthenticated client, to make sure that endpoint works
  with unauthenticated clients.
- For tests which want to test using certs returned by LoginRequest to
  make API calls back to kube to check if those certs are working, make
  sure they start with a bare client and then add only those certs.
  Avoid accidentally picking up other kubeconfig configuration like
  tokens, etc.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 14:30:07 -07:00
Matt Moyer
ba0b997234
Merge pull request #54 from mattmoyer/add-dns-san
Make sure we have an explicit DNS SAN on our API serving certificate.
2020-08-12 12:44:43 -05:00
Matt Moyer
864db74306 Make sure we have an explicit DNS SAN on our API serving certificate.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-12 11:01:06 -05:00
aram price
e48d9faf27 Normalize ROOT naming and calculation in hack/ 2020-08-12 08:34:17 -07:00
Matt Moyer
031129778e
Merge pull request #53 from suzerain-io/dependabot/docker/golang-1.15.0-alpine
Bump golang from 1.14.7-alpine to 1.15.0-alpine
2020-08-12 10:18:26 -05:00
Andrew Keesler
ed9fdce6a8
hack/module.sh: sort modules for deterministic runs
find(1) seems to look at directory entries in the order in which they exist
in the directory fs entry. Let's sort these so that we get the same results
regardless of the order of the directory entries.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 09:36:33 -04:00
dependabot[bot]
d2f6eebc66
Bump golang from 1.14.7-alpine to 1.15.0-alpine
Bumps golang from 1.14.7-alpine to 1.15.0-alpine.

Signed-off-by: dependabot[bot] <support@github.com>
2020-08-12 05:50:33 +00:00
Ryan Richard
4cb0fd3949 Use a DaemonSet instead of a Deployment to deploy our app
- For high availability reasons, we would like our app to scale linearly
  with the size of the control plane. Using a DaemonSet allows us to run
  one pod on each node-role.kubernetes.io/master node.
- The hope is that the Service that we create should load balance
  between these pods appropriately.
2020-08-11 17:55:34 -07:00
Ryan Richard
e0f0eca512 Add another assertion to certs_manager_test.go 2020-08-11 17:33:06 -07:00
Ryan Richard
bfabcdcdd1 Add unittest_no_race option to module.sh
- Because the race detector is slow when running on a laptop and
  sometimes you want quick feedback
2020-08-11 17:28:00 -07:00
Andrew Keesler
224b59e740
test/integration: bump (another) cert expiration delta to help flake
Related: 553b519.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 17:22:25 -04:00