djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
694 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

694 Commits

Author SHA1 Message Date
Matt Moyer 8772a00824
Merge pull request #167 from mattmoyer/fix-accidental-timeout-regression 
Fix a timeout in TestCLILoginOIDC that was accidentally shortened.
 2020-10-22 12:24:49 -05:00
Matt Moyer ce598eb58e
Fix a timeout in TestCLILoginOIDC that was accidentally shortened in 0adbb5234e. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-22 11:49:04 -05:00
Matt Moyer 4b24e9c625
Merge pull request #166 from mattmoyer/add-cli-test-debug-output 
Add some verbose logging to TestCLILoginOIDC.
 2020-10-22 11:17:18 -05:00
Matt Moyer fe3b44b134
Add some verbose logging to TestCLILoginOIDC. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-22 10:33:37 -05:00
Ryan Richard 122f7cffdb Make the supervisor healthz endpoint public 
Based on our experiences today with GKE, it will be easier for our users
to configure Ingress health checks if the healthz endpoint is available
on the same public port as the OIDC endpoints.

Also add an integration test for the healthz endpoint now that it is
public.

Also add the optional `containers[].ports.containerPort` to the
supervisor Deployment because the GKE docs say that GKE will look
at that field while inferring how to invoke the health endpoint. See
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc
 2020-10-21 15:24:58 -07:00
Matt Moyer 5dbc03efe9
Merge pull request #165 from mattmoyer/cli-session-cache 
Add basic file-based session cache for CLI OIDC client.
 2020-10-21 16:30:03 -05:00
Matt Moyer 0adbb5234e
Extend TestCLILoginOIDC to test ID token caching behavior. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-21 15:02:42 -05:00
Matt Moyer e919ef6582
Add a file-based session cache. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-21 14:28:05 -05:00
Andrew Keesler fa5f653de6 Implement readinessProbe and livenessProbe for supervisor 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-21 11:51:31 -07:00
Matt Moyer e8113e3770
Add basic caching framework to ./internal/oidclient package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-21 13:14:16 -05:00
Matt Moyer 7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient. 2020-10-21 13:07:21 -05:00
Matt Moyer 4ef41f969d
Add a util helper for marking a CLI flag as hidden. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-21 13:07:21 -05:00
Andrew Keesler 3e39800005
Merge pull request #164 from vmware-tanzu/virtual-hosts 
Virtual hosts integration test
 2020-10-21 09:16:59 -04:00
Ryan Richard 52ebd77527 Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests 
- Not used by any of our integration test clusters yet
- Planning to use it later for the kind clusters and maybe for
  the acceptance clusters too (although the acceptance clusters might
  not need to use self-signed certs so maybe not)
 2020-10-20 16:46:33 -07:00
Ryan Richard ec21fc8595 Also delete the final OIDCProviderConfig made by an integration test 
- It didn't matter before because it would be cleaned up by a
  t.Cleanup() function, but now that we might loop twice it will matter
  during the second time through the loop
 2020-10-20 15:59:25 -07:00
Ryan Richard 276dff5772 Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS 
- We plan to use this on acceptance clusters
- We also plan to use this for a future story in the kind-based tests,
  but not yet
 2020-10-20 15:57:10 -07:00
Ryan Richard 90235418b9 Add a test for when issuer hostname and supervisor public address differ 2020-10-20 15:22:03 -07:00
Ryan Richard 9ba93d66c3
test/integration: prefactoring for testing virtual hosts 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-20 17:00:36 -04:00
Ryan Richard aff85acf37
Merge pull request #163 from vmware-tanzu/discovery_jwks 
Implement per-issuer OIDC JWKS endpoint
 2020-10-19 13:00:49 -07:00
Ryan Richard 4da64f38b5 Integration test for per-issuer OIDC JWKS endpoints 2020-10-19 12:21:18 -07:00
Ryan Richard d9d76726c2 Implement per-issuer OIDC JWKS endpoint 2020-10-16 17:51:40 -07:00
Ryan Richard 08659a6583
Merge pull request #158 from vmware-tanzu/label_every_resource 
Custom labels can to be applied to all k8s resources created by Pinniped
 2020-10-15 14:02:29 -07:00
Andrew Keesler e2630be00a Update feature proposal template to work for users and contributors 2020-10-15 17:01:24 -04:00
Andrew Keesler 8fe031e73d Do not copy pkg directory in Dockerfile 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-15 13:31:16 -07:00
Andrew Keesler 617c5608ca Supervisor controllers apply custom labels to JWKS secrets 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-15 12:40:56 -07:00
Andrew Keesler dda3c21a8e
Add missing parenthesis to bug report template 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 14:07:43 -04:00
Ryan Richard f8e461dfc3 Merge branch 'main' into label_every_resource 2020-10-15 10:19:03 -07:00
Ryan Richard 94f20e57b1 Concierge controllers add labels to all created resources 2020-10-15 10:14:23 -07:00
Andrew Keesler 943286bbc6
Merge pull request #157 from ankeesler/generate-jwk-key 
Pinniped federation server generates and persists a JWT signing key
 2020-10-15 11:55:22 -04:00
Andrew Keesler e05213f9dd
supervisor-generate-key: use EC keys intead of RSA 
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 11:33:08 -04:00
Andrew Keesler 5a0dab768f
test/integration: remove unused function (see 31225ac7a) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 09:26:15 -04:00
Andrew Keesler fbcce700dc
Fix whitespace/spelling nits in JWKS controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 09:22:17 -04:00
Andrew Keesler a5abe9ca3e
hack/lib/tilt: fix deployment change leftover from c030551a 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 09:20:09 -04:00
Andrew Keesler 1b99983441
apis: fix indentation in Go type 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 09:19:00 -04:00
Andrew Keesler 31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 09:09:49 -04:00
Andrew Keesler f21122a309
Merge remote-tracking branch 'upstream/main' into generate-jwk-key 2020-10-15 07:51:15 -04:00
Andrew Keesler aef25163e2
Get rid of an extra dependency from c030551 
I brought this over because I copied code from work in flight on
another branch. But now the other branch doesn't use this package.
No use bringing on another dependency if we can avoid it.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-15 07:51:07 -04:00
Andrew Keesler 87c7e9a556
hack/prepare-for-integration-tests.sh: default COLORTERM for when not set 
Signed-off-by: Andrew Keesler <ankeesler1@gmail.com>
 2020-10-14 20:18:10 -04:00
Ryan Richard c05bdb58ac Merge branch 'main' into label_every_resource 2020-10-14 16:24:51 -07:00
Ryan Richard 84a0084703 Tilefile watches for changes in ytt templates 
- When using `local()` in the Tiltfile it will not know
  to watch those files for changes, so each time we use
  `local()` we now also use `watch_file()`
- As a result, editing a ytt template file now causes
  an immediate `kubectl apply` of the results
 2020-10-14 16:21:40 -07:00
Ryan Richard 1301018655 Support installing concierge and supervisor into existing namespace 
- New optional ytt value called `into_namespace` means install into that
  preexisting namespace rather than creating a new namespace for each app
- Also ensure that every resource that is created statically by our yaml
  at install-time by either app is labeled consistently
- Also support adding custom labels to all of those resources from a
  new ytt value called `custom_labels`
 2020-10-14 15:05:42 -07:00
Andrew Keesler 76e89b523b
Merge remote-tracking branch 'upstream/main' into generate-jwk-key 2020-10-14 17:40:17 -04:00
Andrew Keesler c030551af0
supervisor-generate-key: unit and integration tests 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-14 16:41:16 -04:00
Matt Moyer cd970616da
Merge pull request #149 from mattmoyer/oidc-cli-part-2 
Finish initial OIDC CLI client implementation.
 2020-10-14 13:40:12 -05:00
Matt Moyer 68d20298f2
Fix chromedriver usage inside our test container. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-14 13:18:11 -05:00
Matt Moyer 19a1d569c9
Restructure this test to avoid data races. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-14 12:28:08 -05:00
Ryan Richard a197a26335
Change community meeting time 
And some other general cleanup
 2020-10-14 09:54:09 -07:00
Andrew Keesler 6aed025c79
supervisor-generate-key: initial spike 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-14 09:47:34 -04:00
Andrew Keesler aa705afc72
hack/tilt-up.sh: let folks specify tilt flags 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-14 09:22:21 -04:00
Andrew Keesler 3d5937a8e8
deploy/supervisor: type: eaxmple -> example 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-14 09:22:15 -04:00