Commit Graph

1781 Commits

Author SHA1 Message Date
Mo Khan
9e4f601a3f
Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
2021-04-29 07:47:06 -04:00
Monis Khan
bb7e7fe81e
webhookcachefiller: be stricter about CA bundle validation
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 05:49:06 -04:00
Ryan Richard
67a568811a Make prepare-for-integration-tests.sh work on linux too
- The linux base64 command is different, so avoid using it at all.
  On linux the default is to split the output into multiple lines,
  which messes up the integration-test-env file. The flag used to
  disable this behavior on linux ("-w0") does not exist on MacOS's
  base64.
- On debian linux, the latest version of Docker from apt-get still
  requires DOCKER_BUILDKIT=1 or else it barfs.
2021-04-27 10:10:02 -07:00
Matt Moyer
620a4d55b7
Merge pull request #584 from mattmoyer/fix-broken-readme-link
Fix a broken docs link in our README.
2021-04-26 13:23:35 -07:00
Matt Moyer
a52872cd03
Fix a broken docs link in our README.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 13:48:17 -06:00
Matt Moyer
0dfb3e95c5
Merge pull request #569 from mattmoyer/use-deployment-for-kube-cert-agent
Refactor kube-cert-agent controllers to use a Deployment.
2021-04-26 09:25:37 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
54a8297cc4
Add generated mocks for kubecertagent.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.

This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
cc51c72c12
Merge pull request #576 from ankeesler/prepare-webhook-script
hack: add prepare-webhook-on-kind.sh
2021-04-22 14:07:38 -07:00
Matt Moyer
0ab9927115
Merge branch 'main' into prepare-webhook-script 2021-04-22 13:05:55 -07:00
Matt Moyer
204c8e8dbc
Merge pull request #578 from mattmoyer/remove-unneeded-test-sleep
Remove unneeded sleeps in TestE2EFullIntegration and jwtcachefiller tests.
2021-04-22 12:59:40 -07:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Andrew Keesler
81a4c84f46
Merge pull request #579 from ankeesler/log-level
internal/kubeclient: match plog level with klog level
2021-04-21 17:37:41 -04:00
Andrew Keesler
9f509d3f13
internal/kubeclient: match plog level with klog level
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-21 16:25:08 -04:00
Mo Khan
d76ac56df2
Merge pull request #573 from enj/enj/f/nested_impersonation
impersonation proxy: add nested impersonation support
2021-04-19 17:46:10 -04:00
Andrew Keesler
d86b24ca2f
hack: add prepare-webhook-on-kind.sh
Inspired from 7bb5657c4d. I used this to help accept 2 stories today.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-19 16:10:20 -04:00
Monis Khan
73716f1b91
Ignore client-side throttling in kubectl stderr
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:47 -04:00
Monis Khan
521adffb17
impersonation proxy: add nested impersonation support
This change updates the impersonator logic to use the delegated
authorizer for all non-rest verbs such as impersonate.  This allows
it to correctly perform authorization checks for incoming requests
that set impersonation headers while not performing unnecessary
checks that are already handled by KAS.

The audit layer is enabled to track the original user who made the
request.  This information is then included in a reserved extra
field original-user-info.impersonation-proxy.concierge.pinniped.dev
as a JSON blob.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:46 -04:00
Ryan Richard
70d607d87e prepare-supervisor-on-kind.sh was accidentally double base64 encoding
$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE was recently
changed to be a base64 encoded value, so this script does not need to
base64 encode the value itself anymore.
2021-04-16 18:32:30 -07:00
Matt Moyer
9dfa1f5ee5
Update ROADMAP.md
Update ROADMAP.md with Pablo.
2021-04-15 13:43:01 -05:00
Ryan Richard
f63ded99bc Add a flag for skipping chromedriver version check to hack script 2021-04-15 10:27:00 -07:00
Andrew Keesler
e7b7b597ff
Merge pull request #570 from vmware-tanzu/add-ok-amba-to-adopters
Add OK a.m.b.a. to adopters.md file
2021-04-15 09:22:16 -04:00
Andrew Keesler
e5da119000
Merge branch 'main' into add-ok-amba-to-adopters 2021-04-15 08:56:02 -04:00
Ryan Richard
923938ab26 Avoid multi-line integration test env vars
Avoid them because they can't be used in GoLand for running integration
tests in the UI, like running in the debugger.

Also adds optional PINNIPED_TEST_TOOLS_NAMESPACE because we need it
on the LDAP feature branch where we are developing the upcoming LDAP
support for the Supervisor.
2021-04-14 17:26:12 -07:00
Nanci Lancaster
352d4dc5b1
Add OK a.m.b.a. to adopters.md file
Adding just logo for now. Use case will come at a later time.
2021-04-14 18:38:11 -05:00
Matt Moyer
dab7b57da0
Merge pull request #556 from microwavables/add-search-function-to-docs
added search functionality to docs on Pinniped.dev
2021-04-09 12:42:27 -07:00
Matt Moyer
12d35583c5
Merge pull request #566 from mattmoyer/upgrade-kubernetes-1.21
Upgrade to client-go and apimachinery from Kubernetes 1.21.0.
2021-04-09 11:27:09 -07:00
Matt Moyer
599c537d24
Remove metav1.ExportOptions from scheme tests.
This type was removed in Kubernetes v1.21.0 (see https://github.com/kubernetes/kubernetes/pull/98312).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 13:00:50 -05:00
Matt Moyer
38f3ea3f2f
Upgrade to client-go and apimachinery from Kubernetes 1.21.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 13:00:49 -05:00
Matt Moyer
e450a348c5
Merge pull request #565 from mattmoyer/cleanup-test-file
Remove proxy-kubeconfig.yaml.
2021-04-09 09:59:56 -07:00
Matt Moyer
11d820be06
Remove proxy-kubeconfig.yaml.
I don't believe this is used by any tests or docs. I think it was for some initial local testing of the impersonation proxy?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 11:33:50 -05:00
Matt Moyer
63816aa3ba
Disable Content-Security-Policy for now.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-09 10:58:39 -05:00
Nanci Lancaster
e5314164c5
added search functionality to docs on Pinniped.dev
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-04-09 10:58:39 -05:00
Matt Moyer
abf606ab72
Merge pull request #563 from mattmoyer/cli-caching-enhancements
CLI cluster-specific credentials enhancements (followup to #562)
2021-04-08 16:48:48 -07:00
Matt Moyer
b59a4f3fec
Use a temporary directory for credential cache in CLI tests.
This avoids polluting the main cache directory on developer machines.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 18:14:21 -05:00
Matt Moyer
3b461572ea
Add cluster info to cache key for cluster-specific credential cache.
This isn't strictly necessary because we currently always have the concierge endpoint and CA as CLI flags, but it doesn't hurt and it's better to err on the side of _not_ reusing a cache entry.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 17:12:59 -05:00
Matt Moyer
271c006b6c
Add --credential-cache flag to "pinniped get kubeconfig" and tweak usage messages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 16:57:18 -05:00
Matt Moyer
043cefcd9f
Merge pull request #562 from mattmoyer/add-cluster-credential-caching
Add cluster-specific credential caching to login subcommands.
2021-04-08 12:59:23 -07:00
Matt Moyer
2296faaeef
Add CLI caching of cluster-specific credentials.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 14:12:34 -05:00
Matt Moyer
fec24d307e
Fix missing normalization in pkg/oidcclient/filesession.
We have some nice normalization code in this package to remove expired or otherwise malformed cache entries, but we weren't calling it in the appropriate place.

Added calls to normalize the cache data structure before and after each transaction, and added test cases to ensure that it's being called.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 14:12:34 -05:00
Margo Crawford
64b13043ed
Merge pull request #561 from vmware-tanzu/Adding-OK-amba-to-adopters-file
Added Ok amba logo for adopters file
2021-04-08 11:51:40 -07:00
Nanci Lancaster
5501b5aa13
Added Ok amba logo for adopters file 2021-04-08 11:48:06 -05:00
Ryan Richard
9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
9cd2b6e855
Merge pull request #552 from mattmoyer/nicer-generated-kubeconfig-names
Generate more helpful context/cluster/user names in `pinniped get kubeconfig`
2021-04-05 11:35:07 -07:00
Matt Moyer
4e25bcd4b2
Generate more helpful context/cluster/user names in pinniped get kubeconfig
Before this change, the "context", "cluster", and "user" fields in generated kubeconfig YAML were always hardcoded to "pinniped". This could be confusing if you generated many kubeconfigs for different clusters.

After this change, the fields will be copied from their names in the original kubeconfig, suffixed with "-pinniped". This suffix can be overridden by setting the new `--generated-name-suffix` CLI flag.

The goal of this change is that you can distinguish between kubeconfigs generated for different clusters, as well as being able to distinguish between the Pinniped and original (admin) kubeconfigs for a cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 12:36:02 -05:00
Matt Moyer
5add31d263
Merge pull request #545 from vmware-tanzu/dependabot/docker/golang-1.16.3
Bump golang from 1.16.2 to 1.16.3
2021-04-05 08:58:23 -07:00
Matt Moyer
88c4335b4b
Display blog posts in reverse order by date.
This is a minor style tweak.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:54:00 -05:00
Matt Moyer
623830bf1f
Fix a typo on the timezones on the website.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:50:10 -05:00