Commit Graph

3468 Commits

Author SHA1 Message Date
Ryan Richard
84cc42b2ca Remove tls field from the impersonator config
- Decided that we're not going to implement this now, although
  we may decide to add it in the future
2021-03-02 15:28:13 -08:00
Margo Crawford
4c68050706 Allow all headers besides impersonation-* through impersonation proxy 2021-03-02 15:01:13 -08:00
Matt Moyer
aa826a1579
Merge pull request #472 from mattmoyer/deflake-getpinnipedcategory-test
Make TestGetPinnipedCategory and TestKubeClientOwnerRef tests more resilient.
2021-03-02 16:42:23 -06:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Matt Moyer
df27c2e1fc
Use randomly generated API groups in TestKubeClientOwnerRef.
I think this is another aspect of the test flakes we're trying to fix. This matters especially for the "Multiple Pinnipeds" test environment where two copies of the test suite are running concurrently.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:48:13 -06:00
Matt Moyer
45f57939af
Make TestGetPinnipedCategory more resilient.
If the test is run immediately after the Concierge is installed, the API server can still have broken discovery data and return an error on the first call.
This commit adds a retry loop to attempt this first kubectl command for up to 60s before declaring failure.
The subsequent tests should be covered by this as well since they are not run in parallel.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 15:40:17 -06:00
Matt Moyer
30f5f66090
Merge pull request #471 from vmware-tanzu/change-credentialissuer-strategies-api
Deprecate status.kubeConfigInfo field in CredentialIssuer and move this data into strategies field.
2021-03-02 15:39:41 -06:00
Matt Moyer
2a29303e3f
Fix label handling in kubecertagent controllers.
These controllers were a bit inconsistent. There were cases where the controllers ran out of the expected order and the custom labels might not have been applied.

We should still plan to remove this label handling or move responsibility into the middleware layer, but this avoids any regression.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:59:46 -06:00
Matt Moyer
643c60fd7a
Drop NewKubeConfigInfoPublisherController, start populating strategy frontend from kubecertagent execer controller.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Matt Moyer
7174f857d8
Add generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Matt Moyer
0be2c0d40f
Add CredentialIssuer "status.strategies[].frontend" field.
This field is a new tagged-union style field that describes how clients can connect using each successful strategy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 13:09:25 -06:00
Ryan Richard
a75c2194bc Read the names of the impersonation-related resources from the config
They were previously temporarily hardcoded. Now they are set at deploy
time via the static ConfigMap in deployment.yaml
2021-03-02 09:31:24 -08:00
Ryan Richard
41140766f0 Add integration test which demonstrates double impersonation
We don't support using the impersonate headers through the impersonation
proxy yet, so this integration test is a negative test which asserts
that we get an error.
2021-03-01 17:53:26 -08:00
Ryan Richard
045c427317 Merge branch 'main' into impersonation-proxy 2021-03-01 17:03:56 -08:00
Ryan Richard
ac404af48f Add .DS_Store files to .gitignore 2021-03-01 17:03:05 -08:00
Ryan Richard
a2ecd05240 Impersonator config controller writes CA cert & key to different Secret
- The CA cert will end up in the end user's kubeconfig on their client
  machine, so if it changes they would need to fetch the new one and
  update their kubeconfig. Therefore, we should avoid changing it as
  much as possible.
- Now the controller writes the CA to a different Secret. It writes both
  the cert and the key so it can reuse them to create more TLS
  certificates in the future.
- For now, it only needs to make more TLS certificates if the old
  TLS cert Secret gets deleted or updated to be invalid. This allows
  for manual rotation of the TLS certs by simply deleting the Secret.
  In the future, we may want to implement some kind of auto rotation.
- For now, rotation of both the CA and TLS certs will also happen if
  you manually delete the CA Secret. However, this would cause the end
  users to immediately need to get the new CA into their kubeconfig,
  so this is not as elegant as a normal rotation flow where you would
  have a window of time where you have more than one CA.
2021-03-01 17:02:08 -08:00
Matt Moyer
a778a5ef81
Merge pull request #469 from mattmoyer/split-out-credentialissuer-status-helpers
Factor out issuerconfig.UpdateStrategy helper.
2021-03-01 18:14:16 -06:00
Matt Moyer
c94ee7188c
Factor out issuerconfig.UpdateStrategy helper.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 16:21:10 -06:00
Matt Moyer
7ef6a02d0a
Merge pull request #466 from mattmoyer/bump-dependencies
Upgrade Go and Go library dependencies.
2021-03-01 14:16:58 -06:00
Matt Moyer
c832cab8d0
Update internal/oidc/token_exchange.go for latest Fosite version.
The `fosite.TokenEndpointHandler` changed and now requires some additional methods.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 13:08:41 -06:00
Matt Moyer
234465789b
Regenerate gomock mocks with v1.5.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 11:44:27 -06:00
dependabot[bot]
da6d69d807
Bump github.com/golang/mock from 1.4.4 to 1.5.0
Bumps [github.com/golang/mock](https://github.com/golang/mock) from 1.4.4 to 1.5.0.
- [Release notes](https://github.com/golang/mock/releases)
- [Changelog](https://github.com/golang/mock/blob/master/.goreleaser.yml)
- [Commits](https://github.com/golang/mock/compare/v1.4.4...v1.5.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
dependabot[bot]
04ef7c5456
Bump github.com/ory/fosite from 0.36.0 to 0.38.0
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.36.0 to 0.38.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.36.0...v0.38.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
dependabot[bot]
f05c3092b5
Bump github.com/go-openapi/spec from 0.19.9 to 0.20.3
Bumps [github.com/go-openapi/spec](https://github.com/go-openapi/spec) from 0.19.9 to 0.20.3.
- [Release notes](https://github.com/go-openapi/spec/releases)
- [Commits](https://github.com/go-openapi/spec/compare/v0.19.9...v0.20.3)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
dependabot[bot]
2637dc00da
Bump golang from 1.15.8 to 1.16.0
Bumps golang from 1.15.8 to 1.16.0.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-01 11:44:26 -06:00
Matt Moyer
e8365d2c57
Merge pull request #467 from mattmoyer/fix-docs-title
Fix missing titles on website docs.
2021-03-01 11:35:56 -06:00
Matt Moyer
dd151b3f50
Fix missing titles on website docs.
Also fixes our sitemap to have correct `lastmod` times when built locally (it was already correct on Netlify).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 11:31:27 -06:00
Ryan Richard
f1eeae8c71 Parse out ports from impersonation proxy endpoint config
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 15:01:38 -08:00
Ryan Richard
41e4a74b57 impersonator_config_test.go: more small refactoring of test helpers 2021-02-26 13:53:30 -08:00
Margo Crawford
fa49beb623 Change length of TLS certs and CA.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 12:05:17 -08:00
Margo Crawford
9bd206cedb impersonator_config_test.go: small refactor of test helpers
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-26 11:27:19 -08:00
Ryan Richard
5b01e4be2d impersonator_config.go: handle more error cases
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-26 10:58:56 -08:00
Ryan Richard
bbbb40994d Prefer hostnames over IPs when making certs to match load balancer ingress
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 17:03:34 -08:00
Margo Crawford
f709da5569 Updated test assertions for new logger version
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:18:36 -08:00
Margo Crawford
ccb17843c1 Fix some lint errors that resulted from merging main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:06:24 -08:00
Ryan Richard
f8111db5ff Merge branch 'main' into impersonation-proxy 2021-02-25 14:50:40 -08:00
Ryan Richard
3fcde8088c concierge_impersonation_proxy_test.go: Make it work on more clusters
Should work on cluster which have:
- load balancers not supported, has squid proxy (e.g. kind)
- load balancers supported, has squid proxy (e.g. EKS)
- load balancers supported, no squid proxy (e.g. GKE)

When testing with a load balancer, call the impersonation proxy through
the load balancer.

Also, added a new library.RequireNeverWithoutError() helper.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 14:40:18 -08:00
Matt Moyer
f937ae2c07
Add --concierge-credential-issuer flag to "pinniped get kubeconfig" command.
This flag selects a CredentialIssuer to use when detecting what mode the Concierge is in on a cluster. If not specified, the command will look for a single CredentialIssuer. If there are multiple, then the flag is required.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Matt Moyer
1c7c22352f
Switch "get kubeconfig" flags to use --concierge-mode flag instead of boolean flag.
This is the same as the previous change to the login commands.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Ryan Richard
0cae72b391 Get hostname from load balancer ingress to use for impersonator certs
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-25 11:40:14 -08:00
Margo Crawford
9a8c80f20a Impersonator checks cert addresses when endpoint config is a hostname
Also update concierge_impersonation_proxy_test.go integration test
to use real TLS when calling the impersonator.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 10:27:19 -08:00
Matt Moyer
a42e3708aa
Merge pull request #453 from mattmoyer/bump-dependencies
Bump a bunch of minor dependencies.
2021-02-25 09:33:53 -06:00
Matt Moyer
c8fc8a0b65
Reformat some log-based test assertions.
These are prone to breaking when stdr is upgraded because they rely on the exact ordering of keys in the log message. If we have more problems we can rewrite the assertions to be more robust, but for this time I'm just fixing them to match the new output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 08:11:37 -06:00
Margo Crawford
8fc68a4b21 WIP improved cert management in impersonator config
- Allows Endpoint to be a hostname, not just an IP address

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 17:08:58 -08:00
Margo Crawford
975d493b8a Fix some small lint errors
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 16:09:15 -08:00
Ryan Richard
aee7a7a72b More WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 16:03:26 -08:00
Matt Moyer
a31c24e5a0
Bump a bunch of minor dependencies.
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.6.1 to 1.7.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.6.1...v1.7.0)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Commits](https://github.com/go-logr/logr/compare/v0.3.0...v0.4.0)

Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.4.0...v2.5.0)

Bumps [github.com/go-logr/stdr](https://github.com/go-logr/stdr) from 0.2.0 to 0.4.0.
- [Release notes](https://github.com/go-logr/stdr/releases)
- [Commits](https://github.com/go-logr/stdr/compare/v0.2.0...v0.4.0)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.1.1 to 1.1.3.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.1.1...v1.1.3)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 17:37:29 -06:00
Matt Moyer
943b0ff6ec
Switch login flags to use --concierge-mode flag instead of boolean flag.
The login commands now expect either `--concierge-mode ImpersonationProxy` or `--concierge-mode TokenCredentialRequestAPI` (the default).

This is partly a style choice, but I also think it helps in case we need to add a third major mode of operation at some point.

I also cleaned up some other minor style items in the help text.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 17:09:08 -06:00
Ryan Richard
d42c533fbb WIP managing TLS secrets from the impersonation config controller
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-24 10:57:36 -08:00
Matt Moyer
4dbde4cf7f
Fix TestImpersonationProxy on Kubernetes 1.20 with RootCAConfigMap.
There is a new feature in 1.20 that creates a ConfigMap by default in each namespace: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md#introducing-rootcaconfigmap

This broke this test because it assumed that all the ConfigMaps in the ephemeral test namespace were those created by the test code. The fix is to add a test label and rewrite our assertions to filter with it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 12:08:41 -06:00