djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,235 Commits 30 Branches 34 Tags 22 MiB
a0546942b8
Commit Graph

297 Commits

Author SHA1 Message Date
Andrew Keesler
a0546942b8
test/integration: skip part of test to avoid Kube 1.20 GC bug 
See comment.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
 2021-01-14 10:19:26 -05:00
Monis Khan
3c3da9e75d
Wire in new env vars for user info testing 
Signed-off-by: Monis Khan <mok@vmware.com>
 2021-01-12 11:23:25 -05:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Monis Khan
bba0f3a230
Always set an owner ref back to our deployment 
This change updates our clients to always set an owner ref when:

1. The operation is a create
2. The object does not already have an owner ref set

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-01-07 15:25:40 -05:00
Andrew Keesler
3d8616e75f
test/integration: fix intermittent failures on GKE 
See comment. This is at least a first step to make our GKE acceptance
environment greener. Previously, this test assumed that the Pinniped-under-test
had been deployed in (roughly) the last 10 minutes, which is not an assumption
that we make anywhere else in the integration test suite.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2021-01-06 12:09:11 -05:00
aram price
cc5af1a810 Fix lint error 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-18 15:28:56 -08:00
Ryan Richard
2f518b8b7c TLSCertObserverController Syncs less often by adjusting its filters 
- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-18 15:10:48 -08:00
Ryan Richard
1056cef384 Sync garbage collector controller less often by adjusting its filters 
- Only sync on add/update of secrets in the same namespace which
  have the "storage.pinniped.dev/garbage-collect-after" annotation, and
  also during a full resync of the informer whenever secrets in the
  same namespace with that annotation exist.
- Ignore deleted secrets to avoid having this controller trigger itself
  unnecessarily when it deletes a secret. This controller is never
  interested in deleted secrets, since its only job is to delete
  existing secrets.
- No change to the self-imposed rate limit logic. That still applies
  because secrets with this annotation will be created and updated
  regularly while the system is running (not just during rare system
  configuration steps).
 2020-12-18 09:36:28 -08:00
Ryan Richard
3a4405659e
Merge branch 'main' into typed-secrets 2020-12-17 17:42:04 -08:00
aram price
187bd9060c All FederationDomain Secrets have distinct Types 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-17 17:07:38 -08:00
Matt Moyer
e0b94f4780
Move our main image references to the VMware Harbor registry. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 17:51:09 -06:00
aram price
587cced768 Add extra type info where SecretType is used 2020-12-17 15:43:20 -08:00
Ryan Richard
50964c6677 Supervisor CSRF Secret has unique Type 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-17 15:30:26 -08:00
Ryan Richard
b27e3e1a89 Put a Type on the Secrets that we create for FederationDomain JWKS 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-17 14:48:49 -08:00
Aram Price
55483b726b More "op" and "opc" local variable renames 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-17 13:49:53 -08:00
Ryan Richard
65e7df1417
Merge branch 'main' into more-opc-rename 2020-12-17 12:10:19 -08:00
Ryan Richard
b96d49df0f Rename all "op" and "opc" usages 
Signed-off-by: Aram Price <pricear@vmware.com>
 2020-12-17 11:34:49 -08:00
Matt Moyer
41832369fd
Upgrade the Dex we use for local testing to v2.27.0. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-17 12:04:09 -06:00
Ryan Richard
4c6e1e5fb3 supervisor_login_test.go: wait for the /jwks.json endpoint to be ready 
- Also fail in a more obvious way if the token exchanged failed by
  adding an assertion about its status code
 2020-12-16 17:59:39 -08:00
Ryan Richard
b2b906f4fe supervisor_discovery_test.go: make test timeouts longer to avoid flakes 2020-12-16 15:13:02 -08:00
Margo Crawford
196e43aa48 Rename off of main 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation 
Generate secrets for Pinniped Supervisor
 2020-12-16 15:22:23 -06:00
Matt Moyer
7bb0d649c0
Merge pull request #290 from mattmoyer/rename-token-exchange-scope 
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
 2020-12-16 15:22:05 -06:00
Matt Moyer
111f6513ac
Upgrade base images to Debian 10.7-slim. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 15:16:31 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience". 
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 14:24:13 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint. 
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-16 12:41:06 -06:00
Ryan Richard
dcb19150fc Nest claim configs one level deeper in JWTAuthenticatorSpec 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-16 09:42:19 -08:00
Andrew Keesler
fec80113c7
Revert "Retry a couple of times if we fail to get a token from the Supervisor" 
This reverts commit be4e34d0c0.

Roll back this change that was supposed to make the test more robust. If we
retry multiple token exchanges with the same auth code, of course we are going
to get failures on the second try onwards because the auth code was invalidated
on the first try.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-16 09:04:29 -05:00
Andrew Keesler
5bdbfe1bc6
test/integration: more verbosity to try to track down flakes... 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-16 09:04:25 -05:00
aram price
78df80f128 Tests ensure OIDCProvider secrets exist 
... whenever one is successfully created.
 2020-12-15 18:26:27 -08:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Ryan Richard
91af51d38e Fix integration tests to work with the username and sub claims 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-15 17:16:08 -08:00
Andrew Keesler
0758ecfea8 Tests wait for OIDCProvider secrets to be set 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-15 15:46:55 -08:00
Aram Price
0bd428e45d
test/integration: more logging to track down flakes 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 16:52:57 -05:00
Andrew Keesler
056afc17bd
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 15:55:46 -05:00
Matt Moyer
0b38d6c763
Add TestE2EFullIntegration test which combines supervisor, concierge, and CLI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer
ff49647de4
Add some missing test logs in test/library/client.go. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer
e0eba9d5a6
Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer
5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer
aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer
8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching. 
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer
70fd330178
Add library.CreateTestClusterRoleBinding test helper. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer
ad5e257600
Add a library.RandHex() test helper. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer
4088793cc5
Add a .ProxyEnv() helper on the test environment. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:04 -06:00
Matt Moyer
b6edc3dc08
Replace TestCLIGetKubeconfig with TestCLIGetKubeconfigStaticToken. 
It now tests both the deprecated `pinniped get-kubeconfig` and the new `pinniped get kubeconfig --static-token` flows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer
fe4e2d620d
Update TestCLIGetKubeconfig to ignore stderr output from get-kubeconfig. 
This will now have a deprecation warning, so we can't treat is as part of the YAML output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer
f9691208d5
Add library.NewRestConfigFromKubeconfig() test helper. 
This is extracted from library.NewClientsetForKubeConfig(). It is useful so you can assert properties of the loaded, parsed kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00