Matt Moyer
f2db76a0d5
Fix typo in multiple-pinnipeds post.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Matt Moyer
3721632de2
Move scope doc out of website to SCOPE.md.
...
This is contributor-focused, so we decided to move it into GitHub only for now.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Matt Moyer
4de949fe18
Rework docs sidebar to have some nesting.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-23 11:11:07 -06:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Mo Khan
e74dd47b1d
Merge pull request #439 from enj/enj/f/whoami_api
...
Add WhoAmIRequest Aggregated Virtual REST API
2021-02-23 10:40:38 -05:00
Monis Khan
6a9f57f83d
TestWhoAmI: support older clusters (CSR and impersonation)
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-23 10:15:17 -05:00
Ryan Richard
80ff5c1f17
Fix bug which prevented watches from working through impersonator
...
Also:
- Changed base64 encoding of impersonator bearer tokens to use
`base64.StdEncoding` to make it easier for users to manually
create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
aa22047a0f
Generated
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:42 -05:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
...
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as. This
has general utility to end users and can be used in tests to
validate if authentication was successful.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Monis Khan
62630d6449
getAggregatedAPIServerScheme: move group version logic internally
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 11:10:54 -05:00
Mo Khan
f228f022f5
Merge pull request #435 from enj/enj/c/bump_v0.20.4
...
Bump Kube deps to v0.20.4
2021-02-19 10:59:40 -05:00
Monis Khan
1c1decfaf1
Generated
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 10:33:10 -05:00
Monis Khan
7786c83b0d
Bump kube deps to v0.20.4
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 10:26:53 -05:00
Mo Khan
41b75e6977
Merge pull request #431 from enj/enj-patch-1
...
concierge API service: update groupPriorityMinimum and versionPriority
2021-02-19 08:48:06 -05:00
Mo Khan
a54e1145a5
concierge API service: update groupPriorityMinimum and versionPriority
...
Copy over values that I have seen used in the past.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 07:47:38 -05:00
Ryan Richard
b8592a361c
Add some comments to concierge_impersonation_proxy_test.go
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 16:27:03 -08:00
Margo Crawford
19881e4d7f
Increase how long we wait for loadbalancers to be deleted for int test
...
Also add some log messages which might help us debug issues like this
in the future.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 15:58:27 -08:00
Ryan Richard
126f9c0da3
certs_manager.go: Rename some local variables
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 11:16:34 -08:00
Margo Crawford
7a140bf63c
concierge_impersonation_proxy_test.go: add an eventually loop
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 11:08:13 -08:00
Ryan Richard
f5fedbb6b2
Add Service resource "delete" permission to Concierge RBAC
...
- Because the impersonation proxy config controller needs to be able
to delete the load balancer which it created
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 11:00:22 -08:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Andrew Keesler
b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 10:13:24 -05:00
Margo Crawford
22a3e73bac
impersonator_config_test.go: use require.Len() when applicable
...
Also fix a lint error in concierge_impersonation_proxy_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:29:56 -08:00
Margo Crawford
0ad91c43f7
ImpersonationConfigController uses servicesinformer
...
This is a more reliable way to determine whether the load balancer
is already running.
Also added more unit tests for the load balancer.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:22:13 -08:00
Matt Moyer
2b208807a6
Merge pull request #426 from mattmoyer/website-accessibility-tweaks
...
Tweak website styles for accessibility.
2021-02-17 17:28:03 -06:00
Matt Moyer
25f841d063
Tweak website styles for accessibility.
...
Makes most of the fonts a bit bigger, increases contrast, fixes some nits about the spacing in numbered/bulletted lists, and adds some image alt texts.
Overall this improves our Lighthouse accessibility score from 71 to 95 and I think it's subjectively more readable.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-17 17:19:58 -06:00
Margo Crawford
10b769c676
Fixed integration tests for load balancer capabilities
2021-02-17 10:55:49 -08:00
Margo Crawford
67da840097
Add loadbalancer for impersonation proxy when needed
2021-02-16 15:57:02 -08:00
Matt Moyer
93d4581721
Workaround a bad module version to fix Dependabot.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 17:05:33 -06:00
Matt Moyer
0a7c5b0604
Merge pull request #403 from mattmoyer/add-latest-generated-package
...
Add "go.pinniped.dev/generated/latest" package that is not a nested module.
2021-02-16 15:30:48 -06:00
Matt Moyer
acbeb93f79
Don't lint generated code.
...
This wasn't needed before because the other code wasn't in the main module and golangci-lint won't cross a module boundary.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:18:18 -06:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Matt Moyer
b42a34d822
Add generated client code for 'latest'.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 12:34:33 -06:00
Matt Moyer
3ce3403b95
Update ./hack/update.sh to add a "latest" package.
...
This is just a copy of the newest Kubernetes version, but as a plain package and not a submodule.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 12:28:29 -06:00
Andrew Keesler
eb19980110
internal/concierge/impersonator: set user extra impersonation headers
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 09:26:47 -05:00
Andrew Keesler
c7905c6638
internal/concierge/impersonator: fail if impersonation headers set
...
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 08:15:50 -05:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
25bc8dd8a9
test/integration: hopefully fix TestImpersonationProxy
...
I think we were assuming the name of our Concierge app, and getting lucky
because it was the name we use when testing locally (but not in CI).
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 18:04:21 -05:00
Andrew Keesler
6512ab1351
internal/concierge/impersonator: don't care about namespace
...
Concierge APIs are no longer namespaced (see f015ad5852
).
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 17:11:59 -05:00
Ryan Richard
5cd60fa5f9
Move starting/stopping impersonation proxy server to a new controller
...
- Watch a configmap to read the configuration of the impersonation
proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
Those will come in future commits.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
fac571b51a
Merge pull request #410 from ankeesler/update-copyright
...
generated: include 2021 in copyright
2021-02-11 12:26:31 -05:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Andrew Keesler
c8b1f00107
generated: include 2021 in copyright
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 10:52:01 -05:00
Mo Khan
f015ad5852
Merge pull request #405 from enj/enj/i/cluster_scope_concierge
...
Cluster scope all concierge APIs
2021-02-11 08:50:42 -05:00
Monis Khan
b04fd46319
Update federation domain logic to use status subresource
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
4c304e4224
Assert all APIs have a status subresource
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
0a9f446893
Update credential issuer logic to use status subresource
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
96cec59236
Generated
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
4faf724c2c
Make credential issuer status optional
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
de88ae2f61
Fix status related RBAC
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00