Commit Graph

3204 Commits

Author SHA1 Message Date
Ryan Richard
a918e9fb97 concierge_impersonation_proxy_test.go: Fix lint error in previous commit 2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee Test using a service account token to auth to the impersonator
Also make each t.Run use its own namespace to slight reduce the
interdependency between them.

Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6 Use ioutil.ReadFile instead of os.ReadFile
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Monis Khan
7b1ecf79a6
Fix race between err chan send and re-queue
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 10:13:29 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e Add integration test for using WhoAmIRequest through impersonator 2021-03-10 16:57:15 -08:00
Margo Crawford
24396b6af1 Use gorilla websocket library so squid proxy works 2021-03-10 16:03:52 -08:00
Ryan Richard
006dc8aa79 Small test refactor 2021-03-10 14:50:46 -08:00
Ryan Richard
2a2e2f532b Remove an integration test that is covered elsewhere now
The same coverage that was supplied by
TestCredentialRequest_OtherwiseValidRequestWithRealTokenShouldFailWhenTheClusterIsNotCapable
is now provided by an assertion at the end of TestImpersonationProxy,
so delete the duplicate test which was failing on GKE because the
impersonation proxy is now active by default on GKE.
2021-03-10 14:17:20 -08:00
Ryan Richard
1078bf4dfb Don't pass credentials when testing impersonation proxy port is closed
When testing that the impersonation proxy port was closed there
is no need to include credentials in the request. At the point when
we want to test that the impersonation proxy port is closed, it is
possible that we cannot perform a TokenCredentialRequest to get a
credential either.

Also add a new assertion that the TokenCredentialRequest stops handing
out credentials on clusters which have no successful strategies.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 13:08:15 -08:00
Matt Moyer
c14621428f
Merge pull request #485 from vmware-tanzu/pabloschuhmacher-patch-2
Create ROADMAP.md
2021-03-10 12:43:55 -08:00
Monis Khan
6582c23edb Fix a race detector error in a unit test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-10 11:24:42 -08:00
Ryan Richard
0b300cbe42 Use TokenCredentialRequest instead of base64 token with impersonator
To make an impersonation request, first make a TokenCredentialRequest
to get a certificate. That cert will either be issued by the Kube
API server's CA or by a new CA specific to the impersonator. Either
way, you can then make a request to the impersonator and present
that client cert for auth and the impersonator will accept it and
make the impesonation call on your behalf.

The impersonator http handler now borrows some Kube library code
to handle request processing. This will allow us to more closely
mimic the behavior of a real API server, e.g. the client cert
auth will work exactly like the real API server.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 10:30:06 -08:00
Pablo Schuhmacher
876f0a55d8
Create ROADMAP.md in actual markdown
fixed the random html generated when converting the google doc to markdown
2021-03-09 18:41:40 -08:00
Margo Crawford
c853707889 Added integration test for using websockets via the impersonation proxy
Tested that this test passed when using the kube api server directly,
so it's just the impersonation proxy that must be improved.
2021-03-09 17:00:30 -08:00
Matt Moyer
005133fbfb
Add more debug logging when waiting for pending strategies.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 16:56:53 -06:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Matt Moyer
0abe10e6b2
Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending.
This behavior can be disabled with "--concierge-skip-wait".

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 14:50:35 -06:00
Margo Crawford
883b90923d Add integration test for kubectl port-forward with impersonation 2021-03-09 11:32:50 -08:00
Matt Moyer
d6a0dfa497
Add some debug logging when "pinniped get kubeconfig" fails to find a successful strategy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:44:35 -06:00
Matt Moyer
29d5e43220
Fix minor typo in e2e_test.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:12:52 -06:00
Matt Moyer
eef1fd0c64
Merge pull request #481 from vmware-tanzu/dependabot/go_modules/github.com/ory/fosite-0.39.0
Bump github.com/ory/fosite from 0.38.0 to 0.39.0
2021-03-09 07:51:27 -06:00
dependabot[bot]
b2be83ee45
Bump github.com/ory/fosite from 0.38.0 to 0.39.0
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.38.0 to 0.39.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.38.0...v0.39.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-09 05:50:01 +00:00
Matt Moyer
b20a8358d3
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-08 15:16:40 -06:00
Matt Moyer
a58b460bcb
Switch TestImpersonationProxy to get clients from library.NewKubeclient instead of directly from kubernetes.NewForConfig.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 15:03:34 -06:00
Matt Moyer
8fd6a71312
Use simpler prefix matching for impersonation headers.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:44:38 -06:00
Matt Moyer
6efbd81f75
Rename this flag types for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:33:38 -06:00
Matt Moyer
a059d8dfce
Refactor "get kubeconfig" a bit more to clean things up.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:31:13 -06:00
Matt Moyer
8c0a073cb6
Fix this constant name to match its value.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 13:31:16 -06:00
Matt Moyer
389cd3486b
Rework "pinniped get kubeconfig" so that --concierge-mode can be used even when auto-discovering other parameters.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 11:43:56 -06:00
Matt Moyer
eac108aee5
Merge pull request #478 from vmware-tanzu/prepare-script-macos-big-sur
Fix hack/prepare-for-integration-tests.sh for MacOS Big Sur
2021-03-08 10:02:52 -06:00
Ryan Richard
49ec16038c Add integration test for using "kubectl exec" through the impersonator
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-05 16:14:45 -08:00
Margo Crawford
4bd68b1fa1 Use LC_ALL=C instead of LC_CTYPE=C because it works on Big Sur
It also works on the slightly older MacOS Catalina.
This script is only used on development laptops, so hopefully
this will work for more laptop OS's now.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-05 15:25:52 -08:00
Matt Moyer
73419313ee
Log when the validation eventually succeeds.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:59:43 -06:00
Matt Moyer
4750d7d7d2
The stderr from "pinniped get kubeconfig" is no longer empty.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:57:24 -06:00
Matt Moyer
ba0dc3bf52
Remove this test retry loop since the "get kubeconfig" step should now wait.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:39:57 -06:00
Matt Moyer
5d8594b285
Add validation step to "pinniped get kubeconfig".
This adds two new flags to "pinniped get kubeconfig": --skip-validation and --timeout.

By default, at the end of the kubeconfig generation process, we validate that we can reach the configured cluster. In the future this might also validate that the TokenCredentialRequest API is running, but for not it just verifies that the DNS name resolves, and the TLS connection is available on the given port.

If there is an error during this check, we block and retry for up to 10 minutes. This duration can be changed with --timeout an the entire process can be skipped with --skip-validation.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:35:42 -06:00
Matt Moyer
ce1b6303d9
Add an "--output" flag to "pinniped get kubeconfig".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:53:30 -06:00
Matt Moyer
36bc679142
Add diagnostic logging to "pinniped get kubeconfig".
These stderr logs should help clarify all the autodetection logic that's happening in a particular run.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:52:17 -06:00
Matt Moyer
c4f6fd5b3c
Add a bit nicer assertion helper in testutil/testlogger.
This makes output that's easier to copy-paste into the test. We could also make it ignore the order of key/value pairs in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:49:45 -06:00
Matt Moyer
52f58477b8
Wait for the ELB to become available _before_ starting the kubectl command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 09:32:49 -06:00
Matt Moyer
d848499176
Close this HTTP response body in TestE2EFullIntegration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:45:25 -06:00
Matt Moyer
c3b7d21037
Be less picky about what error code is returned here.
The thing we're waiting for is mostly that DNS is resolving, the ELB is listening, and connections are making it to the proxy.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 08:40:29 -06:00
Matt Moyer
832bc2726e
Merge pull request #477 from vmware-tanzu/dependabot/go_modules/github.com/google/go-cmp-0.5.5
Bump github.com/google/go-cmp from 0.5.4 to 0.5.5
2021-03-05 08:20:51 -06:00
dependabot[bot]
3833ba0430
Bump github.com/google/go-cmp from 0.5.4 to 0.5.5
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.4...v0.5.5)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-05 05:59:54 +00:00
Ryan Richard
ec133b9743 Resolve some new linter errors 2021-03-04 17:44:01 -08:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Ryan Richard
b102aa8991 In unit test, wait for obj from informer instead of resource version
In impersonator_config_test.go, instead of waiting for the resource
version to appear in the informers, wait for the actual object to
appear.

This is an attempt to resolve flaky failures that only happen in CI,
but it also cleans up the test a bit by avoiding inventing fake resource
version numbers all over the test.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-04 17:26:01 -08:00
Ryan Richard
9eb97e2683 Use Eventually when making tls connections and avoid resource version 0
- Use `Eventually` when making tls connections because the production
  code's handling of starting and stopping the TLS server port
  has some async behavior.
- Don't use resource version "0" because that has special meaning
  in the informer libraries.
2021-03-04 17:26:01 -08:00