Commit Graph

3204 Commits

Author SHA1 Message Date
Matt Moyer
935577f8e7
Give the concierge access to use any PodSecurityPolicy.
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.

This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 15:10:00 -06:00
Ryan Richard
781f86d18c
deploy: add memory limits
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.

The limits == requests for "Guaranteed" QoS.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 14:57:39 -05:00
Andrew Keesler
fcea48c8f9
Run as non-root
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Andrew Keesler
7639d5e161
Merge pull request #178 from ankeesler/test-cleanup
test/integration: protect from NPE and follow doc conventions
2020-11-02 12:22:34 -05:00
Ryan Richard
ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling
Handle custom labels better in the agent pod controllers
2020-11-02 09:08:42 -08:00
Andrew Keesler
fb3c5749e8
test/integration: protect from NPE and follow doc conventions
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 11:51:02 -05:00
Ryan Richard
7597b12a51 Small unit test changes for deleter_test.go 2020-11-02 08:40:39 -08:00
Matt Moyer
5bbfc35d27
Merge pull request #175 from mattmoyer/split-config-apis
Split the config CRDs into two API groups.
2020-10-30 19:42:03 -05:00
Ryan Richard
f76b9857da Don't use custom labels when selecting an agent pod
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
2020-10-30 17:41:17 -07:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Ryan Richard
01f4fdb5c3 Remove namespace from a ClusterRoleBinding, which are not namespaced 2020-10-30 16:10:04 -07:00
Andrew Keesler
a5379c08e2 Whitespace-only change in two files
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-30 15:18:40 -07:00
Matt Moyer
ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
2020-10-30 15:50:39 -05:00
Ryan Richard
4b7592feaf Skip a part of an integration test which is not so easy with real Ingress
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-30 13:19:34 -07:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
59431a3d3d
Merge pull request #173 from mattmoyer/parallel-codegen
Do codegen across all version in parallel.
2020-10-30 13:45:21 -05:00
Matt Moyer
9760c03617
Do codegen across all version in parallel.
This only matters for local development, since we don't use this script directly in CI. Makes the full codegen ste take ~90s on my laptop.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 11:12:53 -05:00
Matt Moyer
8b8ffc21c4
Merge pull request #172 from mattmoyer/rename-login-api
Rename login API to `login.concierge.pinniped.dev`.
2020-10-30 10:23:45 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
3277e778ea Add a comment to an integration test 2020-10-29 15:42:22 -07:00
Ryan Richard
9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
2020-10-28 17:15:11 -07:00
Ryan Richard
059b6e885f Allow ytt templating of the loadBalancerIP for the supervisor 2020-10-28 16:45:23 -07:00
Ryan Richard
4af508981a Make default TLS secret name from app name in supervisor_discovery_test.go 2020-10-28 16:11:19 -07:00
Ryan Richard
a007fc3bd3 Form paths correctly when the path arg is empty in supervisor_discovery_test.go 2020-10-28 15:22:53 -07:00
Ryan Richard
c52874250a Fix a mistake in supervisor_discovery_test.go
- Should not fail when the default TLS cert does not exist in the
  test cluster before the test started
2020-10-28 14:25:01 -07:00
Ryan Richard
01dddd3cae Add some docs for configuring supervisor TLS
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 13:42:02 -07:00
Andrew Keesler
bd04570e51 supervisor_discovery_test.go tests hostnames are treated as case-insensitive
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 13:09:20 -07:00
Ryan Richard
8ff64d4c1a Require https scheme for OIDCProviderConfig Issuer field
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Andrew Keesler
2542a8e175 Stash and restore any pre-existing default TLS cert in supervisor_discovery_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 12:32:21 -07:00
Ryan Richard
29e0ce5662 Configure name of the supervisor default TLS cert secret via ConfigMap
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
978ecda758 Test SNI & default certs being used at the same time in integration test 2020-10-28 08:58:50 -07:00
Ryan Richard
170d3a3993 Forgot to commit some test fixtures in a prior commit 2020-10-27 17:00:00 -07:00
Ryan Richard
2777c4e9f3 Update prepare-for-integration-tests.sh to use ./hack/kind-{up,down}.sh 2020-10-27 16:56:53 -07:00
Ryan Richard
38802c2184 Add a way to set a default supervisor TLS cert for when SNI won't work
- Setting a Secret in the supervisor's namespace with a special name
  will cause it to get picked up and served as the supervisor's TLS
  cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
  issuer and the user will be accessing it via IP address. This
  is not how we would expect it to be used in production, but it
  might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
  Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 16:33:08 -07:00
Andrew Keesler
7bce16737b
Get rid of WIP workflow
See d5dd65c, 45189e3, 96c4661. I pushed to the wrong remote...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:39:19 -04:00
Andrew Keesler
96c4661a25
Fix unit-tests workflow YAML.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:26:11 -04:00
Andrew Keesler
45189e3e2b
No way this windows-unit-tests workflow works.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:20:12 -04:00
Andrew Keesler
d5dd65cfe8
So...does this macos-unit-tests workflow work?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:00:54 -04:00
Ryan Richard
1f1b6c884e Add integration test: supervisor TLS termination and SNI virtual hosting
- Also reduce the minimum allowed TLS version to v1.2, because v1.3
  is not yet supported by some common clients, e.g. the default MacOS
  curl command
2020-10-27 14:57:25 -07:00
Ryan Richard
eeb110761e Rename secretName to SNICertificateSecretName in OIDCProviderConfig 2020-10-26 17:25:45 -07:00
Ryan Richard
8b7c30cfbd Supervisor listens for HTTPS on port 443 with configurable TLS certs
- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
2020-10-26 17:03:26 -07:00
Matt Moyer
7880f7ea41
Merge pull request #171 from danjahner/main
Rename logo file
2020-10-26 17:20:36 -05:00
Dan Jahner
13ccb07fe4
Rename logo file 2020-10-26 15:06:04 -07:00
Matt Moyer
6c092deba5
Merge pull request #169 from mattmoyer/promote-login-command
Promote the `pinniped login` command out of alpha.
2020-10-23 19:48:44 -05:00
Ryan Richard
25a91019c2 Add spec.secretName to OPC and handle case-insensitive hostnames
- When two different Issuers have the same host (i.e. they differ
  only by path) then they must have the same secretName. This is because
  it wouldn't make sense for there to be two different TLS certificates
  for one host. Find any that do not have the same secret name to
  put an error status on them and to avoid serving OIDC endpoints for
  them. The host comparison is case-insensitive.
- Issuer hostnames should be treated as case-insensitive, because
  DNS hostnames are case-insensitive. So https://me.com and
  https://mE.cOm are duplicate issuers. However, paths are
  case-sensitive, so https://me.com/A and https://me.com/a are
  different issuers. Fixed this in the issuer validations and in the
  OIDC Manager's request router logic.
2020-10-23 16:25:44 -07:00
Matt Moyer
7615667b9b
Update TestCLILoginOIDC to use new non-alpha login command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:42 -05:00