Andrew Keesler
9ed52e6b4a
test/integration: declare some test helpers to fix line reporting
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:45 -04:00
Andrew Keesler
fab36c55f5
inernal/controller/kubecertagent: fix some godoc's
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:06 -04:00
Ryan Richard
409d10baf8
Merge pull request #122 from ankeesler/1-19-exec-strategy
...
Fix exec strategy for Kubernetes 1.19
2020-09-24 10:32:43 -07:00
Ryan Richard
ea762b405d
Increase some integration test timeouts so they can pass when CI is slow
2020-09-24 10:20:51 -07:00
Ryan Richard
3ff605bb39
Merge branch 'main' into 1-19-exec-strategy
2020-09-24 10:12:54 -07:00
Ryan Richard
856971e452
Replace title in README.md with project logo
2020-09-24 10:09:50 -07:00
Ryan Richard
eaf2d9a185
Improve failure message in an integration test for better debugging
...
This seems to fail on CI when the Concourse workers get slow and
kind stops working reliably. It would be interesting to see the
error message in that case to figure out if there's anything we
could do to make the test more resilient.
2020-09-24 09:44:10 -07:00
Ryan Richard
3f06be2246
Remove kubecertauthority pkg
...
All of its functionality was refactored to move elsewhere or to not
be needed anymore by previous commits
2020-09-24 09:23:29 -07:00
Andrew Keesler
69137fb6b9
kube_config_info_publisher.go no longer watches cic's with an informer
...
Simplifies the implementation, makes it more consistent with other
updaters of the cic (CredentialIssuerConfig), and also retries on
update conflicts
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-24 09:19:57 -07:00
Ryan Richard
253d3bb36f
Remove an accidentally committed it.Focus
2020-09-24 08:15:10 -07:00
Andrew Keesler
9f80b0ea00
Set CIC error statuses in kubecertagent annotater and creater
...
Also fix an instance where we were using an informer in a retry loop.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 10:40:50 -04:00
Matt Moyer
6f4cf705e5
Merge pull request #133 from mattmoyer/upgrade-to-kubernetes-1.19.2
...
Upgrade client-go et al from 1.19.0 to 1.19.2.
2020-09-24 09:35:38 -05:00
Matt Moyer
ec3e4cae68
Upgrade client-go, et al from 1.19.0 to 1.19.2.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 09:21:10 -05:00
Ryan Richard
381811b36f
Refactor constructor params of the kubecertagent pkg's controllers
...
- Only inject things through the constructor that the controller
will need
- Use pkg private constants when possible for things that are not
actually configurable by the user
- Make the agent pod template private to the pkg
- Introduce a test helper to reduce some duplicated test code
- Remove some `it.Focus` lines that were accidentally committed, and
repair the broken tests that they were hiding
2020-09-23 17:30:22 -07:00
Andrew Keesler
906a88f2d3
Set kube-cert-agent imagePullPolicy to IfNotPresent for CI
...
Maybe this will fix kind integration tests? It is what the main
Pinniped deployment does?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 14:15:59 -04:00
Andrew Keesler
0f8437bc3a
Integration tests are passing ayooooooooooooooo
2020-09-23 12:47:04 -04:00
Andrew Keesler
6d047c151f
Fix kubecertagent deleter test to reconcile on pod template fields
...
I think we want to reconcile on these pod template fields so that if
someone were to redeploy Pinniped with a new image for the agent, the
agent would get updated immediately. Before this change, the agent image
wouldn't get updated until the agent pod was deleted.
2020-09-23 11:30:13 -04:00
Andrew Keesler
9735122db9
Wire in kubecertagent.NewExecerController() to server
...
Also fill in a couple of low-hanging unit tests.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 11:01:41 -04:00
Andrew Keesler
4948e1702f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy
2020-09-23 09:54:45 -04:00
Andrew Keesler
406f2723ce
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer
...
This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic
CA keypair.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 09:53:21 -04:00
Andrew Keesler
6c555f94e3
internal/provider -> internal/dynamiccert
...
3 main reasons:
- The cert and key that we store in this object are not always used for TLS.
- The package name "provider" was a little too generic.
- dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:29:35 -04:00
Andrew Keesler
f8e872d1af
Please linter to get back to passing lint+unit-test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:02:04 -04:00
Andrew Keesler
3e45bfc97d
internal/controller/issuerconfig: Publisher -> KubeConfigInfoPublisher
...
The new symbol more specifically describes what the controller does.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:58:01 -04:00
Andrew Keesler
a55e9de4fc
Use existing clock test double to get kubecertagent units passing
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:50:45 -04:00
Ryan Richard
eb0d9a15fc
WIP: start replacing the kubecertauthority pkg with a new controller
...
- Lots of TODOs added that need to be resolved to finish this WIP
- execer_test.go seems like it should be passing, but it fails (sigh)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-22 17:45:20 -07:00
Matt Moyer
6063674623
Merge pull request #130 from mattmoyer/add-cla-doc
...
Add a section about our CLA.
2020-09-22 14:20:19 -05:00
Matt Moyer
d574fe05ba
Add a section about our CLA.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 14:15:14 -05:00
Matt Moyer
4369cc9ff2
Merge pull request #129 from mattmoyer/test-fixes
...
Test fixes and hardening
2020-09-22 13:33:40 -05:00
Matt Moyer
adf263b566
Harden some tests against slow IDP controllers using Eventually()
.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 12:43:35 -05:00
Matt Moyer
4edda802e5
Avoid a bug where long test names overflow the max label length.
...
Annotations do not have this restriction, so we can put it there instead. This only currently occurs on clusters without the cluster signing capability (GKE).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 11:23:34 -05:00
Andrew Keesler
db9a97721f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy
2020-09-22 11:54:47 -04:00
Matt Moyer
3578d7cb9a
Merge pull request #128 from mattmoyer/add-idp-selector
...
Support multiple IDPs by adding IdentityProvider selector to TokenCredentialRequest spec.
2020-09-22 10:51:44 -05:00
Andrew Keesler
83920db502
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy
2020-09-22 11:39:07 -04:00
Andrew Keesler
1a4f9e3466
kubecertagent: get integration tests passing again
...
Note: the non-kubecertagent integration tests are still failing :).
2020-09-22 11:38:13 -04:00
Matt Moyer
e574a99c5e
Add an integration test that tries to use a non-existent IDP.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:16:47 -05:00
Matt Moyer
16ef2baf8a
Sort idpcache keys to make things as deterministic as possible.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
9beb3855b5
Create webhooks per-test and explicitly in demo.md
instead of with ytt in ./deploy
.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
81f2362543
Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
07f0181fa3
Add IDP selection to get-kubeconfig command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
481308215d
Pass namespace properly in client.ExchangeToken.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
381fd51e13
Refactor get_kubeconfig.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
541336b997
Fix docstring for exchange credential CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:32 -05:00
Matt Moyer
6cdd4a9506
Add support for multiple IDPs selected using IdentityProvider field.
...
This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
fbe0551426
Add IDP selector support in client code.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Matt Moyer
164f64a370
Add IdentityProvider field to TokenCredentialRequestSpec.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 10:03:31 -05:00
Ryan Richard
526be79b11
Finish WIP from previous commits: agent pods created in install namespace
2020-09-21 17:15:36 -07:00
Ryan Richard
820f1e977e
Continue the WIP from the previous commit: finish adding second informer
...
- All of the `kubecertagent` controllers now take two informers
- This is moving in the direction of creating the agent pods in the
Pinniped installation namespace, but that will come in a future
commit
2020-09-21 16:37:22 -07:00
Andrew Keesler
50258fc569
WIP: start to create kube-cert-agent pods in namespace
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-21 16:27:00 -04:00
Ryan Richard
0d3ad0085d
Fix lint error from previous commit
2020-09-21 12:30:53 -07:00
Ryan Richard
cfb76a538c
Refactor kubectl exec test in TestCLI to avoid assuming any RBAC settings
2020-09-21 11:40:11 -07:00