Ryan Richard
ac431ddc6d
Add more to failure message in test which only fails in main CI
2021-05-17 12:57:34 -07:00
Ryan Richard
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
...
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
Ryan Richard
20b1c41bf5
Experiment to see if we can ignore read /dev/ptmx: input/output error
...
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
Ryan Richard
f5bf8978a3
Cache ResourceVersion of the validated bind Secret in memory
...
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
...
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
609883c49e
Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint
2021-05-13 13:07:31 -07:00
Ryan Richard
f15fc66e06
`pinniped get kubeconfig`: refactor to use oidc.NewProvider for discovery
...
- Note that this adds an extra check of the response, which is that
the issuer string in the response must match issuer of the requested
URL.
- Some of the error messages also changed to match the errors provided
by oidc.NewProvider
2021-05-13 12:27:42 -07:00
Margo Crawford
6479015caf
Remove timeout so this test doesn't take forever
2021-05-13 10:23:44 -07:00
Ryan Richard
67dca688d7
Add an API version to the Supervisor IDP discovery endpoint
...
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02
Also check that the authcode storage is around for a while
2021-05-12 14:22:14 -07:00
Ryan Richard
29ca8acab4
oidc_upstream_watcher.go: two methods become private funcs
2021-05-12 14:05:08 -07:00
Ryan Richard
1ae3c6a1ad
Split package upstreamwatchers into four packages
2021-05-12 14:00:39 -07:00
Ryan Richard
22092e9aed
Missed a usage of int64Ptr in previous commit
2021-05-12 14:00:26 -07:00
Margo Crawford
874f938fc7
unit test for garbage collection time for refresh and access tokens
2021-05-12 13:55:54 -07:00
Ryan Richard
4804c837d4
Insignificant change in ldap_upstream_watcher_test.go
2021-05-12 13:37:01 -07:00
Ryan Richard
f0652c1ce1
Replace all usages of strPtr() with pointer.StringPtr()
2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315
Rename `X-Pinniped-Idp-*` headers to `Pinniped-*`
...
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
9ca72fcd30
login.go: Respect overallTimeout for LDAP login-related http requests
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
Ryan Richard
3008d1a85c
Log slow LDAP authentication attempts for debugging purposes
2021-05-12 11:59:48 -07:00
Ryan Richard
6c2a775c9b
Use proxy for `pinniped get kubeconfig` in hack/prepare-supervisor-on-kind.sh
...
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
Ryan Richard
41d3e3b6ec
Fix lint error in e2e_test.go
2021-05-12 11:24:00 -07:00
Ryan Richard
20b86ac0a9
Merge pull request #589 from vmware-tanzu/ldap-get-kubeconfig
...
WIP: Support for Supervisor upstream LDAP IDPs in `pinniped get kubeconfig`
2021-05-12 10:10:49 -07:00
Margo Crawford
df0e715bb7
Add integration test that waits for access token expiry
2021-05-12 09:05:13 -07:00
Ryan Richard
6723ed9fd8
Add end-to-end integration test for CLI-based LDAP login
2021-05-11 13:55:46 -07:00
Ryan Richard
f98aa96ed3
Merge branch 'initial_ldap' into ldap-get-kubeconfig
2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba
Merge branch 'main' into initial_ldap
2021-05-11 11:09:37 -07:00
Ryan Richard
e25eb05450
Move Supervisor IDP discovery to its own new endpoint
2021-05-11 10:31:33 -07:00
Pinny
dbde150c38
Update CLI docs for v0.8.0 release
2021-05-10 22:01:16 +00:00
Ryan Richard
c0fcd27594
Fix typo in test/integration/e2e_test.go
...
Co-authored-by: Mo Khan <i@monis.app>
2021-05-10 12:51:56 -07:00
Mo Khan
1ddc85495f
Merge pull request #610 from enj/enj/t/eks_extra_nested_impersonation
...
impersonation proxy test: handle admin users with mixed case extra keys
2021-05-10 13:49:24 -04:00
Monis Khan
716659b74a
impersonation proxy test: handle admin users with mixed case extra keys
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-10 13:22:51 -04:00
Mo Khan
696c2b9133
Merge pull request #609 from enj/enj/t/eks_uid_nested_impersonation
...
impersonation proxy test: handle admin users with UID such as on EKS
2021-05-10 10:35:26 -04:00
Mo Khan
0770682bf9
impersonation proxy test: handle admin users with UID such as on EKS
...
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 09:21:45 -04:00
Mo Khan
88ff3164a2
Merge pull request #608 from enj/enj/i/discovery_keep_oidc_err
...
upstreamwatcher: do not truncate explicit oidc errors
2021-05-10 09:18:13 -04:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
...
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Matt Moyer
9fc7f43245
Merge pull request #607 from mattmoyer/fix-eks-nested-impersonation-tests
...
Fix TestImpersonationProxy on EKS.
2021-05-07 16:46:40 -05:00
Matt Moyer
47f5e822d0
Fix TestImpersonationProxy on EKS.
...
The admin kubeconfigs we have on EKS clusters are a bit different from others, because there is no certificate/key (EKS does not use certificate auth).
This code didn't quite work correctly in that case. The fix is to allow the case where `tlsConfig.GetClientCertificate` is non-nil, but returns a value with no certificates.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-07 16:22:08 -05:00
Mo Khan
cc99d9aeb4
Merge pull request #606 from enj/enj/i/log_discovery_err
...
upstreamwatcher: preserve oidc discovery error
2021-05-07 16:56:52 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
...
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Matt Moyer
a08a28d67b
Merge pull request #603 from vmware-tanzu/dependabot/docker/golang-1.16.4
...
Bump golang from 1.16.3 to 1.16.4
2021-05-07 06:58:13 -05:00
dependabot[bot]
2634c9f04a
Bump golang from 1.16.3 to 1.16.4
...
Bumps golang from 1.16.3 to 1.16.4.
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 05:49:58 +00:00
Margo Crawford
29a1ca5168
Merge pull request #602 from vmware-tanzu/access-token-lifetime
...
Change access token storage lifetime to be the same as the refresh token's
2021-05-06 14:39:52 -07:00
Margo Crawford
5240f5e84a
Change access token storage lifetime to be the same as the refresh token's
...
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Matt Moyer
a8bccc5432
Merge pull request #599 from mattmoyer/docs-tweak-configure-supervisor-with-gitlab
...
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
2021-05-04 17:32:14 -05:00
Matt Moyer
f167a075dd
Clean up this language in configure-supervisor-with-gitlab.md a bit more.
...
This was duplicative.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
8136c787a7
More adjustments to configure-supervisor-with-gitlab.md.
...
- Use `nickname` claim as an example, which means we only need the `openid` scope.
This is also more stable since emails can change over time.
- Put the OIDCIdentityProvider and Secret into one YAML blob, since they will likely be copy-pasted together anyway.
- Add a separate section for using alternate claims.
- Add a separate section for using a private GitLab instance.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
3e13b5f39d
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
...
Some minor edits I came across while reviewing this:
- Capitalize "GitLab" the way they do.
- Use `{{< ref "xyz" >}}` references when linking internally. The advantage of these is that they're "type checked" by Hugo when the site is rendered, so we'll know if we ever break one.
- Add links to the GitLab docs about creating an OAuth client. These also cover adding a group-level or instance-wide application.
- Re-wrap the YAML lines to fit a bit more naturally.
- Add a `namespace` to the YAML examples, so they're more likely to work without tweaks.
- Use "gitlab" instead of "my-oidc-identity-provider" as the example name, for clarity.
- Re-word a few small bits. These are 100% subjective but hopefully an improvement?
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Margo Crawford
1a2940c278
Merge pull request #560 from vmware-tanzu/client-debug-logging
...
Client debug logging
2021-05-04 13:46:47 -07:00
Mo Khan
4bb0fdeddd
Merge pull request #598 from enj/enj/i/gc_tz
...
supervisor gc: use singleton queue
2021-05-04 15:08:06 -04:00