djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
902 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

902 Commits

Author SHA1 Message Date
Andrew Keesler 005225d5f9 Use the new plog pkg in auth_handler.go 
- Add a new helper method to plog to make a consistent way to log
  expected errors at the info level (as opposed to unexpected
  system errors that would be logged using plog.Error)

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-10 10:33:52 -08:00
Ryan Richard b9726615dd Merge branch 'main' into authorize_endpoint 2020-11-10 09:29:21 -08:00
Ryan Richard 01941d6b2a Run Tilt containers as root because live-reload breaks otherwise 2020-11-10 09:27:44 -08:00
Ryan Richard b21c27b219 Merge branch 'main' into authorize_endpoint 2020-11-10 09:24:19 -08:00
Mo Khan 9bfcaa33c6
Merge pull request #190 from enj/enj/f/klog_levels 
Add log level support
 2020-11-10 12:14:02 -05:00
Monis Khan 1c60e09f13
Make race detector happy by removing parallelism 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-10 11:23:42 -05:00
Monis Khan 15a5332428
Reduce log spam 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-10 10:22:27 -05:00
Monis Khan a5643e3738
Add log level support 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-10 10:22:27 -05:00
Monis Khan 9356f64c55
Remove global klog --log-flush-frequency flag 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-10 08:48:42 -05:00
Ryan Richard 246471bc91 Also run OIDC validations in supervisor authorize endpoint 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-06 14:44:58 -08:00
Adam Powell 896e1b45f0 Hugo version of Pinniped site 2020-11-06 12:42:57 -10:00
Andrew Keesler 4032ed32ae
Auth endpoint integration test initial thoughts 
This is awaiting the new upstream OIDC provider CRD in order
to pass, however hopefully this is a starting point for us.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-05 11:00:05 -05:00
Ryan Richard 33ce79f89d Expose the Supervisor OIDC authorization endpoint to the public 2020-11-04 17:06:47 -08:00
Andrew Keesler 3bc13517b2
prepare-for-integration-tests.sh: add check for chromedriver 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 15:53:32 -08:00
Andrew Keesler a36f7c6c07 Test that the port of localhost redirect URI is ignored during validation 
Also move definition of our oauth client and the general fosite
configuration to a helper so we can use the same config to construct
the handler for both test and production code.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-04 15:04:50 -08:00
Ryan Richard ba688f56aa Supervisor authorize endpoint errors when PKCE code_challenge_method is invalid 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 12:29:43 -08:00
Matt Moyer 8684f8f628
Merge pull request #139 from enj/enj/i/use_parent_func 
Use parent func to indicate when the controller queue is a singleton
 2020-11-04 14:21:50 -06:00
Andrew Keesler 2564d1be42 Supervisor authorize endpoint errors when missing PKCE params 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-04 12:19:07 -08:00
Matt Moyer 4da3d93f6e
The supervisor JWKS observer and TLS cert controllers use the ctx after all, whoops. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-04 13:08:50 -06:00
Ryan Richard 0045ce4286 Refactor auth_handler_test.go's creation of paths and urls to use helpers 2020-11-04 09:58:40 -08:00
Monis Khan 418f4d20ae
Use parent func to indicate when the controller queue is a singleton 
This prevents unnecessary sync loop runs when the controller is
running with a single worker.  When the controller is running with
more than one worker, it prevents subtle bugs that can cause the
controller to go "back in time."

Signed-off-by: Monis Khan <mok@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-04 11:08:10 -06:00
Ryan Richard 8a7e22e63e @ankeesler: Maybe, but not this time ;) 2020-11-04 08:43:45 -08:00
Andrew Keesler 9e4ffd1cce
One of these days I will get here.Doc() spacing correct 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 11:29:33 -05:00
Andrew Keesler 6fe455c687
auth_handler.go: comment out currently unused fosite wiring 
See e8f4336 for why this is here in the first place.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 11:20:03 -05:00
Andrew Keesler d8c8f04860
auth_handler.go: write some more negative tests 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 11:12:26 -05:00
Andrew Keesler e8f433643f
auth_handler.go: only inject oauth store into handler 
Previously we were injecting the whole oauth handler chain into this function,
which meant we were essentially writing unit tests to test our tests. Let's push
some of this logic into the source code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:35:26 -05:00
Andrew Keesler 4f95e6a372
auth_handler.go: add test for invalid downstream redirect uri 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:30:53 -05:00
Andrew Keesler 259ffb5267
Checkpoint: write a single negative test using fosite 
Bringing in fosite to our go.mod introduced those other go.mod changes.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:15:19 -05:00
Andrew Keesler aab0fd644f
Merge remote-tracking branch 'upstream/main' into authorize_endpoint 2020-11-04 10:14:54 -05:00
Andrew Keesler e7a817e67a
Merge pull request #186 from ankeesler/bump-jose 
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1
 2020-11-04 10:14:32 -05:00
Andrew Keesler 0bbf55e46f
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1 
We were behind for some reason. Probably makes sense to bump to
latest version to get bug fixes and such.
 2020-11-04 09:55:18 -05:00
Ryan Richard c34e5a727d Starting the implementation of an OIDC authorization endpoint handler 
Does not validate incoming request parameters yet. Also is not
served on the http/https ports yet. Those will come in future commits.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-03 16:17:38 -08:00
Andrew Keesler 0d8477ea8a Add a type for in-memory caching of upstream OIDC Identity Providers 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-03 12:06:07 -08:00
Ryan Richard 1223cf7877
Merge pull request #154 from vmware-tanzu/change_release_static_yaml_names 
Rename static yaml files in release process
 2020-11-02 17:09:11 -08:00
Ryan Richard 036845deee
Merge pull request #184 from vmware-tanzu/bump_golang_and_slim 
Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim
 2020-11-02 17:08:48 -08:00
Matt Moyer c451604816
Merge pull request #182 from mattmoyer/more-renames 
Rename more APIs before we cut a release with longer-term API compatibility
 2020-11-02 18:34:26 -06:00
Ryan Richard 05cf56a0fa
Merge pull request #180 from vmware-tanzu/limits 
Add CPU/memory limits to our deployments
 2020-11-02 16:22:37 -08:00
Ryan Richard 5a0e7fd358 Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
Matt Moyer 2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 18:15:03 -06:00
Ryan Richard 05233963fb Add CPU requests and limits to the Concierge and Supervisor deployments 2020-11-02 15:47:20 -08:00
Matt Moyer 2b8773aa54
Rename OIDCProviderConfig to OIDCProvider. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:40:39 -06:00
Matt Moyer 59263ea733
Rename CredentialIssuerConfig to CredentialIssuer. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:39:42 -06:00
Matt Moyer b13a8075e4
Merge pull request #183 from vmware-tanzu/non-root 
Run as non-root
 2020-11-02 17:39:14 -06:00
Ryan Richard d596f8c3e5 Empty commit to trigger CI 2020-11-02 15:18:39 -08:00
Ryan Richard 75c35e74cc Refactor and add unit tests for previous commit to run agent pod as root 2020-11-02 15:03:37 -08:00
Matt Moyer e4f4cd7ca0
Merge pull request #181 from mattmoyer/add-psp-cluster-role-permission 
Give the concierge access to use any PodSecurityPolicy.
 2020-11-02 15:35:56 -06:00
Ryan Richard a01921012d
kubecertagent: explicitly run as root 
We need root here because the files that this pod reads are
most likely restricted to root access.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:33:46 -05:00
Ryan Richard 2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:32:50 -05:00
Matt Moyer 935577f8e7
Give the concierge access to use any PodSecurityPolicy. 
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.

This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 15:10:00 -06:00
Ryan Richard 781f86d18c
deploy: add memory limits 
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.

The limits == requests for "Guaranteed" QoS.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 14:57:39 -05:00