djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,202 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

1202 Commits

Author SHA1 Message Date
Andrew Keesler 35bb76ea82
Ensure labels are set correct on generated Supervisor secret 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 15:55:14 -05:00
Andrew Keesler 3d4717b772
Merge pull request #285 from vmware-tanzu/log-unexpected-upstream 
Log when unexpected Upstream OIDC Providers found
 2020-12-15 15:30:20 -05:00
Andrew Keesler 2b7685fa23
Merge branch 'main' into log-unexpected-upstream 2020-12-15 15:30:05 -05:00
Andrew Keesler 9d9040944a Secrets owned by `Deployment` have `Controller: false` 
- This is to prevent K8s internal Deployment controller from trying to
manage these objects

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 12:12:47 -08:00
Matt Moyer 2b2f1bbfc9
Merge pull request #276 from mattmoyer/extended-e2e-cli 
Enhance CLI to integrate supervisor and concierge capabilities.
 2020-12-15 13:23:51 -06:00
aram price 2edcdc92f4 Log when unexpected Upstream OIDC Providers found 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 10:49:13 -08:00
Ryan Richard 0e60c93cef Add UsernameClaim and GroupsClaim to JWTAuthenticator CRD spec 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-15 10:36:19 -08:00
Matt Moyer 0b38d6c763
Add TestE2EFullIntegration test which combines supervisor, concierge, and CLI. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer ff49647de4
Add some missing test logs in test/library/client.go. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer e0eba9d5a6
Refactor library.CreateTestJWTAuthenticator() so we can also use the supervisor as an upstream. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer 5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:50 -06:00
Matt Moyer aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer 8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching. 
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer 70fd330178
Add library.CreateTestClusterRoleBinding test helper. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer ad5e257600
Add a library.RandHex() test helper. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:34:49 -06:00
Matt Moyer 4088793cc5
Add a .ProxyEnv() helper on the test environment. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:04 -06:00
Matt Moyer b6edc3dc08
Replace TestCLIGetKubeconfig with TestCLIGetKubeconfigStaticToken. 
It now tests both the deprecated `pinniped get-kubeconfig` and the new `pinniped get kubeconfig --static-token` flows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer fe4e2d620d
Update TestCLIGetKubeconfig to ignore stderr output from `get-kubeconfig`. 
This will now have a deprecation warning, so we can't treat is as part of the YAML output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer f9691208d5
Add library.NewRestConfigFromKubeconfig() test helper. 
This is extracted from library.NewClientsetForKubeConfig(). It is useful so you can assert properties of the loaded, parsed kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer 71850419c1
Overhaul `pinniped` CLI subcommands. 
- Adds two new subcommands: `pinniped get kubeconfig` and `pinniped login static`
- Adds concierge support to `pinniped login oidc`.
- Adds back wrapper commands for the now deprecated `pinniped get-kubeconfig` and `pinniped exchange-credential` commands. These now wrap `pinniped get kubeconfig` and `pinniped login static` respectively.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer dfbb5b60de
Remove `pinniped get-kubeconfig` CLI subcommand. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:03 -06:00
Matt Moyer 3b5f00439c
Remove `pinniped exchange-credential` CLI subcommand. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:02 -06:00
Matt Moyer 9b7fe01648
Add a new ./pkg/conciergeclient package to replace ./internal/client. 
This is a slighly evolved version of our previous client package, exported to be public and refactored to use functional options for API maintainability.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-12-15 12:28:02 -06:00
Andrew Keesler 2e784e006c
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 13:24:33 -05:00
Andrew Keesler 08cf2f7cd1
Merge pull request #284 from ankeesler/oidcprovider-enum-values 
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status, and help some test flakes
 2020-12-15 13:23:16 -05:00
Andrew Keesler be4e34d0c0
Retry a couple of times if we fail to get a token from the Supervisor 
I hope this will make TestSupervisorLogin less flaky. There are some instances
where the front half of the OIDC login flow happens so fast that the JWKS
controller doesn't have time to properly generate an asymmetric key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 11:53:58 -05:00
Andrew Keesler 50f9b434e7
SameIssuerHostMustUseSameSecret is a valid OIDCProvider status 
I saw this message in our CI logs, which led me to this fix.
  could not update status: OIDCProvider.config.supervisor.pinniped.dev "acceptance-provider" is invalid: status.status: Unsupported value: "SameIssuerHostMustUseSameSecret": supported values: "Success", "Duplicate", "Invalid"

Also - correct an integration test error message that was misleading.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 11:53:53 -05:00
Ryan Richard 43bb7117b7 Allow upstream group claim values to be either arrays or strings 2020-12-15 08:34:24 -08:00
Andrew Keesler 7320928235
Get rid of TODOs in code by punting on them 
We will do these later; they have been recorded in a work tracking record.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 09:58:46 -05:00
Andrew Keesler d2498c96e0
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-15 09:27:23 -05:00
Andrew Keesler 82ae98d9d0
Set secret names on OIDCProvider status field 
We believe this API is more forwards compatible with future secrets management
use cases. The implementation is a cry for help, but I was trying to follow the
previously established pattern of encapsulating the secret generation
functionality to a single group of packages.

This commit makes a breaking change to the current OIDCProvider API, but that
OIDCProvider API was added after the latest release, so it is technically still
in development until we release, and therefore we can continue to thrash on it.

I also took this opportunity to make some things private that didn't need to be
public.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 09:13:01 -05:00
Andrew Keesler 60d4a7beac
Test more filters in SupervisorSecretsController (see 6e8d564013) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 07:58:33 -05:00
Andrew Keesler 9a3e60d4df
go.mod: unnecessary dependency slipped in (c3f73ff) 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-15 07:56:31 -05:00
aram price e03e344dcd SecretHelper depends less on OIDCProvider 
This should allow the helper to be more generic so that it can be used
with the SupervisorSecretsController
 2020-12-14 19:35:45 -08:00
aram price bf86bc3383 Rename for clarity 2020-12-14 18:36:56 -08:00
Ryan Richard 16dfab0aff token_handler_test.go: Add tests for username and groups custom claims 2020-12-14 18:27:14 -08:00
aram price b799515f84 Pull symmetricsecrethelper package up to generator 
- rename symmetricsecrethelper.New => generator.NewSymmetricSecretHelper
 2020-12-14 17:41:02 -08:00
Ryan Richard 417e6b1fee
Merge pull request #282 from vmware-tanzu/security-headers 
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers
 2020-12-14 17:22:09 -08:00
Margo Crawford afcd5e3e36 WIP: Adjust subject and username claims 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-12-14 17:05:53 -08:00
aram price b1ee434ddf Rename in preparation for refactor 2020-12-14 16:44:27 -08:00
aram price 6e8d564013 Test filters in SupervisorSecretsController 2020-12-14 16:08:48 -08:00
Ryan Richard 16907e4453 Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
 2020-12-14 15:28:32 -08:00
Andrew Keesler 9c79adcb26 Rename and move some code to perpare for refactor 
Signed-off-by: aram price <pricear@vmware.com>
 2020-12-14 14:24:13 -08:00
Aram Price 5b7a86ecc1
Integration test for Supervisor secret controllers 
This forced us to add labels to the CSRF cookie secret, just as we do
for other Supervisor secrets. Yay tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 15:53:12 -05:00
Andrew Keesler cae0023234
Merge remote-tracking branch 'upstream/main' into secret-generation 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:44:01 -05:00
Andrew Keesler 2f28d2a96b
Synchronize the OIDCProvider secrets cache 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 11:32:33 -05:00
Andrew Keesler e3ea141bf3
Reuse helper filter in generic secret gen controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:37:27 -05:00
Andrew Keesler b043dae149
Finish first implementation of generic secret generator controller 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-12-14 10:36:45 -05:00
aram price 3ca877f1df
WIP - preliminary OIDCProviderSecrets controller 
Tests not yet passing, controller is incomplete and expectations may be
incorrect.
 2020-12-13 17:37:49 -05:00
aram price 3e31668eb0
Refactor some utilitiy methods for sharing. 2020-12-13 17:37:48 -05:00