Commit Graph

1990 Commits

Author SHA1 Message Date
Dan Jahner
e97bad2198
Docs only: Fix failure response, format for clarity 2020-10-02 13:58:31 -07:00
Matt Moyer
fe12f85c70
Rename the CoC and contributor guide to the names GitHub recognizes.
These special names are recognized by GitHub, for example on https://github.com/vmware-tanzu/pinniped/community.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-02 15:53:48 -05:00
Dan Jahner
127914703e
Docs only: Use prettier URL for latest config 2020-10-02 12:00:57 -07:00
Andrew Keesler
916db74d65
Merge pull request #138 from vmware-tanzu/no_dirty_in_version
Do not append "-dirty" to the version number when the git repo is dirty
2020-10-02 13:33:21 -04:00
Ryan Richard
0bfa351eb4 Do not append "-dirty" to the version number when the git repo is dirty
- Semver version numbers do not end with "-dirty"
- Continue to include the clean/dirty status of the repo in the
  `gitTreeState` field
2020-10-01 17:23:37 -07:00
Ryan Richard
b69eb5e850
Add link to GitHub Discussions on the main README 2020-09-29 16:46:18 -07:00
Ryan Richard
d43744f8e9 Allow CI to embed version info at build time for CLI
- Prevent the server binary from lying about its version number
  by having it report "?.?.?" as its version number for now.
- Later we can devise a way for CI to inject the version number
  for the server into the container image at release time,
  not at build time, since the version number is not known
  at build time.
- Pre-release builds of the binary from before the release stage or
  builds on developer workstation will also report "?.?.?" as its
  version number, which is fine since they are not official releases
  and shouldn't find their way to the public.
2020-09-28 09:58:02 -07:00
Andrew Keesler
d23ff1f5eb
Merge pull request #136 from ankeesler/pinniped-version-command
cmd/pinniped: add version command
2020-09-28 12:21:25 -04:00
Andrew Keesler
d6571671f6
cmd/pinniped: add version command
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-28 10:44:33 -04:00
Andrew Keesler
38e26d7a49
test/library: use client-go anonymous rest config helper
I saw this helper function the other day and wondered if we could use it.
It does indeed look like it does what we want, because when I run this code,
I get `...User "system:anonymous" cannot get resource...`.

  c := library.NewAnonymousPinnipedClientset(t)
  _, err := c.
    ConfigV1alpha1().
    CredentialIssuerConfigs("integration").
    Get(context.Background(), "pinniped-config", metav1.GetOptions{})
  t.Log(err)

I also ran a similar test using this new helper in the context of
library.NewClientsetWithCertAndKey(). Seemed to get us what we want.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-28 09:22:01 -04:00
Andrew Keesler
efe420b737 Add mention of how to work around MacOS download security in demo.md
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-25 12:56:45 -07:00
Matt Moyer
42e74a02e9
Merge pull request #134 from mattmoyer/refactor-test-params
Refactor integration test environment helpers to be more structured.
2020-09-25 10:04:37 -05:00
Matt Moyer
70480260dd
Remove support for loading test context from a Secret.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-25 09:37:17 -05:00
Ryan Richard
82f8094de7 Update documentation to use the deployment YAML files from the releases 2020-09-24 17:56:21 -07:00
Matt Moyer
434e3fe435
Refactor integration test environment helpers to be more structured.
This change replaces our previous test helpers for checking cluster capabilities and passing external test parameters. Prior to this change, we always used `$PINNIPED_*` environment variables and these variables were accessed throughout the test code.

The new code introduces a more strongly-typed `TestEnv` structure and helpers which load and expose the parameters. Tests can now call `env := library.IntegrationEnv(t)`, then access parameters such as `env.Namespace` or `env.TestUser.Token`. This should make this data dependency easier to manage and refactor in the future. In many ways this is just an extended version of the previous cluster capabilities YAML.

Tests can also check for cluster capabilities easily by using `env := library.IntegrationEnv(t).WithCapability(xyz)`.

The actual parameters are still loaded from OS environment variables by default (for compatibility), but the code now also tries to load the data from a Kubernetes Secret (`integration/pinniped-test-env` by default). I'm hoping this will be a more convenient way to pass data between various scripts than the local `/tmp` directory. I hope to remove the OS environment code in a future commit.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 18:03:45 -05:00
Andrew Keesler
b21b43c654
Fix expected CIC status message on non-hosted control planes 2020-09-24 17:56:55 -04:00
Andrew Keesler
9e0195e024
kubecertagent: use initial event for when key can't be found
This should fix integration tests running on clusters that don't have
visible controller manager pods (e.g., GKE). Pinniped should boot, not
find any controller manager pods, but still post a status in the CIC.

I also updated a test helper so that we could tell the difference
between when an event was not added and when an event was added with
an empty key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 16:54:20 -04:00
Andrew Keesler
d853cbc7ff
Plumb through ImagePullSecrets to agent pod
Right now in the YTT templates we assume that the agent pods are gonna use
the same image as the main Pinniped deployment, so we can use the same logic
for the image pull secrets.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 15:52:05 -04:00
Andrew Keesler
9ed52e6b4a
test/integration: declare some test helpers to fix line reporting
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:45 -04:00
Andrew Keesler
fab36c55f5
inernal/controller/kubecertagent: fix some godoc's
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 13:53:06 -04:00
Ryan Richard
409d10baf8
Merge pull request #122 from ankeesler/1-19-exec-strategy
Fix exec strategy for Kubernetes 1.19
2020-09-24 10:32:43 -07:00
Ryan Richard
ea762b405d Increase some integration test timeouts so they can pass when CI is slow 2020-09-24 10:20:51 -07:00
Ryan Richard
3ff605bb39 Merge branch 'main' into 1-19-exec-strategy 2020-09-24 10:12:54 -07:00
Ryan Richard
856971e452 Replace title in README.md with project logo 2020-09-24 10:09:50 -07:00
Ryan Richard
eaf2d9a185 Improve failure message in an integration test for better debugging
This seems to fail on CI when the Concourse workers get slow and
kind stops working reliably. It would be interesting to see the
error message in that case to figure out if there's anything we
could do to make the test more resilient.
2020-09-24 09:44:10 -07:00
Ryan Richard
3f06be2246 Remove kubecertauthority pkg
All of its functionality was refactored to move elsewhere or to not
be needed anymore by previous commits
2020-09-24 09:23:29 -07:00
Andrew Keesler
69137fb6b9 kube_config_info_publisher.go no longer watches cic's with an informer
Simplifies the implementation, makes it more consistent with other
updaters of the cic (CredentialIssuerConfig), and also retries on
update conflicts

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-24 09:19:57 -07:00
Ryan Richard
253d3bb36f Remove an accidentally committed it.Focus 2020-09-24 08:15:10 -07:00
Andrew Keesler
9f80b0ea00
Set CIC error statuses in kubecertagent annotater and creater
Also fix an instance where we were using an informer in a retry loop.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-24 10:40:50 -04:00
Matt Moyer
6f4cf705e5
Merge pull request #133 from mattmoyer/upgrade-to-kubernetes-1.19.2
Upgrade client-go et al from 1.19.0 to 1.19.2.
2020-09-24 09:35:38 -05:00
Matt Moyer
ec3e4cae68
Upgrade client-go, et al from 1.19.0 to 1.19.2.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-24 09:21:10 -05:00
Ryan Richard
381811b36f Refactor constructor params of the kubecertagent pkg's controllers
- Only inject things through the constructor that the controller
  will need
- Use pkg private constants when possible for things that are not
  actually configurable by the user
- Make the agent pod template private to the pkg
- Introduce a test helper to reduce some duplicated test code
- Remove some `it.Focus` lines that were accidentally committed, and
  repair the broken tests that they were hiding
2020-09-23 17:30:22 -07:00
Andrew Keesler
906a88f2d3
Set kube-cert-agent imagePullPolicy to IfNotPresent for CI
Maybe this will fix kind integration tests? It is what the main
Pinniped deployment does?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 14:15:59 -04:00
Andrew Keesler
0f8437bc3a
Integration tests are passing ayooooooooooooooo 2020-09-23 12:47:04 -04:00
Andrew Keesler
6d047c151f
Fix kubecertagent deleter test to reconcile on pod template fields
I think we want to reconcile on these pod template fields so that if
someone were to redeploy Pinniped with a new image for the agent, the
agent would get updated immediately. Before this change, the agent image
wouldn't get updated until the agent pod was deleted.
2020-09-23 11:30:13 -04:00
Andrew Keesler
9735122db9
Wire in kubecertagent.NewExecerController() to server
Also fill in a couple of low-hanging unit tests.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 11:01:41 -04:00
Andrew Keesler
4948e1702f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy 2020-09-23 09:54:45 -04:00
Andrew Keesler
406f2723ce
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer
This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic
CA keypair.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 09:53:21 -04:00
Andrew Keesler
6c555f94e3
internal/provider -> internal/dynamiccert
3 main reasons:
- The cert and key that we store in this object are not always used for TLS.
- The package name "provider" was a little too generic.
- dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:29:35 -04:00
Andrew Keesler
f8e872d1af
Please linter to get back to passing lint+unit-test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 08:02:04 -04:00
Andrew Keesler
3e45bfc97d
internal/controller/issuerconfig: Publisher -> KubeConfigInfoPublisher
The new symbol more specifically describes what the controller does.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:58:01 -04:00
Andrew Keesler
a55e9de4fc
Use existing clock test double to get kubecertagent units passing
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-23 07:50:45 -04:00
Ryan Richard
eb0d9a15fc WIP: start replacing the kubecertauthority pkg with a new controller
- Lots of TODOs added that need to be resolved to finish this WIP
- execer_test.go seems like it should be passing, but it fails (sigh)

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-22 17:45:20 -07:00
Matt Moyer
6063674623
Merge pull request #130 from mattmoyer/add-cla-doc
Add a section about our CLA.
2020-09-22 14:20:19 -05:00
Matt Moyer
d574fe05ba
Add a section about our CLA.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 14:15:14 -05:00
Matt Moyer
4369cc9ff2
Merge pull request #129 from mattmoyer/test-fixes
Test fixes and hardening
2020-09-22 13:33:40 -05:00
Matt Moyer
adf263b566
Harden some tests against slow IDP controllers using Eventually().
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 12:43:35 -05:00
Matt Moyer
4edda802e5
Avoid a bug where long test names overflow the max label length.
Annotations do not have this restriction, so we can put it there instead. This only currently occurs on clusters without the cluster signing capability (GKE).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-22 11:23:34 -05:00
Andrew Keesler
db9a97721f
Merge remote-tracking branch 'upstream/main' into 1-19-exec-strategy 2020-09-22 11:54:47 -04:00
Matt Moyer
3578d7cb9a
Merge pull request #128 from mattmoyer/add-idp-selector
Support multiple IDPs by adding IdentityProvider selector to TokenCredentialRequest spec.
2020-09-22 10:51:44 -05:00