Commit Graph

102 Commits

Author SHA1 Message Date
Benjamin A. Petersen
f521917b5e
adjust were to call post-install script 2023-10-10 17:22:37 -04:00
Benjamin A. Petersen
4b5e869a5e
webhook_ca_bundle moved in hack script 2023-10-10 16:25:37 -04:00
Benjamin A. Petersen
231870582e
cleanup local registry in kind-down.sh 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
740463bba7
add vars back to prepare-for-integration-tests script 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
cb6d299156
Fix prepare-for-integration-tests.sh with carvel packages 2023-10-10 16:25:36 -04:00
Benjamin A. Petersen
0f0d9927c0
WIP: carvel package-repository & package files, package-install in scripts 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
530ce433ac
add --post-install to hack/prepare-for-integration-tests.sh 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
7950dc4cdb
Add hack script to build openapi-v3 files 2023-10-10 16:25:35 -04:00
Benjamin A. Petersen
0ce54bb2f3
add kind-registry.local:5000 to kind cluster
- update kind config to include local registry
- configure kind cluster to talk to local registry
- docker build & push pinniped dev code to local registry
- deploy dev code of the following via the local registry:
  - concierge
  - supervisor
  - local-user-authenticator
2023-10-10 16:23:59 -04:00
Ryan Richard
0ab6311cf5 Optionally use Contour in hack/prepare-supervisor-on-kind.sh
Using Contour for ingress allows us to avoid using the hacky proxy
server approach. This makes it easy to use any web browser to complete
the login process, since there is no need to configure the proxy server
for the browser.
2023-09-27 12:32:49 -07:00
Benjamin A. Petersen
fd1936c45f
Improve hack/prepare-for-integration-tests.sh flexibility
- move pushd/popd inside if statements for alternative-deploy methods
- add specific alternative-deploy vars for individual components
  - supervisor
  - concierge
  - local-user-authenticator
  while preserving the current alternative-deploy for all three
- doc that equals for flags does not work
  --foo=bar is invalid
  --foo bar is valid
2023-08-31 15:02:24 -04:00
Joshua Casey
23bd3e7cc9 Do not fail hack/prepare-for-integration-tests.sh without KUBE_GIT_VERSION 2023-08-29 19:58:23 -05:00
Joshua Casey
7cda8f4123 Do not fail when KUBE_GIT_VERSION is not set 2023-08-29 17:31:22 -05:00
Joshua Casey
76933f69b9 Update comments to indicate support for newer versions of Kubernetes 2023-08-29 15:40:52 -05:00
Joshua Casey
38230fc518 Use pversion to retrieve buildtime information 2023-08-28 11:54:27 -05:00
Ryan Richard
4512eeca9a Replace agouti and chromedriver with chromedp across the whole project 2023-08-01 11:27:09 -07:00
Ryan Richard
552eceabdb Add integration test for UserAttributeForFilter group search setting
Also adds new integration test env var to support the new test:
PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN
2023-05-31 10:29:44 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Ryan Richard
9ebf3a5b92
Merge branch 'main' into main 2022-04-13 08:41:04 -07:00
Víctor Martínez Bevià
dc24397df4 Use vmware-tanzu/carvel instead of the deprecated k14/tap to install deps with brew 2022-04-05 16:43:22 +02:00
Ryan Richard
ae7aac020a Merge branch 'main' into disable_http 2022-03-30 11:30:32 -07:00
Margo Crawford
53597bb824 Introduce FIPS compatibility
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
488f08dd6e Provide a way to override the new HTTP loopback-only validation
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Mo Khan
61c8d54527
Fix typo in concierge deploy step 2022-03-10 09:08:40 -05:00
Jason van Zyl
0ea10c77c7 Consolidate declaration of variables 2022-02-25 11:26:53 -05:00
Jason van Zyl
782157e1df Remove debug output 2022-02-25 06:25:20 -05:00
Jason van Zyl
1e3f3555a4 Add line in help output for --alternate-deploy 2022-02-25 06:22:25 -05:00
Jason van Zyl
6491742c3a Minimal changes to allow an alternate deployment mechanism
The purpose of this change is to allow Helm to be used to deploy Pinniped
into the local KinD cluster for the local integration tests. That said,
the change allows any alternate deployment mechanism, I just happen
to be using it with Helm.

All default behavior is preserved. This won't change how anyone uses the
script today, it just allows me not to copy/paste the whole setup for the
integration tests.

Changes:

1) An option called `--alternate-deploy <path-to-deploy-script>` has been
added, that when enabled calls the specified script instead of using ytt
and kapp. The alternate deploy script is called with the app to deploy
and the tag of the docker image to use. We set the default value of
the alternate_deploy variable to undefined, and there is a check that
tests if the alternate deploy is defined. For the superivsor it looks
like this:

```
if [ "$alternate_deploy" != "undefined" ]; then
  log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
  $alternate_deploy pinniped-supervisor $tag
else
  normal ytt/kapp deploy
fi
```

2) Additional log_note entries have been added to enumerate all values passed
into the ytt/kapp deploy. Used while I was trying to reach parity in the integration
tests, but I think they are useful for debugging.

3) The manifests produced by ytt and written to /tmp are now named individually.
This is so an easy comparison can be made between manifests produced by a ytt/kapp
run of integration tests and manifests produced by helm run of the integration tests.
If something is not working I have been comparing the manifests after these runs to
find differences.
2022-02-20 10:15:29 -05:00
Ryan Richard
b0c36c6633 Fix int test that was failing on MacOS, and some small doc changes 2022-02-15 11:19:49 -08:00
Monis Khan
1e1789f6d1
Allow configuration of supervisor endpoints
This change allows configuration of the http and https listeners
used by the supervisor.

TCP (IPv4 and IPv6 with any interface and port) and Unix domain
socket based listeners are supported.  Listeners may also be
disabled.

Binding the http listener to TCP addresses other than 127.0.0.1 or
::1 is deprecated.

The deployment now uses https health checks.  The supervisor is
always able to complete a TLS connection with the use of a bootstrap
certificate that is signed by an in-memory certificate authority.

To support sidecar containers used by service meshes, Unix domain
socket based listeners include ACLs that allow writes to the socket
file from any runAsUser specified in the pod's containers.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-18 17:43:45 -05:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Margo Crawford
6c47c3327a Add hint to hack/prepare-for-integration-tests.sh
I keep forgetting the name of the --get-active-directory-vars flag.
2021-10-26 16:25:34 -07:00
Ryan Richard
7ec0304472 Add offline_access scope for integration tests when using Dex 2021-10-19 12:25:51 -07:00
Matt Moyer
c7a8c429ed
Add a dry-run 'kubectl apply' in prepare-for-integration-tests.sh so we can be sure that our manifests pass API validation.
We had this for some components, but not the ones that mattered the most.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:55:28 -05:00
Margo Crawford
2d32e0fa7d Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-26 16:21:08 -07:00
Ryan Richard
d20cab10b9 Replace one-off usages of busybox and debian images in integration tests
Those images that are pulled from Dockerhub will cause pull failures
on some test clusters due to Dockerhub rate limiting.

Because we already have some images that we use for testing, and
because those images are already pre-loaded onto our CI clusters
to make the tests faster, use one of those images and always specify
PullIfNotPresent to avoid pulling the image again during the integration
test.
2021-08-25 15:12:07 -07:00
Margo Crawford
cc3875f048 PR feedback 2021-07-26 16:03:12 -07:00
Margo Crawford
8ea1bd3dfb Make prepare-for-integration-tests active directory setup accessible for anyone 2021-07-23 13:01:41 -07:00
Margo Crawford
91085e68f9 Refactoring defaulting logic 2021-07-23 13:01:41 -07:00
Margo Crawford
b3d0b28bd0 Integration test fixes, fixing objectGUID handling 2021-07-23 13:01:40 -07:00
Margo Crawford
5c283d941c Helper script for running active directory tests 2021-07-23 13:01:40 -07:00
Ryan Richard
8b549f66d4 Add integration test for LDAP StartTLS 2021-05-20 13:39:48 -07:00
Ryan Richard
67a568811a Make prepare-for-integration-tests.sh work on linux too
- The linux base64 command is different, so avoid using it at all.
  On linux the default is to split the output into multiple lines,
  which messes up the integration-test-env file. The flag used to
  disable this behavior on linux ("-w0") does not exist on MacOS's
  base64.
- On debian linux, the latest version of Docker from apt-get still
  requires DOCKER_BUILDKIT=1 or else it barfs.
2021-04-27 10:10:02 -07:00
Ryan Richard
f63ded99bc Add a flag for skipping chromedriver version check to hack script 2021-04-15 10:27:00 -07:00
Ryan Richard
923938ab26 Avoid multi-line integration test env vars
Avoid them because they can't be used in GoLand for running integration
tests in the UI, like running in the debugger.

Also adds optional PINNIPED_TEST_TOOLS_NAMESPACE because we need it
on the LDAP feature branch where we are developing the upcoming LDAP
support for the Supervisor.
2021-04-14 17:26:12 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Ryan Richard
7bb5657c4d Add hack/prepare-supervisor-on-kind.sh
A demo of running the Supervisor and Concierge on
a kind cluster. Can be used to quickly set up an
environment for manual testing.

Also added some missing copyright headers to other
hack scripts.
2021-03-31 11:39:10 -07:00
Margo Crawford
cd6e48bfa8 Use a random password for the dex integration test user
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 15:12:17 -07:00
Ryan Richard
75cfda0ffe prepare-for-integration-tests.sh: Check Chrome and chromedriver versions
They usually need to match, or at least be close, so added some
code to help us remember to do that.
2021-03-22 16:54:22 -07:00
Andrew Keesler
28d00ce67b
Merge remote-tracking branch 'upstream/main' into impersonation-proxy 2021-03-18 20:13:49 -04:00