Mo Khan
b8fb37b9f6
Merge pull request #233 from enj/enj/i/tmp_disable_max_flight
...
Temporarily disable max inflight checks for mutating requests
2020-11-19 22:51:03 -05:00
Monis Khan
4a28d1f800
Temporarily disable max inflight checks for mutating requests
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 21:21:10 -05:00
Mo Khan
20b62b8841
Merge pull request #231 from enj/enj/f/fosite_kube_storage
...
Add kube based storage for use with fosite
2020-11-19 15:34:55 -05:00
Monis Khan
86865d155a
Switch fuzzing test to UTC
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742
Add authorization code storage
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077
Add generic Kube API based CRUD storage
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 13:18:02 -05:00
Mo Khan
3bc5952f7e
Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty
...
Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.
2020-11-18 20:10:55 -05:00
Matt Moyer
7520dadbdd
Use omitempty
on UpstreamOIDCProvider spec.authorizationConfig
field.
...
This allows you to omit the field in creation requests, which was annoying.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-18 17:14:35 -06:00
Mo Khan
8a4be431f6
Merge pull request #230 from vmware-tanzu/scc
...
Add nonroot SCC to work on OpenShift clusters
2020-11-18 17:46:01 -05:00
Mo Khan
c32e452db8
Add nonroot SCC to work on OpenShift clusters
2020-11-18 17:08:45 -05:00
Ryan Richard
24bd8b2e42
Merge pull request #226 from absoludity/fix-getting-started4
...
Fix demo.md and update default namespace for pinniped concierge.
2020-11-18 13:39:04 -08:00
Ryan Richard
c83cec341b
Merge branch 'main' into fix-getting-started4
2020-11-17 15:02:36 -08:00
Matt Moyer
7404ee4531
Merge pull request #224 from mattmoyer/make-oidcclient-public
...
Move `./internal/oidcclient` to `./pkg/oidcclient`.
2020-11-17 15:13:50 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient
to ./pkg/oidcclient
.
...
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
428b9f2758
Merge pull request #223 from mattmoyer/refactor-cert-gen
...
Refactor certificate generation for integration test Dex.
2020-11-17 12:45:20 -06:00
Matt Moyer
0d1ad6e1df
Fix some broken resource grouping/ordering in Tiltfile.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 12:21:15 -06:00
Matt Moyer
6ce2f109bf
Refactor certificate generation for integration test Dex.
...
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.
Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 11:36:36 -06:00
Matt Moyer
3b9fb71dd1
Merge pull request #222 from mattmoyer/readd-supervisor-login-tests
...
Re-add the TestSupervisorLogin integration test.
2020-11-17 11:16:01 -06:00
Matt Moyer
d6d808d185
Re-add the TestSupervisorLogin integration test.
...
This is 99% Andrew's code from 4032ed32ae
, but tweaked to work with the new UpstreamOIDCProvider setup.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 09:21:17 -06:00
Matt Moyer
b75a6cdb76
Merge pull request #221 from mattmoyer/use-https-dex
...
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8
Add controller support for spec.tls field.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9
Add spec.tls
field to UpstreamOIDCProvider API.
...
This allows for a custom CA bundle to be used when connecting to the upstream issuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00
Matt Moyer
e7ecfd3954
Merge pull request #219 from mattmoyer/add-test-proxy
...
Convert CLI tests to work through an HTTP forward proxy.
2020-11-16 17:48:16 -06:00
Matt Moyer
c8b17978a9
Convert CLI tests to work through an HTTP forward proxy.
...
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex `) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 17:16:58 -06:00
Matt Moyer
a4733025ce
Merge pull request #220 from jonasrosland/fix-landing-text
...
Fix landing page use cases
2020-11-16 16:36:44 -06:00
jonasrosland
332ed8e50b
Fix landing page use cases
...
Signed-off-by: jonasrosland <jrosland@vmware.com>
2020-11-16 12:00:06 -05:00
Michael Nelson
57a2dc9fc1
Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml
2020-11-16 11:05:53 +11:00
Michael Nelson
9bb9402e89
Updated doc/demo.md with required namespace
2020-11-16 11:05:53 +11:00
Matt Moyer
84b61fac88
Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider
...
Fix some issues in the UpstreamOIDCProvider CRD and controller
2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495
Mask the raw error messages from go-oidc, since they are dangerous.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0
Make more fields in UpstreamOIDCProvider optional.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62
Merge pull request #213 from mattmoyer/more-categories
...
Add our TokenCredentialRequest to the "pinniped" API category as well.
2020-11-13 15:51:42 -05:00
Mo Khan
47d216caae
Merge pull request #209 from alexbrand/doc-fixes
...
Fix broken links in the project's website
2020-11-13 15:51:13 -05:00
Alexander Brand
406d6b5544
docs/scope.md: Fix link to contrib guide
...
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
2020-11-13 15:25:01 -05:00
Matt Moyer
ab87977c08
Put our TokenCredentialRequest API into the "pinniped" category.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e
Merge pull request #212 from enj/enj/i/restore_cert_ttl
...
Reduce client cert TTL back to 5 mins
2020-11-13 14:11:44 -06:00
Matt Moyer
785a1d14fb
Merge pull request #199 from mattmoyer/add-oidc-upstream-crd
...
Add UpstreamOIDCProvider API and initial controller.
2020-11-13 13:01:13 -06:00
Matt Moyer
d68a4b85f4
Add integration tests for UpstreamOIDCProvider status.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Matt Moyer
cbd71df574
Add "upstream-watcher" controller to supervisor.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0
Reduce client cert TTL back to 5 mins
...
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-13 13:30:02 -05:00
Matt Moyer
2e7d869ccc
Add generated API/client code for new UpstreamOIDCProvider CRD.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:50 -06:00
Matt Moyer
bac3c19bec
Add UpstreamOIDCProvider API type definition.
...
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135 .
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-13 11:38:49 -06:00
Alexander Brand
271640b66d
docs/architecture.md: Fix broken link
2020-11-13 09:17:47 -05:00
Alexander Brand
6b0d4184d5
docs/architecture.md: Fix broken link
2020-11-13 09:15:46 -05:00
Ryan Richard
d351ef430c
Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie
...
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
2020-11-12 16:26:01 -08:00
Matt Moyer
e6f128e2a7
Merge pull request #205 from mattmoyer/more-careful-categories
...
Put all of our APIs into a "pinniped" category, and never use "all".
2020-11-12 17:37:20 -06:00
Andrew Keesler
080bb594b2
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
...
- To better support having multiple downstream providers configured,
the authorize endpoint will share a CSRF cookie between all
downstream providers' authorize endpoints. The first time a
user's browser hits the authorize endpoint of any downstream
provider, that endpoint will set the cookie. Then if the user
starts an authorize flow with that same downstream provider or with
any other downstream provider which shares the same domain name
(i.e. differentiated by issuer path), then the same cookie will be
submitted and respected.
- Just in case we are sharing the domain name with some other app,
we sign the value of any new CSRF cookie and check the signature
when we receive the cookie. This wasn't strictly necessary since
we probably won't share a domain name with other apps, but it
wasn't hard to add this cookie signing.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00