Commit Graph

1780 Commits

Author SHA1 Message Date
Ryan Richard
9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
2020-10-28 17:15:11 -07:00
Ryan Richard
059b6e885f Allow ytt templating of the loadBalancerIP for the supervisor 2020-10-28 16:45:23 -07:00
Ryan Richard
4af508981a Make default TLS secret name from app name in supervisor_discovery_test.go 2020-10-28 16:11:19 -07:00
Ryan Richard
a007fc3bd3 Form paths correctly when the path arg is empty in supervisor_discovery_test.go 2020-10-28 15:22:53 -07:00
Ryan Richard
c52874250a Fix a mistake in supervisor_discovery_test.go
- Should not fail when the default TLS cert does not exist in the
  test cluster before the test started
2020-10-28 14:25:01 -07:00
Ryan Richard
01dddd3cae Add some docs for configuring supervisor TLS
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 13:42:02 -07:00
Andrew Keesler
bd04570e51 supervisor_discovery_test.go tests hostnames are treated as case-insensitive
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 13:09:20 -07:00
Ryan Richard
8ff64d4c1a Require https scheme for OIDCProviderConfig Issuer field
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Andrew Keesler
2542a8e175 Stash and restore any pre-existing default TLS cert in supervisor_discovery_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 12:32:21 -07:00
Ryan Richard
29e0ce5662 Configure name of the supervisor default TLS cert secret via ConfigMap
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
978ecda758 Test SNI & default certs being used at the same time in integration test 2020-10-28 08:58:50 -07:00
Ryan Richard
170d3a3993 Forgot to commit some test fixtures in a prior commit 2020-10-27 17:00:00 -07:00
Ryan Richard
2777c4e9f3 Update prepare-for-integration-tests.sh to use ./hack/kind-{up,down}.sh 2020-10-27 16:56:53 -07:00
Ryan Richard
38802c2184 Add a way to set a default supervisor TLS cert for when SNI won't work
- Setting a Secret in the supervisor's namespace with a special name
  will cause it to get picked up and served as the supervisor's TLS
  cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
  issuer and the user will be accessing it via IP address. This
  is not how we would expect it to be used in production, but it
  might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
  Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 16:33:08 -07:00
Andrew Keesler
7bce16737b
Get rid of WIP workflow
See d5dd65c, 45189e3, 96c4661. I pushed to the wrong remote...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:39:19 -04:00
Andrew Keesler
96c4661a25
Fix unit-tests workflow YAML.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:26:11 -04:00
Andrew Keesler
45189e3e2b
No way this windows-unit-tests workflow works.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:20:12 -04:00
Andrew Keesler
d5dd65cfe8
So...does this macos-unit-tests workflow work?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:00:54 -04:00
Ryan Richard
1f1b6c884e Add integration test: supervisor TLS termination and SNI virtual hosting
- Also reduce the minimum allowed TLS version to v1.2, because v1.3
  is not yet supported by some common clients, e.g. the default MacOS
  curl command
2020-10-27 14:57:25 -07:00
Ryan Richard
eeb110761e Rename secretName to SNICertificateSecretName in OIDCProviderConfig 2020-10-26 17:25:45 -07:00
Ryan Richard
8b7c30cfbd Supervisor listens for HTTPS on port 443 with configurable TLS certs
- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
2020-10-26 17:03:26 -07:00
Matt Moyer
7880f7ea41
Merge pull request #171 from danjahner/main
Rename logo file
2020-10-26 17:20:36 -05:00
Dan Jahner
13ccb07fe4
Rename logo file 2020-10-26 15:06:04 -07:00
Matt Moyer
6c092deba5
Merge pull request #169 from mattmoyer/promote-login-command
Promote the `pinniped login` command out of alpha.
2020-10-23 19:48:44 -05:00
Ryan Richard
25a91019c2 Add spec.secretName to OPC and handle case-insensitive hostnames
- When two different Issuers have the same host (i.e. they differ
  only by path) then they must have the same secretName. This is because
  it wouldn't make sense for there to be two different TLS certificates
  for one host. Find any that do not have the same secret name to
  put an error status on them and to avoid serving OIDC endpoints for
  them. The host comparison is case-insensitive.
- Issuer hostnames should be treated as case-insensitive, because
  DNS hostnames are case-insensitive. So https://me.com and
  https://mE.cOm are duplicate issuers. However, paths are
  case-sensitive, so https://me.com/A and https://me.com/a are
  different issuers. Fixed this in the issuer validations and in the
  OIDC Manager's request router logic.
2020-10-23 16:25:44 -07:00
Matt Moyer
7615667b9b
Update TestCLILoginOIDC to use new non-alpha login command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:42 -05:00
Matt Moyer
0948457521
Promote the pinniped login command out of alpha.
This was hidden behind a `pinniped alpha` hidden subcommand, but we're comfortable enough with the CLI flag interface now to promote it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:41 -05:00
Andrew Keesler
110c72a5d4
dynamiccertauthority: fix cert expiration test failure
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-23 15:34:25 -04:00
Andrew Keesler
f928ef4752 Also mention using a service mesh is an option for supervisor ingress
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-23 10:23:17 -07:00
Ryan Richard
eafdef7b11 Add docs for creating an Ingress for the Supervisor
Note that some of these new docs mention things that will not be
implemented until we finish the next story.
2020-10-22 16:57:50 -07:00
Matt Moyer
4c844ba334
Merge pull request #168 from mattmoyer/cli-session-refresh
Add support for refresh token flow in OIDC CLI client.
2020-10-22 18:13:42 -05:00
Matt Moyer
07001e5ee3
Extend TestCLILoginOIDC to test refresh flow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Matt Moyer
3508a28369
Implement refresh flow in ./internal/oidcclient package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Ryan Richard
397ec61e57 Specify the supervisor NodePort Service's port and nodePort separately
When using kind we forward the node's port to the host, so we only
really care about the `nodePort` value. For acceptance clusters,
we put an Ingress in front of a NodePort Service, so we only really
care about the `port` value.
2020-10-22 15:37:35 -07:00
Ryan Richard
8ae04605ca
Add comments for magic 31234 port
Also delete hack/lib/kind-config/multi-node.yaml since we don't think we will
use it...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-22 17:54:35 -04:00
Matt Moyer
8772a00824
Merge pull request #167 from mattmoyer/fix-accidental-timeout-regression
Fix a timeout in TestCLILoginOIDC that was accidentally shortened.
2020-10-22 12:24:49 -05:00
Matt Moyer
ce598eb58e
Fix a timeout in TestCLILoginOIDC that was accidentally shortened in 0adbb5234e.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 11:49:04 -05:00
Matt Moyer
4b24e9c625
Merge pull request #166 from mattmoyer/add-cli-test-debug-output
Add some verbose logging to TestCLILoginOIDC.
2020-10-22 11:17:18 -05:00
Matt Moyer
fe3b44b134
Add some verbose logging to TestCLILoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 10:33:37 -05:00
Ryan Richard
122f7cffdb Make the supervisor healthz endpoint public
Based on our experiences today with GKE, it will be easier for our users
to configure Ingress health checks if the healthz endpoint is available
on the same public port as the OIDC endpoints.

Also add an integration test for the healthz endpoint now that it is
public.

Also add the optional `containers[].ports.containerPort` to the
supervisor Deployment because the GKE docs say that GKE will look
at that field while inferring how to invoke the health endpoint. See
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc
2020-10-21 15:24:58 -07:00
Matt Moyer
5dbc03efe9
Merge pull request #165 from mattmoyer/cli-session-cache
Add basic file-based session cache for CLI OIDC client.
2020-10-21 16:30:03 -05:00
Matt Moyer
0adbb5234e
Extend TestCLILoginOIDC to test ID token caching behavior.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 15:02:42 -05:00
Matt Moyer
e919ef6582
Add a file-based session cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 14:28:05 -05:00
Andrew Keesler
fa5f653de6 Implement readinessProbe and livenessProbe for supervisor
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-21 11:51:31 -07:00
Matt Moyer
e8113e3770
Add basic caching framework to ./internal/oidclient package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:14:16 -05:00
Matt Moyer
7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient. 2020-10-21 13:07:21 -05:00
Matt Moyer
4ef41f969d
Add a util helper for marking a CLI flag as hidden.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:07:21 -05:00
Andrew Keesler
3e39800005
Merge pull request #164 from vmware-tanzu/virtual-hosts
Virtual hosts integration test
2020-10-21 09:16:59 -04:00
Ryan Richard
52ebd77527 Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests
- Not used by any of our integration test clusters yet
- Planning to use it later for the kind clusters and maybe for
  the acceptance clusters too (although the acceptance clusters might
  not need to use self-signed certs so maybe not)
2020-10-20 16:46:33 -07:00
Ryan Richard
ec21fc8595 Also delete the final OIDCProviderConfig made by an integration test
- It didn't matter before because it would be cleaned up by a
  t.Cleanup() function, but now that we might loop twice it will matter
  during the second time through the loop
2020-10-20 15:59:25 -07:00