Commit Graph

1221 Commits

Author SHA1 Message Date
Ryan Richard
67de7f5646 Further explain the webhook API in architecture.md 2020-09-15 16:18:48 -07:00
Ryan Richard
43c69ec339 Update the architecture diagram
- Also update the instructions for editing the documentation images
2020-09-15 16:07:09 -07:00
Ryan Richard
014fb518bc Change one usage of "external" back to "upstream" 2020-09-15 14:04:05 -07:00
Ryan Richard
321c6a5392 Merge remote-tracking branch 'origin/main' into arch-doc 2020-09-15 14:02:26 -07:00
Ryan Richard
db98f2810f
Merge pull request #98 from suzerain-io/get_kubeconfig_cli
Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
2020-09-15 13:34:14 -07:00
Andrew Keesler
062dfa3e75
Merge pull request #100 from ankeesler/adopters-doc
ADOPTERS.md: add initial draft
2020-09-15 16:20:35 -04:00
Matt Moyer
1244a950e7
Merge pull request #108 from mattmoyer/cleanup-credential-request-api
Clean up CredentialRequest `types.go`.
2020-09-15 15:03:07 -05:00
Matt Moyer
8df910361c
Clean up CredentialRequest types.go.
Mostly cleaned up and added doc strings, but also removed unneeded protobuf tags.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:30:12 -05:00
Matt Moyer
37da441e96
Merge pull request #107 from mattmoyer/tidy-go-modules
Tidy go.mod/go.sum.
2020-09-15 14:29:39 -05:00
Matt Moyer
6faf224e20
Merge pull request #105 from mattmoyer/extend-readiness-check
Wait for informers to sync before we pass readiness check.
2020-09-15 14:27:42 -05:00
Matt Moyer
92372d20a9
Tidy go.mod/go.sum.
I accidentally missed this in bbef017989 and it's not currently part of our CI linting.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:14:44 -05:00
Matt Moyer
12f0997193
Wait for informers to sync before we pass readiness check.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 14:14:25 -05:00
Matt Moyer
e428877473
Merge pull request #106 from mattmoyer/fix-webhook-base64-encoding
Fix base64 encoding style in webhookcachefiller.
2020-09-15 14:12:02 -05:00
Ryan Richard
cecd691a84 Add demo instructions
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 12:10:20 -07:00
Matt Moyer
1c7b3c3072
Fix base64 encoding style in webhookcachefiller.
This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 13:54:19 -05:00
Matt Moyer
b1ea04b036
Merge pull request #83 from mattmoyer/add-idp-config-crd
Implement the initial version of a WebhookIdentityProvider CRD.
2020-09-15 12:53:31 -05:00
Andrew Keesler
36a66f4e8b
Merge pull request #104 from ankeesler/maintainers-doc
MAINTAINERS.md: add initial draft
2020-09-15 13:31:15 -04:00
Matt Moyer
b39160e4c4
Add some log output to TestCredentialIssuerConfig for troubleshooting.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:15:42 -05:00
Andrew Keesler
a22b414b58
MAINTAINERS.md: add initial draft
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 13:14:50 -04:00
Matt Moyer
8de046a561
Remove static webhook config options.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:34 -05:00
Matt Moyer
f7c9ae8ba3
Validate tokens using the new dynamic IDP cache instead of the static config.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:34 -05:00
Matt Moyer
75ea0f48d9
Add a controller to clean up stale entries in the idpcache.Cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
acfc5acfb2
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
6506a82b19
Add a cache of active IDPs, which implements authenticator.Token.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
66f4e62c6c
Add internal/mocks/mocktokenauthenticator generated mocks.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
80a23bd2fd
Rename "Webhook" to "TokenAuthenticator" in our REST handler and callers.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
2bdbac3e15
Move the ytt webhook config out into the CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
5b9f2ec9fc
Give our controller access to all our CRD types.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:33 -05:00
Matt Moyer
fc220d5f79
Remove kubectl dry-run verify for now.
The dry-run fails now because we are trying to install a CRD and a custom resource (of that CRD type) in the same step.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 12:02:32 -05:00
Matt Moyer
3344b5b86a
Expect the WebhookIdentityProvider CRD to be installed.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:24 -05:00
Matt Moyer
557fd0df26
Define the WebhookIdentityProvider CRD.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Matt Moyer
9bb3d4ef28
Add .gitattributes as a hint to the GitHub diff viewer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-15 11:44:23 -05:00
Ryan Richard
4ced58b5b7 Add help/usage units for CLI exchange-credential subcommand 2020-09-15 09:05:40 -07:00
Andrew Keesler
831df90c93
test/integration: add integration test for pinniped cli 2020-09-15 11:00:38 -04:00
Andrew Keesler
82ef9e4806
cmd/pinniped/cmd: fix some linting errors
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 11:00:00 -04:00
Andrew Keesler
879d847ffb
cmd/pinniped/cmd: add get-kubeconfig cli tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-15 10:04:25 -04:00
Ryan Richard
4379d2772c CLI get-kubeconfig command reads kubeconfig and CredentialIssuerConfig 2020-09-14 19:07:18 -07:00
Matt Moyer
21187bc28a
Merge pull request #103 from mattmoyer/add-controller-utils
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
2020-09-14 13:59:32 -05:00
aram price
9bad0d52f7
Merge pull request #102 from mattmoyer/prefactor-test-helpers
Prefactor some test helpers prior to the IDP CRD PR.
2020-09-14 11:38:05 -07:00
Matt Moyer
92fabf43b3
Add new controller.SimpleFilter and controller.NoOpFilter utilities.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:25:16 -05:00
Matt Moyer
7d8c28a9dc
Extract testutil.TLSTestServer so it can be reused elsewhere.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:23:12 -05:00
Matt Moyer
bbef017989
Add a testlogger util package for testing go-logr.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-09-14 13:23:06 -05:00
Andrew Keesler
7515af639a
ADOPTERS.md: add initial draft
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-14 10:46:05 -04:00
Andrew Keesler
39b66086cc
doc/architecture.md: first draft
I tried to follow the following principles.
- Use existing wordsmithing.
- Only document things that we support today.
- Grab our README.md reader's attention using a picture.
- Use "upstream" when referring to OSS and "external" when referring to
  IDP integrations.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-14 09:54:28 -04:00
Ryan Richard
872330bee9 Require newer version of kubectl in prepare-for-integration-tests.sh
- Using the dry run option requires version 1.18+
2020-09-13 10:22:27 -07:00
Ryan Richard
2cdc3defb7 Use here.Doc() in a few more places that were begging for it 2020-09-11 18:15:24 -07:00
Ryan Richard
da7c981f14 Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand
- Add flag parsing and help messages for root command,
  `exchange-credential` subcommand, and new `get-kubeconfig` subcommand
- The new `get-kubeconfig` subcommand is a work in progress in this
  commit
- Also add here.Doc() and here.Docf() to enable nice heredocs in
  our code
2020-09-11 17:56:05 -07:00
Andrew Keesler
19c671a60a
cmd/local-user-authenticator: go back to use TokenReview structs
So I looked into other TokenReview webhook implementations, and most
of them just use the json stdlib package to unmarshal/marshal
TokenReview payloads. I'd say let's follow that pattern, even though
it leads to extra fields in the JSON payload (these are not harmful).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:12:43 -04:00
Andrew Keesler
17d40b7a73
cmd/local-user-authenticator: protect against nil-body
I saw this while reading other TokenReview code.
2020-09-11 16:11:42 -04:00
Andrew Keesler
4e40c0320e
cmd/local-user-authenticator: use v1beta1 everywhere
See 63f5416b2 for a previous time where we decided to use the v1beta1
TokenReview API.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 16:11:42 -04:00