Commit Graph

3410 Commits

Author SHA1 Message Date
anjalitelang
454b792afb
Update ROADMAP.md
Changing the roadmap based on current priorities.
2021-09-16 08:46:03 -04:00
Ryan Richard
cb4085bfd9
Merge pull request #840 from vmware-tanzu/mod_tidy
ran `go mod tidy`
2021-09-15 14:47:22 -07:00
Ryan Richard
9b0dc92025
Merge branch 'main' into mod_tidy 2021-09-15 14:47:12 -07:00
Ryan Richard
7859a7b5c2
Merge pull request #839 from vmware-tanzu/deployment_selectors
Improve the selectors of Deployments and Services
2021-09-15 14:46:31 -07:00
Ryan Richard
bdcf468e52 Add log statement for when kube cert agent key has been loaded
Because it makes things easier to debug on a real cluster
2021-09-15 14:02:46 -07:00
Monis Khan
efaca05999
prevent kapp from altering the selector of our services
This makes it so that our service selector will match exactly the
YAML we specify instead of including an extra "kapp.k14s.io/app" key.
This will take us closer to the standard kubectl behavior which is
desirable since we want to avoid future bugs that only manifest when
kapp is not used.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-15 16:08:49 -04:00
Monis Khan
316e6171d4
Enable aggregator routing on kind clusters
This should make it easier for us to to notice if something is wrong
with our service (especially in any future kubectl tests we add).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-15 15:09:15 -04:00
Ryan Richard
04544b3d3c Update TestKubeCertAgent to use new "v3" label value 2021-09-15 11:09:07 -07:00
Ryan Richard
85102b0118 ran go mod tidy 2021-09-15 09:21:46 -07:00
Ryan Richard
55de160551 Bump the version number of the kube cert agent label
Not required, but within the spirit of using the version number.
Since the existing kube cert agent deployment will get deleted anyway
during an upgrade, it shouldn't hurt to change the version number.
New installations will get the new version number on the new kube cert
agent deployment.
2021-09-14 15:27:15 -07:00
Ryan Richard
cec9f3c4d7 Improve the selectors of Deployments and Services
Fixes #801. The solution is complicated by the fact that the Selector
field of Deployments is immutable. It would have been easy to just
make the Selectors of the main Concierge Deployment, the Kube cert agent
Deployment, and the various Services use more specific labels, but
that would break upgrades. Instead, we make the Pod template labels and
the Service selectors more specific, because those not immutable, and
then handle the Deployment selectors in a special way.

For the main Concierge and Supervisor Deployments, we cannot change
their selectors, so they remain "app: app_name", and we make other
changes to ensure that only the intended pods are selected. We keep the
original "app" label on those pods and remove the "app" label from the
pods of the Kube cert agent Deployment. By removing it from the Kube
cert agent pods, there is no longer any chance that they will
accidentally get selected by the main Concierge Deployment.

For the Kube cert agent Deployment, we can change the immutable selector
by deleting and recreating the Deployment. The new selector uses only
the unique label that has always been applied to the pods of that
deployment. Upon recreation, these pods no longer have the "app" label,
so they will not be selected by the main Concierge Deployment's
selector.

The selector of all Services have been updated to use new labels to
more specifically target the intended pods. For the Concierge Services,
this will prevent them from accidentally including the Kube cert agent
pods. For the Supervisor Services, we follow the same convention just
to be consistent and to help future-proof the Supervisor app in case it
ever has a second Deployment added to it.

The selector of the auto-created impersonation proxy Service was
also previously using the "app" label. There is no change to this
Service because that label will now select the correct pods, since
the Kube cert agent pods no longer have that label. It would be possible
to update that selector to use the new more specific label, but then we
would need to invent a way to pass that label into the controller, so
it seemed like more work than was justified.
2021-09-14 13:35:10 -07:00
Ryan Richard
16f562e81c
Merge pull request #838 from vmware-tanzu/dependabot/docker/golang-1.17.1
Bump golang from 1.17.0 to 1.17.1
2021-09-13 14:30:15 -07:00
dependabot[bot]
92ccc0ec84
Bump golang from 1.17.0 to 1.17.1
Bumps golang from 1.17.0 to 1.17.1.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-13 01:13:32 +00:00
Margo Crawford
74175f2518
Merge pull request #836 from vmware-tanzu/search-base-caching
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-10 11:42:03 -07:00
Margo Crawford
0a1ee9e37c Remove unused functions 2021-09-08 10:34:42 -07:00
Margo Crawford
05f5bac405 ValidatedSettings is all or nothing
If either the search base or the tls settings is invalid, just
recheck everything.
2021-09-07 13:09:35 -07:00
Margo Crawford
0195894a50 Test fix for ldap upstream watcher 2021-09-07 13:09:35 -07:00
Margo Crawford
27c1d2144a Make sure search base in the validatedSettings cache is properly updated when the bind secret changes 2021-09-07 13:09:35 -07:00
Matt Moyer
88aba645b8
Merge pull request #837 from mattmoyer/so-long-and-thanks-for-all-the-fish
So long and thanks for all the fish 🦭
2021-09-03 10:49:35 -07:00
Matt Moyer
402c213183
So long and thanks for all the fish 🦭
Today is my last day working full time on Pinniped (for now). This change removes me from the MAINTAINERS.md and the website.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-03 12:38:53 -05:00
Mo Khan
17acc7caa6
Merge pull request #834 from anjaltelang/main
Add release note reference in the v0.11.0 Blog Post
2021-09-02 19:16:08 -04:00
Matt Moyer
6b7a230ca5
Merge pull request #835 from mattmoyer/fix-readonly-fields
Fix broken "read only" fields added in v0.11.0.
2021-09-02 15:23:26 -07:00
Matt Moyer
c7a8c429ed
Add a dry-run 'kubectl apply' in prepare-for-integration-tests.sh so we can be sure that our manifests pass API validation.
We had this for some components, but not the ones that mattered the most.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:55:28 -05:00
Matt Moyer
f0a1555aca
Fix broken "read only" fields added in v0.11.0.
These fields were changed as a minor hardening attempt when we switched to Distroless, but I bungled the field names and we never noticed because Kapp doesn't apply API validations.

This change fixes the field names so they act as was originally intended. We should also follow up with a change that validates all of our installation manifest in CI.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:12:39 -05:00
Anjali Telang
ccd338fa50 Merge branch 'main' of github.com:anjaltelang/pinniped into main 2021-09-02 14:54:48 -04:00
Anjali Telang
4e7214c6b5 Rephrased again
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-09-02 14:54:14 -04:00
Anjali Telang
2297ee4b81 Merge branch 'main' of github.com:anjaltelang/pinniped into main 2021-09-02 14:52:01 -04:00
Anjali Telang
85daec4748 Rephrased
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-09-02 14:51:36 -04:00
Anjali Telang
cf014656af Add Reference to release notes in the v0.11.0 Blog post
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-09-02 14:44:53 -04:00
Matt Moyer
b3b3c2303f
Merge pull request #831 from anjaltelang/main
Add community info and resolve some minor issues
2021-09-02 09:02:24 -07:00
Matt Moyer
0ff66c718b
Merge pull request #832 from vmware-tanzu/dependabot/docker/distroless/static-be5d77c
Bump distroless/static from `c9f9b04` to `be5d77c`
2021-09-02 05:40:51 -07:00
dependabot[bot]
1bb8a43e04
Bump distroless/static from c9f9b04 to be5d77c
Bumps distroless/static from `c9f9b04` to `be5d77c`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-02 03:00:24 +00:00
anjalitelang
655bbce42a
Update ROADMAP.md
Updated September roadmap to reflect work on Improving Security Posture. Added CLI SSO as Future roadmap item.
2021-09-01 21:35:47 -04:00
Mo Khan
9258745ec7
Fix roadmap table formatting
We seem to have missed a `|` at the start of the table.
2021-09-01 15:33:23 -04:00
Anjali Telang
fcffab9a4c Add community info and resolve some minor issues
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-09-01 13:23:26 -04:00
Ryan Richard
92f7f12bab Update latest release tag in site/config.yaml, used by docs 2021-08-31 16:47:40 -07:00
Ryan Richard
7c40185676
Merge pull request #825 from anjaltelang/main
Add Blog post for v0.11.0 release
2021-08-31 16:46:23 -07:00
Pinny
abf19f649d Update CLI docs for v0.11.0 release 2021-08-31 23:40:00 +00:00
Pinny
0a2a716796 Update CLI docs for v0.10.0 release 2021-08-31 23:21:54 +00:00
Anjali Telang
a27e398923 Changed date and cleaned up some more AD format
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-08-31 15:02:57 -04:00
Ryan Richard
b19af2e135
Merge pull request #829 from enj/enj/i/wait_shutdown
Ensure concierge and supervisor gracefully exit
2021-08-31 11:30:35 -07:00
Ryan Richard
883007aa1b
Merge pull request #756 from vmware-tanzu/ad-identity-provider-docs
Document how to configure the ActiveDirectoryIdentityProvider
2021-08-31 10:48:25 -07:00
Anjali Telang
ba1470ea9d Add AD changes
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-08-30 21:04:48 -04:00
Monis Khan
0d285ce993
Ensure concierge and supervisor gracefully exit
Changes made to both components:

1. Logs are always flushed on process exit
2. Informer cache sync can no longer hang process start up forever

Changes made to concierge:

1. Add pre-shutdown hook that waits for controllers to exit cleanly
2. Informer caches are synced in post-start hook

Changes made to supervisor:

1. Add shutdown code that waits for controllers to exit cleanly
2. Add shutdown code that waits for active connections to become idle

Waiting for controllers to exit cleanly is critical as this allows
the leader election logic to release the lock on exit.  This reduces
the time needed for the next leader to be elected.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-30 20:29:52 -04:00
Matt Moyer
e43bd59688
Merge pull request #830 from mattmoyer/update-youtube-demo-link
Update YouTube demo link to our official page.
2021-08-30 14:30:15 -07:00
Matt Moyer
0c8d885c26
Update YouTube demo link to our official page.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-08-30 16:29:32 -05:00
Anjali Telang
23fb84029b changes made on ryan's review comments
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-08-28 15:59:04 -04:00
Mo Khan
d2dfe3634a
Merge pull request #828 from enj/enj/i/supervisor_graceful_exit
supervisor: ensure graceful exit
2021-08-28 13:40:13 -04:00
Monis Khan
5489f68e2f
supervisor: ensure graceful exit
The kubelet will send the SIGTERM signal when it wants a process to
exit.  After a grace period, it will send the SIGKILL signal to
force the process to terminate.  The concierge has always handled
both SIGINT and SIGTERM as indicators for it to gracefully exit
(i.e. stop watches, controllers, etc).  This change updates the
supervisor to do the same (previously it only handled SIGINT).  This
is required to allow the leader election lock release logic to run.
Otherwise it can take a few minutes for new pods to acquire the
lease since they believe it is already held.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-28 11:23:11 -04:00
Ryan Richard
4eb500cc41
Merge pull request #826 from vmware-tanzu/simplify_readme
Simplify the main README.md to reduce duplication with website
2021-08-27 16:40:53 -07:00