Ryan Richard
b3b108500a
Merge branch 'main' into initial_ldap
2021-04-27 10:12:43 -07:00
Monis Khan
521adffb17
impersonation proxy: add nested impersonation support
This change updates the impersonator logic to use the delegated
authorizer for all non-rest verbs such as impersonate. This allows
it to correctly perform authorization checks for incoming requests
that set impersonation headers while not performing unnecessary
checks that are already handled by KAS.
The audit layer is enabled to track the original user who made the
request. This information is then included in a reserved extra
field original-user-info.impersonation-proxy.concierge.pinniped.dev
as a JSON blob.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:46 -04:00
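The commit message above describes two mechanisms: authorizing each impersonated attribute through a delegated authorizer (the "impersonate" verb), and recording the original caller as a JSON blob in the reserved extra key. The Go block below is an added illustration of that flow and is not Pinniped's impersonator code. It assumes a minimal `UserInfo` stand-in for the apiserver's `user.Info`, a hypothetical `Authorizer` callback that answers the same question a SubjectAccessReview would, and the standard Kubernetes impersonation header names; the reserved key string is the one named in the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Reserved extra key named in the commit message above. The proxy fills it in;
// a client must not be able to set it through an Impersonate-Extra-* header.
const OriginalUserInfoExtraKey = "original-user-info.impersonation-proxy.concierge.pinniped.dev"

// UserInfo is a minimal stand-in for k8s.io/apiserver's user.Info (assumption:
// the real proxy uses the apiserver type; this one only needs to marshal to JSON).
type UserInfo struct {
	Username string              `json:"username"`
	UID      string              `json:"uid,omitempty"`
	Groups   []string            `json:"groups,omitempty"`
	Extra    map[string][]string `json:"extra,omitempty"`
}

// Authorizer is the delegated check consulted for the "impersonate" verb.
// Assumption: it answers "may caller perform verb on resource/subresource/name?".
type Authorizer func(caller UserInfo, verb, resource, subresource, name string) bool

// Standard Kubernetes impersonation headers.
const (
	headerUser        = "Impersonate-User"
	headerGroup       = "Impersonate-Group"
	headerUID         = "Impersonate-Uid"
	headerExtraPrefix = "Impersonate-Extra-"
)

// BuildNestedImpersonation takes the already-authenticated caller and the request
// headers, authorizes every impersonated attribute through authz, and returns the
// user the proxy should forward, with the caller recorded as JSON in the reserved key.
func BuildNestedImpersonation(caller UserInfo, h http.Header, authz Authorizer) (UserInfo, error) {
	target := UserInfo{Username: h.Get(headerUser), UID: h.Get(headerUID), Extra: map[string][]string{}}
	if target.Username == "" {
		return UserInfo{}, fmt.Errorf("missing %s header", headerUser)
	}
	resource := "users"
	if strings.HasPrefix(target.Username, "system:serviceaccount:") {
		resource = "serviceaccounts"
	}
	if !authz(caller, "impersonate", resource, "", target.Username) {
		return UserInfo{}, fmt.Errorf("%s may not impersonate %s %q", caller.Username, resource, target.Username)
	}
	if target.UID != "" && !authz(caller, "impersonate", "uids", "", target.UID) {
		return UserInfo{}, fmt.Errorf("%s may not impersonate uid %q", caller.Username, target.UID)
	}
	for _, g := range h.Values(headerGroup) {
		if !authz(caller, "impersonate", "groups", "", g) {
			return UserInfo{}, fmt.Errorf("%s may not impersonate group %q", caller.Username, g)
		}
		target.Groups = append(target.Groups, g)
	}
	for name, vals := range h {
		if !strings.HasPrefix(name, headerExtraPrefix) {
			continue
		}
		// kube-apiserver lowercases extra keys taken from headers; match that so the
		// reserved-key comparison cannot be dodged with different casing.
		key := strings.ToLower(strings.TrimPrefix(name, headerExtraPrefix))
		if key == OriginalUserInfoExtraKey {
			return UserInfo{}, fmt.Errorf("extra key %q is reserved for the proxy", key)
		}
		for _, v := range vals {
			if !authz(caller, "impersonate", "userextras", key, v) {
				return UserInfo{}, fmt.Errorf("%s may not impersonate extra %s=%q", caller.Username, key, v)
			}
		}
		target.Extra[key] = append([]string(nil), vals...)
	}
	blob, err := json.Marshal(caller)
	if err != nil {
		return UserInfo{}, err
	}
	target.Extra[OriginalUserInfoExtraKey] = []string{string(blob)}
	return target, nil
}

func main() {
	// Constructed sample policy: alice may impersonate only user bob and group developers.
	allow := func(caller UserInfo, verb, resource, sub, name string) bool {
		return caller.Username == "alice" && verb == "impersonate" &&
			((resource == "users" && name == "bob") || (resource == "groups" && name == "developers"))
	}
	h := http.Header{}
	h.Set(headerUser, "bob")
	h.Add(headerGroup, "developers")
	got, err := BuildNestedImpersonation(UserInfo{Username: "alice"}, h, allow)
	fmt.Printf("%+v err=%v\n", got, err)
}
```

The per-attribute checks (users or serviceaccounts, uids, groups, userextras with the key as subresource) are the same shape kube-apiserver applies to impersonation headers; the point of doing them in the proxy is that the upstream API server only ever sees the proxy's own identity, so it cannot perform them for the original caller. The reserved-key rejection is an assumption added here as the check a reviewer would ask for; the commit message does not state how the project guards it.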
Ryan Richard
5c28d36c9b
Redact some params of URLs in logs to avoid printing sensitive info
2021-04-15 07:59:38 -07:00
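The commit above redacts URL parameters before logging. The Go block below is an added example of that technique, not the project's own redaction code; the parameter names in `SensitiveParams` are an illustrative list, not Pinniped's. It goes slightly beyond the commit title by also redacting a userinfo password and the fragment, since both commonly carry credentials or tokens.

```go
package main

import (
	"fmt"
	"net/url"
)

// SensitiveParams lists query parameters whose values must never reach a log line.
// Assumption: an illustrative list, not the project's.
var SensitiveParams = map[string]bool{
	"code": true, "id_token": true, "access_token": true, "refresh_token": true,
	"client_secret": true, "token": true, "password": true,
}

const redactedValue = "redacted"

// RedactURL returns a copy of raw that is safe to log: values of sensitive query
// parameters, any userinfo password and the fragment are replaced, while scheme,
// host, path and non-sensitive parameters are kept so the log line stays useful.
// An unparseable input is not echoed back, since it may itself contain a secret.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	q := u.Query()
	for key := range q {
		if SensitiveParams[key] {
			q.Set(key, redactedValue)
		}
	}
	u.RawQuery = q.Encode() // note: Encode sorts keys, so parameter order may change
	if u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			u.User = url.UserPassword(u.User.Username(), redactedValue)
		}
	}
	if u.Fragment != "" {
		u.Fragment = redactedValue
		u.RawFragment = ""
	}
	return u.String()
}

func main() {
	// Constructed sample URLs of the kind that show up in OIDC and LDAP logs.
	for _, raw := range []string{
		"https://example.com/callback?code=abc123&state=xyz",
		"https://bob:s3cret@ldap.example.com/search?scope=sub",
		"https://example.com/a?token=t#frag",
	} {
		fmt.Println(RedactURL(raw))
	}
}
```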
Ryan Richard
9450048acf
Fix lint error from previous commit
2021-04-05 15:14:24 -07:00
Andrew Keesler
c53507809d
Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
ytt templates
- This new value is not used on main at this time. We intend to use
it in the forthcoming ldap branch. We're defining it on main so
that the CI scripts can use it across all branches and PRs.
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS).
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.
The fix is to retry this step for up to 5 minutes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:48:53 -05:00
Margo Crawford
d8baa43903
Add new non-idle timeout integration test for impersonation proxy
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-29 09:30:51 -07:00
Ryan Richard
95bb4c4be5
Fix concierge_impersonation_proxy_test.go on AKS
Also send the correct instance of `t` into a helper function which
makes assertions.
2021-03-26 19:32:46 -07:00
Matt Moyer
c6d7724b67
In TestImpersonationProxy, instead of failing in this case just skip the test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-26 16:28:33 -05:00
Ryan Richard
3359311228
concierge_impersonation_proxy_test.go: fix typo in previous commit
2021-03-26 09:49:49 -07:00
Ryan Richard
7e16619146
concierge_impersonation_proxy_test.go: handle TKGS test clusters
Handle any test cluster which supports load balancers but should
not automatically start the impersonator, e.g. TKGS clusters.
2021-03-26 09:28:42 -07:00
Margo Crawford
b6e217e13a
Hardcode type "webhook" in concierge_impersonation_proxy_test.go
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 17:19:47 -07:00
Margo Crawford
6f2882b831
Explicitly set the correct authenticator for impersonator test
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 16:57:37 -07:00
Margo Crawford
d90398815b
Nothing in parallel in the impersonation proxy integration test
2021-03-22 10:48:09 -07:00
Margo Crawford
7683a98792
Unparallelize run all the verbs and port-forward tests
2021-03-22 09:45:51 -07:00
Margo Crawford
d7e9568137
Unparallelize a couple
2021-03-22 09:43:40 -07:00
Ryan Richard
3e50b4e129
Add -sS to the curl command in concierge_impersonation_proxy_test.go
2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56
Edit some comments in concierge_impersonation_proxy_test.go
2021-03-19 13:19:17 -07:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
Maybe this will cut down on flakes we see in CI?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
bd8c243636
concierge_impersonation_proxy_test.go: small refactor
2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Margo Crawford
897340860b
Small refactor to impersonation proxy integration test
2021-03-16 16:57:46 -07:00
Margo Crawford
64e0dbb481
Sleep for 1 minute 10 seconds instead of a minute in timeout test
2021-03-15 16:33:47 -07:00
Margo Crawford
939ea30030
Make all tests but disable test parallelized
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17
Test waiting for a minute and keeping connection open
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Ryan Richard
8065a8d2e6
TestKubeCertAgent waits for CredentialIssuer strategy to be successful
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a
Fix a race detector warning by re-declaring err in a t.Cleanup()
2021-03-15 11:43:12 -07:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Margo Crawford
d509e7012e
Add eventually loop to port-forward test
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
I think this is nondeterministic...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
f77c92560f
Rewrite impersonator_test.go, add missing argument to IssuePEM()
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.
The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d
Fix lint errors from a previous commit
2021-03-11 16:21:40 -08:00
Andrew Keesler
71712b2d00
Add test for http2
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
Ryan Richard
29d7f406f7
Test double impersonation as the cluster admin
2021-03-11 12:53:27 -08:00
Margo Crawford
22ca2da1ff
test/integration: add "kubectl attach" test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 15:10:16 -05:00
Andrew Keesler
fcd8c585c3
test/integration: update "kubectl port-forward" test to use non-privileged port
This was failing on our laptops because 443 is a privileged port.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 13:05:26 -05:00
Ryan Richard
a918e9fb97
concierge_impersonation_proxy_test.go: Fix lint error in previous commit
2021-03-11 10:04:24 -08:00
Ryan Richard
34accc3dee
Test using a service account token to auth to the impersonator
Also make each t.Run use its own namespace to slightly reduce the
interdependency between them.
Use t.Cleanup instead of defer in whoami_test.go just to be consistent
with other integration tests.
2021-03-11 10:01:17 -08:00
Ryan Richard
61d64fc4c6
Use ioutil.ReadFile instead of os.ReadFile
Because it works on older golang versions too.
2021-03-11 08:58:54 -08:00
Andrew Keesler
b793b9a17e
test/integration: add 'kubectl logs' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:42:28 -05:00
Andrew Keesler
32b038c639
test/integration: add 'kubectl cp' test to TestImpersonationProxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-11 10:07:16 -05:00
Ryan Richard
d13bb07b3e
Add integration test for using WhoAmIRequest through impersonator
2021-03-10 16:57:15 -08:00