Commit Graph

2283 Commits

Author SHA1 Message Date
Nanci Lancaster
8b4024bf82 Updated the community meeting info with new zoom link and agenda notes
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-29 16:07:23 -06:00
Ryan Richard
d89c6546e7
Merge pull request #373 from microwavables/main
Updated text on community meetings and added YouTube link
2021-01-28 09:49:12 -08:00
Nanci Lancaster
2710591429 Updated text on community meetings and added YouTube link
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-28 11:22:44 -06:00
Matt Moyer
02815cfb26
Revert "Use GitHub's "latest" handling so this doesn't get out of sync."
This reverts commit 46ad41e813.

This turns out not to work, so we have to use a hardcoded version here.
2021-01-28 10:28:46 -06:00
Matt Moyer
3f7cb5d9f8
Merge pull request #372 from mattmoyer/fix-redirects-version
Fix get.pinniped.dev latest version redirects.
2021-01-28 10:26:51 -06:00
Matt Moyer
46ad41e813
Use GitHub's "latest" handling so this doesn't get out of sync.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:25:33 -06:00
Matt Moyer
d4eca3a82a
Fix get.pinniped.dev latest version redirects.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:23:48 -06:00
Matt Moyer
c03a088399
Merge pull request #370 from mattmoyer/cleanup-docs
Clean up docs using https://get.pinniped.dev redirects.
2021-01-28 10:17:46 -06:00
Matt Moyer
f81dda4eda
Add syntax highlighting CSS.
This was generated via `hugo gen chromastyles --style=monokailight > ./site/themes/pinniped/assets/scss/_syntax.css`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:15:39 -06:00
Matt Moyer
1ceef5874e
Clean up docs using https://get.pinniped.dev redirects.
We have these redirects set up to make the `kubectl apply -f [...]` commands cleaner, but we never went back and fixed up the documentation to use them until now.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 10:15:39 -06:00
Matt Moyer
1b224bc4f2
Merge pull request #369 from mattmoyer/cleanup-go-sum
Prune unused versions from go.sum.
2021-01-28 10:09:06 -06:00
Matt Moyer
530d6961c2
Prune unused versions from go.sum.
The broken github.com/oleiade/reflections v1.0.0 package was still causing problems with Dependabot.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-28 09:03:00 -06:00
Matt Moyer
fe500882ef
Merge pull request #365 from mattmoyer/upgrade-oleiade-reflections-dep
Upgrade github.com/oleiade/reflections to v1.0.1.
2021-01-27 15:56:49 -06:00
Matt Moyer
8358c26107
Upgrade github.com/oleiade/reflections to v1.0.1.
This project overwrote the v1.0.0 tag with a different commit ID, which has caused issues with the Go module sum DB (which accurately detected the issue).

This has been one of the reasons why Dependabot is not updating our Go dependencies.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-27 13:49:30 -06:00
Matt Moyer
ad9a187522
Merge pull request #335 from mattmoyer/optimize-dockerfile
Optimize image build using .dockerignore and BuildKit features.
2021-01-27 11:35:42 -06:00
Matt Moyer
8a41419b94
Optimize image build using .dockerignore and BuildKit features.
This optimizes our image in a few different ways:

- It adds a bunch of files and directories to the `.dockerignore` file.
  This lets us have a single `COPY . .` but still be very aggressive about pruning what files end up in the build context.

- It adds build-time cache mounts to the `go build` commands using BuildKit's `--mount=type=cache` flag.
  This requires BuildKit-capable Docker, but means that our Go builds can all be incremental builds.
  This replaces the previous flow we had where we needed to split out `go mod download`.

- Instead of letting the full `apt-get install ca-certificates` layer end up in our final image, we copy just the single file we need.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-27 10:42:56 -06:00
Ryan Richard
6ef7ec21cd Merge branch 'release-0.4' into main 2021-01-25 15:13:14 -08:00
Ryan Richard
b77297c68d Validate the upstream email_verified claim when it makes sense 2021-01-25 15:10:41 -08:00
Ryan Richard
df1d15ebd1
Merge pull request from GHSA-wp53-6256-whf9
This is a fake PR for testing - please ignore
2021-01-22 12:46:53 -08:00
Ryan Richard
b3732e8b6c Trivial change to a comment 2021-01-22 12:43:35 -08:00
Matt Moyer
7e887666ce
Merge pull request #349 from microwavables/main
Add Google Group for meetings
2021-01-21 15:15:01 -06:00
Nanci Lancaster
d6e6f51ced Add Google Group for meetings
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2021-01-21 14:57:14 -06:00
Matt Moyer
9e21de9c47
Merge pull request #347 from mattmoyer/upgrade-go-oidc-library
Upgrade to github.com/coreos/go-oidc v3.0.0.
2021-01-21 14:39:22 -06:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Matt Moyer
5821faec03
Merge pull request #342 from vmware-tanzu/pre-commit-fix
Remove pre-commit hooks file to de-duplicate from pre-commit-config
2021-01-21 12:02:11 -06:00
Matt Moyer
8bca244d59
Merge pull request #345 from vmware-tanzu/dependabot/docker/golang-1.15.7
Bump golang from 1.15.6 to 1.15.7
2021-01-21 11:31:06 -06:00
dependabot[bot]
79fa96cfbc
Bump golang from 1.15.6 to 1.15.7
Bumps golang from 1.15.6 to 1.15.7.

Signed-off-by: dependabot[bot] <support@github.com>
2021-01-21 13:56:04 +00:00
Ryan Richard
b5cbe018e3
Allow passing multiple redirect URIs to Dex
We need this in CI when we want to configure Dex with the redirect URI for both
primary and secondary deploys at one time (since we only stand up Dex once).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-20 17:06:50 -05:00
Andrew Keesler
33f4b671d1
Merge pull request #327 from ankeesler/reenable-max-inflight-checks
Restore max in flight check when updating to 0.19.5 #243
2021-01-19 18:29:38 -05:00
Andrew Keesler
50c3e4c00f
Merge branch 'main' into reenable-max-inflight-checks 2021-01-19 18:14:27 -05:00
Andrew Keesler
5486427d88
Merge pull request #344 from vmware-tanzu/wire-api-group-suffix
Wire api group suffix through YTT/server components/CLI/integration tests
2021-01-19 18:06:12 -05:00
Andrew Keesler
906bfa023c
test: wire API group suffix through to tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Andrew Keesler
1c3518e18a
cmd/pinniped: wire API group suffix through to client components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Andrew Keesler
88fd9e5c5e
internal/config: wire API group suffix through to server components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Ryan Richard
616211c1bc
deploy: wire API group suffix through YTT templates
I didn't advertise this feature in the deploy README's since (hopefully) not
many people will want to use it?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:06 -05:00
Andrew Keesler
7a9c0e8c69
Merge branch 'main' into reenable-max-inflight-checks 2021-01-19 13:53:00 -05:00
Margo Crawford
c09020102c Remove pre-commit hooks file 2021-01-19 09:43:11 -08:00
Andrew Keesler
af11d8cd58
Run Tilt images as root for faster reload
Previously, when triggering a Tilt reload via a *.go file change, a reload would
take ~13 seconds and we would see this error message in the Tilt logs for each
component.

  Live Update failed with unexpected error:
    command terminated with exit code 2
  Falling back to a full image build + deploy

Now, Tilt should reload images a lot faster (~3 seconds) since we are running
the images as root.

Note! Reloading the Concierge component still takes ~13 seconds because there
are 2 containers running in the Concierge namespace that use the Concierge
image: the main Concierge app and the kube cert agent pod. Tilt can't live
reload both of these at once, so the reload takes longer and we see this error
message.

  Will not perform Live Update because:
    Error retrieving container info: can only get container info for a single pod; image target image:image/concierge has 2 pods
  Falling back to a full image build + deploy

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-15 11:34:53 -05:00
Matt Moyer
93ba1b54f2
Merge branch 'main' into reenable-max-inflight-checks 2021-01-15 10:19:17 -06:00
Matt Moyer
156e8d9df4
Merge pull request #334 from mattmoyer/fix-test-e2e-full-integration-groups-assertion
Fix an issue in TestE2EFullIntegration groups assertions.
2021-01-14 21:22:13 -06:00
Matt Moyer
6a0dc1e2bb
Fix an issue in TestE2EFullIntegration groups assertions.
The group claims read from the session cache file are loaded as `[]interface{}` (slice of empty interfaces) so when we previously did a `groups, _ := idTokenClaims[oidc.DownstreamGroupsClaim].([]string)`, then `groups` would always end up nil.

The solution I tried here was to convert the expected value to also be `[]interface{}` so that `require.Equal(t, ...)` does the right thing.

This bug only showed up in our acceptance environnment against Okta, since we don't have any other integration test coverage with IDPs that pass a groups claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-14 21:06:02 -06:00
Margo Crawford
b95f2c97b9
Merge pull request #333 from vmware-tanzu/groups-claim-parsing
groups claim parsing
2021-01-14 15:55:42 -08:00
Margo Crawford
d11a73c519 PR feedback-- omit empty groups, keep groups as nil until last minute
Also log keys and values for claims
2021-01-14 15:11:00 -08:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Margo Crawford
5e60c14ce7
internal/upstreamoidc: log claims from ID token and userinfo
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-14 16:47:39 -05:00
Andrew Keesler
434448a2f9
Merge pull request #331 from ankeesler/1-20-owner-ref-test
Update test/integration/kubeclient_test.go to work with Kube 1.20 GC behavior
2021-01-14 10:59:02 -05:00
Andrew Keesler
8a916ce8ae
test/integration: add test helper to avoid race conditions
We were seeing a race in this test code since the require.NoError() and
require.Eventually() would write to the same testing.T state on separate
goroutines. Hopefully this helper function should cover the cases when we want
to require.NoError() inside a require.Eventually() without causing a race.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:35 -05:00
Andrew Keesler
a0546942b8
test/integration: skip part of test to avoid Kube 1.20 GC bug
See comment.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
Co-authored-by: Monis Khan <i@monis.app>
2021-01-14 10:19:26 -05:00
Andrew Keesler
792bb98680
Revert "Temporarily disable max inflight checks for mutating requests"
This reverts commit 4a28d1f800.

This commit was originally made to fix a bug that caused TokenCredentialRequest
to become slow when the server was idle for an extended period of time. This was
to address a Kubernetes issue that was fixed in 1.19.5 and onward. We are now
running with Kubernetes 1.20, so we should be able to pick up this fix.
2021-01-13 11:12:09 -05:00
Andrew Keesler
3151ca92db
Merge pull request #322 from enj/enj/f/user_info_test
Wire in new env vars for user info testing
2021-01-12 11:51:46 -05:00