Commit Graph

3319 Commits

Author SHA1 Message Date
Ryan Richard
43c3f1ab2e Minor test cleanup
- `Before` gives a nice place to call `require.New(t)` to make the assertion lines more terse
- Just delete the keys for testing when env vars are missing
2020-07-28 17:22:17 -07:00
Ryan Richard
b70f3aefe5 First draft of LoginDiscoveryConfig CRD 2020-07-28 16:55:50 -07:00
Matt Moyer
1e56ecfdb4
Merge pull request #32 from mattmoyer/fix-cli-bug
Fix a bug in placeholder-name CLI (wrong API version).
2020-07-28 16:22:25 -05:00
Matt Moyer
42616e7d8a Fix a bug in placeholder-name CLI (wrong API version).
This is kind of a subtle bug, but we were using the unversioned Kubernetes type package here, where we should have been using the v1beta1 version. They have the same fields, but they serialize to JSON differently.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 16:10:27 -05:00
Matt Moyer
271eb9b837
Merge pull request #30 from cfryanr/new_cli
Create a client CLI command
2020-07-28 15:29:13 -05:00
Matt Moyer
48433eb36b Add integration tests for the client package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
aram price
bc4351f51a Add copyright, appease the linter 2020-07-28 15:15:59 -05:00
Matt Moyer
531954511b Extract a test library helper for ErrorWriter{}.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
a15a106fd3 Add a trailing newline to our CLI error output.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
b0d9db1bcc Implement client.ExchangeToken.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
1a349bb609 Add a context parameter so we can enforce a timeout for the token exchange.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
0ee4f0417d Use require.EqualError instead of require.Error.
The type signatures of these methods make them easy to mix up. `require.Error()` asserts that there is any non-nil error -- the last parameter is an optional human-readable message to log when the assertion fails. `require.EqualError()` asserts that there is a non-nil error _and_ that when you call `err.Error()`, the string matches the expected value. It also takes an additional optional parameter to specify the log message.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
ebe39c8663 Add a test for "failed to marshal response to stdout" error case.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
1e8463ac2d Use Go's favorite version of the word "marshal".
Again, no idea why but this word has two commonly accepted spelling and Go code seems to very consistently use the one with one "l".

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Matt Moyer
a5dbc324f6 Use the "Err*" idiomatic naming for error variables/consts.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Ryan Richard
27cd82065b Add placeholder-name CLI
- main and unit tests for main
- client package to be done in a future commit

Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-28 15:15:59 -05:00
Ryan Richard
9e44bc28d9 Change the name of the placeholder-name CLI to placeholder-name-server
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-28 15:15:59 -05:00
Andrew Keesler
0acb8c8d3c
internal-ize apiserver and registry packages
These shouldn't need to be imported outside this project.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-28 11:29:05 -04:00
Matt Moyer
ce71a5bac8
Merge pull request #29 from mattmoyer/increase-cert-ttl
Increase client cert TTL from 5m to 1h.
2020-07-27 14:56:08 -05:00
Ryan Richard
425e95bed4 Merge remote-tracking branch 'upstream/main' into main 2020-07-27 12:35:11 -07:00
Ryan Richard
418811ef19 Use consistent verify.sh with linting between all code repos 2020-07-27 12:33:34 -07:00
Ryan Richard
c9026cd150 Remove unused handlers package 2020-07-27 12:33:33 -07:00
Matt Moyer
63a5381968 Work around k8s 1.16 limitations of priorityClassName.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
74a328de41 Fix linter error in certauthority.
The error was:
```
internal/certauthority/certauthority.go:68:15: err113: do not define dynamic errors, use wrapped static errors instead: "fmt.Errorf(\"expected CA to be a single certificate, found %d certificates\", certCount)" (goerr113)
		return nil, fmt.Errorf("expected CA to be a single certificate, found %d certificates", certCount)
		            ^
exit status 1
```

I'm not sure if I love this err113 linter.
2020-07-27 12:33:33 -07:00
Matt Moyer
8a313bc653 Update loginrequest/REST.Create to issue client certificates.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
6dfae48b65 Add generated mock for loginrequest.CertIssuer interface.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
8a8a278029 Extend the REST service to keep a CertIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
f7b0cf8f8a Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
69f766d41d Extend certauthority to support loading an existing CA.
I think we may still split this apart into multiple packages, but for now it works pretty well in both use cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Ryan Richard
5dea51c062 Int test for LoginRequest grants permissions to test user
- Dynamically grant RBAC permission to the test user to allow them
  to make read requests via the API
- Then use the credential returned from the LoginRequest to make a
  request back to the API server which should be successful
2020-07-27 12:33:33 -07:00
Ryan Richard
b16bf52580 Fix a failing unit test and import mistake from previous commits 2020-07-27 12:33:33 -07:00
Andrew Keesler
f47927331f Condense discovery integration tests
I think these tests do roughly the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-27 12:33:00 -07:00
Matt Moyer
066bc84e2a Add "--cluster-signing-*-file" flags pointing at a host volume mount.
This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:31:30 -07:00
Andrew Keesler
9f0d2606b1 WIP: initial integration test for cert issuing 2020-07-27 12:31:30 -07:00
Matt Moyer
f986600d5b Increase client cert TTL from 5m to 1h.
This will make manual testing easier and seems like a reasonable tradeoff. We'll iterate more in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 13:38:32 -05:00
Matt Moyer
349dd98a2f
Merge pull request #28 from mattmoyer/work-around-1.16
Work around k8s 1.16 limitations of priorityClassName.
2020-07-27 09:44:22 -05:00
Matt Moyer
60bbcc12d8 Work around k8s 1.16 limitations of priorityClassName.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 09:33:40 -05:00
Matt Moyer
259fc0e794
Merge pull request #27 from ankeesler/issue-cert
Issue certs for valid TMC tokens
2020-07-27 08:57:27 -05:00
Matt Moyer
a1593c4b7b Fix linter error in certauthority.
The error was:
```
internal/certauthority/certauthority.go:68:15: err113: do not define dynamic errors, use wrapped static errors instead: "fmt.Errorf(\"expected CA to be a single certificate, found %d certificates\", certCount)" (goerr113)
		return nil, fmt.Errorf("expected CA to be a single certificate, found %d certificates", certCount)
		            ^
exit status 1
```

I'm not sure if I love this err113 linter.
2020-07-27 08:21:19 -05:00
Matt Moyer
8606cc9662 Update loginrequest/REST.Create to issue client certificates.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
613f324a47 Add generated mock for loginrequest.CertIssuer interface.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
d8c7a25487 Extend the REST service to keep a CertIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
07a71236aa Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:52:36 -05:00
Matt Moyer
757d987204 Extend certauthority to support loading an existing CA.
I think we may still split this apart into multiple packages, but for now it works pretty well in both use cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:50:59 -05:00
Ryan Richard
899f736b8c Int test for LoginRequest grants permissions to test user
- Dynamically grant RBAC permission to the test user to allow them
  to make read requests via the API
- Then use the credential returned from the LoginRequest to make a
  request back to the API server which should be successful
2020-07-24 15:57:29 -07:00
Ryan Richard
6001f1f456 Fix a failing unit test and import mistake from previous commits 2020-07-24 14:32:07 -07:00
Ryan Richard
99b35e1a61 Merge branch 'main' into issue-cert 2020-07-24 14:11:06 -07:00
Matt Moyer
e5902533eb Add "--cluster-signing-*-file" flags pointing at a host volume mount.
This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 15:45:49 -05:00
Andrew Keesler
0d667466e8
Merge pull request #26 from ankeesler/proposed-integration-test-cleanup
Condense discovery integration tests
2020-07-24 14:59:05 -04:00
Ryan Richard
9bfec08d90 More tests and more validations for create LoginRequest endpoint
- Mostly testing the way that the validation webhooks are called
- Also error when the auth webhook does not return user info, since we wouldn't know who you are in that case
2020-07-24 11:00:29 -07:00