Commit Graph

1392 Commits

Author SHA1 Message Date
Matt Moyer
f7b0cf8f8a Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Matt Moyer
69f766d41d Extend certauthority to support loading an existing CA.
I think we may still split this apart into multiple packages, but for now it works pretty well in both use cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:33:33 -07:00
Ryan Richard
5dea51c062 Int test for LoginRequest grants permissions to test user
- Dynamically grant RBAC permission to the test user to allow them
  to make read requests via the API
- Then use the credential returned from the LoginRequest to make a
  request back to the API server which should be successful
2020-07-27 12:33:33 -07:00
Ryan Richard
b16bf52580 Fix a failing unit test and import mistake from previous commits 2020-07-27 12:33:33 -07:00
Andrew Keesler
f47927331f Condense discovery integration tests
I think these tests do roughly the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-27 12:33:00 -07:00
Matt Moyer
066bc84e2a Add "--cluster-signing-*-file" flags pointing at a host volume mount.
This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 12:31:30 -07:00
Andrew Keesler
9f0d2606b1 WIP: initial integration test for cert issuing 2020-07-27 12:31:30 -07:00
Matt Moyer
f986600d5b Increase client cert TTL from 5m to 1h.
This will make manual testing easier and seems like a reasonable tradeoff. We'll iterate more in the future.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 13:38:32 -05:00
Matt Moyer
349dd98a2f
Merge pull request #28 from mattmoyer/work-around-1.16
Work around k8s 1.16 limitations of priorityClassName.
2020-07-27 09:44:22 -05:00
Matt Moyer
60bbcc12d8 Work around k8s 1.16 limitations of priorityClassName.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 09:33:40 -05:00
Matt Moyer
259fc0e794
Merge pull request #27 from ankeesler/issue-cert
Issue certs for valid TMC tokens
2020-07-27 08:57:27 -05:00
Matt Moyer
a1593c4b7b Fix linter error in certauthority.
The error was:
```
internal/certauthority/certauthority.go:68:15: err113: do not define dynamic errors, use wrapped static errors instead: "fmt.Errorf(\"expected CA to be a single certificate, found %d certificates\", certCount)" (goerr113)
		return nil, fmt.Errorf("expected CA to be a single certificate, found %d certificates", certCount)
		            ^
exit status 1
```

I'm not sure if I love this err113 linter.
2020-07-27 08:21:19 -05:00
Matt Moyer
8606cc9662 Update loginrequest/REST.Create to issue client certificates.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
613f324a47 Add generated mock for loginrequest.CertIssuer interface.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
d8c7a25487 Extend the REST service to keep a CertIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 08:10:04 -05:00
Matt Moyer
07a71236aa Fix a bad assumption in library.NewClientConfigWithCertAndKey.
It turns out these fields are not meant to be base64 encoded, even though that's how they are in the kubeconfig.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:52:36 -05:00
Matt Moyer
757d987204 Extend certauthority to support loading an existing CA.
I think we may still split this apart into multiple packages, but for now it works pretty well in both use cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-27 07:50:59 -05:00
Ryan Richard
899f736b8c Int test for LoginRequest grants permissions to test user
- Dynamically grant RBAC permission to the test user to allow them
  to make read requests via the API
- Then use the credential returned from the LoginRequest to make a
  request back to the API server which should be successful
2020-07-24 15:57:29 -07:00
Ryan Richard
6001f1f456 Fix a failing unit test and import mistake from previous commits 2020-07-24 14:32:07 -07:00
Ryan Richard
99b35e1a61 Merge branch 'main' into issue-cert 2020-07-24 14:11:06 -07:00
Matt Moyer
e5902533eb Add "--cluster-signing-*-file" flags pointing at a host volume mount.
This is a somewhat more basic way to get access to the certificate and private key we need to issue short lived certificates.

The host path, tolerations, and node selector here should work on any kubeadm-derived cluster including TKG-S and Kind.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 15:45:49 -05:00
Andrew Keesler
0d667466e8
Merge pull request #26 from ankeesler/proposed-integration-test-cleanup
Condense discovery integration tests
2020-07-24 14:59:05 -04:00
Ryan Richard
9bfec08d90 More tests and more validations for create LoginRequest endpoint
- Mostly testing the way that the validation webhooks are called
- Also error when the auth webhook does not return user info, since we wouldn't know who you are in that case
2020-07-24 11:00:29 -07:00
Andrew Keesler
6cc8a2f8dd WIP: initial integration test for cert issuing 2020-07-24 13:01:58 -04:00
Matt Moyer
6fe7a4c9dc Add a test for when a validation function is passed.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 11:53:06 -05:00
Matt Moyer
924eb1abaa
Merge pull request #25 from cfryanr/finishing_webhook_invocation
Finishing touches on webhook invocation
2020-07-24 11:30:11 -05:00
Matt Moyer
a7748a360e Extend integration tests to check new LoginRequest API semantics.
Signed-off-by: Ryan Richard <richardry@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-24 11:15:41 -05:00
Matt Moyer
84bb0a9a21 Start returning user info in LoginRequest response.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-24 11:15:41 -05:00
Andrew Keesler
e1f44e2654
Condense discovery integration tests
I think these tests do roughly the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-07-24 11:17:32 -04:00
Ryan Richard
9af3637403 Bump version of -api dependency
Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-23 17:12:25 -07:00
Ryan Richard
6a93de3931 More validations and error handling for create LoginRequest endpoint 2020-07-23 16:01:55 -07:00
Ryan Richard
6c87c793db Extract test helper for asserting API errors in rest_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-07-23 09:50:23 -07:00
Mo Khan
5fdc20886d
Initial aggregated API server (#15)
Add initial aggregated API server (squashed from a bunch of commits).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Aram Price <pricear@vmware.com>
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 10:05:21 -05:00
Mo Khan
23c1b32a02
Merge pull request #24 from enj/enj/f/controller_lib
Add controller library code
2020-07-22 22:40:33 -04:00
Monis Khan
d4eeb74641
Add initial controller boilerplate and example controller
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-22 22:27:55 -04:00
Matt Moyer
31c4e6560d Drop GitHub Actions (we now have Concourse for PRs).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-20 09:40:07 -05:00
Mo Khan
4b1a7436a9
Merge pull request #22 from enj/enj/i/user_agent
Encode git version info into binary and user agent
2020-07-20 00:41:41 -04:00
Monis Khan
549da37805
Encode git version info into binary and user agent
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-20 00:32:11 -04:00
Mo Khan
240f9f86b1
Merge pull request #21 from enj/enj/i/cleanup_apimachinery
Various clean ups
2020-07-19 01:39:05 -04:00
Monis Khan
b638bd7eeb
Describe why/how we recover type meta using scheme
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:25 -04:00
Monis Khan
5fa5b9a9a9
Do not hard code API version
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:24 -04:00
Monis Khan
9118869d04
Use protobuf with built-in Kube REST APIs
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-19 01:28:24 -04:00
Mo Khan
e92bdbea64
Merge pull request #20 from enj/enj/i/fix_gvk
Restore GVK info that apimachinery decoder unsets
2020-07-18 01:28:27 -04:00
Monis Khan
d71a620a18
Restore GVK info that apimachinery decoder unsets
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-18 01:05:11 -04:00
Ryan Richard
7cac20fc89
Merge pull request #18 from cfryanr/fix_deploy_errors
Fix deploy errors
2020-07-17 14:56:18 -07:00
Ryan Richard
260a271859 Add RBAC for autoregistration
- Also fix mistakes in the deployment.yaml
- Also hardcode the ownerRef kind and version because otherwise we get an error

Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 14:42:02 -07:00
Monis Khan
611859f04a Update dockerfile to use netrc
Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 13:26:30 -07:00
Matt Moyer
fd4c6f6a71
Merge pull request #17 from suzerain-io/feature/autoregistration
Add automatic registration of an APIService.
2020-07-17 12:16:23 -05:00
Matt Moyer
092cc26789 Refactor app.go and wire in autoregistration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-17 12:10:33 -05:00
Matt Moyer
a3bce5f42e Add autoregistration package to manage APIService.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-07-17 10:53:13 -05:00