Commit Graph

3236 Commits

Author SHA1 Message Date
Ryan Richard
044443f315 Rename X-Pinniped-Idp-* headers to Pinniped-*
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
9ca72fcd30 login.go: Respect overallTimeout for LDAP login-related http requests
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 12:57:10 -07:00
Ryan Richard
3008d1a85c Log slow LDAP authentication attempts for debugging purposes 2021-05-12 11:59:48 -07:00
Ryan Richard
6c2a775c9b Use proxy for pinniped get kubeconfig in hack/prepare-supervisor-on-kind.sh
Because the command now calls the discovery endpoint,
so it needs to go through the proxy to resolve the
hostname.
2021-05-12 11:34:16 -07:00
Ryan Richard
41d3e3b6ec Fix lint error in e2e_test.go 2021-05-12 11:24:00 -07:00
Ryan Richard
20b86ac0a9
Merge pull request #589 from vmware-tanzu/ldap-get-kubeconfig
WIP: Support for Supervisor upstream LDAP IDPs in `pinniped get kubeconfig`
2021-05-12 10:10:49 -07:00
Margo Crawford
df0e715bb7 Add integration test that waits for access token expiry 2021-05-12 09:05:13 -07:00
Ryan Richard
6723ed9fd8 Add end-to-end integration test for CLI-based LDAP login 2021-05-11 13:55:46 -07:00
Ryan Richard
f98aa96ed3 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Ryan Richard
e25eb05450 Move Supervisor IDP discovery to its own new endpoint 2021-05-11 10:31:33 -07:00
Pinny
dbde150c38 Update CLI docs for v0.8.0 release 2021-05-10 22:01:16 +00:00
Ryan Richard
c0fcd27594
Fix typo in test/integration/e2e_test.go
Co-authored-by: Mo Khan <i@monis.app>
2021-05-10 12:51:56 -07:00
Mo Khan
1ddc85495f
Merge pull request #610 from enj/enj/t/eks_extra_nested_impersonation
impersonation proxy test: handle admin users with mixed case extra keys
2021-05-10 13:49:24 -04:00
Monis Khan
716659b74a
impersonation proxy test: handle admin users with mixed case extra keys
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-10 13:22:51 -04:00
Mo Khan
696c2b9133
Merge pull request #609 from enj/enj/t/eks_uid_nested_impersonation
impersonation proxy test: handle admin users with UID such as on EKS
2021-05-10 10:35:26 -04:00
Mo Khan
0770682bf9
impersonation proxy test: handle admin users with UID such as on EKS
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 09:21:45 -04:00
Mo Khan
88ff3164a2
Merge pull request #608 from enj/enj/i/discovery_keep_oidc_err
upstreamwatcher: do not truncate explicit oidc errors
2021-05-10 09:18:13 -04:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Matt Moyer
9fc7f43245
Merge pull request #607 from mattmoyer/fix-eks-nested-impersonation-tests
Fix TestImpersonationProxy on EKS.
2021-05-07 16:46:40 -05:00
Matt Moyer
47f5e822d0
Fix TestImpersonationProxy on EKS.
The admin kubeconfigs we have on EKS clusters are a bit different from others, because there is no certificate/key (EKS does not use certificate auth).

This code didn't quite work correctly in that case. The fix is to allow the case where `tlsConfig.GetClientCertificate` is non-nil, but returns a value with no certificates.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-07 16:22:08 -05:00
Mo Khan
cc99d9aeb4
Merge pull request #606 from enj/enj/i/log_discovery_err
upstreamwatcher: preserve oidc discovery error
2021-05-07 16:56:52 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Matt Moyer
a08a28d67b
Merge pull request #603 from vmware-tanzu/dependabot/docker/golang-1.16.4
Bump golang from 1.16.3 to 1.16.4
2021-05-07 06:58:13 -05:00
dependabot[bot]
2634c9f04a
Bump golang from 1.16.3 to 1.16.4
Bumps golang from 1.16.3 to 1.16.4.

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-07 05:49:58 +00:00
Margo Crawford
29a1ca5168
Merge pull request #602 from vmware-tanzu/access-token-lifetime
Change access token storage lifetime to be the same as the refresh token's
2021-05-06 14:39:52 -07:00
Margo Crawford
5240f5e84a Change access token storage lifetime to be the same as the refresh token's
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Matt Moyer
a8bccc5432
Merge pull request #599 from mattmoyer/docs-tweak-configure-supervisor-with-gitlab
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
2021-05-04 17:32:14 -05:00
Matt Moyer
f167a075dd
Clean up this language in configure-supervisor-with-gitlab.md a bit more.
This was duplicitive.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
8136c787a7
More adjustments to configure-supervisor-with-gitlab.md.
- Use `nickname` claim as an example, which means we only need the `openid` scope.
  This is also more stable since emails can change over time.

- Put the OIDCIdentityProvider and Secret into one YAML blob, since they will likely be copy-pasted together anyway.

- Add a separate section for using alternate claims.

- Add a separate section for using a private GitLab instance.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Matt Moyer
3e13b5f39d
Do some minor copyediting on "configure-supervisor-with-gitlab.md".
Some minor edits I came across while reviewing this:

- Capitalize "GitLab" the way they do.

- Use `{{< ref "xyz" >}}` references when linking internally. The advantage of these is that they're "type checked" by Hugo when the site is rendered, so we'll know if we ever break one.

- Add links to the GitLab docs about creating an OAuth client. These also cover adding a group-level or instance-wide application.

- Re-wrap the YAML lines to fit a bit more naturally.

- Add a `namespace` to the YAML examples, so they're more likely to work without tweaks.

- Use "gitlab" instead of "my-oidc-identity-provider" as the example name, for clarity.

- Re-word a few small bits. These are 100% subjective but hopefully an improvement?

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 15:49:45 -05:00
Margo Crawford
1a2940c278
Merge pull request #560 from vmware-tanzu/client-debug-logging
Client debug logging
2021-05-04 13:46:47 -07:00
Mo Khan
4bb0fdeddd
Merge pull request #598 from enj/enj/i/gc_tz
supervisor gc: use singleton queue
2021-05-04 15:08:06 -04:00
Monis Khan
4ce77c4837
supervisor gc: use singleton queue
The supervisor treats all events the same hence it must use a
singleton queue.

Updated the integration test to remove the data race caused by
calling methods on testing.T outside of the main test go routine.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-04 14:44:55 -04:00
Matt Moyer
1586171876
Merge pull request #595 from mattmoyer/fix-psp-related-regression
Fix PSP-related regression since kube-cert-agent change in #569.
2021-05-04 11:04:16 -05:00
Matt Moyer
165bef7809
Split out kube-cert-agent service account and bindings.
Followup on the previous comment to split apart the ServiceAccount of the kube-cert-agent and the main concierge pod. This is a bit cleaner and ensures that in testing our main Concierge pod never requires any privileged permissions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 10:09:33 -05:00
Matt Moyer
b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount.
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00
Ryan Richard
71e38d232e login.go discards logs by default
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-03 09:13:18 -07:00
Margo Crawford
778c194cc4 Autodetection with multiple idps in discovery document
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 17:14:28 -07:00
Margo Crawford
a8754b5658 Refactor: extract helper func from runGetKubeconfig()
- Reduces the cyclomatic complexity of the function

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 15:00:54 -07:00
Ryan Richard
1c66ffd5ff WIP: add supervisor upstream flags to pinniped get kubeconfig
- And perform auto-discovery when the flags are not set
- Several TODOs remain which will be addressed in the next commit

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-30 14:28:03 -07:00
Margo Crawford
ab94b97f4a Change login.go to use logr.logger 2021-04-30 12:10:04 -07:00
Margo Crawford
d6a172214d
Merge pull request #587 from vmware-tanzu/supervisor-gitlab-docs
Added documentation for how to configure the Supervisor with GitLab
2021-04-30 11:01:22 -07:00
Mo Khan
638fa7ba27
Merge pull request #592 from enj/enj/t/valueless_ctx_2
valuelesscontext: make unit tests more clear
2021-04-30 11:07:32 -04:00
Monis Khan
b5ffab6330
valuelesscontext: make unit tests more clear
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 10:43:29 -04:00
Mo Khan
8556a638a2
Merge pull request #591 from enj/enj/t/valueless_ctx
valuelesscontext: add some unit tests
2021-04-30 10:10:48 -04:00
Monis Khan
44c7f8daf0
valuelesscontext: add some unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 09:45:34 -04:00
Mo Khan
1efa4da80c
Merge pull request #590 from enj/enj/f/sa_authn_impersonation_proxy
impersonator: add support for service account token authentication
2021-04-29 17:53:27 -04:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID.  This
allows us to support service account tokens (as well as any other
form of token based authentication).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Mo Khan
9e4f601a3f
Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
2021-04-29 07:47:06 -04:00