Commit Graph

1335 Commits

Author SHA1 Message Date
Monis Khan
d25c6d9d0a
Make kubebuilder CRDs cluster scoped
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
89b00e3702
Declare war on namespaces
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Monis Khan
d2480e6300
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Monis Khan
4205e3dedc
Make concierge APIs cluster scoped
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Matt Moyer
ee80920ffd
Merge pull request #409 from mattmoyer/upgrade-debian
Upgrade Debian base images from 10.7 to 10.8.
2021-02-10 16:57:09 -06:00
Matt Moyer
45f4a0528c
Upgrade Debian base images from 10.7 to 10.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-10 15:57:16 -06:00
Andrew Keesler
d0266cecdb
Merge pull request #390 from ankeesler/use-more-middleware
Use middleware to mutate TokenCredentialRequest.Spec.Authenticator.APIGroup
2021-02-10 16:38:54 -05:00
Andrew Keesler
0fc1f17866
internal/groupsuffix: mutate TokenCredentialRequest's Authenticator
This is a partial revert of 288d9c999e. For some reason it didn't occur to me
that we could do it this way earlier. Whoops.

This also contains a middleware update: mutation funcs can return an error now
and short-circuit the rest of the request/response flow. The idea here is that
if someone is configuring their kubeclient to use middleware, they are agreeing
to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's
must have an Spec.Authenticator.APIGroup set).

I also updated some internal/groupsuffix tests to be more realistic.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 15:53:44 -05:00
Andrew Keesler
ae6503e972
internal/plog: add KObj() and KRef()
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 14:25:39 -05:00
Mo Khan
44b7679e9f
Merge pull request #407 from ankeesler/test-flake
test/integration: make TestKubeCertAgent more stable
2021-02-10 14:24:44 -05:00
Andrew Keesler
12d5b8959d
test/integration: make TestKubeCertAgent more stable
I think the reason we were seeing flakes here is because the kube cert agent
pods had not reached a steady state even though our test assertions passed, so
the test would proceed immediately and run more assertions on top of a weird
state of the kube cert agent pods.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 12:08:34 -05:00
Andrew Keesler
5b076e7421
Merge pull request #404 from ankeesler/remove-deprecated-commands
cmd/pinniped: delete get-kubeconfig + exchange-token
2021-02-10 08:33:00 -05:00
Andrew Keesler
1ffe70bbea
cmd/pinniped: delete get-kubeconfig + exchange-token
These were deprecated in v0.3.0.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 17:01:57 -05:00
Mo Khan
cf735715f6
Merge pull request #394 from enj/enj/i/server_side_tcr_api_group
Use server scheme to handle credential request API group changes
2021-02-09 16:36:13 -05:00
Monis Khan
2679d27ced
Use server scheme to handle credential request API group changes
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 15:51:38 -05:00
Monis Khan
6b71b8d8ad
Revert server side token credential request API group changes
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 15:51:35 -05:00
Andrew Keesler
43da4ab2e0
SECURITY.md: follow established pattern
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 09:08:19 -05:00
Matt Moyer
e4d8af6701
Merge pull request #399 from mattmoyer/upgrade-go
Upgrade Go from 1.15.7 to 1.15.8.
2021-02-08 18:17:17 -06:00
Matt Moyer
d06c935c2c
Upgrade Go from 1.15.7 to 1.15.8.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-08 10:58:51 -06:00
Mo Khan
9399b5d800
Merge pull request #395 from enj/enj/i/remove_multierror
Remove multierror package and migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate
2021-02-05 15:14:25 -05:00
Monis Khan
05a471fdf9
Migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 12:56:05 -05:00
Monis Khan
81d4e50f94
Remove multierror package
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 12:55:18 -05:00
Matt Moyer
850f030fe3
Merge pull request #393 from enj/enj/i/no_op_tcr_list
Add no-op list support to token credential request
2021-02-05 11:09:09 -06:00
Monis Khan
f7958ae75b
Add no-op list support to token credential request
This allows us to keep all of our resources in the pinniped category
while not having kubectl return errors for calls such as:

kubectl get pinniped -A

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 10:59:39 -05:00
Andrew Keesler
ee05f155ca
Merge pull request #392 from ankeesler/flowcontrol-rbac
deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations
2021-02-05 09:19:50 -05:00
Andrew Keesler
2ae631b603
deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations
As of upgrading to Kubernetes 1.20, our aggregated API server nows runs some
controllers for the two flowcontrol.apiserver.k8s.io resources in the title of
this commit, so it needs RBAC to read them.

This should get rid of the following error messages in our Concierge logs:
  Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
  Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-05 08:19:12 -05:00
Matt Moyer
9c64476aee
Tweak some small bits in the blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-04 17:51:35 -06:00
Matt Moyer
b6e98b5783
Update the get.pinniped.dev redirect to always point at the latest version.
I messed this up before because the ordering of the path components is a bit different than in the specific version case.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-04 17:48:41 -06:00
Matt Moyer
9addb4d6e0
Merge pull request #385 from vmware-tanzu/credential_request_spec_api_group
Use custom suffix in `Spec.Authenticator.APIGroup` of `TokenCredentialRequest`
2021-02-04 16:19:20 -06:00
Ryan Richard
2a921f7090
Merge branch 'main' into credential_request_spec_api_group 2021-02-04 13:44:53 -08:00
Matt Moyer
bb8b65cca6
Merge pull request #387 from vmware-tanzu/blog/multiple-pinnipeds
Add a v0.5.0 "multiple Pinnipeds" blog post.
2021-02-04 15:22:52 -06:00
Matt Moyer
5c331e9002
Fix go.pinniped.dev redirects.
Our meeting notes are now on HackMD, our Zoom link changed, and I added a YouTube link.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-04 14:56:50 -06:00
Matt Moyer
1382fc6e5f
Add a v0.5.0 "multiple Pinnipeds" blog post. 2021-02-04 14:56:49 -06:00
Andrew Keesler
cc8c917249
Merge pull request #325 from ankeesler/restart-test
Add an integration test helper to assert that no pods restart during the test
2021-02-04 13:07:40 -05:00
Andrew Keesler
ae498f14b4
test/integration: ensure no pods restart during integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-04 10:24:33 -05:00
Ryan Richard
288d9c999e Use custom suffix in Spec.Authenticator.APIGroup of TokenCredentialRequest
When the Pinniped server has been installed with the `api_group_suffix`
option, for example using `mysuffix.com`, then clients who would like to
submit a `TokenCredentialRequest` to the server should set the
`Spec.Authenticator.APIGroup` field as `authentication.concierge.mysuffix.com`.

This makes more sense from the client's point of view than using the
default `authentication.concierge.pinniped.dev` because
`authentication.concierge.mysuffix.com` is the name of the API group
that they can observe their cluster and `authentication.concierge.pinniped.dev`
does not exist as an API group on their cluster.

This commit includes both the client and server-side changes to make
this work, as well as integration test updates.

Co-authored-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Margo Crawford <margaretc@vmware.com>
2021-02-03 15:49:15 -08:00
Andrew Keesler
26922307ad prepare-for-integration-tests.sh: New cmdline option --api_group_suffix
Makes it easy to deploy Pinniped under a different API group for manual
testing and iterating on integration tests on your laptop.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-03 12:07:38 -08:00
Ryan Richard
5549a262b9 Rename client_test.go to concierge_client_test.go
Because it is a test of the conciergeclient package, and the naming
convention for integration test files is supervisor_*_test.go,
concierge_*_test.go, or cli_*_test.go to identify which component
the test is primarily covering.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 12:07:38 -08:00
Mo Khan
c5df66fbd5
Merge pull request #383 from enj/enj/i/avoid_scheme_double_register
Avoid double registering types in server scheme
2021-02-03 13:55:33 -05:00
Monis Khan
300d7bd99c
Drop duplicate logic for unversioned type registration
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Monis Khan
012bebd66e
Avoid double registering types in server scheme
This makes sure that if our clients ever send types with the wrong
group, the server will refuse to decode it.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-03 12:16:57 -05:00
Andrew Keesler
e1d06ce4d8
internal/mocks/mockroundtripper: we don't need these anymore
We thought we needed these to test the middleware, but we don't.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:55:38 -05:00
Andrew Keesler
52b98bdb87
Merge pull request #330 from enj/enj/f/better_middleware
Enhance middleware to allow multiple Pinnipeds
2021-02-03 08:53:00 -05:00
Andrew Keesler
62c117421a
internal/kubeclient: fix not found test and request body closing bug
- I realized that the hardcoded fakekubeapi 404 not found response was invalid,
  so we were getting a default error message. I fixed it so the tests follow a
  higher fidelity code path.
- I caved and added a test for making sure the request body was always closed,
  and believe it or not, we were double closing a body. I don't *think* this will
  matter in production, since client-go will pass us ioutil.NopReader()'s, but
  at least we know now.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-03 08:19:34 -05:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Andrew Keesler
93d25a349f
hack: fix docker most recent tag check
I think this stopped working when we starting using a specific registry in e0b94f47.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-02 18:01:07 -05:00
Andrew Keesler
93ebd0f949
internal/plog: add Enabled()
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-02 18:01:06 -05:00
Matt Moyer
74a8005f92
Merge pull request #376 from mattmoyer/add-csrftoken-test
Add some trivial unit tests to internal/oidc/csrftoken.
2021-02-02 11:02:39 -06:00
Matt Moyer
5b4e58f0b8
Add some trivial unit tests to internal/oidc/csrftoken.
This change is primarily to test that our test coverage reporting is working as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-02 09:38:17 -06:00
Matt Moyer
b871a02ca3
Merge pull request #375 from mattmoyer/test-coverage
Add Codecov configuration file.
2021-02-01 15:19:37 -06:00