Commit Graph

2356 Commits

Author SHA1 Message Date
Matt Moyer
5686591420
Avoid a rare flake in TestSupervisorLogin.
There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:13:56 -05:00
Matt Moyer
6903196c18
Fix a data race in TestImpersonationProxy.
The `require.Eventually()` function runs the body of the check in a separate goroutine, so it's not safe to use other `require` assertions as we did here. Our `library.RequireEventuallyWithoutError()` function does not spawn a goroutine, so it's safer to use here.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00
Matt Moyer
af4cd1b515
Tolerate NotFound when deleting services in impersonatorconfig.
When a CredentialIssuer is switched from one service type to another (or switched to disabled mode), the `impersonatorconfig` controller will delete the previous Service, if any. Normally one Concierge pod will succeed to delete this initially and any other pods will see a NotFound error.

Before this change, the NotFound would bubble up and cause the strategy to enter a ErrorDuringSetup status until the next reconcile loop. We now handle this case without reporting an error.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-03 12:07:19 -05:00
Matt Moyer
2acfafd5a5
Merge pull request #656 from vmware-tanzu/fix-credentialissuer-test-flake
Remove an invalid test assertion in TestCredentialIssuer.
2021-06-03 12:03:22 -05:00
anjalitelang
a5067cdbb3
Update ROADMAP.md
Updating Roadmap for June to reflect Device Code Flow and AD support
2021-06-03 12:33:36 -04:00
Matt Moyer
5aa08756e0
Fix typo in CredentialIssuer ytt template.
This typo wasn't caught in testing because 1) the Kubernetes API ignores the unknown field and 2) the `type` field defaults to `LoadBalancer` anyway, so things behave as expected.

Even though this doesn't cause any large problems, it's quite confusing.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 14:48:18 -05:00
Matt Moyer
0e66b0b165
Remove an invalid test assertion in TestCredentialIssuer.
The LastUpdateTime is no longer updated on every resync. It only changes if the underlying status has changed, so that it effectively shows when the transition happened.

This change happened in ab750f48aa, but we missed this test. It only fails when it has been more than ten minutes since the CredentialIssuer transitioned into a healthy state, but that can happen in our long-running CI environments.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 12:05:02 -05:00
Matt Moyer
87660611d2
Tweak blog post to add a shoutout.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 11:28:54 -05:00
Matt Moyer
9968c0d234
Fix my fix 🤦🏻 . 2021-06-02 11:06:03 -05:00
Matt Moyer
193fcb87bb
Fix a typo on the "Community Meetings" time.
We had "PT" twice, when one of them should have been "ET".
2021-06-02 11:05:29 -05:00
Ryan Richard
a08e4ec043
Update architecture.md 2021-06-02 08:54:04 -07:00
Matt Moyer
e38a7548cc
Link the v0.9.0 release from the blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:24:17 -05:00
Pinny
b5dea42bbe Update CLI docs for v0.9.0 release 2021-06-02 15:22:13 +00:00
Matt Moyer
d06fe15a68
Merge pull request #655 from mattmoyer/update-docs-for-v0.9.0
Update docs for v0.9.0
2021-06-02 10:07:02 -05:00
Matt Moyer
e6301f0e74
Update latest version number in docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:05:07 -05:00
Matt Moyer
aca33e45fb
Fix blog post date to match actual v0.9.0 release.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:02:59 -05:00
Matt Moyer
46825b1c9f
Merge pull request #653 from mattmoyer/fix-impersonation-test-flake
Fix another impersonation test flake related to `kubectl logs --tail` line count + test refactor.
2021-06-01 16:51:16 -05:00
Matt Moyer
2ee3cec5ed
Refactor TestImpersonationProxy "apply annotation" test for clarity.
This test felt overly complex and some of the cleanup logic wasn't 100% correct (it didn't clean up in all cases).

The new code is essentially the same flow but hopefully easier to read.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
75d92079e4
Allow some flexibility in "kubectl logs --tail=10" test.
We see that occasionally kubectl returns 11 lines (probably related to https://github.com/kubernetes/kubernetes/issues/72628).

This test doesn't need to be so picky, so now it allows +/- one line from the expected count.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
0be77c3bf2
Merge pull request #651 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.13
Bump github.com/creack/pty from 1.1.12 to 1.1.13
2021-06-01 15:50:38 -05:00
dependabot[bot]
d4a6a61560
Bump github.com/creack/pty from 1.1.12 to 1.1.13
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.12 to 1.1.13.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.12...v1.1.13)

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-01 20:15:47 +00:00
Ryan Richard
abc3df8df9
Merge pull request #637 from vmware-tanzu/ldap_docs
LDAP docs
2021-06-01 12:59:58 -07:00
Ryan Richard
5932bce54d
Merge branch 'main' into ldap_docs 2021-06-01 12:59:38 -07:00
Matt Moyer
41ff3e0917
Merge pull request #652 from mattmoyer/fix-impersonation-test-flake
In TestImpersonationProxy tests, avoid mutating anything in parallel block of tests.
2021-06-01 14:41:07 -05:00
Matt Moyer
f62c6e806d
In TestImpersonationProxy tests, avoid mutating anything in parallel block of tests.
We had this one test that mutated the CredentialIssuer, which could cause the impersonation proxy to blip on one or both of the running concierge pods. This would sometimes break other concurrently running tests.

Instead, this bit of code is split into a separate non-concurrent test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 14:02:27 -05:00
Ryan Richard
79e3980f1f Fix nil function deference in an integration test from previous commit 2021-05-28 17:06:01 -07:00
Ryan Richard
8f2e8b8a6c
Merge branch 'main' into ldap_docs 2021-05-28 16:20:02 -07:00
Ryan Richard
e4fda80fcc
Merge pull request #650 from mattmoyer/do-not-log-usernames-that-might-be-passwords
In LDAP, do not log username until we know the user exists.
2021-05-28 16:16:32 -07:00
Ryan Richard
5263e0bae5
Merge branch 'main' into do-not-log-usernames-that-might-be-passwords 2021-05-28 16:16:01 -07:00
Ryan Richard
b8205006ca Enable skipping of LDAP int tests when a firewall will block them 2021-05-28 16:13:20 -07:00
Matt Moyer
7ee1f8c441
In LDAP, do not log username until we know the user exists.
This prevents accidentally logging a password if the user enters it into the username field by mistake.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 16:57:48 -05:00
Ryan Richard
854903c4ed
Merge pull request #649 from vmware-tanzu/change_ldap_groupname_default
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" in LDAPIdentityProvider spec
2021-05-28 14:04:37 -07:00
Ryan Richard
cedbe82bbb Default groupSearch.attributes.groupName to "dn" instead of "cn"
- DNs are more unique than CNs, so it feels like a safer default
2021-05-28 13:27:11 -07:00
Matt Moyer
a741041737
Merge pull request #648 from mattmoyer/2021-05-28-dep-upgrades
Upgrade Go dependencies (fosite and klog).
2021-05-28 14:31:58 -05:00
Matt Moyer
83f418e7f2
Upgrade k8s.io/klog/v2 to v2.9.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Matt Moyer
e25de9e559
Update ID token tests for latest Fosite.
The new version has different behavior for the `nonce` claim, which is now omitted if it would be empty (see https://github.com/ory/fosite/pull/570).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Matt Moyer
87c7e89b13
Upgrade github.com/ory/fosite to v0.40.2.
This required a weird hack because some of the Fosite tests (or a transitive dependency of them) depends on a newer version of gRPC that's incompatible with the Kubernetes runtime version we use. It wasn't as simple as just replacing the gRPC module with an older version, because in the latest versions of gRPC, they split out the "examples" packages into their own module. This new module name doesn't exist at the old version.

Ultimately, the workaround was to make a fake "examples" module locally. This module can be empty because we never actually depend on that code (it's only used in transitive dependency tests).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Ryan Richard
4722422aae Fix OIDC assertion bug in TestSupervisorLogin introduced by LDAP branch 2021-05-28 10:37:46 -07:00
Matt Moyer
a39b328778
Merge pull request #626 from vmware-tanzu/credentialissuer-spec-api
Add spec fields to Credentialissuer API to configure impersonation proxy behavior
2021-05-27 17:48:45 -05:00
Matt Moyer
343238fa9b
Merge branch 'credentialissuer-spec-api-docs' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 17:12:08 -05:00
Matt Moyer
a69fe68362
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 17:11:40 -05:00
Matt Moyer
01713c7ce1
Don't reconcile Service ports in impersonatorconfig.
These are tricky because a real load balancer controller (e.g., on GKE) will overwrite and set NodePort, so we can't blindly set the desired state of this fields.

For now, we will just skip reconciling these. In the future, we could be more clever about merging them together with the current state.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-27 17:10:25 -05:00
Matt Moyer
ab750f48aa
When merging CredentialIssuer updates, don't overwrite LastUpdated.
If the only thing that has changed about a strategy is the LastUpdated timestamp, then we should not update the object.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-27 17:09:12 -05:00
Ryan Richard
d7d8630e08 Merge branch 'main' into ldap_docs 2021-05-27 14:30:02 -07:00
Ryan Richard
cd7f5741d8 Incorporate feedback into LDAP blog post 2021-05-27 14:29:40 -07:00
Ryan Richard
c8dc03b06a
Merge pull request #647 from vmware-tanzu/ldap_binary_uids
Use base64 binary-encoded value as UID for LDAP
2021-05-27 14:28:21 -07:00
Ryan Richard
83001d8cce Fix typo in LDAP blog post 2021-05-27 14:13:07 -07:00
Ryan Richard
d2251d2ea7 Use base64 binary-encoded value as UID for LDAP
This is to allow the use of binary LDAP entry attributes as the UID.
For example, a user might like to configure AD’s objectGUID or maybe
objectSid attributes as the UID attribute.

This negatively impacts the readability of the UID when it did not come
from a binary value, but we're considering this an okay trade-off to
keep things simple for now. In the future, we may offer more
customizable encoding options for binary attributes.

These UIDs are currently only used in the downstream OIDC `sub` claim.
They do not effect the user's identity on the Kubernetes cluster,
which is only based on their mapped username and group memberships from
the upstream identity provider. We are not currently supporting any
special encoding for those username and group name LDAP attributes, so
their values in the LDAP entry must be ASCII or UTF-8 in order for them
to be interpreted correctly.
2021-05-27 13:47:10 -07:00
Margo Crawford
f330b52076 Update values.yaml to include CredentialIssuer ImpersonationProxy spec. 2021-05-27 13:36:18 -07:00
Matt Moyer
af2af567be
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 15:13:36 -05:00