Commit Graph

883 Commits

Author SHA1 Message Date
Matt Moyer
787cf47c39 Standardize whitespace/newlines for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:49 -05:00
Matt Moyer
9376f034ea Mask this testing-only private key so we don't alert on it.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:42:22 -05:00
Matt Moyer
1977dc2ce7 Add a .pre-commit-config.yaml file.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 14:41:11 -05:00
Matt Moyer
3fd4458e6a
Merge pull request #62 from suzerain-io/revert-59-pin-image-hashes
Revert "Pin images to exact hashes (Dependabot can handle this, it seems)."
2020-08-14 10:54:30 -05:00
Matt Moyer
ae0b97d807
Revert "Pin images to exact hashes (Dependabot can handle this, it seems)." 2020-08-14 10:52:29 -05:00
Matt Moyer
50e70f73ae
Merge pull request #59 from mattmoyer/pin-image-hashes
Pin images to exact hashes (Dependabot can handle this, it seems).
2020-08-14 10:33:41 -05:00
Andrew Keesler
df1a1cf1bd
LoginRequest -> CredentialRequest
- We want to follow the <noun>Request convention.
- The actual operation does not login a user, but it does retrieve a
  credential with which they can login.

- This commit includes changes to all LoginRequest-related symbols and
  constants to try to update their names to follow the new
  CredentialRequest type.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 11:26:09 -04:00
Matt Moyer
0d034cd18e Pin images to exact hashes (Dependabot can handle this, it seems).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-14 10:04:43 -05:00
Andrew Keesler
dd8ce677ba
Remove LoginRequestStatus.User, for now
As discussed in API review, this field exists for convenience right
now.  Since the username/groups are encoded in the Credential sent in
the LoginRequestStatus, the client still has access to their
user/groups information. We want to remove this for now to be
conservative and limit our API surface area (smaller surface area =
less to maintain). We can always add this back in the future.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 10:01:38 -04:00
Andrew Keesler
c6f1defa9d
LoginRequestStatus.Message should be a pointer since it is +optional
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 09:18:31 -04:00
Andrew Keesler
6e46ff345a
Run ./hack/module.sh tidy
I'm assuming if any of this is wrong, someone will yell at me...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-14 09:16:48 -04:00
Ryan Richard
b6c468117e Set the type on the image pull Secret
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-13 13:34:23 -07:00
Matt Moyer
1b23e31464
Merge pull request #55 from mattmoyer/switch-to-debian-base
Switch to debian base images.
2020-08-13 13:56:11 -05:00
Matt Moyer
c02b6fee8f Switch to Debian base images.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-13 13:35:42 -05:00
Ryan Richard
87eddf8bbd Add image pull secret as a data value for our ytt templates
Signed-off-by: Aram Price <pricear@vmware.com>
2020-08-12 17:02:43 -07:00
Ryan Richard
9648db0837 Update how integration tests which use LoginRequest make their clients
- When we call the LoginRequest endpoint in loginrequest_test.go,
  do it with an unauthenticated client, to make sure that endpoint works
  with unauthenticated clients.
- For tests which want to test using certs returned by LoginRequest to
  make API calls back to kube to check if those certs are working, make
  sure they start with a bare client and then add only those certs.
  Avoid accidentally picking up other kubeconfig configuration like
  tokens, etc.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 14:30:07 -07:00
Matt Moyer
ba0b997234
Merge pull request #54 from mattmoyer/add-dns-san
Make sure we have an explicit DNS SAN on our API serving certificate.
2020-08-12 12:44:43 -05:00
Matt Moyer
864db74306 Make sure we have an explicit DNS SAN on our API serving certificate.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-12 11:01:06 -05:00
aram price
e48d9faf27 Normalize ROOT naming and calculation in hack/ 2020-08-12 08:34:17 -07:00
Matt Moyer
031129778e
Merge pull request #53 from suzerain-io/dependabot/docker/golang-1.15.0-alpine
Bump golang from 1.14.7-alpine to 1.15.0-alpine
2020-08-12 10:18:26 -05:00
Andrew Keesler
ed9fdce6a8
hack/module.sh: sort modules for deterministic runs
find(1) seems to look at directory entries in the order in which they exist
in the directory fs entry. Let's sort these so that we get the same results
regardless of the order of the directory entries.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-12 09:36:33 -04:00
dependabot[bot]
d2f6eebc66
Bump golang from 1.14.7-alpine to 1.15.0-alpine
Bumps golang from 1.14.7-alpine to 1.15.0-alpine.

Signed-off-by: dependabot[bot] <support@github.com>
2020-08-12 05:50:33 +00:00
Ryan Richard
4cb0fd3949 Use a DaemonSet instead of a Deployment to deploy our app
- For high availability reasons, we would like our app to scale linearly
  with the size of the control plane. Using a DaemonSet allows us to run
  one pod on each node-role.kubernetes.io/master node.
- The hope is that the Service that we create should load balance
  between these pods appropriately.
2020-08-11 17:55:34 -07:00
Ryan Richard
e0f0eca512 Add another assertion to certs_manager_test.go 2020-08-11 17:33:06 -07:00
Ryan Richard
bfabcdcdd1 Add unittest_no_race option to module.sh
- Because the race detector is slow when running on a laptop and
  sometimes you want quick feedback
2020-08-11 17:28:00 -07:00
Andrew Keesler
224b59e740
test/integration: bump (another) cert expiration delta to help flake
Related: 553b519.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 17:22:25 -04:00
Andrew Keesler
553b519d0f
test/integration: bump cert expiration delta to help flake
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 16:09:31 -04:00
Ryan Richard
b80f3148fd
Merge pull request #43 from suzerain-io/cert_controllers
Refactor cert generation code into controllers
2020-08-11 12:36:30 -07:00
Andrew Keesler
d6e745203d
Revert "Add a FAKE API change to test codegen verification in CI"
This reverts commit 28a500fce9.
2020-08-11 14:57:14 -04:00
Aram Price
0806074d94
hack/update-codegen.sh: really fix symlink paths
This is totally gonna be it.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 14:50:43 -04:00
Aram Price
13d4a38eca
hack/update-codegen.sh: fix symlink paths
Wow fun times with symlinks. We *think* this script should work in CI
now...but we'll see.

Previously we were seeing a false positive where even though the generated
code was out of date, the CI step did not report failure.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 14:41:04 -04:00
Ryan Richard
5ec1fbd1ca Add an assertion that the private key and cert chain match in certs_manager_test.go
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-11 10:39:50 -07:00
Ryan Richard
fadd718d08 Add integration and more unit tests
- Add integration test for serving cert auto-generation and rotation
- Add unit test for `WithInitialEvent` of the cert manager controller
- Move UpdateAPIService() into the `apicerts` package, since that is
  the only user of the function.
2020-08-11 10:14:57 -07:00
Andrew Keesler
28a500fce9
Add a FAKE API change to test codegen verification in CI
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 11:19:52 -04:00
Andrew Keesler
745775bf4b
Merge pull request #44 from ankeesler/verify-in-ci
hack/verify-codegen.sh: make this script runnable from CI
2020-08-11 11:00:49 -04:00
Andrew Keesler
ce3de2b516
hack/verify-codegen.sh: updates to be run in CI
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-11 10:18:47 -04:00
Ryan Richard
8034ef24ff Fix a mistake from the previous commit
- Got the order of multiple return values backwards, which was caught
  by the integration tests
2020-08-10 19:34:45 -07:00
Ryan Richard
626fc6aa8d Merge branch 'main' into cert_controllers 2020-08-10 19:01:36 -07:00
Ryan Richard
cc9ae23a0c Add tests for the new cert controllers and some other small refactorings
- Add a unit test for each cert controller
- Make DynamicTLSServingCertProvider an interface and use a mutex
  internally
- Create a shared ToPEM function instead of having two very similar
  functions
- Move the ObservableWithInformerOption test helper to testutils
- Rename some variables and imports
2020-08-10 18:53:53 -07:00
Matt Moyer
7152ffd730
Merge pull request #48 from mattmoyer/extend-dependabot-config
Add additional go.mod directories to dependabot.
2020-08-10 12:11:27 -05:00
Matt Moyer
6300898810 Add additional go.mod directories to dependabot.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-10 12:09:32 -05:00
Matt Moyer
7c8876a812
Merge pull request #47 from suzerain-io/dependabot/docker/golang-1.14.7-alpine
Bump golang from 1.14.6-alpine to 1.14.7-alpine
2020-08-10 12:00:28 -05:00
dependabot[bot]
b3df59ca13
Bump golang from 1.14.6-alpine to 1.14.7-alpine
Bumps golang from 1.14.6-alpine to 1.14.7-alpine.

Signed-off-by: dependabot[bot] <support@github.com>
2020-08-10 16:46:08 +00:00
Matt Moyer
b4130af2bf
Merge pull request #46 from mattmoyer/downgrade-base-image
Temporarily downgrade our Docker base image to trigger dependabot.
2020-08-10 11:45:35 -05:00
Matt Moyer
5394008d6f Temporarily downgrade our Docker base image to trigger dependabot.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-10 11:44:47 -05:00
Matt Moyer
3583f7a09f
Merge pull request #45 from mattmoyer/add-dependabot-config
Add dependabot YAML configuration.
2020-08-10 11:38:35 -05:00
Matt Moyer
df3c387f2e Add dependabot YAML configuration.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-10 11:37:52 -05:00
Andrew Keesler
fa0533fae9
hack/module.sh: update usage with unittest command
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-10 10:18:36 -04:00
Ryan Richard
86c3f89b2e First draft of moving API server TLS cert generation to controllers
- Refactors the existing cert generation code into controllers
  which read and write a Secret containing the certs
- Does not add any new functionality yet, e.g. no new handling
  for cert expiration, and no leader election to allow for
  multiple servers running simultaneously
- This commit also doesn't add new tests for the cert generation
  code, but it should be more unit testable now as controllers
2020-08-09 10:04:05 -07:00
Ryan Richard
b00cec954e Pre-factor server.go
- No functional changes
- Move all the stuff about clients and controllers into the controller
  package
- Add more comments and organize the code more into more helper
  functions to make each function smaller
2020-08-07 14:49:04 -07:00