Andrew Keesler
d5dd65cfe8
So...does this macos-unit-tests workflow work?
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-27 18:00:54 -04:00
Matt Moyer
7880f7ea41
Merge pull request #171 from danjahner/main
...
Rename logo file
2020-10-26 17:20:36 -05:00
Dan Jahner
13ccb07fe4
Rename logo file
2020-10-26 15:06:04 -07:00
Matt Moyer
6c092deba5
Merge pull request #169 from mattmoyer/promote-login-command
...
Promote the `pinniped login` command out of alpha.
2020-10-23 19:48:44 -05:00
Matt Moyer
7615667b9b
Update TestCLILoginOIDC to use new non-alpha login command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:42 -05:00
Matt Moyer
0948457521
Promote the `pinniped login` command out of alpha.
...
This was hidden behind a `pinniped alpha` hidden subcommand, but we're comfortable enough with the CLI flag interface now to promote it.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:41 -05:00
Andrew Keesler
110c72a5d4
dynamiccertauthority: fix cert expiration test failure
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-23 15:34:25 -04:00
Andrew Keesler
f928ef4752
Also mention using a service mesh is an option for supervisor ingress
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-23 10:23:17 -07:00
Ryan Richard
eafdef7b11
Add docs for creating an Ingress for the Supervisor
...
Note that some of these new docs mention things that will not be
implemented until we finish the next story.
2020-10-22 16:57:50 -07:00
Matt Moyer
4c844ba334
Merge pull request #168 from mattmoyer/cli-session-refresh
...
Add support for refresh token flow in OIDC CLI client.
2020-10-22 18:13:42 -05:00
Matt Moyer
07001e5ee3
Extend TestCLILoginOIDC to test refresh flow.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Matt Moyer
3508a28369
Implement refresh flow in ./internal/oidcclient package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Ryan Richard
397ec61e57
Specify the supervisor NodePort Service's `port` and `nodePort` separately
...
When using kind we forward the node's port to the host, so we only
really care about the `nodePort` value. For acceptance clusters,
we put an Ingress in front of a NodePort Service, so we only really
care about the `port` value.
2020-10-22 15:37:35 -07:00
Ryan Richard
8ae04605ca
Add comments for magic 31234 port
...
Also delete hack/lib/kind-config/multi-node.yaml since we don't think we will
use it...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-22 17:54:35 -04:00
Matt Moyer
8772a00824
Merge pull request #167 from mattmoyer/fix-accidental-timeout-regression
...
Fix a timeout in TestCLILoginOIDC that was accidentally shortened.
2020-10-22 12:24:49 -05:00
Matt Moyer
ce598eb58e
Fix a timeout in TestCLILoginOIDC that was accidentally shortened in 0adbb5234e.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 11:49:04 -05:00
Matt Moyer
4b24e9c625
Merge pull request #166 from mattmoyer/add-cli-test-debug-output
...
Add some verbose logging to TestCLILoginOIDC.
2020-10-22 11:17:18 -05:00
Matt Moyer
fe3b44b134
Add some verbose logging to TestCLILoginOIDC.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 10:33:37 -05:00
Ryan Richard
122f7cffdb
Make the supervisor healthz endpoint public
...
Based on our experiences today with GKE, it will be easier for our users
to configure Ingress health checks if the healthz endpoint is available
on the same public port as the OIDC endpoints.
Also add an integration test for the healthz endpoint now that it is
public.
Also add the optional `containers[].ports.containerPort` to the
supervisor Deployment because the GKE docs say that GKE will look
at that field while inferring how to invoke the health endpoint. See
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc
2020-10-21 15:24:58 -07:00
Matt Moyer
5dbc03efe9
Merge pull request #165 from mattmoyer/cli-session-cache
...
Add basic file-based session cache for CLI OIDC client.
2020-10-21 16:30:03 -05:00
Matt Moyer
0adbb5234e
Extend TestCLILoginOIDC to test ID token caching behavior.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 15:02:42 -05:00
Matt Moyer
e919ef6582
Add a file-based session cache.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 14:28:05 -05:00
Andrew Keesler
fa5f653de6
Implement readinessProbe and livenessProbe for supervisor
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-21 11:51:31 -07:00
Matt Moyer
e8113e3770
Add basic caching framework to ./internal/oidclient package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:14:16 -05:00
Matt Moyer
7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient.
2020-10-21 13:07:21 -05:00
Matt Moyer
4ef41f969d
Add a util helper for marking a CLI flag as hidden.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:07:21 -05:00
Andrew Keesler
3e39800005
Merge pull request #164 from vmware-tanzu/virtual-hosts
...
Virtual hosts integration test
2020-10-21 09:16:59 -04:00
Ryan Richard
52ebd77527
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests
...
- Not used by any of our integration test clusters yet
- Planning to use it later for the kind clusters and maybe for
the acceptance clusters too (although the acceptance clusters might
not need to use self-signed certs so maybe not)
2020-10-20 16:46:33 -07:00
Ryan Richard
ec21fc8595
Also delete the final OIDCProviderConfig made by an integration test
...
- It didn't matter before because it would be cleaned up by a
t.Cleanup() function, but now that we might loop twice it will matter
during the second time through the loop
2020-10-20 15:59:25 -07:00
Ryan Richard
276dff5772
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS
...
- We plan to use this on acceptance clusters
- We also plan to use this for a future story in the kind-based tests,
but not yet
2020-10-20 15:57:10 -07:00
Ryan Richard
90235418b9
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 15:22:03 -07:00
Ryan Richard
9ba93d66c3
test/integration: prefactoring for testing virtual hosts
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 17:00:36 -04:00
Ryan Richard
aff85acf37
Merge pull request #163 from vmware-tanzu/discovery_jwks
...
Implement per-issuer OIDC JWKS endpoint
2020-10-19 13:00:49 -07:00
Ryan Richard
4da64f38b5
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 12:21:18 -07:00
Ryan Richard
d9d76726c2
Implement per-issuer OIDC JWKS endpoint
2020-10-16 17:51:40 -07:00
Ryan Richard
08659a6583
Merge pull request #158 from vmware-tanzu/label_every_resource
...
Custom labels can be applied to all k8s resources created by Pinniped
2020-10-15 14:02:29 -07:00
Andrew Keesler
e2630be00a
Update feature proposal template to work for users and contributors
2020-10-15 17:01:24 -04:00
Andrew Keesler
8fe031e73d
Do not copy pkg directory in Dockerfile
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 13:31:16 -07:00
Andrew Keesler
617c5608ca
Supervisor controllers apply custom labels to JWKS secrets
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 12:40:56 -07:00
Andrew Keesler
dda3c21a8e
Add missing parenthesis to bug report template
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 14:07:43 -04:00
Ryan Richard
f8e461dfc3
Merge branch 'main' into label_every_resource
2020-10-15 10:19:03 -07:00
Ryan Richard
94f20e57b1
Concierge controllers add labels to all created resources
2020-10-15 10:14:23 -07:00
Andrew Keesler
943286bbc6
Merge pull request #157 from ankeesler/generate-jwk-key
...
Pinniped federation server generates and persists a JWT signing key
2020-10-15 11:55:22 -04:00
Andrew Keesler
e05213f9dd
supervisor-generate-key: use EC keys instead of RSA
...
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 11:33:08 -04:00
Andrew Keesler
5a0dab768f
test/integration: remove unused function (see 31225ac7a)
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:26:15 -04:00
Andrew Keesler
fbcce700dc
Fix whitespace/spelling nits in JWKS controller
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:22:17 -04:00
Andrew Keesler
a5abe9ca3e
hack/lib/tilt: fix deployment change leftover from c030551a
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:20:09 -04:00
Andrew Keesler
1b99983441
apis: fix indentation in Go type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:19:00 -04:00
Andrew Keesler
31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:09:49 -04:00
Andrew Keesler
f21122a309
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-15 07:51:15 -04:00