Commit Graph

172 Commits

Author SHA1 Message Date
Margo Crawford
264778113d lookupEnv in oidclogin same as for static 2021-04-21 09:02:45 -07:00
Margo Crawford
b5889f37ff WIP on new plog 2021-04-21 09:02:45 -07:00
Margo Crawford
45e4695444 Unset pinniped debug environment variable at end of integration test
Also log when setting the debug log level fails
2021-04-21 09:02:45 -07:00
Margo Crawford
211d4fd0b6 Add more logging, integration test checks that debug flag works. 2021-04-21 09:02:45 -07:00
Margo Crawford
8ffd9fdc4e Started debug logging. 2021-04-21 09:02:45 -07:00
Ryan Richard
4c2a0b4872 Add new command-line flags to the login oidc command
- Also some light prefactoring in login.go to make room for LDAP-style
  login, which is not implemented yet in this commit. TODOs are added.
- And fix a test pollution problem in login_oidc_test.go where it was
  using a real on-disk CLI cache file, so the tests were polluted by
  the contents of that file and would sometimes cause each other to
  fail.
2021-04-16 18:30:31 -07:00
Ryan Richard
8d75825635 Merge branch 'main' into initial_ldap 2021-04-14 17:47:26 -07:00
Matt Moyer
3b461572ea
Add cluster info to cache key for cluster-specific credential cache.
This isn't strictly necessary because we currently always have the concierge endpoint and CA as CLI flags, but it doesn't hurt and it's better to err on the side of _not_ reusing a cache entry.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 17:12:59 -05:00
Matt Moyer
271c006b6c
Add --credential-cache flag to "pinniped get kubeconfig" and tweak usage messages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 16:57:18 -05:00
Matt Moyer
2296faaeef
Add CLI caching of cluster-specific credentials.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 14:12:34 -05:00
Matt Moyer
4e25bcd4b2
Generate more helpful context/cluster/user names in pinniped get kubeconfig
Before this change, the "context", "cluster", and "user" fields in generated kubeconfig YAML were always hardcoded to "pinniped". This could be confusing if you generated many kubeconfigs for different clusters.

After this change, the fields will be copied from their names in the original kubeconfig, suffixed with "-pinniped". This suffix can be overridden by setting the new `--generated-name-suffix` CLI flag.

The goal of this change is that you can distinguish between kubeconfigs generated for different clusters, as well as being able to distinguish between the Pinniped and original (admin) kubeconfigs for a cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 12:36:02 -05:00
Matt Moyer
2e79664f3d
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy 2021-03-23 09:05:13 -05:00
Andrew Keesler
f6646eb2b7
cmd/pinniped: add generate-markdown-help for generating CLI doc
This command is hidden. We want to use this to generate our CLI reference docs
upon release.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-23 09:35:58 -04:00
Ryan Richard
c9b1982767 Merge branch 'main' into impersonation-proxy 2021-03-22 09:27:18 -07:00
Monis Khan
964d4889c4
pinniped whoami: print correct cluster info when --kubeconfig-context is used
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 18:42:40 -04:00
Andrew Keesler
257d69045d
Reuse internal/concierge/scheme
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:40:59 -04:00
Andrew Keesler
05a188d4cd
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:36:28 -04:00
Andrew Keesler
de6837226e
cmd/pinniped: add whoami command
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:34 -04:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Matt Moyer
a52455504f
Capitalize "Concierge" in these error messages as well, for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
4f154100ff
Remove "--concierge-mode" flag from "pinniped login [...]" commands.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
d2d9b1e49e
Stop outputting "--concierge-mode" from "pinniped get kubeconfig".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:13:29 -06:00
Matt Moyer
c9ce067a0e
Captialize "API" in this error message.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:11:46 -06:00
Matt Moyer
005133fbfb
Add more debug logging when waiting for pending strategies.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 16:56:53 -06:00
Matt Moyer
0cb1538b39
Fix linter warnings, including a bit of refactoring.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 15:16:46 -06:00
Matt Moyer
0abe10e6b2
Add new behavior to "pinniped get kubeconfig" to wait for pending strategies to become non-pending.
This behavior can be disabled with "--concierge-skip-wait".

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 14:50:35 -06:00
Matt Moyer
d6a0dfa497
Add some debug logging when "pinniped get kubeconfig" fails to find a successful strategy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-09 12:44:35 -06:00
Matt Moyer
6efbd81f75
Rename this flag types for consistency.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:33:38 -06:00
Matt Moyer
a059d8dfce
Refactor "get kubeconfig" a bit more to clean things up.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 14:31:13 -06:00
Matt Moyer
389cd3486b
Rework "pinniped get kubeconfig" so that --concierge-mode can be used even when auto-discovering other parameters.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-08 11:43:56 -06:00
Matt Moyer
73419313ee
Log when the validation eventually succeeds.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:59:43 -06:00
Matt Moyer
5d8594b285
Add validation step to "pinniped get kubeconfig".
This adds two new flags to "pinniped get kubeconfig": --skip-validation and --timeout.

By default, at the end of the kubeconfig generation process, we validate that we can reach the configured cluster. In the future this might also validate that the TokenCredentialRequest API is running, but for not it just verifies that the DNS name resolves, and the TLS connection is available on the given port.

If there is an error during this check, we block and retry for up to 10 minutes. This duration can be changed with --timeout an the entire process can be skipped with --skip-validation.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 16:35:42 -06:00
Matt Moyer
ce1b6303d9
Add an "--output" flag to "pinniped get kubeconfig".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:53:30 -06:00
Matt Moyer
36bc679142
Add diagnostic logging to "pinniped get kubeconfig".
These stderr logs should help clarify all the autodetection logic that's happening in a particular run.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-05 15:52:17 -06:00
Matt Moyer
6a8f377781
Fix a linter warning.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 16:16:03 -06:00
Matt Moyer
34e15f03c3
Simplify const declarations in flag_types.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 15:21:50 -06:00
Matt Moyer
ddd1d29e5d
Fix "pinniped get kubeconfig" strategy detection to pick the _first_ working strategy.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-04 12:24:57 -06:00
Ryan Richard
8bf03257f4 Add new impersonation-related constants to api types and run codegen 2021-03-02 15:28:13 -08:00
Matt Moyer
60f92d5fe2
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
This is more than an automatic merge. It also includes a rewrite of the CredentialIssuer API impersonation proxy fields using the new structure, and updates to the CLI to account for that new API.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-02 16:06:19 -06:00
Margo Crawford
ccb17843c1 Fix some lint errors that resulted from merging main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-25 15:06:24 -08:00
Matt Moyer
f937ae2c07
Add --concierge-credential-issuer flag to "pinniped get kubeconfig" command.
This flag selects a CredentialIssuer to use when detecting what mode the Concierge is in on a cluster. If not specified, the command will look for a single CredentialIssuer. If there are multiple, then the flag is required.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Matt Moyer
1c7c22352f
Switch "get kubeconfig" flags to use --concierge-mode flag instead of boolean flag.
This is the same as the previous change to the login commands.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-25 14:31:51 -06:00
Margo Crawford
975d493b8a Fix some small lint errors
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-24 16:09:15 -08:00
Matt Moyer
943b0ff6ec
Switch login flags to use --concierge-mode flag instead of boolean flag.
The login commands now expect either `--concierge-mode ImpersonationProxy` or `--concierge-mode TokenCredentialRequestAPI` (the default).

This is partly a style choice, but I also think it helps in case we need to add a third major mode of operation at some point.

I also cleaned up some other minor style items in the help text.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-24 17:09:08 -06:00
Andrew Keesler
069b3fba37
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-23 12:10:52 -05:00
Ryan Richard
80ff5c1f17 Fix bug which prevented watches from working through impersonator
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Monis Khan
89b00e3702
Declare war on namespaces
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Andrew Keesler
1ffe70bbea
cmd/pinniped: delete get-kubeconfig + exchange-token
These were deprecated in v0.3.0.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 17:01:57 -05:00
Ryan Richard
e4c49c37b9 Merge branch 'main' into impersonation-proxy 2021-02-09 13:45:37 -08:00
Monis Khan
05a471fdf9
Migrate callers to k8s.io/apimachinery/pkg/util/errors.NewAggregate
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-05 12:56:05 -05:00
Margo Crawford
343c275f46 Path to ci bundle rather than the actual value for get kubeconfig
Also changed a function param to a pointer
2021-02-03 09:37:36 -08:00
Margo Crawford
12e41d783f Refactored execCredentialForImpersonationProxy to be shared 2021-02-03 09:34:48 -08:00
Margo Crawford
2f891b4bfb Add --concierge-use-impersonation-proxy to static login
- also renamed --use-impersonation-proxy to
--concierge-use-impersonation-proxy
2021-02-03 09:34:47 -08:00
Margo Crawford
170b86d0c6 Add happy path test for login oidc 2021-02-03 09:34:47 -08:00
Margo Crawford
07b7b743b4 Impersonation proxy cli arguments 2021-02-03 09:34:39 -08:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Andrew Keesler
1c3518e18a
cmd/pinniped: wire API group suffix through to client components
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Margo Crawford
9051342d6d Ignore lint error 2021-01-08 14:13:04 -08:00
Margo Crawford
6f04613aed Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
Margo Crawford
326f10bbbf Resolving code review suggestions:
- set provideClusterInfo to true
- kubernetes library versions to 0.20.1
- version timestamps back to v0.0.0-00010101000000-000000000000
2021-01-08 10:21:59 -08:00
Margo Crawford
1b770b01ae Fix failing kubeconfig unit test 2021-01-07 16:23:41 -08:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Monis Khan
bba0f3a230
Always set an owner ref back to our deployment
This change updates our clients to always set an owner ref when:

1. The operation is a create
2. The object does not already have an owner ref set

Signed-off-by: Monis Khan <mok@vmware.com>
2021-01-07 15:25:40 -05:00
Matt Moyer
3e15e184ef
Update test assertions related to spf13/cobra.
It now correctly prints errors to stderr (https://github.com/spf13/cobra/pull/894).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
71850419c1
Overhaul pinniped CLI subcommands.
- Adds two new subcommands: `pinniped get kubeconfig` and `pinniped login static`
- Adds concierge support to `pinniped login oidc`.
- Adds back wrapper commands for the now deprecated `pinniped get-kubeconfig` and `pinniped exchange-credential` commands. These now wrap `pinniped get kubeconfig` and `pinniped login static` respectively.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
dfbb5b60de
Remove pinniped get-kubeconfig CLI subcommand.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
3b5f00439c
Remove pinniped exchange-credential CLI subcommand.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:02 -06:00
Matt Moyer
e7338da3dc
Tweak default CLI --scopes parameter to match supervisor use case.
This should be a better default for most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:48:11 -06:00
Matt Moyer
4395d5a0ca
Add a default --client-id in pinniped login oidc command.
This default matches the static client we have defined in the supervisor, which will be the correct value in most cases.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 09:46:07 -06:00
Andrew Keesler
0efc19a1b7
Support JWTAuthenticator in pinniped CLI
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
aram price
8d2b8ae6b5 Use constants for scope values 2020-12-08 10:46:05 -08:00
Matt Moyer
bfcd2569e9
Add a --request-audience flag to the pinniped login oidc CLI command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:22:20 -06:00
Matt Moyer
c6ead9d7dd
Remove "email" and "profile" from default scopes requested by CLI.
We decided that we don't really need these in every case, since we'll be returning username and groups in a custom claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 16:02:16 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:02:03 -06:00
Rajat Goyal
53bece2186 Avoid printing the error message twice from client 2020-11-21 00:05:26 +05:30
Ryan Richard
c83cec341b
Merge branch 'main' into fix-getting-started4 2020-11-17 15:02:36 -08:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
dd2133458e
Add --ca-bundle flag to "pinniped login oidc" command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 18:15:20 -06:00
Michael Nelson
57a2dc9fc1 Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml 2020-11-16 11:05:53 +11:00
Monis Khan
1c60e09f13
Make race detector happy by removing parallelism
Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 11:23:42 -05:00
Matt Moyer
59263ea733
Rename CredentialIssuerConfig to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-02 17:39:42 -06:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
0948457521
Promote the pinniped login command out of alpha.
This was hidden behind a `pinniped alpha` hidden subcommand, but we're comfortable enough with the CLI flag interface now to promote it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:41 -05:00
Matt Moyer
e919ef6582
Add a file-based session cache.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 14:28:05 -05:00
Matt Moyer
7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient. 2020-10-21 13:07:21 -05:00
Matt Moyer
4ef41f969d
Add a util helper for marking a CLI flag as hidden.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:07:21 -05:00
Matt Moyer
67b692b11f
Implement the rest of an OIDC client CLI library.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
ce49d8bd7b
Remove the --use-pkce flag and just always use it.
Based on the spec, it seems like it's required that OAuth2 servers which do not support PKCE should just ignore the parameters, so this should always work.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
a13d7ec5a1
Remove temporary --debug-auth-code-exchange flag for OIDC client CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00