Commit Graph

2101 Commits

Author SHA1 Message Date
Monis Khan
6a9f57f83d
TestWhoAmI: support older clusters (CSR and impersonation)
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-23 10:15:17 -05:00
Ryan Richard
80ff5c1f17 Fix bug which prevented watches from working through impersonator
Also:
- Changed base64 encoding of impersonator bearer tokens to use
  `base64.StdEncoding` to make it easier for users to manually
  create a token using the unix `base64` command
- Test the headers which are and are not passed through to the Kube API
  by the impersonator more carefully in the unit tests
- More WIP on concierge_impersonation_proxy_test.go

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-22 17:23:11 -08:00
Monis Khan
aa22047a0f
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:42 -05:00
Monis Khan
abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00
Monis Khan
62630d6449
getAggregatedAPIServerScheme: move group version logic internally
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 11:10:54 -05:00
Mo Khan
f228f022f5
Merge pull request #435 from enj/enj/c/bump_v0.20.4
Bump Kube deps to v0.20.4
2021-02-19 10:59:40 -05:00
Monis Khan
1c1decfaf1
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 10:33:10 -05:00
Monis Khan
7786c83b0d
Bump kube deps to v0.20.4
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 10:26:53 -05:00
Mo Khan
41b75e6977
Merge pull request #431 from enj/enj-patch-1
concierge API service: update groupPriorityMinimum and versionPriority
2021-02-19 08:48:06 -05:00
Mo Khan
a54e1145a5
concierge API service: update groupPriorityMinimum and versionPriority
Copy over values that I have seen used in the past.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 07:47:38 -05:00
Ryan Richard
b8592a361c Add some comments to concierge_impersonation_proxy_test.go
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 16:27:03 -08:00
Margo Crawford
19881e4d7f Increase how long we wait for loadbalancers to be deleted for int test
Also add some log messages which might help us debug issues like this
in the future.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 15:58:27 -08:00
Ryan Richard
126f9c0da3 certs_manager.go: Rename some local variables
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 11:16:34 -08:00
Margo Crawford
7a140bf63c concierge_impersonation_proxy_test.go: add an eventually loop
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-18 11:08:13 -08:00
Ryan Richard
f5fedbb6b2 Add Service resource "delete" permission to Concierge RBAC
- Because the impersonation proxy config controller needs to be able
  to delete the load balancer which it created

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 11:00:22 -08:00
Andrew Keesler
957cb2d56c
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 13:37:28 -05:00
Andrew Keesler
b3cdc438ce
internal/concierge/impersonator: reuse kube bearertoken.Authenticator
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-18 10:13:24 -05:00
Margo Crawford
22a3e73bac impersonator_config_test.go: use require.Len() when applicable
Also fix a lint error in concierge_impersonation_proxy_test.go

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:29:56 -08:00
Margo Crawford
0ad91c43f7 ImpersonationConfigController uses servicesinformer
This is a more reliable way to determine whether the load balancer
is already running.
Also added more unit tests for the load balancer.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-02-17 17:22:13 -08:00
Matt Moyer
2b208807a6
Merge pull request #426 from mattmoyer/website-accessibility-tweaks
Tweak website styles for accessibility.
2021-02-17 17:28:03 -06:00
Matt Moyer
25f841d063
Tweak website styles for accessibility.
Makes most of the fonts a bit bigger, increases contrast, fixes some nits about the spacing in numbered/bulletted lists, and adds some image alt texts.

Overall this improves our Lighthouse accessibility score from 71 to 95 and I think it's subjectively more readable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-17 17:19:58 -06:00
Margo Crawford
10b769c676 Fixed integration tests for load balancer capabilities 2021-02-17 10:55:49 -08:00
Margo Crawford
67da840097 Add loadbalancer for impersonation proxy when needed 2021-02-16 15:57:02 -08:00
Matt Moyer
93d4581721
Workaround a bad module version to fix Dependabot.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 17:05:33 -06:00
Matt Moyer
0a7c5b0604
Merge pull request #403 from mattmoyer/add-latest-generated-package
Add "go.pinniped.dev/generated/latest" package that is not a nested module.
2021-02-16 15:30:48 -06:00
Matt Moyer
acbeb93f79
Don't lint generated code.
This wasn't needed before because the other code wasn't in the main module and golangci-lint won't cross a module boundary.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:18:18 -06:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Matt Moyer
b42a34d822
Add generated client code for 'latest'.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 12:34:33 -06:00
Matt Moyer
3ce3403b95
Update ./hack/update.sh to add a "latest" package.
This is just a copy of the newest Kubernetes version, but as a plain package and not a submodule.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 12:28:29 -06:00
Andrew Keesler
eb19980110
internal/concierge/impersonator: set user extra impersonation headers
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 09:26:47 -05:00
Andrew Keesler
c7905c6638
internal/concierge/impersonator: fail if impersonation headers set
If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 08:15:50 -05:00
Andrew Keesler
fdd8ef5835
internal/concierge/impersonator: handle custom login API group
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 07:55:09 -05:00
Andrew Keesler
25bc8dd8a9
test/integration: hopefully fix TestImpersonationProxy
I think we were assuming the name of our Concierge app, and getting lucky
because it was the name we use when testing locally (but not in CI).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 18:04:21 -05:00
Andrew Keesler
6512ab1351
internal/concierge/impersonator: don't care about namespace
Concierge APIs are no longer namespaced (see f015ad5852).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 17:11:59 -05:00
Ryan Richard
5cd60fa5f9 Move starting/stopping impersonation proxy server to a new controller
- Watch a configmap to read the configuration of the impersonation
  proxy and reconcile it.
- Implements "auto" mode by querying the API for control plane nodes.
- WIP: does not create a load balancer or proper TLS certificates yet.
  Those will come in future commits.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-11 17:25:52 -08:00
Andrew Keesler
fac571b51a
Merge pull request #410 from ankeesler/update-copyright
generated: include 2021 in copyright
2021-02-11 12:26:31 -05:00
Andrew Keesler
9b87906a30
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 11:03:33 -05:00
Andrew Keesler
c8b1f00107
generated: include 2021 in copyright
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-11 10:52:01 -05:00
Mo Khan
f015ad5852
Merge pull request #405 from enj/enj/i/cluster_scope_concierge
Cluster scope all concierge APIs
2021-02-11 08:50:42 -05:00
Monis Khan
b04fd46319
Update federation domain logic to use status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
4c304e4224
Assert all APIs have a status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
0a9f446893
Update credential issuer logic to use status subresource
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:10 -05:00
Monis Khan
96cec59236
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
4faf724c2c
Make credential issuer status optional
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
de88ae2f61
Fix status related RBAC
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
dd3d1c8b1b
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:09 -05:00
Monis Khan
2e9baf9fa6
Correctly generate status subresource for all CRDs
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
ac01186499
Use API service as owner ref for cluster scoped resources
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
2eb01bd307
authncache: remove namespace concept
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00
Monis Khan
741b8fe88d
Generated
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:08 -05:00