Commit Graph

2713 Commits

Author SHA1 Message Date
Ryan Richard
3ca8c49334 Improve garbage collector log format and some comments 2021-11-23 12:11:17 -08:00
Mo Khan
f28b33bbf0
Merge branch 'main' into customize_ports 2021-11-23 08:30:48 -05:00
Mo Khan
537f85205d
Merge pull request #889 from enj/enj/i/strict_tls_acceptance
tls: fix integration tests for long lived environments
2021-11-18 16:37:15 -05:00
Ryan Richard
b8a93b6b90 Merge branch 'main' into customize_ports 2021-11-18 09:31:18 -08:00
Monis Khan
764a1ad7e4
tls: fix integration tests for long lived environments
This change updates the new TLS integration tests to:

1. Only create the supervisor default TLS serving cert if needed
2. Port forward the node port supervisor service since that is
   available in all environments

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-18 03:55:56 -05:00
Mo Khan
6a68c6532c
Merge pull request #873 from enj/enj/i/strict_tls
Force the use of secure TLS config
2021-11-17 19:17:13 -05:00
Ryan Richard
3b3641568a GC retries failed upstream revocations for a while, but not forever 2021-11-17 15:58:44 -08:00
Monis Khan
cd686ffdf3
Force the use of secure TLS config
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
Ryan Richard
ca2cc40769 Add impersonationProxyServerPort to the Concierge's static ConfigMap
- Used to determine on which port the impersonation proxy will bind
- Defaults to 8444, which is the old hard-coded port value
- Allow the port number to be configured to any value within the
  range 1024 to 65535
- This commit does not include adding new config knobs to the ytt
  values file, so while it is possible to change this port without
  needing to recompile, it is not convenient
2021-11-17 13:27:59 -08:00
Ryan Richard
2383a88612 Add aggregatedAPIServerPort to the Concierge's static ConfigMap
- Allow the port number to be configured to any value within the
  range 1024 to 65535
- This commit does not include adding new config knobs to the ytt
  values file, so while it is possible to change this port without
  needing to recompile, it is not convenient
2021-11-16 16:43:51 -08:00
Ryan Richard
48518e9513 Add trace logging to help observe upstream OIDC refresh token revocation 2021-11-11 12:24:05 -08:00
Ryan Richard
de79f15068 Merge branch 'main' into upstream_refresh_revocation_during_gc 2021-11-10 15:35:42 -08:00
Ryan Richard
2388e25235 Revoke upstream OIDC refresh tokens during GC 2021-11-10 15:34:19 -08:00
Mo Khan
c570f08b2b
Merge pull request #885 from vmware-tanzu/dependabot/docker/golang-1.17.3
Bump golang from 1.17.2 to 1.17.3
2021-11-05 21:45:56 -04:00
dependabot[bot]
2aeb464b43
Bump golang from 1.17.2 to 1.17.3
Bumps golang from 1.17.2 to 1.17.3.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-11-06 00:55:39 +00:00
Mo Khan
5a3f83f90f
Merge pull request #877 from vmware-tanzu/upstream-ldap-refresh
Upstream ldap refresh
2021-11-05 18:08:45 -04:00
Margo Crawford
cb60a44f8a extract ldap refresh search into helper function
also added an integration test for refresh failing after updating the username attribute
2021-11-05 14:22:43 -07:00
Margo Crawford
b5b8cab717 Refactors:
- pull construction of authenticators.Response into searchAndBindUser
- remove information about the identity provider in the error that gets
  returned to users. Put it in debug instead, where it may show up in
  logs.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
c84329d7a4 Fix broken ldap_client_test 2021-11-05 14:22:43 -07:00
Margo Crawford
f988879b6e Addressing code review changes
- changed to use custom authenticators.Response rather than the k8s one
  that doesn't include space for a DN
- Added more checking for correct idp type in token handler
- small style changes

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 14:22:43 -07:00
Margo Crawford
84edfcb541 Refactor out a function, add tests for getting the wrong idp uid 2021-11-05 14:22:43 -07:00
Margo Crawford
722b5dcc1b Test for change to stored username or subject.
All of this is still done staticly.
2021-11-05 14:22:43 -07:00
Margo Crawford
8396937503 Updates to tests and some error assertions 2021-11-05 14:22:43 -07:00
Margo Crawford
2c4dc2951d resolved a couple of testing related todos 2021-11-05 14:22:43 -07:00
Margo Crawford
7a58086040 Check that username and subject remain the same for ldap refresh 2021-11-05 14:22:43 -07:00
Margo Crawford
19281313dd Basic upstream LDAP/AD refresh
This stores the user DN in the session data upon login and checks that
the entry still exists upon refresh. It doesn't check anything
else about the entry yet.
2021-11-05 14:22:42 -07:00
Mo Khan
71f7ea686d
Fix typo in community meeting time 2021-11-04 12:02:46 -04:00
Mo Khan
d5d957f6ee
Fix CONTRIBUTING zoom link 2021-11-04 11:53:14 -04:00
Mo Khan
e371c34237
Fix README zoom link 2021-11-04 11:52:28 -04:00
Mo Khan
b5be763631
Fix typo in community meeting time 2021-11-04 08:38:33 -04:00
Mo Khan
f03e5f4fef
Merge pull request #883 from enj/enj/i/dockerfile_tweaks
Dockerfile: build all files and trim file system paths
2021-11-03 14:45:23 -04:00
Monis Khan
a042f74a88
Dockerfile: build all files and trim file system paths
Use "..." instead of "main.go" as the build target since we may have
extra files in the future.

https://pkg.go.dev/cmd/go#hdr-Compile_packages_and_dependencies

-trimpath
	remove all file system paths from the resulting executable.
	Instead of absolute file system paths, the recorded file names
	will begin with either "go" (for the standard library),
	or a module path@version (when using modules),
	or a plain import path (when using GOPATH).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-03 10:26:13 -04:00
Mo Khan
aae586b4ef
Merge pull request #879 from vmware-tanzu/dependabot/docker/distroless/static-bca3c20
Bump distroless/static from `07869ab` to `bca3c20`
2021-11-02 09:54:48 -04:00
dependabot[bot]
1c3545e234
Bump distroless/static from 07869ab to bca3c20
Bumps distroless/static from `07869ab` to `bca3c20`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-10-28 01:02:33 +00:00
anjalitelang
c494f65b84
Update ROADMAP.md
Updating roadmap to reflect dates when we will have Upstream Refresh released
2021-10-27 10:43:31 -04:00
Margo Crawford
6c47c3327a Add hint to hack/prepare-for-integration-tests.sh
I keep forgetting the name of the --get-active-directory-vars flag.
2021-10-26 16:25:34 -07:00
Mo Khan
3f698d24e5
Merge pull request #878 from enj/enj/i/cli_link
Change default install hint to use get.pinniped.dev/cli
2021-10-26 17:42:53 -04:00
Monis Khan
2ba5d51120
Change default install hint to use get.pinniped.dev/cli
This avoids a hard link against a docs page that may change over
time.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-26 17:14:13 -04:00
Margo Crawford
c3060e3474
Merge pull request #872 from anjaltelang/main
Architecture should be on top on the documentation webpage
2021-10-26 13:41:17 -07:00
Anjali Telang
59256264ec Changing the architecture.md weight back to 100
Signed-off-by: Anjali Telang <atelang@vmware.com>
2021-10-26 16:34:32 -04:00
Mo Khan
3aa14accd7
Merge pull request #875 from siddhant94/add-install-hint-kubeconfig
Add --install-hint flag to `get kubeconfig` command
2021-10-26 15:38:39 -04:00
Anjali Telang
f93cdcb9c5 Merge remote-tracking branch 'upstream/main' into main 2021-10-26 15:29:56 -04:00
vagrant
1b6b4106db
Add --install-hint flag to get kubeconfig command
This populates the installHint attribute in the exec section of the
generated kubeconfig.

For more details, see installHint documentation:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration

Reviewed-by: Monis Khan <mok@vmware.com>
2021-10-26 14:26:47 -04:00
Mo Khan
f25d2870ce
Merge pull request #874 from enj/enj/i/distroless_nonroot
Use 65532 instead of 1001 as non-root user
2021-10-25 16:54:47 -04:00
Monis Khan
7921a58988
Use 65532 instead of 1001 as non-root user
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 16:21:54 -04:00
Mo Khan
7d30bfc22c
Start using CodeQL 2021-10-25 16:05:12 -04:00
Mo Khan
bdb199c53a
Merge pull request #858 from vmware-tanzu/upstream_refresh
For OIDCIdenitityProviders perform an upstream refresh during downstream refresh
2021-10-25 12:32:35 -04:00
Monis Khan
1e17418585
TestSupervisorUpstreamOIDCDiscovery: include AdditionalAuthorizeParametersValid condition
Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 10:21:51 -04:00
Ryan Richard
d0ced1fd74 WIP towards revoking upstream refresh tokens during GC
- Discover the revocation endpoint of the upstream provider in
  oidc_upstream_watcher.go and save it into the cache for future use
  by the garbage collector controller
- Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI
- Implements the production version of RevokeRefreshToken
- Implements test doubles for RevokeRefreshToken for future use in
  garbage collector's unit tests
- Prefactors the crud and session storage types for future use in the
  garbage collector controller
- See remaining TODOs in garbage_collector.go
2021-10-22 14:32:26 -07:00
Ryan Richard
303b1f07d3 Fix mistake in previous commit 2021-10-22 14:06:31 -07:00