Ryan Richard
8b549f66d4
Add integration test for LDAP StartTLS
2021-05-20 13:39:48 -07:00
Ryan Richard
4780c39640
Merge pull request #618 from vmware-tanzu/initial_ldap_group_support
Initial support for upstream LDAP group membership
2021-05-20 13:10:23 -07:00
Ryan Richard
7e76b66639
LDAP upstream watcher controller tries using both TLS and StartTLS
- Automatically try to fall back to using StartTLS when using TLS
doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keep using that one
in the future (unless the pod restarts).
2021-05-20 12:46:33 -07:00
Ryan Richard
fff90ed2ca
Merge branch 'main' into initial_ldap_group_support
2021-05-20 12:36:04 -07:00
Margo Crawford
62651eddb0
Took care of some impersonation cluster ip related todos
2021-05-20 11:57:07 -07:00
Matt Moyer
ec25259901
Update impersonatorconfig controller to use new CredentialIssuer update helper.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-20 12:26:07 -05:00
Matt Moyer
e4dd83887a
Merge remote-tracking branch 'origin/main' into credentialissuer-spec-api
2021-05-20 10:53:53 -05:00
Matt Moyer
562942cdbf
Merge pull request #627 from mattmoyer/use-informers-for-credentialissuer-updates
Create CredentialIssuer at install, not runtime.
2021-05-20 10:13:41 -05:00
Ryan Richard
025b37f839
upstreamldap.New() now supports a StartTLS config option
- This enhances our LDAP client code to make it possible to optionally
dial an LDAP server without TLS and then use StartTLS to upgrade
the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
Margo Crawford
63c39454f6
WIP on impersonation clusterip service
2021-05-19 17:00:28 -07:00
Matt Moyer
657488fe90
Create CredentialIssuer at install, not runtime.
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.
With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.
This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
Margo Crawford
9e61640c92
LoadBalancerIP updated dynamically
2021-05-19 14:16:15 -07:00
Ryan Richard
94d6b76958
Merge branch 'initial_ldap_group_support' into ldap_starttls
2021-05-19 13:12:56 -07:00
Ryan Richard
424c112bbc
Merge branch 'main' into initial_ldap_group_support
2021-05-19 13:12:17 -07:00
Margo Crawford
3bb95f1de2
Give kubeclient_test some default values for credentialissuer spec
2021-05-19 11:56:54 -07:00
Margo Crawford
0b66321902
Changes to make the linter pass
2021-05-19 11:05:35 -07:00
Matt Moyer
297a484948
Add more validation and update tests for impersonationProxy as pointer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 12:42:31 -05:00
Matt Moyer
13372a43e6
Update generated code from previous commit.
2021-05-19 11:41:35 -05:00
Matt Moyer
54e0b83146
Update API so that impersonationProxy spec is a pointer.
2021-05-19 11:41:17 -05:00
Margo Crawford
94c370ac85
Annotations for impersonation load balancer
2021-05-18 16:54:59 -07:00
Ryan Richard
b5063e59ab
Merge branch 'initial_ldap_group_support' into ldap_starttls
2021-05-18 16:39:59 -07:00
Ryan Richard
a6f95cfff1
Configure openldap to disallow non-TLS clients
- For testing purposes, we would like to ensure that when we connect
to the LDAP server we cannot accidentally avoid using TLS or StartTLS.
- Also enabled the openldap `memberOf` overlay in case we want to
support group search using `memberOf` in the future.
- This required changes to the docker.io/bitnami/openldap container
image, so we're using our own fork for now. Will submit a PR to
bitnami/openldap to see if they will accept it (or something similar)
upstream.
2021-05-18 16:38:12 -07:00
Margo Crawford
eaea3471ec
Validation for service type none and external endpoint none
Also added a few more test cases for provisioning a load balancer
2021-05-18 13:50:52 -07:00
Matt Moyer
4a785e73e6
WIP fixing impersonatorconfig tests
2021-05-18 14:54:04 -05:00
Margo Crawford
51f1a0ec13
WIP: not using impersonator.config, just credentialissuer directly
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 12:16:27 -07:00
Matt Moyer
9af3cb1115
Change impersonation integration test to use CredentialIssuer spec
rather than a configmap
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-18 09:51:11 -07:00
Matt Moyer
18ccf11905
Update impersonatorconfig controller to use CredentialIssuer API instead of ConfigMap.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 09:50:35 -07:00
Matt Moyer
1a131e64fe
Start deploying an initial CredentialIssuer in our install YAML.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
e885114221
Add generated code from adding spec fields to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
26da763962
Add spec fields to CredentialIssuer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
4a456446ff
Update doc comments for types_credentialissuer.go.tmpl.
Update to follow https://golang.org/doc/effective_go#commentary :
> The first sentence should be a one-sentence summary that starts with the name being declared.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 11:12:18 -05:00
Matt Moyer
efeb25b8eb
Merge pull request #619 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.12
Bump github.com/creack/pty from 1.1.11 to 1.1.12
2021-05-18 09:16:27 -05:00
dependabot[bot]
f595e81dbb
Bump github.com/creack/pty from 1.1.11 to 1.1.12
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.11...v1.1.12)
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-18 05:56:45 +00:00
Mo Khan
0f5f72829b
Merge pull request #594 from enj/enj/i/tcr_strict_user_info
cred req: disallow lossy user info translations
2021-05-17 19:28:21 -04:00
Monis Khan
f40fd29c7c
local-user-authenticator: stop setting UID
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:45 -04:00
Monis Khan
35479e2978
cred req: disallow lossy user info translations
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
Ryan Richard
742b70d6a4
Merge branch 'main' into initial_ldap_group_support
2021-05-17 14:24:56 -07:00
Ryan Richard
dab5ff3788
ldap_client_test.go: Forgot to change an assertion related to groups
2021-05-17 14:21:57 -07:00
Ryan Richard
99099fd32f
Yet more debugging of tests which only fail in main CI
2021-05-17 14:20:41 -07:00
Ryan Richard
65cab53a11
Merge branch 'main' into initial_ldap_group_support
2021-05-17 14:12:20 -07:00
Ryan Richard
8c660f09bc
More debugging of tests which only fail in main CI
2021-05-17 13:53:17 -07:00
Ryan Richard
ac431ddc6d
Add more to failure message in test which only fails in main CI
2021-05-17 12:57:34 -07:00
Ryan Richard
3e1e8880f7
Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.
LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
14b8fcc472
Merge pull request #555 from vmware-tanzu/initial_ldap
Initial `LDAPIdentityProvider` support for the Supervisor and CLI
2021-05-17 10:40:50 -07:00
Ryan Richard
20b1c41bf5
Experiment to see if we can ignore read /dev/ptmx: input/output error
This error seems to always happen on linux, but never on MacOS.
2021-05-13 16:02:24 -07:00
Ryan Richard
f5bf8978a3
Cache ResourceVersion of the validated bind Secret in memory
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883
Merge branch 'main' into initial_ldap
2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
609883c49e
Update TestSupervisorOIDCDiscovery for versioned IDP discovery endpoint
2021-05-13 13:07:31 -07:00
Ryan Richard
f15fc66e06
pinniped get kubeconfig
refactor to use oidc.NewProvider for discovery
- Note that this adds an extra check of the response, which is that
the issuer string in the response must match the issuer of the requested
URL.
- Some of the error messages also changed to match the errors provided
by oidc.NewProvider
2021-05-13 12:27:42 -07:00