Margo Crawford
d0df2009ac
Merge pull request #498 from vmware-tanzu/impersonation-proxy-docs
...
Impersonation proxy docs
2021-03-19 16:13:58 -07:00
Monis Khan
964d4889c4
pinniped whoami: print correct cluster info when --kubeconfig-context is used
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 18:42:40 -04:00
Margo Crawford
a537287601
Regenerate cli.md based on output of help message
2021-03-19 14:34:35 -07:00
Margo Crawford
fdfc854f8c
Incorporating suggestions:
...
- a credential that is understood by -> a credential that can be used to
authenticate to
- This is more neutral to whether its going directly to k8s
or through the impersonation proxy
2021-03-19 14:06:20 -07:00
Margo Crawford
331fef8fae
Tweaked some wording, updated the cli page
2021-03-19 14:06:20 -07:00
Margo Crawford
4470d3d2d1
Fix broken links to architecture page
2021-03-19 14:06:20 -07:00
Margo Crawford
698bffc2ad
Naming changes
2021-03-19 14:06:20 -07:00
Margo Crawford
6ff3e42602
Add description of impersonation proxy strategy to docs
2021-03-19 14:06:20 -07:00
Ryan Richard
3e50b4e129
Add -sS to the curl command in concierge_impersonation_proxy_test.go
2021-03-19 13:23:28 -07:00
Ryan Richard
d856221f56
Edit some comments in concierge_impersonation_proxy_test.go
2021-03-19 13:19:17 -07:00
Monis Khan
f519f0cb09
impersonator: disallow clients from setting the X-Forwarded-For header
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 15:35:06 -04:00
Monis Khan
c03fe2d1fe
Use http2 for all non-upgrade requests
...
Instead of using the LongRunningFunc to determine if we can safely
use http2, follow the same logic as the aggregation proxy and only
use http2 when the request is not an upgrade.
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 13:45:58 -04:00
Andrew Keesler
2749044625
test/integration: unparallelize impersonation kubectl test
...
Maybe this will cut down on flakes we see in CI?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:31:28 -04:00
Andrew Keesler
f73c70d8f9
test/integration: use Ryan's 20x rule to harden simple access tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 13:18:10 -04:00
Andrew Keesler
ebd5e45fa6
test/integration: wait for convergence at end of impersonation test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 12:54:37 -04:00
Andrew Keesler
6154883855
test/integration: add temporary debug 'kubectl attach' logging
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 10:42:11 -04:00
Andrew Keesler
ebe01a5aef
test/integration: catch early 'kubectl attach' return
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-19 09:59:24 -04:00
Andrew Keesler
28d00ce67b
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
2021-03-18 20:13:49 -04:00
Mo Khan
50e4531215
Merge pull request #505 from enj/enj/i/jwt-go_cve
...
Move to github.com/form3tech-oss/jwt-go
2021-03-18 19:34:19 -04:00
Andrew Keesler
1a9922d050
test/integration: poll more quickly in f2a48aee
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:53:14 -04:00
Andrew Keesler
f2a48aee2b
test/integration: increase timeout to a minute to see if it helps
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 17:48:00 -04:00
Monis Khan
d162cb9adf
Move to github.com/form3tech-oss/jwt-go
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 16:56:04 -04:00
Andrew Keesler
14a28bec24
test/integration: fix second assertion from dae62929
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 16:34:30 -04:00
Andrew Keesler
dae62929e0
test/integration: error assertions pass w/ and w/o middleware
...
In the case where we are using middleware (e.g., when the api group is
different) in our kubeclient, these error messages have a "...middleware request
for..." bit in the middle.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 15:35:31 -04:00
Andrew Keesler
c22ac17dfe
internal/concierge/impersonator: use http/2.0 as much as we can
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 15:35:31 -04:00
Ryan Richard
08c446a3e1
Use openssl to generate the test user password instead of /dev/urandom
...
Because it's more portable across different operating systems and
it is already pre-installed on MacOS.
2021-03-18 11:20:33 -07:00
Ryan Richard
bd8c243636
concierge_impersonation_proxy_test.go: small refactor
2021-03-18 10:46:27 -07:00
Ryan Richard
e4bf6e068f
Add a comment to impersonator.go
2021-03-18 10:46:27 -07:00
Monis Khan
120e46b5f7
test/integration: fix race condition
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 11:27:52 -04:00
Andrew Keesler
257d69045d
Reuse internal/concierge/scheme
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:40:59 -04:00
Andrew Keesler
05a188d4cd
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:36:28 -04:00
Monis Khan
205c22ddbe
impersonator config: catch panics when running impersonator
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 10:28:28 -04:00
Andrew Keesler
aa79bc7609
internal/concierge/impersonator: ensure log statement is printed
...
When the frontend connection to our proxy is closed, the proxy falls through to
a panic(), which means the HTTP handler goroutine is killed, so we were not
seeing this log statement.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:14:11 -04:00
Andrew Keesler
a36914f5ca
Merge pull request #476 from ankeesler/whoami-cli
...
cmd/pinniped: add whoami cli command
2021-03-18 09:46:48 -04:00
Andrew Keesler
cc8f0b623c
test/integration: add pinniped whoami tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:35 -04:00
Andrew Keesler
de6837226e
cmd/pinniped: add whoami command
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:34 -04:00
Matt Moyer
3a32833306
Merge pull request #503 from mattmoyer/rework-restart-assertions-helper
...
Rework integration test assertions for pod restarts.
2021-03-17 14:38:39 -07:00
Matt Moyer
74df6d138b
Memoize library.IntegrationEnv so it's only constructed once per test.
...
This is probably a good idea regardless, but it also avoids an infinite recursion from IntegrationEnv() -> assertNoRestartsDuringTest() -> NewKubeclient() -> IntegrationEnv() -> ...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 13:37:48 -05:00
Matt Moyer
0dd2b358fb
Extend assertNoRestartsDuringTest to dump logs from containers that restarted.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 13:37:47 -05:00
Matt Moyer
6520c5a3a1
Extend library.DumpLogs() to dump logs from the previous container, if one exists.
...
This is important in case the container has crashed and has been restarted.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:46:40 -05:00
Matt Moyer
5a43a5d53a
Remove library.AssertNoRestartsDuringTest and make that assertion implicit in library.IntegrationEnv.
...
This means we (hopefully) can't forget to include these assertions in any integration test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:18:10 -05:00
Margo Crawford
897340860b
Small refactor to impersonation proxy integration test
2021-03-16 16:57:46 -07:00
Matt Moyer
4d2035ab2a
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
2021-03-16 18:19:40 -05:00
Matt Moyer
d85135c12e
Merge pull request #501 from mattmoyer/deflake-get-category-test
...
Improve the reliability of TestGetPinnipedCategory.
2021-03-16 16:18:22 -07:00
Matt Moyer
30a392b900
Improve the reliability of TestGetPinnipedCategory.
...
This test could flake in some rare scenarios. This change adds a bunch of retries, improves the debugging output if the tests fail, and puts all of the subtests in parallel which saves ~10s on my local machine.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 17:39:02 -05:00
Mo Khan
4ab3c64b70
Merge pull request #500 from mattmoyer/deflake-cert-rotation-test
...
Make TestAPIServingCertificateAutoCreationAndRotation more reliable.
2021-03-16 17:03:07 -04:00
Matt Moyer
2515b2d710
Make TestAPIServingCertificateAutoCreationAndRotation more reliable.
...
This test has occasionally flaked because it only waited for the APIService GET to finish, but did not wait for the controller to successfully update the target object.
The new code should be more patient and allow the controller up to 10s to perform the expected action.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 15:14:24 -05:00
Matt Moyer
10a1e29e15
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:35:07 -05:00
Matt Moyer
2319606cd2
Fix some nits from the previous commit that I accidentally merged before fixing.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 14:24:13 -05:00
Matt Moyer
10168ab2e7
Merge pull request #499 from vmware-tanzu/add-anon-auth-capability
...
Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
2021-03-16 12:21:47 -07:00