Matt Moyer
c5b784465b
Describe "anonymousAuthenticationSupported" test cluster capability and add more managed cluster types.
...
This new capability describes whether a cluster is expected to allow anonymous requests (most do since k8s 1.6.x, but AKS has it disabled).
This commit also contains new capability YAML files for AKS and EKS, mostly to document publicly how we expect our tests to function in those environments.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-16 13:54:29 -05:00
Monis Khan
236dbdb2c4
impersonator: test UID impersonation and header canonicalization
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 13:00:51 -04:00
Ryan Richard
6887d0aca2
Repeat the method and url in the log line for the userinfo username
2021-03-15 17:12:03 -07:00
Margo Crawford
64e0dbb481
Sleep for 1 minute 10 seconds instead of a minute in timeout test
2021-03-15 16:33:47 -07:00
Ryan Richard
e47543233c
Merge branch 'main' into impersonation-proxy
2021-03-15 16:28:25 -07:00
Ryan Richard
2460568be3
Add some debug logging
2021-03-15 16:26:51 -07:00
Ryan Richard
1b31489347
Add prepare-impersonator-on-kind.sh for manually starting impersonator
...
It takes a lot of manual steps to get ready to manually test the
impersonation proxy on a kind cluster, which makes it error prone,
so encapsulate them into a script to make it easier.
2021-03-15 16:26:51 -07:00
Ryan Richard
ab6452ace7
Remove linting from pre-commit because it is slow and messes up GoLand
...
It seems to confuse committing in the GoLand IDE.
2021-03-15 16:25:45 -07:00
Matt Moyer
c46aa1c29d
Merge pull request #490 from vmware-tanzu/dependabot/docker/golang-1.16.2
...
Bump golang from 1.16.1 to 1.16.2
2021-03-15 15:08:03 -07:00
Margo Crawford
939ea30030
Make all tests but disable test parallelized
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-15 14:34:41 -07:00
Andrew Keesler
efd973fa17
Test waiting for a minute and keeping connection open
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-15 14:34:41 -07:00
Monis Khan
4f671f5dca
dynamiccert: unit test with DynamicServingCertificateController
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 17:23:37 -04:00
Ryan Richard
a5384a6e38
Merge branch 'main' into impersonation-proxy
2021-03-15 13:06:36 -07:00
dependabot[bot]
e64f2fe7fb
Bump golang from 1.16.1 to 1.16.2
...
Bumps golang from 1.16.1 to 1.16.2.
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-15 19:55:44 +00:00
Matt Moyer
035362f4d3
Merge pull request #494 from vmware-tanzu/dependabot/go_modules/k8s.io/klog/v2-2.8.0
...
Bump k8s.io/klog/v2 from 2.6.0 to 2.8.0
2021-03-15 12:54:46 -07:00
Ryan Richard
8065a8d2e6
TestKubeCertAgent waits for CredentialIssuer strategy to be successful
...
At the end of the test, wait for the KubeClusterSigningCertificate
strategy on the CredentialIssuer to go back to being healthy, to avoid
polluting other integration tests which follow this one.
2021-03-15 11:43:12 -07:00
Ryan Richard
e22ad6171a
Fix a race detector warning by re-declaring err
in a t.Cleanup()
2021-03-15 11:43:12 -07:00
dependabot[bot]
c2b0acf241
Bump k8s.io/klog/v2 from 2.6.0 to 2.8.0
...
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.6.0 to 2.8.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.6.0...v2.8.0)
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-15 17:36:36 +00:00
Monis Khan
00694c9cb6
dynamiccert: split into serving cert and CA providers
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 12:24:07 -04:00
Matt Moyer
dc96f398da
Merge pull request #497 from mattmoyer/ignore-local-user-authenticator-coverage
...
Ignore test coverage for local-user-authenticator.
2021-03-15 08:46:28 -07:00
Matt Moyer
755a87cdbb
Ignore test coverage for local-user-authenticator.
...
This should ignore coverage changes in this test-only component, using the syntax described here: https://docs.codecov.io/docs/ignoring-paths.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-15 10:43:17 -05:00
Matt Moyer
c538a4e8e8
Merge pull request #495 from mattmoyer/add-golangci-lint-to-pre-commit-hooks
...
Add golangci-lint to .pre-commit-config.yaml.
2021-03-15 08:23:09 -07:00
Matt Moyer
41949d8e07
Add golangci-lint to .pre-commit-config.yaml.
...
This is the configuration for https://pre-commit.com/, which now also runs golangci-lint using the same version as CI (currently v1.33.0).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-15 10:20:59 -05:00
Monis Khan
4c162be8bf
impersonator: add comment about long running func
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 09:43:06 -04:00
Monis Khan
b530cef3b1
impersonator: encode proper API status on failure
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-13 20:25:23 -05:00
Ryan Richard
c82f568b2c
certauthority.go: Refactor issuing client versus server certs
...
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.
Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Monis Khan
5e4746e96b
impersonator: match kube API server long running func
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 16:36:37 -05:00
Matt Moyer
077aa8a42e
Fix a copy-paste typo in the ImpersonationProxyInfo JSON field name.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-12 13:24:05 -06:00
Margo Crawford
d509e7012e
Add eventually loop to port-forward test
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:44:11 -08:00
Monis Khan
8c0bafd5be
impersonator: prep work for future SA token support
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 10:47:07 -05:00
Monis Khan
12b13b1ea5
impersonator: wire in genericapiserver.Config
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 10:47:07 -05:00
Andrew Keesler
5b1dc0abdf
test/integration: add some more debugging to kubectl impersonation test
...
I think this is nondeterministic...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 10:45:36 -05:00
Andrew Keesler
253e0f8e9a
test/integration: TestImpersonationProxy/websocket_client passes on my machine now
...
I'm kinda surprised this is working with our current implementation of the
impersonator, but regardless this seems like a step forward.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-12 09:54:59 -05:00
Ryan Richard
87f2899047
impersonator_test.go: small refactor of previous commit
2021-03-11 17:24:52 -08:00
Ryan Richard
6ddf4c04e6
impersonator_test.go: Test failed and anonymous auth
2021-03-11 17:11:38 -08:00
Ryan Richard
1d68841c78
impersonator_test.go: Test one more thing and small refactors
2021-03-11 16:44:08 -08:00
Ryan Richard
f77c92560f
Rewrite impersonator_test.go, add missing argument to IssuePEM()
...
The impersonator_test.go unit test now starts the impersonation
server and makes real HTTP requests against it using client-go.
It is backed by a fake Kube API server.
The CA IssuePEM() method was missing the argument to allow a slice
of IP addresses to be passed in.
2021-03-11 16:27:16 -08:00
Ryan Richard
c12a23725d
Fix lint errors from a previous commit
2021-03-11 16:21:40 -08:00
Matt Moyer
d5beba354b
Merge pull request #487 from vmware-tanzu/dependabot/docker/golang-1.16.1
...
Bump golang from 1.16.0 to 1.16.1
2021-03-11 16:12:07 -08:00
Andrew Keesler
71712b2d00
Add test for http2
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-11 15:49:49 -08:00
dependabot[bot]
ad3f04a982
Bump golang from 1.16.0 to 1.16.1
...
Bumps golang from 1.16.0 to 1.16.1.
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-11 22:25:17 +00:00
Matt Moyer
a52455504f
Capitalize "Concierge" in these error messages as well, for consistency.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
4f154100ff
Remove "--concierge-mode" flag from "pinniped login [...]" commands.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:24:20 -06:00
Matt Moyer
d2d9b1e49e
Stop outputting "--concierge-mode" from "pinniped get kubeconfig".
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:13:29 -06:00
Matt Moyer
c9ce067a0e
Capitalize "API" in this error message.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 16:11:46 -06:00
Pablo Schuhmacher
1af25552a0
Update ROADMAP.md
2021-03-11 13:58:34 -08:00
Matt Moyer
a64786a728
Fix TestCLIGetKubeconfigStaticToken for new CLI log output.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 15:48:04 -06:00
Monis Khan
2d28d1da19
Implement all optional methods in dynamic certs provider
...
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 16:24:08 -05:00
Matt Moyer
78fdc59d2d
Merge branch 'main' of github.com:vmware-tanzu/pinniped into impersonation-proxy
2021-03-11 14:56:11 -06:00
Ryan Richard
29d7f406f7
Test double impersonation as the cluster admin
2021-03-11 12:53:27 -08:00