Margo Crawford
778c194cc4
Autodetection with multiple idps in discovery document
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 17:14:28 -07:00
Margo Crawford
a8754b5658
Refactor: extract helper func from runGetKubeconfig()
- Reduces the cyclomatic complexity of the function
Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 15:00:54 -07:00
Ryan Richard
1c66ffd5ff
WIP: add supervisor upstream flags to pinniped get kubeconfig
- And perform auto-discovery when the flags are not set
- Several TODOs remain which will be addressed in the next commit
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-30 14:28:03 -07:00
Margo Crawford
ab94b97f4a
Change login.go to use logr.logger
2021-04-30 12:10:04 -07:00
Margo Crawford
d6a172214d
Merge pull request #587 from vmware-tanzu/supervisor-gitlab-docs
Added documentation for how to configure the Supervisor with GitLab
2021-04-30 11:01:22 -07:00
Mo Khan
638fa7ba27
Merge pull request #592 from enj/enj/t/valueless_ctx_2
valuelesscontext: make unit tests more clear
2021-04-30 11:07:32 -04:00
Monis Khan
b5ffab6330
valuelesscontext: make unit tests more clear
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 10:43:29 -04:00
Mo Khan
8556a638a2
Merge pull request #591 from enj/enj/t/valueless_ctx
valuelesscontext: add some unit tests
2021-04-30 10:10:48 -04:00
Monis Khan
44c7f8daf0
valuelesscontext: add some unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 09:45:34 -04:00
Mo Khan
1efa4da80c
Merge pull request #590 from enj/enj/f/sa_authn_impersonation_proxy
impersonator: add support for service account token authentication
2021-04-29 17:53:27 -04:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID. This
allows us to support service account tokens (as well as any other
form of token based authentication).
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Mo Khan
9e4f601a3f
Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
2021-04-29 07:47:06 -04:00
Monis Khan
bb7e7fe81e
webhookcachefiller: be stricter about CA bundle validation
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 05:49:06 -04:00
Ryan Richard
10c4cb4493
Merge branch 'initial_ldap' into ldap-get-kubeconfig
2021-04-28 14:28:32 -07:00
Ryan Richard
36819989a3
Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Margo Crawford
bed2d2dd62
Incorporated PR feedback
2021-04-28 13:34:36 -07:00
Ryan Richard
4bd83add35
Add Supervisor upstream IDP discovery on the server-side
2021-04-28 13:14:21 -07:00
Margo Crawford
90b2854032
Avoid using global logger in login.go
2021-04-28 09:34:42 -07:00
Ryan Richard
5c62a9d0bd
More adjustments based on PR feedback
2021-04-27 16:54:26 -07:00
Margo Crawford
96fda6ed13
Added documentation for how to configure the Supervisor with GitLab
2021-04-27 16:18:30 -07:00
Ryan Richard
263a33cc85
Some updates based on PR review
2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a
Merge branch 'main' into initial_ldap
2021-04-27 10:12:43 -07:00
Ryan Richard
67a568811a
Make prepare-for-integration-tests.sh work on linux too
- The linux base64 command is different, so avoid using it at all.
  On linux the default is to split the output into multiple lines,
  which messes up the integration-test-env file. The flag used to
  disable this behavior on linux ("-w0") does not exist on MacOS's
  base64.
- On debian linux, the latest version of Docker from apt-get still
  requires DOCKER_BUILDKIT=1 or else it barfs.
2021-04-27 10:10:02 -07:00
Matt Moyer
620a4d55b7
Merge pull request #584 from mattmoyer/fix-broken-readme-link
Fix a broken docs link in our README.
2021-04-26 13:23:35 -07:00
Matt Moyer
a52872cd03
Fix a broken docs link in our README.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 13:48:17 -06:00
Matt Moyer
0dfb3e95c5
Merge pull request #569 from mattmoyer/use-deployment-for-kube-cert-agent
Refactor kube-cert-agent controllers to use a Deployment.
2021-04-26 09:25:37 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.
They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
54a8297cc4
Add generated mocks for kubecertagent.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.
This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Ryan Richard
9b818dbf10
Remove another 10s sleep related to JWTAuthenticator initialization
2021-04-22 16:59:42 -07:00
Ryan Richard
6a350aa4e1
Fix some LDAP CA bundle handling
- Make PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE optional for integration tests
- When there is no CA bundle provided, be careful to use nil instead of
  an empty bundle, because nil means to use the OS defaults
2021-04-22 16:58:48 -07:00
Matt Moyer
cc51c72c12
Merge pull request #576 from ankeesler/prepare-webhook-script
hack: add prepare-webhook-on-kind.sh
2021-04-22 14:07:38 -07:00
Matt Moyer
0ab9927115
Merge branch 'main' into prepare-webhook-script
2021-04-22 13:05:55 -07:00
Matt Moyer
204c8e8dbc
Merge pull request #578 from mattmoyer/remove-unneeded-test-sleep
Remove unneeded sleeps in TestE2EFullIntegration and jwtcachefiller tests.
2021-04-22 12:59:40 -07:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Andrew Keesler
81a4c84f46
Merge pull request #579 from ankeesler/log-level
internal/kubeclient: match plog level with klog level
2021-04-21 17:37:41 -04:00
Andrew Keesler
9f509d3f13
internal/kubeclient: match plog level with klog level
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-21 16:25:08 -04:00
Margo Crawford
5f3eab2538
Fix expected number of log lines in TestCLILoginOIDC
2021-04-21 13:05:32 -07:00
Margo Crawford
c45d48d027
Change test log expectations
2021-04-21 10:58:48 -07:00
Margo Crawford
09560fd8dc
Log lines about using cached credential
2021-04-21 09:02:45 -07:00
Margo Crawford
264778113d
lookupEnv in oidclogin same as for static
2021-04-21 09:02:45 -07:00
Margo Crawford
b5889f37ff
WIP on new plog
2021-04-21 09:02:45 -07:00
Margo Crawford
45e4695444
Unset pinniped debug environment variable at end of integration test
Also log when setting the debug log level fails
2021-04-21 09:02:45 -07:00
Margo Crawford
6a21499ed3
Add check for number of log lines.
2021-04-21 09:02:45 -07:00
Margo Crawford
211d4fd0b6
Add more logging, integration test checks that debug flag works.
2021-04-21 09:02:45 -07:00
Margo Crawford
8ffd9fdc4e
Started debug logging.
2021-04-21 09:02:45 -07:00
Ryan Richard
ddc632b99c
Show the error_description when it is included in authorization response
2021-04-19 18:08:52 -07:00
Ryan Richard
c176d15aa7
Add Supervisor upstream LDAP login to the Pinniped CLI
- Also enhance prepare-supervisor-on-kind.sh to allow setup of
  a working LDAP upstream IDP.
2021-04-19 17:59:46 -07:00
Mo Khan
d76ac56df2
Merge pull request #573 from enj/enj/f/nested_impersonation
impersonation proxy: add nested impersonation support
2021-04-19 17:46:10 -04:00
Andrew Keesler
d86b24ca2f
hack: add prepare-webhook-on-kind.sh
Inspired from 7bb5657c4d. I used this to help accept 2 stories today.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-19 16:10:20 -04:00