djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
727 Commits 30 Branches 34 Tags 22 MiB
Commit Graph

727 Commits

Author SHA1 Message Date
Andrew Keesler e8f433643f
auth_handler.go: only inject oauth store into handler 
Previously we were injecting the whole oauth handler chain into this function,
which meant we were essentially writing unit tests to test our tests. Let's push
some of this logic into the source code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:35:26 -05:00
Andrew Keesler 4f95e6a372
auth_handler.go: add test for invalid downstream redirect uri 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:30:53 -05:00
Andrew Keesler 259ffb5267
Checkpoint: write a single negative test using fosite 
Bringing in fosite to our go.mod introduced those other go.mod changes.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-04 10:15:19 -05:00
Andrew Keesler aab0fd644f
Merge remote-tracking branch 'upstream/main' into authorize_endpoint 2020-11-04 10:14:54 -05:00
Andrew Keesler e7a817e67a
Merge pull request #186 from ankeesler/bump-jose 
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1
 2020-11-04 10:14:32 -05:00
Andrew Keesler 0bbf55e46f
gopkg.in/square/go-jose.v2: v2.2.2 -> v2.5.1 
We were behind for some reason. Probably makes sense to bump to
latest version to get bug fixes and such.
 2020-11-04 09:55:18 -05:00
Ryan Richard c34e5a727d Starting the implementation of an OIDC authorization endpoint handler 
Does not validate incoming request parameters yet. Also is not
served on the http/https ports yet. Those will come in future commits.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-03 16:17:38 -08:00
Andrew Keesler 0d8477ea8a Add a type for in-memory caching of upstream OIDC Identity Providers 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-03 12:06:07 -08:00
Ryan Richard 1223cf7877
Merge pull request #154 from vmware-tanzu/change_release_static_yaml_names 
Rename static yaml files in release process
 2020-11-02 17:09:11 -08:00
Ryan Richard 036845deee
Merge pull request #184 from vmware-tanzu/bump_golang_and_slim 
Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim
 2020-11-02 17:08:48 -08:00
Matt Moyer c451604816
Merge pull request #182 from mattmoyer/more-renames 
Rename more APIs before we cut a release with longer-term API compatibility
 2020-11-02 18:34:26 -06:00
Ryan Richard 05cf56a0fa
Merge pull request #180 from vmware-tanzu/limits 
Add CPU/memory limits to our deployments
 2020-11-02 16:22:37 -08:00
Ryan Richard 5a0e7fd358 Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
Matt Moyer 2bf5c8b48b
Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 18:15:03 -06:00
Ryan Richard 05233963fb Add CPU requests and limits to the Concierge and Supervisor deployments 2020-11-02 15:47:20 -08:00
Matt Moyer 2b8773aa54
Rename OIDCProviderConfig to OIDCProvider. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:40:39 -06:00
Matt Moyer 59263ea733
Rename CredentialIssuerConfig to CredentialIssuer. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 17:39:42 -06:00
Matt Moyer b13a8075e4
Merge pull request #183 from vmware-tanzu/non-root 
Run as non-root
 2020-11-02 17:39:14 -06:00
Ryan Richard d596f8c3e5 Empty commit to trigger CI 2020-11-02 15:18:39 -08:00
Ryan Richard 75c35e74cc Refactor and add unit tests for previous commit to run agent pod as root 2020-11-02 15:03:37 -08:00
Matt Moyer e4f4cd7ca0
Merge pull request #181 from mattmoyer/add-psp-cluster-role-permission 
Give the concierge access to use any PodSecurityPolicy.
 2020-11-02 15:35:56 -06:00
Ryan Richard a01921012d
kubecertagent: explicitly run as root 
We need root here because the files that this pod reads are
most likely restricted to root access.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:33:46 -05:00
Ryan Richard 2e50e8f01b
hack/lib/tilt: run Tilt images with non-root user 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 16:32:50 -05:00
Matt Moyer 935577f8e7
Give the concierge access to use any PodSecurityPolicy. 
This is needed on clusters with PodSecurityPolicy enabled by default, but should be harmless in other cases.

This is generally needed because a restrictive PodSecurityPolicy will usually otherwise prevent the `hostPath` volume mount needed by the dynamically-created cert agent pod.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-02 15:10:00 -06:00
Ryan Richard 781f86d18c
deploy: add memory limits 
This is the beginning of a change to add cpu/memory limits to our pods.
We are doing this because some consumers require this, and it is generally
a good practice.

The limits == requests for "Guaranteed" QoS.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 14:57:39 -05:00
Andrew Keesler fcea48c8f9
Run as non-root 
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 12:51:15 -05:00
Andrew Keesler 7639d5e161
Merge pull request #178 from ankeesler/test-cleanup 
test/integration: protect from NPE and follow doc conventions
 2020-11-02 12:22:34 -05:00
Ryan Richard ab5c04b1f3
Merge pull request #176 from vmware-tanzu/agent_pod_additional_label_handling 
Handle custom labels better in the agent pod controllers
 2020-11-02 09:08:42 -08:00
Andrew Keesler fb3c5749e8
test/integration: protect from NPE and follow doc conventions 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-11-02 11:51:02 -05:00
Ryan Richard 7597b12a51 Small unit test changes for deleter_test.go 2020-11-02 08:40:39 -08:00
Matt Moyer 5bbfc35d27
Merge pull request #175 from mattmoyer/split-config-apis 
Split the config CRDs into two API groups.
 2020-10-30 19:42:03 -05:00
Ryan Richard f76b9857da Don't use custom labels when selecting an agent pod 
And delete the agent pod when it needs its custom labels to be
updated, so that the creator controller will notice that it is missing
and immediately create it with the new custom labels.
 2020-10-30 17:41:17 -07:00
Matt Moyer 9e1922f1ed
Split the config CRDs into two API groups. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 19:22:46 -05:00
Ryan Richard 01f4fdb5c3 Remove namespace from a ClusterRoleBinding, which are not namespaced 2020-10-30 16:10:04 -07:00
Andrew Keesler a5379c08e2 Whitespace-only change in two files 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-10-30 15:18:40 -07:00
Matt Moyer ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp 
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
 2020-10-30 15:50:39 -05:00
Ryan Richard 4b7592feaf Skip a part of an integration test which is not so easy with real Ingress 
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
 2020-10-30 13:19:34 -07:00
Matt Moyer 34da8c7877
Rename existing references to "IDP" and "Identity Provider". 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:12:01 -05:00
Matt Moyer f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer 0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 15:11:53 -05:00
Matt Moyer e69183aa8a
Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:40 -05:00
Matt Moyer 81390bba89
Rename `idp.pinniped.dev` to `idp.concierge.pinniped.dev`. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 14:07:39 -05:00
Matt Moyer 59431a3d3d
Merge pull request #173 from mattmoyer/parallel-codegen 
Do codegen across all version in parallel.
 2020-10-30 13:45:21 -05:00
Matt Moyer 9760c03617
Do codegen across all version in parallel. 
This only matters for local development, since we don't use this script directly in CI. Makes the full codegen ste take ~90s on my laptop.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 11:12:53 -05:00
Matt Moyer 8b8ffc21c4
Merge pull request #172 from mattmoyer/rename-login-api 
Rename login API to `login.concierge.pinniped.dev`.
 2020-10-30 10:23:45 -05:00
Matt Moyer f0320dfbd8
Rename login API to `login.concierge.pinniped.dev`. 
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-10-30 09:58:28 -05:00
Ryan Richard 3277e778ea Add a comment to an integration test 2020-10-29 15:42:22 -07:00
Ryan Richard 9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints 
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
 2020-10-28 17:15:11 -07:00
Ryan Richard 059b6e885f Allow ytt templating of the `loadBalancerIP` for the supervisor 2020-10-28 16:45:23 -07:00
Ryan Richard 4af508981a Make default TLS secret name from app name in supervisor_discovery_test.go 2020-10-28 16:11:19 -07:00