Matt Moyer
e8113e3770
Add basic caching framework to ./internal/oidclient package.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:14:16 -05:00
Matt Moyer
7f6a82aa91
Refactor and rename ./internal/oidcclient/login to ./internal/oidcclient.
2020-10-21 13:07:21 -05:00
Matt Moyer
4ef41f969d
Add a util helper for marking a CLI flag as hidden.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 13:07:21 -05:00
Andrew Keesler
3e39800005
Merge pull request #164 from vmware-tanzu/virtual-hosts
...
Virtual hosts integration test
2020-10-21 09:16:59 -04:00
Ryan Richard
52ebd77527
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests
...
- Not used by any of our integration test clusters yet
- Planning to use it later for the kind clusters and maybe for
the acceptance clusters too (although the acceptance clusters might
not need to use self-signed certs so maybe not)
2020-10-20 16:46:33 -07:00
Ryan Richard
ec21fc8595
Also delete the final OIDCProviderConfig made by an integration test
...
- It didn't matter before because it would be cleaned up by a
t.Cleanup() function, but now that we might loop twice it will matter
during the second time through the loop
2020-10-20 15:59:25 -07:00
Ryan Richard
276dff5772
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS
...
- We plan to use this on acceptance clusters
- We also plan to use this for a future story in the kind-based tests,
but not yet
2020-10-20 15:57:10 -07:00
Ryan Richard
90235418b9
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 15:22:03 -07:00
Ryan Richard
9ba93d66c3
test/integration: prefactoring for testing virtual hosts
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 17:00:36 -04:00
Ryan Richard
aff85acf37
Merge pull request #163 from vmware-tanzu/discovery_jwks
...
Implement per-issuer OIDC JWKS endpoint
2020-10-19 13:00:49 -07:00
Ryan Richard
4da64f38b5
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 12:21:18 -07:00
Ryan Richard
d9d76726c2
Implement per-issuer OIDC JWKS endpoint
2020-10-16 17:51:40 -07:00
Ryan Richard
08659a6583
Merge pull request #158 from vmware-tanzu/label_every_resource
...
Custom labels can to be applied to all k8s resources created by Pinniped
2020-10-15 14:02:29 -07:00
Andrew Keesler
e2630be00a
Update feature proposal template to work for users and contributors
2020-10-15 17:01:24 -04:00
Andrew Keesler
8fe031e73d
Do not copy pkg directory in Dockerfile
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 13:31:16 -07:00
Andrew Keesler
617c5608ca
Supervisor controllers apply custom labels to JWKS secrets
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 12:40:56 -07:00
Andrew Keesler
dda3c21a8e
Add missing parenthesis to bug report template
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 14:07:43 -04:00
Ryan Richard
f8e461dfc3
Merge branch 'main' into label_every_resource
2020-10-15 10:19:03 -07:00
Ryan Richard
94f20e57b1
Concierge controllers add labels to all created resources
2020-10-15 10:14:23 -07:00
Andrew Keesler
943286bbc6
Merge pull request #157 from ankeesler/generate-jwk-key
...
Pinniped federation server generates and persists a JWT signing key
2020-10-15 11:55:22 -04:00
Andrew Keesler
e05213f9dd
supervisor-generate-key: use EC keys intead of RSA
...
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 11:33:08 -04:00
Andrew Keesler
5a0dab768f
test/integration: remove unused function (see 31225ac7a
)
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:26:15 -04:00
Andrew Keesler
fbcce700dc
Fix whitespace/spelling nits in JWKS controller
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:22:17 -04:00
Andrew Keesler
a5abe9ca3e
hack/lib/tilt: fix deployment change leftover from c030551a
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:20:09 -04:00
Andrew Keesler
1b99983441
apis: fix indentation in Go type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:19:00 -04:00
Andrew Keesler
31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:09:49 -04:00
Andrew Keesler
f21122a309
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-15 07:51:15 -04:00
Andrew Keesler
aef25163e2
Get rid of an extra dependency from c030551
...
I brought this over because I copied code from work in flight on
another branch. But now the other branch doesn't use this package.
No use bringing on another dependency if we can avoid it.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 07:51:07 -04:00
Andrew Keesler
87c7e9a556
hack/prepare-for-integration-tests.sh: default COLORTERM for when not set
...
Signed-off-by: Andrew Keesler <ankeesler1@gmail.com>
2020-10-14 20:18:10 -04:00
Ryan Richard
c05bdb58ac
Merge branch 'main' into label_every_resource
2020-10-14 16:24:51 -07:00
Ryan Richard
84a0084703
Tilefile watches for changes in ytt templates
...
- When using `local()` in the Tiltfile it will not know
to watch those files for changes, so each time we use
`local()` we now also use `watch_file()`
- As a result, editing a ytt template file now causes
an immediate `kubectl apply` of the results
2020-10-14 16:21:40 -07:00
Ryan Richard
1301018655
Support installing concierge and supervisor into existing namespace
...
- New optional ytt value called `into_namespace` means install into that
preexisting namespace rather than creating a new namespace for each app
- Also ensure that every resource that is created statically by our yaml
at install-time by either app is labeled consistently
- Also support adding custom labels to all of those resources from a
new ytt value called `custom_labels`
2020-10-14 15:05:42 -07:00
Andrew Keesler
76e89b523b
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-14 17:40:17 -04:00
Andrew Keesler
c030551af0
supervisor-generate-key: unit and integration tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 16:41:16 -04:00
Matt Moyer
cd970616da
Merge pull request #149 from mattmoyer/oidc-cli-part-2
...
Finish initial OIDC CLI client implementation.
2020-10-14 13:40:12 -05:00
Matt Moyer
68d20298f2
Fix chromedriver usage inside our test container.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 13:18:11 -05:00
Matt Moyer
19a1d569c9
Restructure this test to avoid data races.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 12:28:08 -05:00
Ryan Richard
a197a26335
Change community meeting time
...
And some other general cleanup
2020-10-14 09:54:09 -07:00
Andrew Keesler
6aed025c79
supervisor-generate-key: initial spike
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:47:34 -04:00
Andrew Keesler
aa705afc72
hack/tilt-up.sh: let folks specify tilt flags
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:22:21 -04:00
Andrew Keesler
3d5937a8e8
deploy/supervisor: type: eaxmple -> example
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 09:22:15 -04:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00
Matt Moyer
50d80489be
Add initial CLI integration test for OIDC login.
...
This is our first test using a real browser to interact with an upstream provider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:41:53 -05:00
Matt Moyer
8a16a92c01
Rename some existing CLI test code.
...
It will no longer be the only CLI test, so the names should be a bit more specific.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:25:39 -05:00
Matt Moyer
d1e86e2616
Rename "TestClusterCapability" to more generic "Capability."
...
This will be used for other types of "capabilities" of the test environment besides just those of the test cluster, such as those of an upstream OIDC provider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 09:13:40 -05:00
Matt Moyer
67b692b11f
Implement the rest of an OIDC client CLI library.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
ce49d8bd7b
Remove the --use-pkce flag and just always use it.
...
Based on the spec, it seems like it's required that OAuth2 servers which do not support PKCE should just ignore the parameters, so this should always work.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Matt Moyer
a13d7ec5a1
Remove temporary --debug-auth-code-exchange flag for OIDC client CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-12 16:41:46 -05:00
Ryan Richard
478b0a0fd8
Add supervisor yaml and rename concierge yaml in release process
...
Add install-pinniped-supervisor.yaml and rename install-pinniped.yaml
to install-pinniped-concierge.yaml in the release process and
installation/demo documentation.
2020-10-12 09:43:52 -07:00
Ryan Richard
ff545db869
Merge pull request #148 from vmware-tanzu/supervisor-with-discovery
...
Beginning of a Pinniped Supervisor Server, starting with an OIDC Discovery Endpoint
2020-10-09 18:58:15 -07:00