Commit Graph

655 Commits

Author SHA1 Message Date
Matt Moyer
fabc08b01b
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-24 15:49:13 -05:00
Margo Crawford
5de9bac4ac Oof... good I wrote an integration test because that's not how updating works!
Now updating the existing service in kubernetes but with the new
annotations
2021-05-24 09:41:49 -07:00
Margo Crawford
150e879a68 Add tests for deleting services 2021-05-21 13:47:06 -07:00
Margo Crawford
b4bb0db6e5 Refactor some shared code between load balancer and cluster ip creation 2021-05-21 09:57:46 -07:00
Margo Crawford
4606f1d8bd More error handling for cluster ip 2021-05-20 16:21:10 -07:00
Margo Crawford
599d70d6dc Wire generatedClusterIPServiceName through from NamesConfig 2021-05-20 14:11:35 -07:00
Ryan Richard
901ddd1870 Merge branch 'main' into ldap_starttls 2021-05-20 13:40:56 -07:00
Ryan Richard
8b549f66d4 Add integration test for LDAP StartTLS 2021-05-20 13:39:48 -07:00
Ryan Richard
7e76b66639 LDAP upstream watcher controller tries using both TLS and StartTLS
- Automatically try to fall back to using StartTLS when using TLS
  doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keeping using that one
  in the future (unless the pod restarts).
2021-05-20 12:46:33 -07:00
Ryan Richard
fff90ed2ca
Merge branch 'main' into initial_ldap_group_support 2021-05-20 12:36:04 -07:00
Margo Crawford
62651eddb0 Took care of some impersonation cluster ip related todos 2021-05-20 11:57:07 -07:00
Matt Moyer
ec25259901
Update impersonatorconfig controller to use new CredentialIssuer update helper.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-20 12:26:07 -05:00
Matt Moyer
e4dd83887a
Merge remote-tracking branch 'origin/main' into credentialissuer-spec-api 2021-05-20 10:53:53 -05:00
Ryan Richard
025b37f839 upstreamldap.New() now supports a StartTLS config option
- This enhances our LDAP client code to make it possible to optionally
  dial an LDAP server without TLS and then use StartTLS to upgrade
  the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
  yet. That will come in a future commit.
2021-05-19 17:17:44 -07:00
Margo Crawford
63c39454f6 WIP on impersonation clusterip service 2021-05-19 17:00:28 -07:00
Matt Moyer
657488fe90
Create CredentialIssuer at install, not runtime.
Previously, our controllers would automatically create a CredentialIssuer with a singleton name. The helpers we had for this also used "raw" client access and did not take advantage of the informer cache pattern.

With this change, the CredentialIssuer is always created at install time in the ytt YAML. The controllers now only update the existing CredentialIssuer status, and they do so using the informer cache as much as possible.

This change is targeted at only the kubecertagent controller to start. The impersonatorconfig controller will be updated in a following PR along with other changes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 17:15:25 -05:00
Margo Crawford
9e61640c92 LoadBalancerIP updated dynamically 2021-05-19 14:16:15 -07:00
Ryan Richard
424c112bbc Merge branch 'main' into initial_ldap_group_support 2021-05-19 13:12:17 -07:00
Margo Crawford
0b66321902 Changes to make the linter pass 2021-05-19 11:05:35 -07:00
Matt Moyer
297a484948
Add more validation and update tests for impersonationProxy as pointer.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-19 12:42:31 -05:00
Margo Crawford
94c370ac85 Annotations for impersonation load balancer 2021-05-18 16:54:59 -07:00
Margo Crawford
eaea3471ec Validation for service type none and external endpoint none
Also added a few more test cases for provisioning a load balancer
2021-05-18 13:50:52 -07:00
Matt Moyer
4a785e73e6
WIP fixing impersonatorconfig tests 2021-05-18 14:54:04 -05:00
Margo Crawford
51f1a0ec13 WIP: not using impersonator.config just credentialissuer directly
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 12:16:27 -07:00
Matt Moyer
18ccf11905 Update impersonatorconfig controller to use CredentialIssuer API instead of ConfigMap.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-18 09:50:35 -07:00
Monis Khan
35479e2978
cred req: disallow lossy user info translations
Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-17 19:03:44 -04:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
2021-05-17 11:10:26 -07:00
Ryan Richard
f5bf8978a3 Cache ResourceVersion of the validated bind Secret in memory
...instead of caching it in the text of the Condition message
2021-05-13 15:22:36 -07:00
Ryan Richard
514ee5b883 Merge branch 'main' into initial_ldap 2021-05-13 14:24:10 -07:00
Margo Crawford
39d7f8b6eb
Merge pull request #614 from vmware-tanzu/gc-bug-tests
Tests for garbage collection behavior for access and refresh tokens
2021-05-13 13:08:07 -07:00
Ryan Richard
67dca688d7 Add an API version to the Supervisor IDP discovery endpoint
Also rename one of the new functional opts in login.go to more
accurately reflect the intention of the opt.
2021-05-13 10:05:56 -07:00
Margo Crawford
b391d5ae02 Also check that the authcode storage is around for a while 2021-05-12 14:22:14 -07:00
Ryan Richard
29ca8acab4 oidc_upstream_watcher.go: two methods become private funcs 2021-05-12 14:05:08 -07:00
Ryan Richard
1ae3c6a1ad Split package upstreamwatchers into four packages 2021-05-12 14:00:39 -07:00
Ryan Richard
22092e9aed Missed a usage of int64Ptr in previous commit 2021-05-12 14:00:26 -07:00
Margo Crawford
874f938fc7 unit test for garbage collection time for refresh and access tokens 2021-05-12 13:55:54 -07:00
Ryan Richard
4804c837d4 Insignificant change in ldap_upstream_watcher_test.go 2021-05-12 13:37:01 -07:00
Ryan Richard
f0652c1ce1 Replace all usages of strPtr() with pointer.StringPtr() 2021-05-12 13:20:00 -07:00
Ryan Richard
044443f315 Rename X-Pinniped-Idp-* headers to Pinniped-*
See RFC6648 which asks that people stop using `X-` on header names.
Also Matt preferred not mentioning "IDP" in the header name.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 13:06:08 -07:00
Ryan Richard
3008d1a85c Log slow LDAP authentication attempts for debugging purposes 2021-05-12 11:59:48 -07:00
Ryan Richard
f98aa96ed3 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-05-11 11:10:25 -07:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Ryan Richard
e25eb05450 Move Supervisor IDP discovery to its own new endpoint 2021-05-11 10:31:33 -07:00
Mo Khan
56d316e8d3
upstreamwatcher: do not truncate explicit oidc errors
This change makes it easier to understand misconfigurations caused
by issuers with extraneous trailing slashes.

Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-10 01:45:19 -04:00
Mo Khan
7ece196893
upstreamwatcher: preserve oidc discovery error
Signed-off-by: Mo Khan <mok@vmware.com>
2021-05-07 16:35:12 -04:00
Margo Crawford
5240f5e84a Change access token storage lifetime to be the same as the refresh token's
to avoid garbage collection breaking the refresh flow
Also changed the access token lifetime to be 2 minutes instead of 15
since we now have cert caching.
2021-05-06 13:14:20 -07:00
Margo Crawford
1a2940c278
Merge pull request #560 from vmware-tanzu/client-debug-logging
Client debug logging
2021-05-04 13:46:47 -07:00
Monis Khan
4ce77c4837
supervisor gc: use singleton queue
The supervisor treats all events the same hence it must use a
singleton queue.

Updated the integration test to remove the data race caused by
calling methods on testing.T outside of the main test go routine.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-05-04 14:44:55 -04:00
Matt Moyer
165bef7809
Split out kube-cert-agent service account and bindings.
Followup on the previous comment to split apart the ServiceAccount of the kube-cert-agent and the main concierge pod. This is a bit cleaner and ensures that in testing our main Concierge pod never requires any privileged permissions.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-04 10:09:33 -05:00
Matt Moyer
b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount.
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00