Andrew Keesler
fcea48c8f9
Run as non-root
...
I tried to follow a principle of encapsulation here - we can still default to
peeps making connections to 80/443 on a Service object, but internally we will
use 8080/8443.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 12:51:15 -05:00
Andrew Keesler
fb3c5749e8
test/integration: protect from NPE and follow doc conventions
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 11:51:02 -05:00
Matt Moyer
9e1922f1ed
Split the config CRDs into two API groups.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 19:22:46 -05:00
Matt Moyer
ad95bb44b0
Merge pull request #174 from mattmoyer/rename-webhook-idp
...
Rename webhook configuration CRD "WebhookAuthenticator" in group "authentication.concierge.pinniped.dev".
2020-10-30 15:50:39 -05:00
Ryan Richard
4b7592feaf
Skip a part of an integration test which is not so easy with real Ingress
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-30 13:19:34 -07:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
f3a83882a4
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
0f25657a35
Rename WebhookIdentityProvider to WebhookAuthenticator.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:11:53 -05:00
Matt Moyer
e69183aa8a
Rename idp.concierge.pinniped.dev to authentication.concierge.pinniped.dev.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:40 -05:00
Matt Moyer
81390bba89
Rename idp.pinniped.dev to idp.concierge.pinniped.dev.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 14:07:39 -05:00
Matt Moyer
f0320dfbd8
Rename login API to login.concierge.pinniped.dev.
...
This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 09:58:28 -05:00
Ryan Richard
3277e778ea
Add a comment to an integration test
2020-10-29 15:42:22 -07:00
Ryan Richard
9c13b7144e
Merge pull request #170 from vmware-tanzu/oidc_https_endpoints
...
Add HTTPS endpoints for OIDC providers, and terminate TLS with the configured certificates
2020-10-28 17:15:11 -07:00
Ryan Richard
4af508981a
Make default TLS secret name from app name in supervisor_discovery_test.go
2020-10-28 16:11:19 -07:00
Ryan Richard
a007fc3bd3
Form paths correctly when the path arg is empty in supervisor_discovery_test.go
2020-10-28 15:22:53 -07:00
Ryan Richard
c52874250a
Fix a mistake in supervisor_discovery_test.go
...
- Should not fail when the default TLS cert does not exist in the
test cluster before the test started
2020-10-28 14:25:01 -07:00
Andrew Keesler
bd04570e51
supervisor_discovery_test.go tests hostnames are treated as case-insensitive
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 13:09:20 -07:00
Ryan Richard
8ff64d4c1a
Require https scheme for OIDCProviderConfig Issuer field
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 12:49:41 -07:00
Andrew Keesler
2542a8e175
Stash and restore any pre-existing default TLS cert in supervisor_discovery_test.go
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-28 12:32:21 -07:00
Ryan Richard
29e0ce5662
Configure name of the supervisor default TLS cert secret via ConfigMap
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 11:56:50 -07:00
Ryan Richard
978ecda758
Test SNI & default certs being used at the same time in integration test
2020-10-28 08:58:50 -07:00
Ryan Richard
38802c2184
Add a way to set a default supervisor TLS cert for when SNI won't work
...
- Setting a Secret in the supervisor's namespace with a special name
will cause it to get picked up and served as the supervisor's TLS
cert for any request which does not have a matching SNI cert.
- This is especially useful for when there is no DNS record for an
issuer and the user will be accessing it via IP address. This
is not how we would expect it to be used in production, but it
might be useful for other cases.
- Includes a new integration test
- Also suppress all of the warnings about ignoring the error returned by
Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 16:33:08 -07:00
Ryan Richard
1f1b6c884e
Add integration test: supervisor TLS termination and SNI virtual hosting
...
- Also reduce the minimum allowed TLS version to v1.2, because v1.3
is not yet supported by some common clients, e.g. the default MacOS
curl command
2020-10-27 14:57:25 -07:00
Matt Moyer
7615667b9b
Update TestCLILoginOIDC to use new non-alpha login command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:42 -05:00
Andrew Keesler
110c72a5d4
dynamiccertauthority: fix cert expiration test failure
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-23 15:34:25 -04:00
Matt Moyer
07001e5ee3
Extend TestCLILoginOIDC to test refresh flow.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Matt Moyer
ce598eb58e
Fix a timeout in TestCLILoginOIDC that was accidentally shortened in 0adbb5234e.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 11:49:04 -05:00
Matt Moyer
fe3b44b134
Add some verbose logging to TestCLILoginOIDC.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 10:33:37 -05:00
Ryan Richard
122f7cffdb
Make the supervisor healthz endpoint public
...
Based on our experiences today with GKE, it will be easier for our users
to configure Ingress health checks if the healthz endpoint is available
on the same public port as the OIDC endpoints.
Also add an integration test for the healthz endpoint now that it is
public.
Also add the optional `containers[].ports.containerPort` to the
supervisor Deployment because the GKE docs say that GKE will look
at that field while inferring how to invoke the health endpoint. See
https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#def_inf_hc
2020-10-21 15:24:58 -07:00
Matt Moyer
0adbb5234e
Extend TestCLILoginOIDC to test ID token caching behavior.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 15:02:42 -05:00
Ryan Richard
52ebd77527
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests
...
- Not used by any of our integration test clusters yet
- Planning to use it later for the kind clusters and maybe for
the acceptance clusters too (although the acceptance clusters might
not need to use self-signed certs so maybe not)
2020-10-20 16:46:33 -07:00
Ryan Richard
ec21fc8595
Also delete the final OIDCProviderConfig made by an integration test
...
- It didn't matter before because it would be cleaned up by a
t.Cleanup() function, but now that we might loop twice it will matter
during the second time through the loop
2020-10-20 15:59:25 -07:00
Ryan Richard
276dff5772
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS
...
- We plan to use this on acceptance clusters
- We also plan to use this for a future story in the kind-based tests,
but not yet
2020-10-20 15:57:10 -07:00
Ryan Richard
90235418b9
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 15:22:03 -07:00
Ryan Richard
9ba93d66c3
test/integration: prefactoring for testing virtual hosts
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 17:00:36 -04:00
Ryan Richard
4da64f38b5
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 12:21:18 -07:00
Andrew Keesler
617c5608ca
Supervisor controllers apply custom labels to JWKS secrets
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-15 12:40:56 -07:00
Ryan Richard
f8e461dfc3
Merge branch 'main' into label_every_resource
2020-10-15 10:19:03 -07:00
Ryan Richard
94f20e57b1
Concierge controllers add labels to all created resources
2020-10-15 10:14:23 -07:00
Andrew Keesler
e05213f9dd
supervisor-generate-key: use EC keys instead of RSA
...
EC keys are smaller and take less time to generate. Our integration
tests were super flakey because generating an RSA key would take up to
10 seconds *gasp*. The main token verifier that we care about is
Kubernetes, which supports P256, so hopefully it won't be that much of
an issue that our default signing key type is EC. The OIDC spec seems
kinda squirmy when it comes to using non-RSA signing algorithms...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 11:33:08 -04:00
Andrew Keesler
5a0dab768f
test/integration: remove unused function (see 31225ac7a)
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:26:15 -04:00
Andrew Keesler
31225ac7ae
test/integration: reuse CreateTestOIDCProvider helper
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 09:09:49 -04:00
Andrew Keesler
76e89b523b
Merge remote-tracking branch 'upstream/main' into generate-jwk-key
2020-10-14 17:40:17 -04:00
Andrew Keesler
c030551af0
supervisor-generate-key: unit and integration tests
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-14 16:41:16 -04:00
Matt Moyer
68d20298f2
Fix chromedriver usage inside our test container.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 13:18:11 -05:00
Matt Moyer
19a1d569c9
Restructure this test to avoid data races.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 12:28:08 -05:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00
Matt Moyer
50d80489be
Add initial CLI integration test for OIDC login.
...
This is our first test using a real browser to interact with an upstream provider.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:41:53 -05:00
Matt Moyer
8a16a92c01
Rename some existing CLI test code.
...
It will no longer be the only CLI test, so the names should be a bit more specific.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:25:39 -05:00
Ryan Richard
34549b779b
Make tilt work with the supervisor app and add more uninstall testing
...
- Also continue renaming things related to the concierge app
- Enhance the uninstall test to also test uninstalling the supervisor
and local-user-authenticator apps
2020-10-09 14:25:34 -07:00