Commit Graph

3347 Commits

Author SHA1 Message Date
Margo Crawford
a8754b5658 Refactor: extract helper func from runGetKubeconfig()
- Reduces the cyclomatic complexity of the function

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-30 15:00:54 -07:00
Ryan Richard
1c66ffd5ff WIP: add supervisor upstream flags to pinniped get kubeconfig
- And perform auto-discovery when the flags are not set
- Several TODOs remain which will be addressed in the next commit

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-30 14:28:03 -07:00
Margo Crawford
ab94b97f4a Change login.go to use logr.logger 2021-04-30 12:10:04 -07:00
Margo Crawford
d6a172214d
Merge pull request #587 from vmware-tanzu/supervisor-gitlab-docs
Added documentation for how to configure the Supervisor with GitLab
2021-04-30 11:01:22 -07:00
Mo Khan
638fa7ba27
Merge pull request #592 from enj/enj/t/valueless_ctx_2
valuelesscontext: make unit tests more clear
2021-04-30 11:07:32 -04:00
Monis Khan
b5ffab6330
valuelesscontext: make unit tests more clear
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 10:43:29 -04:00
Mo Khan
8556a638a2
Merge pull request #591 from enj/enj/t/valueless_ctx
valuelesscontext: add some unit tests
2021-04-30 10:10:48 -04:00
Monis Khan
44c7f8daf0
valuelesscontext: add some unit tests
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-30 09:45:34 -04:00
Mo Khan
1efa4da80c
Merge pull request #590 from enj/enj/f/sa_authn_impersonation_proxy
impersonator: add support for service account token authentication
2021-04-29 17:53:27 -04:00
Monis Khan
62785674c3
impersonator: add support for service account token authentication
This change updates the impersonator logic to pass through requests
that authenticated via a bearer token that asserts a UID.  This
allows us to support service account tokens (as well as any other
form of token based authentication).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 17:30:35 -04:00
Mo Khan
9e4f601a3f
Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
2021-04-29 07:47:06 -04:00
Monis Khan
bb7e7fe81e
webhookcachefiller: be stricter about CA bundle validation
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-29 05:49:06 -04:00
Ryan Richard
10c4cb4493 Merge branch 'initial_ldap' into ldap-get-kubeconfig 2021-04-28 14:28:32 -07:00
Ryan Richard
36819989a3 Remove DryRunAuthenticationUsername from LDAPIdentityProviderSpec
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-04-28 14:26:57 -07:00
Margo Crawford
bed2d2dd62 Incorporated PR feedback 2021-04-28 13:34:36 -07:00
Ryan Richard
4bd83add35 Add Supervisor upstream IDP discovery on the server-side 2021-04-28 13:14:21 -07:00
Margo Crawford
90b2854032 Avoid using global logger in login.go 2021-04-28 09:34:42 -07:00
Ryan Richard
5c62a9d0bd More adjustments based on PR feedback 2021-04-27 16:54:26 -07:00
Margo Crawford
96fda6ed13 Added documentation for how to configure the Supervisor with GitLab 2021-04-27 16:18:30 -07:00
Ryan Richard
263a33cc85 Some updates based on PR review 2021-04-27 12:43:09 -07:00
Ryan Richard
b3b108500a Merge branch 'main' into initial_ldap 2021-04-27 10:12:43 -07:00
Ryan Richard
67a568811a Make prepare-for-integration-tests.sh work on linux too
- The linux base64 command is different, so avoid using it at all.
  On linux the default is to split the output into multiple lines,
  which messes up the integration-test-env file. The flag used to
  disable this behavior on linux ("-w0") does not exist on MacOS's
  base64.
- On debian linux, the latest version of Docker from apt-get still
  requires DOCKER_BUILDKIT=1 or else it barfs.
2021-04-27 10:10:02 -07:00
Matt Moyer
620a4d55b7
Merge pull request #584 from mattmoyer/fix-broken-readme-link
Fix a broken docs link in our README.
2021-04-26 13:23:35 -07:00
Matt Moyer
a52872cd03
Fix a broken docs link in our README.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 13:48:17 -06:00
Matt Moyer
0dfb3e95c5
Merge pull request #569 from mattmoyer/use-deployment-for-kube-cert-agent
Refactor kube-cert-agent controllers to use a Deployment.
2021-04-26 09:25:37 -07:00
Matt Moyer
e532a88647
Add a new "legacy pod cleaner" controller.
This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions.

They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
54a8297cc4
Add generated mocks for kubecertagent.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Matt Moyer
2843c4f8cb
Refactor kube-cert-agent controllers to use a Deployment.
This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there.

This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-26 08:19:45 -06:00
Ryan Richard
9b818dbf10 Remove another 10s sleep related to JWTAuthenticator initialization 2021-04-22 16:59:42 -07:00
Ryan Richard
6a350aa4e1 Fix some LDAP CA bundle handling
- Make PINNIPED_TEST_LDAP_LDAPS_CA_BUNDLE optional for integration tests
- When there is no CA bundle provided, be careful to use nil instead of
  an empty bundle, because nil means to use the OS defaults
2021-04-22 16:58:48 -07:00
Matt Moyer
cc51c72c12
Merge pull request #576 from ankeesler/prepare-webhook-script
hack: add prepare-webhook-on-kind.sh
2021-04-22 14:07:38 -07:00
Matt Moyer
0ab9927115
Merge branch 'main' into prepare-webhook-script 2021-04-22 13:05:55 -07:00
Matt Moyer
204c8e8dbc
Merge pull request #578 from mattmoyer/remove-unneeded-test-sleep
Remove unneeded sleeps in TestE2EFullIntegration and jwtcachefiller tests.
2021-04-22 12:59:40 -07:00
Matt Moyer
638d9235a2
Remove unneeded OIDC-related sleeps in tests.
Now that we have the fix from https://github.com/kubernetes/kubernetes/pull/97693, we no longer need these sleeps.
The underlying authenticator initialization is still asynchronous, but should happen within a few milliseconds.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-22 10:25:44 -05:00
Andrew Keesler
81a4c84f46
Merge pull request #579 from ankeesler/log-level
internal/kubeclient: match plog level with klog level
2021-04-21 17:37:41 -04:00
Andrew Keesler
9f509d3f13
internal/kubeclient: match plog level with klog level
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-21 16:25:08 -04:00
Margo Crawford
5f3eab2538 Fix expected number of log lines in TestCLILoginOIDC 2021-04-21 13:05:32 -07:00
Margo Crawford
c45d48d027 Change test log expectations 2021-04-21 10:58:48 -07:00
Margo Crawford
09560fd8dc Log lines about using cached credential 2021-04-21 09:02:45 -07:00
Margo Crawford
264778113d lookupEnv in oidclogin same as for static 2021-04-21 09:02:45 -07:00
Margo Crawford
b5889f37ff WIP on new plog 2021-04-21 09:02:45 -07:00
Margo Crawford
45e4695444 Unset pinniped debug environment variable at end of integration test
Also log when setting the debug log level fails
2021-04-21 09:02:45 -07:00
Margo Crawford
6a21499ed3 Add check for number of log lines. 2021-04-21 09:02:45 -07:00
Margo Crawford
211d4fd0b6 Add more logging, integration test checks that debug flag works. 2021-04-21 09:02:45 -07:00
Margo Crawford
8ffd9fdc4e Started debug logging. 2021-04-21 09:02:45 -07:00
Ryan Richard
ddc632b99c Show the error_description when it is included in authorization response 2021-04-19 18:08:52 -07:00
Ryan Richard
c176d15aa7 Add Supervisor upstream LDAP login to the Pinniped CLI
- Also enhance prepare-supervisor-on-kind.sh to allow setup of
  a working LDAP upstream IDP.
2021-04-19 17:59:46 -07:00
Mo Khan
d76ac56df2
Merge pull request #573 from enj/enj/f/nested_impersonation
impersonation proxy: add nested impersonation support
2021-04-19 17:46:10 -04:00
Andrew Keesler
d86b24ca2f
hack: add prepare-webhook-on-kind.sh
Inspired from 7bb5657c4d. I used this to help accept 2 stories today.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-19 16:10:20 -04:00
Monis Khan
73716f1b91
Ignore client-side throttling in kubectl stderr
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-19 15:52:47 -04:00