Commit Graph

3397 Commits

Author SHA1 Message Date
Matt Moyer
193fcb87bb
Fix a typo on the "Community Meetings" time.
We had "PT" twice, when one of them should have been "ET".
2021-06-02 11:05:29 -05:00
Ryan Richard
a08e4ec043
Update architecture.md 2021-06-02 08:54:04 -07:00
Matt Moyer
e38a7548cc
Link the v0.9.0 release from the blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:24:17 -05:00
Pinny
b5dea42bbe Update CLI docs for v0.9.0 release 2021-06-02 15:22:13 +00:00
Matt Moyer
d06fe15a68
Merge pull request #655 from mattmoyer/update-docs-for-v0.9.0
Update docs for v0.9.0
2021-06-02 10:07:02 -05:00
Matt Moyer
e6301f0e74
Update latest version number in docs.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:05:07 -05:00
Matt Moyer
aca33e45fb
Fix blog post date to match actual v0.9.0 release.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 10:02:59 -05:00
Matt Moyer
46825b1c9f
Merge pull request #653 from mattmoyer/fix-impersonation-test-flake
Fix another impersonation test flake related to `kubectl logs --tail` line count + test refactor.
2021-06-01 16:51:16 -05:00
Matt Moyer
2ee3cec5ed
Refactor TestImpersonationProxy "apply annotation" test for clarity.
This test felt overly complex and some of the cleanup logic wasn't 100% correct (it didn't clean up in all cases).

The new code is essentially the same flow but hopefully easier to read.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
75d92079e4
Allow some flexibility in "kubectl logs --tail=10" test.
We see that occasionally kubectl returns 11 lines (probably related to https://github.com/kubernetes/kubernetes/issues/72628).

This test doesn't need to be so picky, so now it allows +/- one line from the expected count.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 15:50:51 -05:00
Matt Moyer
0be77c3bf2
Merge pull request #651 from vmware-tanzu/dependabot/go_modules/github.com/creack/pty-1.1.13
Bump github.com/creack/pty from 1.1.12 to 1.1.13
2021-06-01 15:50:38 -05:00
dependabot[bot]
d4a6a61560
Bump github.com/creack/pty from 1.1.12 to 1.1.13
Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.12 to 1.1.13.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.12...v1.1.13)

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-01 20:15:47 +00:00
Ryan Richard
abc3df8df9
Merge pull request #637 from vmware-tanzu/ldap_docs
LDAP docs
2021-06-01 12:59:58 -07:00
Ryan Richard
5932bce54d
Merge branch 'main' into ldap_docs 2021-06-01 12:59:38 -07:00
Matt Moyer
41ff3e0917
Merge pull request #652 from mattmoyer/fix-impersonation-test-flake
In TestImpersonationProxy tests, avoid mutating anything in parallel block of tests.
2021-06-01 14:41:07 -05:00
Matt Moyer
f62c6e806d
In TestImpersonationProxy tests, avoid mutating anything in parallel block of tests.
We had this one test that mutated the CredentialIssuer, which could cause the impersonation proxy to blip on one or both of the running concierge pods. This would sometimes break other concurrently running tests.

Instead, this bit of code is split into a separate non-concurrent test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-01 14:02:27 -05:00
Ryan Richard
79e3980f1f Fix nil function deference in an integration test from previous commit 2021-05-28 17:06:01 -07:00
Ryan Richard
8f2e8b8a6c
Merge branch 'main' into ldap_docs 2021-05-28 16:20:02 -07:00
Ryan Richard
e4fda80fcc
Merge pull request #650 from mattmoyer/do-not-log-usernames-that-might-be-passwords
In LDAP, do not log username until we know the user exists.
2021-05-28 16:16:32 -07:00
Ryan Richard
5263e0bae5
Merge branch 'main' into do-not-log-usernames-that-might-be-passwords 2021-05-28 16:16:01 -07:00
Ryan Richard
b8205006ca Enable skipping of LDAP int tests when a firewall will block them 2021-05-28 16:13:20 -07:00
Matt Moyer
7ee1f8c441
In LDAP, do not log username until we know the user exists.
This prevents accidentally logging a password if the user enters it into the username field by mistake.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 16:57:48 -05:00
Ryan Richard
854903c4ed
Merge pull request #649 from vmware-tanzu/change_ldap_groupname_default
Default `groupSearch.attributes.groupName` to "dn" instead of "cn" in LDAPIdentityProvider spec
2021-05-28 14:04:37 -07:00
Ryan Richard
cedbe82bbb Default groupSearch.attributes.groupName to "dn" instead of "cn"
- DNs are more unique than CNs, so it feels like a safer default
2021-05-28 13:27:11 -07:00
Matt Moyer
a741041737
Merge pull request #648 from mattmoyer/2021-05-28-dep-upgrades
Upgrade Go dependencies (fosite and klog).
2021-05-28 14:31:58 -05:00
Matt Moyer
83f418e7f2
Upgrade k8s.io/klog/v2 to v2.9.0.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Matt Moyer
e25de9e559
Update ID token tests for latest Fosite.
The new version has different behavior for the `nonce` claim, which is now omitted if it would be empty (see https://github.com/ory/fosite/pull/570).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Matt Moyer
87c7e89b13
Upgrade github.com/ory/fosite to v0.40.2.
This required a weird hack because some of the Fosite tests (or a transitive dependency of them) depends on a newer version of gRPC that's incompatible with the Kubernetes runtime version we use. It wasn't as simple as just replacing the gRPC module with an older version, because in the latest versions of gRPC, they split out the "examples" packages into their own module. This new module name doesn't exist at the old version.

Ultimately, the workaround was to make a fake "examples" module locally. This module can be empty because we never actually depend on that code (it's only used in transitive dependency tests).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-28 12:53:37 -05:00
Ryan Richard
4722422aae Fix OIDC assertion bug in TestSupervisorLogin introduced by LDAP branch 2021-05-28 10:37:46 -07:00
Matt Moyer
a39b328778
Merge pull request #626 from vmware-tanzu/credentialissuer-spec-api
Add spec fields to Credentialissuer API to configure impersonation proxy behavior
2021-05-27 17:48:45 -05:00
Matt Moyer
343238fa9b
Merge branch 'credentialissuer-spec-api-docs' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 17:12:08 -05:00
Matt Moyer
a69fe68362
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 17:11:40 -05:00
Matt Moyer
01713c7ce1
Don't reconcile Service ports in impersonatorconfig.
These are tricky because a real load balancer controller (e.g., on GKE) will overwrite and set NodePort, so we can't blindly set the desired state of this fields.

For now, we will just skip reconciling these. In the future, we could be more clever about merging them together with the current state.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-27 17:10:25 -05:00
Matt Moyer
ab750f48aa
When merging CredentialIssuer updates, don't overwrite LastUpdated.
If the only thing that has changed about a strategy is the LastUpdated timestamp, then we should not update the object.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-05-27 17:09:12 -05:00
Ryan Richard
d7d8630e08 Merge branch 'main' into ldap_docs 2021-05-27 14:30:02 -07:00
Ryan Richard
cd7f5741d8 Incorporate feedback into LDAP blog post 2021-05-27 14:29:40 -07:00
Ryan Richard
c8dc03b06a
Merge pull request #647 from vmware-tanzu/ldap_binary_uids
Use base64 binary-encoded value as UID for LDAP
2021-05-27 14:28:21 -07:00
Ryan Richard
83001d8cce Fix typo in LDAP blog post 2021-05-27 14:13:07 -07:00
Ryan Richard
d2251d2ea7 Use base64 binary-encoded value as UID for LDAP
This is to allow the use of binary LDAP entry attributes as the UID.
For example, a user might like to configure AD’s objectGUID or maybe
objectSid attributes as the UID attribute.

This negatively impacts the readability of the UID when it did not come
from a binary value, but we're considering this an okay trade-off to
keep things simple for now. In the future, we may offer more
customizable encoding options for binary attributes.

These UIDs are currently only used in the downstream OIDC `sub` claim.
They do not effect the user's identity on the Kubernetes cluster,
which is only based on their mapped username and group memberships from
the upstream identity provider. We are not currently supporting any
special encoding for those username and group name LDAP attributes, so
their values in the LDAP entry must be ASCII or UTF-8 in order for them
to be interpreted correctly.
2021-05-27 13:47:10 -07:00
Margo Crawford
f330b52076 Update values.yaml to include CredentialIssuer ImpersonationProxy spec. 2021-05-27 13:36:18 -07:00
Matt Moyer
af2af567be
Merge branch 'main' of github.com:vmware-tanzu/pinniped into credentialissuer-spec-api 2021-05-27 15:13:36 -05:00
Ryan Richard
ec2956d54e Forgot to mention the CLI in the LDAP blog post 2021-05-27 13:05:45 -07:00
Ryan Richard
35cf1a00c8
Merge pull request #643 from vmware-tanzu/ldap_base_in_sub
Add user search base to downstream subject for upstream LDAP
2021-05-27 12:23:27 -07:00
Ryan Richard
0d43105759 Blog post for LDAP release 2021-05-27 12:06:01 -07:00
Matt Moyer
67d5c91713
Wait for successful TCR in TestImpersonationProxy.
This test setup should tolerate when the TokenCredentialRequest API isn't quite ready to authenticate the user or issue a cert.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 13:03:07 -05:00
Ryan Richard
81148866e0 URL query escape the upstream OIDC subject in the downstream subject URL 2021-05-27 09:25:48 -07:00
Matt Moyer
349d3dad83
Make temporary errors return Pending in impersonatorconfig.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 11:13:10 -05:00
Matt Moyer
049abfb94c
Remove a "fail fast" check from TestImpersonationProxy.
This check is no longer valid, because there can be ephemeral, recoverable errors that show as ErrorDuringSetup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-27 09:22:47 -05:00
Ryan Richard
033e1f0399 Add user search base to downstream subject for upstream LDAP
- Also add some tests about UTF-8 characters in LDAP attributes
2021-05-26 17:04:20 -07:00
Margo Crawford
d2d0dae4ed Wait for credentialissuer to be updated and always use proxy on clusterip test 2021-05-26 15:58:46 -07:00