Commit Graph

1754 Commits

Author SHA1 Message Date
Ryan Richard
fec3d92f26 Add integration test for upstreamldap.Provider
- The unit tests for upstreamldap.Provider need to mock the LDAP server,
  so add an integration test which allows us to get fast feedback for
  this code against a real LDAP server.
- Automatically wrap the user search filter in parenthesis if it is not
  already wrapped in parens.
- More special handling for using "dn" as the username or UID attribute
  name.
- Also added some more comments to types_ldapidentityprovider.go.tmpl
2021-04-13 15:23:14 -07:00
Ryan Richard
7b8c86b38e Handle error cases during LDAP user search and bind 2021-04-13 08:38:04 -07:00
Ryan Richard
f0c4305e53 Started implementation of LDAP user search and bind 2021-04-12 17:50:25 -07:00
Ryan Richard
e24d5891dd ldap_upstream_watcher_test.go: add another unit test 2021-04-12 14:12:51 -07:00
Ryan Richard
25c1f0d523 Add Conditions to LDAPIdentityProvider's Status and start to fill them
- The ldap_upstream_watcher.go controller validates the bind secret and
  uses the Conditions to report errors. Shares some condition reporting
  logic with its sibling controller oidc_upstream_watcher.go, to the
  extent which is convenient without generics in golang.
2021-04-12 13:53:21 -07:00
Ryan Richard
05571abb74 Add a little more logic to ldap_upstream_watcher.go 2021-04-12 11:23:08 -07:00
Ryan Richard
05daa9eff5 More LDAP WIP: started controller and LDAP server connection code
Both are unfinished works in progress.
2021-04-09 18:49:43 -07:00
Ryan Richard
7781a2e17a Some renames in pkg upstreamwatcher to make room for a second controller 2021-04-09 08:43:19 -07:00
Andrew Keesler
4ab704b7de
ldap: add initial stub upstream LDAP connection package
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 11:38:53 -04:00
Ryan Richard
f6ded84f07 Implement upstream LDAP support in auth_handler.go
- When the upstream IDP is an LDAP IDP and the user's LDAP username and
  password are received as new custom headers, then authenticate the
  user and, if authentication was successful, return a redirect with
  an authcode. Handle errors according to the OAuth/OIDC specs.
- Still does not support having multiple upstream IDPs defined at the
  same time, which was an existing limitation of this endpoint.
- Does not yet include the actual LDAP authentication, which is
  hidden behind an interface from the point of view of auth_handler.go
- Move the oidctestutil package to the testutil directory.
- Add an interface for Fosite storage to avoid a cyclical test
  dependency.
- Add GetURL() to the UpstreamLDAPIdentityProviderI interface.
- Extract test helpers to be shared between callback_handler_test.go
  and auth_handler_test.go because the authcode and fosite storage
  assertions should be identical.
- Backfill Content-Type assertions in callback_handler_test.go.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-08 17:28:01 -07:00
Ryan Richard
064e3144a2 auth_handler.go: pre-factor to make room for upstream LDAP IDPs 2021-04-07 17:05:25 -07:00
Ryan Richard
1f5978aa1a Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 16:12:13 -07:00
Ryan Richard
1c55c857f4 Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin
- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 12:56:09 -07:00
Ryan Richard
2b6859b161
Add stub LDAP API type and integration test
The goal here was to start on an integration test to get us closer to the red
test that we want so we can start working on LDAP.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 13:10:01 -04:00
Ryan Richard
9968d501f4 Merge branch 'main' into initial_ldap 2021-04-05 15:15:05 -07:00
Ryan Richard
9450048acf Fix lint error from previous commit 2021-04-05 15:14:24 -07:00
Ryan Richard
702f9965ab Deploy an OpenLDAP server for integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-05 15:05:53 -07:00
Andrew Keesler
c53507809d Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt
- Rename the test/deploy/dex directory to test/deploy/tools
- Rename the dex namespace to tools
- Add a new ytt value called `pinny_ldap_password` for the tools
  ytt templates
- This new value is not used on main at this time. We intend to use
  it in the forthcoming ldap branch. We're defining it on main so
  that the CI scripts can use it across all branches and PRs.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-04-05 15:01:49 -07:00
Matt Moyer
9cd2b6e855
Merge pull request #552 from mattmoyer/nicer-generated-kubeconfig-names
Generate more helpful context/cluster/user names in `pinniped get kubeconfig`
2021-04-05 11:35:07 -07:00
Matt Moyer
4e25bcd4b2
Generate more helpful context/cluster/user names in pinniped get kubeconfig
Before this change, the "context", "cluster", and "user" fields in generated kubeconfig YAML were always hardcoded to "pinniped". This could be confusing if you generated many kubeconfigs for different clusters.

After this change, the fields will be copied from their names in the original kubeconfig, suffixed with "-pinniped". This suffix can be overridden by setting the new `--generated-name-suffix` CLI flag.

The goal of this change is that you can distinguish between kubeconfigs generated for different clusters, as well as being able to distinguish between the Pinniped and original (admin) kubeconfigs for a cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 12:36:02 -05:00
Matt Moyer
5add31d263
Merge pull request #545 from vmware-tanzu/dependabot/docker/golang-1.16.3
Bump golang from 1.16.2 to 1.16.3
2021-04-05 08:58:23 -07:00
Matt Moyer
88c4335b4b
Display blog posts in reverse order by date.
This is a minor style tweak.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:54:00 -05:00
Matt Moyer
623830bf1f
Fix a typo on the timezones on the website.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-05 10:50:10 -05:00
dependabot[bot]
30f476e1ac
Bump golang from 1.16.2 to 1.16.3
Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-02 05:56:43 +00:00
Pinny
7b82b7a010 Update CLI docs for v0.7.0 release 2021-04-01 19:15:23 +00:00
Matt Moyer
44bf925c3e
Merge pull request #544 from mattmoyer/blog-post-v0.7.0
Add a blog post about the v0.7.0 release.
2021-04-01 11:03:09 -07:00
Matt Moyer
d2a6d7689f
Add a small note about our test grid, and mention some limitations of the first version.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 13:02:24 -05:00
Matt Moyer
23dbd7cab6
Extract out a common shortcode for the "join the community" blurb we put at the end of each blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 11:55:17 -05:00
Matt Moyer
e4321cb369
Add v0.7.0 blog post.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-01 11:55:17 -05:00
Matt Moyer
ad66f67dc9
Rename existing posts for clarity.
This doesn't change the generated HTML at all, as far as I can tell.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 23:20:48 -05:00
Matt Moyer
55bc3dee7f
Merge pull request #543 from mattmoyer/fix-head-version-string-validation
Fix missing "v".
2021-03-31 14:54:26 -07:00
Ryan Richard
fdbeb213fb
Merge pull request #540 from vmware-tanzu/prepare-supervisor-on-kind.sh
Add hack/prepare-supervisor-on-kind.sh
2021-03-31 13:47:32 -07:00
Ryan Richard
1817d6c751
Merge branch 'main' into prepare-supervisor-on-kind.sh 2021-03-31 13:47:13 -07:00
Matt Moyer
476cc98e5a
Fix missing "v".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:41:44 -05:00
Matt Moyer
4cbf4959f2
Merge pull request #542 from mattmoyer/fix-head-version-string-validation
Use "0.0.0" as our fake version instead of "?.?.?" to avoid a panic.
2021-03-31 13:36:22 -07:00
Matt Moyer
e4e4e686f6
Use "0.0.0" as our fake version instead of "?.?.?" to avoid a panic.
These values need to pass the validation in k8s.io/component-base/metrics: https://github.com/kubernetes/component-base/blob/v0.20.5/metrics/version_parser.go#L28-L50

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 15:03:40 -05:00
Ryan Richard
d5be37673a
Merge branch 'main' into prepare-supervisor-on-kind.sh 2021-03-31 11:42:06 -07:00
Ryan Richard
7bb5657c4d Add hack/prepare-supervisor-on-kind.sh
A demo of running the Supervisor and Concierge on
a kind cluster. Can be used to quickly set up an
environment for manual testing.

Also added some missing copyright headers to other
hack scripts.
2021-03-31 11:39:10 -07:00
Matt Moyer
fe9f12a29c
Merge pull request #539 from mattmoyer/upgrade-kubernetes-deps
Upgrade to prereleased Kubernetes v1.20.5++ dependencies.
2021-03-31 11:21:54 -07:00
Matt Moyer
bea75bb7ac
Upgrade to prereleased Kubernetes v1.20.5++ dependencies.
These commits include security fixes (CVE-2021-3121) for code generated by github.com/gogo/protobuf.
We expect this fix to also land in v1.20.6, but we don't want to wait for it.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-31 12:53:41 -05:00
Matt Moyer
081de8da62
Merge pull request #538 from vmware-tanzu/dependabot/docker/debian-10.9-slim
Bump debian from 10.8-slim to 10.9-slim
2021-03-31 06:00:27 -07:00
dependabot[bot]
469f864de3
Bump debian from 10.8-slim to 10.9-slim
Bumps debian from 10.8-slim to 10.9-slim.

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-31 05:41:15 +00:00
Margo Crawford
dc510792c4
Merge pull request #536 from vmware-tanzu/secret-deletion-not-found-flake
Do not error when trying to delete the TLS secret and you get a not found
2021-03-30 15:46:32 -07:00
Margo Crawford
8b6fe0ac70 Fix lint error 2021-03-30 14:53:26 -07:00
Margo Crawford
d47603472d Do not error when trying to delete the TLS secret and you get a not found 2021-03-30 14:44:06 -07:00
Matt Moyer
d4baeff94e
Merge pull request #534 from mattmoyer/deflake-categories-test-rate-limiting
Deflake TestGetPinnipedCategory.
2021-03-30 13:46:55 -07:00
Matt Moyer
210114dbe1
Merge pull request #535 from mattmoyer/deflake-impersonation-proxy-test-dns
Deflake TestImpersonationProxy (especially on EKS).
2021-03-30 12:31:44 -07:00
Matt Moyer
4ebd0f5f12
Deflake TestImpersonationProxy (especially on EKS).
This test could flake if the load balancer hostname was provisioned but is not yet resolving in DNS from the test process.

The fix is to retry this step for up to 5 minutes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:48:53 -05:00
Matt Moyer
f02b39b80f
Deflake TestGetPinnipedCategory.
This test could fail when the cluster was under heavy load. This could cause kubectl to emit "Throttling request took [...]" logs that triggered a failure in the test.

The fix is to ignore these innocuous warnings.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-30 13:38:33 -05:00
Margo Crawford
608be8332e
Merge pull request #533 from vmware-tanzu/eks-load-balancer-annotation
Add annotation to make the idle timeout be over 1 hour rather than 1 minute
2021-03-30 11:12:54 -07:00