Compare commits

...

940 Commits

Author SHA1 Message Date
5292606ad1 Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:59:09 +00:00
ce92965408 Update 'Dockerfile'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:45:58 +00:00
fa3143cc76 Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:34:52 +00:00
25468e31ed Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:31:54 +00:00
a1bc7ddf2d Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:28:41 +00:00
6f040ff03b Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 14:09:07 +00:00
92a9f8093f Update 'Dockerfile'
Some checks reported errors
continuous-integration/drone/push Build encountered an error
2023-10-31 14:08:09 +00:00
2265388f6c Update '.drone.yml'
Some checks reported errors
continuous-integration/drone/push Build encountered an error
2023-10-31 14:07:50 +00:00
089c872190 Update 'Dockerfile'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:57:38 +00:00
0a2f6e4e7a Update 'Dockerfile'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:56:11 +00:00
85e3359831 Update 'Dockerfile'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:50:59 +00:00
e165d3b2cd Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:48:32 +00:00
a37832dafc Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:43:08 +00:00
9ae93d1da9 Update '.drone.yml'
Some checks failed
continuous-integration/drone/push Build is failing
2023-10-31 13:37:22 +00:00
b0050312a8 Add '.drone.yml'
Some checks reported errors
continuous-integration/drone Build encountered an error
2023-10-31 13:30:21 +00:00
cb932adbb2 Update 'internal/federationdomain/oidc/oidc.go' 2023-10-31 13:18:01 +00:00
Ryan Richard
54d4879c69
Merge pull request #1742 from vmware-tanzu/idp_chooser_ui
show interstitial web page to allow user to choose IDP when multiple IDPs are configured and authorize endpoint query param to choose IDP is not used
2023-10-30 15:32:57 -07:00
Joshua Casey
78aa45a970
Merge pull request #1741 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-30 17:10:06 -05:00
Joshua Casey
3c33c59aa9 Update unit tests 2023-10-30 15:40:17 -05:00
Pinny
b9b4d31c6b Bump go.mod direct dependencies 2023-10-30 15:40:17 -05:00
Ryan Richard
0501159ac0 Show an IDP chooser UI when appropriate from authorize endpoint 2023-10-30 11:05:53 -07:00
Ryan Richard
779b084b53
Merge pull request #1738 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-25 08:51:52 -07:00
Pinny
f90f2334ba Bump go.mod direct dependencies 2023-10-25 08:00:49 +00:00
Ryan Richard
a8c35c6f7e
Merge pull request #1735 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-23 09:08:51 -07:00
Pinny
ced08aeaf7 Bump go.mod direct dependencies 2023-10-23 08:02:12 +00:00
Joshua Casey
9c5bc763ac
Merge pull request #1734 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-20 06:49:44 -05:00
Pinny
dd0039e94c Bump go.mod direct dependencies 2023-10-20 08:01:23 +00:00
Joshua Casey
9d836c789f
Merge pull request #1732 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-19 08:46:45 -05:00
Pinny
ef291bb790 Bump go.mod direct dependencies 2023-10-19 08:02:18 +00:00
Ryan Richard
d4e3cf51b7
Merge pull request #1721 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-18 14:45:12 -07:00
Ryan Richard
247123965e run codegen again 2023-10-18 12:47:43 -07:00
Joshua Casey
097a1ac3d3 Run k8s codegen 2023-10-18 09:23:55 -07:00
Joshua Casey
ec532f622f Bump golang to 1.21.3 in Dockerfiles 2023-10-16 08:28:13 -05:00
Pinny
d73acd6896 Bump go.mod direct dependencies 2023-10-16 08:03:25 +00:00
Pinny
0c4e3aa5f1 Updated versions in docs for v0.27.0 release 2023-10-10 20:15:37 +00:00
Joshua Casey
cbd892a4b2
Merge pull request #1716 from vmware-tanzu/pinniped-cli-path-docs
document usage of --pinniped-cli-path option
2023-10-10 12:42:19 -05:00
Ryan Richard
e46acbee43 document usage of --pinniped-cli-path option 2023-10-10 10:38:13 -07:00
Joshua Casey
c1995c1eea
Merge pull request #1715 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-10 06:56:24 -05:00
Pinny
423e2932aa Bump go.mod direct dependencies 2023-10-10 08:02:52 +00:00
Ryan Richard
c0ac0fa183
Merge pull request #1702 from vmware-tanzu/arm64_docs
Update website docs for arm64 support
2023-10-09 21:33:22 -07:00
Ryan Richard
521dec2e04
Merge pull request #1691 from vmware-tanzu/jtc/display-idp-name-when-prompting-for-login-181927293
Display IDP name when prompting for username and password
2023-10-09 21:12:49 -07:00
Ryan Richard
0a47aa59fc add a login banner to CLI-based login prompts which shows the IDP name
Skip showing the banner when the CLI does not know the IDP name
from the CLI args (which are typically encoded in the kubeconfig).

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-10-09 20:17:55 -07:00
Ryan Richard
3a21c9a35b backfill unit tests for expected stderr output in login_test.go
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-10-09 20:17:55 -07:00
Ryan Richard
6ee1e35329 Rename username and password prompt variables
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-10-09 20:17:55 -07:00
Ryan Richard
a077972ce5
Merge pull request #1690 from vmware-tanzu/jtc/change-path-to-pinniped-binary-184673465
Increase flexibility around the 'pinniped get kubeconfig' client-go credential plugin command
2023-10-09 20:16:23 -07:00
Joshua Casey
9d89a8dea4 Shorten kubeconfigCommand func for lint funlen 2023-10-09 21:25:14 -05:00
Joshua Casey
d965b65b0a Allow 'pinniped get kubeconfig' to override the client-go credential plugin command
[#184673465]
2023-10-09 21:25:14 -05:00
Joshua Casey
bc1593e833
Merge pull request #1703 from vmware-tanzu/tools_tolerations
tolerate arm64 in tools deployments and jobs
2023-10-09 21:21:22 -05:00
Ryan Richard
de5026b90f
Merge pull request #1714 from vmware-tanzu/bump-codegen
Update kube versions for codegen
2023-10-09 16:04:10 -07:00
Ryan Richard
13f0b5e782 Update kube versions for codegen 2023-10-09 15:18:15 -07:00
Ryan Richard
6310dde4f5
Merge pull request #1713 from vmware-tanzu/jtc/bump-some-things
Bump some stray dependencies
2023-10-09 10:03:04 -07:00
Ryan Richard
bbf4412ff3 tolerate arm64 in tools deployments and jobs 2023-10-09 10:00:34 -07:00
Joshua Casey
1409f236da Bump dockerfiles to golang:1.21.2 2023-10-09 09:28:27 -05:00
Joshua Casey
0cca3a12e6 Update hack/update-go-mod/go.mod 2023-10-09 09:27:57 -05:00
Joshua Casey
5852a9e0ab
Merge pull request #1711 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-10-09 08:31:07 -05:00
Pinny
8c4c99bbaf Bump go.mod direct dependencies 2023-10-09 08:02:48 +00:00
Ryan Richard
69e3627946 Update website docs for arm64 support
Also add the Hugo tmp file to the gitignore.
2023-10-05 14:48:14 -07:00
Ryan Richard
a27a355071
Merge pull request #1699 from vmware-tanzu/arm64
Support building of multi-arch linux amd64 and arm64 container images
2023-10-04 12:17:07 -07:00
Ryan Richard
826d8236d9 Use bitnami/openldap in integration tests instead of our old fork 2023-10-04 10:11:46 -07:00
Ryan Richard
776e436e35 Support building and deploying multi-arch linux amd64 and arm64 images 2023-10-04 08:55:26 -07:00
Ryan Richard
af7d3092a5
Merge pull request #1697 from vmware-tanzu/show_errors_on_formpost
Show errors from the form_post POST request on the page
2023-10-04 08:54:37 -07:00
Ryan Richard
62c597eb3b Show errors from the form_post POST request on the page 2023-10-02 09:53:53 -07:00
Joshua Casey
78cb86215b
Merge pull request #1698 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-09-29 09:27:18 -05:00
Pinny
8a7f7b8842 Bump go.mod direct dependencies 2023-09-29 08:03:10 +00:00
Joshua Casey
172db05d8d
Merge pull request #1685 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-09-28 10:06:23 -05:00
Pinny
113bebfb4d Bump go.mod direct dependencies 2023-09-28 09:20:13 -05:00
Ryan Richard
af7a1a1f58
Merge pull request #1696 from vmware-tanzu/contour_in_hack_prepare_supervisor
Optionally use Contour in hack/prepare-supervisor-on-kind.sh
2023-09-27 14:47:53 -07:00
Ryan Richard
0ab6311cf5 Optionally use Contour in hack/prepare-supervisor-on-kind.sh
Using Contour for ingress allows us to avoid using the hacky proxy
server approach. This makes it easy to use any web browser to complete
the login process, since there is no need to configure the proxy server
for the browser.
2023-09-27 12:32:49 -07:00
Ryan Richard
24069b56dc
Merge pull request #1695 from vmware-tanzu/fix_pod_shutdown_test_flake
fix flake seen in pod_shutdown_test.go
2023-09-27 07:23:45 -07:00
Ryan Richard
87b7ea14d5 fix flake seen in pod_shutdown_test.go 2023-09-26 14:06:04 -07:00
Ryan Richard
7513092432
Merge pull request #1693 from vmware-tanzu/concierge_pods_priorityClassName
Stop using deprecated critical-pod annotation
2023-09-26 14:05:23 -07:00
Ryan Richard
192553aed9 Stop using deprecated critical-pod annotation 2023-09-26 13:16:13 -07:00
Ben Petersen
d44882fddc
Merge pull request #1694 from vmware-tanzu/cli_login_page_errors
Same error messages shown in CLI's callback web page and in terminal
2023-09-26 14:54:01 -04:00
Ryan Richard
cede6403e1 Same error messages shown in CLI's callback web page and in terminal 2023-09-26 09:58:23 -07:00
Ryan Richard
e25ecea684
Merge pull request #1692 from vmware-tanzu/jtc/use-latest-controller-gen
Use latest controller-gen, which allows CEL validations
2023-09-26 09:56:42 -07:00
Joshua Casey
ac9887afdc Use latest controller-gen, which allows CEL validations 2023-09-25 15:58:32 -05:00
Ryan Richard
58c5146592
Merge pull request #1688 from vmware-tanzu/fix_shutdown_deadlock
Fix deadlock during shutdown which prevented leader election cleanup
2023-09-25 10:41:10 -07:00
Ryan Richard
5e06c6d5ad add integration test for graceful shutdowns which release leader leases 2023-09-25 09:51:17 -07:00
Ryan Richard
ca6c29e463 Fix deadlock during shutdown which prevented leader election cleanup
Before this fix, the deadlock would prevent the leader pod from giving
up its lease, which would make it take several minutes for new pods to
be allowed to elect a new leader. During that time, no Pinniped
controllers could write to the Kube API, so important resources were not
being updated during that window. It would also make pod shutdown take
about 1 minute.

After this fix, the leader gives up its lease immediately, and pod
shutdown takes about 1 second. This improves restart/upgrade time and
also fixes the problem where there was no leader for several minutes
after a restart/upgrade.

The deadlock was between the post-start hook and the pre-shutdown hook.
The pre-shutdown hook blocked until a certain background goroutine in
the post-start hook finished, but that goroutine could not finish until
the pre-shutdown hook finished. Thus, they were both blocked, waiting
for each other infinitely. Eventually the process would be externally
killed.

This deadlock was most likely introduced by some change in Kube's
generic api server package related to how the many complex channels used
during server shutdown interact with each other, and was not noticed
when we upgraded to the version which introduced the change.
2023-09-20 16:54:24 -07:00
Joshua Casey
1ac8691199
Merge pull request #1687 from vmware-tanzu/ben/site-blog-h1-swap-main-title
Update blog rendering to h1 the title (not h2)
2023-09-20 12:39:51 -05:00
Joshua Casey
4bb596e2cd
Merge pull request #1661 from vmware-tanzu/jtc/add-cicd-howto
Add CI/CD How-To
2023-09-20 12:17:43 -05:00
Benjamin A. Petersen
78a7d4deea
Update blog rendering to h1 the title (not h2) 2023-09-20 12:55:48 -04:00
Pinny
bed9a74b58 Updated versions in docs for v0.26.0 release 2023-09-19 22:56:05 +00:00
Ryan Richard
5af01bba4e
Merge pull request #1683 from vmware-tanzu/0.26_blog
add blog post for v0.26.0 release
2023-09-19 15:43:04 -07:00
Ryan Richard
9fe9753cbc add blog post for v0.26.0 release 2023-09-19 15:42:34 -07:00
Ben Petersen
cef5745d2d
Merge pull request #1684 from vmware-tanzu/okta_browser_login_flake
Trying to avoid test flake on Okta login page in browser
2023-09-19 13:27:29 -04:00
Ryan Richard
cd1e4bacf8 trying to avoid flake on Okta login page in browser 2023-09-19 08:58:22 -07:00
Joshua Casey
7de8f82295 Add CI/CD How-To
- https://github.com/vmware-tanzu/pinniped/discussions/1366
- https://www.pivotaltracker.com/story/show/184297690
2023-09-18 16:19:10 -05:00
Joshua Casey
62887a9cc8
Merge pull request #1682 from vmware-tanzu/exec_with_container_name
specify the container name when fetching keys from kube cert agent pod
2023-09-18 13:09:54 -05:00
Joshua Casey
c0e7a6ecbf
Merge branch 'main' into exec_with_container_name 2023-09-18 12:18:51 -05:00
Ryan Richard
465a0c3d80
Merge pull request #1674 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-09-18 09:33:08 -07:00
Ryan Richard
4b4cc93ae7 specify the container name when fetching keys from kube cert agent pod
Avoid errors seen when the cluster has been configured to automatically
inject additional sidecar containers into every pod.
2023-09-18 09:19:57 -07:00
Joshua Casey
4a89a9fa16 Update LDAP integration tests for changes in github.com/go-ldap/ldap/v3 2023-09-18 10:45:32 -05:00
Joshua Casey
eb7a9f89e2 Bump k8s.io/kube-openapi and pin github.com/google/cel-go 2023-09-18 09:30:50 -05:00
Pinny
162041c794 Bump go.mod direct dependencies 2023-09-18 08:03:49 +00:00
Ryan Richard
0e7ef1637d
Merge pull request #1677 from vmware-tanzu/dependabot/go_modules/go.uber.org/zap-1.26.0
Bump go.uber.org/zap from 1.25.0 to 1.26.0
2023-09-14 21:37:05 -07:00
dependabot[bot]
91d5159743
Bump go.uber.org/zap from 1.25.0 to 1.26.0
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.25.0...v1.26.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-15 01:57:59 +00:00
Ryan Richard
efb53d3190
Merge pull request #1660 from vmware-tanzu/multiple_idps_and_transformations_docs
multiple idps and identity transformations docs
2023-09-14 15:17:34 -07:00
Ryan Richard
c97bb58e3c
Merge pull request #1675 from vmware-tanzu/update_k8s_libs
Update deps except for cel-go
2023-09-14 15:16:15 -07:00
Ryan Richard
3cecb62705 Keep the deps updated from previous commit but keep cel-go at 0.16.x
because newer cel-go versions will not compile with latest k8s libs
2023-09-14 15:15:35 -07:00
Pinny
52db01d8ef Bump go.mod direct dependencies 2023-09-14 15:15:35 -07:00
Ben Petersen
1d500ded67
Merge pull request #1676 from vmware-tanzu/update_k8s_versions_for_codegen
update kube-versions.txt for codegen
2023-09-14 16:48:41 -04:00
Ryan Richard
edc5f3fc15 update kube-versions.txt for codegen 2023-09-14 13:01:46 -07:00
Ryan Richard
54fb03153a multiple IDPs and identity transformations docs 2023-09-13 14:33:53 -07:00
Ryan Richard
06d456fc87
Merge pull request #1419 from vmware-tanzu/multiple_idps_and_transformations
Support multiple IDPs and identity transformations on Supervisor FederationDomains
2023-09-13 14:26:23 -07:00
Ryan Richard
5573c629b5 remove extra timeoutCtx for exec.CommandContext invocations in e2e test
These extra timeout contexts were only in the new multiple IDPs e2e
test. Remove this possible cause of test cleanup flakes where the test
runs slow enough in CI that this timeout context has already expired
and then the cleanup function fails with context deadline exceeded
errors.
2023-09-13 12:48:10 -07:00
Ryan Richard
2cecc17ef0 add celformer unit test demonstrating string regexp in CEL expressions 2023-09-13 12:31:00 -07:00
Ryan Richard
c52ed93bf8 make prepare-supervisor-on-kind.sh work with older versions of bash 2023-09-12 10:24:55 -07:00
Ryan Richard
84498d5a55 fix imports grouping in manager.go 2023-09-12 09:34:19 -07:00
Ryan Richard
8faf3b0e26 add workaround in update-codegen.sh for problem seen when run on linux 2023-09-11 13:07:05 -07:00
Ryan Richard
a7bd494ec3 update FederationDomain.status.conditions to come from metav1 2023-09-11 13:06:52 -07:00
Ryan Richard
b6f0dc3ba7 Fix conflicts caused from rebasing main into multiple IDPs branch 2023-09-11 11:15:40 -07:00
Ryan Richard
e2bdab9e2d add the IDP display name to the downstream ID token's sub claim
To make the subject of the downstream ID token more unique when
there are multiple IDPs. It is possible to define two IDPs in a
FederationDomain using the same identity provider CR, in which
case the only thing that would make the subject claim different
is adding the IDP display name into the values of the subject claim.
2023-09-11 11:15:40 -07:00
Ryan Richard
28210ab14d add units tests to token_handler_test.go 2023-09-11 11:15:40 -07:00
Ryan Richard
593d55ec09 run codegen again after rebasing main branch into feature branch 2023-09-11 11:15:37 -07:00
Ryan Richard
5ad7e9a8ca started add units tests for identity transforms to token_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
7f70fcf679 add units tests to post_login_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
f653942065 add new unit tests in callback_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
d4611b829d use slices.Contains() instead of custom func in token_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
b2656b9cb1 add new unit tests in auth_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
2eb82cc1d7 Add more tests with identity transformations in supervisor_login_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
0a21cb6d08 Replace more pointer.String() with the new ptr.To() 2023-09-11 11:14:06 -07:00
Ryan Richard
519aece8a5 Start adding identity transformations tests to supervisor_login_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
e6c78facfc Fix expectations in FederationDomains status test for old Kube versions
Also try to avoid flakes by using RetryOnConflict when calling Update
on the FederationDomain.
2023-09-11 11:14:05 -07:00
Ryan Richard
01ab7758d8 Add e2e test for rejecting auth using identity transformation policy 2023-09-11 11:14:05 -07:00
Ryan Richard
957892b677 handle old versions of k8s in supervisor_federationdomain_status_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
c701a4a344 remove expectation about TransformsConstantsNamesUnique status condition
Forgot to remove this in the previous commit which removed writing that
condition from the controller code.
2023-09-11 11:14:05 -07:00
Ryan Richard
92bf826ec5 rename a local variable in an integration test 2023-09-11 11:14:05 -07:00
Ryan Richard
446384a7f5 add an e2e test for a FederationDomain with multiple IDPs and transforms 2023-09-11 11:14:05 -07:00
Ryan Richard
6d82a11645 CRD already validates that IDP transform constant names are unique
- Remove that validation from the controller since the CRD already
  validates it during creates and updates.
- Also finish the supervisor_federationdomain_status_test.go by adding
  more tests for both controller validations and CRD validations
2023-09-11 11:14:05 -07:00
Ryan Richard
bd5cabf0ff fix some here.Doc string indents in federation_domain_watcher_test.go
To make things visually line up better.
2023-09-11 11:14:05 -07:00
Ryan Richard
51742366fe wordsmith some FederationDomain status messages 2023-09-11 11:14:05 -07:00
Ryan Richard
5341322071 add integration test for FederationDomain status updates
- Also fix small bug in controller where it used Sprintf wrong
- Rename WaitForTestFederationDomainStatus test helper to
  WaitForFederationDomainStatusPhase
2023-09-11 11:14:05 -07:00
Ryan Richard
23ed2856ce small refactor in supervisor_discovery_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
84041e0c55 add unit test for ApplyIdentityTransformations helper 2023-09-11 11:14:05 -07:00
Ryan Richard
4b75ced52c add unit tests for getters in federation_domain_issuer_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
61bb01b31d extract a helper function in federation_domain_watcher.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
64f41d0d0c use multiple IDPs in manager_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
e42e3ca421 Status condition messages for IDP transforms show index of invalid IDP 2023-09-11 11:14:05 -07:00
Ryan Richard
b89e6d9d93 Make it possible to compare transformation pipelines in unit tests 2023-09-11 11:14:05 -07:00
Ryan Richard
c771328bb1 Validate transforms examples in federation_domain_watcher.go
Also changes the transformation pipeline code to sort and uniq
the transformed group names at the end of the pipeline. This makes
the results more predicable without changing the semantics.
2023-09-11 11:14:05 -07:00
Ryan Richard
52925a2a46 Validate transforms expressions in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Benjamin A. Petersen
013030041a Add helper for happy/sad conditions to federation_domain_watcher_test.go
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:05 -07:00
Ryan Richard
be973bc87e Allow for slower CI workers in celformer_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
617f57e1c9 Validate transforms const names in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
0aacedf943 Update proposal doc statuses 2023-09-11 11:14:05 -07:00
Ryan Richard
b05e8a5e24 Replace sleep with kubectl wait in prepare-supervisor-on-kind.sh
- Now that the FederationDomain has `status.conditions`, we can use
  `kubectl wait` to wait for it to be ready in this hack script
2023-09-11 11:14:05 -07:00
Ryan Richard
8e169f9702 Validate IDP objectRef kind names in federation_domain_watcher.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
32063db46e Validate apiGroup names are valid in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
31d67a1af3 Validate display names are unique in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
a9f2f672c7 Handle some unexpected errors in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
76709892bc Refactor: extract helper functions in federation_domain_watcher.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
a38fb16295 Load FederationDomain endpoints before updating its status
- Avoid a possible race condition where the status says "Ready" but
  the endpoints take another moment to become available, potentially
  casing a fast client to get a 404 after observing that the status
  is "Ready" and then immediately trying to use the endpoints.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
e334ad6f7e Fix lint errors in federation_domain_watcher.go, and adjust unit test 2023-09-11 11:14:05 -07:00
Ryan Richard
40dcc8a7f1 Update integration tests for new FederationDomain phase behavior
- Refactor testlib.CreateTestFederationDomain helper
- Call testlib.WaitForTestFederationDomainStatus after each integration
  test creates an IDP and expects the FederationDomain to become ready
- Create an IDP for some tests which want the FederationDomain to be
  ready but were previously not creating any IDP
- Expect the new FederationDomain condition type
  "IdentityProvidersFound" in those tests where it is needed

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-09-11 11:14:05 -07:00
Ryan Richard
97a374c00b Refactor federation_domain_watcher_test.go and add new test to its table 2023-09-11 11:14:05 -07:00
Benjamin A. Petersen
fe9364c58b Expand IdentityProvidersFound condition in federation_domain_watcher
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:05 -07:00
Benjamin A. Petersen
e9fb4242d5 Update federation_domain_watcher with new IdentityProviderFound
- adds the truthy condition
- TODOs for falsy conditions
- addiional notes for other conditions
- tests updated to pass with the new condition

Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:14:04 -07:00
Ryan Richard
48e44e13c6 Change federation_domain_watcher_test.go to use a test table style 2023-09-11 11:14:04 -07:00
Ryan Richard
5e2f98af65 Update informers unit test for FederationDomainWatcherController 2023-09-11 11:14:04 -07:00
Ryan Richard
3521e129cd Change name of FederationDomain printer column back to "Status"
To be consistent with the name of the pinter columns on our other CRDs,
which call the Phase "Status" in the printer column names.
2023-09-11 11:14:04 -07:00
Ryan Richard
0b408f4fc0 Change FederationDomain.Status to use Phase and Conditions 2023-09-11 11:14:02 -07:00
Ryan Richard
022fdb9cfd Update a test assertion to make failure easier to understand 2023-09-11 11:12:27 -07:00
Ryan Richard
e4f43683d4 fix more integration tests for multiple IDPs 2023-09-11 11:12:27 -07:00
Ryan Richard
514f9964c1 update 1.27 codegen for multiple IDPs 2023-09-11 11:12:25 -07:00
Ryan Richard
2c4927debe update unit test that fails on slow CI workers 2023-09-11 11:11:56 -07:00
Ryan Richard
0f23931fe4 Fix some tests in supervisor_login_test.go 2023-09-11 11:11:56 -07:00
Ryan Richard
98ee9f0979 escape semicolons in variable values in integration-test-env-goland.sh
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:56 -07:00
Ryan Richard
048f05d39c fix callback_handler_test.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:56 -07:00
Ryan Richard
b71e5964aa fix token_handler_test.go 2023-09-11 11:11:56 -07:00
Benjamin A. Petersen
9d792352bf test FederationDomainIdentityProvidersListerFinder
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:11:56 -07:00
Ryan Richard
86c791b8a6 reorganize federation domain packages to be more intuitive
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:52 -07:00
Benjamin A. Petersen
3160b5bad1 Reorganized FederationDomain packages to avoid circular dependency
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Ryan Richard
610f886fd8 Fix auth_handler_test.go 2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
770f8af62b Update auth_handler.go to return 422 error when upstream IdP not found
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
6ef9cf273e Fix post_login_handler_test.go
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Ryan Richard
793d1c6a5d add a type assertion 2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
8f6a12eae4 fix internal/oidc/provider/manager/manager_test.go
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
5c0425fb71 refactor: rename "provider" to "federationdomain" when appropriate
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Ryan Richard
96098841dd Get tests to compile again and fix lint errors 2023-09-11 11:09:50 -07:00
Benjamin A. Petersen
b7627208ea Add tests for identity_transformation.go
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-09-11 11:09:50 -07:00
Ryan Richard
32aa015d5b Fixup unit tests for the previous commit 2023-09-11 11:09:50 -07:00
Ryan Richard
7af75dfe3c First draft of implementation of multiple IDPs support 2023-09-11 11:09:49 -07:00
Ryan Richard
1a53b4daea Allow user-defined string & stringList consts for use in CEL expressions 2023-09-11 11:09:49 -07:00
Ryan Richard
5385fb38db Add identity transformation packages idtransform and celformer
Implements Supervisor identity transformations helpers using CEL.
2023-09-11 11:09:49 -07:00
Ryan Richard
be11966a64 Add APIs for multiple IDP and id transformations to FederationDomain CRD 2023-09-11 11:09:46 -07:00
Ryan Richard
fee737b267
Merge pull request #1644 from vmware-tanzu/jtc/use-conditions-from-apimachinery
Use Conditions from apimachinery, specifically k8s.io/apimachinery/pk…
2023-09-11 11:00:32 -07:00
Joshua Casey
64f1bff13f Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions 2023-09-11 10:13:39 -07:00
Joshua Casey
96fcfe4d53
Merge pull request #1662 from vmware-tanzu/supervisor_tls_cert_logging
Improve pod logs related to Supervisor TLS certificate problems
2023-09-11 12:10:52 -05:00
Ryan Richard
ce567c481b Improve pod logs related to Supervisor TLS certificate problems 2023-09-11 09:13:21 -07:00
Joshua Casey
33311714e5
Merge pull request #1664 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-09-10 21:22:01 -05:00
Joshua Casey
1bab4ccdb7 Bump to go1.20.1 2023-09-10 19:35:31 -05:00
Pinny
d91ebc1049 Bump go.mod direct dependencies 2023-09-10 08:04:43 +00:00
Joshua Casey
4e48388693
Merge pull request #1663 from vmware-tanzu/css_fixes
Small css changes for docs web site
2023-09-08 19:05:07 -05:00
Benjamin A. Petersen
8df2d3cc58
site: fix codeblock left padding and spacing tweak 2023-09-08 15:41:31 -04:00
Ryan Richard
f6cbc879ef Make pre code blocks have more consistent font size and line height 2023-09-08 12:12:22 -07:00
Ben Petersen
46c773aba6
Merge pull request #1647 from vmware-tanzu/jtc/bump-to-golang-1-21
Bump to golang 1.21
2023-09-06 16:39:40 -04:00
Joshua Casey
cd91edf26c [LDAP] move attributeUnchangedSinceLogin from upstreamldap to activedirectoryupstreamwatcher 2023-09-06 14:52:01 -05:00
Joshua Casey
8fd55a1d81 Adjust test expectations for compilation differences with 1.21
- Requires some production code changes, to use pointers to function variables instead of pointers to functions
2023-09-06 14:52:01 -05:00
Joshua Casey
3908097c54 Run 'go fix ./...' with go1.21.0 2023-09-06 14:52:01 -05:00
Joshua Casey
12f18cbed8 Inline and remove testutil.TempDir 2023-09-06 14:52:01 -05:00
Joshua Casey
05a1187e2e Simplify build tags associated with unsupported golang versions 2023-09-06 14:52:01 -05:00
Joshua Casey
5effb1a89b Bump to golang 1.21.0, and bump all golang deps 2023-09-06 14:52:01 -05:00
Joshua Casey
b14e86bb91
Merge pull request #1654 from vmware-tanzu/docs/configure-supervisor-with-azuread
Add docs for Supervisor with Azure AD
2023-09-06 12:33:51 -05:00
Joshua Casey
c3445a747d
Merge pull request #1650 from vmware-tanzu/ben/prepare-for-integration-tests.sh-improvements
Improve hack/prepare-for-integration-tests.sh flexibility
2023-09-06 12:30:12 -05:00
Benjamin A. Petersen
a5c481cf61
Add docs for Supervisor with Azure AD
- Note that Azure AD is being rebranded to Entra ID
2023-09-06 13:14:37 -04:00
Benjamin A. Petersen
fd1936c45f
Improve hack/prepare-for-integration-tests.sh flexibility
- move pushd/popd inside if statements for alternative-deploy methods
- add specific alternative-deploy vars for individual components
  - supervisor
  - concierge
  - local-user-authenticator
  while preserving the current alternative-deploy for all three
- doc that equals for flags does not work
  --foo=bar is invalid
  --foo bar is valid
2023-08-31 15:02:24 -04:00
Ben Petersen
fbeb45a1a0
Merge pull request #1648 from vmware-tanzu/jtc/do-not-fail-hack-script-without-KUBE_GIT_VERSION
Do not fail hack script without kube git version
2023-08-30 10:58:15 -04:00
Joshua Casey
23bd3e7cc9 Do not fail hack/prepare-for-integration-tests.sh without KUBE_GIT_VERSION 2023-08-29 19:58:23 -05:00
Joshua Casey
7cda8f4123 Do not fail when KUBE_GIT_VERSION is not set 2023-08-29 17:31:22 -05:00
Joshua Casey
a42e3edf56
Merge pull request #1646 from vmware-tanzu/jtc/support-k8s-1-21-and-up
Remove generated code prior to K8s 1.21
2023-08-29 16:29:32 -05:00
Joshua Casey
76933f69b9 Update comments to indicate support for newer versions of Kubernetes 2023-08-29 15:40:52 -05:00
Joshua Casey
5c9d26baeb Remove generated code for K8s 1.17, 1.18, 1.19, and 1.20
- Kind 0.20.0 supports 1.21 through 1.28 (inclusive)
- https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0
2023-08-28 16:56:32 -05:00
Joshua Casey
9248db971a
Merge pull request #1634 from vmware-tanzu/jtc/1633/update-pinniped-cli-version-output
#1633 Update `pinniped version` output
2023-08-28 14:19:17 -05:00
Joshua Casey
2dcc149fee Split off helper function 2023-08-28 12:14:14 -05:00
Joshua Casey
38230fc518 Use pversion to retrieve buildtime information 2023-08-28 11:54:27 -05:00
Joshua Casey
8edecffcc0
Merge pull request #1630 from vmware-tanzu/jtc/support-k8s-1-28
Support k8s 1.28
2023-08-28 11:49:18 -05:00
Joshua Casey
ca05969f8d Integration tests should use 'kubectl explain --output plaintext-openapiv2'
- OpenAPIV3 discovery of aggregate APIs seems to need a little more work in K8s 1.28
2023-08-28 10:50:11 -05:00
Joshua Casey
1b504b6fbd Expose OpenAPIv3 explanations 2023-08-28 10:50:11 -05:00
Joshua Casey
dfd3d5075d Ensure that kubegenerator scripts are executable 2023-08-28 10:50:11 -05:00
Joshua Casey
c51722a121 Run K8s codegen, adding 1.28.0 2023-08-28 10:50:11 -05:00
Joshua Casey
23ec91dee0 K8s API Server audit events are no longer pointers 2023-08-28 10:50:10 -05:00
Joshua Casey
ccba159639 Update all golang dependencies, especially k8s.io (for 1.28) 2023-08-28 10:50:10 -05:00
Ryan Richard
20cfa0a207
Merge pull request #1631 from vmware-tanzu/which_service_doc
Update docs to clarify which Supervisor port to expose outside cluster
2023-08-22 10:43:53 -07:00
Ryan Richard
835b8a5333 Update docs to clarify which Supervisor port to expose outside cluster 2023-08-22 10:00:56 -07:00
Ben Petersen
decd40bc26
Merge pull request #1621 from vmware-tanzu/site/blog-post-tags
blog: clean up tags page
2023-08-15 15:07:31 -04:00
Benjamin A. Petersen
2891da25f5
blog: clean up tags page 2023-08-15 14:18:48 -04:00
Ben Petersen
c54933bf33
Merge pull request #1606 from vmware-tanzu/jtc/add-blog-post-for-v0.25.0
Add blog post for v0.25.0
2023-08-15 11:43:50 -04:00
Benjamin A. Petersen
820c565d21
blog: add multiple author support for posts 2023-08-15 11:37:11 -04:00
Benjamin A. Petersen
e5e8c13f23
blog: impersonation-proxy spelling, grammar 2023-08-15 11:37:11 -04:00
Benjamin A. Petersen
b81206c15d
blog: impersonation-proxy post updates 2023-08-14 11:42:26 -04:00
Benjamin A. Petersen
31c144261f
add author to blog list page 2023-08-14 11:42:26 -04:00
Joshua Casey
4d0da0a5b2 Add blog post for v0.25.0 2023-08-10 09:00:16 -05:00
Pinny
8c96616b51 Updated versions in docs for v0.25.0 release 2023-08-09 21:12:41 +00:00
Ben Petersen
c7b49d9b93
Merge pull request #1615 from vmware-tanzu/jtc/fix-double-decoding-of-ca-crt
Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy
2023-08-09 14:25:13 -04:00
Joshua Casey
7f0d04dba6 Address PR feedback 2023-08-09 11:42:42 -05:00
Joshua Casey
1707995378 Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy 2023-08-08 20:17:21 -05:00
Ben Petersen
f24f82b25b
Merge pull request #1607 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-08-08 09:22:40 -04:00
Pinny
391c38057d Bump go.mod direct dependencies 2023-08-08 08:03:24 +00:00
Joshua Casey
e2e9819c58
Merge pull request #1582 from vmware-tanzu/jtc/1547-poc
Add external certificate management for the Concierge Impersonation Proxy
2023-08-03 15:52:56 -05:00
Joshua Casey
dc61d132cf Address PR feedback, especially to check that the CA bundle is some kind of valid cert 2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b Add integration test to verify that the impersonation proxy will use an external TLS serving cert 2023-08-03 14:57:21 -05:00
Joshua Casey
ee75a63057 Test Refactor: use explicit names for mTLS signing cert 2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Joshua Casey
8df9033bfc Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure an externally provided TLS secret 2023-08-03 14:57:21 -05:00
Joshua Casey
3e57716f0e The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace 2023-08-03 14:57:21 -05:00
Joshua Casey
c78db66665
Merge pull request #1602 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-08-03 14:25:54 -05:00
Joshua Casey
8dec84b3b2 Bump golang to 1.20.7 2023-08-03 13:39:51 -05:00
Pinny
fcf707b1ce Bump go.mod direct dependencies 2023-08-03 08:08:39 +00:00
Ben Petersen
563ac77b2f
Merge pull request #1603 from vmware-tanzu/site/sidebar/reorganize
Website docs page sidebar reorganization and restyle
2023-08-02 14:50:43 -04:00
Benjamin A. Petersen
e091cd6180
site: autogenerate new sections on main docs listing page 2023-08-02 13:52:31 -04:00
Benjamin A. Petersen
a71f1f88d9
site: minor text updates 2023-08-02 13:46:51 -04:00
Benjamin A. Petersen
bb670249cf
site: reorganize /howto/idp->/howto/supervisor 2023-08-02 13:22:23 -04:00
Benjamin A. Petersen
f632698568
site: add redirects for old doc links 2023-08-02 12:42:08 -04:00
Benjamin A. Petersen
0c81cdf309
site style: code block tweaks and sidebar menu highlight 2023-08-02 12:09:34 -04:00
Benjamin A. Petersen
fbb5296f68
site sidebar: menu renaming & reorganization 2023-08-02 12:09:33 -04:00
Benjamin A. Petersen
14c353993b
site sidebar: create new How-to sub-heading for IDP config 2023-08-02 12:09:24 -04:00
Ryan Richard
2cdd7c9577
Merge pull request #1598 from vmware-tanzu/chromedp
Replace agouti and chromedriver with chromedp across the whole project
2023-08-01 12:23:38 -07:00
Ryan Richard
4512eeca9a Replace agouti and chromedriver with chromedp across the whole project 2023-08-01 11:27:09 -07:00
Ryan Richard
2c27db0c85
Merge pull request #1597 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-08-01 09:21:54 -07:00
Pinny
ed3217459d Bump go.mod direct dependencies 2023-08-01 08:05:19 +00:00
Joshua Casey
411bc5cf1c
Merge pull request #1592 from vmware-tanzu/jtc/add-auth0-integration-guide
Add How To... Integrate with Auth0
2023-07-28 14:43:15 -05:00
Joshua Casey
82b39190ba Add How To... Integrate with Auth0 2023-07-28 14:41:06 -05:00
Ben Petersen
fd54caeb55
Merge pull request #1595 from vmware-tanzu/site/css/resource-page-images
site css: images on resource page should fit the grid
2023-07-28 14:56:53 -04:00
Benjamin A. Petersen
c4f221d778
site css: images on resource page should fit the grid 2023-07-28 14:08:23 -04:00
Joshua Casey
057304e9aa
Merge pull request #1593 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-07-28 12:03:57 -05:00
Joshua Casey
63b5f921e1 Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated 2023-07-28 09:16:02 -05:00
Pinny
eb87739060 Bump go.mod direct dependencies 2023-07-28 08:02:58 +00:00
Joshua Casey
122f819ed9
Merge pull request #1591 from vmware-tanzu/aws_blog
add AWS blog post to resources page of pinniped.dev
2023-07-27 19:52:10 -05:00
Ryan Richard
850b4f8510 add AWS blog post to resources page of pinniped.dev 2023-07-27 17:09:04 -05:00
Joshua Casey
6bb4e89fe2
Merge pull request #1590 from vmware-tanzu/kube_cert_agent_cpu_request
kube cert agent pod requests 0 cpu to avoid scheduling failures
2023-07-25 15:20:53 -05:00
Ryan Richard
743cb2d250 kube cert agent pod requests 0 cpu to avoid scheduling failures 2023-07-25 10:09:30 -07:00
Joshua Casey
01393aff7e
Merge pull request #1580 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-07-21 13:24:33 -05:00
Joshua Casey
89b7007694 Bump K8s APIs 1.24 through 1.27 2023-07-21 10:36:18 -05:00
Pinny
947f8e2ed4 Bump go.mod direct dependencies 2023-07-21 08:05:19 +00:00
Joshua Casey
6c329ba56f
Merge pull request #1549 from vmware-tanzu/jtc/tiny-fixups-to-support-1548
Tiny fixups to support #1548
2023-07-19 16:40:59 -05:00
Joshua Casey
39912060f7 Remove untested comments 2023-07-19 15:50:12 -05:00
Joshua Casey
c142c52258 Do not name return variables 2023-07-19 15:49:22 -05:00
Joshua Casey
741ccfd2ce Fix lint 2023-07-19 15:47:48 -05:00
Joshua Casey
183c771d4e Mark untested code paths 2023-07-19 15:47:48 -05:00
Joshua Casey
3d7eb55fc2 Pass caBundle instead of an object 2023-07-19 15:47:48 -05:00
Joshua Casey
5004925444 Backfill test cases 2023-07-19 15:47:48 -05:00
Joshua Casey
10c3e482b4 Prefer early return 2023-07-19 15:47:48 -05:00
Joshua Casey
8d8e1f3abd Backfill issuer tests 2023-07-19 15:47:48 -05:00
Joshua Casey
f8ce2af08c Use go:embed for easier to read tests 2023-07-19 15:47:48 -05:00
Joshua Casey
52b0cf43ca Fix godoc 2023-07-19 15:47:47 -05:00
Joshua Casey
f6c2d40141
Merge pull request #1578 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-07-19 12:15:12 -07:00
Joshua Casey
38c281331a Bump base images to go1.20.6 in Dockerfiles 2023-07-19 13:25:57 -05:00
Pinny
26686d6b94 Bump go.mod direct dependencies 2023-07-19 08:04:49 +00:00
Ryan Richard
8648cdf8e4
Merge pull request #1579 from vmware-tanzu/improve_perf_oidcclientsecret_test
Improve performance of supervisor_oidcclientsecret_test.go
2023-07-14 08:26:56 -07:00
Ryan Richard
7e5ce4b4f3
Merge pull request #1548 from vmware-tanzu/jtc/proposal/allow-external-certs-for-impersonation-proxy
Add proposal to implement #1547, Concierge Impersonation Proxy | External Certificate Management
2023-07-13 14:58:35 -07:00
Ryan Richard
6c65fd910e Improve performance of supervisor_oidcclientsecret_test.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-07-13 12:48:46 -07:00
Joshua Casey
95fdfba06d Add proposal to implement #1547, Concierge Impersonation Proxy | External Certificate Management 2023-07-13 10:16:11 -07:00
Joshua Casey
0f613d1823
Merge pull request #1407 from vmware-tanzu/multiple_idps_proposal
Proposal for multiple identity providers in the Supervisor
2023-07-12 19:56:31 -07:00
Ryan Richard
6db9c79fe0 Add proposal for multiple identity providers in the Supervisor 2023-07-12 15:14:21 -07:00
Joshua Casey
ab227a7c71
Merge pull request #1563 from vmware-tanzu/jtc/bump-all
Bump all dependencies and generated files
2023-07-07 09:03:18 -07:00
Joshua Casey
314ec48f46 Bump to golang:1.20.5 2023-07-06 16:48:25 -07:00
Joshua Casey
67cd5e70c2 Func ldap.Conn.Close() now returns an error
- https://github.com/go-ldap/ldap/compare/v3.4.4...v3.4.5
2023-07-06 16:48:25 -07:00
Joshua Casey
dbbaf9b969 Pin to the version of k8s.io/kube-openapi used by client-go@v0.27.3
- https://github.com/kubernetes/client-go/blob/v0.27.3/go.mod#L30
2023-07-05 21:28:23 -07:00
Joshua Casey
1ac36cfcf8 Update generated files 2023-07-05 21:28:23 -07:00
Joshua Casey
95dd5aabc2 Bump hack/update-go-mod/go.mod 2023-07-05 21:28:23 -07:00
Joshua Casey
8a755676fa Bump all go.mod dependencies 2023-07-05 21:28:22 -07:00
Pinny
c3dccbb23d Updated versions in docs for v0.24.0 release 2023-06-01 19:59:23 +00:00
Ryan Richard
914861c5da Increase a test timeout in supervisor_secrets_test.go 2023-06-01 12:54:45 -07:00
Ryan Richard
9a87a7f14f Update codeql-analysis.yml according to the latest template 2023-06-01 11:51:48 -07:00
Ryan Richard
533c41f143
Merge pull request #1538 from smeet07/patch-1
documents when to avoid setting anon auth command line option
2023-06-01 11:01:08 -07:00
Ryan Richard
4f3c081401
Merge branch 'main' into patch-1 2023-06-01 10:56:11 -07:00
Ryan Richard
d4b20b3899 Update codeql-analysis.yml
Also remove scorecards.yml because the version used is no longer
working, and the new version requires write permission to the repo.
2023-06-01 10:53:25 -07:00
Ryan Richard
86e360dc14 Increase a test timeout for when pulling container image is slow 2023-06-01 10:04:59 -07:00
Smeet nagda
c9d54de91a
backtick changes
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-01 22:25:24 +05:30
Ryan Richard
d30d76b7ac Increase some test timeouts 2023-05-31 17:41:36 -07:00
Ryan Richard
5fa2992bc5
Merge pull request #1534 from vmware-tanzu/ldap_userAttributeForFilter
Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
2023-05-31 16:42:41 -07:00
Ryan Richard
020e04baf8
Merge branch 'main' into ldap_userAttributeForFilter 2023-05-31 16:42:30 -07:00
Ryan Richard
1bdb491376
Merge pull request #1540 from vmware-tanzu/bump_kube_versions_for_codegen
bump versions in kube-versions.txt and run codegen
2023-05-31 16:41:59 -07:00
Ryan Richard
b6b11a6d0c increase timeout in a test 2023-05-31 15:59:44 -07:00
Ryan Richard
a78c677ca1 bump versions in kube-versions.txt and run codegen 2023-05-31 13:32:41 -07:00
Ryan Richard
d0048595da Add docs for UserAttributeForFilter group search setting 2023-05-31 13:01:17 -07:00
Joshua Casey
46178e91ee
Merge branch 'main' into ldap_userAttributeForFilter 2023-05-31 14:41:16 -05:00
Joshua Casey
33cc973b43
Merge pull request #1537 from vmware-tanzu/jtc/bump-deps
Bump dependencies
2023-05-31 14:32:32 -05:00
Ryan Richard
d4710cb16e Add integration test for AD UserAttributeForFilter group search setting 2023-05-31 11:36:49 -07:00
Ryan Richard
600d002a35 Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
- Load the setting in the controller.
- The LDAP auth code is shared between AD and LDAP,
  so no new changes there in this commit.
2023-05-31 11:17:40 -07:00
Ryan Richard
0a1f966886 Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-31 11:09:08 -07:00
Ryan Richard
552eceabdb Add integration test for UserAttributeForFilter group search setting
Also adds new integration test env var to support the new test:
PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN
2023-05-31 10:29:44 -07:00
Ryan Richard
e3b7ba3677 Add group search tests for UserAttributeForFilter in ldap_client_test.go 2023-05-31 10:29:44 -07:00
Smeet nagda
6cbfde95ec
command line option. 2023-05-30 23:24:05 +05:30
Joshua Casey
6bd34fa6ea Bump dependencies 2023-05-30 09:16:53 -05:00
Ryan Richard
c187474499 Use groupSearch.userAttributeForFilter during LDAP group searches
Load the setting in the controller.
Use the setting during authentication and during refreshes.
2023-05-25 14:25:17 -07:00
Ryan Richard
bad5e60a8e Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-25 09:52:15 -07:00
Ryan Richard
e4dc810bff Add some posixGroups to the openldap server for use in integration tests 2023-05-23 16:47:39 -07:00
Ryan Richard
749a208773
Merge pull request #1524 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-05-19 07:06:55 -07:00
Pinny
cb7732083d Bump go.mod direct dependencies 2023-05-19 08:03:46 +00:00
Ryan Richard
e9d343d80d
Merge pull request #1522 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-05-16 11:30:04 -07:00
Pinny
3871e75140 Bump go.mod direct dependencies 2023-05-16 08:02:49 +00:00
Ryan Richard
b93ac16cee
Merge pull request #1520 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-05-12 10:29:20 -07:00
Ryan Richard
bd95f33f5e Update string "zapr@v1.2.4" in unit test expectation 2023-05-12 09:18:47 -07:00
Pinny
e717748a3c Bump go.mod direct dependencies 2023-05-12 08:06:19 +00:00
Ryan Richard
2d2cbef8de
Merge pull request #1497 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-05-10 21:12:51 -07:00
Ryan Richard
187ee80ee3 Handle the new output of kubectl explain which indents differently 2023-05-10 19:56:59 -07:00
Ryan Richard
484f134a98 Handle the new output of kubectl explain which shows GROUP separately 2023-05-10 18:03:40 -07:00
Ryan Richard
1e6e9e0c0e Change tests to expect new error format from pkg golang.org/x/oauth2 2023-05-10 16:52:09 -07:00
Ryan Richard
bc9afc4554 Aggregated API endpoints now must implement rest.SingularNameProvider
This was a change in the interface requirements introduced in Kube 1.27.
2023-05-10 16:50:50 -07:00
Ryan Richard
8c3395481b ran update.sh for new kube patch versions and adding 1.27 2023-05-10 12:39:35 -07:00
Ryan Richard
b40366d1f6 update versions in hack/lib/kube-versions.txt 2023-05-10 12:38:32 -07:00
Ryan Richard
a1a99b9eeb Replace usages of deprecated funcs from the wait pkg 2023-05-10 11:41:11 -07:00
Ryan Richard
4756df08cb Bump golang from 1.20.3 to 1.20.4 2023-05-10 10:36:03 -07:00
Ryan Richard
cf11f8ee7e Remove replace directive for k8s.io/kube-openapi 2023-05-10 10:30:48 -07:00
Pinny
6b86d91cd7 Bump go.mod direct dependencies 2023-05-10 08:18:14 +00:00
Ryan Richard
49af96b2b1
Merge pull request #1510 from vmware-tanzu/doc_to_use_supervisor_without_concierge
Add tutorial doc for how to use Supervisor without Concierge
2023-05-09 13:08:28 -07:00
Ryan Richard
c08ebc622c Add tutorial doc for how to use Supervisor without Concierge 2023-05-09 13:06:02 -07:00
Joshua Casey
7bd09ff21d
Merge pull request #1485 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-04-10 14:13:16 -05:00
Pinny
6801238e3e Bump go.mod direct dependencies 2023-04-10 08:02:12 +00:00
Ryan Richard
6cac3d583f
Merge pull request #1482 from vmware-tanzu/pinny/bump-deps
Bump go.mod direct dependencies
2023-04-07 09:48:06 -07:00
Pinny
e13794cf73 Bump go.mod direct dependencies 2023-04-07 08:08:42 +00:00
Ryan Richard
5690ed7acd
Merge pull request #1477 from vmware-tanzu/jtc/bump-deps
Bump Deps
2023-04-05 13:43:27 -07:00
Joshua Casey
6b1dc9f3ce Bump update-go-mod to latest direct go dependencies 2023-04-05 09:17:04 -05:00
Joshua Casey
ff89148a93 Bump all direct go dependencies 2023-04-05 09:15:17 -05:00
Joshua Casey
93f51c1a1d Bump Dockerfiles to go1.20.3 2023-04-05 09:12:10 -05:00
Ryan Richard
e66406ffe2
Merge pull request #1446 from pnbrown/search-update
Update docsearch to v3
2023-04-04 14:56:50 -07:00
Pinny
03a2d603d3 Updated versions in docs for v0.23.0 release 2023-04-04 21:38:59 +00:00
Ryan Richard
a7b4e65521
Merge branch 'main' into search-update 2023-04-04 13:44:22 -07:00
Ryan Richard
b4f5be1332
Merge pull request #1471 from vmware-tanzu/doc_updates
Clarify audience value in Concierge-only auth doc, and other doc updates
2023-04-04 08:34:45 -07:00
Ryan Richard
eb4254b1c2 Update team members on website 2023-04-03 16:54:10 -07:00
Ryan Richard
19b60fe563 Clarify audience value in Concierge-only auth doc, and other doc updates
Also renamed a couple of integration test files to make their names
more clear.
2023-04-03 16:54:10 -07:00
Ryan Richard
985260dcea
Merge pull request #1470 from vmware-tanzu/fix_int_tests_for_1.27_prerelease
Fix integration tests to pass with Kube 1.27/1.28 pre-release builds
2023-04-03 15:21:02 -07:00
Ryan Richard
7cd16b179c Fix integration tests to pass with Kube 1.27/1.28 pre-release builds
Fix test failures that occurred in the k8s-main integration test CI job
when using Kube 1.27 and 1.28 pre-release builds.
2023-04-03 14:16:47 -07:00
Ben Petersen
64263fdb0a
Merge pull request #1469 from vmware-tanzu/fix_typo_for_go1.19
Fix typo that prevented compiling with Go 1.19
2023-04-03 16:38:59 -04:00
Ryan Richard
a04129548f Increase some test timeouts that failed once on Kind jobs in CI 2023-04-03 11:46:11 -07:00
Ryan Richard
f7fac330f5 Fix typo that prevented compiling with Go 1.19 2023-04-03 11:46:11 -07:00
Ryan Richard
6ae3c0a9c3
Merge pull request #1453 from jamieklassen/patch-1
use apiGroup without version in webapp auth howto
2023-04-03 11:08:20 -07:00
Joshua Casey
84e2f27249
Merge pull request #1468 from vmware-tanzu/update_logr_dep
Upgrade dep github.com/go-logr/logr@v1.2.3 to v1.2.4
2023-03-31 13:38:10 -05:00
Ryan Richard
f99ca61bba Upgrade dep github.com/go-logr/logr@v1.2.3 to v1.2.4 2023-03-31 10:23:58 -07:00
Joshua Casey
7d394658cc
Merge pull request #1466 from vmware-tanzu/get_kubeconfig_discover_username_group_scopes
`pinniped get kubeconfig` discovers support for username/groups scopes
2023-03-30 14:47:56 -05:00
Ryan Richard
d659b90e19 pinniped get kubeconfig discovers support for username/groups scopes 2023-03-30 11:52:53 -07:00
Joshua Casey
bd56eebb8a
Merge pull request #1465 from vmware-tanzu/jtc/bump-deps
Bump dependencies to latest
2023-03-29 10:56:22 -05:00
Ryan Richard
2ba378904d Bump dependencies to latest
Signed-off-by: Joshua T Casey <caseyj@vmware.com>
2023-03-28 15:15:27 -05:00
Joshua Casey
1ebc8e8b2e
Merge pull request #1463 from vmware-tanzu/jtc/bump-deps
Bump Dependencies
2023-03-20 21:06:06 -05:00
Joshua Casey
1699a9995e Update generated K8s API files 2023-03-20 18:44:48 -05:00
Joshua Casey
255f51f75b Bump all golang dependencies 2023-03-20 14:31:59 -05:00
Joshua Casey
5928e05d9e
Merge pull request #1436 from vmware-tanzu/jtc/bump-deps
Bump k8s.io dependencies, and add support for Go1.20 TLS error messages
2023-03-16 16:01:28 -05:00
Joshua Casey
fc0f9d959a Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 14:55:37 -05:00
Jamie Klassen
6ee05611a1
use apiGroup without version in webapp auth howto 2023-03-16 15:51:17 -04:00
Joshua Casey
a783a5d6b2 Bump to golang 1.20.2 2023-03-16 09:42:15 -05:00
Joshua Casey
72d537f8b4 Bump all golang deps 2023-03-16 09:42:15 -05:00
Joshua Casey
1c8ab72f4f Update test asserts for Golang 1.19 and 1.20 TLS error messages 2023-03-07 12:25:10 -06:00
Nigel Brown
241a3a6cfb Update docsearch to v3
Update docsearch to v3

Signed-off-by: Nigel Brown <nigelb@vmware.com>
2023-03-06 14:56:02 -06:00
Joshua Casey
daf4be03ce Update generated kubernetes API files 2023-03-05 22:12:54 -06:00
Joshua Casey
7d48fad385 Bump k8s.io deps to 0.26.2 2023-03-05 22:12:54 -06:00
Joshua Casey
0aa4892353
Merge pull request #1435 from vmware-tanzu/jtc/add-update-go-mod
Add helper script to give you all the commands to update all go mod dependencies
2023-03-05 22:11:43 -06:00
Joshua Casey
947b4fd579 Add helper script to give you all the commands to update all go mod dependencies 2023-03-02 08:47:57 -06:00
Joshua Casey
205559b4f3
Merge pull request #1420 from vmware-tanzu/jtc/bump-deps
Bump all direct go dependencies, and use go 1.20.1 in the Docker images
2023-03-01 16:14:59 -06:00
Joshua Casey
2bd24f674a Bump golang in Dockerfiles to 1.20.1 2023-02-27 14:16:49 -06:00
Joshua Casey
8b8af49651 Bump all direct go dependencies 2023-02-27 14:16:49 -06:00
Ryan Richard
60d12d88ac
Merge pull request #1387 from vmware-tanzu/jtc/bump-to-golang-1.19-semantics
Bump to golang 1.18 semantics
2023-01-31 10:23:24 -08:00
Joshua Casey
77041760cc Ignore lint issues for deprecated Pool.Subjects()
- 4aa1efed48/src/crypto/x509/cert_pool.go (L243-L244)
2023-01-31 10:10:44 -06:00
Joshua Casey
b9c8e359ab Use sync/atomic instead of go.uber.org/atomic 2023-01-31 10:10:44 -06:00
Joshua Casey
24cf7c5bcd Remove internal/psets in favor of k8s.io/apimachinery/pkg/util/sets 2023-01-31 10:10:44 -06:00
Joshua Casey
0d4a4fd2bf Bump to go 1.18 semantics 2023-01-31 10:09:55 -06:00
Joshua Casey
d0784eaed2
Merge pull request #1395 from vmware-tanzu/cli_help_messages
Unhide login subcommand and improve several command help messages
2023-01-29 21:16:59 -06:00
Ryan Richard
2d3e53e6ac Increase timeouts in supervisor_oidcclientsecret_test.go
They were too short after enabling the race detector for integration
tests in CI.
2023-01-27 14:23:04 -08:00
Ryan Richard
7a74ca9f57 Unhide login subcommand and improve several command help messages
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-27 13:34:04 -08:00
Joshua Casey
d9e79eac9d
Merge pull request #1391 from vmware-tanzu/dependabot/go_modules/k8s.io/klog/v2-2.90.0
Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0
2023-01-27 10:36:19 -06:00
Joshua Casey
adcfedff68
Merge pull request #1394 from vmware-tanzu/jtc/add-no-cookie-banner-183755195
Website now displays that it does not use cookies
2023-01-27 10:35:14 -06:00
Joshua Casey
6d39b81b8f Website now displays that it does not use cookies.
[#183755195]

Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-26 17:09:57 -06:00
dependabot[bot]
efeb9a9de0 Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.80.1 to 2.90.0.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.80.1...v2.90.0)

---
updated-dependencies:
- dependency-name: k8s.io/klog/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-25 09:02:36 -06:00
Joshua Casey
d2afdfaf9a
Merge pull request #1389 from vmware-tanzu/error_assertions
Accept both old and new cert error strings on MacOS in test assertions
2023-01-24 15:06:40 -06:00
Ryan Richard
bd9d6fab27
Merge branch 'main' into error_assertions 2023-01-24 09:34:19 -08:00
Joshua Casey
5756c56497
Merge pull request #1388 from vmware-tanzu/jtc/add-presentation-to-website-183914671
Add 'Sharing is NOT Caring video presentation to website'
2023-01-22 18:04:13 -06:00
Ryan Richard
c6e4133c5e Accept both old and new cert error strings on MacOS in test assertions
Used this as an opportunity to refactor how some tests were
making assertions about error strings.

New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.

All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Joshua Casey
5005f94ebb Standardize video resource attribution and dates
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-20 12:14:00 -06:00
Joshua Casey
15d700a41c Add video to website resources - 'Sharing is NOT Caring'
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-20 12:13:54 -06:00
Pinny
044cbd0325 Updated versions in docs for v0.22.0 release 2023-01-20 05:17:45 +00:00
Ryan Richard
e6a18978d1
Merge pull request #1385 from vmware-tanzu/update_kube_deps_0.26.1
Update Kube deps to 0.26.1
2023-01-19 15:48:41 -08:00
Ryan Richard
14858a6db3 Increase lint timeout to 20m for CI 2023-01-19 14:41:42 -08:00
Ryan Richard
8cad5ea3c9 Update Kube deps to 0.26.1
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-19 14:03:37 -08:00
Ryan Richard
0ffd01d993
Merge pull request #1372 from vmware-tanzu/jtc/support-k8s-0.26-and-bump-generated-code
bump k8s deps to 0.26 and bump generated code to include 1.26
2023-01-19 13:47:12 -08:00
Ryan Richard
23f6dd44a0 Use Go 1.19 for fips builds
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-18 16:00:16 -08:00
Ryan Richard
7ff3b3d9cb Code changes to support Kube 0.26 deps 2023-01-18 14:39:22 -08:00
Joshua Casey
a430f4b730 Bump K8s deps to 0.26 and add codegen for 0.26 2023-01-18 13:41:06 -08:00
Joshua Casey
585adc96d8 Bump generated files for K8s 1.22, 1.23, 1.24, 1.25 2023-01-18 13:38:36 -08:00
Ryan Richard
3b46547efc add hack/update-copyright-year.sh 2023-01-18 13:36:23 -08:00
Ryan Richard
53f56f328b
Merge pull request #1371 from vmware-tanzu/jtc/bump-deps-except-k8s
Bump Golang and Deps (except K8s)
2023-01-18 09:19:27 -08:00
Ryan Richard
9aafff78f1 bump two more direct deps 2023-01-18 08:26:55 -08:00
Joshua Casey
a49e48c6f7 Bump FIPS Golang to 1.18.10b7
Resolves #1367
2023-01-17 21:20:50 -06:00
Joshua Casey
6926c1ab64 Bump Golang to 1.19.5
Resolves #1368
2023-01-17 21:20:37 -06:00
Joshua Casey
f9e2212882 Bump all deps except K8s
Resolves:
- #1360
- #1361
- #1362
- #1363
- #1364
- #1365
2023-01-17 21:11:39 -06:00
Joshua Casey
95d35a174d
Merge pull request #1294 from vmware-tanzu/additional_claim_mapping
Add `spec.claims.additionalClaimMappings` to OIDCIdentityProvider
2023-01-17 20:48:58 -06:00
Ryan Richard
2f9b8b105d update copyright to 2023 in files changed by this PR 2023-01-17 15:54:16 -08:00
Ryan Richard
3d20fa79a7 Two more integration tests for additionalClaimMappings
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-17 15:36:39 -08:00
Ryan Richard
74c3156059 Assert more cluster-scoped ID token claims in supervisor_login_test.go 2023-01-17 13:10:51 -08:00
Joshua Casey
6156fdf175 Expect complex subclaims of additionalClaims to have type interface{}
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-17 13:27:40 -06:00
Joshua Casey
f494c61790 additionalClaims claim should not be present when no sub claims are expected
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-17 11:58:08 -06:00
Ryan Richard
2633d72ce2 Change some test variable names related to additional claims
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:59 -08:00
Joshua Casey
a94bbe70c7 Add integration test to verify that additionalClaims are present in an ID Token
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Joshua Casey
9acc456fd7 Update token_handler_test to check additionalClaims for bools, numbers, and slices
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Ryan Richard
8ff6ef32e9 Allow additional claims to map into an ID token issued by the supervisor
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Joshua Casey
f4c9202f49
Merge pull request #1369 from vmware-tanzu/kube_cert_agent_reduce_memory
Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
2023-01-13 14:26:39 -06:00
Ryan Richard
bc7ffd37a6 Reduce memory consumption of pinniped-concierge-kube-cert-agent binary
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 11:07:42 -08:00
Pinny
f691baec74 Updated versions in docs for v0.21.0 release 2022-12-21 13:12:06 +00:00
Ryan Richard
39a95e1198
Merge pull request #1354 from vmware-tanzu/dump_more_deps_dec_2022
Bump Go 1.19.1 -> 1.19.4, and go-boringcrypto 1.18.6b7 -> 1.18.9b7
2022-12-15 10:35:54 -08:00
Ryan Richard
6d3ed73eee Bump Go 1.19.1 -> 1.19.4, and go-boringcrypto 1.18.6b7 -> 1.18.9b7 2022-12-15 09:40:32 -08:00
Ryan Richard
e3a963b73f
Merge pull request #1340 from vmware-tanzu/jtc/update-maintainers
Update maintainers
2022-12-15 09:31:14 -08:00
Ryan Richard
30818cb66d
Merge pull request #1353 from vmware-tanzu/dump_deps_dec_2022
Upgrade project Go dependencies
2022-12-15 09:23:16 -08:00
Ryan Richard
976035115e Stop using pointer pkg functions that were deprecated by dependency bump 2022-12-14 08:47:16 -08:00
Ryan Richard
85b67f254c Add more assertion to token_handler_test.go for token exchange exp claim 2022-12-14 08:47:16 -08:00
Ryan Richard
e1a0367b03 Upgrade project Go dependencies
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688

Due to the changes in fosite PR #688, we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
Joshua Casey
a9aac69c65 Add https://github.com/joshuatcasey as a Maintainer. Remove Technical Lead role. 2022-12-08 11:47:06 -06:00
Joshua Casey
d88895c4a5 Prettify MAINTAINERS.md 2022-12-08 11:43:09 -06:00
Ryan Richard
d35306aa85
Merge pull request #1322 from rooso/main
Update example configuration for Active Directory
2022-11-09 09:35:32 -08:00
rooso
3548362ce4
Update example configuration for Active Directory
there was an typo in the example configuration for Microsoft Active Directory. Attribute was `userPrincipleName` but should be `userPrincipalName`
2022-10-20 14:34:12 +02:00
Ben Petersen
4951cbe5d4
Merge pull request #1306 from vmware-tanzu/ci-updates-for-external-idps
Update TestLDAPSearch_Parallel to notice different var for external ldap server
2022-09-29 12:35:50 -04:00
Ryan Richard
66f4ee8a1b Update more tests to notice different var for external ldap server 2022-09-28 14:32:10 -07:00
Benjamin A. Petersen
09b9075abb
Update TestLDAPSearch_Parallel to notice different var for external ldap server 2022-09-28 16:02:56 -04:00
Ben Petersen
99c635c38d
Merge pull request #1304 from vmware-tanzu/site-footers
Update site footer and maintainers page
2022-09-27 16:18:18 -04:00
Benjamin A. Petersen
265c63fa54
Update site footer and maintainers page
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-27 16:13:55 -04:00
Pinny
2995e6a48c Updated versions in docs for v0.20.0 release 2022-09-27 17:16:32 +00:00
Ryan Richard
563c193499 Fix integration test expectation for AKS clusters 2022-09-26 17:00:11 -07:00
Ryan Richard
0d215566d8 Yet another integration test fix for dynamic clients feature with Okta 2022-09-26 16:41:52 -07:00
Ryan Richard
23185d55a5 Another integration test fix for dynamic clients feature with Okta
Also increase the timeout in an integration test because it is flaking
on one of the GKE environments sometimes, probably because the
Concierge controllers aren't ready fast enough before the integration
tests start.
2022-09-26 14:43:50 -07:00
Ryan Richard
f302e71b0f Fix some integration tests' handling of groups to work with Okta 2022-09-26 12:40:07 -07:00
Ryan Richard
110681cdb8 Fix the name of the API Service updater controller in the log messages 2022-09-26 12:37:34 -07:00
Ryan Richard
36dbc7c9bf Update supervisor_storage_test.go to avoid using fuzzed value
The fuzzed value depends on which Go compiler is used. This breaks
the fips tests in CI as long as the fips compiler is a version behind
(we are still waiting for the 1.19 fips compiler to come out).

The fuzzing is still being tested by a separate unit test, so we are
not losing fuzzing test coverage.
2022-09-26 11:19:39 -07:00
Ryan Richard
1e05012bdb
Merge pull request #1303 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.12.2
Bump github.com/tdewolff/minify/v2 from 2.12.1 to 2.12.2
2022-09-26 07:56:37 -07:00
dependabot[bot]
e122e65b0a
Bump github.com/tdewolff/minify/v2 from 2.12.1 to 2.12.2
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.12.1 to 2.12.2.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.12.1...v2.12.2)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-09-26 01:34:52 +00:00
Ryan Richard
d444242431
Merge pull request #1302 from vmware-tanzu/bump_deps_sept_2022
Bump deps sept 2022
2022-09-23 16:38:41 -07:00
Ryan Richard
3b507dab4a Upgrade generated code to use the latest available versions of Kube libs
Manually kube-versions.txt and then ran ./hack/update.sh to update the
generated code.
2022-09-23 14:55:23 -07:00
Ryan Richard
bad95c072e Upgrade project dependencies to latest
- Upgrade Go used in CI from 1.19.0 to 1.19.1
- Upgrade all go.mod direct dependencies to latest available versions
- Upgrade distroless base image to latest available version
- Upgrade Go fips compiler to to latest available version

Note that upgrading the go-oidc library changed an error message
returned by that library, so update the places where tests were
expecting that error message.
2022-09-23 14:41:54 -07:00
Ryan Richard
eb62f04f21
Merge pull request #1181 from vmware-tanzu/dynamic_clients
Dynamic OIDC clients feature
2022-09-23 14:03:08 -07:00
Ryan Richard
208a566bdf Merge branch 'main' into dynamic_clients 2022-09-23 14:01:11 -07:00
Ryan Richard
510286570a
Merge pull request #1286 from vmware-tanzu/psa
Make Pinniped compatible with Kube clusters which have enabled PSAs
2022-09-23 13:56:23 -07:00
Ryan Richard
66b1df2dd9 Fix a test assertion in supervisor_oidcclientsecret_test.go 2022-09-23 07:59:05 -07:00
Ryan Richard
a7eb16dde1
Merge pull request #1255 from vmware-tanzu/dynamic_clients_docs
Add docs for dynamic clients
2022-09-22 12:34:17 -07:00
Ryan Richard
b46a2f0267 Add more details about OIDCClients to configure-auth-for-webapps.md
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-22 12:31:31 -07:00
Ryan Richard
e27b04cb41
Merge pull request #1273 from vmware-tanzu/dynamic_client_create_secret
Implement OIDCClientSecretRequest API for managing dynamic client secrets
2022-09-22 11:31:47 -07:00
Ryan Richard
3a7b373a7d Add OIDCClientSecretRequest to code-walkthrough.md
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-22 11:26:17 -07:00
Ryan Richard
ba98c8cc14 Enhance Kube middleware to rewrite API group of ownerRefs on update verb
When oidcclientsecretstorage.Set() wants to update the contents of the
storage Secret, it also wants to keep the original ownerRef of the
storage Secret, so it needs the middleware to rewrite the API group
of the ownerRef again during the update (just like it had initially done
during the create of the Secret).
2022-09-21 21:30:44 -07:00
Ryan Richard
31716358a9 Make the assertNoRestartsDuringTest() helper ignore terminating pods 2022-09-21 21:27:02 -07:00
Ryan Richard
12b3079377 integration tests for oidcclientsecretrequest endpoint
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 16:25:41 -07:00
Benjamin A. Petersen
a7ca2cf2dd fix test name in clientsecretrequest unit tests
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:23 -07:00
Ryan Richard
b49dcc7d45 Resolve a todo in oidcclientsecretstorage.go 2022-09-21 15:17:21 -07:00
Ryan Richard
90f13225ef Update integration test helper to call new OIDCClientSecretRequest API 2022-09-21 15:17:21 -07:00
Ryan Richard
ee3515f23b Create OIDCClientSecretRequest returns metadata
Sets the Name, Namespace, CreationTimestamp fields in the object meta
of the return value.

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:10 -07:00
Ryan Richard
7997285b19 Make fields optional on OIDCClientSecretRequest 2022-09-21 15:17:08 -07:00
Benjamin A. Petersen
6d863a159b Add unit tests for clientsecretrequest logs
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:17:02 -07:00
Benjamin A. Petersen
5e3a912200 Add unit tests for clientsecretrequest
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:48 -07:00
Benjamin A. Petersen
a812646dd1 Update pre-commit-config
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:39 -07:00
Benjamin A. Petersen
488296a480 adding tests
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:16:12 -07:00
Benjamin A. Petersen
55fb62d060 Fix OIDCClientSecretStorage.Get to check version, add tests for OIDCClientSecretStorage
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:50 -07:00
Ryan Richard
af01c3aeb6 Make kubectl explain work for Pinniped aggregated APIs
- Change update-codegen.sh script to also generated openapi code for the
  aggregated API types
- Update both aggregated API servers' configuration to make them serve
  the openapi docs for the aggregated APIs
- Add new integration test which runs `kubectl explain` for all Pinniped
  API resources, and all fields and subfields of those resources
- Update some the comments on the API structs
- Change some names of the tmpl files to make the filename better match
  the struct names
2022-09-21 15:15:37 -07:00
Ryan Richard
1c296e5c4c Implement the OIDCClientSecretRequest API
This commit is a WIP commit because it doesn't include many tests
for the new feature.

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2022-09-21 15:15:07 -07:00
Ryan Richard
b564454bab Make Pinniped compatible with Kube clusters which have enabled PSAs
Where possible, use securityContext settings which will work with the
most restrictive Pod Security Admission policy level (as of Kube 1.25).
Where privileged containers are needed, use the namespace-level
annotation to allow them.

Also adjust some integration tests to make similar changes to allow the
integration tests to pass on test clusters which use restricted PSAs.
2022-09-15 14:58:15 -07:00
Ryan Richard
7c247e9000 Merge branch 'main' into dynamic_clients 2022-09-15 12:00:41 -07:00
anjalitelang
6b3a2e87c0
Update ROADMAP.md 2022-09-09 11:18:48 -04:00
anjalitelang
3c2820fdae
Update ROADMAP.md
Updating the roadmap based on current needs of users 9/9/2022
2022-09-09 11:18:19 -04:00
Pinny
4441ac0600 Updated versions in docs for v0.19.0 release 2022-08-26 20:08:48 +00:00
Ryan Richard
dc39162597 Rerun codegen after merging main into dynamic_clients
Needed to update the new v1.25 generated code to include the new APIs
that were added in the dynamic_clients branch.
2022-08-26 12:13:53 -07:00
Ryan Richard
8d8f980e86 Merge branch 'main' into dynamic_clients 2022-08-26 11:35:35 -07:00
Ryan Richard
a5ac710831 Add unit test for expired refresh tokens used in refresh flow 2022-08-26 09:23:25 -07:00
Ryan Richard
5246ff9005 Give more time for slow envs to update in concierge_api_serving_certs_test.go
This test is a little flaky in slow Kubernetes clusters. Try giving a
little more time for things to update before failing the test, to
hopefully make this test a little more reliable.
2022-08-25 11:20:54 -07:00
Ryan Richard
24a3588eb0 Run codegen again using Go 1.19, causes whitespace diffs in generated code 2022-08-25 09:36:54 -07:00
Ryan Richard
8f27219ac9 Change allowed gcp auth plugin is deprecation warning text
It seems that google changed it from "the gcp auth plugin is deprecated
in v1.22+, unavailable in v1.25+; use gcloud instead" to instead say
"unavailable in v1.26+". Make the matcher in category_test.go more loose
to allow both to match.
2022-08-25 08:11:37 -07:00
Ryan Richard
736b385d7b
Merge pull request #1264 from vmware-tanzu/access_token_validation
Improve token exchange error messages and error test cases
2022-08-24 17:53:53 -07:00
Ryan Richard
c40465127e Merge branch 'main' into access_token_validation 2022-08-24 16:50:21 -07:00
Ryan Richard
af7cf673e0
Merge pull request #1192 from vmware-tanzu/dependabot/docker/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130`
2022-08-24 16:49:37 -07:00
Ryan Richard
ee99106160
Merge pull request #1193 from vmware-tanzu/dependabot/docker/hack/distroless/static-66cd130
Bump distroless/static from `2556293` to `66cd130` in /hack
2022-08-24 16:49:18 -07:00
Ryan Richard
65197d0f9d Merge branch 'main' into access_token_validation 2022-08-24 16:41:12 -07:00
dependabot[bot]
f320a04125
Bump distroless/static from 2556293 to 66cd130
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:35 +00:00
dependabot[bot]
036c937db5
Bump distroless/static from 2556293 to 66cd130 in /hack
Bumps distroless/static from `2556293` to `66cd130`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-24 23:40:34 +00:00
Ryan Richard
4e8601e73b
Merge pull request #1272 from vmware-tanzu/bump_deps_aug_2022
Bump all deps
2022-08-24 16:39:45 -07:00
Ryan Richard
138f1d263f Rerun godegen using Go 1.19, causes whitespace diffs in generated code 2022-08-24 16:06:42 -07:00
Ryan Richard
43af297b44 Add codegen for Kube 1.25, and update patch versions on older codegen 2022-08-24 15:13:21 -07:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
2022-08-24 14:45:55 -07:00
Ryan Richard
03694d78a8 Implement new Destroy() interface from rest.Storage from Kube v1.25 2022-08-24 12:04:38 -07:00
Ryan Richard
fe083f73fc Bump to golang 1.19.0 and to latest distroless base image
For fips dockerfile, the fips 1.19 compiler has not been released yet,
so bump to the latest available.
2022-08-24 11:18:53 -07:00
Ryan Richard
c1ebf5b737 Run go mod tidy -compat=1.17 2022-08-24 10:06:56 -07:00
Ryan Richard
dd7902faa0 bump golang deps 2022-08-24 10:03:09 -07:00
Ryan Richard
1384f75731 Improve token exchange error messages and error test cases 2022-08-23 17:20:30 -07:00
Ryan Richard
91cf439b31
Merge pull request #1249 from vmware-tanzu/username_scope
Add the new `username` scope to the Supervisor and exclude usernames from dynamic clients which are not granted the scope, and other dynamic client related changes
2022-08-19 10:21:45 -07:00
Ryan Richard
02a27e0186 Add docs for dynamic clients 2022-08-11 14:35:18 -07:00
Ryan Richard
0bb2c7beb7 Always add the azp claim to ID tokens to show the original client ID
When the token exchange grant type is used to get a cluster-scoped
ID token, the returned token has a new audience value. The client ID
of the client which performed the authorization was lost. This didn't
matter before, since the only client was `pinniped-cli`, but now that
dynamic clients can be registered, the information would be lost in the
cluster-scoped ID token. It could be useful for logging, tracing, or
auditing, so preserve the information by putting the client ID into the
`azp` claim in every ID token (authcode exchange, clsuter-scoped, and
refreshed ID tokens).
2022-08-09 16:07:23 -07:00
Ryan Richard
8a5db99abf get kubeconfig cmd errors on audience values with reserved substring 2022-08-09 09:12:25 -07:00
Ryan Richard
22fbced863 Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 16:29:22 -07:00
Ryan Richard
6b29082c27
Merge pull request #1236 from vmware-tanzu/dynamic_clients_in_downstream_flows
Allow dynamic clients to be used in downstream OIDC flows
2022-07-26 11:18:15 -07:00
Ryan Richard
bda233482d Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-26 09:31:39 -07:00
Ryan Richard
57f8e18dbc Merge branch 'main' into dynamic_clients 2022-07-26 09:31:18 -07:00
Ryan Richard
a876591765
Merge pull request #1126 from vmware-tanzu/dynamic_clients_proposal
Dynamic Supervisor OIDC Clients proposal
2022-07-26 09:27:37 -07:00
Ryan Richard
b5c0b4b90e
Merge pull request #1240 from vmware-tanzu/pause_community_meeting
pause community meeting for a little while
2022-07-26 09:24:19 -07:00
Ryan Richard
c07cc6b8ec Update e2e_test.go for clusters which have ServerSideFieldValidation
Also update prepare-cluster-for-integration-tests.sh for new
kubectl version command options.
2022-07-25 17:25:21 -07:00
Ryan Richard
8c7fbd2c0c pause community meeting for a little while 2022-07-25 12:07:18 -07:00
Ryan Richard
88f611d31a Be extra defensive and don't lookup dynamic client ID's lacking prefix 2022-07-22 15:19:19 -07:00
Ryan Richard
2f1966dbc8 Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-22 10:01:26 -07:00
Ryan Richard
f1cd4eebb0 Merge branch 'main' into dynamic_clients 2022-07-22 10:00:53 -07:00
Ryan Richard
075bc824e7 Merge branch 'main' into dynamic_clients_proposal 2022-07-22 09:56:40 -07:00
Ryan Richard
7ccd41b5f2 docs gen tool changed its output, so rerun codegen 2022-07-22 09:56:20 -07:00
Ryan Richard
ae917bfd8d Merge branch 'main' into dynamic_clients_proposal 2022-07-22 09:33:45 -07:00
Ryan Richard
7450fb6c8e A few more small changes to the dynamic clients proposal 2022-07-22 09:26:24 -07:00
Mo Khan
ee3646ef13
Merge pull request #1239 from enj/goodbye
Update current maintainers ✌️👋🫡
2022-07-22 10:39:55 -04:00
Ryan Richard
b65f872dcd Configure printer columns for OIDCClient CRD 2022-07-21 16:40:03 -07:00
Monis Khan
1e56968491
Update current maintainers ✌️👋🫡
Signed-off-by: Monis Khan <mok@vmware.com>
2022-07-21 18:07:54 -04:00
Ryan Richard
0495286f97 Fix lint error and remove accidental direct dep on ory/x
Fixing some mistakes from previous commit on feature branch.
2022-07-21 13:50:33 -07:00
Ryan Richard
b507604b90 Update dynamic clients proposal with a link to the LDAP/AD UI release
Also fix a typos.
2022-07-21 11:37:58 -07:00
Ryan Richard
1eefba537d Update dynamic clients proposal with details learned during implementation
Also fix some typos and add some clarifying comments.
2022-07-21 11:26:04 -07:00
Ryan Richard
c12ffad29e Add integration test for failed client auth for a dynamic client 2022-07-21 10:13:34 -07:00
Ryan Richard
e42f5488fa More unit tests for dynamic clients
- Add dynamic client unit tests for the upstream OIDC callback and
  POST login endpoints.
- Enhance a few log statements to print the full fosite error messages
  into the logs where they were previously only printing the name of
  the error type.
2022-07-21 09:26:00 -07:00
Ryan Richard
34509e7430 Add more unit tests for dynamic clients and enhance token exchange
- Enhance the token exchange to check that the same client is used
  compared to the client used during the original authorization and
  token requests, and also check that the client has the token-exchange
  grant type allowed in its configuration.
- Reduce the minimum required bcrypt cost for OIDCClient secrets
  because 15 is too slow for real-life use, especially considering
  that every login and every refresh flow will require two client auths.
- In unit tests, use bcrypt hashes with a cost of 4, because bcrypt
  slows down by 13x when run with the race detector, and we run our
  tests with the race detector enabled, causing the tests to be
  unacceptably slow. The production code uses a higher minimum cost.
- Centralize all pre-computed bcrypt hashes used by unit tests to a
  single place. Also extract some other useful test helpers for
  unit tests related to OIDCClients.
- Add tons of unit tests for the token endpoint related to dynamic
  clients for authcode exchanges, token exchanges, and refreshes.
2022-07-20 13:55:56 -07:00
Ryan Richard
32ea6090ad Merge branch 'dynamic_clients' into dynamic_clients_in_downstream_flows 2022-07-15 10:28:30 -07:00
Mo Khan
f9dfd68420
Merge pull request #1221 from vmware-tanzu/oidcclient_controller2
Enhancements to OIDCClient controller
2022-07-15 08:51:44 -04:00
Ryan Richard
f5f55176af Enhance integration tests for OIDCClients in supervisor_login_test.go 2022-07-14 18:50:23 -07:00
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
be85e1ed0a TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 09:30:03 -07:00
Ryan Richard
93939ccbd8 OIDCClient watcher controller updates based on PR feedback 2022-07-06 10:34:24 -07:00
Ryan Richard
8a23f244f3
Merge pull request #1215 from vmware-tanzu/prepare_supervisor_on_kind_linux
fix usage of base64 in hack script for linux
2022-06-29 10:51:16 -07:00
Ryan Richard
5b0c165dc8 fix usage of base64 in hack script 2022-06-28 12:44:41 -07:00
Ryan Richard
4878ae77e5
Merge pull request #1142 from vmware-tanzu/audit_logging_proposal
Audit logging proposal
2022-06-28 12:33:55 -07:00
Ryan Richard
18a1f3a43a
Merge branch 'main' into audit_logging_proposal 2022-06-28 12:33:02 -07:00
Mo Khan
43a76648d5
Merge pull request #1213 from vmware-tanzu/fix-groups-scope-integration-tests
One line fix to the supervisor warnings test
2022-06-24 11:12:07 -04:00
Margo Crawford
98b0b6b21c One line fix to the supervisor warnings test
Make the scopes in the cache key include the new groups scope

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-24 08:09:32 -07:00
Monis Khan
f13c5e3f06
Fix supervisor scheme comment
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-24 09:56:44 -04:00
Mo Khan
d576e44f0a
Merge pull request #1197 from vmware-tanzu/require-groups-scope
Require groups scope
2022-06-23 14:06:46 -04:00
Margo Crawford
8adc1ce345 Fix failing active directory integration test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 16:16:32 -07:00
Ryan Richard
3cf3b28c5b Update audit log proposal 2022-06-22 15:12:28 -07:00
Margo Crawford
a010e72b29 Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 14:27:06 -07:00
Margo Crawford
dac0395680 Add a couple tests, address pr comments
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 14:19:55 -07:00
Margo Crawford
f2005b4c7f Merge branch 'dynamic_clients' into require-groups-scope 2022-06-22 12:30:54 -07:00
Margo Crawford
c70a0b99a8 Don't do ldap group search when group scope not specified
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 10:58:08 -07:00
Margo Crawford
9903c5f79e Handle refresh requests without groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 08:21:16 -07:00
Mo Khan
0a2aa9338d
Merge pull request #1198 from vmware-tanzu/oidcclient_controller
New controller watches OIDCClients and updates validation Conditions
2022-06-17 13:39:49 -04:00
Ryan Richard
5aa0d91267
New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Mo Khan
f8183e0fab
Merge pull request #1199 from enj/enj/f/dynamic_clients_name_fix
Fix TestOIDCClientStaticValidation on old servers
2022-06-17 09:05:08 -04:00
Monis Khan
36a5c4c20d
Fix TestOIDCClientStaticValidation on old servers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-17 09:04:03 -04:00
Mo Khan
4bf734061d
Merge pull request #1190 from vmware-tanzu/client-secret-api-noop
aggregated api for oidcclientsecretrequest
2022-06-16 10:30:13 -04:00
Mo Khan
90077f7135
Merge pull request #1195 from enj/enj/f/dynamic_clients_name
Static validation for OIDC clients
2022-06-16 10:29:03 -04:00
Margo Crawford
64cd8b0b9f Add e2e test for groups scope
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 13:41:22 -07:00
Monis Khan
59d67322d3
Static validation for OIDC clients
The following validation is enforced:

1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
   or http://127.0.0.1
   or http://::1
3. All spec lists must not have duplicates

Added an integration test to assert all static validations.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-15 15:09:40 -04:00
Margo Crawford
ff26c424ae Remove unused role binding
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 10:19:56 -07:00
Margo Crawford
424f925a14 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-15 09:38:55 -07:00
Margo Crawford
c117329553 Updates based on code review
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 09:38:21 -07:00
Margo Crawford
4d0c2e16f4 require groups scope to get groups back from supervisor
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 08:00:17 -07:00
Mo Khan
c77bee67c1
Merge pull request #1189 from vmware-tanzu/token_exchange_aud
Disallow certain requested audience strings in token exchange
2022-06-14 16:41:51 -04:00
Margo Crawford
c95efad180 Merge branch 'dynamic_clients' into client-secret-api-noop
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 17:12:00 -07:00
Ryan Richard
268e1108d1
Merge pull request #1194 from vmware-tanzu/config_oidcclient
Move oidcclient into config.supervisor.pinniped.dev
2022-06-13 16:03:05 -07:00
Margo Crawford
104e08b0f6 Merge branch 'dynamic_clients' into client-secret-api-noop 2022-06-13 15:52:34 -07:00
Margo Crawford
0c1f48cbc1 Move oidcclient into config.supervisor.pinniped.dev
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 15:48:54 -07:00
Margo Crawford
8f4285dbff Change group names
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-13 14:28:05 -07:00
Ryan Richard
aceea7888b Merge branch 'main' into dynamic_clients 2022-06-13 12:29:09 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Margo Crawford
ba371423d9 Add integration test for OIDCClientSecretRequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 13:56:15 -07:00
Margo Crawford
018bdacc6d
Merge pull request #1191 from vmware-tanzu/codegen-docker-pull-always
Always attempt to docker pull before codegen
2022-06-10 13:31:47 -07:00
Ryan Richard
e7096c61a8 Merge branch 'main' into dynamic_clients 2022-06-10 12:52:59 -07:00
Margo Crawford
b3ad29fe1c Always attempt to docker pull before codegen
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 12:26:40 -07:00
Margo Crawford
479b6c421d fix out of date codegen images
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 09:51:37 -07:00
Margo Crawford
157b5a7079 Update 1.24 codegen
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-10 07:55:46 -07:00
Margo Crawford
37884e7015 reran update.sh to get the codegen up to date
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 14:39:06 -07:00
Margo Crawford
889348e999 WIP aggregated api for oidcclientsecretrequest
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-09 13:47:19 -07:00
Ryan Richard
484c8f4bf3
Merge pull request #1183 from anjaltelang/main
Blog for v0.18.0
2022-06-08 15:14:31 -07:00
Ryan Richard
221f174768
Update v0.18.0 blog post date 2022-06-08 15:14:02 -07:00
Pinny
3ebf5ad4c3 Updated versions in docs for v0.18.0 release 2022-06-08 22:13:13 +00:00
Ryan Richard
ec533cd781 Skip some recently added integration tests when LDAP is unavailable
Also refactor to use shared test helper for skipping LDAP and AD tests.
2022-06-08 12:57:00 -07:00
Ryan Richard
1f505fc065 Update audience confusion section of proposal doc 2022-06-08 11:36:50 -07:00
Ryan Richard
dd61ada540 Allow new warning messages about GCP plugin in TestGetPinnipedCategory 2022-06-08 10:22:15 -07:00
Ryan Richard
0b6b8b4fcd Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:58:38 -07:00
Ryan Richard
77f37b5a57 run codegen 2022-06-08 09:41:35 -07:00
Ryan Richard
321abfc98d Merge branch 'dynamic_clients' into token_exchange_aud 2022-06-08 09:03:29 -07:00
Ryan Richard
97d17bbda8 Merge branch 'main' into dynamic_clients 2022-06-08 09:03:06 -07:00
Mo Khan
cc1163e326
Merge pull request #1179 from vmware-tanzu/auth_handler_form_post_csp
Fix bug in certain error handling for authorize endpoint when response_mode=form_post is requested
2022-06-08 08:47:56 -04:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Mo Khan
472ab229e7
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 18:26:52 -04:00
Mo Khan
2c7b52dce8
Merge pull request #1186 from vmware-tanzu/bump_deps
Bump all project dependencies
2022-06-07 18:25:12 -04:00
Ryan Richard
2c048bcb4f
Bump all deps to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
e78c7d4e0e
update kube codegen versions and add 1.24 codegen
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
7751c0bf59
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-07 15:26:30 -04:00
Ryan Richard
8170889aef Update CSP header expectations in TestSupervisorLogin_Browser int test 2022-06-07 11:20:59 -07:00
Mo Khan
38bfdd6b70
Merge branch 'main' into auth_handler_form_post_csp 2022-06-07 11:42:09 -04:00
Margo Crawford
e5a96e353c
Merge pull request #1185 from vmware-tanzu/oidc_client_crd
OIDC client crd
2022-06-06 14:16:10 -07:00
Anjali Telang
52bbbcf7e8 margo's suggestions 2022-06-06 17:03:52 -04:00
Mo Khan
a3ec15862d
Run CodeQL on dynamic_clients branch 2022-06-06 16:41:38 -04:00
Ryan Richard
98c45fefe9 Merge branch 'main' into auth_handler_form_post_csp 2022-06-06 11:51:51 -07:00
Margo Crawford
d6442ed53d
Merge pull request #1180 from vmware-tanzu/cli_flow_env_var
Allow `PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW` env var to override `--upstream-identity-provider-flow` CLI flag
2022-06-06 11:49:00 -07:00
Margo Crawford
0dec2eee32 Add enum validation for scopes and grant types
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-06 10:15:25 -07:00
Ryan Richard
fd9d641b5c Add doc for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var 2022-06-06 09:47:50 -07:00
Ryan Richard
326cc194e9 Merge branch 'main' into cli_flow_env_var 2022-06-06 09:38:57 -07:00
Margo Crawford
3cacb5b022 Fix typo in oidcclient spec and status descriptions
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-06 07:38:57 -07:00
Margo Crawford
ca3da0bc90 Fix some disallowed kubebuilder annotations, fix kube api discovery test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-04 21:04:40 -07:00
Margo Crawford
cd47ba53c2 Add CRD for OIDCClient
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-03 16:22:15 -07:00
anjalitelang
2f6349c96d
Merge pull request #1166 from anjaltelang/main
Roadmap updates for future
2022-06-02 17:27:14 -04:00
anjalitelang
225bbdd36b
Merge branch 'main' into main 2022-06-02 17:25:43 -04:00
Ryan Richard
30d09b2b7e Empty commit 2022-06-02 13:10:34 -07:00
Ryan Richard
cb8685b942 Add e2e test for PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var 2022-06-02 11:27:54 -07:00
Ryan Richard
6e461821d6 Allow PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW env var to override flow
Env var may be used with CLI to override the flow selected by the
--upstream-identity-provider-flow CLI flag.
2022-06-02 10:30:03 -07:00
Ryan Richard
b99c4773a2 Use CSP headers in auth handler response
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
2022-06-02 09:23:34 -07:00
Monis Khan
212f00ebde
Recommend a single approach to address all goals
Signed-off-by: Monis Khan <mok@vmware.com>
2022-06-01 10:26:37 -04:00
Mo Khan
75a32ae243
Merge pull request #1145 from enj/enj/f/json_logs
Switch to go.uber.org/zap for JSON formatted logging
2022-05-24 13:15:22 -04:00
Monis Khan
0674215ef3
Switch to go.uber.org/zap for JSON formatted logging
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-24 11:17:42 -04:00
Ryan Richard
03ccef03fe
Merge pull request #1163 from vmware-tanzu/ldap-login-ui
Support a browser-based login flow for LDAP and Active Directory providers
2022-05-24 10:19:34 -04:00
Ryan Richard
438ab0a0e1
Merge branch 'main' into ldap-login-ui 2022-05-20 08:40:34 -07:00
Ryan Richard
39fd9ba270 Small refactors and comments for LDAP/AD UI 2022-05-19 16:02:08 -07:00
Anjali Telang
cc985aa98a Roadmap updates for future
Signed-off-by: Anjali Telang <atelang@vmware.com>
2022-05-19 15:53:53 -04:00
Ryan Richard
7388097de7
Merge pull request #1116 from vmware-tanzu/proposal-ldap-web-ui
ldap/ad web ui proposal
2022-05-16 16:22:17 -07:00
Ryan Richard
f008c081b3
Accept LDAP UI proposal 2022-05-16 16:21:33 -07:00
Ryan Richard
1092fc4a9e
Add PR link to LDAP UI proposal 2022-05-16 16:21:17 -07:00
Ryan Richard
dc6874e9cd
Move remaining open q's to answered q's 2022-05-16 16:20:42 -07:00
Ryan Richard
0f2a984308 Merge branch 'main' into ldap-login-ui 2022-05-11 11:32:15 -07:00
Ryan Richard
4101a55001 Update docs for new LDAP/AD browser-based login flow
Also fix some comments that didn't fit onto one line in the yaml
examples, be consistent about putting a blank line above `---` yaml
separators, and some other small doc improvements.
2022-05-11 11:19:08 -07:00
Ryan Richard
aa732a41fb Add LDAP browser flow login failure tests to supervisor_login_test.go
Also do some refactoring to share more common test setup code in
supervisor_login_test.go.
2022-05-10 16:28:08 -07:00
Ryan Richard
0b106c245e Add LDAP browser flow login test to supervisor_login_test.go 2022-05-10 12:54:40 -07:00
Ryan Richard
ab302cf2b7 Add AD via browser login e2e test and refactor e2e tests to share code 2022-05-10 10:30:32 -07:00
Ryan Richard
a4e32d8f3d Extract browsertest.LoginToUpstreamLDAP() integration test helper 2022-05-09 15:43:36 -07:00
Ryan Richard
831abc315e Update audit log proposal key names and timestamp format 2022-05-09 14:45:18 -07:00
Monis Khan
6bb34130fe
Add asymmetric crypto based client secret generation
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-09 15:58:52 -04:00
Margo Crawford
22aea6ab9d Address some small comments to make the doc more understandable
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-09 12:55:32 -07:00
Monis Khan
58f8a10919
Add data model and secret generation alternatives
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-09 00:05:06 -04:00
Monis Khan
1c4ed8b404
Add recommendation for solving the audience confusion problem
Signed-off-by: Monis Khan <mok@vmware.com>
2022-05-06 22:26:59 -04:00
Pinny
afc73221d6 Updated versions in docs for v0.17.0 release 2022-05-06 19:28:56 +00:00
Ryan Richard
4c44f583e9 Don't add pinniped_idp_name pinniped_idp_type params into upstream state 2022-05-06 12:00:46 -07:00
Margo Crawford
408e390094 Add more detail on how we should display errors
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-06 11:00:01 -07:00
Ryan Richard
ec22b5715b Add Pinniped favicon to login UI page 🦭 2022-05-05 14:46:07 -07:00
Ryan Richard
6e6e1f4add Update login page CSS selectors in e2e test 2022-05-05 13:56:38 -07:00
Ryan Richard
00d68845c4 Add --flow to choose login flow in prepare-supervisor-on-kind.sh 2022-05-05 13:42:23 -07:00
Ryan Richard
cffa353ffb Login page styling/structure for users, screen readers, passwd managers
Also:
- Add CSS to login page
- Refactor login page HTML and CSS into a new package
- New custom CSP headers for the login page, because the requirements
  are different from the form_post page
2022-05-05 13:13:25 -07:00
Ryan Richard
6ca7c932ae Add unit test for rendering form_post response from POST /login 2022-05-05 13:13:25 -07:00
Margo Crawford
b458cd43b9
Merge pull request #1159 from vmware-tanzu/fix-openldap-typo
Tiny fix to openldap group name: pinninpeds->pinnipeds
2022-05-05 12:50:43 -07:00
Margo Crawford
07a3faf449
Merge branch 'main' into fix-openldap-typo 2022-05-05 10:51:09 -07:00
Margo Crawford
329d41aac7 Add the full end to end test for ldap web ui
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-05 08:49:58 -07:00
Margo Crawford
079908fb50 Update to reflect further conversations we've had
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-04 13:28:54 -07:00
anjalitelang
1a59b6a686
Update ROADMAP.md
Changes made to reflect status as of May 4th, 2022
2022-05-04 16:06:33 -04:00
Margo Crawford
eb891d77a5 Tiny fix: pinninpeds->pinnipeds
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-04 12:42:55 -07:00
Ryan Richard
572474605f
Merge pull request #1151 from vmware-tanzu/more_unit_tests_for_ldap_escaping
More unit tests for LDAP DNs which contain special chars
2022-05-04 09:49:20 -07:00
Ryan Richard
656f221fb7 Merge branch 'main' into ldap-login-ui 2022-05-04 09:29:15 -07:00
Ryan Richard
a36688573b
Merge pull request #1150 from vmware-tanzu/prepare_supervisor_on_kind_active_directory
Support AD in hack/prepare-supervisor-on-kind.sh
2022-05-04 09:16:13 -07:00
Ryan Richard
2e031f727b Use security headers for the form_post page in the POST /login endpoint
Also use more specific test assertions where security headers are
expected. And run the unit tests for the login package in parallel.
2022-05-03 16:46:09 -07:00
Ryan Richard
acc6c50e48 More unit tests for LDAP DNs which contain special chars
Adding explicit coverage for PerformRefresh().
2022-05-03 15:43:01 -07:00
Margo Crawford
388cdb6ddd Fix bug where form was posting to the wrong path
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-05-03 15:18:38 -07:00
Ryan Richard
eaa87c7628 support AD in hack/prepare-supervisor-on-kind.sh 2022-05-03 12:59:39 -07:00
Ryan Richard
d6e61012c6
Merge pull request #1149 from vmware-tanzu/update_kube_versions
Update kube codegen versions
2022-05-02 15:35:49 -07:00
Ryan Richard
cc1f0b8db9
Merge pull request #1148 from vmware-tanzu/ldap_group_search_escape
Escape special characters in LDAP DNs when used in search filters
2022-05-02 14:44:45 -07:00
Ryan Richard
90e88bb83c Update kube codegen versions
Note that attempting to update 1.18.18 to 1.18.20 didn't work for some
reason, so I skipped that one. The code generator didn't like 1.18.20
and it deleted all the generated code. Avoiding 1.18.19 because it is
listed as having a regression at
https://kubernetes.io/releases/patch-releases/#non-active-branch-history
2022-05-02 14:33:33 -07:00
Ryan Richard
2ad181c7dd Merge branch 'main' into ldap_group_search_escape 2022-05-02 13:49:55 -07:00
Mo Khan
ee881aa406
Merge pull request #1146 from enj/enj/i/bump_0007
Bump deps to latest and go mod compat to 1.17
2022-05-02 16:44:49 -04:00
Ryan Richard
c74dea6405 Escape special characters in LDAP DNs when used in search filters 2022-05-02 13:37:32 -07:00
Ryan Richard
dfbc33b933
Apply suggestions from code review
Co-authored-by: Mo Khan <i@monis.app>
2022-05-02 09:47:09 -07:00
Ryan Richard
69e5169fc5 Implement post_login_handler.go to accept form post and auth to LDAP/AD
Also extract some helpers from auth_handler.go so they can be shared
with the new handler.
2022-04-29 16:02:00 -07:00
Ryan Richard
56c8b9f884
Add recommendations to dynamic client proposal 2022-04-29 12:48:03 -07:00
Margo Crawford
646c6ec9ed Show error message on login page
Also add autocomplete attribute and title element

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-29 10:36:13 -07:00
Monis Khan
2cdb55e7da
Bump deps to latest and go mod compat to 1.17
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-28 15:37:51 -04:00
Margo Crawford
453c69af7d Fix some errors and pass state as form element
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 12:07:04 -07:00
Margo Crawford
07b2306254 Add basic outline of login get handler
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-28 11:51:36 -07:00
Margo Crawford
77f016fb64 Allow browser_authcode flow for pinniped login command
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:53:53 -07:00
Margo Crawford
ae60d4356b Some refactoring of shared code between OIDC and LDAP browser flows
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-27 08:51:37 -07:00
Margo Crawford
379a803509 when password header but not username is sent to password grant, error
also add more unit tests

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 16:46:58 -07:00
Ryan Richard
65eed7e742 Implement login_handler.go to defer to other handlers
The other handlers for GET and POST requests are not yet implemented in
this commit. The shared handler code in login_handler.go takes care of
things checking the method, checking the CSRF cookie, decoding the state
param, and adding security headers on behalf of both the GET and POST
handlers.

Some code has been extracted from callback_handler.go to be shared.
2022-04-26 15:37:30 -07:00
Margo Crawford
eb1d3812ec Update authorization endpoint to redirect to new login page
Also fix some test failures on the callback handler, register the
new login handler in manager.go and add a (half baked) integration test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-26 12:51:56 -07:00
Margo Crawford
8832362b94 WIP: Add login handler for LDAP/AD web login
Also change state param to include IDP type
2022-04-25 16:41:55 -07:00
Margo Crawford
694e4d6df6 Advertise browser_authcode flow in ldap idp discovery
To keep this backwards compatible, this PR changes how
the cli deals with ambiguous flows. Previously, if there
was more than one flow advertised, the cli would require users
to set the flag --upstream-identity-provider-flow. Now it
chooses the first one in the list.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-25 14:54:21 -07:00
Ryan Richard
973c3102bb add audit logging proposal 2022-04-21 14:50:48 -07:00
Ryan Richard
24b0ddf600
Merge pull request #1140 from vmware-tanzu/bump_kube_deps_v0.23.6
bump kube deps from v0.23.5 to v0.23.6
2022-04-21 10:18:43 -07:00
Ryan Richard
cab9ac8368 bump kube deps from v0.23.5 to v0.23.6 2022-04-21 09:17:24 -07:00
Margo Crawford
444cf111d0 Add more detail about how the flow should work
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-20 16:17:49 -07:00
Ryan Richard
793b8b9260
Merge pull request #1121 from anjaltelang/main
v0.16.0 Blog
2022-04-20 11:54:20 -07:00
Pinny
4071b48f01 Updated versions in docs for v0.16.0 release 2022-04-20 18:52:59 +00:00
Ryan Richard
46e61bdea9
Update 2022-04-15-fips-and-more.md
Update release date
2022-04-20 10:56:21 -07:00
Ryan Richard
52341f4e49
Merge pull request #1083 from vmware-tanzu/dependabot/go_modules/k8s.io/klog/v2-2.60.1
Bump k8s.io/klog/v2 from 2.40.1 to 2.60.1
2022-04-19 15:22:08 -07:00
dependabot[bot]
cd982655a2
Bump k8s.io/klog/v2 from 2.40.1 to 2.60.1
Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.40.1 to 2.60.1.
- [Release notes](https://github.com/kubernetes/klog/releases)
- [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes/klog/compare/v2.40.1...v2.60.1)

---
updated-dependencies:
- dependency-name: k8s.io/klog/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-19 20:33:38 +00:00
Margo Crawford
311bb05993
Merge pull request #1130 from vmware-tanzu/kube-versions-april-22
Update kube versions to latest patch
2022-04-19 13:30:40 -07:00
Ryan Richard
0ec5e57114
Merge pull request #1131 from vmware-tanzu/bump_some_deps
Bump some deps
2022-04-19 13:29:28 -07:00
Margo Crawford
63779ddac2
Merge pull request #1129 from vmware-tanzu/jwt-authenticator-client-field
JWTAuthenticator distributed claims resolution honors tls config
2022-04-19 13:28:43 -07:00
Ryan Richard
4de8004094 Empty commit to trigger CI 2022-04-19 12:12:45 -07:00
Margo Crawford
0b72f7084c JWTAuthenticator distributed claims resolution honors tls config
Kube 1.23 introduced a new field on the OIDC Authenticator which
allows us to pass in a client with our own TLS config. See
https://github.com/kubernetes/kubernetes/pull/106141.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:36:46 -07:00
Ryan Richard
132d2aac72 add a code comment 2022-04-19 11:35:46 -07:00
Ryan Richard
2d4f4e4efd Merge branch 'main' into bump_some_deps 2022-04-19 11:32:53 -07:00
Margo Crawford
c40bca5e65
Merge pull request #1127 from hectorj2f/add_code_challenge_method_support
oidc: add code challenge supported methods to the discovery doc
2022-04-19 11:23:57 -07:00
Margo Crawford
019750a292 Update kube versions to latest patch
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-19 11:19:24 -07:00
Anjali Telang
9e5d4ae51c Blog for v0.16.0
Signed-off-by: Anjali Telang <atelang@vmware.com>
2022-04-19 14:16:45 -04:00
Ryan Richard
5b9831d319 bump the kube direct deps 2022-04-19 11:13:52 -07:00
Ryan Richard
fb8083d024 bump some direct deps 2022-04-19 11:09:24 -07:00
hectorj2f
a3f7afaec4 oidc: add code challenge supported methods
Signed-off-by: hectorj2f <hectorf@vmware.com>
2022-04-19 01:21:39 +02:00
Ryan Richard
19149ff043 Update proposal state to "in-review" 2022-04-15 13:35:07 -07:00
Ryan Richard
e2836fbdb5 Dynamic Supervisor OIDC Clients proposal 2022-04-15 13:23:40 -07:00
Margo Crawford
f5cf3276d5
Merge pull request #1123 from vmware-tanzu/macos-untrusted-certificate-errors 2022-04-14 20:15:31 -07:00
Margo Crawford
d5337c9c19 Error format of untrusted certificate errors should depend on OS
Go 1.18.1 started using MacOS' x509 verification APIs on Macs
rather than Go's own. The error messages are different.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 17:37:36 -07:00
Margo Crawford
96137cd0ee ldap/ad web ui proposal
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 13:58:31 -07:00
Mo Khan
c624846eaa
Merge pull request #1122 from vmware-tanzu/impersonator-only-http2
the http2RoundTripper should only use http2
2022-04-14 16:55:50 -04:00
Margo Crawford
03f19da21c the http2RoundTripper should only use http2
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-14 10:51:25 -07:00
Mo Khan
8fe635e7ce
Merge pull request #1096 from vmware-tanzu/dependabot/docker/distroless/static-2556293
Bump distroless/static from `80c956f` to `2556293`
2022-04-14 12:53:59 -04:00
dependabot[bot]
2fa81546f3
Bump distroless/static from 80c956f to 2556293
Bumps distroless/static from `80c956f` to `2556293`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-14 14:51:17 +00:00
Mo Khan
43485563ff
Merge pull request #1120 from vmware-tanzu/dependabot/docker/hack/google.com/api-project-999119582588/go-boringcrypto/golang-1.18.1b7
Bump google.com/api-project-999119582588/go-boringcrypto/golang from 1.17.8b7 to 1.18.1b7 in /hack
2022-04-14 10:26:04 -04:00
dependabot[bot]
5621c1161a
Bump google.com/api-project-999119582588/go-boringcrypto/golang in /hack
Bumps google.com/api-project-999119582588/go-boringcrypto/golang from 1.17.8b7 to 1.18.1b7.

---
updated-dependencies:
- dependency-name: google.com/api-project-999119582588/go-boringcrypto/golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-14 13:26:21 +00:00
Mo Khan
79fd8e2901
Merge pull request #1119 from enj/enj/i/fips_log_errs
Only emit FIPS startup log when running a server component
2022-04-14 09:19:40 -04:00
Monis Khan
e0886c6948
Only emit FIPS startup log when running a server component
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 18:31:02 -04:00
Mo Khan
f5cc2f20f7
Merge pull request #1118 from enj/enj/i/go1.18_linter_fix
Bump to go1.18.1 and fix linter errors
2022-04-13 18:15:20 -04:00
Monis Khan
8fd77b72df
Bump to go1.18.1 and fix linter errors
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-13 16:43:06 -04:00
Mo Khan
8ecf18521c
Merge pull request #1112 from vmware-tanzu/fips-website-docs
document how to use the fips dockerfile on our website
2022-04-13 16:41:25 -04:00
Margo Crawford
96c705bf94 document how to use the fips dockerfile on our website
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-04-13 12:45:58 -07:00
Mo Khan
d0d20e00e4
Merge pull request #1117 from vmware-tanzu/prefix_tokens
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 15:34:42 -04:00
Ryan Richard
53348b8464 Add custom prefix to downstream access and refresh tokens and authcodes 2022-04-13 10:13:27 -07:00
Ryan Richard
13daf59217
Merge pull request #1108 from vicmarbev/main
Use vmware-tanzu/carvel instead of the deprecated k14s/tap to install deps with brew
2022-04-13 08:43:39 -07:00
Ryan Richard
9ebf3a5b92
Merge branch 'main' into main 2022-04-13 08:41:04 -07:00
Mo Khan
6af1aaeb20
Merge pull request #1114 from enj/enj/i/fips_init_log
Use klog to make sure FIPS init log is emitted
2022-04-12 16:23:38 -04:00
Monis Khan
6b4fbb6e0e
Use klog to make sure FIPS init log is emitted
We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-12 14:36:06 -04:00
Mo Khan
edf4ffb018
Merge pull request #1101 from vmware-tanzu/dependabot/docker/hack/distroless/static-2556293
Bump distroless/static from `80c956f` to `2556293` in /hack
2022-04-11 12:37:25 -04:00
dependabot[bot]
721526b7e7
Bump distroless/static from 80c956f to 2556293 in /hack
Bumps distroless/static from `80c956f` to `2556293`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-07 14:13:12 +00:00
anjalitelang
91681b9368
Update ROADMAP.md
Edits to the wiki based on our current backlog 4/5/2022
2022-04-06 16:08:04 -04:00
Mo Khan
3c6f97a457
Target hack/Dockerfile_fips correctly 2022-04-06 15:32:08 -04:00
Mo Khan
12cbd744b7
Syntax highlighting for Dockerfile_fips 2022-04-06 15:31:07 -04:00
Ryan Richard
103538858f
Merge pull request #1094 from vmware-tanzu/disable_http
Supervisor HTTP listener disabled by default and may only bind to loopback interfaces
2022-04-05 12:39:04 -07:00
Ryan Richard
bdabdf0f42 Update comment in FederationDomainTLSSpec 2022-04-05 09:53:22 -07:00
Ryan Richard
25d20d4081 Merge branch 'main' into disable_http 2022-04-05 09:00:26 -07:00
Víctor Martínez Bevià
dc24397df4 Use vmware-tanzu/carvel instead of the deprecated k14/tap to install deps with brew 2022-04-05 16:43:22 +02:00
Mo Khan
c0874706d9
Merge pull request #1106 from enj/enj/i/fips_followup
Add more details to FIPS comments
2022-04-01 13:16:50 -04:00
Monis Khan
07066e020d
Explicitly set defaultServing ciphers in FIPS mode
This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:59:47 -04:00
Monis Khan
3f0753ec5a
Remove duplication in secure TLS tests
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Monis Khan
15bc6a4a67
Add more details to FIPS comments
Signed-off-by: Monis Khan <mok@vmware.com>
2022-04-01 10:56:38 -04:00
Mo Khan
ce82d799c9
Run OSSF scorecard on release branches 2022-04-01 10:41:23 -04:00
Mo Khan
a453522d81
Add OSSF Scorecard GitHub Action 2022-04-01 10:30:01 -04:00
Ryan Richard
51c527a965 Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests
- Use camel-case in the static configmap
- Parse the value into a boolean in the go struct instead of a string
- Add test for when unsupported value is used in the configmap
- Run the config_test.go tests in parallel
- Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 16:23:45 -07:00
Ryan Richard
ae7aac020a Merge branch 'main' into disable_http 2022-03-30 11:30:32 -07:00
Mo Khan
17e8faa0fe
Have dependabot keep the FIPS dockerfile updated 2022-03-30 13:55:19 -04:00
Mo Khan
6639ce2a1f
Merge pull request #1061 from vmware-tanzu/fips-boringcrypto
FIPs compatibility
2022-03-30 13:43:23 -04:00
Margo Crawford
53597bb824 Introduce FIPS compatibility
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-29 16:58:41 -07:00
Ryan Richard
0e54ba1a20 Slightly fancier way to prevent old values.yaml names from being used 2022-03-29 14:24:40 -07:00
Ryan Richard
b07a4131e5 Merge branch 'main' into disable_http 2022-03-29 12:47:53 -07:00
Mo Khan
2cffea5880
Merge pull request #1099 from vmware-tanzu/remove_supervisorhttpaddress_var
Remove unused env.SupervisorHTTPAddress integration test var
2022-03-29 13:36:00 -04:00
Ryan Richard
5f34efc0b7 Empty commit to trigger CI 2022-03-29 09:39:18 -07:00
Ryan Richard
cf471d6422 Remove unused env.SupervisorHTTPAddress integration test var 2022-03-29 09:13:44 -07:00
Ryan Richard
3592f80457 Merge branch 'main' into disable_http 2022-03-28 17:03:59 -07:00
Ryan Richard
488f08dd6e Provide a way to override the new HTTP loopback-only validation
Add new deprecated_insecure_accept_external_unencrypted_http_requests
value in values.yaml. Allow it to be a boolean or a string to make it
easier to use (both --data-value and --data-value-yaml will work).

Also:
- Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses
  for the validation
- Remove unused env.SupervisorHTTPAddress var
- Deprecate the `service_http_*` values in values.yaml by renaming them
  and causing a ytt render error when the old names are used
2022-03-28 17:03:23 -07:00
Mo Khan
cd25cb89c4
Merge pull request #1093 from enj/enj/d/ws1
Add Workspace ONE Access docs
2022-03-24 20:24:29 -04:00
Monis Khan
57fb085bef
Add Workspace ONE Access docs
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-24 20:17:54 -04:00
Ryan Richard
8d12c1b674 HTTP listener: default disabled and may only bind to loopback interfaces 2022-03-24 15:46:10 -07:00
Mo Khan
9c5adad062
Merge pull request #1092 from vmware-tanzu/remove_oryx_direct_dep
Remove direct dependency on ory/x
2022-03-24 15:16:34 -04:00
Mo Khan
4649b8e0e4
Merge pull request #1085 from pnbrown/community-page-update
Update _index.html
2022-03-24 14:02:51 -04:00
Ryan Richard
48c5a625a5 Remove our direct dependency on ory/x
ory/x has new releases very often, sometimes multiple times per week,
causing a lot of noise from dependabot. We were barely using it
directly, so replace our direct usages with equivalent code.
2022-03-24 10:24:54 -07:00
Ryan Richard
42bd385cbd
Merge pull request #1088 from vmware-tanzu/pty_int_test_flakes
WIP: Try to fix recent integration test flakes
2022-03-22 18:10:08 -07:00
Ryan Richard
bedf4e5a39 Try to avoid getting a second username prompt in a test in e2e_test.go 2022-03-22 14:23:50 -07:00
Ryan Richard
2715741c2c Increase a test timeout in e2e_test.go 2022-03-22 12:13:10 -07:00
Ryan Richard
d20b2056f2
Merge branch 'main' into pty_int_test_flakes 2022-03-22 11:14:19 -07:00
Margo Crawford
a9b054e2f4
Merge pull request #1087 from vmware-tanzu/update-install-linter-1.45.0
Update install-linter.sh to use v1.45.0
2022-03-22 10:57:34 -07:00
Margo Crawford
051a228a8c Update install-linter.sh to use v1.45.0
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-22 10:29:08 -07:00
Ryan Richard
d162e294ed Split up the context timeouts per test in e2e_test.go 2022-03-22 10:17:45 -07:00
Margo Crawford
636d2014a7
Merge pull request #1086 from pnbrown/patch-1
Update MAINTAINERS.md
2022-03-21 15:02:05 -07:00
Nigel Brown
f981f63b90
Update MAINTAINERS.md 2022-03-21 13:17:14 -05:00
Nigel Brown
b5be8c6c9b Update _index.html
Add current community meeting info
2022-03-21 13:08:54 -05:00
Ryan Richard
ff4ceb5d0b
Merge pull request #1079 from vmware-tanzu/contributor_guide_updates2
Small updates to CONTRIBUTING.md
2022-03-21 10:45:17 -07:00
Ryan Richard
d24f82fff5
Merge branch 'main' into contributor_guide_updates2 2022-03-21 10:45:10 -07:00
Ryan Richard
0ac37fd169
Merge pull request #1059 from vmware-tanzu/2022-readme
Update main README.md for 2022
2022-03-21 10:44:41 -07:00
Ryan Richard
bcfddec0a2
Merge branch 'main' into 2022-readme 2022-03-21 10:44:32 -07:00
Ryan Richard
b1310877d8 Add docs for how to run specific integration test(s) to CONTRIBUTING.md 2022-03-21 09:33:26 -07:00
Ryan Richard
f64779cba7 small updates to CONTRIBUTING.md 2022-03-18 14:27:33 -07:00
anjalitelang
c710cfbc70
Update ROADMAP.md
Changed last updated field for March
2022-03-18 10:12:50 -04:00
anjalitelang
3052763020
Update ROADMAP.md
Updated roadmap with current priorities
2022-03-17 09:36:24 -04:00
Ryan Richard
8b80a01d0a
Merge pull request #1065 from vmware-tanzu/kind-update
Use kubeadm.k8s.io/v1beta3 in addition to v1beta2 for kind config
2022-03-16 09:18:40 -07:00
Ryan Richard
e465056943 Use both kubeadm.k8s.io/v1beta2 and v1beta3 to allow old versions of K8s
You can use an older version of K8s on your development workstation
by temporarily editing kind-up.sh to add the `--image` flag. By defining
both v1beta2 and v1beta3 you should continue to be able to use old
versions of K8s in this way with Kind v0.12.0.
2022-03-15 15:09:39 -07:00
Ryan Richard
16c4c67af1 Use kubeadm.k8s.io/v1beta3 instead of v1beta2 for kind config
It appears that kind completely ignores kubeadm.k8s.io/v1beta2 config
starting in Kind v0.12.0.

You can observe the config being ignored or used by adding `-v 10` to
the command-line arguments of `kind create cluster` in kind-up.sh.
2022-03-15 09:37:27 -07:00
Mo Khan
c5dce9cab4
Merge pull request #1057 from enj/enj/i/turn_off_http
Rework or remove tests that rely on the http port
2022-03-10 20:06:34 -05:00
Monis Khan
8fac6cb9a4
Rework or remove tests that rely on the http port
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-10 19:43:12 -05:00
Ryan Richard
9805f6d6b2 Update main README.md for 2022 2022-03-10 14:23:27 -08:00
Mo Khan
61c8d54527
Fix typo in concierge deploy step 2022-03-10 09:08:40 -05:00
Ryan Richard
7c1f7447c5
Merge pull request #1054 from vmware-tanzu/update-linter
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
2022-03-08 13:52:14 -08:00
Ryan Richard
1c2dd12f32 Merge branch 'main' into update-linter 2022-03-08 12:57:22 -08:00
Ryan Richard
e312ac6c46
Merge pull request #1053 from vmware-tanzu/upgrade-controllergen
Regenerate code after updating controller-gen to v0.8.0
2022-03-08 12:56:11 -08:00
Ryan Richard
fffcb7f5b4 Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
- Two of the linters changed their names
- Updated code and nolint comments to make all linters pass with 1.44.2
- Added a new hack/install-linter.sh script to help developers install
  the expected version of the linter for local development
2022-03-08 12:28:09 -08:00
Ryan Richard
0ec5b31c40 Regenerate code after updating controller-gen to v0.8.0
- Note that v0.8.0 no longer supports the "trivialVersions=true"
  command-line option, so remove that from update-codegen.sh.
  It doesn't seem to impact the output (our generated CRD yaml files).
2022-03-08 11:27:05 -08:00
Mo Khan
93aaa9e509
Merge pull request #1050 from vmware-tanzu/dependabot/docker/golang-1.17.8
Bump golang from 1.17.7 to 1.17.8
2022-03-07 10:41:29 -05:00
dependabot[bot]
8182a233d1
Bump golang from 1.17.7 to 1.17.8
Bumps golang from 1.17.7 to 1.17.8.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-07 01:20:25 +00:00
Mo Khan
853cc753b8
Merge pull request #1024 from anjaltelang/main
Blog changes for Group refresh
2022-03-04 13:28:18 -05:00
Pinny
cdfb3b75cb Updated versions in docs for v0.15.0 release 2022-03-04 17:36:24 +00:00
Pinny
89e68489ea Updated versions in docs for v0.14.0 release 2022-03-03 21:57:36 +00:00
Mo Khan
eec5f0fa26
Fix v0.15.0 release link 2022-03-03 15:28:01 -05:00
Ryan Richard
7e8eba3244
Update 2022-01-18-idp-refresh-tls-ciphers-for-compliance.md 2022-03-03 12:23:42 -08:00
Margo Crawford
b987783c62
Merge pull request #1047 from vmware-tanzu/docs-k8s-codegen-version
Update docs to reference the latest k8s codegen version
2022-03-03 11:14:33 -08:00
Margo Crawford
b8bdfa1b9a Update docs to reference the latest k8s codegen version
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-03 10:36:42 -08:00
Mo Khan
6347d7c0e2
Merge pull request #1044 from vmware-tanzu/upgrade-crd-ref-docs
Regenerate reference docs and escape pipe characters
2022-03-03 13:04:09 -05:00
Anjali Telang
27f04e9ab9 Blog changes for Group refresh
Signed-off-by: Anjali Telang <atelang@vmware.com>
2022-03-03 12:49:01 -05:00
anjalitelang
ab4a66131b
Update ROADMAP.md
Updated roadmap for March
2022-03-03 11:51:24 -05:00
Margo Crawford
60d2b852ae Corresponds with making our CI use the head of the master branch of crd-ref-docs
This fixes #906

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 14:31:58 -08:00
Mo Khan
ec74158ebc
Merge pull request #1043 from vmware-tanzu/active-directory-group-change-warning
Add group change warning test for Active Directory
2022-03-02 15:43:59 -05:00
Margo Crawford
f6ad5d5c45 Add group change warning test for Active Directory
Also refactor some of the AD test helper functions

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 11:54:36 -08:00
Mo Khan
dd4394a0d6
Merge pull request #1042 from enj/enj/i/group_warn_typo
Fix typo in group removed warning
2022-03-02 14:41:22 -05:00
Monis Khan
eae55a8595
Fix typo in group removed warning
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 12:58:30 -05:00
Ryan Richard
541811a7a6
Merge pull request #1028 from jvanzyl/main
Minimal changes to allow an alternate deployment mechanism
2022-03-02 09:23:16 -08:00
Ryan Richard
0a63784ca2
Merge branch 'main' into main 2022-03-02 08:41:06 -08:00
Mo Khan
be2aee957c
Bump API docs to 1.23
Seems like this should be automated.
2022-03-02 09:04:41 -05:00
Margo Crawford
9a4a862808
Merge pull request #1039 from vmware-tanzu/group-change-warning
Group change warning
2022-03-01 14:38:35 -08:00
Margo Crawford
609b55a6d7 Pinniped Supervisor should issue a warning when groups change during refresh 2022-03-01 14:01:57 -08:00
Ryan Richard
d1f756c9ab
Merge pull request #1040 from vmware-tanzu/codegen-21-22-23
Add generated code for Kube 1.21, 1.22, and 1.23
2022-03-01 12:53:54 -08:00
Ryan Richard
58f790c1c6 generate code for 1.17-1.20 using Go 1.17 2022-03-01 10:39:58 -08:00
Ryan Richard
956d046cf0 Merge branch 'main' into codegen-21-22-23 2022-03-01 10:02:05 -08:00
Ryan Richard
bf7457db59 expose env var for debug level of codegen 2022-03-01 10:01:49 -08:00
Mo Khan
0c866a6f98
Merge pull request #1041 from enj/enj/i/bump_0004
Bump kube to v0.23.4, rest to latest
2022-03-01 12:25:30 -05:00
Monis Khan
8179a7e802
Bump kube to v0.23.4, rest to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-01 09:25:56 -05:00
Ryan Richard
f501c76acc Add generated code for Kube 1.21, 1.22, and 1.23
Also:
- Make our code generator script work with Go 1.17
- Make our update.sh script work on linux
- Update the patch versions of the old Kube versions that we were using
  to generate code (see kube-versions.txt)
- Use our container images from ghcr instead of
  projects.registry.vmware.com for codegen purposes
- Make it easier to debug in the future by passing "-v" to the Kube
  codegen scripts
- Updated copyright years to make commit checks pass
2022-02-28 17:58:48 -08:00
Mo Khan
04c6b3331b
Merge pull request #1031 from vmware-tanzu/tolerate-control-plane
Add toleration for new "control-plane" node label for Concierge deploy
2022-02-26 12:56:14 -05:00
Jason van Zyl
0ea10c77c7 Consolidate declaration of variables 2022-02-25 11:26:53 -05:00
Jason van Zyl
782157e1df Remove debug output 2022-02-25 06:25:20 -05:00
Jason van Zyl
1e3f3555a4 Add line in help output for --alternate-deploy 2022-02-25 06:22:25 -05:00
Ryan Richard
8dc4a890ed
Merge branch 'main' into tolerate-control-plane 2022-02-24 10:12:31 -08:00
Mo Khan
619b8c19ad
Merge pull request #1032 from vmware-tanzu/increase-e2e-timeout
Increase a test timeout to account for slower test on EKS in CI
2022-02-23 11:36:39 -05:00
Ryan Richard
e1e3342b3d Increase a test timeout to account for slower test on EKS in CI
The test takes longer on EKS because it has to wait about 2 minutes for
the EKS load balancer to be ready during the test.
2022-02-22 11:46:15 -08:00
Ryan Richard
0651b9a912 Add toleration for new "control-plane" node label for Concierge deploy 2022-02-22 11:24:26 -08:00
Jason van Zyl
6491742c3a Minimal changes to allow an alternate deployment mechanism
The purpose of this change is to allow Helm to be used to deploy Pinniped
into the local KinD cluster for the local integration tests. That said,
the change allows any alternate deployment mechanism, I just happen
to be using it with Helm.

All default behavior is preserved. This won't change how anyone uses the
script today, it just allows me not to copy/paste the whole setup for the
integration tests.

Changes:

1) An option called `--alternate-deploy <path-to-deploy-script>` has been
added, that when enabled calls the specified script instead of using ytt
and kapp. The alternate deploy script is called with the app to deploy
and the tag of the docker image to use. We set the default value of
the alternate_deploy variable to undefined, and there is a check that
tests if the alternate deploy is defined. For the superivsor it looks
like this:

```
if [ "$alternate_deploy" != "undefined" ]; then
  log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag..."
  $alternate_deploy pinniped-supervisor $tag
else
  normal ytt/kapp deploy
fi
```

2) Additional log_note entries have been added to enumerate all values passed
into the ytt/kapp deploy. Used while I was trying to reach parity in the integration
tests, but I think they are useful for debugging.

3) The manifests produced by ytt and written to /tmp are now named individually.
This is so an easy comparison can be made between manifests produced by a ytt/kapp
run of integration tests and manifests produced by helm run of the integration tests.
If something is not working I have been comparing the manifests after these runs to
find differences.
2022-02-20 10:15:29 -05:00
Margo Crawford
339bb84765
Merge pull request #982 from vmware-tanzu/upstream-ldap-group-refresh-skip
Only run group refresh when the skipGroupRefresh boolean isn't set
2022-02-17 13:59:07 -08:00
Margo Crawford
b9582f864e Update comment for skipGroupRefresh 2022-02-17 12:50:28 -08:00
Margo Crawford
e2c6dcd6e6 Add integration test 2022-02-17 12:50:28 -08:00
Margo Crawford
fdac4d16f0 Only run group refresh when the skipGroupRefresh boolean isn't set
for AD and LDAP
2022-02-17 12:50:28 -08:00
Ryan Richard
67085e9dbb
Merge pull request #973 from vmware-tanzu/proposal_process
Introduce a proposal process in the governance doc
2022-02-17 12:49:23 -08:00
Ryan Richard
dec89b5378
Merge branch 'main' into proposal_process 2022-02-17 12:48:58 -08:00
Margo Crawford
c7aaa69b4b
Merge pull request #975 from vmware-tanzu/upstream-ldap-group-refresh
Inline upstream ldap group refresh
2022-02-17 12:47:22 -08:00
Margo Crawford
662f2cef9c Integration test for updating group search base
Also a small change to a comment
2022-02-17 11:29:59 -08:00
Margo Crawford
ca523b1f20 Always update groups even if it's nil
Also de-dup groups and various small formatting changes
2022-02-17 11:29:59 -08:00
Margo Crawford
c28602f275 Add unit tests for group parsing overrides 2022-02-17 11:29:59 -08:00
Margo Crawford
dd11c02b6a Add back entries because I think it's actually necessary 2022-02-17 11:29:59 -08:00
Margo Crawford
f890fad90c Rename a function, sort strings inside searchGroupsForUserDN 2022-02-17 11:29:59 -08:00
Margo Crawford
cd7538861a Add integration test where we don't get groups back 2022-02-17 11:29:59 -08:00
Margo Crawford
013b521838 Upstream ldap group refresh:
- Doing it inline on the refresh request
2022-02-17 11:29:59 -08:00
Ryan Richard
9526009f74
Fix spelling typo in proposals/README.md
Co-authored-by: Mo Khan <i@monis.app>
2022-02-17 10:59:23 -08:00
Ryan Richard
2f7713889a Remove an unnecessary step from the proposal lifecycle 2022-02-17 10:56:13 -08:00
Ryan Richard
60cc61cdaa Add the concept of a tracking issue to the proposal process 2022-02-17 10:42:10 -08:00
Ryan Richard
bc6827b2e1 Auto-format GOVERNANCE.md 2022-02-17 10:08:37 -08:00
Ryan Richard
9dbf7d6bf5 Merge branch 'main' into proposal_process 2022-02-17 10:07:37 -08:00
Ryan Richard
46dd73de70
Merge pull request #1006 from vmware-tanzu/fix_int_test_macos
Fix int test that was failing on MacOS, and some small doc changes
2022-02-16 12:56:30 -08:00
Ryan Richard
9a6136761d Merge branch 'main' into fix_int_test_macos 2022-02-16 12:01:47 -08:00
Ryan Richard
eaa3e9f612
Merge pull request #1013 from vmware-tanzu/cli_require_https_issuers
CLI requires HTTPS OIDC issuer, authorize, and token URLS
2022-02-16 11:22:26 -08:00
Ryan Richard
c09daa8513 Merge branch 'main' into fix_int_test_macos 2022-02-16 11:09:11 -08:00
Ryan Richard
e5a60a8c84 Update a comment 2022-02-16 11:09:05 -08:00
Ryan Richard
79467318f4 CLI requires HTTPS OIDC issuer, authorize, and token URLS 2022-02-16 10:41:51 -08:00
Mo Khan
cc50fc980c
Merge pull request #1009 from enj/enj/i/chrome_beta_build_5
Enforce naming convention for browser based tests
2022-02-16 11:21:27 -05:00
Monis Khan
b8202d89d9
Enforce naming convention for browser based tests
This allows us to target browser based tests with the regex:

go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'

New tests that call browsertest.Open will automatically be forced to
follow this convention.

Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 09:20:28 -05:00
Ryan Richard
f1f42052fb Merge branch 'main' into fix_int_test_macos 2022-02-15 16:45:59 -08:00
Ryan Richard
3f4e6cf367 Fix a typo in CONTRIBUTING.md from a recent commit: comma in wrong place 2022-02-15 16:45:49 -08:00
Ryan Richard
1aa17bd84d Check for darwin before relaxing stderr vs stdout assertion in e2e test 2022-02-15 13:45:04 -08:00
Mo Khan
c4ae5cfebb
Merge pull request #1003 from enj/enj/d/dex_password
Update dex docs regarding password grant
2022-02-15 15:45:54 -05:00
Ryan Richard
b0c36c6633 Fix int test that was failing on MacOS, and some small doc changes 2022-02-15 11:19:49 -08:00
Ryan Richard
461c0ae56c Merge branch 'main' into proposal_process 2022-02-15 10:15:46 -08:00
Ryan Richard
42db13d044 Move the proposal process doc to the proposals directory's README.md 2022-02-15 10:14:59 -08:00
Ryan Richard
82cdc870a6
Merge pull request #996 from vmware-tanzu/gke_tutorial
Replace old tutorial with a new Supervisor + Concierge tutorial which uses GKE to demonstrate both
2022-02-15 09:37:29 -08:00
Ryan Richard
0175445ece Merge branch 'main' into gke_tutorial 2022-02-15 09:22:52 -08:00
Ryan Richard
f728ea743f Add --ignore-not-found to delete Supervisor app command 2022-02-15 09:04:47 -08:00
Ryan Richard
230e563ab7 Another draft of the new tutorial guide 2022-02-14 17:23:57 -08:00
Ryan Richard
26dcbd9ec1 Try using ``markdown instead of ``md for coloring 2022-02-14 13:45:30 -08:00
Monis Khan
a21a5bca1e
Update dex docs regarding password grant
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-13 12:48:20 -05:00
Ryan Richard
05ec8cba8c Add a new subheading to the tutorial doc 2022-02-11 17:16:40 -08:00
Ryan Richard
e57a1a7891 Overwrite the old Supervisor+Concierge tutorial with the new one
And make it easier for web site readers to find by adding prominent
links to it from several places.
2022-02-11 17:03:13 -08:00
Mo Khan
11d9b4f21a
Merge pull request #999 from vmware-tanzu/dependabot/docker/golang-1.17.7
Bump golang from 1.17.6 to 1.17.7
2022-02-10 21:55:27 -05:00
dependabot[bot]
93e4d5d956
Bump golang from 1.17.6 to 1.17.7
Bumps golang from 1.17.6 to 1.17.7.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-11 01:13:54 +00:00
Mo Khan
390af8f476
Merge pull request #997 from enj/enj/i/bump_0003
Bump Kube to v0.23.3 and rest to latest
2022-02-10 18:19:54 -05:00
Monis Khan
49e88dd74a
Change some single quotes to double quotes in minified JS
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
Monis Khan
4be2dd3b2a
Bump Kube to v0.23.3 and rest to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-10 16:15:26 -05:00
Mo Khan
2c0b5b733b
Bump site latest_version to v0.14.0 2022-02-10 16:13:39 -05:00
Ryan Richard
c56ef5c40c First draft of a Supervisor on GKE + Concierge on GKE tutorial
Including ingress, DNS, cert-manager + letsencrypt for TLS certs,
Okta, multiple workload clusters, etc.
2022-02-09 17:13:40 -08:00
Mo Khan
e1080e1225
Allow dependabot to open more pull requests 2022-02-09 16:15:57 -05:00
Mo Khan
59be3008fd
Merge pull request #985 from microwavables/update-docs
updated search functionality of docs on site
2022-02-09 12:01:59 -05:00
Nanci Lancaster
d728c89ba6
updated search functionality of docs on site
Signed-off-by: Nanci Lancaster <nancil@vmware.com>
2022-02-09 11:01:37 -05:00
Mo Khan
863aadd9ea
Merge pull request #989 from vmware-tanzu/chrome_cors2
Followup for CORS request handling to CLI's localhost listener
2022-02-09 10:27:00 -05:00
Ryan Richard
5d79d4b9dc Fix form_post.js mistake from recent commit; Better CORS on callback 2022-02-08 17:30:48 -08:00
Ryan Richard
f6f188565b
Merge pull request #987 from vmware-tanzu/chrome_cors
Add CORS request handling to CLI's localhost listener
2022-02-08 14:31:45 -08:00
Mo Khan
29368e8242
Make the linter happy 2022-02-08 16:31:04 -05:00
Ryan Richard
cd825c5e51 Use "-v6" for kubectl for an e2e test so we can get more failure output 2022-02-08 13:00:49 -08:00
Mo Khan
874b567974
Merge pull request #988 from enj/enj/t/e2e_hung
e2e_test: handle hung go routines and readers
2022-02-08 12:57:54 -05:00
Monis Khan
8ee461ae8a
e2e_test: handle hung go routines and readers
Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-08 11:40:10 -05:00
Mo Khan
1388183bf1
TestE2EFullIntegration: reduce timeout
This causes the test to timeout before concourse terminates the entire test run.
2022-02-07 20:53:03 -05:00
Ryan Richard
f1962ccf86 Merge branch 'main' into chrome_cors 2022-02-07 16:35:44 -08:00
Ryan Richard
0431a072ae Remove an unnecessary nolint comment 2022-02-07 16:26:39 -08:00
Ryan Richard
6781bfd7d8 Fix JS bug: form post UI shows manual copy/paste UI upon failed callback
When the POST to the CLI's localhost callback endpoint results in a
non-2XX status code, then treat that as a failed login attempt and
automatically show the manual copy/paste UI.
2022-02-07 16:21:23 -08:00
Ryan Richard
aa56f174db Capture and print the full kubectl output in an e2e test upon failure 2022-02-07 16:17:38 -08:00
Ryan Richard
3c7e387137 Keep the CLI localhost listener running after requests with wrong verb
Just in case some future browser change sends some new kind of request
to our CLI, just ignore them by returning StatusMethodNotAllowed and
continuing to listen.
2022-02-07 13:32:31 -08:00
Ryan Richard
2b93fdf357 Fix a bug in the e2e tests
When the test was going to fail, a goroutine would accidentally block
on writing to an unbuffered channel, and the spawnTestGoroutine helper
would wait for that goroutine to end on cleanup, causing the test to
hang forever while it was trying to fail.
2022-02-07 11:57:54 -08:00
Ryan Richard
7b97f1533e Add CORS request handling to CLI's localhost listener
This is to support the new changes in Google Chrome v98 which now
performs CORS preflight requests for the Javascript form submission
on the Supervisor's login page, even though the form is being submitted
to a localhost listener.
2022-02-04 16:57:37 -08:00
anjalitelang
7c246784dc
Update ROADMAP.md
Updated roadmap to reflect changes planned for v0.14 release and beyond.
2022-02-03 08:57:47 -05:00
anjalitelang
0dd3b40694
Update ROADMAP.md 2022-01-31 12:13:18 -05:00
Ryan Richard
a2a05548f9 More updates to draft proposal process based on feedback 2022-01-27 14:56:10 -08:00
Ryan Richard
d4725423a9 More updates to draft proposal process based on feedback 2022-01-27 14:51:52 -08:00
Ryan Richard
e9e56689cf Update draft proposal process based on feedback 2022-01-25 11:22:19 -08:00
Ryan Richard
31bd50c011 first draft of proposal process 2022-01-24 15:17:09 -08:00
Margo Crawford
3b1153cd91 Update latest version to v0.13.0 2022-01-21 15:19:40 -08:00
anjalitelang
6590230bcd
Merge pull request #954 from anjaltelang/main
Blog for v0.13.0
2022-01-21 15:17:18 -08:00
Pinny
4f06cd3c2e Update CLI docs for v0.13.0 release 2022-01-21 23:12:12 +00:00
Margo Crawford
dea9bf9b90
Merge pull request #970 from vmware-tanzu/kubectl-apply-resources
When instructing users how to install the concierge with kubectl apply,
2022-01-21 13:36:52 -08:00
Margo Crawford
726e88ea03 When instructing users how to install the concierge with kubectl apply,
reccommend using install-pinniped-concierge-crds.yaml, then
install-pinniped-concierge-resources.yaml.

Previously we recommended install-pinniped-concierge-crds (a subset),
then install-pinniped-concierge (everything concierge related, including
the crds). This works fine for install, but not uninstall. Instead we
should use a separate yaml file that contains everything in
install-pinniped-concierge but *not* in install-pinniped-concierge-crds.

We have been generating this file in CI since a5ced4286b6febc7474b7adee34eeb1b62ec82b7
but we haven't released since then so we haven't been able to recommend
its use.
2022-01-21 10:26:45 -08:00
Margo Crawford
70c99c6d44
Merge pull request #969 from vmware-tanzu/request-offline-access-in-docs
Request offline_access in the concierge with supervisor demo
2022-01-21 10:24:04 -08:00
Margo Crawford
62a8967db1 Request offline_access in the concierge with supervisor demo
It's a generic config and not OIDC provider specific
but since most providers require it it seems like the
best default.
2022-01-21 09:58:04 -08:00
Mo Khan
3fc73c21d2
Merge pull request #968 from enj/enj/i/bump_0002
Bump to Kube v0.23.2
2022-01-21 12:16:49 -05:00
Monis Khan
d55ae3f8bb
Bump all deps to latest
Signed-off-by: Monis Khan <mok@vmware.com>
2022-01-21 11:25:56 -05:00
Ryan Richard
c8d4b73f94
Merge pull request #967 from vmware-tanzu/refresh-token-test-warnings
Fix new refresh token grace period test to have warnings
2022-01-21 04:20:46 -08:00
Margo Crawford
b30dad72ed Fix new refresh token grace period test to have warnings 2022-01-20 14:54:59 -08:00
Margo Crawford
31cdd808ac
Merge pull request #951 from vmware-tanzu/short-session-warning
Supervisor should emit a warning when access token lifetime is too short
2022-01-20 14:44:32 -08:00
Ryan Richard
e85a6c09f6
Merge pull request #953 from vmware-tanzu/dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
2022-01-20 14:16:05 -08:00
Mo Khan
025ef6311b
Merge pull request #943 from vmware-tanzu/dependabot/go_modules/github.com/ory/fosite-0.42.0
Bump github.com/ory/fosite from 0.41.0 to 0.42.0
2022-01-20 17:03:52 -05:00
Margo Crawford
842ef38868 Ensure warning is on stderr and not stdout. 2022-01-20 13:48:50 -08:00
Margo Crawford
acd23c4c37 Separate test for access token refresh 2022-01-20 13:48:50 -08:00
Margo Crawford
38d184fe81 Integration test + making sure we get the session correctly in token handler 2022-01-20 13:48:50 -08:00
Margo Crawford
b0ea7063c7 Supervisor should emit a warning when access token lifetime is too short 2022-01-20 13:48:50 -08:00
Ryan Richard
fe819e3512 Empty commit to trigger CI 2022-01-20 13:37:15 -08:00
Ryan Richard
42ca31055a Empty commit to trigger CI 2022-01-20 13:25:29 -08:00
Ryan Richard
652797ba0b
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29 2022-01-20 12:23:02 -08:00
Ryan Richard
89c40259f3 Use latest github.com/ory/x v0.0.336 2022-01-20 12:21:19 -08:00
Ryan Richard
520fcf195a Merge branch 'main' into dependabot/go_modules/github.com/ory/fosite-0.42.0 2022-01-20 12:16:54 -08:00
Ryan Richard
db789dc2bf
Merge branch 'main' into dependabot/go_modules/github.com/tdewolff/minify/v2-2.9.29 2022-01-20 12:10:24 -08:00
Ryan Richard
6ddc953989
Merge branch 'main' into dependabot/go_modules/github.com/ory/fosite-0.42.0 2022-01-20 12:10:01 -08:00
Ryan Richard
dff53b8144 Changes for Fosite's new RevokeRefreshTokenMaybeGracePeriod() interface
Fosite v0.42.0 introduced a new RevokeRefreshTokenMaybeGracePeriod()
interface function. Updated our code to support this change. We didn't
support grace periods on refresh tokens before, so implemented it by
making the new RevokeRefreshTokenMaybeGracePeriod() method just call
the old RevokeRefreshToken() method, therefore keeping our old behavior.
2022-01-19 13:57:01 -08:00
Ryan Richard
3b1cc30e8d Update unit test to match new JS minify output after minify upgrade 2022-01-19 13:29:07 -08:00
dependabot[bot]
4ce2f9db50
Bump github.com/tdewolff/minify/v2 from 2.9.26 to 2.9.29
Bumps [github.com/tdewolff/minify/v2](https://github.com/tdewolff/minify) from 2.9.26 to 2.9.29.
- [Release notes](https://github.com/tdewolff/minify/releases)
- [Commits](https://github.com/tdewolff/minify/compare/v2.9.26...v2.9.29)

---
updated-dependencies:
- dependency-name: github.com/tdewolff/minify/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-19 01:05:43 +00:00
dependabot[bot]
b2bdf01152
Bump github.com/ory/fosite from 0.41.0 to 0.42.0
Bumps [github.com/ory/fosite](https://github.com/ory/fosite) from 0.41.0 to 0.42.0.
- [Release notes](https://github.com/ory/fosite/releases)
- [Changelog](https://github.com/ory/fosite/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ory/fosite/compare/v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: github.com/ory/fosite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-18 23:53:34 +00:00
2842 changed files with 359504 additions and 77206 deletions

View File

@ -21,3 +21,6 @@
# MacOS Desktop Services Store
.DS_Store
# Hugo temp file
.hugo_build.lock

19
.drone.yml Normal file
View File

@ -0,0 +1,19 @@
kind: pipeline
type: kubernetes
name: Container
steps:
- name: build & publish
image: spritsail/docker-build
context: .
settings:
repo: bv11-cr01.bessems.eu/library/pinniped-server
registry: bv11-cr01.bessems.eu
tags: latest
build_args:
- BUILDPLATFORM=linux/amd64
mtu: 1450
username:
from_secret: harbor_username
password:
from_secret: harbor_password

1
.gitattributes vendored
View File

@ -1,2 +1,3 @@
*.go.tmpl linguist-language=Go
hack/Dockerfile_fips linguist-language=Dockerfile
generated/** linguist-generated

View File

@ -1,35 +0,0 @@
---
name: Feature proposal
about: Suggest a way to improve this project
title: ''
labels: ''
assignees: ''
---
<!--
Hey! Thanks for opening an issue!
It is recommended that you include screenshots and logs to help everyone achieve a shared understanding of the improvement.
-->
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Are you considering submitting a PR for this feature?**
- **How will this project improvement be tested?**
- **How does this change the current architecture?**
- **How will this change be backwards compatible?**
- **How will this feature be documented?**
**Additional context**
Add any other context or screenshots about the feature request here.

View File

@ -0,0 +1,39 @@
---
name: Feature request
about: Suggest a way to improve this project
title: ''
labels: ''
assignees: ''
---
<!--
Hey! Thanks for opening an issue!
It is recommended that you include screenshots and logs to help everyone achieve a shared understanding of the improvement.
-->
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Are you considering submitting a PR for this feature?**
- **How will this project improvement be tested?**
- **How does this change the current architecture?**
- **How will this change be backwards compatible?**
- **How will this feature be documented?**
**Additional context**
Add any other context or screenshots about the feature request here.

View File

@ -0,0 +1,34 @@
---
name: Proposal tracking
about: A tracking issue for a proposal document
title: '[Proposal] Your proposal title'
labels: 'proposal-tracking'
assignees: ''
---
<!--
Hey! Thanks for opening an issue!
This type of issue should only be opened if you intend to create a
formal proposal document. Please refer to the proposal process in
[proposals/README.md](proposals/README.md).
Please title this issue starting with `[Proposal]` followed by a
title for what you are going to propose. For example:
`[Proposal] Lunar landing module authentication via Pinniped`.
-->
### Proposal Tracking Issue
- Proposal: <!-- this starts empty, then please update to link to proposal PR, then also link to proposal doc file after it is merged -->
- Discussion Links: <!-- link to any mailing list threads, Slack conversations, community meetings, or other places where the proposal was discussed, if any -->
- <!-- A -->
- <!-- B -->
- Pull requests: <!-- link to all PRs related to this proposal such as updates to the proposal doc, implementation PRs, etc. - keep this list up to date -->
- <!-- #123: briefly describe this PR -->
- <!-- #456: briefly describe this PR -->

View File

@ -3,11 +3,23 @@
version: 2
updates:
- package-ecosystem: "gomod"
open-pull-requests-limit: 100
directory: "/"
schedule:
interval: "daily"
- package-ecosystem: "gomod"
open-pull-requests-limit: 2
directory: "/hack/update-go-mod"
schedule:
interval: "daily"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"
- package-ecosystem: "docker"
directory: "/hack" # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
schedule:
interval: "daily"

View File

@ -1,18 +1,23 @@
# See https://codeql.github.com and https://github.com/github/codeql-action
# This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a
# repository's source code to find security vulnerabilities. It then automatically uploads the
# results to GitHub so they can be displayed in the repository's security tab.
name: "CodeQL"
on:
push:
branches: [ main, release* ]
branches: [ "main", release* ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main, release* ]
branches: [ "main" ]
schedule:
- cron: '39 13 * * 2'
- cron: '24 3 * * 3'
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
@ -25,33 +30,35 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
uses: github/codeql-action/autobuild@v2
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
#- run: |
# make bootstrap
# make release
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"

3
.gitignore vendored
View File

@ -19,3 +19,6 @@
# MacOS Desktop Services Store
.DS_Store
# Hugo temp file
.hugo_build.lock

View File

@ -8,16 +8,13 @@ linters:
disable-all: true
enable:
# default linters
- deadcode
- errcheck
- gosimple
- govet
- ineffassign
- staticcheck
- structcheck
- typecheck
- unused
- varcheck
# additional linters for this project (we should disable these if they get annoying).
- asciicheck
@ -34,7 +31,7 @@ linters:
- godot
- goheader
- goimports
- golint
- revive
- goprintffuncname
- gosec
- misspell
@ -44,7 +41,7 @@ linters:
- nolintlint
- prealloc
- rowserrcheck
- scopelint
- exportloopref
- sqlclosecheck
- unconvert
- whitespace

View File

@ -2,7 +2,7 @@
# On macOS, try `brew install pre-commit` and then run `pre-commit install`.
exclude: '^(site|generated)/'
repos:
- repo: git://github.com/pre-commit/pre-commit-hooks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
hooks:
# TODO: find a version of this to validate ytt templates?
@ -11,6 +11,7 @@ repos:
- id: check-json
- id: end-of-file-fixer
- id: trailing-whitespace
exclude: 'securetls*' # prevent the linter from running in this file because it's not smart enough not to trim the nmap test output.
- id: check-merge-conflict
- id: check-added-large-files
- id: check-byte-order-marker

View File

@ -1,5 +1,8 @@
# Contributing to Pinniped
Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring
great software to the community.
Contributions to Pinniped are welcome. Here are some things to help you get started.
## Code of Conduct
@ -14,24 +17,13 @@ See [SCOPE.md](./SCOPE.md) for some guidelines about what we consider in and out
The near-term and mid-term roadmap for the work planned for the project [maintainers](MAINTAINERS.md) is documented in [ROADMAP.md](ROADMAP.md).
## Community Meetings
Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great
software to the community. Please join us during our online community meetings,
occurring every first and third Thursday of the month at 9 AM PT / 12 PM ET.
Use [this Zoom Link](https://go.pinniped.dev/community/zoom)
to attend and add any agenda items you wish to discuss
to [the notes document](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view).
Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.
If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
## Discussion
Got a question, comment, or idea? Please don't hesitate to reach out
via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://go.pinniped.dev/community/slack).
Join our [Google Group](https://go.pinniped.dev/community/group) to receive updates and meeting invitations.
## Issues
@ -72,23 +64,38 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
## CLA
We welcome contributions from everyone but we can only accept them if you sign
We welcome contributions from everyone, but we can only accept them if you sign
our Contributor License Agreement (CLA). If you would like to contribute and you
have not signed it, our CLA-bot will walk you through the process when you open
a Pull Request. For questions about the CLA process, see the
[FAQ](https://cla.vmware.com/faq) or submit a question through the GitHub issue
tracker.
## Learning about Pinniped
New to Pinniped?
- Start here to learn how to install and use Pinniped: [Learn to use Pinniped for federated authentication to Kubernetes clusters](https://pinniped.dev/docs/tutorials/concierge-and-supervisor-demo/)
- Start here to learn how to navigate the source code: [Code Walk-through](https://pinniped.dev/docs/reference/code-walkthrough/)
- Other more detailed documentation can be found at: [Pinniped Docs](https://pinniped.dev/docs/)
## Building
The [Dockerfile](Dockerfile) at the root of the repo can be used to build and
package the code. After making a change to the code, rebuild the docker image with the following command.
package the server-side code. After making a change to the code, rebuild the
docker image with the following command.
```bash
# From the root directory of the repo...
docker build .
```
The Pinniped CLI client can be built for local use with the following command.
```bash
# From the root directory of the repo...
go build -o pinniped ./cmd/pinniped
```
## Testing
### Running Lint
@ -107,7 +114,6 @@ docker build .
1. Install dependencies:
- [`chromedriver`](https://chromedriver.chromium.org/) (and [Chrome](https://www.google.com/chrome/))
- [`docker`](https://www.docker.com/)
- `htpasswd` (installed by default on MacOS, usually found in `apache2-utils` package for linux)
- [`kapp`](https://carvel.dev/#getting-started)
@ -115,14 +121,16 @@ docker build .
- [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
- [`ytt`](https://carvel.dev/#getting-started)
- [`nmap`](https://nmap.org/download.html)
- [`openssl`](https://www.openssl.org) (installed by default on MacOS)
- [Chrome](https://www.google.com/chrome/)
On macOS, these tools can be installed with [Homebrew](https://brew.sh/) (assuming you have Chrome installed already):
```bash
brew install kind k14s/tap/ytt k14s/tap/kapp kubectl chromedriver nmap && brew cask install docker
brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl nmap && brew cask install docker
```
1. Create a kind cluster, compile, create container images, and install Pinniped and supporting dependencies using:
1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:
```bash
./hack/prepare-for-integration-tests.sh
@ -131,9 +139,14 @@ docker build .
1. Run the Pinniped integration tests:
```bash
source /tmp/integration-test-env && go test -v -count 1 -timeout 0 ./test/integration
ulimit -n 512 && source /tmp/integration-test-env && go test -v -count 1 -timeout 0 ./test/integration
```
To run specific integration tests, add the `-run` flag to the above command to specify a regexp for the test names.
Use a leading `/` on the regexp because the Pinniped integration tests are automatically nested under several parent tests
(see [integration/main_test.go](https://github.com/vmware-tanzu/pinniped/blob/main/test/integration/main_test.go)).
For example, to run an integration test called `TestE2E`, add `-run /TestE2E` to the command shown above.
1. After making production code changes, recompile, redeploy, and run tests again by repeating the same
commands described above. If there are only test code changes, then simply run the tests again.

View File

@ -1,22 +1,31 @@
# syntax = docker/dockerfile:1.0-experimental
# syntax=docker/dockerfile:1
# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
FROM golang:1.17.6 as build-env
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
FROM --platform=linux/amd64 golang:1.21.3 as build-env
WORKDIR /work
COPY . .
ARG GOPROXY
# Build the executable binary (CGO_ENABLED=0 means static linking)
# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
# can be re-used between image builds.
ARG KUBE_GIT_VERSION
ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
# These will be set by buildkit automatically, e.g. TARGETOS set to "linux" and TARGETARCH set to "amd64" or "arm64".
# Useful for building multi-arch container images.
ARG TARGETOS
ARG TARGETARCH
# Build the statically linked (CGO_ENABLED=0) binary.
# Mount source, build cache, and module cache for performance reasons.
# See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
RUN \
--mount=target=. \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
mkdir out && \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
@ -24,13 +33,16 @@ RUN \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
# Use a distroless runtime image with CA certificates, timezone data, and not much else.
FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99
# Note that we are not using --platform here, so it will choose the base image for the target platform, not the build platform.
# By using "distroless/static" instead of "distroless/static-debianXX" we can float on the latest stable version of debian.
# See https://github.com/GoogleContainerTools/distroless#base-operating-system
FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
# Copy the server binary from the build-env stage.
COPY --from=build-env /usr/local/bin /usr/local/bin
# Document the default server ports for the various server apps
EXPOSE 8080 8443 8444 10250
EXPOSE 8443 8444 10250
# Run as non-root for security posture
# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9

View File

@ -4,48 +4,65 @@ This document defines the project governance for Pinniped.
# Overview
**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on building authentication services for Kubernetes clusters. The
community is governed by this document which defines how all members should work together to achieve this goal.
**Pinniped** is committed to building an open, inclusive, productive and self-governing open source community focused on
building authentication services for Kubernetes clusters. The community is governed by this document which defines how
all members should work together to achieve this goal.
# Code of Conduct
The Pinniped community abides by this [code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
The Pinniped community abides by this
[code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
# Community Roles
* **Users:** Members that engage with the Pinniped community via any medium (Slack, GitHub, mailing lists, etc.).
* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues, participating in proposal discussions, contributing code, etc.).
* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs and responsible for Pinniped releases.
* **Contributors:** Do regular contributions to the Pinniped project (documentation, code reviews, responding to issues,
participating in proposal discussions, contributing code, etc.).
* **Maintainers:** Responsible for the overall health and direction of the project. They are the final reviewers of PRs
and responsible for Pinniped releases.
# Maintainers
New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by notifying one of the maintainers.
**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
New maintainers must be nominated by an existing maintainer and must be elected by a supermajority of existing
maintainers. Likewise, maintainers can be removed by a supermajority of the existing maintainers or can resign by
notifying one of the maintainers.
---
# Supermajority
A supermajority is defined as two-thirds of members in the group. A supermajority of Maintainers is required for certain decisions as outlined above. A supermajority vote is equivalent to the number of votes in favor of being at least twice the number of votes against. For example, if you have 5 maintainers, a supermajority vote is 4 votes. Voting on decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met. An abstain vote equals not voting at all.
**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they
voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the
company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
---
# Decision Making
Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless otherwise specified in this document, any vote will be decided by a supermajority of maintainers.
---
# Proposal Process
The proposal process is currently being worked on. No formal process is available at this time. You may reach out to the maintainers in the Kubernetes Slack Workspace within the [#pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) channel or on the [Pinniped mailing list](project-pinniped@googlegroups.com) with any questions you may have or to send us your proposals.
Ideally, all project decisions are resolved by consensus. If impossible, any maintainer may call a vote. Unless
otherwise specified in this document, any vote will be decided by a supermajority of maintainers.
---
# Lazy Consensus
To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is practiced. Ideas and / or proposals should be shared by maintainers via GitHub. Out of respect for other contributors, major changes should also be accompanied by a ping on the Kubernetes Slack in [#Pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) or a note on the [Pinniped mailing list](project-pinniped@googlegroups.com) as appropriate. Author(s) of proposals for major changes will give a time period of no less than five (5) working days for comment and remain cognizant of popular observed world holidays.
## Supermajority
**What constitutes the need for a proposal?**
If there is significant risk with a potential feature or track of work (such as complexity, cost to implement, product viability, etc.), then we recommend creating a proposal for feedback and approval. If a potential feature is well understood and doesn't impose risk, then we recommend a **standard GitHub issue** to clarify the details.
A supermajority is defined as two-thirds of members in the group. A supermajority of maintainers is required for certain
decisions as outlined in this document. A supermajority vote is equivalent to the number of votes in favor being at
least twice the number of votes against. A vote to abstain equals not voting at all. For example, if you have 5
maintainers who all cast non-abstaining votes, then a supermajority vote is at least 4 votes in favor. Voting on
decisions can happen on the mailing list, GitHub, Slack, email, or via a voting service, when appropriate. Maintainers
can either vote "agree, yes, +1", "disagree, no, -1", or "abstain". A vote passes when supermajority is met.
Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by a guarantee to review and respond to the relevant action in short order.
## Lazy Consensus
To maintain velocity in Pinniped, the concept of [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) is
practiced.
Other maintainers may chime in and request additional time for review, but should remain cognizant of blocking progress
and abstain from delaying progress unless absolutely needed. The expectation is that blocking progress is accompanied by
a guarantee to review and respond to the relevant action in short order.
Lazy consensus does not apply to the process of:
* Removal of maintainers from Pinniped
---
# Updating Governance
All substantive changes in Governance require a supermajority agreement by all maintainers.
## Updating Governance
All substantive changes in Governance, including substantive changes to the proposal process, require a supermajority
agreement by all maintainers.
# Proposal Process
The proposal process is defined in [proposals/README.md](proposals/README.md).

View File

@ -1,24 +1,18 @@
# Pinniped Maintainers
This is the current list of maintainers for the Pinniped project.
# Current Pinniped Maintainers
| Maintainer | GitHub ID | Affiliation |
| --------------- | --------- | ----------- |
| Margo Crawford | [margocrawf](https://github.com/margocrawf) | [VMware](https://www.github.com/vmware/) |
| Mo Khan | [enj](https://github.com/enj) | [VMware](https://www.github.com/vmware/) |
| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) | [VMware](https://www.github.com/vmware/) |
|-----------------|-----------------------------------------------------------|------------------------------------------|
| Ben Petersen | [benjaminapetersen](https://github.com/benjaminapetersen) | [VMware](https://www.github.com/vmware/) |
| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
| Joshua T. Casey | [joshuatcasey](https://github.com/joshuatcasey) | [VMware](https://www.github.com/vmware/) |
## Emeritus Maintainers
* Andrew Keesler, [ankeesler](https://github.com/ankeesler)
* Pablo Schuhmacher, [pabloschuhmacher](https://github.com/pabloschuhmacher)
* Matt Moyer, [mattmoyer](https://github.com/mattmoyer)
## Pinniped Contributors & Stakeholders
| Feature Area | Lead |
| ----------------------------- | :---------------------: |
| Technical Lead | Mo Khan (enj) |
| Product Management | Anjali Telang (anjaltelang) |
| Community Management | Nanci Lancaster (microwavables) |
| Maintainer | GitHub ID |
|-------------------|---------------------------------------------------------|
| Andrew Keesler | [ankeesler](https://github.com/ankeesler) |
| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) |
| Margo Crawford | [margocrawf](https://github.com/margocrawf) |
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) |
| Mo Khan | [enj](https://github.com/enj) |
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) |

View File

@ -21,29 +21,19 @@ Care to kick the tires? It's easy to [install and try Pinniped](https://pinniped
Got a question, comment, or idea? Please don't hesitate to reach out
via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA).
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://go.pinniped.dev/community/slack).
Join our [Google Group](https://go.pinniped.dev/community/group) to receive updates and meeting invitations.
## Contributions
Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring
great software to the community.
Want to get involved? Contributions are welcome.
Please see the [contributing guide](CONTRIBUTING.md) for more information about reporting bugs, requesting features,
building and testing the code, submitting PRs, and other contributor topics.
## Community meetings
Pinniped is better because of our contributors and [maintainers](MAINTAINERS.md). It is because of you that we can bring great
software to the community. Please join us during our online community meetings, occurring every first and third
Thursday of the month at 9 AM PT / 12 PM ET.
**Note:** Community meetings are currently paused until early 2022 as we wind down 2021!
Use [this Zoom Link](https://go.pinniped.dev/community/zoom) to attend and add any agenda items you wish to
discuss to [the notes document](https://go.pinniped.dev/community/agenda).
Join our [Google Group](https://groups.google.com/g/project-pinniped) to receive invites to this meeting.
If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.
## Adopters
Some organizations and products using Pinniped are featured in [ADOPTERS.md](ADOPTERS.md).
@ -57,4 +47,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).
Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.

View File

@ -1,69 +1,41 @@
## Pinniped Project Roadmap
## **Pinniped Project Roadmap**
### About this document
This document provides a high-level overview of the next big features the maintainers are planning to work on. This
should serve as a reference point for Pinniped users and contributors to understand where the project is heading, and
help determine if a contribution could be conflicting with a longer term plan.
The [Pinniped project backlog](https://github.com/orgs/vmware-tanzu/projects/43/) is prioritized based on this roadmap,
and it provides a more granular view of what the maintainers are working on a day-to-day basis.
###
**About this document**
### How to help
This document provides a link to the[ Pinniped Project issues](https://github.com/vmware-tanzu/pinniped/issues) list that serves as the up to date description of items that are in the Pinniped release pipeline. Most items are gathered from the community or include a feedback loop with the community. This should serve as a reference point for Pinniped users and contributors to understand where the project is heading, and help determine if a contribution could be conflicting with a longer term plan.
Discussion on the roadmap is welcomed. If you want to provide suggestions, use cases, and feedback to an item in the
roadmap, please reach out to the maintainers using one of the methods described in the project's
[README.md](https://github.com/vmware-tanzu/pinniped#discussion).
[Contributions](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) to Pinniped are also welcomed.
### How to add an item to the roadmap
###
**How to help?**
One of the most important aspects in any open source community is the concept of proposals. Large changes to the
codebase and / or new features should be preceded by
a [proposal](https://github.com/vmware-tanzu/pinniped/tree/main/proposals) in our repo.
For smaller enhancements, you can open an issue to track that initiative or feature request.
We work with and rely on community feedback to focus our efforts to improve Pinniped and maintain a healthy roadmap.
Discussion on the roadmap can take place in threads under [Issues](https://github.com/vmware-tanzu/pinniped/issues) or in [community meetings](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md#meeting-with-the-maintainers). Please open and comment on an issue if you want to provide suggestions and feedback to an item in the roadmap. Please review the roadmap to avoid potential duplicated effort.
### Current Roadmap
The following table includes the current roadmap for Pinniped. Please take the timelines and dates as proposals and
goals. Priorities and requirements change based on community feedback, roadblocks encountered, community contributions,
etc. If you depend on a specific item, we encourage you to reach out for updated status information, or help us deliver
that feature by [contributing](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) to Pinniped.
###
**Need an idea for a contribution?**
Weve created an [Opportunity Areas](https://github.com/vmware-tanzu/pinniped/discussions/483) discussion thread that outlines some areas we believe are excellent starting points for the community to get involved. In that discussion weve included specific work items that one might consider that also support the high-level items presented in our roadmap.
###
**How to add an item to the roadmap?**
Please open an issue to track any initiative on the roadmap of Pinniped (usually driven by new feature requests). We will work with and rely on our community to focus our efforts to improve Pinniped.
###
**Current Roadmap**
The following table includes the current roadmap for Pinniped. If you have any questions or would like to contribute to Pinniped, please attend a [community meeting](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md#meeting-with-the-maintainers) to discuss with our team. If you don't know where to start, we are always looking for contributors that will help us reduce technical, automation, and documentation debt. Please take the timelines & dates as proposals and goals. Priorities and requirements change based on community feedback, roadblocks encountered, community contributions, etc. If you depend on a specific item, we encourage you to attend community meetings to get updated status information, or help us deliver that feature by contributing to Pinniped.
Last Updated: Sept 2021
Last Updated: Sept 2022
|Theme|Description|Timeline|
|--|--|--|
|Improving Security Posture|Supervisor token refresh fails when the upstream refresh token no longer works for OIDC |Jan 2022|
|Improving Security Posture|Supervisor token refresh fails when the upstream user is in an invalid state for LDAP/AD |Jan 2022|
|Improving Security Posture|Set stricter default TLS versions and Ciphers |Jan 2022|
|Improving Security Posture|Support FIPS compliant Boring crypto libraries |Feb 2022|
|Multiple IDP support|Support multiple IDPs configured on a single Supervisor|March/April 2022|
|Improving Security Posture|TLS hardening |March/April 2022|
|Improving Security Posture|Support Audit logging of security events related to Authentication |April/May 2022|
|Improving Security Posture|mTLS for Supervisor sessions |Exploring/Ongoing|
|Improving Security Posture|Key management/rotation for Pinniped components with minimal downtime |Exploring/Ongoing|
|Improving Security Posture|Support for Session Logout |Exploring/Ongoing|
|Improving Security Posture|Support for Idle Session/ Inactivity timeout|Exploring/Ongoing|
|Improving Security Posture|Support for Max Concurrent Sessions|Exploring/Ongoing|
|Improving Security Posture|Support for configurable Session Length |Exploring/Ongoing|
|Improving Security Posture|Reject use of username and groups with system: prefix |Exploring/Ongoing|
|Improving Security Posture|Support for using external KMS for Supervisor signing keys |Exploring/Ongoing|
|Improving Security Posture|Client side use of Secure Enclaves for Session data |Exploring/Ongoing|
|Improving Security Posture|Enforce the use of HTTP Strict Transport (HSTS) |Exploring/Ongoing|
|Improving Security Posture|Assert that Pinniped runs under the restricted PSP version2 levels |Exploring/Ongoing|
|Wider Concierge cluster support|Support for OpenShift cluster types in the Concierge|Exploring/Ongoing|
|Identity transforms|Support prefixing, filtering, or performing coarse-grained checks on upstream users and groups|Exploring/Ongoing|
|CLI SSO|Support Kerberos based authentication on CLI |Exploring/Ongoing|
|Extended IDP support|Support more types of identity providers on the Supervisor|Exploring/Ongoing|
|Improved Documentation|Reorganizing and improving Pinniped docs; new how-to guides and tutorials|Exploring/Ongoing|
|Improve our CI/CD systems|Upgrade tests; make Kind more efficient and reliable for CI ; Windows tests; performance tests; scale tests; soak tests|Exploring/Ongoing|
|CLI Improvements|Improving CLI UX for setting up Supervisor IDPs|Exploring/Ongoing|
|Telemetry|Adding some useful phone home metrics as well as some vanity metrics|Exploring/Ongoing|
|Observability|Expose Pinniped metrics through Prometheus Integration|Exploring/Ongoing|
|Device Code Flow|Add support for OAuth 2.0 Device Authorization Grant in the Pinniped CLI and Supervisor|Exploring/Ongoing|
|Supervisor with New Clients|Enable registering new clients with Supervisor|Exploring/Ongoing|
|Improving Usability|Dynamic Oauth Client Support for integrating with UI/Dashboards |Sept/Oct 2022|
|Improving Usability|Support for custom claim mappings in OIDCIdentityProvider |Q4 2022|
|Improving Usability|Support for Multiple Identity Providers |Q4 2022|
|Improving Security Posture|Support Audit logging of security events related to Authentication |Q4 2022|
|Improving Security Posture|Session Management |2022/2023|
|Improving Security Posture|Secrets Rotation and Management |2022/2023|

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -12,7 +12,7 @@ type JWTAuthenticatorStatus struct {
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// Spec for configuring a JWT authenticator.

View File

@ -1,75 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ConditionStatus is effectively an enum type for Condition.Status.
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
// can't decide if a resource is in the condition or not. In the future, we could add other
// intermediate conditions, e.g. ConditionDegraded.
const (
ConditionTrue ConditionStatus = "True"
ConditionFalse ConditionStatus = "False"
ConditionUnknown ConditionStatus = "Unknown"
)
// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
// version we can switch to using the upstream type.
// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -12,7 +12,7 @@ type WebhookAuthenticatorStatus struct {
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// Spec for configuring a webhook authenticator.

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -80,6 +80,28 @@ const (
ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None")
)
// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
// serve TLS.
//
// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
//
// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
// the impersonation proxy endpoint.
type ImpersonationProxyTLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle).
// Used to advertise the CA bundle for the impersonation proxy endpoint.
//
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the Concierge impersonation proxy endpoint.
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName,omitempty"`
}
// ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy.
type ImpersonationProxySpec struct {
// Mode configures whether the impersonation proxy should be started:
@ -100,6 +122,13 @@ type ImpersonationProxySpec struct {
//
// +optional
ExternalEndpoint string `json:"externalEndpoint,omitempty"`
// TLS contains information about how the Concierge impersonation proxy should serve TLS.
//
// If this field is empty, the impersonation proxy will generate its own TLS certificate.
//
// +optional
TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
}
// ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy.

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity

View File

@ -1,40 +0,0 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// WhoAmIRequest submits a request to echo back the current authenticated user.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequest struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec WhoAmIRequestSpec
Status WhoAmIRequestStatus
}
type WhoAmIRequestSpec struct {
// empty for now but we may add some config here in the future
// any such config must be safe in the context of an unauthenticated user
}
type WhoAmIRequestStatus struct {
// The current authenticated user, exactly as Kubernetes understands it.
KubernetesUserInfo KubernetesUserInfo
// We may add concierge specific information here in the future.
}
// WhoAmIRequestList is a list of WhoAmIRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequestList struct {
metav1.TypeMeta
metav1.ListMeta
// Items is a list of WhoAmIRequest
Items []WhoAmIRequest
}

View File

@ -0,0 +1,42 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// WhoAmIRequest submits a request to echo back the current authenticated user.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequest struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec WhoAmIRequestSpec
Status WhoAmIRequestStatus
}
// Spec is always empty for a WhoAmIRequest.
type WhoAmIRequestSpec struct {
// empty for now but we may add some config here in the future
// any such config must be safe in the context of an unauthenticated user
}
// Status is set by the server in the response to a WhoAmIRequest.
type WhoAmIRequestStatus struct {
// The current authenticated user, exactly as Kubernetes understands it.
KubernetesUserInfo KubernetesUserInfo
// We may add concierge specific information here in the future.
}
// WhoAmIRequestList is a list of WhoAmIRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequestList struct {
metav1.TypeMeta
metav1.ListMeta
// Items is a list of WhoAmIRequest.
Items []WhoAmIRequest
}

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,43 +0,0 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// WhoAmIRequest submits a request to echo back the current authenticated user.
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec WhoAmIRequestSpec `json:"spec,omitempty"`
Status WhoAmIRequestStatus `json:"status,omitempty"`
}
type WhoAmIRequestSpec struct {
// empty for now but we may add some config here in the future
// any such config must be safe in the context of an unauthenticated user
}
type WhoAmIRequestStatus struct {
// The current authenticated user, exactly as Kubernetes understands it.
KubernetesUserInfo KubernetesUserInfo `json:"kubernetesUserInfo"`
// We may add concierge specific information here in the future.
}
// WhoAmIRequestList is a list of WhoAmIRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
// Items is a list of WhoAmIRequest
Items []WhoAmIRequest `json:"items"`
}

View File

@ -0,0 +1,45 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// WhoAmIRequest submits a request to echo back the current authenticated user.
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec WhoAmIRequestSpec `json:"spec,omitempty"`
Status WhoAmIRequestStatus `json:"status,omitempty"`
}
// Spec is always empty for a WhoAmIRequest.
type WhoAmIRequestSpec struct {
// empty for now but we may add some config here in the future
// any such config must be safe in the context of an unauthenticated user
}
// Status is set by the server in the response to a WhoAmIRequest.
type WhoAmIRequestStatus struct {
// The current authenticated user, exactly as Kubernetes understands it.
KubernetesUserInfo KubernetesUserInfo `json:"kubernetesUserInfo"`
// We may add concierge specific information here in the future.
}
// WhoAmIRequestList is a list of WhoAmIRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WhoAmIRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
// Items is a list of WhoAmIRequest.
Items []WhoAmIRequest `json:"items"`
}

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package validation

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login

View File

@ -1,21 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ClusterCredential is a credential (token or certificate) which is valid on the Kubernetes cluster.
type ClusterCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time
// Token is a bearer token used by the client for request authentication.
Token string
// PEM-encoded client TLS certificates (including intermediates, if any).
ClientCertificateData string
// PEM-encoded private key for the above certificate.
ClientKeyData string
}

View File

@ -0,0 +1,22 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type ClusterCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time
// Token is a bearer token used by the client for request authentication.
Token string
// PEM-encoded client TLS certificates (including intermediates, if any).
ClientCertificateData string
// PEM-encoded private key for the above certificate.
ClientKeyData string
}

View File

@ -1,47 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type TokenCredentialRequestSpec struct {
// Bearer token supplied with the credential request.
Token string
// Reference to an authenticator which can validate this credential request.
Authenticator corev1.TypedLocalObjectReference
}
type TokenCredentialRequestStatus struct {
// A ClusterCredential will be returned for a successful credential request.
// +optional
Credential *ClusterCredential
// An error message will be returned for an unsuccessful credential request.
// +optional
Message *string
}
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec TokenCredentialRequestSpec
Status TokenCredentialRequestStatus
}
// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequestList struct {
metav1.TypeMeta
metav1.ListMeta
// Items is a list of TokenCredentialRequest
Items []TokenCredentialRequest
}

View File

@ -0,0 +1,49 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
type TokenCredentialRequestSpec struct {
// Bearer token supplied with the credential request.
Token string
// Reference to an authenticator which can validate this credential request.
Authenticator corev1.TypedLocalObjectReference
}
// Status of a TokenCredentialRequest, returned on responses to the Pinniped API.
type TokenCredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
Credential *ClusterCredential
// An error message will be returned for an unsuccessful credential request.
// +optional
Message *string
}
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec TokenCredentialRequestSpec
Status TokenCredentialRequestStatus
}
// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequestList struct {
metav1.TypeMeta
metav1.ListMeta
// Items is a list of TokenCredentialRequest.
Items []TokenCredentialRequest
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,22 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type ClusterCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
// Token is a bearer token used by the client for request authentication.
Token string `json:"token,omitempty"`
// PEM-encoded client TLS certificates (including intermediates, if any).
ClientCertificateData string `json:"clientCertificateData,omitempty"`
// PEM-encoded private key for the above certificate.
ClientKeyData string `json:"clientKeyData,omitempty"`
}

View File

@ -0,0 +1,22 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ClusterCredential is the cluster-specific credential returned on a successful credential request. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type ClusterCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
// Token is a bearer token used by the client for request authentication.
Token string `json:"token,omitempty"`
// PEM-encoded client TLS certificates (including intermediates, if any).
ClientCertificateData string `json:"clientCertificateData,omitempty"`
// PEM-encoded private key for the above certificate.
ClientKeyData string `json:"clientKeyData,omitempty"`
}

View File

@ -1,51 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// TokenCredentialRequestSpec is the specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
type TokenCredentialRequestSpec struct {
// Bearer token supplied with the credential request.
Token string `json:"token,omitempty"`
// Reference to an authenticator which can validate this credential request.
Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
}
// TokenCredentialRequestStatus is the status of a TokenCredentialRequest, returned on responses to the Pinniped API.
type TokenCredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
Credential *ClusterCredential `json:"credential,omitempty"`
// An error message will be returned for an unsuccessful credential request.
// +optional
Message *string `json:"message,omitempty"`
}
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec TokenCredentialRequestSpec `json:"spec,omitempty"`
Status TokenCredentialRequestStatus `json:"status,omitempty"`
}
// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []TokenCredentialRequest `json:"items"`
}

View File

@ -0,0 +1,52 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// Specification of a TokenCredentialRequest, expected on requests to the Pinniped API.
type TokenCredentialRequestSpec struct {
// Bearer token supplied with the credential request.
Token string `json:"token,omitempty"`
// Reference to an authenticator which can validate this credential request.
Authenticator corev1.TypedLocalObjectReference `json:"authenticator"`
}
// Status of a TokenCredentialRequest, returned on responses to the Pinniped API.
type TokenCredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
Credential *ClusterCredential `json:"credential,omitempty"`
// An error message will be returned for an unsuccessful credential request.
// +optional
Message *string `json:"message,omitempty"`
}
// TokenCredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec TokenCredentialRequestSpec `json:"spec,omitempty"`
Status TokenCredentialRequestStatus `json:"status,omitempty"`
}
// TokenCredentialRequestList is a list of TokenCredentialRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type TokenCredentialRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
// Items is a list of TokenCredentialRequest.
Items []TokenCredentialRequest `json:"items"`
}

View File

@ -0,0 +1,8 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package
// +groupName=clientsecret.supervisor.pinniped.dev
// Package clientsecret is the internal version of the Pinniped client secret API.
package clientsecret

View File

@ -0,0 +1,38 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package clientsecret
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
const GroupName = "clientsecret.supervisor.pinniped.dev"
// SchemeGroupVersion is group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
func Kind(kind string) schema.GroupKind {
return SchemeGroupVersion.WithKind(kind).GroupKind()
}
// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
var (
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
AddToScheme = SchemeBuilder.AddToScheme
)
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&OIDCClientSecretRequest{},
&OIDCClientSecretRequestList{},
)
return nil
}

View File

@ -0,0 +1,50 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package clientsecret
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCClientSecretRequest struct {
metav1.TypeMeta
metav1.ObjectMeta // metadata.name must be set to the client ID
Spec OIDCClientSecretRequestSpec
// +optional
Status OIDCClientSecretRequestStatus
}
// Spec of the OIDCClientSecretRequest.
type OIDCClientSecretRequestSpec struct {
// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
// +optional
GenerateNewSecret bool
// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
// +optional
RevokeOldSecrets bool
}
// Status of the OIDCClientSecretRequest.
type OIDCClientSecretRequestStatus struct {
// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost.
GeneratedSecret string
// The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
TotalClientSecrets int
}
// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCClientSecretRequestList struct {
metav1.TypeMeta
metav1.ListMeta
// Items is a list of OIDCClientSecretRequest.
Items []OIDCClientSecretRequest
}

View File

@ -0,0 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -0,0 +1,12 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

View File

@ -0,0 +1,11 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/clientsecret
// +k8s:defaulter-gen=TypeMeta
// +groupName=clientsecret.supervisor.pinniped.dev
// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.
package v1alpha1

View File

@ -0,0 +1,43 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
const GroupName = "clientsecret.supervisor.pinniped.dev"
// SchemeGroupVersion is group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
var (
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
AddToScheme = SchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
}
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&OIDCClientSecretRequest{},
&OIDCClientSecretRequestList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}
// Resource takes an unqualified resource and returns back a Group qualified GroupResource.
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}

View File

@ -0,0 +1,53 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// OIDCClientSecretRequest can be used to update the client secrets associated with an OIDCClient.
// +genclient
// +genclient:onlyVerbs=create
// +kubebuilder:subresource:status
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCClientSecretRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"` // metadata.name must be set to the client ID
Spec OIDCClientSecretRequestSpec `json:"spec"`
// +optional
Status OIDCClientSecretRequestStatus `json:"status"`
}
// Spec of the OIDCClientSecretRequest.
type OIDCClientSecretRequestSpec struct {
// Request a new client secret to for the OIDCClient referenced by the metadata.name field.
// +optional
GenerateNewSecret bool `json:"generateNewSecret"`
// Revoke the old client secrets associated with the OIDCClient referenced by the metadata.name field.
// +optional
RevokeOldSecrets bool `json:"revokeOldSecrets"`
}
// Status of the OIDCClientSecretRequest.
type OIDCClientSecretRequestStatus struct {
// The unencrypted OIDC Client Secret. This will only be shared upon creation and cannot be recovered if lost.
GeneratedSecret string `json:"generatedSecret,omitempty"`
// The total number of client secrets associated with the OIDCClient referenced by the metadata.name field.
TotalClientSecrets int `json:"totalClientSecrets"`
}
// OIDCClientSecretRequestList is a list of OIDCClientSecretRequest objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCClientSecretRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
// Items is a list of OIDCClientSecretRequest.
Items []OIDCClientSecretRequest `json:"items"`
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -32,6 +32,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&FederationDomain{},
&FederationDomainList{},
&OIDCClient{},
&OIDCClientList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -8,14 +8,17 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:validation:Enum=Success;Duplicate;Invalid;SameIssuerHostMustUseSameSecret
type FederationDomainStatusCondition string
type FederationDomainPhase string
const (
SuccessFederationDomainStatusCondition = FederationDomainStatusCondition("Success")
DuplicateFederationDomainStatusCondition = FederationDomainStatusCondition("Duplicate")
SameIssuerHostMustUseSameSecretFederationDomainStatusCondition = FederationDomainStatusCondition("SameIssuerHostMustUseSameSecret")
InvalidFederationDomainStatusCondition = FederationDomainStatusCondition("Invalid")
// FederationDomainPhasePending is the default phase for newly-created FederationDomain resources.
FederationDomainPhasePending FederationDomainPhase = "Pending"
// FederationDomainPhaseReady is the phase for an FederationDomain resource in a healthy state.
FederationDomainPhaseReady FederationDomainPhase = "Ready"
// FederationDomainPhaseError is the phase for an FederationDomain in an unhealthy state.
FederationDomainPhaseError FederationDomainPhase = "Error"
)
// FederationDomainTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
@ -31,8 +34,9 @@ type FederationDomainTLSSpec struct {
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
// configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
// It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
@ -41,6 +45,157 @@ type FederationDomainTLSSpec struct {
SecretName string `json:"secretName,omitempty"`
}
// FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
// the transform expressions. This is a union type, and Type is the discriminator field.
type FederationDomainTransformsConstant struct {
// Name determines the name of the constant. It must be a valid identifier name.
// +kubebuilder:validation:Pattern=`^[a-zA-Z][_a-zA-Z0-9]*$`
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=64
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
// StringValue should hold the value when Type is "string", and is otherwise ignored.
// +optional
StringValue string `json:"stringValue,omitempty"`
// StringListValue should hold the value when Type is "stringList", and is otherwise ignored.
// +optional
StringListValue []string `json:"stringListValue,omitempty"`
}
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`
// Expression is a CEL expression that will be evaluated based on the Type during an authentication.
// +kubebuilder:validation:MinLength=1
Expression string `json:"expression"`
// Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
// an authentication attempt. When empty, a default message will be used.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransformsExample defines a transform example.
type FederationDomainTransformsExample struct {
// Username is the input username.
// +kubebuilder:validation:MinLength=1
Username string `json:"username"`
// Groups is the input list of group names.
// +optional
Groups []string `json:"groups,omitempty"`
// Expects is the expected output of the entire sequence of transforms when they are run against the
// input Username and Groups.
Expects FederationDomainTransformsExampleExpects `json:"expects"`
}
// FederationDomainTransformsExampleExpects defines the expected result for a transforms example.
type FederationDomainTransformsExampleExpects struct {
// Username is the expected username after the transformations have been applied.
// +optional
Username string `json:"username,omitempty"`
// Groups is the expected list of group names after the transformations have been applied.
// +optional
Groups []string `json:"groups,omitempty"`
// Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
// after the transformations have been applied. True means that it is expected that the authentication would be
// rejected. The default value of false means that it is expected that the authentication would not be rejected
// by any policy expression.
// +optional
Rejected bool `json:"rejected,omitempty"`
// Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
// message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
// then Message will be treated as the default error message for authentication attempts which are rejected by a
// policy. When Rejected is false, then Message is the expected error message for some other non-policy
// transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
// +optional
Message string `json:"message,omitempty"`
}
// FederationDomainTransforms defines identity transformations for an identity provider's usage on a FederationDomain.
type FederationDomainTransforms struct {
// Constants defines constant variables and their values which will be made available to the transform expressions.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Constants []FederationDomainTransformsConstant `json:"constants,omitempty"`
// Expressions are an optional list of transforms and policies to be executed in the order given during every
// authentication attempt, including during every session refresh.
// Each is a CEL expression. It may use the basic CEL language as defined in
// https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
// https://github.com/google/cel-go/tree/master/ext#strings.
//
// The username and groups extracted from the identity provider, and the constants defined in this CR, are
// available as variables in all expressions. The username is provided via a variable called `username` and
// the list of group names is provided via a variable called `groups` (which may be an empty list).
// Each user-provided constants is provided via a variable named `strConst.varName` for string constants
// and `strListConst.varName` for string list constants.
//
// The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
// Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
// and the authentication attempt is rejected.
// Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
// username or group names.
// Each username/v1 transform must return the new username (a string), which can be the same as the old username.
// Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
// Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
// groups list.
// Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
// After each expression, the new (potentially changed) username or groups get passed to the following expression.
//
// Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
// During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
// authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
// and group names have been decided for that authentication attempt.
//
// +optional
Expressions []FederationDomainTransformsExpression `json:"expressions,omitempty"`
// Examples can optionally be used to ensure that the sequence of transformation expressions are working as
// expected. Examples define sample input identities which are then run through the expression list, and the
// results are compared to the expected results. If any example in this list fails, then this
// identity provider will not be available for use within this FederationDomain, and the error(s) will be
// added to the FederationDomain status. This can be used to help guard against programming mistakes in the
// expressions, and also act as living documentation for other administrators to better understand the expressions.
// +optional
Examples []FederationDomainTransformsExample `json:"examples,omitempty"`
}
// FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain.
type FederationDomainIdentityProvider struct {
// DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
// kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
// disruptive change for those users.
// +kubebuilder:validation:MinLength=1
DisplayName string `json:"displayName"`
// ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
// If the reference cannot be resolved then the identity provider will not be made available.
// Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
// LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
ObjectRef corev1.TypedLocalObjectReference `json:"objectRef"`
// Transforms is an optional way to specify transformations to be applied during user authentication and
// session refresh.
// +optional
Transforms FederationDomainTransforms `json:"transforms,omitempty"`
}
// FederationDomainSpec is a struct that describes an OIDC Provider.
type FederationDomainSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -54,9 +209,35 @@ type FederationDomainSpec struct {
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`
// TLS configures how this FederationDomain is served over Transport Layer Security (TLS).
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
// +optional
TLS *FederationDomainTLSSpec `json:"tls,omitempty"`
// IdentityProviders is the list of identity providers available for use by this FederationDomain.
//
// An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
// how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
// extract a normalized user identity. Normalized user identities include a username and a list of group names.
// In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
// belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
// on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
// accidental conflicts when multiple identity providers have different users with the same username (e.g.
// "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
// rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
// the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
// disallow the authentication unless the user belongs to a specific group in the identity provider.
//
// For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
// an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
// exist in the same namespace, but also to reject all authentication requests when there is more than one identity
// provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
// (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
// FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
// relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
// explicitly list the identity provider using this IdentityProviders field.
//
// +optional
IdentityProviders []FederationDomainIdentityProvider `json:"identityProviders,omitempty"`
}
// FederationDomainSecrets holds information about this OIDC Provider's secrets.
@ -85,20 +266,17 @@ type FederationDomainSecrets struct {
// FederationDomainStatus is a struct that describes the actual state of an OIDC Provider.
type FederationDomainStatus struct {
// Status holds an enum that describes the state of this OIDC Provider. Note that this Status can
// represent success or failure.
// +optional
Status FederationDomainStatusCondition `json:"status,omitempty"`
// Phase summarizes the overall status of the FederationDomain.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase FederationDomainPhase `json:"phase,omitempty"`
// Message provides human-readable details about the Status.
// +optional
Message string `json:"message,omitempty"`
// LastUpdateTime holds the time at which the Status was last updated. It is a pointer to get
// around some undesirable behavior with respect to the empty metav1.Time value (see
// https://github.com/kubernetes/kubernetes/issues/86811).
// +optional
LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
// Conditions represent the observations of an FederationDomain's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Secrets contains information about this OIDC Provider's secrets.
// +optional
@ -110,7 +288,7 @@ type FederationDomainStatus struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type FederationDomain struct {

View File

@ -0,0 +1,122 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type OIDCClientPhase string
const (
// OIDCClientPhasePending is the default phase for newly-created OIDCClient resources.
OIDCClientPhasePending OIDCClientPhase = "Pending"
// OIDCClientPhaseReady is the phase for an OIDCClient resource in a healthy state.
OIDCClientPhaseReady OIDCClientPhase = "Ready"
// OIDCClientPhaseError is the phase for an OIDCClient in an unhealthy state.
OIDCClientPhaseError OIDCClientPhase = "Error"
)
// +kubebuilder:validation:Pattern=`^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/`
type RedirectURI string
// +kubebuilder:validation:Enum="authorization_code";"refresh_token";"urn:ietf:params:oauth:grant-type:token-exchange"
type GrantType string
// +kubebuilder:validation:Enum="openid";"offline_access";"username";"groups";"pinniped:request-audience"
type Scope string
// OIDCClientSpec is a struct that describes an OIDCClient.
type OIDCClientSpec struct {
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
// client. Any other uris will be rejected.
// Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
// Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedRedirectURIs []RedirectURI `json:"allowedRedirectURIs"`
// allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
// client.
//
// Must only contain the following values:
// - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
// authenticate users. This grant must always be listed.
// - refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
// This grant must be listed if allowedScopes lists offline_access.
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user.
// This grant must be listed if allowedScopes lists pinniped:request-audience.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedGrantTypes []GrantType `json:"allowedGrantTypes"`
// allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
//
// Must only contain the following values:
// - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
// This scope must always be listed.
// - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
// This scope must be listed if allowedGrantTypes lists refresh_token.
// - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user.
// openid, username and groups scopes must be listed when this scope is present.
// This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
// - username: The client is allowed to request that ID tokens contain the user's username.
// Without the username scope being requested and allowed, the ID token will not contain the user's username.
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
// if their group membership is discoverable by the Supervisor.
// Without the groups scope being requested and allowed, the ID token will not contain groups.
// +listType=set
// +kubebuilder:validation:MinItems=1
AllowedScopes []Scope `json:"allowedScopes"`
}
// OIDCClientStatus is a struct that describes the actual state of an OIDCClient.
type OIDCClientStatus struct {
// phase summarizes the overall status of the OIDCClient.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase OIDCClientPhase `json:"phase,omitempty"`
// conditions represent the observations of an OIDCClient's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// totalClientSecrets is the current number of client secrets that are detected for this OIDCClient.
// +optional
TotalClientSecrets int32 `json:"totalClientSecrets"` // do not omitempty to allow it to show in the printer column even when it is 0
}
// OIDCClient describes the configuration of an OIDC client.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Privileged Scopes",type=string,JSONPath=`.spec.allowedScopes[?(@ == "pinniped:request-audience")]`
// +kubebuilder:printcolumn:name="Client Secrets",type=integer,JSONPath=`.status.totalClientSecrets`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type OIDCClient struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec of the OIDC client.
Spec OIDCClientSpec `json:"spec"`
// Status of the OIDC client.
Status OIDCClientStatus `json:"status,omitempty"`
}
// List of OIDCClient objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type OIDCClientList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []OIDCClient `json:"items"`
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -32,7 +32,7 @@ type ActiveDirectoryIdentityProviderStatus struct {
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
type ActiveDirectoryIdentityProviderBind struct {
@ -114,9 +114,10 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
// https://ldap.com/ldap-filters.
// value of an attribute of the user entry found as a result of the user search. Which attribute's
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
// For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
@ -127,10 +128,46 @@ type ActiveDirectoryIdentityProviderGroupSearch struct {
// +optional
Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search.
// +optional
Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
// The user's group membership is refreshed as they interact with the supervisor
// to obtain new credentials (as their old credentials expire). This allows group
// membership changes to be quickly reflected into Kubernetes clusters. Since
// group membership is often used to bind authorization policies, it is important
// to keep the groups observed in Kubernetes clusters in-sync with the identity
// provider.
//
// In some environments, frequent group membership queries may result in a
// significant performance impact on the identity provider and/or the supervisor.
// The best approach to handle performance impacts is to tweak the group query
// to be more performant, for example by disabling nested group search or by
// using a more targeted group search base.
//
// If the group search query cannot be made performant and you are willing to
// have group memberships remain static for approximately a day, then set
// skipGroupRefresh to true. This is an insecure configuration as authorization
// policies that are bound to group membership will not notice if a user has
// been removed from a particular group until their next login.
//
// This is an experimental feature that may be removed or significantly altered
// in the future. Consumers of this configuration should carefully read all
// release notes before upgrading to ensure that the meaning of this field has
// not changed.
SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
// Spec for configuring an ActiveDirectory identity provider.

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -32,7 +32,7 @@ type LDAPIdentityProviderStatus struct {
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
type LDAPIdentityProviderBind struct {
@ -101,24 +101,60 @@ type LDAPIdentityProviderGroupSearch struct {
// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
// the values of Filter and Attributes are ignored.
// the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
// +optional
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
// https://ldap.com/ldap-filters.
// value of an attribute of the user entry found as a result of the user search. Which attribute's
// value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
// For more information about LDAP filters, see https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
// +optional
Filter string `json:"filter,omitempty"`
// UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
// the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
// For example, specifying "uid" as the UserAttributeForFilter while specifying
// "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
// the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
// Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
// UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
// would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
// +optional
UserAttributeForFilter string `json:"userAttributeForFilter,omitempty"`
// Attributes specifies how the group's information should be read from each LDAP entry which was found as
// the result of the group search.
// +optional
Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
// The user's group membership is refreshed as they interact with the supervisor
// to obtain new credentials (as their old credentials expire). This allows group
// membership changes to be quickly reflected into Kubernetes clusters. Since
// group membership is often used to bind authorization policies, it is important
// to keep the groups observed in Kubernetes clusters in-sync with the identity
// provider.
//
// In some environments, frequent group membership queries may result in a
// significant performance impact on the identity provider and/or the supervisor.
// The best approach to handle performance impacts is to tweak the group query
// to be more performant, for example by disabling nested group search or by
// using a more targeted group search base.
//
// If the group search query cannot be made performant and you are willing to
// have group memberships remain static for approximately a day, then set
// skipGroupRefresh to true. This is an insecure configuration as authorization
// policies that are bound to group membership will not notice if a user has
// been removed from a particular group until their next login.
//
// This is an experimental feature that may be removed or significantly altered
// in the future. Consumers of this configuration should carefully read all
// release notes before upgrading to ensure that the meaning of this field has
// not changed.
SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
// Spec for configuring an LDAP identity provider.

View File

@ -1,75 +0,0 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ConditionStatus is effectively an enum type for Condition.Status.
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
// can't decide if a resource is in the condition or not. In the future, we could add other
// intermediate conditions, e.g. ConditionDegraded.
const (
ConditionTrue ConditionStatus = "True"
ConditionFalse ConditionStatus = "False"
ConditionUnknown ConditionStatus = "Unknown"
)
// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
// version we can switch to using the upstream type.
// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@ -32,7 +32,7 @@ type OIDCIdentityProviderStatus struct {
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization
@ -138,6 +138,17 @@ type OIDCClaims struct {
// the ID token.
// +optional
Username string `json:"username"`
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
// +optional
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
}
// OIDCClient contains information about an OIDC client (e.g., client ID and client

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
@ -15,11 +15,72 @@ const (
// or an LDAPIdentityProvider.
AuthorizePasswordHeaderName = "Pinniped-Password" //nolint:gosec // this is not a credential
// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select which
// identity provider should be used for authentication by sending the name of the desired identity provider.
// AuthorizeUpstreamIDPNameParamName is the name of the HTTP request parameter which can be used to help select
// which identity provider should be used for authentication by sending the name of the desired identity provider.
AuthorizeUpstreamIDPNameParamName = "pinniped_idp_name"
// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select which
// identity provider should be used for authentication by sending the type of the desired identity provider.
// AuthorizeUpstreamIDPTypeParamName is the name of the HTTP request parameter which can be used to help select
// which identity provider should be used for authentication by sending the type of the desired identity provider.
AuthorizeUpstreamIDPTypeParamName = "pinniped_idp_type"
// IDTokenClaimIssuer is name of the issuer claim defined by the OIDC spec.
IDTokenClaimIssuer = "iss"
// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
IDTokenClaimSubject = "sub"
// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
IDTokenClaimAuthorizedParty = "azp"
// IDTokenClaimUsername is the name of a custom claim in the downstream ID token whose value will contain the user's
// username which was mapped from the upstream identity provider.
IDTokenClaimUsername = "username"
// IDTokenClaimGroups is the name of a custom claim in the downstream ID token whose value will contain the user's
// group names which were mapped from the upstream identity provider.
IDTokenClaimGroups = "groups"
// IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID
// token, if any claims are present.
IDTokenClaimAdditionalClaims = "additionalClaims"
// GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
GrantTypeAuthorizationCode = "authorization_code"
// GrantTypeRefreshToken is the name of the grant type for refresh flow defined by the OIDC spec.
GrantTypeRefreshToken = "refresh_token"
// GrantTypeTokenExchange is the name of a custom grant type for RFC8693 token exchanges.
GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" //nolint:gosec // this is not a credential
// ScopeOpenID is name of the openid scope defined by the OIDC spec.
ScopeOpenID = "openid"
// ScopeOfflineAccess is name of the offline access scope defined by the OIDC spec, used for requesting refresh
// tokens.
ScopeOfflineAccess = "offline_access"
// ScopeEmail is name of the email scope defined by the OIDC spec.
ScopeEmail = "email"
// ScopeProfile is name of the profile scope defined by the OIDC spec.
ScopeProfile = "profile"
// ScopeUsername is the name of a custom scope that determines whether the username claim will be returned inside
// ID tokens.
ScopeUsername = "username"
// ScopeGroups is the name of a custom scope that determines whether the groups claim will be returned inside
// ID tokens.
ScopeGroups = "groups"
// ScopeRequestAudience is the name of a custom scope that determines whether a RFC8693 token exchange is allowed to
// be used to request a different audience.
ScopeRequestAudience = "pinniped:request-audience"
// ClientIDPinnipedCLI is the client ID of the statically defined public OIDC client which is used by the CLI.
ClientIDPinnipedCLI = "pinniped-cli"
// ClientIDRequiredOIDCClientPrefix is the required prefix for the metadata.name of OIDCClient CRs.
ClientIDRequiredOIDCClientPrefix = "client.oauth.pinniped.dev-"
)

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package main is the combined entrypoint for the Pinniped "kube-cert-agent" component.
@ -8,14 +8,31 @@ import (
"encoding/base64"
"encoding/json"
"io"
"io/ioutil"
"log"
"math"
"os"
"time"
// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
//
// Commenting this out because it causes the runtime memory consumption of this binary to increase
// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
// code, then we should bring this import back to support the use of the ptls library for client and
// server code, and we should also increase the memory limits on the kube cert agent deployment (as
// decided by the kube cert agent controller in the Concierge).
//
//nolint:godot // This is not sentence, it is a commented out line of import code.
// _ "go.pinniped.dev/internal/crypto/ptls"
// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
// Without this line, the binary will exit 133 upon startup in fips_strict mode.
// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
// even though it shouldn't be used currently by this binary.
_ "go.pinniped.dev/internal/crypto/fips"
)
//nolint: gochecknoglobals // these are swapped during unit tests.
//nolint:gochecknoglobals // these are swapped during unit tests.
var (
getenv = os.Getenv
fail = log.Fatalf
@ -32,11 +49,11 @@ func main() {
case "sleep":
sleep(math.MaxInt64)
case "print":
certBytes, err := ioutil.ReadFile(getenv("CERT_PATH"))
certBytes, err := os.ReadFile(getenv("CERT_PATH"))
if err != nil {
fail("could not read CERT_PATH: %v", err)
}
keyBytes, err := ioutil.ReadFile(getenv("KEY_PATH"))
keyBytes, err := os.ReadFile(getenv("KEY_PATH"))
if err != nil {
fail("could not read KEY_PATH: %v", err)
}

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package main is the combined entrypoint for all Pinniped server components.
@ -8,20 +8,23 @@
package main
import (
"fmt"
"os"
"path/filepath"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/klog/v2"
concierge "go.pinniped.dev/internal/concierge/server"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
_ "go.pinniped.dev/internal/crypto/ptls"
lua "go.pinniped.dev/internal/localuserauthenticator"
"go.pinniped.dev/internal/plog"
supervisor "go.pinniped.dev/internal/supervisor/server"
)
//nolint: gochecknoglobals // these are swapped during unit tests.
//nolint:gochecknoglobals // these are swapped during unit tests.
var (
fail = klog.Fatalf
fail = plog.Fatal
subcommands = map[string]func(){
"pinniped-concierge": concierge.Main,
"pinniped-supervisor": supervisor.Main,
@ -31,11 +34,11 @@ var (
func main() {
if len(os.Args) == 0 {
fail("missing os.Args")
fail(fmt.Errorf("missing os.Args"))
}
binary := filepath.Base(os.Args[0])
if subcommands[binary] == nil {
fail("must be invoked as one of %v, not %q", sets.StringKeySet(subcommands).List(), binary)
fail(fmt.Errorf("must be invoked as one of %v, not %q", sets.StringKeySet(subcommands).List(), binary))
}
subcommands[binary]()
}

View File

@ -43,8 +43,11 @@ func TestEntrypoint(t *testing.T) {
var logBuf bytes.Buffer
testLog := log.New(&logBuf, "", 0)
exited := "exiting via fatal"
fail = func(format string, v ...interface{}) {
testLog.Printf(format, v...)
fail = func(err error, keysAndValues ...interface{}) {
testLog.Print(err)
if len(keysAndValues) > 0 {
testLog.Print(keysAndValues...)
}
panic(exited)
}

View File

@ -1,22 +0,0 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"github.com/spf13/cobra"
)
//nolint: gochecknoglobals
var alphaCmd = &cobra.Command{
Use: "alpha",
Short: "alpha",
Long: "alpha subcommands (syntax or flags are still subject to change)",
SilenceUsage: true, // do not print usage message when commands fail
Hidden: true,
}
//nolint: gochecknoinits
func init() {
rootCmd.AddCommand(alphaCmd)
}

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -8,7 +8,7 @@ import (
"crypto/x509"
"flag"
"fmt"
"io/ioutil"
"os"
"strings"
"github.com/spf13/pflag"
@ -85,7 +85,7 @@ func (f *caBundleFlag) String() string {
}
func (f *caBundleFlag) Set(path string) error {
pem, err := ioutil.ReadFile(path)
pem, err := os.ReadFile(path)
if err != nil {
return fmt.Errorf("could not read CA bundle path: %w", err)
}

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -6,7 +6,7 @@ package cmd
import (
"bytes"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"testing"
"time"
@ -15,7 +15,6 @@ import (
configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/testutil"
)
func TestConciergeModeFlag(t *testing.T) {
@ -52,12 +51,12 @@ func TestConciergeModeFlag(t *testing.T) {
func TestCABundleFlag(t *testing.T) {
testCA, err := certauthority.New("Test CA", 1*time.Hour)
require.NoError(t, err)
tmpdir := testutil.TempDir(t)
tmpdir := t.TempDir()
emptyFilePath := filepath.Join(tmpdir, "empty")
require.NoError(t, ioutil.WriteFile(emptyFilePath, []byte{}, 0600))
require.NoError(t, os.WriteFile(emptyFilePath, []byte{}, 0600))
testCAPath := filepath.Join(tmpdir, "testca.pem")
require.NoError(t, ioutil.WriteFile(testCAPath, testCA.Bundle(), 0600))
require.NoError(t, os.WriteFile(testCAPath, testCA.Bundle(), 0600))
f := caBundleFlag{}
require.Equal(t, "path", f.Type())

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -14,7 +14,7 @@ import (
"github.com/spf13/cobra/doc"
)
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
rootCmd.AddCommand(generateMarkdownHelpCommand())
}
@ -24,7 +24,7 @@ func generateMarkdownHelpCommand() *cobra.Command {
Args: cobra.NoArgs,
Use: "generate-markdown-help",
Short: "Generate markdown help for the current set of non-hidden CLI commands",
SilenceUsage: true,
SilenceUsage: true, // do not print usage message when commands fail
Hidden: true,
RunE: runGenerateMarkdownHelp,
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -7,10 +7,14 @@ import (
"github.com/spf13/cobra"
)
//nolint: gochecknoglobals
var getCmd = &cobra.Command{Use: "get", Short: "get"}
//nolint:gochecknoglobals
var getCmd = &cobra.Command{
Use: "get",
Short: "Gets one of [kubeconfig]",
SilenceUsage: true, // Do not print usage message when commands fail.
}
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
rootCmd.AddCommand(getCmd)
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -10,47 +10,46 @@ import (
"encoding/json"
"fmt"
"io"
"io/ioutil"
"log"
"net/http"
"os"
"strconv"
"strings"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/go-logr/logr"
"github.com/go-logr/stdr"
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
"k8s.io/utils/strings/slices"
conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
"go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/net/phttp"
"go.pinniped.dev/internal/plog"
)
type kubeconfigDeps struct {
getPathToSelf func() (string, error)
getClientset getConciergeClientsetFunc
log logr.Logger
log plog.MinLogger
}
func kubeconfigRealDeps() kubeconfigDeps {
return kubeconfigDeps{
getPathToSelf: os.Executable,
getClientset: getRealConciergeClientset,
log: stdr.New(log.New(os.Stderr, "", 0)),
log: plog.New(),
}
}
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
getCmd.AddCommand(kubeconfigCommand(kubeconfigRealDeps()))
}
@ -97,6 +96,12 @@ type getKubeconfigParams struct {
credentialCachePath string
credentialCachePathSet bool
installHint string
pinnipedCliPath string
}
type discoveryResponseScopesSupported struct {
// Same as ScopesSupported in the Supervisor's discovery handler's struct.
ScopesSupported []string `json:"scopes_supported"`
}
func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
@ -105,7 +110,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
Args: cobra.NoArgs,
Use: "kubeconfig",
Short: "Generate a Pinniped-based kubeconfig for a cluster",
SilenceUsage: true,
SilenceUsage: true, // do not print usage message when commands fail
}
flags getKubeconfigParams
namespace string // unused now
@ -128,9 +133,9 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.Var(&flags.concierge.mode, "concierge-mode", "Concierge mode of operation")
f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
f.StringVar(&flags.oidc.clientID, "oidc-client-id", oidcapi.ClientIDPinnipedCLI, "OpenID Connect client ID (default: autodiscover)")
f.Uint16Var(&flags.oidc.listenPort, "oidc-listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
f.StringSliceVar(&flags.oidc.scopes, "oidc-scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OpenID Connect scopes to request during login")
f.StringSliceVar(&flags.oidc.scopes, "oidc-scopes", []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}, "OpenID Connect scopes to request during login")
f.BoolVar(&flags.oidc.skipBrowser, "oidc-skip-browser", false, "During OpenID Connect login, skip opening the browser (just print the URL)")
f.BoolVar(&flags.oidc.skipListen, "oidc-skip-listen", false, "During OpenID Connect login, skip starting a localhost callback listener (manual copy/paste flow only)")
f.StringVar(&flags.oidc.sessionCachePath, "oidc-session-cache", "", "Path to OpenID Connect session cache file")
@ -147,14 +152,16 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.StringVarP(&flags.outputPath, "output", "o", "", "Output file path (default: stdout)")
f.StringVar(&flags.generatedNameSuffix, "generated-name-suffix", "-pinniped", "Suffix to append to generated cluster, context, user kubeconfig entries")
f.StringVar(&flags.credentialCachePath, "credential-cache", "", "Path to cluster-specific credentials cache")
f.StringVar(&flags.pinnipedCliPath, "pinniped-cli-path", "", "Full path or executable name for the Pinniped CLI binary to be embedded in the resulting kubeconfig output (e.g. 'pinniped') (default: full path of the binary used to execute this command)")
f.StringVar(&flags.installHint, "install-hint", "The pinniped CLI does not appear to be installed. See https://get.pinniped.dev/cli for more details", "This text is shown to the user when the pinniped CLI is not installed.")
mustMarkHidden(cmd, "oidc-debug-session-cache")
// --oidc-skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
mustMarkHidden(cmd, "oidc-skip-listen")
mustMarkHidden(cmd,
"oidc-debug-session-cache",
"oidc-skip-listen", // --oidc-skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
"concierge-namespace",
)
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
cmd.RunE = func(cmd *cobra.Command, args []string) error {
if flags.outputPath != "" {
@ -171,11 +178,15 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
return cmd
}
//nolint:funlen
func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, flags getKubeconfigParams) error {
ctx, cancel := context.WithTimeout(ctx, flags.timeout)
defer cancel()
// the log statements in this file assume that Info logs are unconditionally printed so we set the global level to info
if err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, plog.LogSpec{Level: plog.LevelInfo, Format: plog.FormatCLI}); err != nil {
return err
}
// Validate api group suffix and immediately return an error if it is invalid.
if err := groupsuffix.Validate(flags.concierge.apiGroupSuffix); err != nil {
return fmt.Errorf("invalid API group suffix: %w", err)
@ -230,11 +241,9 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
cluster.CertificateAuthorityData = flags.concierge.caBundle
}
// If there is an issuer, and if any upstream IDP flags are not already set, then try to discover Supervisor upstream IDP details.
// When all the upstream IDP flags are set by the user, then skip discovery and don't validate their input. Maybe they know something
// that we can't know, like the name of an IDP that they are going to define in the future.
if len(flags.oidc.issuer) > 0 && (flags.oidc.upstreamIDPType == "" || flags.oidc.upstreamIDPName == "" || flags.oidc.upstreamIDPFlow == "") {
if err := discoverSupervisorUpstreamIDP(ctx, &flags); err != nil {
if len(flags.oidc.issuer) > 0 {
err = pinnipedSupervisorDiscovery(ctx, &flags, deps.log)
if err != nil {
return err
}
}
@ -262,7 +271,12 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap
execConfig.InstallHint = flags.installHint
var err error
execConfig.Command, err = deps.getPathToSelf()
execConfig.Command, err = func() (string, error) {
if flags.pinnipedCliPath != "" {
return flags.pinnipedCliPath, nil
}
return deps.getPathToSelf()
}()
if err != nil {
return nil, fmt.Errorf("could not determine the Pinniped executable path: %w", err)
}
@ -328,6 +342,9 @@ func newExecConfig(deps kubeconfigDeps, flags getKubeconfigParams) (*clientcmdap
execConfig.Args = append(execConfig.Args, "--debug-session-cache")
}
if flags.oidc.requestAudience != "" {
if strings.Contains(flags.oidc.requestAudience, ".pinniped.dev") {
return nil, fmt.Errorf("request audience is not allowed to include the substring '.pinniped.dev': %s", flags.oidc.requestAudience)
}
execConfig.Args = append(execConfig.Args, "--request-audience="+flags.oidc.requestAudience)
}
if flags.oidc.upstreamIDPName != "" {
@ -399,7 +416,7 @@ func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.I
return credentialIssuer, nil
}
func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log logr.Logger) error {
func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, log plog.MinLogger) error {
// Autodiscover the --concierge-mode.
frontend, err := getConciergeFrontend(credentialIssuer, flags.concierge.mode)
if err != nil {
@ -447,7 +464,7 @@ func discoverConciergeParams(credentialIssuer *configv1alpha1.CredentialIssuer,
return nil
}
func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log logr.Logger) {
func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.MinLogger) {
for _, strategy := range credentialIssuer.Status.Strategies {
log.Info("found CredentialIssuer strategy",
"type", strategy.Type,
@ -458,7 +475,7 @@ func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log logr.L
}
}
func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log logr.Logger) error {
func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
switch auth := authenticator.(type) {
case *conciergev1alpha1.WebhookAuthenticator:
// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
@ -557,7 +574,7 @@ func newExecKubeconfig(cluster *clientcmdapi.Cluster, execConfig *clientcmdapi.E
}
}
func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log logr.Logger) (*configv1alpha1.CredentialIssuer, error) {
func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string, log plog.MinLogger) (*configv1alpha1.CredentialIssuer, error) {
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
defer cancelFunc()
@ -583,7 +600,7 @@ func lookupCredentialIssuer(clientset conciergeclientset.Interface, name string,
return result, nil
}
func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string, log logr.Logger) (metav1.Object, error) {
func lookupAuthenticator(clientset conciergeclientset.Interface, authType, authName string, log plog.MinLogger) (metav1.Object, error) {
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
defer cancelFunc()
@ -644,7 +661,7 @@ func writeConfigAsYAML(out io.Writer, config clientcmdapi.Config) error {
return nil
}
func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconfig clientcmdapi.Config, log logr.Logger) error {
func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconfig clientcmdapi.Config, log plog.MinLogger) error {
if flags.skipValidate {
return nil
}
@ -707,7 +724,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
log.Info("validated connection to the cluster", "attempts", attempts)
return nil
}
log.Error(err, "could not connect to cluster, retrying...", "attempts", attempts, "remaining", time.Until(deadline).Round(time.Second).String())
log.Info("could not connect to cluster, retrying...", "error", err, "attempts", attempts, "remaining", time.Until(deadline).Round(time.Second).String())
}
}
}
@ -715,6 +732,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
func countCACerts(pemData []byte) int {
pool := x509.NewCertPool()
pool.AppendCertsFromPEM(pemData)
//nolint:staticcheck // since we're not using .Subjects() to access the system pool
return len(pool.Subjects())
}
@ -727,21 +745,75 @@ func hasPendingStrategy(credentialIssuer *configv1alpha1.CredentialIssuer) bool
return false
}
func discoverSupervisorUpstreamIDP(ctx context.Context, flags *getKubeconfigParams) error {
httpClient, err := newDiscoveryHTTPClient(flags.oidc.caBundle)
func pinnipedSupervisorDiscovery(ctx context.Context, flags *getKubeconfigParams, log plog.MinLogger) error {
// Make a client suitable for calling the provider, which may or may not be a Pinniped Supervisor.
oidcProviderHTTPClient, err := newDiscoveryHTTPClient(flags.oidc.caBundle)
if err != nil {
return err
}
pinnipedIDPsEndpoint, err := discoverIDPsDiscoveryEndpointURL(ctx, flags.oidc.issuer, httpClient)
// Call the provider's discovery endpoint, but don't parse the results yet.
discoveredProvider, err := discoverOIDCProvider(ctx, flags.oidc.issuer, oidcProviderHTTPClient)
if err != nil {
return err
}
// Parse the discovery response to find the Supervisor IDP discovery endpoint.
pinnipedIDPsEndpoint, err := discoverIDPsDiscoveryEndpointURL(discoveredProvider)
if err != nil {
return err
}
if pinnipedIDPsEndpoint == "" {
// The issuer is not advertising itself as a Pinniped Supervisor which supports upstream IDP discovery.
// Since this field is not present, then assume that the provider is not a Pinniped Supervisor. This field
// was added to the discovery response in v0.9.0, which is so long ago that we can assume there are no such
// old Supervisors in the wild which need to work with this CLI command anymore. Since the issuer is not a
// Supervisor, then there is no need to do the rest of the Supervisor-specific business logic below related
// to username/groups scopes or IDP types/names/flows.
return nil
}
// Now that we know that the provider is a Supervisor, perform an additional check based on its response.
// The username and groups scopes were added to the Supervisor in v0.20.0, and were also added to the
// "scopes_supported" field in the discovery response in that same version. If this CLI command is talking
// to an older Supervisor, then remove the username and groups scopes from the list of requested scopes
// since they will certainly cause an error from the old Supervisor during authentication.
supervisorSupportsBothUsernameAndGroupsScopes, err := discoverScopesSupportedIncludesBothUsernameAndGroups(discoveredProvider)
if err != nil {
return err
}
if !supervisorSupportsBothUsernameAndGroupsScopes {
flags.oidc.scopes = slices.Filter(nil, flags.oidc.scopes, func(scope string) bool {
if scope == oidcapi.ScopeUsername || scope == oidcapi.ScopeGroups {
log.Info("removed scope from --oidc-scopes list because it is not supported by this Supervisor", "scope", scope)
return false // Remove username and groups scopes if there were present in the flags.
}
return true // Keep any other scopes in the flag list.
})
}
// If any upstream IDP flags are not already set, then try to discover Supervisor upstream IDP details.
// When all the upstream IDP flags are set by the user, then skip discovery and don't validate their input.
// Maybe they know something that we can't know, like the name of an IDP that they are going to define in the
// future.
if flags.oidc.upstreamIDPType == "" || flags.oidc.upstreamIDPName == "" || flags.oidc.upstreamIDPFlow == "" {
if err := discoverSupervisorUpstreamIDP(ctx, pinnipedIDPsEndpoint, oidcProviderHTTPClient, flags, log); err != nil {
return err
}
}
return nil
}
func discoverOIDCProvider(ctx context.Context, issuer string, httpClient *http.Client) (*coreosoidc.Provider, error) {
discoveredProvider, err := coreosoidc.NewProvider(coreosoidc.ClientContext(ctx, httpClient), issuer)
if err != nil {
return nil, fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
}
return discoveredProvider, nil
}
func discoverSupervisorUpstreamIDP(ctx context.Context, pinnipedIDPsEndpoint string, httpClient *http.Client, flags *getKubeconfigParams, log plog.MinLogger) error {
discoveredUpstreamIDPs, err := discoverAllAvailableSupervisorUpstreamIDPs(ctx, pinnipedIDPsEndpoint, httpClient)
if err != nil {
return err
@ -759,7 +831,7 @@ func discoverSupervisorUpstreamIDP(ctx context.Context, flags *getKubeconfigPara
return err
}
selectedIDPFlow, err := selectUpstreamIDPFlow(discoveredIDPFlows, selectedIDPName, selectedIDPType, flags.oidc.upstreamIDPFlow)
selectedIDPFlow, err := selectUpstreamIDPFlow(discoveredIDPFlows, selectedIDPName, selectedIDPType, flags.oidc.upstreamIDPFlow, log)
if err != nil {
return err
}
@ -781,21 +853,24 @@ func newDiscoveryHTTPClient(caBundleFlag caBundleFlag) (*http.Client, error) {
return phttp.Default(rootCAs), nil
}
func discoverIDPsDiscoveryEndpointURL(ctx context.Context, issuer string, httpClient *http.Client) (string, error) {
discoveredProvider, err := oidc.NewProvider(oidc.ClientContext(ctx, httpClient), issuer)
if err != nil {
return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
}
func discoverIDPsDiscoveryEndpointURL(discoveredProvider *coreosoidc.Provider) (string, error) {
var body idpdiscoveryv1alpha1.OIDCDiscoveryResponse
err = discoveredProvider.Claims(&body)
err := discoveredProvider.Claims(&body)
if err != nil {
return "", fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
}
return body.SupervisorDiscovery.PinnipedIDPsEndpoint, nil
}
func discoverScopesSupportedIncludesBothUsernameAndGroups(discoveredProvider *coreosoidc.Provider) (bool, error) {
var body discoveryResponseScopesSupported
err := discoveredProvider.Claims(&body)
if err != nil {
return false, fmt.Errorf("while fetching OIDC discovery data from issuer: %w", err)
}
return slices.Contains(body.ScopesSupported, oidcapi.ScopeUsername) && slices.Contains(body.ScopesSupported, oidcapi.ScopeGroups), nil
}
func discoverAllAvailableSupervisorUpstreamIDPs(ctx context.Context, pinnipedIDPsEndpoint string, httpClient *http.Client) ([]idpdiscoveryv1alpha1.PinnipedIDP, error) {
request, err := http.NewRequestWithContext(ctx, http.MethodGet, pinnipedIDPsEndpoint, nil)
if err != nil {
@ -813,7 +888,7 @@ func discoverAllAvailableSupervisorUpstreamIDPs(ctx context.Context, pinnipedIDP
return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: unexpected http response status: %s", response.Status)
}
rawBody, err := ioutil.ReadAll(response.Body)
rawBody, err := io.ReadAll(response.Body)
if err != nil {
return nil, fmt.Errorf("unable to fetch IDP discovery data from issuer: could not read response body: %w", err)
}
@ -899,7 +974,7 @@ func selectUpstreamIDPNameAndType(pinnipedIDPs []idpdiscoveryv1alpha1.PinnipedID
}
}
func selectUpstreamIDPFlow(discoveredIDPFlows []idpdiscoveryv1alpha1.IDPFlow, selectedIDPName string, selectedIDPType idpdiscoveryv1alpha1.IDPType, specifiedFlow string) (idpdiscoveryv1alpha1.IDPFlow, error) {
func selectUpstreamIDPFlow(discoveredIDPFlows []idpdiscoveryv1alpha1.IDPFlow, selectedIDPName string, selectedIDPType idpdiscoveryv1alpha1.IDPType, specifiedFlow string, log plog.MinLogger) (idpdiscoveryv1alpha1.IDPFlow, error) {
switch {
case len(discoveredIDPFlows) == 0:
// No flows listed by discovery means that we are talking to an old Supervisor from before this feature existed.
@ -923,10 +998,9 @@ func selectUpstreamIDPFlow(discoveredIDPFlows []idpdiscoveryv1alpha1.IDPFlow, se
return discoveredIDPFlows[0], nil
default:
// The user did not specify a flow, and more than one was found.
return "", fmt.Errorf(
"multiple client flows for Supervisor upstream identity provider %q of type %q were found, "+
"so the --upstream-identity-provider-flow flag must be specified. "+
"Found these flows: %v",
selectedIDPName, selectedIDPType, discoveredIDPFlows)
log.Info("multiple client flows found, selecting first value as default",
"idpName", selectedIDPName, "idpType", selectedIDPType,
"selectedFlow", discoveredIDPFlows[0].String(), "availableFlows", discoveredIDPFlows)
return discoveredIDPFlows[0], nil
}
}

File diff suppressed because it is too large Load Diff

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -7,18 +7,30 @@ import (
"github.com/spf13/cobra"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"k8s.io/client-go/tools/auth/exec"
"go.pinniped.dev/internal/here"
)
//nolint: gochecknoglobals
//nolint:gochecknoglobals
var loginCmd = &cobra.Command{
Use: "login",
Short: "login",
Long: "Login to a Pinniped server",
Short: "Authenticates with one of [oidc, static]",
Long: here.Doc(
`Authenticates with one of [oidc, static]
Use "pinniped get kubeconfig" to generate a kubeconfig file which will include
one of these login subcommands in its configuration. The oidc and static
subcommands are not meant to be invoked directly by a user.
The oidc and static subcommands are Kubernetes client-go credential plugins
which are meant to be configured inside a kubeconfig file. (See the Kubernetes
authentication documentation for more information about client-go credential
plugins.)`,
),
SilenceUsage: true, // Do not print usage message when commands fail.
Hidden: true, // These commands are not really meant to be used directly by users, so it's confusing to have them discoverable.
}
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
rootCmd.AddCommand(loginCmd)
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -9,22 +9,21 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"strings"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"k8s.io/klog/v2/klogr"
idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
"go.pinniped.dev/internal/execcredcache"
"go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/net/phttp"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/pkg/conciergeclient"
@ -33,7 +32,16 @@ import (
"go.pinniped.dev/pkg/oidcclient/oidctypes"
)
//nolint: gochecknoinits
const (
// The user may override the flow selection made by `--upstream-identity-provider-flow` using an env var.
// This allows the user to override their default flow selected inside their Pinniped-compatible kubeconfig file.
// A user might want to use this env var, for example, to choose the "browser_authcode" flow when using a kubeconfig
// which specifies "cli_password" when using an IDE plugin where there is no interactive CLI available. This allows
// the user to use one kubeconfig file for both flows.
upstreamIdentityProviderFlowEnvVarName = "PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW"
)
//nolint:gochecknoinits
func init() {
loginCmd.AddCommand(oidcLoginCommand(oidcLoginCommandRealDeps()))
}
@ -84,15 +92,26 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
Args: cobra.NoArgs,
Use: "oidc --issuer ISSUER",
Short: "Login using an OpenID Connect provider",
SilenceUsage: true,
Long: here.Doc(
`Login using an OpenID Connect provider
Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
login command in its configuration. This login command is not meant to be
invoked directly by a user.
This login command is a Kubernetes client-go credential plugin which is meant to
be configured inside a kubeconfig file. (See the Kubernetes authentication
documentation for more information about client-go credential plugins.)`,
),
SilenceUsage: true, // do not print usage message when commands fail
}
flags oidcLoginFlags
conciergeNamespace string // unused now
)
cmd.Flags().StringVar(&flags.issuer, "issuer", "", "OpenID Connect issuer URL")
cmd.Flags().StringVar(&flags.clientID, "client-id", "pinniped-cli", "OpenID Connect client ID")
cmd.Flags().StringVar(&flags.clientID, "client-id", oidcapi.ClientIDPinnipedCLI, "OpenID Connect client ID")
cmd.Flags().Uint16Var(&flags.listenPort, "listen-port", 0, "TCP port for localhost listener (authorization code flow only)")
cmd.Flags().StringSliceVar(&flags.scopes, "scopes", []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID, "pinniped:request-audience"}, "OIDC scopes to request during login")
cmd.Flags().StringSliceVar(&flags.scopes, "scopes", []string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups}, "OIDC scopes to request during login")
cmd.Flags().BoolVar(&flags.skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL)")
cmd.Flags().BoolVar(&flags.skipListen, "skip-listen", false, "Skip starting a localhost callback listener (manual copy/paste flow only)")
cmd.Flags().StringVar(&flags.sessionCachePath, "session-cache", filepath.Join(mustGetConfigDir(), "sessions.yaml"), "Path to session cache file")
@ -125,7 +144,7 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
}
func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLoginFlags) error { //nolint:funlen
pLogger, err := SetLogLevel(deps.lookupEnv)
pLogger, err := SetLogLevel(cmd.Context(), deps.lookupEnv)
if err != nil {
plog.WarningErr("Received error while setting log level", err)
}
@ -133,11 +152,11 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
// Initialize the session cache.
var sessionOptions []filesession.Option
// If the hidden --debug-session-cache option is passed, log all the errors from the session cache with klog.
// If the hidden --debug-session-cache option is passed, log all the errors from the session cache.
if flags.debugSessionCache {
logger := klogr.New().WithName("session")
logger := plog.WithName("session")
sessionOptions = append(sessionOptions, filesession.WithErrorReporter(func(err error) {
logger.Error(err, "error during session cache operation")
logger.Error("error during session cache operation", err)
}))
}
sessionCache := filesession.New(flags.sessionCachePath, sessionOptions...)
@ -145,7 +164,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
// Initialize the login handler.
opts := []oidcclient.Option{
oidcclient.WithContext(cmd.Context()),
oidcclient.WithLogger(klogr.New()),
oidcclient.WithLogger(plog.Logr()), //nolint:staticcheck // old code with lots of log statements
oidcclient.WithScopes(flags.scopes),
oidcclient.WithSessionCache(sessionCache),
}
@ -166,6 +185,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
flowOpts, err := flowOptions(
idpdiscoveryv1alpha1.IDPType(flags.upstreamIdentityProviderType),
idpdiscoveryv1alpha1.IDPFlow(flags.upstreamIdentityProviderFlow),
deps,
)
if err != nil {
return err
@ -251,9 +271,21 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
return json.NewEncoder(cmd.OutOrStdout()).Encode(cred)
}
func flowOptions(requestedIDPType idpdiscoveryv1alpha1.IDPType, requestedFlow idpdiscoveryv1alpha1.IDPFlow) ([]oidcclient.Option, error) {
func flowOptions(
requestedIDPType idpdiscoveryv1alpha1.IDPType,
requestedFlow idpdiscoveryv1alpha1.IDPFlow,
deps oidcLoginCommandDeps,
) ([]oidcclient.Option, error) {
useCLIFlow := []oidcclient.Option{oidcclient.WithCLISendingCredentials()}
// If the env var is set to override the --upstream-identity-provider-type flag, then override it.
flowOverride, hasFlowOverride := deps.lookupEnv(upstreamIdentityProviderFlowEnvVarName)
flowSource := "--upstream-identity-provider-flow"
if hasFlowOverride {
requestedFlow = idpdiscoveryv1alpha1.IDPFlow(flowOverride)
flowSource = upstreamIdentityProviderFlowEnvVarName
}
switch requestedIDPType {
case idpdiscoveryv1alpha1.IDPTypeOIDC:
switch requestedFlow {
@ -263,19 +295,21 @@ func flowOptions(requestedIDPType idpdiscoveryv1alpha1.IDPType, requestedFlow id
return nil, nil // browser authcode flow is the default Option, so don't need to return an Option here
default:
return nil, fmt.Errorf(
"--upstream-identity-provider-flow value not recognized for identity provider type %q: %s (supported values: %s)",
requestedIDPType, requestedFlow, strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String(), idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()}, ", "))
"%s value not recognized for identity provider type %q: %s (supported values: %s)",
flowSource, requestedIDPType, requestedFlow,
strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String(), idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()}, ", "))
}
case idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory:
switch requestedFlow {
case idpdiscoveryv1alpha1.IDPFlowCLIPassword, "":
return useCLIFlow, nil
case idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode:
fallthrough // not supported for LDAP providers, so fallthrough to error case
return nil, nil // browser authcode flow is the default Option, so don't need to return an Option here
default:
return nil, fmt.Errorf(
"--upstream-identity-provider-flow value not recognized for identity provider type %q: %s (supported values: %s)",
requestedIDPType, requestedFlow, []string{idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()})
"%s value not recognized for identity provider type %q: %s (supported values: %s)",
flowSource, requestedIDPType, requestedFlow,
strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowCLIPassword.String(), idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String()}, ", "))
}
default:
// Surprisingly cobra does not support this kind of flag validation. See https://github.com/spf13/pflag/issues/236
@ -294,7 +328,7 @@ func flowOptions(requestedIDPType idpdiscoveryv1alpha1.IDPType, requestedFlow id
func makeClient(caBundlePaths []string, caBundleData []string) (*http.Client, error) {
pool := x509.NewCertPool()
for _, p := range caBundlePaths {
pem, err := ioutil.ReadFile(p)
pem, err := os.ReadFile(p)
if err != nil {
return nil, fmt.Errorf("could not read --ca-bundle: %w", err)
}
@ -326,22 +360,26 @@ func tokenCredential(token *oidctypes.Token) *clientauthv1beta1.ExecCredential {
return &cred
}
func SetLogLevel(lookupEnv func(string) (string, bool)) (plog.Logger, error) {
func SetLogLevel(ctx context.Context, lookupEnv func(string) (string, bool)) (plog.Logger, error) {
debug, _ := lookupEnv("PINNIPED_DEBUG")
if debug == "true" {
err := plog.ValidateAndSetLogLevelGlobally(plog.LevelDebug)
err := plog.ValidateAndSetLogLevelAndFormatGlobally(ctx, plog.LogSpec{Level: plog.LevelDebug, Format: plog.FormatCLI})
if err != nil {
return nil, err
}
}
logger := plog.New("Pinniped login: ")
logger := plog.New().WithName("pinniped-login")
return logger, nil
}
// mustGetConfigDir returns a directory that follows the XDG base directory convention:
// $XDG_CONFIG_HOME defines the base directory relative to which user specific configuration files should
// be stored. If $XDG_CONFIG_HOME is either not set or empty, a default equal to $HOME/.config should be used.
// [1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
/*
mustGetConfigDir returns a directory that follows the XDG base directory convention:
$XDG_CONFIG_HOME defines the base directory relative to which user specific configuration files should
be stored. If $XDG_CONFIG_HOME is either not set or empty, a default equal to $HOME/.config should be used.
[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
*/
func mustGetConfigDir() string {
const xdgAppName = "pinniped"

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -8,20 +8,21 @@ import (
"context"
"encoding/base64"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"k8s.io/klog/v2"
clocktesting "k8s.io/utils/clock/testing"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/testutil/testlogger"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/pkg/conciergeclient"
"go.pinniped.dev/pkg/oidcclient"
"go.pinniped.dev/pkg/oidcclient/oidctypes"
@ -32,12 +33,16 @@ func TestLoginOIDCCommand(t *testing.T) {
testCA, err := certauthority.New("Test CA", 1*time.Hour)
require.NoError(t, err)
tmpdir := testutil.TempDir(t)
tmpdir := t.TempDir()
testCABundlePath := filepath.Join(tmpdir, "testca.pem")
require.NoError(t, ioutil.WriteFile(testCABundlePath, testCA.Bundle(), 0600))
require.NoError(t, os.WriteFile(testCABundlePath, testCA.Bundle(), 0600))
time1 := time.Date(3020, 10, 12, 13, 14, 15, 16, time.UTC)
now, err := time.Parse(time.RFC3339Nano, "2028-10-11T23:37:26.953313745Z")
require.NoError(t, err)
nowStr := now.Local().Format(time.RFC1123)
tests := []struct {
name string
args []string
@ -56,6 +61,14 @@ func TestLoginOIDCCommand(t *testing.T) {
wantStdout: here.Doc(`
Login using an OpenID Connect provider
Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
login command in its configuration. This login command is not meant to be
invoked directly by a user.
This login command is a Kubernetes client-go credential plugin which is meant to
be configured inside a kubeconfig file. (See the Kubernetes authentication
documentation for more information about client-go credential plugins.)
Usage:
oidc --issuer ISSUER [flags]
@ -74,7 +87,7 @@ func TestLoginOIDCCommand(t *testing.T) {
--issuer string OpenID Connect issuer URL
--listen-port uint16 TCP port for localhost listener (authorization code flow only)
--request-audience string Request a token with an alternate audience using RFC8693 token exchange
--scopes strings OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience])
--scopes strings OIDC scopes to request during login (default [offline_access,openid,pinniped:request-audience,username,groups])
--session-cache string Path to session cache file (default "` + cfgDir + `/sessions.yaml")
--skip-browser Skip opening the browser (just print the URL)
--upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
@ -142,7 +155,7 @@ func TestLoginOIDCCommand(t *testing.T) {
`),
},
{
name: "invalid upstream type",
name: "invalid upstream type is an error",
args: []string{
"--issuer", "test-issuer",
"--upstream-identity-provider-type", "invalid",
@ -152,6 +165,18 @@ func TestLoginOIDCCommand(t *testing.T) {
Error: --upstream-identity-provider-type value not recognized: invalid (supported values: oidc, ldap, activedirectory)
`),
},
{
name: "invalid upstream type when flow override env var is used is still an error",
args: []string{
"--issuer", "test-issuer",
"--upstream-identity-provider-type", "invalid",
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-type value not recognized: invalid (supported values: oidc, ldap, activedirectory)
`),
},
{
name: "oidc upstream type with default flow is allowed",
args: []string{
@ -187,6 +212,32 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with with browser flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with unsupported flow is an error",
args: []string{
@ -201,6 +252,21 @@ func TestLoginOIDCCommand(t *testing.T) {
Error: --upstream-identity-provider-flow value not recognized for identity provider type "oidc": foobar (supported values: browser_authcode, cli_password)
`),
},
{
name: "oidc upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "oidc": foo (supported values: browser_authcode, cli_password)
`),
},
{
name: "ldap upstream type with default flow is allowed",
args: []string{
@ -235,18 +301,71 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with browser_authcode flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with browser_authcode flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with unsupported flow is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode", // "browser_authcode" is only supported for OIDC upstreams
"--upstream-identity-provider-flow", "foo",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-flow value not recognized for identity provider type "ldap": browser_authcode (supported values: [cli_password])
Error: --upstream-identity-provider-flow value not recognized for identity provider type "ldap": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "ldap upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "ldap": foo (supported values: cli_password, browser_authcode)
`),
},
{
@ -261,18 +380,71 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with browser_authcode is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with browser_authcode in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with unsupported flow is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode", // "browser_authcode" is only supported for OIDC upstreams
"--upstream-identity-provider-flow", "foo",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-flow value not recognized for identity provider type "activedirectory": browser_authcode (supported values: [cli_password])
Error: --upstream-identity-provider-flow value not recognized for identity provider type "activedirectory": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "active directory upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "activedirectory": foo (supported values: cli_password, browser_authcode)
`),
},
{
@ -318,8 +490,8 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
wantLogs: []string{
"\"level\"=0 \"msg\"=\"Pinniped login: Performing OIDC login\" \"client id\"=\"test-client-id\" \"issuer\"=\"test-issuer\"",
"\"level\"=0 \"msg\"=\"Pinniped login: No concierge configured, skipping token credential exchange\"",
nowStr + ` pinniped-login cmd/login_oidc.go:243 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:263 No concierge configured, skipping token credential exchange`,
},
},
{
@ -340,7 +512,7 @@ func TestLoginOIDCCommand(t *testing.T) {
"--concierge-endpoint", "https://127.0.0.1:1234/",
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
"--concierge-api-group-suffix", "some.suffix.com",
"--credential-cache", testutil.TempDir(t) + "/credentials.yaml", // must specify --credential-cache or else the cache file on disk causes test pollution
"--credential-cache", t.TempDir() + "/credentials.yaml", // must specify --credential-cache or else the cache file on disk causes test pollution
"--upstream-identity-provider-name", "some-upstream-name",
"--upstream-identity-provider-type", "ldap",
},
@ -348,18 +520,20 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 11,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
wantLogs: []string{
"\"level\"=0 \"msg\"=\"Pinniped login: Performing OIDC login\" \"client id\"=\"test-client-id\" \"issuer\"=\"test-issuer\"",
"\"level\"=0 \"msg\"=\"Pinniped login: Exchanging token for cluster credential\" \"authenticator name\"=\"test-authenticator\" \"authenticator type\"=\"webhook\" \"endpoint\"=\"https://127.0.0.1:1234/\"",
"\"level\"=0 \"msg\"=\"Pinniped login: Successfully exchanged token for cluster credential.\"",
"\"level\"=0 \"msg\"=\"Pinniped login: caching cluster credential for future use.\"",
nowStr + ` pinniped-login cmd/login_oidc.go:243 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:253 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:261 Successfully exchanged token for cluster credential.`,
nowStr + ` pinniped-login cmd/login_oidc.go:268 caching cluster credential for future use.`,
},
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
testLogger := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
klog.SetLogger(testLogger.Logger)
var buf bytes.Buffer
fakeClock := clocktesting.NewFakeClock(now)
ctx := plog.TestZapOverrides(context.Background(), t, &buf, nil, zap.WithClock(plog.ZapClock(fakeClock)))
var (
gotOptions []oidcclient.Option
)
@ -404,7 +578,7 @@ func TestLoginOIDCCommand(t *testing.T) {
cmd.SetOut(&stdout)
cmd.SetErr(&stderr)
cmd.SetArgs(tt.args)
err := cmd.Execute()
err = cmd.ExecuteContext(ctx)
if tt.wantError {
require.Error(t, err)
} else {
@ -414,7 +588,15 @@ func TestLoginOIDCCommand(t *testing.T) {
require.Equal(t, tt.wantStderr, stderr.String(), "unexpected stderr")
require.Len(t, gotOptions, tt.wantOptionsCount)
require.Equal(t, tt.wantLogs, testLogger.Lines())
require.Equal(t, tt.wantLogs, logLines(buf.String()))
})
}
}
func logLines(logs string) []string {
if len(logs) == 0 {
return nil
}
return strings.Split(strings.TrimSpace(logs), "\n")
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -7,7 +7,6 @@ import (
"context"
"encoding/json"
"fmt"
"io"
"os"
"path/filepath"
"time"
@ -17,12 +16,13 @@ import (
"go.pinniped.dev/internal/execcredcache"
"go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/pkg/conciergeclient"
"go.pinniped.dev/pkg/oidcclient/oidctypes"
)
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
loginCmd.AddCommand(staticLoginCommand(staticLoginRealDeps()))
}
@ -59,7 +59,18 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
Args: cobra.NoArgs,
Use: "static [--token TOKEN] [--token-env TOKEN_NAME]",
Short: "Login using a static token",
SilenceUsage: true,
Long: here.Doc(
`Login using a static token
Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
login command in its configuration. This login command is not meant to be
invoked directly by a user.
This login command is a Kubernetes client-go credential plugin which is meant to
be configured inside a kubeconfig file. (See the Kubernetes authentication
documentation for more information about client-go credential plugins.)`,
),
SilenceUsage: true, // do not print usage message when commands fail
}
flags staticLoginParams
conciergeNamespace string // unused now
@ -75,7 +86,7 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
cmd.Flags().StringVar(&flags.credentialCachePath, "credential-cache", filepath.Join(mustGetConfigDir(), "credentials.yaml"), "Path to cluster-specific credentials cache (\"\" disables the cache)")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd.OutOrStdout(), deps, flags) }
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd, deps, flags) }
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
@ -83,8 +94,9 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
return cmd
}
func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams) error {
pLogger, err := SetLogLevel(deps.lookupEnv)
func runStaticLogin(cmd *cobra.Command, deps staticLoginDeps, flags staticLoginParams) error {
out := cmd.OutOrStdout()
pLogger, err := SetLogLevel(cmd.Context(), deps.lookupEnv)
if err != nil {
plog.WarningErr("Received error while setting log level", err)
}

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -7,22 +7,20 @@ import (
"bytes"
"context"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"testing"
"time"
"k8s.io/klog/v2"
"go.pinniped.dev/internal/testutil/testlogger"
"github.com/stretchr/testify/require"
"go.uber.org/zap"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
clocktesting "k8s.io/utils/clock/testing"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/pkg/conciergeclient"
)
@ -31,9 +29,13 @@ func TestLoginStaticCommand(t *testing.T) {
testCA, err := certauthority.New("Test CA", 1*time.Hour)
require.NoError(t, err)
tmpdir := testutil.TempDir(t)
tmpdir := t.TempDir()
testCABundlePath := filepath.Join(tmpdir, "testca.pem")
require.NoError(t, ioutil.WriteFile(testCABundlePath, testCA.Bundle(), 0600))
require.NoError(t, os.WriteFile(testCABundlePath, testCA.Bundle(), 0600))
now, err := time.Parse(time.RFC3339Nano, "2038-12-07T23:37:26.953313745Z")
require.NoError(t, err)
nowStr := now.Local().Format(time.RFC1123)
tests := []struct {
name string
@ -53,6 +55,14 @@ func TestLoginStaticCommand(t *testing.T) {
wantStdout: here.Doc(`
Login using a static token
Use "pinniped get kubeconfig" to generate a kubeconfig file which includes this
login command in its configuration. This login command is not meant to be
invoked directly by a user.
This login command is a Kubernetes client-go credential plugin which is meant to
be configured inside a kubeconfig file. (See the Kubernetes authentication
documentation for more information about client-go credential plugins.)
Usage:
static [--token TOKEN] [--token-env TOKEN_NAME] [flags]
@ -136,7 +146,9 @@ func TestLoginStaticCommand(t *testing.T) {
wantStderr: here.Doc(`
Error: could not complete Concierge credential exchange: some concierge error
`),
wantLogs: []string{"\"level\"=0 \"msg\"=\"Pinniped login: exchanging static token for cluster credential\" \"authenticator name\"=\"test-authenticator\" \"authenticator type\"=\"webhook\" \"endpoint\"=\"https://127.0.0.1/\""},
wantLogs: []string{
nowStr + ` pinniped-login cmd/login_static.go:159 exchanging static token for cluster credential {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
},
},
{
name: "invalid API group suffix",
@ -165,8 +177,10 @@ func TestLoginStaticCommand(t *testing.T) {
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
testLogger := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
klog.SetLogger(testLogger.Logger)
var buf bytes.Buffer
fakeClock := clocktesting.NewFakeClock(now)
ctx := plog.TestZapOverrides(context.Background(), t, &buf, nil, zap.WithClock(plog.ZapClock(fakeClock)))
cmd := staticLoginCommand(staticLoginDeps{
lookupEnv: func(s string) (string, bool) {
v, ok := tt.env[s]
@ -194,7 +208,7 @@ func TestLoginStaticCommand(t *testing.T) {
cmd.SetOut(&stdout)
cmd.SetErr(&stderr)
cmd.SetArgs(tt.args)
err := cmd.Execute()
err := cmd.ExecuteContext(ctx)
if tt.wantError {
require.Error(t, err)
} else {
@ -203,7 +217,7 @@ func TestLoginStaticCommand(t *testing.T) {
require.Equal(t, tt.wantStdout, stdout.String(), "unexpected stdout")
require.Equal(t, tt.wantStderr, stderr.String(), "unexpected stderr")
require.Equal(t, tt.wantLogs, testLogger.Lines())
require.Equal(t, tt.wantLogs, logLines(buf.String()))
})
}
}

View File

@ -1,26 +1,35 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"os"
"context"
"github.com/spf13/cobra"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/plog"
)
//nolint: gochecknoglobals
//nolint:gochecknoglobals
var rootCmd = &cobra.Command{
Use: "pinniped",
Short: "pinniped",
Long: "pinniped is the client-side binary for use with Pinniped-enabled Kubernetes clusters.",
Long: here.Doc(
`The Pinniped CLI is the client-side binary for use with Pinniped-enabled Kubernetes clusters
Find more information at: https://pinniped.dev`,
),
SilenceUsage: true, // do not print usage message when commands fail
}
// Execute adds all child commands to the root command and sets flags appropriately.
// This is called by main.main(). It only needs to happen once to the rootCmd.
func Execute() {
if err := rootCmd.Execute(); err != nil {
os.Exit(1)
func Execute() error {
defer plog.Setup()()
// the context does not matter here because it is unused when CLI formatting is provided
if err := plog.ValidateAndSetLogLevelAndFormatGlobally(context.Background(), plog.LogSpec{Format: plog.FormatCLI}); err != nil {
return err
}
return rootCmd.Execute()
}

View File

@ -1,28 +1,61 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"encoding/json"
"fmt"
"github.com/spf13/cobra"
"k8s.io/component-base/version"
"sigs.k8s.io/yaml"
"go.pinniped.dev/internal/pversion"
)
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
rootCmd.AddCommand(newVersionCommand())
}
//nolint:gochecknoglobals
var (
output = new(string)
// getBuildInfo can be overwritten by tests.
getBuildInfo = pversion.Get
)
func newVersionCommand() *cobra.Command {
return &cobra.Command{
RunE: func(cmd *cobra.Command, _ []string) error {
fmt.Fprintf(cmd.OutOrStdout(), "%#v\n", version.Get())
return nil
},
c := &cobra.Command{
RunE: runner,
Args: cobra.NoArgs, // do not accept positional arguments for this command
Use: "version",
Short: "Print the version of this Pinniped CLI",
}
c.Flags().StringVarP(output, "output", "o", "", "one of 'yaml' or 'json'")
return c
}
func runner(cmd *cobra.Command, _ []string) error {
buildVersion := getBuildInfo()
switch {
case output == nil || *output == "":
_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n", buildVersion.GitVersion)
case *output == "json":
bytes, err := json.MarshalIndent(buildVersion, "", " ")
if err != nil {
return err
}
_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s\n", bytes)
case *output == "yaml":
bytes, err := yaml.Marshal(buildVersion)
if err != nil {
return err
}
_, _ = fmt.Fprint(cmd.OutOrStdout(), string(bytes))
default:
return fmt.Errorf("'%s' is not a valid option for output", *output)
}
return nil
}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -9,8 +9,10 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
apimachineryversion "k8s.io/apimachinery/pkg/version"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/pversion"
)
var (
@ -20,7 +22,7 @@ var (
Flags:
-h, --help help for version
-o, --output string one of 'yaml' or 'json'
`)
knownGoodHelpRegexpForVersion = here.Doc(`
@ -31,15 +33,43 @@ var (
Flags:
-h, --help help for version
-o, --output string one of 'yaml' or 'json'
`)
emptyVersionRegexp = `version.Info{Major:"", Minor:"", GitVersion:".*", GitCommit:".*", GitTreeState:"", BuildDate:".*", GoVersion:".*", Compiler:".*", Platform:".*/.*"}`
jsonRegexp = here.Doc(`{
"major": "\d*",
"minor": "\d*",
"gitVersion": "i am a version for json output",
"gitCommit": ".*",
"gitTreeState": ".*",
"buildDate": ".*",
"goVersion": ".*",
"compiler": ".*",
"platform": ".*/.*"
}`)
yamlRegexp = here.Doc(`buildDate: ".*"
compiler: .*
gitCommit: .*
gitTreeState: .*
gitVersion: i am a version for yaml output
goVersion: .*
major: "\d*"
minor: "\d*"
platform: .*/.*
`)
)
func TestNewVersionCmd(t *testing.T) {
t.Cleanup(func() {
getBuildInfo = pversion.Get
})
tests := []struct {
name string
args []string
vars string
getBuildInfo func() apimachineryversion.Info
wantError bool
wantStdoutRegexp string
wantStderrRegexp string
@ -47,7 +77,10 @@ func TestNewVersionCmd(t *testing.T) {
{
name: "no flags",
args: []string{},
wantStdoutRegexp: emptyVersionRegexp + "\n",
getBuildInfo: func() apimachineryversion.Info {
return apimachineryversion.Info{GitVersion: "v55.66.44"}
},
wantStdoutRegexp: "v55.66.44\n",
},
{
name: "help flag passed",
@ -61,10 +94,44 @@ func TestNewVersionCmd(t *testing.T) {
wantStderrRegexp: `Error: unknown command "tuna" for "version"`,
wantStdoutRegexp: knownGoodUsageRegexpForVersion,
},
{
name: "json output",
args: []string{"--output", "json"},
getBuildInfo: func() apimachineryversion.Info {
return apimachineryversion.Info{
GitVersion: "i am a version for json output",
Platform: "a/b",
}
},
wantStdoutRegexp: jsonRegexp,
},
{
name: "yaml output",
args: []string{"--output", "yaml"},
getBuildInfo: func() apimachineryversion.Info {
return apimachineryversion.Info{
GitVersion: "i am a version for yaml output",
Platform: "c/d",
}
},
wantStdoutRegexp: yamlRegexp,
},
{
name: "incorrect output",
args: []string{"--output", "foo"},
wantError: true,
wantStderrRegexp: `Error: 'foo' is not a valid option for output`,
wantStdoutRegexp: knownGoodUsageRegexpForVersion,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
if tt.getBuildInfo != nil {
getBuildInfo = tt.getBuildInfo
}
cmd := newVersionCommand()
require.NotNil(t, cmd)

View File

@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@ -24,7 +24,7 @@ import (
"go.pinniped.dev/internal/here"
)
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
rootCmd.AddCommand(newWhoamiCommand(getRealConciergeClientset))
}
@ -48,7 +48,7 @@ func newWhoamiCommand(getClientset getConciergeClientsetFunc) *cobra.Command {
Args: cobra.NoArgs, // do not accept positional arguments for this command
Use: "whoami",
Short: "Print information about the current user",
SilenceUsage: true,
SilenceUsage: true, // do not print usage message when commands fail
}
flags := &whoamiFlags{}

View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package main
@ -9,9 +9,11 @@ import (
"github.com/pkg/browser"
"go.pinniped.dev/cmd/pinniped/cmd"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
_ "go.pinniped.dev/internal/crypto/ptls"
)
//nolint: gochecknoinits
//nolint:gochecknoinits
func init() {
// browsers like chrome like to write to our std out which breaks our JSON ExecCredential output
// thus we redirect the browser's std out to our std err
@ -19,5 +21,7 @@ func init() {
}
func main() {
cmd.Execute()
if err := cmd.Execute(); err != nil {
os.Exit(1)
}
}

View File

@ -1,11 +1,9 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
@ -98,9 +96,15 @@ spec:
description: Represents the observations of the authenticator's current
state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition
type added in Kubernetes 1.19). In a future API version we can
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
@ -169,9 +173,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -1,11 +1,9 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
@ -71,9 +69,15 @@ spec:
description: Represents the observations of the authenticator's current
state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition
type added in Kubernetes 1.19). In a future API version we can
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
@ -142,9 +146,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -1,11 +1,9 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.13.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev
@ -104,6 +102,24 @@ spec:
- None
type: string
type: object
tls:
description: "TLS contains information about how the Concierge
impersonation proxy should serve TLS. \n If this field is empty,
the impersonation proxy will generate its own TLS certificate."
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). Used to advertise the CA bundle for the impersonation
proxy endpoint.
type: string
secretName:
description: SecretName is the name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the
TLS serving certificate for the Concierge impersonation
proxy endpoint.
minLength: 1
type: string
type: object
required:
- mode
- service
@ -239,9 +255,3 @@ spec:
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -1,4 +1,4 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
@ -12,7 +12,14 @@ apiVersion: v1
kind: Namespace
metadata:
name: #@ data.values.namespace
labels: #@ labels()
labels:
_: #@ template.replace(labels())
#! When deploying onto a cluster which has PSAs enabled by default for namespaces,
#! effectively disable them for this namespace. The kube-cert-agent Deployment's pod
#! created by the Concierge in this namespace needs to be able to perform privileged
#! actions. The regular Concierge pod containers created by the Deployment below do
#! not need special privileges and are marked as such in their securityContext settings.
pod-security.kubernetes.io/enforce: privileged
#@ end
---
apiVersion: v1
@ -86,8 +93,14 @@ data:
imagePullSecrets:
- image-pull-secret
(@ end @)
(@ if data.values.log_level or data.values.deprecated_log_format: @)
log:
(@ if data.values.log_level: @)
logLevel: (@= getAndValidateLogLevel() @)
level: (@= getAndValidateLogLevel() @)
(@ end @)
(@ if data.values.deprecated_log_format: @)
format: (@= data.values.deprecated_log_format @)
(@ end @)
(@ end @)
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
@ -121,8 +134,6 @@ spec:
#! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
#! without accidentally selecting any other Deployment's Pods, especially the kube cert agent Deployment's Pods.
_: #@ template.replace(deploymentPodLabel())
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
securityContext:
runAsUser: #@ data.values.run_as_user
@ -142,6 +153,15 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
#! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a
#! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
#! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
seccompProfile:
type: "RuntimeDefault"
resources:
requests:
cpu: "100m"
@ -221,11 +241,18 @@ spec:
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master #! Allow running on master nodes too
- key: node-role.kubernetes.io/master #! Allow running on master nodes too (name deprecated by kubernetes 1.20).
effect: NoSchedule
#! "system-cluster-critical" cannot be used outside the kube-system namespace until Kubernetes >= 1.17,
#! so we skip setting this for now (see https://github.com/kubernetes/kubernetes/issues/60596).
#!priorityClassName: system-cluster-critical
- key: node-role.kubernetes.io/control-plane #! The new name for these nodes as of Kubernetes 1.24.
effect: NoSchedule
- key: kubernetes.io/arch
effect: NoSchedule
operator: Equal
value: amd64 #! Allow running on amd64 nodes.
- key: kubernetes.io/arch
effect: NoSchedule
operator: Equal
value: arm64 #! Also allow running on arm64 nodes.
#! This will help make sure our multiple pods run on different nodes, making
#! our deployment "more" "HA".
affinity:

View File

@ -54,6 +54,10 @@ api_serving_certificate_renew_before_seconds: 2160000
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer
#! information), trace (timing information), all (kitchen sink).
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
#! By default, when this value is left unset, logs are formatted in json.
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
deprecated_log_format:
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice

View File

@ -1,4 +1,4 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
@ -65,6 +65,26 @@ spec:
imagePullPolicy: IfNotPresent
command:
- local-user-authenticator
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
#! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a
#! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
#! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
seccompProfile:
type: "RuntimeDefault"
tolerations:
- key: kubernetes.io/arch
effect: NoSchedule
operator: Equal
value: amd64 #! Allow running on amd64 nodes.
- key: kubernetes.io/arch
effect: NoSchedule
operator: Equal
value: arm64 #! Also allow running on arm64 nodes.
---
apiVersion: v1
kind: Service

Some files were not shown because too many files have changed in this diff Show More