djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
764a1ad7e4
ContainerImage.Pinniped/internal
History
Monis Khan cd686ffdf3
Force the use of secure TLS config 
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-11-17 16:55:35 -05:00
..
apiserviceref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
authenticators Addressing code review changes 2021-11-05 14:22:43 -07:00
certauthority certauthority: tolerate larger clock skew between API server and pinniped 2021-09-21 09:32:24 -04:00
clusterhost Introduce clusterhost package to determine whether a cluster has control plane nodes 2021-02-09 11:16:01 -08:00
concierge Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
config Remove references to impersonationConfigMap. 2021-05-26 15:24:59 -05:00
constable Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
controller Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
controllerinit kubecertagent: fix flakey tests 2021-09-16 14:48:04 -04:00
controllerlib test/integration: run parallel tests concurrently with serial tests 2021-08-26 12:59:52 -04:00
controllermanager Do not rotate impersonation proxy signer CA unless necessary 2021-10-06 12:03:49 -04:00
crud Add a comment that might be useful some day 2021-10-18 15:35:22 -07:00
crypto/ptls Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
deploymentref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
downward internal/downward: add support for (optional) pod name 2020-12-11 11:49:27 -05:00
dynamiccert Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
endpointaddr Add endpointaddr pkg for parsing host+port inputs. 2021-05-25 16:17:26 -05:00
execcredcache Add CLI caching of cluster-specific credentials. 2021-04-08 14:12:34 -05:00
fositestorage Basic upstream LDAP/AD refresh 2021-11-05 14:22:42 -07:00
fositestoragei More adjustments based on PR feedback 2021-04-27 16:54:26 -07:00
groupsuffix Remove unparam linter 2021-08-19 10:20:24 -07:00
here Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
httputil Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
issuer dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
kubeclient Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
leaderelection Ensure concierge and supervisor gracefully exit 2021-08-30 20:29:52 -04:00
localuserauthenticator Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
mocks Perform an upstream refresh during downstream refresh for OIDC upstreams 2021-10-13 12:31:20 -07:00
net/phttp Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
oidc Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
ownerref internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
plog Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
psession Basic upstream LDAP/AD refresh 2021-11-05 14:22:42 -07:00
registry token credential request: fix trace log kind 2021-09-20 15:34:05 -04:00
secret All controller unit tests should not cancel context until test is over 2021-03-04 17:26:01 -08:00
supervisor/server Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
testutil Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
upstreamldap Force the use of secure TLS config 2021-11-17 16:55:35 -05:00
upstreamoidc When performing an upstream refresh, use the configured http client 2021-10-13 14:05:00 -07:00
valuelesscontext valuelesscontext: make unit tests more clear 2021-04-30 10:43:29 -04:00