Ryan Richard
54d530784d
upgrade to golangci-lint v2.7.2, bring back some nolint directives
2025-12-22 11:03:46 -08:00
Ryan Richard
44509d016e
standardize import of "k8s.io/client-go/kubernetes/fake"
2025-12-22 10:34:53 -08:00
Ryan Richard
9d1c65c3e6
fix deprecation of NewSimpleClientset by using NewClientset or ignoring
2025-12-19 12:00:56 -08:00
Ryan Richard
5218c20c76
upgrade linter and remove newly unused linter directives
2025-12-05 10:56:33 -08:00
Ryan Richard
cba4e2a2e8
update test expectations for new oidc error message text
2025-12-05 10:30:46 -08:00
Ryan Richard
9be6bb0b94
allow the kube cert agent deployment's strategy type to be configured
2025-10-23 18:10:19 -07:00
Joshua Casey
270594cdb1
Allow users to specify the RunAsUser and RunAsGroup for the kube-cert-agent container
2025-10-20 13:45:46 -05:00
Joshua Casey
2f68041c88
fix lint issues
2025-10-17 07:29:52 -05:00
Ryan Richard
577797d569
add new supervisor configmap option to ignore userinfo endpoints by matching issuer URLs
2025-08-27 13:22:17 -07:00
Ryan Richard
e427a5202e
add new bool supervisor configmap option to ignore userinfo endpoints
2025-08-27 12:13:15 -07:00
Ryan Richard
4fe8167f60
account for move of repo from vmware-tanzu to vmware on GitHub
2025-08-02 15:08:15 -07:00
Joshua Casey
1c1b3b7f2e
Bump golangci-lint to 2.3.0 and fix issues
2025-07-30 10:25:23 -05:00
Ryan Richard
83696fd023
improve errors and docs for JWTAuthenticator features, with int tests
2025-07-18 12:22:06 -07:00
Ryan Richard
64e5e20010
add usernameExpression and groupsExpression to JWTAuthenticator CRD
2025-07-16 14:56:44 -07:00
Ryan Richard
2a83d00373
add claimValidationRules, userValidationRules, and claims.extra to JWTAuthenticator CRD
2025-07-16 14:56:44 -07:00
Ryan Richard
7276a1df53
add new concierge configuration option kubeCertAgent.priorityClassName
2025-05-16 10:43:13 -05:00
Ryan Richard
e743beac53
upgrade k8s libs to v0.33.0
2025-05-13 11:56:03 -07:00
Ryan Richard
c600cf7949
upgrade linter to latest
2025-05-12 15:19:50 -07:00
Joshua Casey
31b45525ce
Remove deprecated CredentialIssuer.status.kubeConfigInfo
2025-01-27 10:46:55 -06:00
Ryan Richard
ae5aad178d
TokenCredentialRequest uses actual cert expiry time instead of estimate
...
and also audit logs both the NotBefore and NotAfter of the issued cert.
Implemented by changing the return type of the cert issuer helpers
to make them also return the NotBefore and NotAfter values of the new
cert, along with the key PEM and cert PEM.
2024-11-27 13:53:03 -06:00
Ryan Richard
c5f4cce3ae
make Audit() take struct as param for all optional params and redact PII
2024-11-27 13:53:01 -06:00
Ryan Richard
ced8686d11
add config for audit logging, remove Audit() from Logger interface
...
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:01 -06:00
Joshua Casey
f9e1dd4bec
Backfill unit tests for garbage_collector audit logging
2024-11-27 13:53:01 -06:00
Ryan Richard
8cf9c59957
refactor to move audit event message types to their own pkg
2024-11-27 13:53:01 -06:00
Ryan Richard
1006dd9379
resolve some todos
2024-11-27 13:53:01 -06:00
Joshua Casey
dd42f35db0
plog.TestLogger returns a buffer that holds the logs
...
# Conflicts:
# internal/controller/apicerts/certs_expirer_test.go
# internal/plog/plog_test.go
# internal/plog/testing.go
# pkg/oidcclient/login_test.go
2024-11-27 13:53:00 -06:00
Joshua Casey
b20e890f15
Add testutil.RequireLogLines to verify multiple log lines at once
2024-11-27 13:53:00 -06:00
Ryan Richard
4f9530eec7
audit logging WIP
2024-11-27 13:53:00 -06:00
Ryan Richard
e44d70b41d
kube cert agent controller avoids unschedulable nodes when possible
2024-11-25 14:20:12 -08:00
Joshua Casey
0c131f11f8
plog.TestLogger returns a buffer instead of taking one in
2024-11-07 17:46:01 -06:00
Ryan Richard
106a480dad
JWTAuthenticator must reload when spec.audience or spec.claims changes
2024-11-04 12:49:18 -08:00
Ryan Richard
f36298c542
use required headers for GitHub API connection probe request
2024-10-14 11:12:34 -07:00
Ryan Richard
dc195536d0
also use port number when checking https proxy for WebhookAuthenticator
2024-10-11 14:49:46 -07:00
Ryan Richard
4d2bbac674
use .cluster.local address for LUA (squid cannot resolve .svc addresses)
2024-10-10 14:44:14 -07:00
Ryan Richard
4f661aaa69
pay attention to web proxy settings during connection probes
...
- WebhookAuthenticator will now detect the proxy setting and skip
  dialing the connection probe if it should go through a proxy
- GitHubIdentityProvider will avoid using tls.Dial altogether
  by instead making a real request to the GitHub API as its
  connection probe, because this will respect the proxy settings
2024-10-10 10:41:31 -07:00
Joshua Casey
f7fd209f29
Address PR feedback
2024-09-24 14:14:48 -05:00
Joshua Casey
76a116641f
Add ptls.Dialer to provide some common configuration for tls.Dial operations
2024-09-24 14:14:48 -05:00
Joshua Casey
08abff1cae
Bump golangci-lint to 1.60.3
2024-09-04 20:52:01 -05:00
Joshua Casey
b78e2c7ded
Update comments for testing
2024-08-27 13:26:40 -05:00
Joshua Casey
0ee8ee80e1
Use sha256.Size
2024-08-27 13:26:39 -05:00
Joshua Casey
8bd9b94d0a
Impersonator server should take in a cancellable context instead of a stop channel
2024-08-27 13:26:39 -05:00
Joshua Casey
504f0dc26f
Fix some unit tests
2024-08-27 13:26:38 -05:00
Joshua Casey
d0f5c2c7ab
Merge branch 'main' into jtc/refactor-conditions-util
2024-08-09 11:22:59 -05:00
Ryan Richard
5e6f6a1c50
support alternate controller-manager flags in kubecertagent controller
2024-08-08 15:52:50 -07:00
Joshua Casey
bab8b54ed8
Update godoc
2024-08-08 10:38:12 -05:00
Joshua Casey
4bd5db14b4
Refactor branching logic when using an early return
2024-08-08 08:12:41 -05:00
Joshua Casey
4a9136040c
Refactor to make it obvious that newCondition is a copy
2024-08-08 08:12:41 -05:00
Joshua Casey
8b97414f3d
Refactor to simplify logic
2024-08-08 08:12:41 -05:00
Joshua Casey
1e8e9ecc98
Refactor to use slices helpers instead of harder-to-read loops
2024-08-08 08:12:41 -05:00
Joshua Casey
2d8ab9ff5d
Refactor variable name for clarity
2024-08-08 08:12:41 -05:00