mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-05 04:56:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,816 Commits 21 Branches 50 Tags
main
Commit Graph

48 Commits

Author SHA1 Message Date
Ryan Richard
44509d016e standardize import of "k8s.io/client-go/kubernetes/fake" 2025-12-22 10:34:53 -08:00
Ryan Richard
9d1c65c3e6 fix deprecation of NewSimpleClientset by using NewClientset or ignoring 2025-12-19 12:00:56 -08:00
Joshua Casey
f798777a3b Refactor: reorder parameters to MergeConditions 2024-08-08 08:12:41 -05:00
Ryan Richard
6b49cd7d28 add Unknown SearchBaseFound status condition for AD only 2024-08-06 16:08:25 -07:00
Joshua Casey
afa3aa2232 LDAP and AD IDPs now always report condition with type LDAPConnectionValid, even if the status is unknown 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-06 16:08:25 -07:00
Joshua Casey
1c59a41cc5 Remove some dead code from LDAP/AD controllers 2024-08-06 16:08:25 -07:00
Ryan Richard
e0235ed190 update docs and change struct name in types_tls.go.tmpl files 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
9f17ba5ae4 change wording of TLS config loaded success messages 2024-08-05 11:32:20 -07:00
Ashish Amarnath
81d42cb3b9 add unit tests for validatedsettings cache storing ca bundle hash 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
a888083c50 Introduce type alias CABundleHash for the hash of a CA bundle ([32]byte) 
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
a1dcba4731 add unit tests for validatedsettings cache storing ca bundle hash 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
2a62beeb5f store ca bundle hash in validated settings cache 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
242fa8afb2 When reading CA bundle from a secret/configmap, return more specific err 
When the bundle does not contain any certs, make the error more
specific.

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
199562fd05 get all supervisor unit tests to pass 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
3a969a83b7 update supervisor controllers 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
080c75efe6 refactor tls spec validation into its own package 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Joshua Casey
bafd578866 Merge branch 'main' into jtc/add-importas-linter 2024-06-11 09:39:48 -05:00
Joshua Casey
bdd79a9984 Enforce more imports 
- go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
- go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
- go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
- go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
 2024-05-21 09:31:15 -05:00
Joshua Casey
f5116cddb4 Enable 'makezero' and 'prealloc' linters, and require 'any' instead of 'interface{}' 
Enforce importas:

- go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
- go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
 2024-05-21 09:31:15 -05:00
Joshua Casey
791b785dea Merge branch 'main' into jtc/merge-main-at-d7849c79-to-github 2024-05-10 14:22:09 -05:00
Joshua Casey
7b36c8ab54 Enable 'copyloopvar' linter 2024-05-10 12:51:02 -05:00
Joshua Casey
c9b61ef010 Populate internal GitHub IDP Config from CRD 2024-04-16 14:33:01 -05:00
Joshua Casey
bc8aebeffe Use go.uber.org/mock instead of github.com/golang/mock and rerun mock generation 2024-03-11 13:42:30 -05:00
Benjamin A. Petersen
e8482ab9e9 Update jwtauthenticator unit tests to check actions 
- Add test to verify timestamps are particularly updated
- Improve diff output in tests for actions
- Make jwtauthenticator status tests parallel
- Update copyright headers in multiple files
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
fd14a5794e ldap upstream watcher: rename local var for clarity 2024-02-27 15:45:32 -08:00
Joshua Casey
b68e7f3e9e Lightly standardize import aliases 2023-11-15 13:52:17 -06:00
Ryan Richard
86c791b8a6 reorganize federation domain packages to be more intuitive 
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
 2023-09-11 11:11:52 -07:00
Ryan Richard
7af75dfe3c First draft of implementation of multiple IDPs support 2023-09-11 11:09:49 -07:00
Joshua Casey
64f1bff13f Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions 2023-09-11 10:13:39 -07:00
Ryan Richard
c187474499 Use groupSearch.userAttributeForFilter during LDAP group searches 
Load the setting in the controller.
Use the setting during authentication and during refreshes.
 2023-05-25 14:25:17 -07:00
Ryan Richard
5aa0d91267 New controller watches OIDCClients and updates validation Conditions 2022-06-17 13:11:26 -04:00
Monis Khan
0674215ef3 Switch to go.uber.org/zap for JSON formatted logging 
Signed-off-by: Monis Khan <mok@vmware.com>
 2022-05-24 11:17:42 -04:00
Margo Crawford
fdac4d16f0 Only run group refresh when the skipGroupRefresh boolean isn't set 
for AD and LDAP
 2022-02-17 12:50:28 -08:00
Ryan Richard
092a80f849 Refactor some variable names and update one comment 
Change variable names to match previously renamed interface name.
 2022-01-14 10:06:00 -08:00
Ryan Richard
7f99d78462 Fix bug where LDAP or AD status conditions were not updated correctly 
When the LDAP and AD IDP watcher controllers encountered an update error
while trying to update the status conditions of the IDP resources, then
they would drop the computed desired new value of the condition on the
ground. Next time the controller ran it would not try to update the
condition again because it wants to use the cached settings and had
already forgotten the desired new value of the condition computed during
the previous run of the controller. This would leave the outdated value
of the condition on the IDP resource.

This bug would manifest in CI as random failures in which the expected
condition message and the actual condition message would refer to
different versions numbers of the bind secret. The actual condition
message would refer to an older version of the bind secret because the
update failed and then the new desired message got dropped on the
ground.

This commit changes the in-memory caching strategy to also cache the
computed condition messages, allowing the conditions to be updated
on the IDP resource during future calls to Sync() in the case of a
failed update.
 2022-01-07 17:19:13 -08:00
Margo Crawford
1bd346cbeb Require refresh tokens for upstream OIDC and save more session data 
- Requiring refresh tokens to be returned from upstream OIDC idps
- Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication
- Don't pass access=offline all the time
 2021-10-08 15:48:21 -07:00
Margo Crawford
05f5bac405 ValidatedSettings is all or nothing 
If either the search base or the tls settings is invalid, just
recheck everything.
 2021-09-07 13:09:35 -07:00
Margo Crawford
0195894a50 Test fix for ldap upstream watcher 2021-09-07 13:09:35 -07:00
Margo Crawford
cb0ee07b51 Fetch AD search base from defaultNamingContext when not specified 2021-07-23 13:01:41 -07:00
Margo Crawford
8e1d70562d Remove shared variables from ldap upstream observer 2021-07-23 13:01:41 -07:00
Margo Crawford
5d8d7246c2 Refactor active directory and ldap controllers to share almost everything 
Signed-off-by: Ryan Richard <richardry@vmware.com>
 2021-07-23 13:01:41 -07:00
Matt Moyer
89eff28549 Convert LDAP code to use endpointaddr package. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2021-05-25 16:17:27 -05:00
Ryan Richard
8b549f66d4 Add integration test for LDAP StartTLS 2021-05-20 13:39:48 -07:00
Ryan Richard
7e76b66639 LDAP upstream watcher controller tries using both TLS and StartTLS 
- Automatically try to fall back to using StartTLS when using TLS
  doesn't work. Only complain when both don't work.
- Remember (in-memory) which one worked and keeping using that one
  in the future (unless the pod restarts).
 2021-05-20 12:46:33 -07:00
Ryan Richard
025b37f839 upstreamldap.New() now supports a StartTLS config option 
- This enhances our LDAP client code to make it possible to optionally
  dial an LDAP server without TLS and then use StartTLS to upgrade
  the connection to TLS.
- The controller for LDAPIdentityProviders is not using this option
  yet. That will come in a future commit.
 2021-05-19 17:17:44 -07:00
Ryan Richard
3e1e8880f7 Initial support for upstream LDAP group membership 
Reflect the upstream group membership into the Supervisor's
downstream tokens, so they can be added to the user's
identity on the workload clusters.

LDAP group search is configurable on the
LDAPIdentityProvider resource.
 2021-05-17 11:10:26 -07:00
Ryan Richard
f5bf8978a3 Cache ResourceVersion of the validated bind Secret in memory 
...instead of caching it in the text of the Condition message
 2021-05-13 15:22:36 -07:00
Ryan Richard
1ae3c6a1ad Split package upstreamwatchers into four packages 2021-05-12 14:00:39 -07:00