Ryan Richard
577797d569
add new supervisor configmap option to ignore userinfo endpoints by matching issuer URLs
2025-08-27 13:22:17 -07:00
Ryan Richard
e427a5202e
add new bool supervisor configmap option to ignore userinfo endpoints
2025-08-27 12:13:15 -07:00
Joshua Casey
1c1b3b7f2e
Bump golangci-lint to 2.3.0 and fix issues
2025-07-30 10:25:23 -05:00
Ryan Richard
e743beac53
upgrade k8s libs to v0.33.0
2025-05-13 11:56:03 -07:00
Joshua Casey
b8e7a64afe
Bump libs to k8s.io@v0.32.3, add codegen for k8s 1.32, and drop codegen for k8s 1.25
2025-05-12 16:36:46 -07:00
Ryan Richard
d90b3c23ef
introduce new configuration option to disable admission plugin types
2025-03-17 14:49:17 -07:00
Ryan Richard
c2018717b6
audit log OIDCClientSecretRequests
2024-11-27 13:53:02 -06:00
Ryan Richard
ced8686d11
add config for audit logging, remove Audit() from Logger interface
...
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com >
2024-11-27 13:53:01 -06:00
Joshua Casey
369316556a
Add configuration to audit internal endpoints and backfill unit tests
2024-11-27 13:53:01 -06:00
Ryan Richard
4f9530eec7
audit logging WIP
2024-11-27 13:53:00 -06:00
Ryan Richard
4f661aaa69
pay attention to web proxy settings during connection probes
...
- WebhookAuthenticator will now detect the proxy setting and skip
dialing the connection probe if it should go through a proxy
- GitHubIdentityProvider will avoid using tls.Dial altogether
by instead making a real request to the GitHub API as its
connection probe, because this will respect the proxy settings
2024-10-10 10:41:31 -07:00
Joshua Casey
76a116641f
Add ptls.Dialer to provide some common configuration for tls.Dial operations
2024-09-24 14:14:48 -05:00
Joshua Casey
94809ee396
Use a real binary version when setting up the aggregated API servers
2024-08-27 13:26:39 -05:00
Joshua Casey
436112252d
Lint fixes
2024-08-27 13:26:39 -05:00
Joshua Casey
f09b3c2f72
Bump K8s libs to 1.31 and fix compilation errors
2024-08-27 13:26:38 -05:00
Ryan Richard
09724cfa71
Add unit test: when discovery is already cached for OIDCIdentityProvider
2024-08-05 11:32:20 -07:00
Joshua Casey
288e092d2e
GitHub IDP watcher should not dial an address that has already been validated
2024-08-05 11:32:19 -07:00
Ashish Amarnath
3a969a83b7
update supervisor controllers
...
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com >
2024-08-05 11:32:19 -07:00
Ashish Amarnath
080c75efe6
refactor tls spec validation into its own package
...
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com >
2024-08-05 11:32:19 -07:00
Ryan Richard
f7f32f2f98
some mild refactoring of ptls common.go (mostly renames)
2024-06-14 13:27:38 -07:00
Joshua Casey
53031ad8d4
User can now configured allowed ciphers, to restrict the ciphers used by the Default profile
2024-06-14 10:42:17 -07:00
Joshua Casey
c6463831ac
Use plog.Logger instead of logr.Logger wherever possible
2024-06-11 12:47:19 -05:00
Joshua Casey
bafd578866
Merge branch 'main' into jtc/add-importas-linter
2024-06-11 09:39:48 -05:00
Joshua Casey
513f43f465
Enforce more imports
...
- go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
- go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
- go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
- go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
- go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
2024-05-21 09:31:15 -05:00
Joshua Casey
f5116cddb4
Enable 'makezero' and 'prealloc' linters, and require 'any' instead of 'interface{}'
...
Enforce importas:
- go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
- go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
2024-05-21 09:31:15 -05:00
Joshua Casey
e9252a9ee3
Enforce more imports
...
- k8s.io/apimachinery/pkg/apis/meta/v1
- k8s.io/api/core/v1
- github.com/coreos/go-oidc/v3/oidc
- github.com/ory/fosite/handler/oauth2
- go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
2024-05-21 09:31:15 -05:00
Joshua Casey
875b0739aa
Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and 'k8s.io/apimachinery/pkg/api/errors'
2024-05-21 09:31:15 -05:00
Joshua Casey
791b785dea
Merge branch 'main' into jtc/merge-main-at-d7849c79-to-github
2024-05-10 14:22:09 -05:00
Joshua Casey
7b36c8ab54
Enable 'copyloopvar' linter
2024-05-10 12:51:02 -05:00
Joshua Casey
e04e5e0185
Fix revive linter issues for all production code, and exclude revive linter issues for test code
2024-05-10 12:51:02 -05:00
Ryan Richard
7277d00e1a
refactor upstreamgithub.ProviderConfig to hold more config
2024-05-09 15:35:37 -07:00
Benjamin A. Petersen
c43193a0c8
Merge branch 'main' into github_identity_provider
2024-05-01 12:15:08 -04:00
Ryan Richard
9838a7cb6d
avoid the ValidatingAdmissionPolicy admission plugin when it can't work
2024-04-29 13:22:14 -07:00
Benjamin A. Petersen
7968ed6d69
Allow GitHubIdentityProvider IDP type by FederationDomainWatcher
2024-04-25 17:02:05 -04:00
Joshua Casey
14b1b7c862
Polish up the github_upstream_watcher: default and verify spec.claims correctly
2024-04-24 13:37:40 -05:00
Joshua Casey
c9b61ef010
Populate internal GitHub IDP Config from CRD
2024-04-16 14:33:01 -05:00
Benjamin A. Petersen
5c490e999d
Stub in unit tests for github_upstream_watcher
2024-04-02 12:38:06 -04:00
Benjamin A. Petersen
a11e1527f0
Add github-upstream-observer Controller
2024-04-02 10:53:26 -04:00
Ryan Richard
c7299f4daf
Update dependencies, including Kube packages to v0.29.0
2024-01-04 12:30:22 -08:00
Ryan Richard
a4883507b5
Disable UnauthenticatedHTTP2DOSMitigation feature gate
2023-12-12 08:47:03 -08:00
Ryan Richard
c5d1f380d2
revert the disabling of http2 for the Supervisor OIDC endpoints
...
Due to the unintended consequence of potentially breaking Ingresses
which were configured to use http2 on their backends.
2023-12-06 13:10:51 -08:00
Ryan Richard
4b7b9e4362
Defensive changes to mitigate potential http2 rapid reset attacks
2023-12-05 14:57:50 -08:00
Joshua Casey
b68e7f3e9e
Lightly standardize import aliases
2023-11-15 13:52:17 -06:00
Ryan Richard
ca6c29e463
Fix deadlock during shutdown which prevented leader election cleanup
...
Before this fix, the deadlock would prevent the leader pod from giving
up its lease, which would make it take several minutes for new pods to
be allowed to elect a new leader. During that time, no Pinniped
controllers could write to the Kube API, so important resources were not
being updated during that window. It would also make pod shutdown take
about 1 minute.
After this fix, the leader gives up its lease immediately, and pod
shutdown takes about 1 second. This improves restart/upgrade time and
also fixes the problem where there was no leader for several minutes
after a restart/upgrade.
The deadlock was between the post-start hook and the pre-shutdown hook.
The pre-shutdown hook blocked until a certain background goroutine in
the post-start hook finished, but that goroutine could not finish until
the pre-shutdown hook finished. Thus, they were both blocked, waiting
for each other infinitely. Eventually the process would be externally
killed.
This deadlock was most likely introduced by some change in Kube's
generic api server package related to how the many complex channels used
during server shutdown interact with each other, and was not noticed
when we upgraded to the version which introduced the change.
2023-09-20 16:54:24 -07:00
Ryan Richard
32063db46e
Validate apiGroup names are valid in federation_domain_watcher.go
2023-09-11 11:14:05 -07:00
Ryan Richard
022fdb9cfd
Update a test assertion to make failure easier to understand
2023-09-11 11:12:27 -07:00
Ryan Richard
86c791b8a6
reorganize federation domain packages to be more intuitive
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me >
2023-09-11 11:11:52 -07:00
Ryan Richard
96098841dd
Get tests to compile again and fix lint errors
2023-09-11 11:09:50 -07:00
Ryan Richard
7af75dfe3c
First draft of implementation of multiple IDPs support
2023-09-11 11:09:49 -07:00
Ryan Richard
ce567c481b
Improve pod logs related to Supervisor TLS certificate problems
2023-09-11 09:13:21 -07:00
