mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-10 07:58:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
835 Commits 21 Branches 50 Tags
20b62b884167a2002575cdec2a83cc1f241fb654
Commit Graph

835 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mo Khan
20b62b8841 Merge pull request #231 from enj/enj/f/fosite_kube_storage 
Add kube based storage for use with fosite
 2020-11-19 15:34:55 -05:00
Monis Khan
86865d155a Switch fuzzing test to UTC 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 14:04:25 -05:00
Monis Khan
3575be7742 Add authorization code storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:27 -05:00
Monis Khan
b7d823a077 Add generic Kube API based CRUD storage 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-19 13:18:02 -05:00
Mo Khan
3bc5952f7e Merge pull request #227 from mattmoyer/add-authorizationconfig-omitempty 
Use `omitempty` on UpstreamOIDCProvider `spec.authorizationConfig` field.
 2020-11-18 20:10:55 -05:00
Matt Moyer
7520dadbdd Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field. 
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-18 17:14:35 -06:00
Mo Khan
8a4be431f6 Merge pull request #230 from vmware-tanzu/scc 
Add nonroot SCC to work on OpenShift clusters
 2020-11-18 17:46:01 -05:00
Mo Khan
c32e452db8 Add nonroot SCC to work on OpenShift clusters 2020-11-18 17:08:45 -05:00
Ryan Richard
24bd8b2e42 Merge pull request #226 from absoludity/fix-getting-started4 
Fix demo.md and update default namespace for pinniped concierge.
 2020-11-18 13:39:04 -08:00
Ryan Richard
c83cec341b Merge branch 'main' into fix-getting-started4 2020-11-17 15:02:36 -08:00
Matt Moyer
7404ee4531 Merge pull request #224 from mattmoyer/make-oidcclient-public 
Move `./internal/oidcclient` to `./pkg/oidcclient`.
 2020-11-17 15:13:50 -06:00
Matt Moyer
e0a9bef6ce Move ./internal/oidcclient to ./pkg/oidcclient. 
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 14:53:32 -06:00
Matt Moyer
428b9f2758 Merge pull request #223 from mattmoyer/refactor-cert-gen 
Refactor certificate generation for integration test Dex.
 2020-11-17 12:45:20 -06:00
Matt Moyer
0d1ad6e1df Fix some broken resource grouping/ordering in Tiltfile. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 12:21:15 -06:00
Matt Moyer
6ce2f109bf Refactor certificate generation for integration test Dex. 
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 11:36:36 -06:00
Matt Moyer
3b9fb71dd1 Merge pull request #222 from mattmoyer/readd-supervisor-login-tests 
Re-add the TestSupervisorLogin integration test.
 2020-11-17 11:16:01 -06:00
Matt Moyer
d6d808d185 Re-add the TestSupervisorLogin integration test. 
This is 99% Andrew's code from 4032ed32ae, but tweaked to work with the new UpstreamOIDCProvider setup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-17 09:21:17 -06:00
Matt Moyer
b75a6cdb76 Merge pull request #221 from mattmoyer/use-https-dex 
Add support for custom CA bundle in CLI and UpstreamOIDCProvider.
 2020-11-16 20:47:16 -06:00
Matt Moyer
b31deff0fb Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
ee978fdde8 Add controller support for spec.tls field. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
e867fb82b9 Add spec.tls field to UpstreamOIDCProvider API. 
This allows for a custom CA bundle to be used when connecting to the upstream issuer.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
b17ac6ec0b Update integration tests to run Dex over HTTPS. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 20:23:20 -06:00
Matt Moyer
dd2133458e Add --ca-bundle flag to "pinniped login oidc" command. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 18:15:20 -06:00
Matt Moyer
e7ecfd3954 Merge pull request #219 from mattmoyer/add-test-proxy 
Convert CLI tests to work through an HTTP forward proxy.
 2020-11-16 17:48:16 -06:00
Matt Moyer
c8b17978a9 Convert CLI tests to work through an HTTP forward proxy. 
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-16 17:16:58 -06:00
Matt Moyer
a4733025ce Merge pull request #220 from jonasrosland/fix-landing-text 
Fix landing page use cases
 2020-11-16 16:36:44 -06:00
jonasrosland
332ed8e50b Fix landing page use cases 
Signed-off-by: jonasrosland <jrosland@vmware.com>
 2020-11-16 12:00:06 -05:00
Michael Nelson
57a2dc9fc1 Update default namespace for pinniped-concierge to match install-pinniped-concierge.yaml 2020-11-16 11:05:53 +11:00
Michael Nelson
9bb9402e89 Updated doc/demo.md with required namespace 2020-11-16 11:05:53 +11:00
Matt Moyer
84b61fac88 Merge pull request #215 from mattmoyer/fix-upstream-oidc-provider 
Fix some issues in the UpstreamOIDCProvider CRD and controller
 2020-11-13 17:23:10 -06:00
Matt Moyer
c10393b495 Mask the raw error messages from go-oidc, since they are dangerous. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 16:22:34 -06:00
Matt Moyer
d3d8ef44a0 Make more fields in UpstreamOIDCProvider optional. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 15:28:37 -06:00
Mo Khan
d5ee925e62 Merge pull request #213 from mattmoyer/more-categories 
Add our TokenCredentialRequest to the "pinniped" API category as well.
 2020-11-13 15:51:42 -05:00
Mo Khan
47d216caae Merge pull request #209 from alexbrand/doc-fixes 
Fix broken links in the project's website
 2020-11-13 15:51:13 -05:00
Alexander Brand
406d6b5544 docs/scope.md: Fix link to contrib guide 
Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
 2020-11-13 15:25:01 -05:00
Matt Moyer
ab87977c08 Put our TokenCredentialRequest API into the "pinniped" category. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 14:22:26 -06:00
Matt Moyer
f4dfc22f8e Merge pull request #212 from enj/enj/i/restore_cert_ttl 
Reduce client cert TTL back to 5 mins
 2020-11-13 14:11:44 -06:00
Matt Moyer
785a1d14fb Merge pull request #199 from mattmoyer/add-oidc-upstream-crd 
Add UpstreamOIDCProvider API and initial controller.
 2020-11-13 13:01:13 -06:00
Matt Moyer
d68a4b85f4 Add integration tests for UpstreamOIDCProvider status. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 12:30:38 -06:00
Matt Moyer
cbd71df574 Add "upstream-watcher" controller to supervisor. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 12:30:38 -06:00
Monis Khan
c05cbca0b0 Reduce client cert TTL back to 5 mins 
Signed-off-by: Monis Khan <mok@vmware.com>
 2020-11-13 13:30:02 -05:00
Matt Moyer
2e7d869ccc Add generated API/client code for new UpstreamOIDCProvider CRD. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 11:38:50 -06:00
Matt Moyer
bac3c19bec Add UpstreamOIDCProvider API type definition. 
This is essentially just a copy of Andrew's work from https://github.com/vmware-tanzu/pinniped/pull/135.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-13 11:38:49 -06:00
Alexander Brand
271640b66d docs/architecture.md: Fix broken link 2020-11-13 09:17:47 -05:00
Alexander Brand
6b0d4184d5 docs/architecture.md: Fix broken link 2020-11-13 09:15:46 -05:00
Ryan Richard
d351ef430c Merge pull request #206 from vmware-tanzu/authorize_endpoint_reuse_cookie 
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
 2020-11-12 16:26:01 -08:00
Matt Moyer
e6f128e2a7 Merge pull request #205 from mattmoyer/more-careful-categories 
Put all of our APIs into a "pinniped" category, and never use "all".
 2020-11-12 17:37:20 -06:00
Andrew Keesler
080bb594b2 Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 
- To better support having multiple downstream providers configured,
  the authorize endpoint will share a CSRF cookie between all
  downstream providers' authorize endpoints. The first time a
  user's browser hits the authorize endpoint of any downstream
  provider, that endpoint will set the cookie. Then if the user
  starts an authorize flow with that same downstream provider or with
  any other downstream provider which shares the same domain name
  (i.e. differentiated by issuer path), then the same cookie will be
  submitted and respected.
- Just in case we are sharing the domain name with some other app,
  we sign the value of any new CSRF cookie and check the signature
  when we receive the cookie. This wasn't strictly necessary since
  we probably won't share a domain name with other apps, but it
  wasn't hard to add this cookie signing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 2020-11-12 15:36:59 -08:00
Matt Moyer
f1696411d9 Test that Pinniped APis do not have short names, either. 
Signed-off-by: Matt Moyer <moyerm@vmware.com>
 2020-11-12 17:13:52 -06:00
Matt Moyer
5580ca82ac Merge pull request #204 from mattmoyer/cleanup-update-script 
Remove CRD count check, since we can now use wildcards.
 2020-11-12 16:28:24 -06:00