mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-09 15:44:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,782 Commits 21 Branches 50 Tags
2cfa61024923e4f73631be469b798fd3d64ccbdb
Commit Graph

58 Commits

Author SHA1 Message Date
Ryan Richard
106a480dad JWTAuthenticator must reload when spec.audience or spec.claims changes 2024-11-04 12:49:18 -08:00
Ryan Richard
dc195536d0 also use port number when checking https proxy for WebhookAuthenticator 2024-10-11 14:49:46 -07:00
Ryan Richard
4f661aaa69 pay attention to web proxy settings during connection probes 
- WebhookAuthenticator will now detect the proxy setting and skip
  dialing the connection probe if it should go through a proxy
- GitHubIdentityProvider will avoid using tls.Dial altogether
  by instead making a real request to the GitHub API as its
  connection probe, because this will respect the proxy settings
 2024-10-10 10:41:31 -07:00
Joshua Casey
f7fd209f29 Address PR feedback 2024-09-24 14:14:48 -05:00
Joshua Casey
76a116641f Add ptls.Dialer to provide some common configuration for tls.Dial operations 2024-09-24 14:14:48 -05:00
Joshua Casey
f798777a3b Refactor: reorder parameters to MergeConditions 2024-08-08 08:12:41 -05:00
Joshua Casey
afa3aa2232 LDAP and AD IDPs now always report condition with type LDAPConnectionValid, even if the status is unknown 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-06 16:08:25 -07:00
Ryan Richard
02e41baa47 small refactors 2024-08-05 11:32:21 -07:00
Ryan Richard
ed502949dd webhookcachefiller and jwtcachefiller always update status when needed 
Even when the authenticator is found in the cache, try to update its
status. Failing to do so would mean that the actual status will not
be overwritten by the controller's newly computed desired status.

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
15c84fcc94 extract helper func in jwtcachefiller and webhookcachefiller 2024-08-05 11:32:20 -07:00
Joshua Casey
1438f06c12 webhookcachefiller adds more detail when it chooses to update or not update status conditions 2024-08-05 11:32:20 -07:00
Joshua Casey
ca5bb2170c webhookcontroller should use a logger that is built for each webhook authenticator 2024-08-05 11:32:20 -07:00
Joshua Casey
05a2fd97f8 webhookcontroller now only logs the webhook authenticator name instead of an object 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
290676e4d1 improve info/debug log messages for jwtcachefiller & webhookcachefiller 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
dfef9f470f fix bug in webhookcachefiller caused when status update returns error 
Also refactor test assertions regarding log statements in
jwtcachefiller_test.go and webhookcachefiller_test.go

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
f5da417450 fix bug in jwtcachefiller caused when status update returns error 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
a888083c50 Introduce type alias CABundleHash for the hash of a CA bundle ([32]byte) 
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
fcceeed9fa Refactor tlsconfigutil.CABundle 'getters' to not have 'get' in the name 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
282b949c24 update jwtcachefiller to use new tlsconfigutil.CABundle type 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
005dbf3aa8 refactor tlsconfigutil to return a caBundle type 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
9420bfde5b webhookcachefiller controller loops over all webhookauthenticators 2024-08-05 11:32:20 -07:00
Ryan Richard
06b47a5792 jwtcachefiller controller loops over all jwtauthenticators 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
414ff503ef extract some common condition reason string constants 2024-08-05 11:32:20 -07:00
Ryan Richard
373713f7e0 webhook controller redoes validations when external CA bundle changes 2024-08-05 11:32:19 -07:00
Joshua Casey
2d5943b21a Move conditions reason Success to conditions_util 2024-08-05 11:32:19 -07:00
Ryan Richard
920b519ebf error when CA bundle from Secret or ConfigMap is empty 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:19 -07:00
Joshua Casey
6e9023e090 add code review todos and light refactoring 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
1b7a26d932 test secret and configmap filtering in concierge authenticator controllers 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
cb4b63f8b3 integration tests for concierge authenticators 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
207bac9452 webhook cache filler 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ryan Richard
a2be4b7b5e clarify some comments based on PR feedback 2024-07-17 09:58:26 -07:00
Ryan Richard
b5a509f27f fix authenticators bug: stop allowing usage when validation fails 2024-07-16 09:59:19 -07:00
Joshua Casey
bafd578866 Merge branch 'main' into jtc/add-importas-linter 2024-06-11 09:39:48 -05:00
Joshua Casey
e9252a9ee3 Enforce more imports 
- k8s.io/apimachinery/pkg/apis/meta/v1
- k8s.io/api/core/v1
- github.com/coreos/go-oidc/v3/oidc
- github.com/ory/fosite/handler/oauth2
- go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
 2024-05-21 09:31:15 -05:00
Joshua Casey
875b0739aa Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and 'k8s.io/apimachinery/pkg/api/errors' 2024-05-21 09:31:15 -05:00
Joshua Casey
fe5d037600 Merge branch 'main' into jtc/merge-main-5fe94c4e-into-github 2024-04-23 12:42:07 -05:00
Joshua Casey
da135d9958 Webhookcachefiller now uses a real tls.Dial, which means we can test IPv6 2024-04-19 09:24:17 -05:00
Ryan Richard
e048859afd Use ptls package when calling webhook during authentication 2024-04-18 16:00:57 -07:00
Ryan Richard
8c081c50d4 Use ptls package to determine TLS config when probing webhook for status 2024-04-18 12:55:49 -07:00
Joshua Casey
c9b61ef010 Populate internal GitHub IDP Config from CRD 2024-04-16 14:33:01 -05:00
Benjamin A. Petersen
f86c46e160 Update WebhookAuthenticator Status WebhookConnectionValid 
- ConnectionProbeValid -> WebhookConnectionValid
  - This is to conform with the pattern of other controllers, ex:
    LDAPConnectionValid
 2024-03-26 15:33:44 -04:00
Benjamin A. Petersen
e38a27d93d Add endpointaddr.ParseFromURL helper, WebhookAuthenticator handle additional IPv6 cases 2024-03-22 15:57:57 -04:00
Benjamin A. Petersen
bec5fe85cc change WebhookAuthenticator TLSConnectionNegotiationValid to ConnectionProbeValid 2024-03-19 18:00:40 -04:00
Benjamin A. Petersen
5c0d67dc50 refactor WebhookAuthenticator newWebhookAuthenticator func 2024-03-19 16:48:08 -04:00
Benjamin A. Petersen
337459feb0 Update webhook status integration tests 
- total api fields test 260->261
 2024-03-19 16:48:05 -04:00
Benjamin A. Petersen
590e2d18f7 Add WebhookAuthenticator integration tests, expand unit tests 
- Add WebhookAuthenticator unit tests, update generated code
- Add validateTLSNegotiation(), update tests
- Update validateTLSNegotiation, add unit tests, factor out helpers
- Update generated code
 2024-03-19 16:48:05 -04:00
Benjamin A. Petersen
ef36b454ba Improve WebhookAuthenticator Status and Validations 
- Validate TLS Configuration
- Validate Endpoint
- Validate TLS Negotiation
  - Report status handshake negotiation with webhook
- Unit tests
- Integration tests
 2024-03-19 16:48:03 -04:00
Ryan Richard
c6c2c525a6 Upgrade the linter and fix all new linter warnings 
Also fix some tests that were broken by bumping golang and dependencies
in the previous commits.

Note that in addition to changes made to satisfy the linter which do not
impact the behavior of the code, this commit also adds ReadHeaderTimeout
to all usages of http.Server to satisfy the linter (and because it
seemed like a good suggestion).
 2022-08-24 14:45:55 -07:00
Ryan Richard
7751c0bf59 Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 
Several API changes in Kube required changes in Pinniped code.

Signed-off-by: Monis Khan <mok@vmware.com>
 2022-06-07 15:26:30 -04:00
Monis Khan
cd686ffdf3 Force the use of secure TLS config 
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change.  Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as a impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticater (mostly, see code)
   - no changes to webhook authenticater (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
 2021-11-17 16:55:35 -05:00