Commit Graph

1066 Commits

Author SHA1 Message Date
Ryan Richard
dd0dcad8c4 slow down filling out the Okta login screen for Chrome v134 2025-03-05 12:13:45 -08:00
Ryan Richard
4e04f5b606 remove fips_strict insecure ciphers which do not seem to be in Go 1.24 2025-02-19 08:13:55 -08:00
Ryan Richard
8cfc1c08ec allow both TLS v1.2 and v1.3 in fips mode, supported starting in Go 1.24 2025-02-18 10:46:59 -08:00
Ryan Richard
02eb26f135 "pinniped get kubeconfig" discovers CA bundle from CertificateAuthorityDataSource 2025-02-05 10:59:02 -08:00
Joshua Casey
1d873be184 Make sure that CEL errors are checked for the appropriate Kube version 2025-01-27 10:46:55 -06:00
Joshua Casey
5a0d6eddb1 Make sure each FederationDomain has a unique name, and skip CEL tests for old K8s versions 2025-01-27 10:46:55 -06:00
Joshua Casey
31b45525ce Remove deprecated CredentialIssuer.status.kubeConfigInfo 2025-01-27 10:46:55 -06:00
Joshua Casey
430c73b903 FederationDomain.spec.issuer must now be an HTTPS URL 2025-01-27 10:46:55 -06:00
Joshua Casey
cc1befbc57 Allow for multiple error messages 2025-01-27 10:46:55 -06:00
Joshua Casey
68a0ad4112 Extract common prefix from error messages 2025-01-27 10:46:55 -06:00
Ryan Richard
9619a0f226 change remoteAddr to sourceIPs in Supervisor audit log for incoming reqs 2025-01-06 21:21:01 -06:00
Ryan Richard
b625b4a076 introduce build tags to optionally override some TLS settings 2024-12-20 10:28:32 -08:00
Ryan Richard
90c95866d1 upgrade fosite to v0.49.0 and handle its API changes 2024-12-13 10:17:42 -08:00
Ryan Richard
ede9e45211 make audit_test.go ignore pod log lines that aren't JSON 2024-12-03 17:20:25 -06:00
Ryan Richard
df017f9267 attempt to fix a test flake seen sometimes in CI 2024-11-27 13:53:03 -06:00
Ryan Richard
ae5aad178d TokenCredentialRequest uses actual cert expiry time instead of estimate
and also audit logs both the NotBefore and NotAfter of the issued cert.
Implemented by changing the return type of the cert issuer helpers
to make them also return the NotBefore and NotAfter values of the new
cert, along with the key PEM and cert PEM.
2024-11-27 13:53:03 -06:00
Joshua Casey
0a28c818ad Small fixes for integration tests 2024-11-27 13:53:02 -06:00
Ryan Richard
1ebe2fcd1a add integration test for personal info showing in login audit logs 2024-11-27 13:53:02 -06:00
Joshua Casey
60bd118a9c pinniped CLI should print the audit-ID in certain error cases
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-11-27 13:53:02 -06:00
Joshua Casey
b69507f7f3 Add generic audit integration test 2024-11-27 13:53:02 -06:00
Ryan Richard
51fc86f950 don't audit log missing username or password, change query param value
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-27 13:53:02 -06:00
Ryan Richard
8fad2c5127 update test expectation to match new validation error text in new Kube 2024-11-06 13:57:15 -08:00
Ryan Richard
feef4bf508 fix test flake by removing memory limit from test pod
On AKS clusters, the pod's container would exceed its memory limit,
get OOMKilled, get restarted, and cause that test to flake.

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-11-06 09:56:36 -08:00
Ryan Richard
fedb9812bd add SAN to default cert in supervisor_discovery_test.go 2024-11-04 17:34:53 -08:00
Ryan Richard
5c252fd083 increase allowed delta in test to allow for slower CI workers 2024-10-14 09:32:06 -07:00
Ryan Richard
eca8914760 fix integration test for WebhookAuthenticator status conditions 2024-10-10 14:41:49 -07:00
Ryan Richard
4f661aaa69 pay attention to web proxy settings during connection probes
- WebhookAuthenticator will now detect the proxy setting and skip
  dialing the connection probe if it should go through a proxy
- GitHubIdentityProvider will avoid using tls.Dial altogether
  by instead making a real request to the GitHub API as its
  connection probe, because this will respect the proxy settings
2024-10-10 10:41:31 -07:00
Ryan Richard
6fe55a3b48 assume port 443 when not specified in printServerCert() test helper 2024-10-07 13:18:42 -07:00
Joshua Casey
702d5bdc01 Bump golangci-lint to 1.61.0 2024-09-10 15:14:53 -05:00
Joshua Casey
72fa369fc9 Integration tests should use PINNIPED_TEST_SUPERVISOR_SERVICE_NAME to decide where to port-forward 2024-09-04 20:52:01 -05:00
Joshua Casey
08abff1cae Bump golangci-lint to 1.60.3 2024-09-04 20:52:01 -05:00
Joshua Casey
f476259bbf Bump all dependencies 2024-09-04 20:52:01 -05:00
Joshua Casey
c87f091a44 Upcoming k8s versions have an additional extra field in the CSR response
- failure due to https://github.com/kubernetes/kubernetes/pull/125634
2024-09-04 11:23:11 -05:00
Joshua Casey
ca9503e4c0 Be sure to update the DEFAULT cert instead of the per-FederationDomain cert when the supervisor is using an IP address 2024-09-02 07:46:15 -05:00
Joshua Casey
dc72a36cb1 Add some logging to debug TLS validation failures with IP addresses 2024-09-01 08:26:23 -05:00
Joshua Casey
18e2024e3f Environment variables with 'https_address' in them should have 'https://' scheme 2024-08-31 17:46:35 -05:00
Joshua Casey
7d83e209c8 Integration tests should expect that the Supervisor hostname might be an IP address 2024-08-31 08:51:31 -05:00
Joshua Casey
1bbfa4984d Test refactor for clarity 2024-08-30 17:50:29 -05:00
Joshua Casey
557dee06f0 Allow the integration tests to set an IP address for the Supervisor issuer
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-08-30 15:48:04 -05:00
Joshua Casey
c0bab69cd1 Allow the Dex hostname to be set by integration tests
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-08-30 12:42:03 -05:00
Ryan Richard
c1328d9619 update expectation in supervisor_ldap_idp_test.go 2024-08-06 16:08:25 -07:00
Joshua Casey
f918edd846 Add integration tests to ensure that LDAP/AD conditions with status Unknown if they cannot be validated
Co-authored-by: Ryan Richard <richardry@vmware.com>
2024-08-06 16:08:25 -07:00
Ryan Richard
229b6a262e when dialing github to test connection, dial api.github.com
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2024-08-06 08:58:30 -07:00
Ashish Amarnath
6fdfee36fe fix typo in integration test function comments
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
2024-08-05 23:33:31 -07:00
Ryan Richard
2af510a3ee Revert "add integration test for TLS config validation in GitHubIdentityProvider"
This reverts commit 23129da3e2.
2024-08-05 12:52:41 -07:00
Ryan Richard
fdeca2c026 Revert "add integration test for TLS config validation in OIDCIdentityProvider"
This reverts commit 59402bca7b.
2024-08-05 12:52:29 -07:00
Ryan Richard
23fd15f840 Revert "Add integration tests for tls spec validation in JWTAuthenticator and WebhookAuthenticator"
This reverts commit c3405095b2.
2024-08-05 12:52:21 -07:00
Ashish Amarnath
b70db9dc03 refactor to use new certificateAuthorityDataSourceKind enum
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
2024-08-05 11:32:21 -07:00
Ryan Richard
4eb9a09385 test more condition message cases in concierge_tls_spec_test.go and supervisor_tls_spec_test.go 2024-08-05 11:32:21 -07:00
Ryan Richard
db2d7c8c50 assert on condition message in concierge_tls_spec_test.go and supervisor_tls_spec_test.go 2024-08-05 11:32:21 -07:00