Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement proposal to allow Pinniped custom resources to ref configmaps or secrets for CA bundles #1996

Merged
merged 99 commits into from
Aug 5, 2024
Merged

Implement proposal to allow Pinniped custom resources to ref configmaps or secrets for CA bundles #1996

merged 99 commits into from
Aug 5, 2024

Conversation

ashish-amarnath
Copy link
Member

@ashish-amarnath ashish-amarnath commented Jun 20, 2024
edited by cfryanr
Loading

Implement proposal to allow Pinniped CRs to source CA bundles, for client-side TLS validation, from secrets and configMaps

Fixes #1886

This PR also adds a new "Status" printer column to the table output for WebhookAuthenticator and JWTAuthenticator. The value shown in the column is the status.Phase of the resource.

This PR also fixes a bug for JWTAuthenticators and WebhookAuthenticators where their status was not always being updated after its initial creation.

Release note:

TBD

@ashish-amarnath ashish-amarnath self-assigned this Jun 20, 2024
@ashish-amarnath ashish-amarnath force-pushed the ca-bundles-ref branch 2 times, most recently from f17b0de to a6e4b2c Compare June 25, 2024 17:42
@ashish-amarnath ashish-amarnath force-pushed the ca-bundles-ref branch 3 times, most recently from 239fa85 to f9c6882 Compare July 2, 2024 06:13
joshuatcasey and others added 21 commits August 5, 2024 11:32
@joshuatcasey @cfryanr
jwtcachefiller now tests for exact log lines and prints when it choos…
d6d66fa 
…es to not update the status
@ashish-amarnath @cfryanr
update expectation conditions message when CA bundle is not configured
a0c259f 
fix a typo where we intended to use a configmap instead of a secret

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

Co-authored-by: Ryan Richard <richardry@vmware.com>
@cfryanr @ashish-amarnath
webhookcachefiller and jwtcachefiller always update status when needed
ed50294 
Even when the authenticator is found in the cache, try to update its
status. Failing to do so would mean that the actual status will not
be overwritten by the controller's newly computed desired status.

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@ashish-amarnath @cfryanr
secret/configmap with CA bundle to be created in namespace where pinn…
19c4acf 
…iped is installed

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@ashish-amarnath @cfryanr
update generated api docs
43964ff 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@cfryanr
document new CA bundle source option in howto docs
91ef689
@cfryanr
small refactors
02e41ba
@cfryanr @ashish-amarnath
update docs and change struct name in types_tls.go.tmpl files
e0235ed 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@cfryanr @ashish-amarnath
refactor test helpers in supervisor_login_test.go
2181418 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@ashish-amarnath @cfryanr
Add integration tests for tls spec validation in JWTAuthenticator and…
c340509 
… WebhookAuthenticator

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@ashish-amarnath @cfryanr
add integration test for TLS config validation in OIDCIdentityProvider
59402bc 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@ashish-amarnath @cfryanr
add integration test for TLS config validation in GitHubIdentityProvider
23129da 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@cfryanr
document allowed enum values and default values in all CR spec fields
a40c88e
@cfryanr
ran codegen on previous commit's changes
67de14a
@cfryanr
minor test refactor
2ebf9d3
@cfryanr
assert on condition message in concierge_tls_spec_test.go and supervi…
db2d7c8 
…sor_tls_spec_test.go
@cfryanr
test more condition message cases in concierge_tls_spec_test.go and s…
4eb9a09 
…upervisor_tls_spec_test.go
@cfryanr @ashish-amarnath
improve api docs for TLSSpec in authenticator and IDP specs
59c2295 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@cfryanr
run codegen for changes in previous commit
d4ac69d
@ashish-amarnath @cfryanr
refactor to use new certificateAuthorityDataSourceKind enum
b70db9d 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@cfryanr
fix typo in tmpl and run codegen
06b7d30
This was referenced Aug 5, 2024
Merged
Closed
@cfryanr cfryanr enabled auto-merge August 5, 2024 21:15
@cfryanr cfryanr merged commit 0787301 into vmware-tanzu:main Aug 5, 2024
43 checks passed
@ashish-amarnath ashish-amarnath deleted the ca-bundles-ref branch August 5, 2024 21:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuatcasey joshuatcasey joshuatcasey approved these changes

@cfryanr cfryanr cfryanr approved these changes

Assignees

@ashish-amarnath ashish-amarnath

Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow a volumemount certificate reference to be used by JWTAuthenticator
4 participants
@ashish-amarnath @joshuatcasey @cfryanr @vmwclabot