Implement proposal to allow Pinniped custom resources to ref configmaps or secrets for CA bundles #1996

Merged (99 commits), Aug 5, 2024
Changes from 1 commit

Commits (99)
842f14a
update go templates for TLSSpec for concierge and supervisor
ashish-amarnath Jun 19, 2024
19c3f2c
run hack/update.sh
ashish-amarnath Jun 21, 2024
7e6dadb
add CRD validation integration tests
ashish-amarnath Jun 24, 2024
080c75e
refactor tls spec validation into its own package
ashish-amarnath Jun 26, 2024
aab1ee9
unify TLS Spec between supervisor and concierge
ashish-amarnath Jun 26, 2024
3a969a8
update supervisor controllers
ashish-amarnath Jun 27, 2024
199562f
get all supervisor unit tests to pass
ashish-amarnath Jun 28, 2024
207bac9
webhook cache filler
ashish-amarnath Jul 2, 2024
9ab7c39
jwt cache filler
ashish-amarnath Jul 2, 2024
90e8cc8
integration tests pass
ashish-amarnath Jul 3, 2024
edc327b
update supervisor RBAC to allow get, list, and watch on configmaps
ashish-amarnath Jul 3, 2024
afcd80d
more integration tests pass
ashish-amarnath Jul 3, 2024
821a893
integration tests for supervisor oidc, ldap, activedirectory IDP
ashish-amarnath Jul 9, 2024
6a610a9
add namespace to jwt authenticator controller
ashish-amarnath Jul 9, 2024
8eb15a9
integration tests for supervisor oidc, ldap, activedirectory IDP
ashish-amarnath Jul 9, 2024
cb4b63f
integration tests for concierge authenticators
ashish-amarnath Jul 10, 2024
1b7a26d
test secret and configmap filtering in concierge authenticator contro…
ashish-amarnath Jul 10, 2024
6e9023e
add code review todos and light refactoring
joshuatcasey Jul 18, 2024
bf1c02d
jwtauthenticator controller redoes validations when external CA bundl…
joshuatcasey Jul 18, 2024
920b519
error when CA bundle from Secret or ConfigMap is empty
cfryanr Jul 19, 2024
2d5943b
Move conditions reason Success to conditions_util
joshuatcasey Jul 22, 2024
66401b4
Add GitHubIDP tests for a CA bundle in a Secret or a ConfigMap
joshuatcasey Jul 22, 2024
373713f
webhook controller redoes validations when external CA bundle changes
cfryanr Jul 22, 2024
8060e82
include external CA bundles in the cache key in oidc_upstream_watcher.go
cfryanr Jul 22, 2024
72745cd
run codegen to update copyrights
cfryanr Jul 22, 2024
288e092
GitHub IDP watcher should not dial an address that has already been v…
joshuatcasey Jul 23, 2024
756966c
add "Status" printer column to JWTAuthenticator and WebhookAuthenticator
cfryanr Jul 23, 2024
30c0fd4
Fix e2e_test.go
cfryanr Jul 23, 2024
a4ad5d6
Fix *_tls_spec_test.go for old versions of Kubernetes
cfryanr Jul 23, 2024
d62d6a1
Refactor github_controller_watcher to simplify the tls Dial
joshuatcasey Jul 23, 2024
0f103ed
Add unit tests for external CA bundle in oidc_upstream_watcher_test.go
cfryanr Jul 23, 2024
d5e3ad9
Concierge external TLS static integration tests use the real URL of t…
joshuatcasey Jul 23, 2024
afec420
Add JWTAuthenticators to the static validation checks for concierge T…
joshuatcasey Jul 23, 2024
0f9352d
Integration tests should use a helper func to infer Supervisor's down…
joshuatcasey Jul 23, 2024
d74c2a6
Supervisor TLS spec integration tests should use an OIDC issuer url f…
joshuatcasey Jul 23, 2024
09724cf
Add unit test: when discovery is already cached for OIDCIdentityProvider
cfryanr Jul 23, 2024
3a303cc
Supervisor TLS Spec validation integration tests should use helper me…
joshuatcasey Jul 23, 2024
f381c92
Use templates to reduce duplication in concierge_tls_spec_test.go
cfryanr Jul 23, 2024
4b2ed52
Add GitHubIdentityProvider to the Supervisor TLS config static valida…
joshuatcasey Jul 23, 2024
b7c26c4
Add LDAPIdentityProvider and ActiveDirectoryIdentityProvider to the S…
joshuatcasey Jul 23, 2024
4ec5766
Modify Concierge/Supervisor TLS spec integration tests to allow for o…
joshuatcasey Jul 24, 2024
414ff50
extract some common condition reason string constants
cfryanr Jul 24, 2024
60f82d2
Fix integration test typo
joshuatcasey Jul 24, 2024
ca2dd2d
refactor InferSupervisorIssuerURL() func; remove a TODO
cfryanr Jul 24, 2024
06b47a5
jwtcachefiller controller loops over all jwtauthenticators
cfryanr Jul 24, 2024
adb460b
refactor integration test to use proper test table
cfryanr Jul 24, 2024
9420bfd
webhookcachefiller controller loops over all webhookauthenticators
joshuatcasey Jul 25, 2024
de86809
Fix some integration tests
joshuatcasey Jul 25, 2024
9a16dc2
Fix another integration test
joshuatcasey Jul 25, 2024
e3ed722
Minor refactor
joshuatcasey Jul 25, 2024
242fa8a
When reading CA bundle from a secret/configmap, return more specific err
joshuatcasey Jul 25, 2024
2a62bee
store ca bundle hash in validated settings cache
ashish-amarnath Jul 25, 2024
a1dcba4
add unit tests for validatedsettings cache storing ca bundle hash
ashish-amarnath Jul 25, 2024
005dbf3
refactor tlsconfigutil to return a caBundle type
ashish-amarnath Jul 26, 2024
282b949
update jwtcachefiller to use new tlsconfigutil.CABundle type
ashish-amarnath Jul 26, 2024
15d0006
Pull tlsconfigutil.CABundle into a separate file
joshuatcasey Jul 26, 2024
0711093
Add tests for tlsconfigutil.CABundle and all callers should use the c…
joshuatcasey Jul 26, 2024
e82cb2c
Refactor tlsconfigutil.getCertPool to return a CABundle and change it…
joshuatcasey Jul 26, 2024
34eff2a
Refactor tlsconfigutil.buildCABundle to make it more clear where the …
joshuatcasey Jul 26, 2024
4cf0e46
tlsconfigutil.CABundle should generate its own certPool
joshuatcasey Jul 26, 2024
fcceeed
Refactor tlsconfigutil.CABundle 'getters' to not have 'get' in the name
joshuatcasey Jul 26, 2024
99cfc4f
Remove tlsconfigutil.CABundle.IsEqual and ensure that tlsconfigutil.N…
joshuatcasey Jul 26, 2024
a888083
Introduce type alias CABundleHash for the hash of a CA bundle ([32]byte)
joshuatcasey Jul 26, 2024
f5da417
fix bug in jwtcachefiller caused when status update returns error
cfryanr Jul 26, 2024
dfef9f4
fix bug in webhookcachefiller caused when status update returns error
cfryanr Jul 26, 2024
81d42cb
add unit tests for validatedsettings cache storing ca bundle hash
ashish-amarnath Jul 26, 2024
9f17ba5
change wording of TLS config loaded success messages
cfryanr Jul 29, 2024
3891f90
skip external CA bundle tests when CA bundle is empty
cfryanr Jul 29, 2024
8725ab4
do not make any assumption about OIDC issuer 404 page body in test
cfryanr Jul 29, 2024
290676e
improve info/debug log messages for jwtcachefiller & webhookcachefiller
cfryanr Jul 29, 2024
dedd51d
Test Refactor: webhookauthenticator_test checks exact log line equality
joshuatcasey Jul 30, 2024
05a2fd9
webhookcontroller now only logs the webhook authenticator name instea…
joshuatcasey Jul 30, 2024
ca5bb21
webhookcontroller should use a logger that is built for each webhook …
joshuatcasey Jul 30, 2024
1438f06
webhookcachefiller adds more detail when it chooses to update or not …
joshuatcasey Jul 30, 2024
15c84fc
extract helper func in jwtcachefiller and webhookcachefiller
cfryanr Jul 30, 2024
d6d66fa
jwtcachefiller now tests for exact log lines and prints when it choos…
joshuatcasey Jul 31, 2024
a0c259f
update expectation conditions message when CA bundle is not configured
ashish-amarnath Jul 31, 2024
ed50294
webhookcachefiller and jwtcachefiller always update status when needed
cfryanr Jul 31, 2024
19c4acf
secret/configmap with CA bundle to be created in namespace where pinn…
ashish-amarnath Jul 31, 2024
43964ff
update generated api docs
ashish-amarnath Jul 31, 2024
91ef689
document new CA bundle source option in howto docs
cfryanr Jul 31, 2024
02e41ba
small refactors
cfryanr Aug 1, 2024
e0235ed
update docs and change struct name in types_tls.go.tmpl files
cfryanr Aug 1, 2024
2181418
refactor test helpers in supervisor_login_test.go
cfryanr Aug 1, 2024
c340509
Add integration tests for tls spec validation in JWTAuthenticator and…
ashish-amarnath Aug 3, 2024
59402bc
add integration test for TLS config validation in OIDCIdentityProvider
ashish-amarnath Aug 3, 2024
23129da
add integration test for TLS config validation in GitHubIdentityProvider
ashish-amarnath Aug 3, 2024
a40c88e
document allowed enum values and default values in all CR spec fields
cfryanr Aug 3, 2024
67de14a
ran codegen on previous commit's changes
cfryanr Aug 3, 2024
2ebf9d3
minor test refactor
cfryanr Aug 3, 2024
db2d7c8
assert on condition message in concierge_tls_spec_test.go and supervi…
cfryanr Aug 3, 2024
4eb9a09
test more condition message cases in concierge_tls_spec_test.go and s…
cfryanr Aug 4, 2024
59c2295
improve api docs for TLSSpec in authenticator and IDP specs
cfryanr Aug 4, 2024
d4ac69d
run codegen for changes in previous commit
cfryanr Aug 4, 2024
b70db9d
refactor to use new certificateAuthorityDataSourceKind enum
ashish-amarnath Aug 3, 2024
06b7d30
fix typo in tmpl and run codegen
cfryanr Aug 5, 2024
23fd15f
Revert "Add integration tests for tls spec validation in JWTAuthentic…
cfryanr Aug 5, 2024
fdeca2c
Revert "add integration test for TLS config validation in OIDCIdentit…
cfryanr Aug 5, 2024
2af510a
Revert "add integration test for TLS config validation in GitHubIdent…
cfryanr Aug 5, 2024
update supervisor RBAC to allow get, list, and watch on configmaps
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
ashish-amarnath authored and cfryanr committed Aug 5, 2024
commit edc327ba335cf8fb6a21372987e8a68adf29312e
3 changes: 3 additions & 0 deletions deploy/supervisor/rbac.yaml
Expand Up @@ -16,6 +16,9 @@ rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [""]
resources: [configmaps]
verbs: [get, list, watch]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
resources: [federationdomains]
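Review bot: the new configmaps rule (get, list, watch) has no resourceNames restriction, so it reads every ConfigMap within this rule's scope; please confirm that the object at the top of deploy/supervisor/rbac.yaml is a namespace-scoped Role rather than a ClusterRole, so the Supervisor's new read access stays limited to its own namespace, which matches the later commit 19c4acf requiring the CA bundle Secret or ConfigMap to live in the Pinniped namespace. The verb set is correctly narrower than the adjacent secrets rule (no create, patch, update or delete), which is the right least-privilege choice for a CA bundle source the controller only reads; a short comment above the rule naming the CA-bundle use case would make that intent clear to the next person editing this file. Since the PR title covers Concierge resources as well and the JWT and webhook cache fillers also resolve external CA bundles, check that the Concierge RBAC receives an equivalent read-only configmaps rule in another commit, as this one touches only the Supervisor's.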