Hello community,

here is the log from the commit of package velum for openSUSE:Factory checked 
in at 2018-02-09 15:51:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/velum (Old)
 and      /work/SRC/openSUSE:Factory/.velum.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "velum"

Fri Feb  9 15:51:13 2018 rev:5 rq:574233 
version:3.0.0+dev+git_r644_b0361e81be2d64b10de6b8c676dce394044f164a

Changes:
--------
--- /work/SRC/openSUSE:Factory/velum/velum.changes      2018-02-02 
22:23:26.734616949 +0100
+++ /work/SRC/openSUSE:Factory/.velum.new/velum.changes 2018-02-09 
15:51:17.803309230 +0100
@@ -1,0 +2,47 @@
+Thu Feb  8 12:28:28 UTC 2018 - containers-bugow...@suse.de
+
+- Commit b12fdf4 by Kiall Mac Innes ki...@macinnes.ie
+ Add manual kubeconfig setup instructions
+ 
+ Add instructions for manually adding a cluster to a pre-existing kubeconfig
+ file.
+
+
+-------------------------------------------------------------------
+Wed Feb  7 17:25:39 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 2db24eb by Kiall Mac Innes ki...@macinnes.ie
+ Use separate Dex clients for each actual client
+ 
+ Previously Velum, CaaSP CLI, and Kubernetes all shared a single Dex client.
+ From a security perspective, this was far from ideal.
+ 
+ Update Velum to:
+ 
+ * Generate a unique secret for the Velum and Kubernetes client during setup
+ * Add a migration to generate secrets during upgrade
+ * Use the Velum client to auth with Dex
+ * Request a token from Dex which is valid for the kubernetes client
+
+
+-------------------------------------------------------------------
+Tue Feb  6 17:55:27 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 48188f1 by Chris Olstrom ch...@olstrom.com
+ Add fallback link to fetch kubeconfig if redirect fails
+
+
+-------------------------------------------------------------------
+Tue Feb  6 17:03:32 UTC 2018 - containers-bugow...@suse.de
+
+- Commit 01453e3 by James Mason jma...@suse.com
+ Update login feature spec
+ 
+ I had issues with a failing test that used inconsitent access to the 'Log in'
+ button, so I've updated it to match the rest of the spec.
+ 
+ Additionally, the descriptions didn't make sense in documentation format so I
+ reworded them.
+
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ velum.spec ++++++
--- /var/tmp/diff_new_pack.fsQMng/_old  2018-02-09 15:51:18.727276045 +0100
+++ /var/tmp/diff_new_pack.fsQMng/_new  2018-02-09 15:51:18.731275901 +0100
@@ -23,7 +23,7 @@
 # Version:      1.0.0
 # %%define branch 1.0.0
 
-Version:        3.0.0+dev+git_r636_348aa62ece758fd9933ade7f585ec04e8d8d32a4
+Version:        3.0.0+dev+git_r644_b0361e81be2d64b10de6b8c676dce394044f164a
 Release:        0
 %define branch master
 Summary:        Dashboard for CaasP
@@ -96,7 +96,7 @@
 %description
 velum is the dashboard for CaasP to manage and deploy kubernetes clusters on 
top of MicroOS
 
-This package has been built with commit 
348aa62ece758fd9933ade7f585ec04e8d8d32a4 from branch master on date Fri, 02 Feb 
2018 11:59:01 +0000
+This package has been built with commit 
b0361e81be2d64b10de6b8c676dce394044f164a from branch master on date Thu, 08 Feb 
2018 12:27:49 +0000
 
 %prep
 %setup -q -n velum-%{branch}

++++++ master.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/controllers/oidc_controller.rb 
new/velum-master/app/controllers/oidc_controller.rb
--- old/velum-master/app/controllers/oidc_controller.rb 2018-02-02 
13:00:11.000000000 +0100
+++ new/velum-master/app/controllers/oidc_controller.rb 2018-02-08 
13:27:18.000000000 +0100
@@ -30,7 +30,11 @@
   end
 
   def client_id
-    "caasp-cli"
+    "velum"
+  end
+
+  def client_secret
+    Pillar.value(pillar: :dex_client_secrets_velum)
   end
 
   def index
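Review bot: `client_secret` returns nil whenever the `dex_client_secrets_velum` pillar row is absent (an upgrade where the new migration has not run, or a setup saved before this change), and the `client` hunk further down then builds and memoizes an `OpenIDConnect::Client` with `secret: nil`, so the failure only shows up later as an opaque token-exchange error from Dex. Failing fast here keeps the cause visible: `Pillar.value(pillar: :dex_client_secrets_velum) || raise("dex_client_secrets_velum pillar is not set")`. A one-line comment saying the value is minted during setup / by the `GenerateDexSecrets` migration would also tell the next reader where it comes from. The enclosing controller class starts before the hunk.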
@@ -57,24 +61,27 @@
     id_token.verify!(
       issuer:    issuer,
       client_id: client_id,
-      nonce:     stored_nonce
+      nonce:     stored_nonce,
+      audience:  "kubernetes"
     )
 
-    email = id_token.raw_attributes["email"]
-    client_id = access_token.client.identifier
-    client_secret = access_token.client.secret
-    idp_issuer_url = id_token.iss
-    refresh_token = access_token.refresh_token
-
-    @redirect_target = oidc_kubeconfig_url email:          email,
-                                           client_id:      client_id,
-                                           client_secret:  client_secret,
-                                           id_token:       
access_token.id_token,
-                                           idp_issuer_url: idp_issuer_url,
-                                           refresh_token:  refresh_token
+    @email = id_token.raw_attributes["email"]
+    @client_id = access_token.client.identifier
+    @client_secret = access_token.client.secret
+    @id_token = access_token.id_token
+    @idp_issuer_url = id_token.iss
+    @refresh_token = access_token.refresh_token
+
+    lookup_config
+
+    @redirect_target = oidc_kubeconfig_url email:          @email,
+                                           client_id:      @client_id,
+                                           client_secret:  @client_secret,
+                                           id_token:       @id_token,
+                                           idp_issuer_url: @idp_issuer_url,
+                                           refresh_token:  @refresh_token
   rescue OpenIDConnect::ResponseObject::IdToken::InvalidNonce => e
-    redirect_to root_path,
-                alert: e.message
+    redirect_to root_path, alert: e.message
   end
 
   def kubeconfig
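Review bot: `@client_secret = access_token.client.secret` is the secret of the Velum Dex client (the one `client` builds below with `secret: client_secret`), and together with `@client_id` it is written into every user's kubeconfig and the manual `kubectl config set-credentials` instructions, so the commit hands the Velum confidential client's secret to every logged-in user — the separation of clients described in the commit message stops at the token's `audience`. Whether the kubeconfig should instead carry the kubernetes client's credentials depends on how Dex's cross-client trust is set up for refresh, but either way the choice needs a comment here, since the variable names read like a per-user credential. The rewritten `oidc_kubeconfig_url` call also still passes `client_secret`, `id_token` and `refresh_token` as GET query parameters, which lands them in request logs, Referer headers and browser history; keeping them in the session and having `kubeconfig` read from there would avoid that (that action lies outside the hunk). Only `InvalidNonce` is rescued, so an issuer or audience mismatch raised by `verify!` presumably surfaces as a 500 rather than the alert. The enclosing method starts before the hunk.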
@@ -94,6 +101,8 @@
 
   def lookup_config
     kubeconfig = Velum::Kubernetes.kubeconfig
+    # TODO: Allow cluster_name to be set in pillar during bootstrap
+    @cluster_name = "caasp"
     @apiserver_host = kubeconfig.host
     @ca_crt = kubeconfig.ca_crt
     @client_crt = kubeconfig.client_crt
@@ -106,7 +115,14 @@
       response_type: :code,
       nonce:         nonce,
       state:         nonce,
-      scope:         [:openid, :profile, :email, :offline_access, 
:groups].collect(&:to_s)
+      scope:         [
+        :openid,
+        :profile,
+        :email,
+        :offline_access,
+        :groups,
+        "audience:server:client_id:kubernetes"
+      ].collect(&:to_s)
     )
   end
 
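Review bot: `"audience:server:client_id:kubernetes"` hard-codes the kubernetes Dex client id a second time, after `audience: "kubernetes"` in the `verify!` call above; the two must stay in step or verification starts rejecting every login. A single frozen constant, `KUBERNETES_CLIENT_ID = "kubernetes".freeze`, used as `"audience:server:client_id:#{KUBERNETES_CLIENT_ID}"` here and `audience: KUBERNETES_CLIENT_ID` there, ties them together. A short comment above that scope entry explaining that it is Dex's cross-client trust request would help too, since nothing in the file says why a scope carries a client id. The enclosing method starts before the hunk.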
@@ -120,7 +136,7 @@
 
     @client ||= OpenIDConnect::Client.new(
       identifier:             client_id,
-      secret:                 "swac7qakes7AvucH8bRucucH",
+      secret:                 client_secret,
       scopes_supported:       config.scopes_supported,
       jwks_uri:               config.jwks_uri,
       authorization_endpoint: config.authorization_endpoint,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/controllers/setup_controller.rb 
new/velum-master/app/controllers/setup_controller.rb
--- old/velum-master/app/controllers/setup_controller.rb        2018-02-02 
13:00:11.000000000 +0100
+++ new/velum-master/app/controllers/setup_controller.rb        2018-02-08 
13:27:18.000000000 +0100
@@ -107,6 +107,12 @@
       settings["no_proxy"] = ""
     end
 
+    settings["dex_client_secrets_kubernetes"] = \
+      Pillar.value(pillar: :dex_client_secrets_kubernetes) \
+      || SecureRandom.uuid
+    settings["dex_client_secrets_velum"] = Pillar.value(pillar: 
:dex_client_secrets_velum) \
+      || SecureRandom.uuid
+
     Velum::LDAP.ldap_pillar_settings!(settings)
   end
 
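Review bot: The two secret assignments are formatted differently — one breaks after `=` with a leading `||`, the other breaks inside the `Pillar.value(pillar:` call — and the `\` continuations are unnecessary; `settings["dex_client_secrets_kubernetes"] = Pillar.value(pillar: :dex_client_secrets_kubernetes) || SecureRandom.uuid`, line-broken after `=`, reads the same for both. The same generate-if-absent logic is repeated in the new `GenerateDexSecrets` migration with the raw pillar strings, so a later change to one copy can leave the other minting a different secret; a small helper on `Pillar` would give a single source. `SecureRandom.uuid` is fine entropy-wise (122 random bits in a v4 UUID), though `SecureRandom.hex(32)` is the more conventional shape for a client secret. The enclosing method starts before the hunk.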
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/models/pillar.rb 
new/velum-master/app/models/pillar.rb
--- old/velum-master/app/models/pillar.rb       2018-02-02 13:00:11.000000000 
+0100
+++ new/velum-master/app/models/pillar.rb       2018-02-08 13:27:18.000000000 
+0100
@@ -14,34 +14,36 @@
 
     def all_pillars
       {
-        dashboard:               "dashboard",
-        dashboard_external_fqdn: "dashboard_external_fqdn",
-        apiserver:               "api:server:external_fqdn",
-        cluster_cidr:            "cluster_cidr",
-        cluster_cidr_min:        "cluster_cidr_min",
-        cluster_cidr_max:        "cluster_cidr_max",
-        cluster_cidr_len:        "cluster_cidr_len",
-        services_cidr:           "services_cidr",
-        api_cluster_ip:          "api:cluster_ip",
-        dns_cluster_ip:          "dns:cluster_ip",
-        proxy_systemwide:        "proxy:systemwide",
-        http_proxy:              "proxy:http",
-        https_proxy:             "proxy:https",
-        no_proxy:                "proxy:no_proxy",
-        tiller:                  "addons:tiller",
-        ldap_host:               "ldap:host",
-        ldap_port:               "ldap:port",
-        ldap_bind_dn:            "ldap:bind_dn",
-        ldap_bind_pw:            "ldap:bind_pw",
-        ldap_domain:             "ldap:domain",
-        ldap_group_dn:           "ldap:group_dn",
-        ldap_people_dn:          "ldap:people_dn",
-        ldap_base_dn:            "ldap:base_dn",
-        ldap_admin_group_dn:     "ldap:admin_group_dn",
-        ldap_admin_group_name:   "ldap:admin_group_name",
-        ldap_tls_method:         "ldap:tls_method",
-        ldap_mail_attribute:     "ldap:mail_attribute",
-        cloud_framework:         "cloud:framework"
+        dashboard:                     "dashboard",
+        dashboard_external_fqdn:       "dashboard_external_fqdn",
+        apiserver:                     "api:server:external_fqdn",
+        cluster_cidr:                  "cluster_cidr",
+        cluster_cidr_min:              "cluster_cidr_min",
+        cluster_cidr_max:              "cluster_cidr_max",
+        cluster_cidr_len:              "cluster_cidr_len",
+        services_cidr:                 "services_cidr",
+        api_cluster_ip:                "api:cluster_ip",
+        dns_cluster_ip:                "dns:cluster_ip",
+        proxy_systemwide:              "proxy:systemwide",
+        http_proxy:                    "proxy:http",
+        https_proxy:                   "proxy:https",
+        no_proxy:                      "proxy:no_proxy",
+        tiller:                        "addons:tiller",
+        ldap_host:                     "ldap:host",
+        ldap_port:                     "ldap:port",
+        ldap_bind_dn:                  "ldap:bind_dn",
+        ldap_bind_pw:                  "ldap:bind_pw",
+        ldap_domain:                   "ldap:domain",
+        ldap_group_dn:                 "ldap:group_dn",
+        ldap_people_dn:                "ldap:people_dn",
+        ldap_base_dn:                  "ldap:base_dn",
+        ldap_admin_group_dn:           "ldap:admin_group_dn",
+        ldap_admin_group_name:         "ldap:admin_group_name",
+        ldap_tls_method:               "ldap:tls_method",
+        ldap_mail_attribute:           "ldap:mail_attribute",
+        cloud_framework:               "cloud:framework",
+        dex_client_secrets_kubernetes: "dex:client_secrets:kubernetes",
+        dex_client_secrets_velum:      "dex:client_secrets:velum"
       }
     end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/views/oidc/done.html.slim 
new/velum-master/app/views/oidc/done.html.slim
--- old/velum-master/app/views/oidc/done.html.slim      2018-02-02 
13:00:11.000000000 +0100
+++ new/velum-master/app/views/oidc/done.html.slim      2018-02-08 
13:27:18.000000000 +0100
@@ -1,4 +1,8 @@
-h1 Download your kubeconfig file
+h1 Authenticate with Kubernetes
+
+p= link_to "You can return to the dashboard once you have prepared your 
kubeconfig file", root_path
+
+h2 Option 1: Download your kubeconfig file
 
 p
   | You will see a download dialog that will allow you to download your 
kubeconfig file. Please,
@@ -9,10 +13,38 @@
   |  like <strong>KUBECONFIG=~/Downloads/kubeconfig kubectl get nodes</strong>.
 
 p
-  | You can also save it to your home in `~/.kube/config`, `kubectl` will 
automatically read this
-  |  file without the need to specify the <strong>KUBECONFIG</strong> 
environment variable.
+  | Alternatively, you can also save it to your home in `~/.kube/config`, 
`kubectl` will automatically
+  | read this file without the need to specify the <strong>KUBECONFIG</strong> 
environment variable.
+
+p= link_to "Click here if the download has not started automatically.", 
@redirect_target
+
+h2 Option 2: Manually configure kubeconfig file
+
+p
+  | You can manually configure a client by running these commands:
+
+pre
+  | # Create a file containing the Kubernetes API CA Certificate
+    echo "#{Base64.strict_encode64 @ca_crt}" \
+      | base64 -d > ~/.kube/#{@cluster_name}-ca.crt
+
+    # Create the Cluster entry in the ~/.kube/config file
+    kubectl config set-cluster #{@cluster_name} \
+      --server=https://#{@apiserver_host}:6443 \
+      --certificate-authority=$(readlink -f ~/.kube/#{@cluster_name}-ca.crt)
+
+    # Create the User entry in the ~/.kube/config file
+    kubectl config set-credentials "#{@email}" \
+      --auth-provider=oidc \
+      --auth-provider-arg=client-id="#{@client_id}" \
+      --auth-provider-arg=client-secret="#{@client_secret}" \
+      --auth-provider-arg=id-token="#{@id_token}" \
+      --auth-provider-arg=refresh-token="#{@refresh_token}" \
+      --auth-provider-arg=idp-issuer-url="#{@idp_issuer_url}"
 
-p= link_to "You can navigate to the dashboard now, once you have downloaded 
your kubeconfig file", root_path
+    # Create and use the cluster context
+    kubectl config set-context "#{@cluster_name}-#{@email}" --cluster 
#{@cluster_name} --user="#{@email}"
+    kubectl config use-context "#{@cluster_name}-#{@email}"
 
 = content_for :page_javascript do
   javascript:
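Review bot: The shell snippet quotes `@email` but leaves `@cluster_name` bare in `set-cluster #{@cluster_name}`, `--cluster #{@cluster_name}` and the `~/.kube/#{@cluster_name}-ca.crt` paths; once the TODO in `lookup_config` makes the name pillar-driven, a value with spaces or shell metacharacters breaks the pasted commands, so quote it consistently now, e.g. `--cluster="#{@cluster_name}"`. This page also renders `@client_secret`, `@id_token` and `@refresh_token` into the HTML body, so the action should send the response with `Cache-Control: no-store` so the tokens do not persist in browser or proxy caches (that header belongs in the controller, outside this hunk). The mixed `--cluster X` / `--user="X"` flag styles on the `set-context` line are a smaller readability nit.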
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/app/views/oidc/kubeconfig.erb 
new/velum-master/app/views/oidc/kubeconfig.erb
--- old/velum-master/app/views/oidc/kubeconfig.erb      2018-02-02 
13:00:11.000000000 +0100
+++ new/velum-master/app/views/oidc/kubeconfig.erb      2018-02-08 
13:27:18.000000000 +0100
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Config
 clusters:
-- name: local
+- name: <%= @cluster_name %>
   cluster:
     server: https://<%= @apiserver_host %>:6443
     certificate-authority-data: <%= Base64.strict_encode64 @ca_crt %>
@@ -19,6 +19,8 @@
         idp-issuer-url: <%= @idp_issuer_url %>
         refresh-token: <%= @refresh_token %>
 contexts:
-- context:
-    cluster: local
+- name: <%= @cluster_name %>-<%= @email %>
+  context:
+    cluster: <%= @cluster_name %>
     user: <%= @email %>
+current-context: <%= @cluster_name %>-<%= @email %>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb 
new/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb
--- old/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb  
1970-01-01 01:00:00.000000000 +0100
+++ new/velum-master/db/migrate/20180206150021_generate_dex_secrets.rb  
2018-02-08 13:27:18.000000000 +0100
@@ -0,0 +1,17 @@
+require 'securerandom'
+
+class GenerateDexSecrets < ActiveRecord::Migration
+  def up
+    Pillar.find_or_create_by pillar: "dex:client_secrets:kubernetes" do 
|pillar|
+      pillar.value = SecureRandom.uuid
+    end
+    Pillar.find_or_create_by pillar: "dex:client_secrets:velum" do |pillar|
+      pillar.value = SecureRandom.uuid
+    end
+  end
+
+  def down
+    Pillar.where(pillar: "dex:client_secrets:kubernetes").destroy_all
+    Pillar.where(pillar: "dex:client_secrets:velum").destroy_all
+  end
+end
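Review bot: `down` destroys the two secret rows, so rolling back and re-running `up` mints fresh secrets and invalidates every kubeconfig and refresh token issued against the old ones; that is irreversible and deserves a comment on `down`, e.g. `# Rolling back discards the secrets; a later up generates new ones and breaks existing kubeconfigs.` The pillar names are spelled out as literals, duplicating `Pillar.all_pillars` and the setup controller's generation logic, so a rename in the model silently desynchronises this migration — acceptable for a migration that should not depend on the live model, but worth a comment saying so. `require 'securerandom'` uses single quotes while the rest of the codebase uses double quotes (`require "rails_helper"`), and `ActiveRecord::Migration` without a version suffix warns or fails on Rails 5+, presumably fine on the Rails version this app runs — confirm.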
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/velum-master/db/schema.rb 
new/velum-master/db/schema.rb
--- old/velum-master/db/schema.rb       2018-02-02 13:00:11.000000000 +0100
+++ new/velum-master/db/schema.rb       2018-02-08 13:27:18.000000000 +0100
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control 
system.
 
-ActiveRecord::Schema.define(version: 20180118103201) do
+ActiveRecord::Schema.define(version: 20180206150021) do
 
   create_table "certificate_services", force: :cascade do |t|
     t.integer  "certificate_id", limit: 4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/velum-master/spec/features/auth/login_feature_spec.rb 
new/velum-master/spec/features/auth/login_feature_spec.rb
--- old/velum-master/spec/features/auth/login_feature_spec.rb   2018-02-02 
13:00:11.000000000 +0100
+++ new/velum-master/spec/features/auth/login_feature_spec.rb   2018-02-08 
13:27:18.000000000 +0100
@@ -1,6 +1,6 @@
 require "rails_helper"
 
-describe "Login feature" do
+describe "Feature: login dialog" do
   let!(:user) { create(:user) }
 
   before do
@@ -12,7 +12,7 @@
     expect(page).not_to have_content("You need to sign in or sign up before 
continuing.")
   end
 
-  it "Existing user is able using his login and password to login into velum" 
do
+  it "allows a existing user to login into velum with valid credentials" do
     # We don't use Capybara's `login_as` method on purpose, because we are
     # testing the UI for logging in.
     fill_in "user_email", with: user.email
@@ -22,26 +22,26 @@
     expect(page).to have_content("Configuration")
   end
 
-  it "Wrong password results in an error message" do
-    pending("fix the validations")
+  it "shows an error message when using invalid credentials" do
+    # pending("fix the validations")
     fill_in "user_email", with: "foo"
     fill_in "user_password", with: "bar"
-    find("input[type=submit]", match: :first).click
+    click_button("Log in")
 
     expect(page).to have_content("Invalid Email or password")
   end
 
-  it "When guest tries to access dashboard - he is redirected to the login 
page" do
+  it "redirects to the login plage when a guest tries to access dashboard" do
     visit root_path
     expect(page).to have_content("Log in")
   end
 
-  it "User is redirected to the login page when trying to access a protected 
page" do
+  it "redirects to the login page when trying to access a protected page" do
     visit setup_path
     expect(page).to have_content("You need to sign in or sign up before 
continuing.")
   end
 
-  it "Successful login when trying to access a page redirects back the guest" 
do
+  it "redirects back to a protected page after successful login" do
     visit setup_path
 
     fill_in "user_email", with: user.email

