vmware
diff --git a/‎go.mod
Lines changed: 4 additions & 4 deletions b/‎go.mod
Lines changed: 4 additions & 4 deletions
diff --git a/‎go.sum
Lines changed: 8 additions & 9 deletions b/‎go.sum
Lines changed: 8 additions & 9 deletions
diff --git a/‎hack/prepare-for-integration-tests.sh
Lines changed: 92 additions & 2 deletions b/‎hack/prepare-for-integration-tests.sh
Lines changed: 92 additions & 2 deletions
diff --git a/‎hack/prepare-impersonator-on-kind.sh
Lines changed: 2 additions & 2 deletions b/‎hack/prepare-impersonator-on-kind.sh
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/controller/apicerts/certs_manager.go
Lines changed: 2 additions & 1 deletion b/‎internal/controller/apicerts/certs_manager.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎internal/controller/apicerts/certs_manager_test.go
Lines changed: 2 additions & 1 deletion b/‎internal/controller/apicerts/certs_manager_test.go
Lines changed: 2 additions & 1 deletion
@@ -33,8 +33,8 @@ replace github.com/hashicorp/go-retryablehttp => github.com/hashicorp/go-retryab
 
 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
-	github.com/chromedp/cdproto v0.0.0-20241003230502-a4a8f7c660df
-	github.com/chromedp/chromedp v0.10.0
+	github.com/chromedp/cdproto v0.0.0-20241014181340-cb3a7a1d51d7
+	github.com/chromedp/chromedp v0.11.0
 	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/coreos/go-semver v0.3.1
 	github.com/creack/pty v1.1.23
@@ -64,7 +64,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/tdewolff/minify/v2 v2.20.37
+	github.com/tdewolff/minify/v2 v2.21.0
 	go.uber.org/mock v0.4.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.28.0
@@ -162,7 +162,7 @@ require (
 	github.com/spf13/viper v1.16.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
-	github.com/tdewolff/parse/v2 v2.7.15 // indirect
+	github.com/tdewolff/parse/v2 v2.7.17 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.14 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect
 
@@ -64,11 +64,11 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chromedp/cdproto v0.0.0-20240801214329-3f85d328b335/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
-github.com/chromedp/cdproto v0.0.0-20241003230502-a4a8f7c660df h1:cbtSn19AtqQha1cxmP2Qvgd3fFMz51AeAEKLJMyEUhc=
 github.com/chromedp/cdproto v0.0.0-20241003230502-a4a8f7c660df/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
-github.com/chromedp/chromedp v0.10.0 h1:bRclRYVpMm/UVD76+1HcRW9eV3l58rFfy7AdBvKab1E=
-github.com/chromedp/chromedp v0.10.0/go.mod h1:ei/1ncZIqXX1YnAYDkxhD4gzBgavMEUu7JCKvztdomE=
+github.com/chromedp/cdproto v0.0.0-20241014181340-cb3a7a1d51d7 h1:VDBgUGgdCBw9lTKwp0KPExhnqmGfGVJQTER2MehoICk=
+github.com/chromedp/cdproto v0.0.0-20241014181340-cb3a7a1d51d7/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
+github.com/chromedp/chromedp v0.11.0 h1:1PT6O4g39sBAFjlljIHTpxmCSk8meeYL6+R+oXH4bWA=
+github.com/chromedp/chromedp v0.11.0/go.mod h1:jsD7OHrX0Qmskqb5Y4fn4jHnqquqW22rkMFgKbECsqg=
 github.com/chromedp/sysutil v1.0.0 h1:+ZxhTpfpZlmchB58ih/LBHX52ky7w2VhQVKQMucy3Ic=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -560,10 +560,10 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdewolff/minify/v2 v2.20.37 h1:Q97cx4STXCh1dlWDlNHZniE8BJ2EBL0+2b0n92BJQhw=
-github.com/tdewolff/minify/v2 v2.20.37/go.mod h1:L1VYef/jwKw6Wwyk5A+T0mBjjn3mMPgmjjA688RNsxU=
-github.com/tdewolff/parse/v2 v2.7.15 h1:hysDXtdGZIRF5UZXwpfn3ZWRbm+ru4l53/ajBRGpCTw=
-github.com/tdewolff/parse/v2 v2.7.15/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
+github.com/tdewolff/minify/v2 v2.21.0 h1:nAPP1UVx0aK1xsQh/JiG3xyEnnqWw+agPstn+V6Pkto=
+github.com/tdewolff/minify/v2 v2.21.0/go.mod h1:hGcthJ6Vj51NG+9QRIfN/DpWj5loHnY3bfhThzWWq08=
+github.com/tdewolff/parse/v2 v2.7.17 h1:uC10p6DaQQORDy72eaIyD+AvAkaIUOouQ0nWp4uD0D0=
+github.com/tdewolff/parse/v2 v2.7.17/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
 github.com/tdewolff/test v1.0.11-0.20231101010635-f1265d231d52/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739 h1:IkjBCtQOOjIn03u/dMQK9g+Iw9ewps4mCl1nB8Sscbo=
 github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739/go.mod h1:XPuWBzvdUzhCuxWO1ojpXsyzsA5bFoS3tO/Q3kFuTG8=
@@ -851,7 +851,6 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 
@@ -34,7 +34,7 @@ clean_kind=no
 api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
 dockerfile_path=""
 get_active_directory_vars="" # specify a filename for a script to get AD related env variables
-get_github_vars="" # specify a filename for a script to get GitHub related env variables
+get_github_vars=""           # specify a filename for a script to get GitHub related env variables
 alternate_deploy="undefined"
 pre_install="undefined"
 
@@ -319,6 +319,15 @@ service_https_nodeport_nodeport: $service_https_nodeport_nodeport
 service_https_clusterip_port: $service_https_clusterip_port
 EOF
 
+if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+  # Configure the web proxy on the Supervisor pods. Note that .svc and .cluster.local are not included,
+  # so requests for things like dex.tools.svc.cluster.local will go through the web proxy.
+  cat <<EOF >>"$data_values_file"
+https_proxy: "http://proxy.tools.svc.cluster.local:3128"
+no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"
+EOF
+fi
+
 if [ "$alternate_deploy" != "undefined" ]; then
   log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file ..."
   $alternate_deploy pinniped-supervisor "$tag" $registry_with_port $repo $data_values_file
@@ -338,7 +347,7 @@ manifest=/tmp/pinniped-concierge.yaml
 data_values_file=/tmp/concierge-values.yml
 concierge_app_name="pinniped-concierge"
 concierge_namespace="concierge"
-webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
+webhook_url="https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate"
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
 concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
 log_level="debug"
@@ -354,6 +363,16 @@ image_tag: $tag
 discovery_url: $discovery_url
 EOF
 
+if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+  # Configure the web proxy on the Concierge pods. Note that .svc and .cluster.local are not included,
+  # so requests for things like pinniped-supervisor-clusterip.supervisor.svc.cluster.local and
+  # local-user-authenticator.local-user-authenticator.svc.cluster.local will go through the web proxy.
+  cat <<EOF >>"$data_values_file"
+https_proxy: "http://proxy.tools.svc.cluster.local:3128"
+no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"
+EOF
+fi
+
 if [ "$alternate_deploy" != "undefined" ]; then
   log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file ..."
   $alternate_deploy pinniped-concierge "$tag" $registry_with_port $repo $data_values_file
@@ -366,6 +385,77 @@ else
   popd >/dev/null
 fi
 
+#
+# Now that the everything is deployed, optionally firewall the Dex server, the local user authenticator server,
+# and the GitHub API so that the Supervisor and Concierge cannot reach them directly. However, the Squid
+# proxy server can reach them all, so the Supervisor and Concierge can reach them through the proxy.
+#
+if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+  log_note "Setting up firewalls for the Supervisor and Concierge's outgoing TCP/UDP network traffic..."
+  cat <<EOF | kubectl apply --wait -f -
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: supervisor-cannot-make-external-requests
+  namespace: ${supervisor_namespace}
+spec:
+  # An empty podSelector matches all pods in this namespace.
+  podSelector: {}
+  policyTypes:
+    - Egress
+  # This is an allow list. Everything else disallowed.
+  # Especially note that it cannot access Dex or the GitHub API directly.
+  egress:
+  - to:
+    # Allowed to make requests to all pods in kube-system for DNS and Kube API.
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    # Allowed to make requests to the LDAP server in tools, because we cannot use
+    # an HTTP proxy for the LDAP protocol, since LDAP is not over HTTP.
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: tools
+      podSelector:
+        matchLabels:
+          app: ldap
+    # Allowed to make requests to the Squid proxy server in the tools namespace.
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: tools
+      podSelector:
+        matchLabels:
+          app: proxy
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: concierge-cannot-make-external-requests
+  namespace: ${concierge_namespace}
+spec:
+  # An empty podSelector matches all pods in this namespace.
+  podSelector: {}
+  policyTypes:
+    - Egress
+  # This is an allow list. Everything else disallowed.
+  # Especially note that it cannot access the local user authenticator or Supervisor directly.
+  egress:
+  - to:
+    # Allowed to make requests to all pods in kube-system for DNS and Kube API.
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    # Allowed to make requests to the Squid proxy server in the tools namespace.
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: tools
+      podSelector:
+        matchLabels:
+          app: proxy
+EOF
+fi
+
 #
 # Create a test user in the local-user-authenticator and get its CA bundle.
 #
 
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 #
@@ -50,7 +50,7 @@ kind: WebhookAuthenticator
 metadata:
   name: local-user-authenticator
 spec:
-  endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
+  endpoint: https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate
   tls:
     certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
 EOF
 
@@ -119,7 +119,8 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
 	// Using the CA from above, create a TLS server cert if we have service name.
 	if len(c.serviceNameForGeneratedCertCommonName) != 0 {
 		serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc"
-		tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint}, nil, c.certDuration)
+		// Allow clients to use either service-name.namespace.svc or service-name.namespace.svc.cluster.local to verify TLS.
+		tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint, serviceEndpoint + ".cluster.local"}, nil, c.certDuration)
 		if err != nil {
 			return fmt.Errorf("could not issue serving certificate: %w", err)
 		}
 
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apicerts
@@ -225,6 +225,7 @@ func TestManagerControllerSync(t *testing.T) {
 				// Validate the created cert using the CA, and also validate the cert's hostname
 				validCert := testutil.ValidateServerCertificate(t, actualCACert, actualCertChain)
 				validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
+				validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc.cluster.local")
 				validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
 				validCert.RequireMatchesPrivateKey(actualPrivateKey)
 			})