The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
[1]: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
when bumping ginkgo to v2, a third party lib of ginkgo has to be
included in go.mod to fix a ginkgo flag redefined error. The root
cause is a test file imports ginkgo v2 and a lib who imports ginkgo
v1.
So now we need to bump lager to v3 who also uses ginkgo v2, together
with concourse/retryhttp and concourse/flag bumps to get rid of the
ginkgo v1 reference everywhere.
Signed-off-by: Rui Yang <ruiya@vmware.com>
Ginkgo 2.0 introduced [new features](https://onsi.github.io/ginkgo/MIGRATING_TO_V2#major-additions-and-improvement)
that substantially improve developer experience. It is also now the only
actively developed and supported version of Ginkgo.
Co-authored-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: David Timm <dtimm@vmware.com>
remove pkger and use go embed for dex web assets
not sure why it insists on bumping containerd and friends as well
Signed-off-by: Rui Yang <ryang@pivotal.io>
Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
Signed-off-by: Aidan Oldershaw <aoldershaw@pivotal.io>
several test suites had to do the same setup/teardown for the postgres
process. this commit adds a helper to configure the Before/AfterSuite
for the common case, while adding more fine-grained helpers if you e.g.
need a more complicated Before/AfterSuite (since Ginkgo only lets you
have one)
Signed-off-by: Aidan Oldershaw <aoldershaw@pivotal.io>
rather than the awkward "RestoreDBFromTemplate" method, we can instead
create the DB from a template at the start of each test and then drop it
after each test.
some of these suites, due to their nature (testing migrations
themselves) or Ginkgo awkwardness (can't have both BeforeSuite and
SynchronizedBeforeSuite), require creating a fresh database each time -
for this, there's CreateEmptyTestDB. typically, CreateTestDBFromTemplate
is what you'll want, though
Signed-off-by: Aidan Oldershaw <aoldershaw@pivotal.io>
pkged.go contains assets file for Dex under skymarshal/web, which
will be accessed by Dex server during runtime.
Signed-off-by: Rui Yang <ruiya@vmware.com>
so it could get latest from upstream dex and the release of
concourse/dex in the future could be picked up by dependabot
Signed-off-by: Rui Yang <ruiya@vmware.com>
I've noticed this test flaking for a while now, and it's integrating across a
wide boundary -- I think it's OK to simply make it a bit more permissive.
On the other hand, it's a very small piece of validation logic that is being
tested, which would be a natural candidate for a unit test. We may have a bit
of a separation problem here.
On the other other hand, we're going to revisit configuration soon so it might
make sense to pay down this pre-existing tech debt later when we're doing the
right thing anyway.
Signed-off-by: Jamie Klassen <jklassen@vmware.com>
when using the `aud` claim, these two values are coordinated, otherwise
just assumes that the user knows what they're doing.
fixes #5536
Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
Co-authored-by: Joshua Winters <jwinters@pivotal.io>
concourse/concourse#5421
This was accidentally left in from when @vito and I were experimenting with ways
to invoke the `concourse` binary in tests.
Signed-off-by: Jamie Klassen <cklassen@pivotal.io>
concourse/concourse#5421
I find I struggle to read such a long nested context and it seems clearer to
just describe the happy path without too many extra descriptors - in the spirit
of Gary Bernhardt, let's save our detailed conditions for the degenerate cases.
Signed-off-by: Jamie Klassen <cklassen@pivotal.io>
use the signing key to create a default client secret for the 'atc' and
'tsa' clients.
the goal here is to have a reasonable default such that operators won't
have to do anything special in order to upgrade or deploy a new
multi-web-node Concourse cluster.
requiring operators to configure these client secrets is a little bit
confusing, because they're actually for authenticating with Dex, which
we try to keep hidden away for the most part. we can still allow the
flags to be set if an operator has some reason to set their own.
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
- The biggest change here is the fact that skymarshal, which is actually
3 different components (auth server, login server, legacy proxy) is now
broken up so it's more obvious what each component does.
- There ends up being a lot of configuration that happens which needs to
describe how the tsa/dex/sky/api are all going to communicate (mostly
configuring clients and auth endpoints everywhere) but since all these
things live on the same host, we can do some configuration magic in the
web cmd.
- This commit also makes things much more configurable. For instance
users can configure how we identify 'system' requests in concourse.
Signed-off-by: Josh Winters <jwinters@pivotal.io>
- use client credentials grant to request token
- all requests from the tsa will be treated as 'system' requests since
the tsa already handles its own authorization for team based worker
operations
- remove atc specific logic from tsa integration tests, the tsa
shouldn't care how the api handles its internal authorization
Signed-off-by: Josh Winters <jwinters@pivotal.io>
most of the flow that takes place in the operations that we perform on
containers look like this:
1. create a container
2. leave it running there for a few moments
3. execute a process there
however, as a container is a process with a certain set of kernel
features enabled on it to provide a sandboxed environment, we need to
have an init process there in the first place.
this commit created `cmd/init`, which is exactly that - an executable
that takes care of ... being there! it does nothing more than waiting
for a signal to come (having marked itself as not caring about any
children in that pid namespace).
Signed-off-by: Ciro S. Costa <cscosta@pivotal.io>
Say cluster name is "dev", then sample log lines are as below: (notice "cluster" field in logs)
web_1 | {"timestamp":"2019-09-11T00:53:59.706488300Z","level":"info","source":"atc","message":"atc.cmd.finish","data":{"cluster":"dev","duration":378200,"session":"1"}}
web_1 | {"timestamp":"2019-09-11T00:53:59.707583200Z","level":"info","source":"tsa","message":"tsa.listening","data":{"cluster":"dev"}}
Signed-off-by: Chao Li <chaol@vmware.com>
this fails if the defaults actually work on the dev's machine. i can't
really think of a good way to assert on anything useful here. :/ just
gonna remove it since it's covering for a fixed panic() which should
also be covered by the remaining tests.
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
add a max-in-flight for the sweepers so that containers
and volumes can be deleted in parallel with a batch size
of `max-in-flight`
refactor workerCommand.Execute and make tsa.WorkerPrivateKey
explicitly required.
make both sweepers private as they don't need to be exposed.
concourse/concourse#2833
Signed-off-by: Krishna Mannem <kmannem@pivotal.io>
Co-authored-by: Divya Dadlani <ddadlani@pivotal.io>
split SweepRunner into ContainerSweeper and VolumeSweeper;
run in their own ifrit processes so that container and
volume GC can occur independently.
Signed-off-by: Krishna Mannem <kmannem@pivotal.io>
Co-authored-by: Divya Dadlani <ddadlani@pivotal.io>
this can also be a DNS address, not just an IP
this looks backwards-incompatible but in practice this flag was always
auto-set by taking the host from `--peer-url`. that flag has now been
removed, and --tsa-peer-address is to be used instead, so we might as
well get the name right.
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>