Documentation
Index
- Variables
- func BuildMergedKubeconfig(bindings []*provider.BindingMeta, proxyToken string, credproxyURL string) (*provider.SandboxConfigFile, error)
- func IsPrivateIP(ip net.IP) bool
- func ParseKubeconfig(_ string, raw []byte) (*provider.UploadResult, error)
- func ValidateIssuerURL(issuerURL string) error
- type K8sProvider
- func (p *K8sProvider) BuildSandboxConfig(bindings []*provider.BindingMeta, proxyToken string, credproxyPublicURL string) ([]*provider.SandboxConfigFile, error)
- func (p *K8sProvider) Kind() string
- func (p *K8sProvider) ParseUpload(contentType string, raw []byte) (*provider.UploadResult, error)
- func (p *K8sProvider) ServeHTTP(w http.ResponseWriter, r *http.Request, b *provider.DecryptedBinding)
- type OIDCAuthConfig
Constants
This section is empty.
Variables
var AllowPrivateUpstreams bool
AllowPrivateUpstreams disables the SSRF dial-time guard when true. Set by cmd/credentialproxy/main.go from config.
Functions
func BuildMergedKubeconfig
func BuildMergedKubeconfig(bindings []*provider.BindingMeta, proxyToken string, credproxyURL string) (*provider.SandboxConfigFile, error)
BuildMergedKubeconfig generates a merged kubeconfig that routes all cluster traffic through the credential proxy. Pure function: no I/O.
func IsPrivateIP
IsPrivateIP reports whether ip falls in any private/reserved range.
func ParseKubeconfig
func ParseKubeconfig(_ string, raw []byte) (*provider.UploadResult, error)
ParseKubeconfig validates an uploaded kubeconfig YAML document and extracts the fields to persist.
func ValidateIssuerURL (added in v0.40.0)
ValidateIssuerURL checks that an OIDC issuer URL uses https and does not point at a private IP. It is exported so the agentserver handler can call it before OIDC discovery.
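An added example (not the project's code) of the two checks described above: a URL-level check like the one ValidateIssuerURL is documented to perform, and a dial-time guard of the kind AllowPrivateUpstreams switches off. The names isPrivate, checkIssuer and guardDial, the range list, and the use of net.Dialer.Control are assumptions; the page does not show how the package implements either check.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
)

// isPrivate is a hypothetical stand-in for IsPrivateIP; its range list is assumed.
func isPrivate(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkIssuer (hypothetical) applies the documented contract: https only, and
// the host must not be a private IP literal. Hostnames are not resolved here.
func checkIssuer(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return errors.New("issuer must be an https URL with a host")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isPrivate(ip) {
		return errors.New("issuer host is a private/reserved IP")
	}
	return nil
}

// guardDial (hypothetical) returns a net.Dialer.Control hook. Control runs after
// DNS resolution, so a public-looking name that resolves inward is still refused.
func guardDial(allowPrivate bool) func(network, address string, _ syscall.RawConn) error {
	return func(network, address string, _ syscall.RawConn) error {
		host, _, err := net.SplitHostPort(address)
		if err != nil {
			return err
		}
		if ip := net.ParseIP(host); !allowPrivate && (ip == nil || isPrivate(ip)) {
			return fmt.Errorf("dial to %s refused: private/reserved address", address)
		}
		return nil
	}
}

func main() {
	fmt.Println(checkIssuer("https://10.0.0.5/realms/x"))           // constructed input
	fmt.Println(guardDial(false)("tcp", "169.254.169.254:80", nil)) // constructed input
}
```

The URL check only catches IP literals, which is why a dial-time guard is the backstop: wiring the hook in as `net.Dialer{Control: guardDial(false)}` applies it to every resolved address, including after redirects.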
Types
type K8sProvider
type K8sProvider struct{}
K8sProvider implements provider.Provider for Kubernetes API servers.
func (*K8sProvider) BuildSandboxConfig
func (p *K8sProvider) BuildSandboxConfig(bindings []*provider.BindingMeta, proxyToken string, credproxyPublicURL string) ([]*provider.SandboxConfigFile, error)
func (*K8sProvider) Kind
func (p *K8sProvider) Kind() string
func (*K8sProvider) ParseUpload
func (p *K8sProvider) ParseUpload(contentType string, raw []byte) (*provider.UploadResult, error)
func (*K8sProvider) ServeHTTP
func (p *K8sProvider) ServeHTTP(w http.ResponseWriter, r *http.Request, b *provider.DecryptedBinding)
type OIDCAuthConfig (added in v0.40.0)
type OIDCAuthConfig struct {
	IssuerURL    string   `json:"issuer_url"`
	ClientID     string   `json:"client_id"`
	Scopes       []string `json:"scopes"`
	RefreshToken string   `json:"refresh_token,omitempty"`
	AccessToken  string   `json:"access_token,omitempty"`
	TokenExpiry  string   `json:"token_expiry,omitempty"`
}
OIDCAuthConfig is the auth_blob plaintext format for auth_type="oidc".