controller

package
v1.0.0-rc11 Latest
Published: Sep 4, 2025 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Constants

const (
	// AccessRequestFinalizerName defines the name of the AccessRequest finalizer
	// managed by this controller
	AccessRequestFinalizerName = "accessrequest.ephemeral-access.argoproj-labs.io/finalizer"
)
const (
	FieldOwnerEphemeralAccess = "ephemeral-access-controller"
)

Variables

This section is empty.

Functions

func ApplicationChangedPredicate

func ApplicationChangedPredicate() predicate.Predicate

ApplicationChangedPredicate returns a predicate that triggers reconciliation when an ArgoCD Application's project changes, or when the Application is deleted. It ignores create and generic events.

func MatchRolePoliciesAndTokens

func MatchRolePoliciesAndTokens(role argocd.ProjectRole, policies []string, tokens []argocd.JWTToken) bool

MatchRolePoliciesAndTokens compares the Policies and JWTTokens of the given ProjectRole against the given policies and tokens slices and returns true if both pairs are identical regardless of order. Returns false if the lengths differ or any element is missing from either side.

func ProjectChangeShouldTriggerReconcile

func ProjectChangeShouldTriggerReconcile(newProj, oldProj *argocd.AppProject) bool

ProjectChangeShouldTriggerReconcile determines whether a change between two AppProject objects should trigger a reconcile. It compares the roles, policies, JWT tokens, and groups between the new and old project specifications. If there are any differences in the number of roles, policies, JWT tokens, groups, or in the role names or descriptions, it returns true. If either project is nil, it also returns true.
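
As an added illustration of what the two comparison functions above decide, and not the project's own code: a stand-alone Go version of the order-insensitive comparison and of the change test, using hypothetical stand-in types in place of the Argo CD AppProject, ProjectRole and JWTToken types. It matches roles by position and treats Groups as an unordered multiset; both are assumptions of the example, as are the sample policy strings. The point worth seeing in code is which edits reach the reconciler: a policy reorder is noise, but a subject added to an elevated role out of band must trigger a reconcile so the reconciler sees it.

```go
package main

import "fmt"

// Stand-in types for the Argo CD AppProject role structures the controller
// compares. They are an assumption of this example, not the real
// github.com/argoproj/argo-cd types.
type JWTToken struct {
	IssuedAt  int64
	ExpiresAt int64
	ID        string
}

type ProjectRole struct {
	Name        string
	Description string
	Policies    []string
	JWTTokens   []JWTToken
	Groups      []string
}

type AppProject struct {
	Roles []ProjectRole
}

// sameMultiset reports whether a and b hold the same elements with the same
// multiplicities, ignoring order. Counting, rather than checking membership,
// means ["a","a"] and ["a","b"] are correctly reported as different. JWTToken
// has only comparable fields, so it can be a map key like string.
func sameMultiset[T comparable](a, b []T) bool {
	if len(a) != len(b) {
		return false
	}
	counts := make(map[T]int, len(a))
	for _, x := range a {
		counts[x]++
	}
	for _, y := range b {
		if counts[y] == 0 {
			return false
		}
		counts[y]--
	}
	return true
}

// matchRolePoliciesAndTokens follows the documented contract: true only when
// the role's Policies and JWTTokens equal the given slices regardless of order.
func matchRolePoliciesAndTokens(role ProjectRole, policies []string, tokens []JWTToken) bool {
	return sameMultiset(role.Policies, policies) && sameMultiset(role.JWTTokens, tokens)
}

// projectChangeShouldTriggerReconcile returns true for any difference the
// controller cares about. Roles are matched by position, an assumption of
// this example; a nil project always triggers, as the documentation states.
func projectChangeShouldTriggerReconcile(newProj, oldProj *AppProject) bool {
	if newProj == nil || oldProj == nil {
		return true
	}
	if len(newProj.Roles) != len(oldProj.Roles) {
		return true
	}
	for i := range newProj.Roles {
		n, o := newProj.Roles[i], oldProj.Roles[i]
		if n.Name != o.Name || n.Description != o.Description {
			return true
		}
		if !sameMultiset(n.Groups, o.Groups) {
			return true
		}
		if !matchRolePoliciesAndTokens(n, o.Policies, o.JWTTokens) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one elevated role managed by the controller.
	old := &AppProject{Roles: []ProjectRole{{Name: "ephemeral-admin", Policies: []string{"p, sync", "p, get"}, Groups: []string{"alice"}}}}
	// Same policies in a different order: no reconcile needed.
	reordered := &AppProject{Roles: []ProjectRole{{Name: "ephemeral-admin", Policies: []string{"p, get", "p, sync"}, Groups: []string{"alice"}}}}
	// A subject added to the role out of band: the reconciler must see it.
	tampered := &AppProject{Roles: []ProjectRole{{Name: "ephemeral-admin", Policies: []string{"p, sync", "p, get"}, Groups: []string{"alice", "mallory"}}}}
	fmt.Println(projectChangeShouldTriggerReconcile(reordered, old), projectChangeShouldTriggerReconcile(tampered, old)) // false true
}
```

Matching roles by position is the simplest reading of "differences in the number of roles"; if the real comparison pairs roles by name instead, a rename would show up as a name difference either way, so the outcome is the same for the cases shown.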

func ProjectChangedPredicate

func ProjectChangedPredicate() predicate.Predicate

ProjectChangedPredicate returns a predicate that triggers reconciliation only when an ArgoCD AppProject has changed in a way that should trigger a reconcile, as determined by ProjectChangeShouldTriggerReconcile. It ignores create, delete, and generic events.

func RoleTemplateHash

func RoleTemplateHash(rt *api.RoleTemplate) string

RoleTemplateHash generates a hash for the given role template based only on the fields whose change requires an update of the AppProject role.
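
An added example of the hashing discipline this function implies, not the controller's own implementation: which RoleTemplate fields feed the hash, the stand-in type and the SHA-256 hex construction are all assumptions. Two things a reviewer would check are shown: metadata-only changes (resourceVersion, labels) must not alter the hash, and the field encoding must be unambiguous so that two different templates cannot collide by sharing the same concatenated bytes.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// RoleTemplate stand-in for this example. Name, Description and Policies are
// assumed to be the fields that shape the AppProject role; the metadata fields
// are deliberately kept out of the hash so that a resourceVersion bump or a
// label edit alone never forces a role rewrite. Which fields the real
// controller hashes is not stated on this page.
type RoleTemplate struct {
	ResourceVersion string
	Labels          map[string]string
	Name            string
	Description     string
	Policies        []string
}

// writeField appends a length-prefixed string. The prefix makes the byte
// stream unambiguous: without it Policies ["ab","c"] and ["a","bc"], or
// Description "x" with no policies and an empty Description with policy "x",
// would hash identically and a needed update could be skipped.
func writeField(h hash.Hash, s string) {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(s)))
	h.Write(n[:])
	h.Write([]byte(s))
}

// roleTemplateHash hashes only the role-relevant fields. Policy order is kept
// as-is (conservative: a reorder costs one harmless update); sort Policies
// first if reorders should be ignored.
func roleTemplateHash(rt *RoleTemplate) string {
	h := sha256.New()
	writeField(h, rt.Name)
	writeField(h, rt.Description)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(rt.Policies)))
	h.Write(n[:])
	for _, p := range rt.Policies {
		writeField(h, p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed sample: one template before and after a metadata-only change,
	// and after its policy is widened.
	v1 := &RoleTemplate{ResourceVersion: "100", Name: "ephemeral-admin", Description: "temporary admin",
		Policies: []string{"p, proj:demo:ephemeral-admin, applications, sync, demo/*, allow"}}
	v2 := &RoleTemplate{ResourceVersion: "101", Labels: map[string]string{"team": "sre"},
		Name: v1.Name, Description: v1.Description, Policies: v1.Policies}
	v3 := &RoleTemplate{ResourceVersion: "102", Name: v1.Name, Description: v1.Description,
		Policies: []string{"p, proj:demo:ephemeral-admin, applications, *, demo/*, allow"}}
	fmt.Println(roleTemplateHash(v1) == roleTemplateHash(v2)) // true: no role update needed
	fmt.Println(roleTemplateHash(v1) == roleTemplateHash(v3)) // false: policy changed, update required
}
```

The hash is a change detector, not an integrity control: anyone who can edit the AppProject can also edit whatever the hash is stored in, so it only saves redundant writes and must not be relied on to detect tampering.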

Types

type AccessRequestConflictError

type AccessRequestConflictError struct {
	// contains filtered or unexported fields
}

func NewAccessRequestConflictError

func NewAccessRequestConflictError(msg string) *AccessRequestConflictError

func (*AccessRequestConflictError) Error

type AccessRequestReconciler

type AccessRequestReconciler struct {
	client.Client
	Scheme  *runtime.Scheme
	Service *Service
	Config  config.ControllerConfigurer
}

AccessRequestReconciler reconciles an AccessRequest object

func (*AccessRequestReconciler) HandleConflict

func (r *AccessRequestReconciler) HandleConflict(ctx context.Context, ar *api.AccessRequest) error

HandleConflict processes AccessRequest objects to handle validation conflicts. If a conflict is detected, it updates the AccessRequest status to invalid. Returns an AccessRequestConflictError if a conflict scenario is identified.

func (*AccessRequestReconciler) Reconcile

func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)

Reconcile is the main function that will be invoked on every change to an AccessRequest's desired state. It will:

  1. Handle the accessrequest finalizer
  2. Validate the AccessRequest
  3. Verify if the AccessRequest is expired
     3.1 If so, remove the user from the elevated role
     3.2 Update the accessrequest status to "expired"
  4. Verify if the user has the necessary access to be promoted
     4.1 If they don't, update the accessrequest status to "denied"
  5. Invoke the preconfigured plugin to check if access can be granted
  6. Assign the user to the desired role in the AppProject
  7. Update the accessrequest status to "granted"

func (*AccessRequestReconciler) SetupWithManager

func (r *AccessRequestReconciler) SetupWithManager(mgr ctrl.Manager) error

SetupWithManager sets up the controller with the Manager.

func (*AccessRequestReconciler) ValidateConflict

func (r *AccessRequestReconciler) ValidateConflict(ctx context.Context, ar *api.AccessRequest) error

ValidateConflict will verify if there are existing AccessRequests for the same user/app/role already in progress.

type AllowedResponse

type AllowedResponse struct {
	Allowed bool
	Status  plugin.GrantStatus
	Message string
}

AllowedResponse defines the response that will be returned by permission verifier plugins.

type K8sClient

type K8sClient interface {
	// Patch patches the given obj in the Kubernetes cluster. obj must be a
	// struct pointer so that obj can be updated with the content returned by the Server.
	Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error

	// Get retrieves an obj for the given object key from the Kubernetes Cluster.
	// obj must be a struct pointer so that obj can be updated with the response
	// returned by the Server.
	Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error

	// Status knows how to create a client which can update status subresource
	// for kubernetes objects.
	Status() client.SubResourceWriter
}

type Service

type Service struct {
	Config config.ControllerConfigurer
	// contains filtered or unexported fields
}

func NewService

func NewService(c K8sClient, cfg config.ControllerConfigurer, accessRequester plugin.AccessRequester) *Service

func (*Service) Allowed

Allowed will invoke the GrantAccess() function from this Service.accessRequester plugin. If the Service.accessRequester plugin is nil, it will allow the controller to proceed with handling the permission.

func (*Service) HandlePermission

func (s *Service) HandlePermission(ctx context.Context, ar *api.AccessRequest) (api.Status, error)

HandlePermission will analyse the given ar and proceed with granting or removing Argo CD access for the subject listed in the AccessRequest. The following validations will be executed:

  1. Check if the given ar is expired. If so, the subject will be removed from the Argo CD role.
  2. Check if the subject is allowed to be assigned the target role of the given AccessRequest. If so, it will proceed with granting Argo CD access. Otherwise it will return DeniedStatus.

It will update the AccessRequest status accordingly with the situation.
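
The ordering of the checks, in the Reconcile steps above and in this function, is the part worth getting right, so here is an added example, not the project's own code, of the decision as a pure function over stand-in types (the AccessRequest fields, the role membership map, the authorization callback and the plugin signature are all assumptions): expiry is checked first and revokes the subject, the controller's own authorization comes next, and the plugin is consulted last, with a nil plugin allowing as the Allowed documentation below states.

```go
package main

import (
	"fmt"
	"time"
)

// Status values are the ones the documentation names for the AccessRequest.
type Status string

const (
	StatusGranted Status = "granted"
	StatusDenied  Status = "denied"
	StatusExpired Status = "expired"
)

// AccessRequest stand-in carrying only what the decision needs; the real API
// type and its field names are not reproduced here.
type AccessRequest struct {
	Subject   string
	Role      string
	ExpiresAt time.Time
}

// roleMembers stands in for the subjects (groups) assigned to each AppProject role.
type roleMembers map[string]map[string]bool

func (m roleMembers) grant(role, subject string) {
	if m[role] == nil {
		m[role] = map[string]bool{}
	}
	m[role][subject] = true
}

func (m roleMembers) revoke(role, subject string)   { delete(m[role], subject) }
func (m roleMembers) has(role, subject string) bool { return m[role][subject] }

// AccessRequester stands in for the plugin's GrantAccess; nil means no plugin is configured.
type AccessRequester func(ar *AccessRequest) (allowed bool, message string)

// handlePermission applies the documented order of checks:
//  1. expiry first, so an expired request is revoked and can never be (re)granted;
//  2. the controller's own check that the subject may assume the role;
//  3. the optional plugin, consulted only after 2 passed (nil plugin allows).
func handlePermission(ar *AccessRequest, now time.Time, members roleMembers,
	isAllowed func(*AccessRequest) bool, plugin AccessRequester) (Status, string) {
	if !now.Before(ar.ExpiresAt) { // expiry reached: revoke regardless of anything else
		members.revoke(ar.Role, ar.Subject)
		return StatusExpired, "access expired"
	}
	if !isAllowed(ar) {
		return StatusDenied, "subject is not allowed to assume the role"
	}
	if plugin != nil {
		if ok, msg := plugin(ar); !ok {
			return StatusDenied, msg
		}
	}
	members.grant(ar.Role, ar.Subject)
	return StatusGranted, "access granted"
}

func main() {
	now := time.Date(2025, 9, 4, 12, 0, 0, 0, time.UTC) // constructed clock
	members := roleMembers{}
	onCall := func(ar *AccessRequest) bool { return ar.Subject == "alice" } // constructed authorization rule
	live := &AccessRequest{Subject: "alice", Role: "ephemeral-admin", ExpiresAt: now.Add(time.Hour)}
	fmt.Println(handlePermission(live, now, members, onCall, nil)) // granted access granted
	bob := &AccessRequest{Subject: "bob", Role: "ephemeral-admin", ExpiresAt: now.Add(time.Hour)}
	fmt.Println(handlePermission(bob, now, members, onCall, nil)) // denied subject is not allowed to assume the role
	// ExpiresAt == now already counts as expired, and alice is taken out of the role again.
	fmt.Println(handlePermission(&AccessRequest{Subject: "alice", Role: "ephemeral-admin", ExpiresAt: now}, now, members, onCall, nil)) // expired access expired
	fmt.Println(members.has("ephemeral-admin", "alice")) // false
}
```

The page does not say whether a subject that was granted earlier and is now denied is also removed from the role; this example leaves membership untouched on denial and relies on expiry for removal, which is the documented revocation path.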

func (*Service) RemoveArgoCDAccess

func (s *Service) RemoveArgoCDAccess(ctx context.Context, ar *api.AccessRequest, rt *api.RoleTemplate) error

RemoveArgoCDAccess will remove the subject of the given AccessRequest from the role ar.TargetRoleName in the Argo CD AppProject referenced by ar.Spec.AppProject. The AppProject update is executed via a patch with optimistic lock enabled, and it will retry if an AppProject conflict is identified.
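
An added, stand-alone simulation (not the project's code) of why the patch is made with optimistic locking and retried on conflict. Kubernetes and controller-runtime are replaced by a tiny in-memory stand-in that rejects a patch carrying a stale resourceVersion, which is the behaviour the optimistic-lock option on a controller-runtime merge patch asks the real API server for; the types, the hook used to inject a concurrent writer and the group names are all constructed for the example. Without the lock, the read-modify-write on the role's group list silently drops a grant made by a concurrent reconcile; with it, the controller observes the conflict, re-reads and reapplies its removal.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"sync"
)

// AppProject stand-in: one elevated role and the subjects (Argo CD groups)
// currently granted it. Not the real Argo CD type.
type AppProject struct {
	ResourceVersion string
	Groups          []string
}

var errConflict = errors.New("conflict: resourceVersion is stale")

// fakeAPIServer models the one API-server behaviour that matters here: a patch
// carrying metadata.resourceVersion is rejected (HTTP 409) when the stored
// object has moved on, while a patch without it is simply applied.
type fakeAPIServer struct {
	mu   sync.Mutex
	obj  AppProject
	rev  int
	hook func() // fires once before the next patch, simulating a concurrent writer
}

func newServer(groups ...string) *fakeAPIServer {
	return &fakeAPIServer{obj: AppProject{ResourceVersion: "0", Groups: groups}}
}

func (s *fakeAPIServer) get() AppProject {
	s.mu.Lock()
	defer s.mu.Unlock()
	return AppProject{ResourceVersion: s.obj.ResourceVersion, Groups: append([]string(nil), s.obj.Groups...)}
}

// patch applies groups. A non-empty expectedRV enables the optimistic lock;
// an empty one is a plain merge patch where the last writer wins.
func (s *fakeAPIServer) patch(expectedRV string, groups []string) error {
	if h := s.hook; h != nil {
		s.hook = nil
		h()
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if expectedRV != "" && expectedRV != s.obj.ResourceVersion {
		return errConflict
	}
	s.rev++
	s.obj = AppProject{ResourceVersion: strconv.Itoa(s.rev), Groups: append([]string(nil), groups...)}
	return nil
}

func without(groups []string, subject string) []string {
	kept := make([]string, 0, len(groups))
	for _, g := range groups {
		if g != subject {
			kept = append(kept, g)
		}
	}
	return kept
}

// removeSubject is the read-modify-write the documentation describes: re-read
// the AppProject and retry while the server reports a conflict, so a change
// made between the read and the write is never overwritten. Returns attempts.
func removeSubject(s *fakeAPIServer, subject string, maxAttempts int) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		cur := s.get()
		err := s.patch(cur.ResourceVersion, without(cur.Groups, subject))
		if err == nil {
			return attempt, nil
		}
		if !errors.Is(err, errConflict) {
			return attempt, err
		}
	}
	return maxAttempts, fmt.Errorf("removing %q: gave up after %d conflicts", subject, maxAttempts)
}

func main() {
	// Constructed start state: alice (grant expired) and bob hold the role. The
	// hook plays another reconcile granting carol between our read and write.
	locked := newServer("alice", "bob")
	locked.hook = func() { c := locked.get(); _ = locked.patch(c.ResourceVersion, append(c.Groups, "carol")) }
	attempts, err := removeSubject(locked, "alice", 5)
	fmt.Println(attempts, err, locked.get().Groups) // 2 <nil> [bob carol]

	unlocked := newServer("alice", "bob")
	unlocked.hook = func() { c := unlocked.get(); _ = unlocked.patch(c.ResourceVersion, append(c.Groups, "carol")) }
	_ = unlocked.patch("", without(unlocked.get().Groups, "alice"))
	fmt.Println(unlocked.get().Groups) // [bob]: carol's grant was silently lost
}
```

A bounded retry count matters as much as the retry itself: an AppProject that is being edited continuously would otherwise keep a reconcile spinning, and the error returned after the last attempt is what lets the reconciler requeue with backoff instead.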

func (*Service) ValidateProject

func (s *Service) ValidateProject(ctx context.Context, app *argocd.Application, ar *api.AccessRequest) (bool, error)

ValidateProject validates that the Argo CD Application is associated with a valid project and that the AccessRequest matches the current project. It updates the AccessRequest status to invalid in the following cases:

  - The Application project isn't set.
  - The Application project changed.
  - The Application project does not exist.

Returns true if the project is valid and exists, false otherwise. Returns an error if any status update or project retrieval fails.
