Documentation
Index ¶
- Constants
- func AddImageProxy(ctx context.Context, rpc *grpc.Server, imageServiceAddress string)
- func EvictStaleCredentials(liveRefs map[string]struct{})
- func InitCredentialStore(interval time.Duration)
- func InitKubeSecretListener(ctx context.Context, kubeconfigPath string) error
- func InitKubeletProvider(configPath, binDir string) error
- type AuthProvider
- type AuthRequest
- type CRIProvider
- type DockerProvider
- type KubeSecretListener
- type KubeSecretProvider
- type KubeletProvider
- type LabelsProvider
- type PassKeyChain
- func FromBase64(str string) (PassKeyChain, error)
- func GetKeyChainByRef(ref string, labels map[string]string) (*PassKeyChain, error)
- func GetRegistryKeyChain(ref string, labels map[string]string) *PassKeyChain
- func GetStoredCredential(ref string) *PassKeyChain
- func RenewCredential(ref string) *PassKeyChain
- type RenewableProvider
Constants ¶
const DefaultImageServiceAddress = "/run/containerd/containerd.sock"
Variables ¶
This section is empty.
Functions ¶
func AddImageProxy ¶ added in v0.5.0
func AddImageProxy(ctx context.Context, rpc *grpc.Server, imageServiceAddress string)
AddImageProxy sets up a CRI image proxy that intercepts credentials. It should be called once at startup to enable CRI credential capture. Adapted from stargz-snapshotter/cmd/containerd-stargz-grpc/main.go#main.
func EvictStaleCredentials ¶ added in v0.15.14
func EvictStaleCredentials(liveRefs map[string]struct{})
EvictStaleCredentials removes store entries whose ref is not present in liveRefs. Entries added recently (within interval/2) are kept to avoid racing with a concurrent image pull: GetRegistryKeyChain adds the ref to the store on the first layer fetch, but the RAFS entry is only created later when the mount completes. Evicting here would cause redundant provider lookups for every remaining layer fetch in the pull.
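The grace window described above, as an added example that is not the package's code: a minimal ref-keyed store with an injectable clock, where evictStale drops refs missing from liveRefs but keeps entries younger than interval/2 so a pull whose RAFS mount has not completed yet is not evicted. The store type, its field names and the `now` hook are assumptions; the real global store is not shown on this page.

```go
package main

import (
	"sync"
	"time"
)

// entry is a cached credential together with the time it entered the store.
type entry struct {
	username, password string
	addedAt            time.Time
}

// credentialStore is a hypothetical stand-in for the package's global store: ref-keyed
// entries behind a mutex plus the renewal interval, which also sizes the grace window.
// now is injectable so the race window can be exercised deterministically in tests.
type credentialStore struct {
	mu       sync.Mutex
	interval time.Duration
	entries  map[string]entry
	now      func() time.Time
}

func newStore(interval time.Duration) *credentialStore {
	return &credentialStore{interval: interval, entries: map[string]entry{}, now: time.Now}
}

// put records credentials for ref, stamping them with the current time.
func (s *credentialStore) put(ref, user, pass string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[ref] = entry{user, pass, s.now()}
}

// evictStale drops every ref absent from liveRefs except entries younger than
// interval/2. Such an entry may belong to an in-flight pull: the first layer fetch
// already cached it, but the RAFS mount (and so its live ref) does not exist yet.
// Returns the number of evicted entries.
func (s *credentialStore) evictStale(liveRefs map[string]struct{}) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now, grace, evicted := s.now(), s.interval/2, 0
	for ref, e := range s.entries {
		if _, live := liveRefs[ref]; live || now.Sub(e.addedAt) < grace {
			continue
		}
		delete(s.entries, ref) // deleting during range is safe in Go
		evicted++
	}
	return evicted
}
```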
func InitCredentialStore ¶ added in v0.15.14
func InitCredentialStore(interval time.Duration)
InitCredentialStore creates the global credential store without starting any background goroutine. The caller is responsible for driving renewal (e.g., from snapshot/renewal.go).
func InitKubeSecretListener ¶ added in v0.3.0
func InitKubeSecretListener(ctx context.Context, kubeconfigPath string) error
func InitKubeletProvider ¶ added in v0.15.12
func InitKubeletProvider(configPath, binDir string) error
InitKubeletProvider initializes the global kubelet credential provider. This should be called once at startup if kubelet credential providers are enabled.
Types ¶
type AuthProvider ¶ added in v0.15.12
type AuthProvider interface {
// GetCredentials retrieves credentials for the given request.
// Returns nil if no credentials are available.
GetCredentials(req *AuthRequest) (*PassKeyChain, error)
String() string
}
AuthProvider manages how credentials are retrieved from different sources.
type AuthRequest ¶ added in v0.15.12
type AuthRequest struct {
// Ref is the full image reference (e.g., "docker.io/library/nginx:latest")
Ref string
// Labels are snapshot labels that may contain credentials
Labels map[string]string
// ValidUntil, when non-zero, instructs providers to return a credential
// that remains valid at least until this time. Providers that do not
// have a notion of expiration will ignore this.
ValidUntil time.Time
}
AuthRequest contains parameters for retrieving registry credentials.
type CRIProvider ¶ added in v0.15.12
type CRIProvider struct{}
CRIProvider retrieves credentials from CRI image pull requests.
func NewCRIProvider ¶ added in v0.15.12
func NewCRIProvider() *CRIProvider
NewCRIProvider creates a new CRI-based auth provider.
func (*CRIProvider) GetCredentials ¶ added in v0.15.12
func (p *CRIProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
func (*CRIProvider) String ¶ added in v0.15.12
func (p *CRIProvider) String() string
type DockerProvider ¶ added in v0.15.12
type DockerProvider struct {
// contains filtered or unexported fields
}
DockerProvider retrieves credentials from Docker's config.json.
func NewDockerProvider ¶ added in v0.15.12
func NewDockerProvider() *DockerProvider
NewDockerProvider creates a new Docker config-based auth provider.
func (*DockerProvider) CanRenew ¶ added in v0.15.12
func (p *DockerProvider) CanRenew() bool
CanRenew implements RenewableProvider. Docker credentials can be refreshed by re-reading the config file, which works well with Docker credential helpers.
func (*DockerProvider) GetCredentials ¶ added in v0.15.12
func (p *DockerProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from Docker's config.json. Returns nil if no credentials are found for the registry.
func (*DockerProvider) String ¶ added in v0.15.12
func (p *DockerProvider) String() string
type KubeSecretListener ¶ added in v0.3.0
type KubeSecretListener struct {
// contains filtered or unexported fields
}
func (*KubeSecretListener) GetCredentialsStore ¶ added in v0.3.0
func (kubelistener *KubeSecretListener) GetCredentialsStore(host string) *PassKeyChain
func (*KubeSecretListener) SyncKubeSecrets ¶ added in v0.3.0
func (kubelistener *KubeSecretListener) SyncKubeSecrets(ctx context.Context, clientset *kubernetes.Clientset) error
type KubeSecretProvider ¶ added in v0.15.12
type KubeSecretProvider struct{}
KubeSecretProvider implements AuthProvider for Kubernetes secrets.
func NewKubeSecretProvider ¶ added in v0.15.12
func NewKubeSecretProvider() *KubeSecretProvider
NewKubeSecretProvider creates a new Kubernetes secret-based auth provider.
func (*KubeSecretProvider) CanRenew ¶ added in v0.15.12
func (p *KubeSecretProvider) CanRenew() bool
CanRenew implements RenewableProvider. KubeSecret credentials can be refreshed because the underlying informer watches for secret changes.
func (*KubeSecretProvider) GetCredentials ¶ added in v0.15.12
func (p *KubeSecretProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from Kubernetes secrets. Returns nil if no credentials are found or the listener is not initialized.
func (*KubeSecretProvider) String ¶ added in v0.15.12
func (p *KubeSecretProvider) String() string
type KubeletProvider ¶ added in v0.15.12
type KubeletProvider struct {
// contains filtered or unexported fields
}
KubeletProvider retrieves credentials using Kubernetes credential provider plugins.
func NewKubeletProvider ¶ added in v0.15.12
func NewKubeletProvider(configPath, binDir string) (*KubeletProvider, error)
NewKubeletProvider creates a new auth provider based on kubelet credential provider plugins.
func (*KubeletProvider) CanRenew ¶ added in v0.15.12
func (p *KubeletProvider) CanRenew() bool
CanRenew implements RenewableProvider. Kubelet credentials can be refreshed by re-executing the credential provider plugins.
func (*KubeletProvider) GetCredentials ¶ added in v0.15.12
func (p *KubeletProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials using kubelet credential provider plugins. It first checks the cache using the same cacheKeyType-based lookup as the kubelet (image -> registry -> global). On a cache miss it executes all matching plugins, stores results keyed by cacheKeyType, and returns the most specific match for the requested ref.
func (*KubeletProvider) String ¶ added in v0.15.12
func (p *KubeletProvider) String() string
type LabelsProvider ¶ added in v0.15.12
type LabelsProvider struct{}
LabelsProvider retrieves credentials from snapshot labels.
func NewLabelsProvider ¶ added in v0.15.12
func NewLabelsProvider() *LabelsProvider
NewLabelsProvider creates a new labels-based auth provider.
func (*LabelsProvider) GetCredentials ¶ added in v0.15.12
func (p *LabelsProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error)
GetCredentials retrieves credentials from snapshot labels. Returns nil if labels don't contain valid credentials.
func (*LabelsProvider) String ¶ added in v0.15.12
func (p *LabelsProvider) String() string
type PassKeyChain ¶
PassKeyChain is a username/password-based key chain.
func FromBase64 ¶
func FromBase64(str string) (PassKeyChain, error)
func GetKeyChainByRef ¶ added in v0.3.0
func GetKeyChainByRef(ref string, labels map[string]string) (*PassKeyChain, error)
func GetRegistryKeyChain ¶
func GetRegistryKeyChain(ref string, labels map[string]string) *PassKeyChain
GetRegistryKeyChain retrieves image pull credentials from the first provider that returns a result, checked in priority order:
1. credential renewal store (if enabled)
2. username and secrets labels
3. CRI request
4. docker config
5. kubelet credential helpers
6. k8s docker config secret
When a renewable provider returns credentials and the renewal store is enabled, the credentials are cached for periodic renewal.
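The priority walk described above, as an added example rather than the package's implementation: a labels source and per-host sources (standing in for the docker config and k8s secret providers) are queried in order and the first non-nil keychain wins, so a label-supplied token overrides a host-wide password. The label key names, the hostProvider type and the decision to skip a provider that returns an error are assumptions.

```go
package main

import "strings"

type PassKeyChain struct{ Username, Password string }
// TokenBase: empty username with a non-empty password means Password is a registry token.
func (kc PassKeyChain) TokenBase() bool { return kc.Username == "" && kc.Password != "" }
type AuthRequest struct {
	Ref    string
	Labels map[string]string
}

type AuthProvider interface {
	GetCredentials(req *AuthRequest) (*PassKeyChain, error)
	String() string
}

// labelsProvider reads snapshot labels; the "username"/"secret" key names are assumptions.
type labelsProvider struct{}
func (labelsProvider) String() string { return "labels" }
func (labelsProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error) {
	if s := req.Labels["secret"]; s != "" {
		return &PassKeyChain{Username: req.Labels["username"], Password: s}, nil
	}
	return nil, nil // nothing usable: let the next provider try
}

// hostProvider stands in for a per-registry-host source (docker config, k8s secret).
type hostProvider struct {
	name  string
	creds map[string]PassKeyChain
}
func (p hostProvider) String() string { return p.name }
func (p hostProvider) GetCredentials(req *AuthRequest) (*PassKeyChain, error) {
	if kc, ok := p.creds[strings.SplitN(req.Ref, "/", 2)[0]]; ok { // match on the ref's host
		return &kc, nil
	}
	return nil, nil
}

// resolve returns the first non-nil result and its provider's name; a provider error
// is skipped so a later source can still answer (assumed, not stated in the docs).
func resolve(providers []AuthProvider, req *AuthRequest) (*PassKeyChain, string) {
	for _, p := range providers {
		if kc, err := p.GetCredentials(req); err == nil && kc != nil {
			return kc, p.String()
		}
	}
	return nil, ""
}
```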
func GetStoredCredential ¶ added in v0.15.14
func GetStoredCredential(ref string) *PassKeyChain
GetStoredCredential returns the cached keychain for ref from the global store, or nil if not present or the store is not initialized.
func RenewCredential ¶ added in v0.15.14
func RenewCredential(ref string) *PassKeyChain
RenewCredential fetches fresh credentials for ref from the renewable provider list and caches them in the global store. Returns the keychain on success or nil on failure. Emits renewal metrics.
func (PassKeyChain) Resolve ¶
func (kc PassKeyChain) Resolve(_ authn.Resource) (authn.Authenticator, error)
func (PassKeyChain) ToBase64 ¶
func (kc PassKeyChain) ToBase64() string
func (PassKeyChain) TokenBase ¶
func (kc PassKeyChain) TokenBase() bool
TokenBase reports whether the PassKeyChain is token-based: when the username is empty and the password is not, the password is a registry token.
type RenewableProvider ¶ added in v0.15.12
type RenewableProvider interface {
AuthProvider
// CanRenew reports whether this provider can renew credentials.
CanRenew() bool
}
RenewableProvider extends AuthProvider with credential renewal capability. Providers that can refresh credentials implement this interface.