Overview

Package rotators provides credential rotation implementations.

This file contains common AWS functionality shared between different AWS credential rotators. It provides:

1. AWS client interfaces and implementations:
   - STSClient for AWS STS API operations
   - Concrete implementations with proper AWS SDK integration
2. Credential file management:
   - Parsing and formatting of the AWS credentials file
   - Handling of temporary credentials and session tokens
3. Common configuration:
   - Default AWS configuration with adaptive retry
   - Standard timeouts and delays
   - Session name formatting
Index
- Constants
- func GetBSPSecretName(bspName string) string
- func GetExpirationSecretAnnotation(secret *corev1.Secret) (time.Time, error)
- func IsBufferedTimeExpired(buffer time.Duration, expirationTime time.Time) bool
- func LookupSecret(ctx context.Context, k8sClient client.Client, namespace, name string) (*corev1.Secret, error)
- type AWSOIDCRotator
- type Rotator
- type STSClient
Constants
const ExpirationTimeAnnotationKey = "rotators/expiration-time"
ExpirationTimeAnnotationKey is exported for testing purposes within the controller.
Variables

This section is empty.

Functions
func GetBSPSecretName

GetBSPSecretName returns bspName with the rotator prefix prepended.
func GetExpirationSecretAnnotation

GetExpirationSecretAnnotation reads the credential expiration time stored in the secret's annotation.
func IsBufferedTimeExpired

IsBufferedTimeExpired reports whether the expiration time minus the buffer duration is before the current time, that is, whether the credentials are already inside the buffer window preceding their expiry.
Types

type AWSOIDCRotator
type AWSOIDCRotator struct {
// contains filtered or unexported fields
}
AWSOIDCRotator implements the Rotator interface for AWS OIDC token exchange. It manages the lifecycle of temporary AWS credentials obtained through OIDC token exchange with AWS STS.
func NewAWSOIDCRotator

func NewAWSOIDCRotator(
	ctx context.Context,
	client client.Client,
	stsClient STSClient,
	kube kubernetes.Interface,
	logger logr.Logger,
	backendSecurityPolicyNamespace string,
	backendSecurityPolicyName string,
	preRotationWindow time.Duration,
	roleArn string,
	region string,
) (*AWSOIDCRotator, error)
NewAWSOIDCRotator creates a new AWS OIDC rotator with the specified configuration. It initializes the AWS STS client and sets up the rotation channels.
func (*AWSOIDCRotator) GetPreRotationTime

GetPreRotationTime returns the expiration time minus the pre-rotation interval, or the zero value of time.Time.
type Rotator

type Rotator interface {
// IsExpired checks whether the provider credentials need to be renewed.
IsExpired(preRotationExpirationTime time.Time) bool
// GetPreRotationTime gets the time when the credentials need to be renewed.
GetPreRotationTime(ctx context.Context) (time.Time, error)
// Rotate will update the credential secret file with new credentials.
Rotate(ctx context.Context, token string) error
}
Rotator defines the interface for rotating provider credentials.

type STSClient
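The following is an added example, not code from the rotators package, showing how the pieces described above fit together: the expiration annotation on the secret, the buffered expiry check behind IsBufferedTimeExpired, a GetPreRotationTime that subtracts the pre-rotation window (zero time.Time when no annotation exists), and a Rotate that exchanges a token and rewrites the credentials file with the session token temporary credentials require. It assumes the annotation value is stored as RFC 3339 and replaces the AWS STS client with a hypothetical TokenExchanger interface so it runs without the AWS SDK or Kubernetes client libraries; MemoryRotator, TempCredentials and fakeExchanger are constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ExpirationTimeAnnotationKey is the key from the package; storing its value
// in RFC 3339 form is an assumption made for this example.
const ExpirationTimeAnnotationKey = "rotators/expiration-time"

// Rotator restates the package's interface.
type Rotator interface {
	IsExpired(preRotationExpirationTime time.Time) bool
	GetPreRotationTime(ctx context.Context) (time.Time, error)
	Rotate(ctx context.Context, token string) error
}

// TempCredentials is a hypothetical stand-in for the STS AssumeRoleWithWebIdentity result.
type TempCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// TokenExchanger is a hypothetical stand-in for STSClient so the example needs no AWS SDK.
type TokenExchanger interface {
	Exchange(ctx context.Context, token string) (TempCredentials, error)
}

// IsBufferedTimeExpired reports whether expiration minus buffer is before now.
func IsBufferedTimeExpired(now time.Time, buffer time.Duration, expiration time.Time) bool {
	return expiration.Add(-buffer).Before(now)
}

// FormatCredentialsFile renders one AWS credentials profile; temporary
// credentials are only usable with their session token, so it is always written.
func FormatCredentialsFile(profile string, c TempCredentials) string {
	return fmt.Sprintf("[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n",
		profile, c.AccessKeyID, c.SecretAccessKey, c.SessionToken)
}

// MemoryRotator keeps the "secret" in memory (annotations plus credentials file) and implements Rotator.
type MemoryRotator struct {
	Now               func() time.Time
	PreRotationWindow time.Duration
	Exchanger         TokenExchanger
	Annotations       map[string]string
	CredentialsFile   string
}

var _ Rotator = (*MemoryRotator)(nil)

// IsExpired treats a zero pre-rotation time (no credentials issued yet) as expired.
func (r *MemoryRotator) IsExpired(preRotationExpirationTime time.Time) bool {
	return preRotationExpirationTime.IsZero() || !r.Now().Before(preRotationExpirationTime)
}

// GetPreRotationTime returns expiration minus the window, or the zero time when the annotation is absent.
func (r *MemoryRotator) GetPreRotationTime(ctx context.Context) (time.Time, error) {
	raw, ok := r.Annotations[ExpirationTimeAnnotationKey]
	if !ok {
		return time.Time{}, nil
	}
	exp, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return time.Time{}, fmt.Errorf("parse %s: %w", ExpirationTimeAnnotationKey, err)
	}
	return exp.Add(-r.PreRotationWindow), nil
}

// Rotate exchanges the web identity token, rewrites the credentials file and records the new expiry.
func (r *MemoryRotator) Rotate(ctx context.Context, token string) error {
	if token == "" {
		return errors.New("empty web identity token")
	}
	creds, err := r.Exchanger.Exchange(ctx, token)
	if err != nil {
		return err
	}
	r.CredentialsFile = FormatCredentialsFile("default", creds)
	r.Annotations[ExpirationTimeAnnotationKey] = creds.Expiration.UTC().Format(time.RFC3339)
	return nil
}

// fakeExchanger issues constructed credentials valid for Lifetime (test double, not STS).
type fakeExchanger struct {
	Now      func() time.Time
	Lifetime time.Duration
}

func (f fakeExchanger) Exchange(ctx context.Context, token string) (TempCredentials, error) {
	return TempCredentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "constructed-secret",
		SessionToken: "constructed-session-token", Expiration: f.Now().Add(f.Lifetime)}, nil
}

// NewExampleRotator wires the pieces together around a fixed clock.
func NewExampleRotator(now time.Time, window, lifetime time.Duration) *MemoryRotator {
	clock := func() time.Time { return now }
	return &MemoryRotator{Now: clock, PreRotationWindow: window,
		Exchanger: fakeExchanger{Now: clock, Lifetime: lifetime}, Annotations: map[string]string{}}
}

func main() {
	ctx := context.Background()
	r := NewExampleRotator(time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 5*time.Minute, time.Hour)
	pre, _ := r.GetPreRotationTime(ctx)
	fmt.Println("rotate before first issue:", r.IsExpired(pre))
	_ = r.Rotate(ctx, "constructed-oidc-token")
	pre, _ = r.GetPreRotationTime(ctx)
	fmt.Println("pre-rotation time:", pre, "expired now:", r.IsExpired(pre))
	fmt.Print(r.CredentialsFile)
}
```

A controller loop built on this contract would call GetPreRotationTime after each reconcile and requeue at that instant, so rotation happens inside the window rather than after the credentials have already stopped working.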
type STSClient interface {
// AssumeRoleWithWebIdentity exchanges a web identity token for temporary AWS credentials.
AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
}
STSClient defines the interface for AWS STS operations required by the rotators. This interface encapsulates the STS API operations needed for OIDC token exchange and role assumption.
func NewSTSClient
NewSTSClient creates a new STSClient with the given AWS config. The client is configured with the provided AWS configuration, which should include appropriate credentials and region settings.