Documentation
Overview
Package rotators provides credential rotation implementations.
This file contains common AWS functionality shared between different AWS credential rotators. It provides:
1. AWS Client Interfaces and Implementations:
- STSClient for AWS STS API operations
- Concrete implementations with proper AWS SDK integration
2. Credential File Management:
- Parsing and formatting of AWS credentials file
- Handling of temporary credentials and session tokens
3. Common Configuration:
- Default AWS configuration with adaptive retry
- Standard timeouts and delays
- Session name formatting
Index
- Constants
- func GetBSPSecretName(bspName string) string
- func GetExpirationSecretAnnotation(secret *corev1.Secret) (time.Time, error)
- func IsBufferedTimeExpired(buffer time.Duration, expirationTime time.Time) bool
- func LookupSecret(ctx context.Context, k8sClient client.Client, namespace, name string) (*corev1.Secret, error)
- type AWSOIDCRotator
- type Rotator
- func NewAzureTokenRotator(client client.Client, kube kubernetes.Interface, logger logr.Logger, ...) (Rotator, error)
- func NewGCPOIDCTokenRotator(client client.Client, logger logr.Logger, bsp aigv1a1.BackendSecurityPolicy, ...) (Rotator, error)
- func NewGCPTokenRotator(client client.Client, kube kubernetes.Interface, logger logr.Logger, ...) (Rotator, error)
- type STSClient
Constants
const (
	// GCPAccessTokenKey is the key used to store GCP access token in Kubernetes secrets.
	GCPAccessTokenKey     = "gcpAccessToken"
	GCPServiceAccountJSON = "service_account.json"
	GCPProjectNameKey     = "projectName"
	GCPRegionKey          = "region"
)
const (
	// AwsCredentialsKey is the key used to store AWS credentials in Kubernetes secrets.
	AwsCredentialsKey = "credentials"
)
Common constants for AWS operations.
const (
	// AzureAccessTokenKey is the key used to store Azure access token in Kubernetes secrets.
	AzureAccessTokenKey = "azureAccessToken"
)
const ExpirationTimeAnnotationKey = "rotators/expiration-time"
ExpirationTimeAnnotationKey is exported for testing purposes within the controller.
Variables
This section is empty.
Functions
func GetBSPSecretName
func GetBSPSecretName(bspName string) string
GetBSPSecretName returns the bspName with the rotator prefix.
func GetExpirationSecretAnnotation
func GetExpirationSecretAnnotation(secret *corev1.Secret) (time.Time, error)
GetExpirationSecretAnnotation returns the credential expiration time stored in the secret's annotation.
func IsBufferedTimeExpired
func IsBufferedTimeExpired(buffer time.Duration, expirationTime time.Time) bool
IsBufferedTimeExpired checks whether the expiration time minus the buffer duration is before the current time.
Types
type AWSOIDCRotator
type AWSOIDCRotator struct {
// contains filtered or unexported fields
}
AWSOIDCRotator implements the Rotator interface for AWS OIDC token exchange. It manages the lifecycle of temporary AWS credentials obtained through OIDC token exchange with AWS STS.
func NewAWSOIDCRotator
func NewAWSOIDCRotator(
	ctx context.Context,
	client client.Client,
	stsClient STSClient,
	kube kubernetes.Interface,
	logger logr.Logger,
	backendSecurityPolicyNamespace string,
	backendSecurityPolicyName string,
	preRotationWindow time.Duration,
	oidc egv1a1.OIDC,
	roleArn string,
	region string,
) (*AWSOIDCRotator, error)
NewAWSOIDCRotator creates a new AWS OIDC rotator with the specified configuration. It initializes the AWS STS client and sets up the rotation channels.
func (*AWSOIDCRotator) GetPreRotationTime
GetPreRotationTime returns the expiration time minus the preRotation interval, or the zero time value.
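The expiration-annotation, buffered-expiry and pre-rotation logic described for GetExpirationSecretAnnotation, IsBufferedTimeExpired and GetPreRotationTime, as an added stand-alone example (not the package's own code): it reads from a plain annotation map instead of a *corev1.Secret, assumes the annotation value is RFC3339 (the page does not state the stored format), and takes "now" as a parameter so the check is deterministic.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ExpirationTimeAnnotationKey mirrors the annotation key documented for this package.
const ExpirationTimeAnnotationKey = "rotators/expiration-time"

// expirationFromAnnotations mimics GetExpirationSecretAnnotation but reads a plain
// annotation map. The RFC3339 layout is an assumption made for this example.
func expirationFromAnnotations(annotations map[string]string) (time.Time, error) {
	raw, ok := annotations[ExpirationTimeAnnotationKey]
	if !ok {
		return time.Time{}, errors.New("missing " + ExpirationTimeAnnotationKey + " annotation")
	}
	return time.Parse(time.RFC3339, raw)
}

// isBufferedTimeExpired follows the documented rule: rotation is due once
// expiration minus the buffer lies before the current time (injected here).
func isBufferedTimeExpired(buffer time.Duration, expiration, now time.Time) bool {
	return expiration.Add(-buffer).Before(now)
}

// preRotationTime returns expiration minus the pre-rotation window, or the zero
// time when the annotation is absent or unparsable, matching GetPreRotationTime's
// documented contract; a zero time forces an immediate rotation attempt.
func preRotationTime(annotations map[string]string, window time.Duration) time.Time {
	exp, err := expirationFromAnnotations(annotations)
	if err != nil {
		return time.Time{}
	}
	return exp.Add(-window)
}

func main() {
	// Constructed sample: credentials expiring in 10 minutes, rotated 15 minutes early.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ann := map[string]string{ExpirationTimeAnnotationKey: now.Add(10 * time.Minute).Format(time.RFC3339)}
	exp, _ := expirationFromAnnotations(ann)
	fmt.Println("pre-rotation time:", preRotationTime(ann, 15*time.Minute))
	fmt.Println("rotate now?", isBufferedTimeExpired(15*time.Minute, exp, now))
}
```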
type Rotator
type Rotator interface {
	// IsExpired checks if the provider credentials need to be renewed.
	IsExpired(preRotationExpirationTime time.Time) bool
	// GetPreRotationTime gets the time when the credentials need to be renewed.
	GetPreRotationTime(ctx context.Context) (time.Time, error)
	// Rotate will update the credential secret file with new credentials and return expiration time.
	Rotate(ctx context.Context) (time.Time, error)
}
Rotator defines the interface for rotating provider credentials.
func NewAzureTokenRotator (added in v0.2.0)
func NewAzureTokenRotator(
	client client.Client,
	kube kubernetes.Interface,
	logger logr.Logger,
	backendSecurityPolicyNamespace string,
	backendSecurityPolicyName string,
	preRotationWindow time.Duration,
	tokenProvider tokenprovider.TokenProvider,
) (Rotator, error)
NewAzureTokenRotator creates a new azureTokenRotator with the given parameters.
func NewGCPOIDCTokenRotator (added in v0.3.0)
func NewGCPOIDCTokenRotator(
	client client.Client,
	logger logr.Logger,
	bsp aigv1a1.BackendSecurityPolicy,
	preRotationWindow time.Duration,
	tokenProvider tokenprovider.TokenProvider,
) (Rotator, error)
NewGCPOIDCTokenRotator creates a new gcpOIDCTokenRotator with the given parameters.
func NewGCPTokenRotator (added in v0.3.0)
func NewGCPTokenRotator(
	client client.Client,
	kube kubernetes.Interface,
	logger logr.Logger,
	backendSecurityPolicyNamespace string,
	backendSecurityPolicyName string,
	preRotationWindow time.Duration,
	tokenProvider tokenprovider.TokenProvider,
) (Rotator, error)
NewGCPTokenRotator creates a new gcpTokenRotator with the given parameters.
type STSClient
type STSClient interface {
	// AssumeRoleWithWebIdentity exchanges a web identity token for temporary AWS credentials.
	AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
}
STSClient defines the interface for AWS STS operations required by the rotators. This interface encapsulates the STS API operations needed for OIDC token exchange and role assumption.
func NewSTSClient
NewSTSClient creates a new STSClient with the given AWS config. The client is configured with the provided AWS configuration, which should include appropriate credentials and region settings.