auth

package module
v0.33.0
This package is not in the latest version of its module.
Published: Nov 18, 2025 License: Apache-2.0 Imports: 16 Imported by: 9

Documentation

Overview

auth is a package for handling secret-less authentication with cloud providers.

Constants

const (
	// ControllerFlagDefaultServiceAccount defines the flag for the default service account name
	// to be used when .spec.serviceAccountName is not specified in the object.
	ControllerFlagDefaultServiceAccount = "default-service-account"

	// ControllerFlagDefaultKubeConfigServiceAccount defines the flag for the default
	// service account name to be used when .data.serviceAccountName is not specified
	// in the ConfigMap referenced by .spec.kubeConfig.configMapRef.
	ControllerFlagDefaultKubeConfigServiceAccount = "default-kubeconfig-service-account"

	// ControllerFlagDefaultDecryptionServiceAccount defines the flag for the default
	// service account name to be used when .spec.decryption.serviceAccountName is
	// not specified in the object.
	ControllerFlagDefaultDecryptionServiceAccount = "default-decryption-service-account"
)
const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

FeatureGateObjectLevelWorkloadIdentity is a feature gate that enables the use of object-level workload identity for authentication.

Variables

var ErrDefaultServiceAccountNotFound = fmt.Errorf("the specified default service account does not exist in the object namespace. your cluster is subject to multi-tenant workload identity lockdown, reach out to your cluster administrator for help")

ErrDefaultServiceAccountNotFound is returned when a default service account configured by the operator is not found in the user's namespace.

var ErrInconsistentObjectLevelConfiguration = fmt.Errorf(
	"cannot set default service accounts when the feature gate %s is not enabled",
	FeatureGateObjectLevelWorkloadIdentity)

ErrInconsistentObjectLevelConfiguration is used when the controller has an inconsistent object-level workload identity configuration.

var ErrObjectLevelWorkloadIdentityNotEnabled = fmt.Errorf(
	"%s feature gate is not enabled", FeatureGateObjectLevelWorkloadIdentity)

ErrObjectLevelWorkloadIdentityNotEnabled is returned when object-level workload identity is attempted but not enabled.

Functions

func DisableObjectLevelWorkloadIdentity added in v0.26.0

func DisableObjectLevelWorkloadIdentity()

DisableObjectLevelWorkloadIdentity disables the use of object-level workload identity for authentication.

func EnableObjectLevelWorkloadIdentity added in v0.13.0

func EnableObjectLevelWorkloadIdentity()

EnableObjectLevelWorkloadIdentity enables the use of object-level workload identity for authentication.

func GetDefaultDecryptionServiceAccount added in v0.25.0

func GetDefaultDecryptionServiceAccount() string

GetDefaultDecryptionServiceAccount returns the default decryption service account name.

func GetDefaultKubeConfigServiceAccount added in v0.25.0

func GetDefaultKubeConfigServiceAccount() string

GetDefaultKubeConfigServiceAccount returns the default kubeconfig service account name.

func GetDefaultServiceAccount added in v0.25.0

func GetDefaultServiceAccount() string

GetDefaultServiceAccount returns the default service account name for workload identity.

func GetRegistryFromArtifactRepository added in v0.12.0

func GetRegistryFromArtifactRepository(artifactRepository string) (string, error)

GetRegistryFromArtifactRepository returns the registry from the artifact repository.

func InconsistentObjectLevelConfiguration added in v0.27.0

func InconsistentObjectLevelConfiguration() bool

InconsistentObjectLevelConfiguration checks if the controller's object-level workload identity configuration is inconsistent.

func IsObjectLevelWorkloadIdentityEnabled added in v0.13.0

func IsObjectLevelWorkloadIdentityEnabled() bool

IsObjectLevelWorkloadIdentityEnabled returns true if the object-level workload identity feature gate is enabled.

func ParseClusterAddress added in v0.21.0

func ParseClusterAddress(address string) (string, error)

ParseClusterAddress parses the given cluster address and returns the canonical form https://<lowercase(host)>:<port>.

func SetDefaultDecryptionServiceAccount added in v0.25.0

func SetDefaultDecryptionServiceAccount(sa string)

SetDefaultDecryptionServiceAccount sets the default decryption service account name.

func SetDefaultKubeConfigServiceAccount added in v0.25.0

func SetDefaultKubeConfigServiceAccount(sa string)

SetDefaultKubeConfigServiceAccount sets the default kubeconfig service account name.

func SetDefaultServiceAccount added in v0.25.0

func SetDefaultServiceAccount(sa string)

SetDefaultServiceAccount sets the default service account name for workload identity.

func SetFeatureGates added in v0.13.0

func SetFeatureGates(features map[string]bool)

SetFeatureGates sets the default values for the feature gates.
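The following is an added example, not code from the fluxcd/pkg auth package, showing how the feature gate, the operator-set default service account and the three errors above combine when a controller decides which identity to use for an object. ControllerConfig, ResolveServiceAccount and the saExists lookup are assumptions of this example that model the documented behaviour; the real package keeps this state in package-level variables set through SetFeatureGates and SetDefaultServiceAccount, and looks the ServiceAccount up with the controller-runtime client.

```go
package main

import (
	"errors"
	"fmt"
)

// FeatureGateObjectLevelWorkloadIdentity is the feature gate name documented above.
const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

// Sentinel errors carrying the documented messages (the first one abridged).
var (
	ErrObjectLevelWorkloadIdentityNotEnabled = fmt.Errorf(
		"%s feature gate is not enabled", FeatureGateObjectLevelWorkloadIdentity)
	ErrInconsistentObjectLevelConfiguration = fmt.Errorf(
		"cannot set default service accounts when the feature gate %s is not enabled",
		FeatureGateObjectLevelWorkloadIdentity)
	ErrDefaultServiceAccountNotFound = errors.New(
		"the specified default service account does not exist in the object namespace")
)

// ControllerConfig models (assumption of this example) the controller-wide state
// the package keeps in package-level variables: the feature gates and the
// default service account the operator sets via the flag named by
// ControllerFlagDefaultServiceAccount.
type ControllerConfig struct {
	FeatureGates          map[string]bool
	DefaultServiceAccount string
}

func (c ControllerConfig) ObjectLevelEnabled() bool {
	return c.FeatureGates[FeatureGateObjectLevelWorkloadIdentity]
}

// Inconsistent reports the misconfiguration the package rejects: a default
// service account configured while the feature gate is off.
func (c ControllerConfig) Inconsistent() bool {
	return c.DefaultServiceAccount != "" && !c.ObjectLevelEnabled()
}

// ResolveServiceAccount decides which Kubernetes ServiceAccount an object in
// namespace should impersonate. specServiceAccountName is the object's
// .spec.serviceAccountName ("" when unset); saExists stands in for a client
// Get of the ServiceAccount. An empty returned name means the controller's
// own identity is used.
func (c ControllerConfig) ResolveServiceAccount(namespace, specServiceAccountName string,
	saExists func(namespace, name string) bool) (string, error) {
	if c.Inconsistent() {
		return "", ErrInconsistentObjectLevelConfiguration
	}
	name := specServiceAccountName
	if name == "" {
		name = c.DefaultServiceAccount
	}
	if name == "" {
		return "", nil
	}
	if !c.ObjectLevelEnabled() {
		return "", ErrObjectLevelWorkloadIdentityNotEnabled
	}
	if !saExists(namespace, name) {
		// Multi-tenant lockdown: when the operator has chosen a default, an
		// object that names no ServiceAccount fails closed instead of falling
		// back to the controller's (usually far more privileged) identity.
		if specServiceAccountName == "" {
			return "", ErrDefaultServiceAccountNotFound
		}
		return "", fmt.Errorf("service account %s/%s not found", namespace, name)
	}
	return name, nil
}

func main() {
	cfg := ControllerConfig{
		FeatureGates:          map[string]bool{FeatureGateObjectLevelWorkloadIdentity: true},
		DefaultServiceAccount: "flux-workload-identity",
	}
	// Constructed cluster state: only tenant-a has the default ServiceAccount.
	exists := func(ns, name string) bool { return ns == "tenant-a" && name == "flux-workload-identity" }
	for _, ns := range []string{"tenant-a", "tenant-b"} {
		name, err := cfg.ResolveServiceAccount(ns, "", exists)
		fmt.Printf("%s: serviceAccount=%q err=%v\n", ns, name, err)
	}
}
```

The fail-closed branch is the point of the default-service-account flags: once the operator has configured a default, an object that does not name a ServiceAccount is never allowed to fall back to the controller's own credentials, which is the multi-tenant workload identity lockdown that the ErrDefaultServiceAccountNotFound message refers to.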

Types

type ArtifactRegistryCredentials

type ArtifactRegistryCredentials struct {
	authn.Authenticator
	ExpiresAt time.Time
}

ArtifactRegistryCredentials is a particular type implementing the Token interface for credentials that can be used to authenticate against an artifact registry from a cloud provider.

func GetArtifactRegistryCredentials added in v0.21.0

func GetArtifactRegistryCredentials(ctx context.Context, provider ArtifactRegistryCredentialsProvider,
	artifactRepository string, opts ...Option) (*ArtifactRegistryCredentials, error)

GetArtifactRegistryCredentials retrieves the registry credentials for the specified artifact repository and provider.

func (*ArtifactRegistryCredentials) GetDuration

func (a *ArtifactRegistryCredentials) GetDuration() time.Duration

GetDuration implements Token.

type ArtifactRegistryCredentialsProvider added in v0.21.0

type ArtifactRegistryCredentialsProvider interface {
	Provider

	// GetAccessTokenOptionsForArtifactRepository returns the options that must be
	// passed to the provider to retrieve access tokens for an artifact repository.
	GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]Option, error)

	// ParseArtifactRepository parses the artifact repository to verify
	// it's a valid repository for the provider. As a result, it returns
	// the input required for the provider to issue registry credentials.
	// This input is included in the cache key for the issued credentials.
	ParseArtifactRepository(artifactRepository string) (string, error)

	// NewArtifactRegistryCredentials takes the registry input extracted by
	// ParseArtifactRepository() and an access token and returns credentials
	// that can be used to authenticate with the registry.
	NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
		accessToken Token, opts ...Option) (*ArtifactRegistryCredentials, error)
}

ArtifactRegistryCredentialsProvider is an interface that defines methods for retrieving credentials for artifact registries from cloud providers.

type Option

type Option func(*Options)

Option is a functional option for the auth package.

func WithAllowShellOut added in v0.17.0

func WithAllowShellOut() Option

WithAllowShellOut allows the provider to shell out to binary tools for acquiring controller tokens. MUST be used only by the Flux CLI, i.e. in the github.com/fluxcd/flux2 Git repository.

func WithAudiences added in v0.21.0

func WithAudiences(audiences ...string) Option

WithAudiences sets the audiences for the Kubernetes ServiceAccount token.

func WithCAData added in v0.21.0

func WithCAData(caData string) Option

WithCAData sets the CA data for credentials that require a CA, e.g. for Kubernetes REST config.

func WithCache

func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option

WithCache sets the token cache and the involved object for recording events.

func WithClient added in v0.21.0

func WithClient(client client.Client) Option

WithClient sets the controller-runtime client for the provider.

func WithClusterAddress added in v0.21.0

func WithClusterAddress(clusterAddress string) Option

WithClusterAddress sets the cluster address for creating a REST config. When the provider returns a list of endpoints, the address selects the endpoint and CA data to use; when the provider returns a single endpoint, the address is validated against the cluster resource. The option is optional: providers that return a list of endpoints select the first one when no address is given.

func WithClusterResource added in v0.21.0

func WithClusterResource(clusterResource string) Option

WithClusterResource sets the cluster resource for creating a REST config. Must be the fully qualified name of the cluster resource in the cloud provider API.

func WithProxyURL

func WithProxyURL(proxyURL url.URL) Option

WithProxyURL sets a *url.URL for an HTTP/S proxy for acquiring the token.

func WithSTSEndpoint

func WithSTSEndpoint(stsEndpoint string) Option

WithSTSEndpoint sets the endpoint for the STS service.

func WithSTSRegion added in v0.12.0

func WithSTSRegion(stsRegion string) Option

WithSTSRegion sets the region for the STS service (some cloud providers require a region, e.g. AWS).

func WithScopes

func WithScopes(scopes ...string) Option

WithScopes sets the scopes for the token.

func WithServiceAccountName added in v0.25.0

func WithServiceAccountName(name string) Option

WithServiceAccountName sets the ServiceAccount name for the token.

func WithServiceAccountNamespace added in v0.25.0

func WithServiceAccountNamespace(namespace string) Option

WithServiceAccountNamespace sets the ServiceAccount namespace for the token.

type Options

type Options struct {
	Client                  client.Client
	Cache                   *cache.TokenCache
	ServiceAccountName      string
	ServiceAccountNamespace string
	InvolvedObject          cache.InvolvedObject
	Audiences               []string
	Scopes                  []string
	STSRegion               string
	STSEndpoint             string
	ProxyURL                *url.URL
	CAData                  string
	ClusterResource         string
	ClusterAddress          string
	AllowShellOut           bool
}

Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.

func (*Options) Apply

func (o *Options) Apply(opts ...Option)

Apply applies the given slice of Option(s) to the Options struct.

func (*Options) GetHTTPClient

func (o *Options) GetHTTPClient() *http.Client

GetHTTPClient returns a *http.Client with appropriate timeouts and proxy settings. The client includes a 10-second timeout to prevent indefinite hangs during token acquisition.

func (*Options) ShouldGetServiceAccountToken added in v0.25.0

func (o *Options) ShouldGetServiceAccountToken() bool

ShouldGetServiceAccountToken returns true if ServiceAccount token should be retrieved.

type Provider

type Provider interface {
	// GetName returns the name of the cloud provider.
	GetName() string

	// NewControllerToken returns a token that can be used to authenticate
	// with the cloud provider retrieved from the default source, i.e. from
	// the environment of the controller pod, e.g. files mounted in the pod,
	// environment variables, local metadata services, etc.
	NewControllerToken(ctx context.Context, opts ...Option) (Token, error)

	// GetAudiences returns the audiences the OIDC tokens issued representing
	// ServiceAccounts should have. These are usually strings that represent
	// the cloud provider's STS service, or some entity in the provider for
	// which the OIDC tokens are targeted to.
	GetAudiences(ctx context.Context, serviceAccount corev1.ServiceAccount) ([]string, error)

	// GetIdentity takes a ServiceAccount and returns the identity which the
	// ServiceAccount wants to impersonate, by looking at annotations.
	GetIdentity(serviceAccount corev1.ServiceAccount) (string, error)

	// NewTokenForServiceAccount takes a ServiceAccount and its OIDC token and
	// returns a token that can be used to authenticate with the cloud provider.
	// The OIDC token is the JWT that was issued for the ServiceAccount by the
	// Kubernetes API. The implementation should exchange this token for a
	// cloud provider access token through the provider's STS service.
	NewTokenForServiceAccount(ctx context.Context, oidcToken string,
		serviceAccount corev1.ServiceAccount, opts ...Option) (Token, error)
}

Provider contains the logic to retrieve security credentials for accessing resources in a cloud provider.
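An added example (not the package's code, and not any real provider's) of the exchange the Provider methods describe: the cluster issues an audience-bound ServiceAccount token, the provider presents it to the cloud STS, and the STS verifies it and returns a cloud token for the identity named in the ServiceAccount annotation. Everything here is constructed: ServiceAccount stands in for corev1.ServiceAccount, ClusterIssuer for the API server's TokenRequest endpoint, FakeProvider for both the provider and an in-process STS, the annotation key cloud.example/identity and the audience sts.example.cloud are invented, and EdDSA under a pinned key replaces the RSA keys a real STS fetches from the cluster's OIDC discovery endpoint.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// ServiceAccount is a constructed stand-in for corev1.ServiceAccount.
type ServiceAccount struct {
	Name, Namespace string
	Annotations     map[string]string
}

// claims is the subset of projected ServiceAccount token claims the STS checks.
type claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// CloudToken is what the provider hands back after a successful exchange.
type CloudToken struct{ Identity string; ExpiresAt time.Time }
var b64 = base64.RawURLEncoding

func subject(sa ServiceAccount) string { return "system:serviceaccount:" + sa.Namespace + ":" + sa.Name }

// ClusterIssuer plays the API server's TokenRequest endpoint: it mints an
// EdDSA-signed JWT for a ServiceAccount, bound to the requested audiences.
type ClusterIssuer struct{ Issuer string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewClusterIssuer(issuer string) *ClusterIssuer {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &ClusterIssuer{Issuer: issuer, Pub: pub, priv: priv}
}

func (c *ClusterIssuer) IssueToken(sa ServiceAccount, aud []string, ttl time.Duration, now time.Time) string {
	payload, _ := json.Marshal(claims{Iss: c.Issuer, Sub: subject(sa), Aud: aud, Exp: now.Add(ttl).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(c.priv, []byte(input)))
}

// FakeProvider models the Provider methods that take part in the exchange
// together with the cloud STS that a real provider calls over the network.
type FakeProvider struct {
	Audience      string            // audience the STS expects in the SA token
	AnnotationKey string            // SA annotation naming the identity to impersonate
	TrustedIssuer string            // cluster OIDC issuer the STS trusts
	TrustedKey    ed25519.PublicKey // cluster key (a real STS fetches it via OIDC discovery)
	Trust         map[string]string // federation policy: token subject -> identity it may assume
}

func (p *FakeProvider) GetAudiences(ServiceAccount) []string { return []string{p.Audience} }

// verify is the STS side: signature first (only EdDSA under the pinned cluster
// key is ever tried, so the header's alg cannot steer it), then the claims.
func (p *FakeProvider) verify(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !ed25519.Verify(p.TrustedKey, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed JWT payload")
	}
	if c.Iss != p.TrustedIssuer || now.Unix() >= c.Exp || !slices.Contains(c.Aud, p.Audience) {
		return nil, fmt.Errorf("rejected claims: iss=%q exp=%d aud=%v", c.Iss, c.Exp, c.Aud)
	}
	return &c, nil
}

// NewTokenForServiceAccount exchanges the SA token for a cloud token, as the
// Provider method of the same name does, but against the in-process STS.
func (p *FakeProvider) NewTokenForServiceAccount(oidcToken string, sa ServiceAccount, now time.Time) (*CloudToken, error) {
	identity := sa.Annotations[p.AnnotationKey] // what Provider.GetIdentity reads
	if identity == "" {
		return nil, fmt.Errorf("%s lacks annotation %s", subject(sa), p.AnnotationKey)
	}
	c, err := p.verify(oidcToken, now)
	if err != nil {
		return nil, err
	}
	// The annotation only says which identity the SA wants; the token must be
	// for this very SA, and the cloud-side policy decides whether it gets it.
	if c.Sub != subject(sa) || p.Trust[c.Sub] != identity {
		return nil, fmt.Errorf("subject %q may not assume %q", c.Sub, identity)
	}
	return &CloudToken{Identity: identity, ExpiresAt: time.Unix(c.Exp, 0)}, nil
}

func main() {
	issuer := NewClusterIssuer("https://kubernetes.default.svc.cluster.local")
	sa := ServiceAccount{Name: "flux-wi", Namespace: "tenant-a", Annotations: map[string]string{"cloud.example/identity": "role-tenant-a"}}
	p := &FakeProvider{Audience: "sts.example.cloud", AnnotationKey: "cloud.example/identity", TrustedIssuer: issuer.Issuer, TrustedKey: issuer.Pub, Trust: map[string]string{subject(sa): "role-tenant-a"}}
	fmt.Println(p.NewTokenForServiceAccount(issuer.IssueToken(sa, p.GetAudiences(sa), time.Hour, time.Now()), sa, time.Now()))
}
```

Two checks in NewTokenForServiceAccount carry the multi-tenant argument: the token's subject must be the ServiceAccount the object named, so a token minted for tenant-b cannot be replayed against tenant-a's object, and the annotation is only a request; the cloud-side federation policy (Trust here) decides whether that subject may assume the identity. The audience check is what stops a token requested for the API server itself from being accepted by the STS.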

type RESTConfig added in v0.21.0

type RESTConfig struct {
	Host        string
	BearerToken string
	CAData      []byte
	ExpiresAt   time.Time
}

RESTConfig is a particular type implementing the Token interface for Kubernetes REST configurations.

func GetRESTConfig added in v0.21.0

func GetRESTConfig(ctx context.Context, provider RESTConfigProvider, opts ...Option) (*RESTConfig, error)

GetRESTConfig retrieves the authentication and connection details to a remote Kubernetes cluster for the given provider, cluster resource name and options.

func (*RESTConfig) GetDuration added in v0.21.0

func (r *RESTConfig) GetDuration() time.Duration

GetDuration implements Token.

type RESTConfigProvider added in v0.21.0

type RESTConfigProvider interface {
	Provider

	// GetAccessTokenOptionsForCluster returns the options that must be
	// passed to the provider to retrieve access tokens for a cluster.
	// More than one access token may be required depending on the
	// provider, with different options (e.g. scope). Hence the return
	// type is a slice of []Option.
	GetAccessTokenOptionsForCluster(opts ...Option) ([][]Option, error)

	// NewRESTConfig returns a new RESTConfig that can be used to authenticate
	// with the Kubernetes API server. The access tokens are used for looking
	// up connection details like the API server address and CA certificate
	// data, and for accessing the cluster API server itself via the IAM
	// system of the cloud provider. Whether a single token or several are
	// needed depends on the provider.
	NewRESTConfig(ctx context.Context, accessTokens []Token, opts ...Option) (*RESTConfig, error)
}

RESTConfigProvider is an interface that defines methods for retrieving REST configurations for Kubernetes clusters from cloud providers.

type Token

type Token interface {
	// GetDuration returns the duration for which the token will still be valid
	// relative to approximately time.Now(). This is used to determine when the
	// token should be renewed.
	GetDuration() time.Duration
}

Token is an interface that represents an access token that can be used to authenticate requests for a cloud provider. The only common method is for getting the duration of the token, because different providers have different ways of representing the token. For example, Azure and GCP use a single string, while AWS uses three strings: access key ID, secret access key and session token. Consumers of this interface should know what type to cast it to.

func GetAccessToken added in v0.21.0

func GetAccessToken(ctx context.Context, provider Provider, opts ...Option) (Token, error)

GetAccessToken returns an access token for accessing resources in the given cloud provider.
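An added example, not the package's own code, of what a consumer of Token does with GetDuration: two constructed concrete tokens in the shapes described above (a single bearer string and AWS's three strings), a renewal rule with a safety margin, a small per-key cache that goes back to the provider once a token is within the margin, and a type switch that turns the opaque Token into the concrete credentials a child process reads. Renewer, NeedsRenewal, CredentialEnv and the CLOUD_ACCESS_TOKEN variable name are assumptions of this example; the AWS_* names are the variables the AWS SDKs read.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Token mirrors the package interface: GetDuration is the only common method.
type Token interface {
	GetDuration() time.Duration
}

// BearerToken is a constructed single-string token (the Azure/GCP shape).
type BearerToken struct {
	Value     string
	ExpiresAt time.Time
}

func (t *BearerToken) GetDuration() time.Duration { return time.Until(t.ExpiresAt) }

// AWSCredentials is a constructed three-string token (the AWS shape).
type AWSCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	ExpiresAt                                  time.Time
}

func (t *AWSCredentials) GetDuration() time.Duration { return time.Until(t.ExpiresAt) }

// NeedsRenewal reports whether the token has margin or less of life left.
// Renewing early keeps requests already in flight from racing the expiry.
func NeedsRenewal(tok Token, margin time.Duration) bool { return tok.GetDuration() <= margin }

// Renewer keeps one Token per cache key and goes back to the provider when the
// cached token needs renewal. Callers are serialized so that concurrent
// reconciles of the same object share one fetch instead of each doing one.
type Renewer struct {
	Margin  time.Duration                   // renew when remaining life <= Margin
	Fetch   func(key string) (Token, error) // the provider round-trip
	Fetches int                             // round-trips made, for observability
	mu      sync.Mutex
	tokens  map[string]Token
}

func (r *Renewer) Get(key string) (Token, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if tok, ok := r.tokens[key]; ok && !NeedsRenewal(tok, r.Margin) {
		return tok, nil
	}
	tok, err := r.Fetch(key)
	if err != nil {
		return nil, err
	}
	r.Fetches++
	if r.tokens == nil {
		r.tokens = map[string]Token{}
	}
	// A token the provider returned already inside the margin is handed out
	// once but not cached, so the next caller fetches a fresh one.
	if NeedsRenewal(tok, r.Margin) {
		delete(r.tokens, key)
	} else {
		r.tokens[key] = tok
	}
	return tok, nil
}

// CredentialEnv turns a Token into the environment variables a child process
// reads. The caller has to know the concrete types, as the Token doc says.
func CredentialEnv(tok Token) (map[string]string, error) {
	switch t := tok.(type) {
	case *BearerToken:
		return map[string]string{"CLOUD_ACCESS_TOKEN": t.Value}, nil // hypothetical variable name
	case *AWSCredentials:
		return map[string]string{
			"AWS_ACCESS_KEY_ID":     t.AccessKeyID,
			"AWS_SECRET_ACCESS_KEY": t.SecretAccessKey,
			"AWS_SESSION_TOKEN":     t.SessionToken,
		}, nil
	default:
		return nil, fmt.Errorf("unsupported token type %T", tok)
	}
}

func main() {
	r := &Renewer{Margin: time.Minute, Fetch: func(string) (Token, error) {
		return &BearerToken{Value: "constructed", ExpiresAt: time.Now().Add(time.Hour)}, nil
	}}
	tok, _ := r.Get("gcp/tenant-a")
	fmt.Println(NeedsRenewal(tok, time.Minute), r.Fetches)
}
```

Note that nothing here logs a token value: the only observable state is the count of provider round-trips, which is also the number a practitioner wants on a dashboard to spot a cache that has stopped working.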

Directories

Path Synopsis
utils Package utils contains small utility functions without much logic wrapping the major APIs of the core auth package for ease of use in the controllers.
