Documentation
Overview
auth is a package for handling secret-less authentication with cloud providers.
Index
- type ArtifactRegistryCredentials
- type Option
- func WithArtifactRepository(artifactRepository string) Option
- func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option
- func WithProxyURL(proxyURL url.URL) Option
- func WithSTSEndpoint(stsEndpoint string) Option
- func WithScopes(scopes ...string) Option
- func WithServiceAccount(saRef client.ObjectKey, client client.Client) Option
- type Options
- type Provider
- type Token
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ArtifactRegistryCredentials
ArtifactRegistryCredentials is a particular type implementing the Token interface for credentials that can be used to authenticate with an artifact registry from a cloud provider. This type is compatible with all the cloud providers and should be returned when the artifact repository is configured in the options.
func (*ArtifactRegistryCredentials) GetDuration
func (a *ArtifactRegistryCredentials) GetDuration() time.Duration
type Option
type Option func(*Options)
Option is a functional option for the auth package.
func WithArtifactRepository
func WithArtifactRepository(artifactRepository string) Option
WithArtifactRepository sets the artifact repository the token will be used for. In most cases artifact registry credentials require an additional token exchange at the end. This option allows the library to implement this exchange and cache the final token.
func WithCache
func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option
WithCache sets the token cache and the involved object for recording events.
func WithProxyURL
func WithProxyURL(proxyURL url.URL) Option
WithProxyURL sets a *url.URL for an HTTP/S proxy for acquiring the token.
func WithSTSEndpoint
func WithSTSEndpoint(stsEndpoint string) Option
WithSTSEndpoint sets the endpoint for the STS service.
func WithScopes
func WithScopes(scopes ...string) Option
WithScopes sets the scopes for the token.
type Options
type Options struct {
	Client             client.Client
	Cache              *cache.TokenCache
	ServiceAccount     *client.ObjectKey
	InvolvedObject     cache.InvolvedObject
	Scopes             []string
	ArtifactRepository string
	STSEndpoint        string
	ProxyURL           *url.URL
}
Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.
func (*Options) GetHTTPClient
GetHTTPClient returns a *http.Client with the configured proxy URL or nil if no proxy URL is set.
type Provider
type Provider interface {
	// GetName returns the name of the provider.
	GetName() string
	// NewDefaultToken returns a token that can be used to authenticate with the
	// cloud provider retrieved from the default source, i.e. from the pod's
	// environment, e.g. files mounted in the pod, environment variables,
	// local metadata services, etc. In this case the method would implicitly
	// use the ServiceAccount associated with the controller pod, and not one
	// specified in the options.
	NewDefaultToken(ctx context.Context, opts ...Option) (Token, error)
	// GetAudience returns the audience the OIDC tokens issued representing
	// ServiceAccounts should have. This is usually a string that represents
	// the cloud provider's STS service, or some entity in the provider for
	// which the OIDC tokens are targeted to.
	GetAudience(ctx context.Context) (string, error)
	// GetIdentity takes a ServiceAccount and returns the identity which the
	// ServiceAccount wants to impersonate, by looking at annotations.
	GetIdentity(serviceAccount corev1.ServiceAccount) (string, error)
	// NewTokenForServiceAccount takes a ServiceAccount and its OIDC token and
	// returns a token that can be used to authenticate with the cloud provider.
	// The OIDC token is the JWT token that was issued for the ServiceAccount by
	// the Kubernetes API. The implementation should exchange this token for a
	// cloud provider access token through the provider's STS service.
	NewTokenForServiceAccount(ctx context.Context, oidcToken string,
		serviceAccount corev1.ServiceAccount, opts ...Option) (Token, error)
	// GetArtifactCacheKey extracts the part of the artifact repository that must be
	// included in cache keys when caching registry credentials for the provider.
	GetArtifactCacheKey(artifactRepository string) string
	// NewArtifactRegistryToken takes an artifact repository and an access token and returns a token
	// that can be used to authenticate with the artifact registry of the artifact.
	NewArtifactRegistryToken(ctx context.Context, artifactRepository string,
		accessToken Token, opts ...Option) (Token, error)
}
Provider contains the logic to retrieve an access token for a cloud provider from a ServiceAccount (OIDC/JWT) token.
type Token
type Token interface {
	// GetDuration returns the duration for which the token will still be valid
	// relative to approximately time.Now(). This is used to determine when the token should
	// be refreshed.
	GetDuration() time.Duration
}
Token is an interface that represents an access token that can be used to authenticate requests for a cloud provider. The only common method is for getting the duration of the token, because different providers have different ways of representing the token. For example, Azure and GCP use a single string, while AWS uses three strings: access key ID, secret access key and session token. Consumers of this interface should know what type to cast it to.
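An added example (not the package's own code) of how a consumer acts on the Token interface described above: it refreshes early by a safety margin because GetDuration is only approximate, and it recovers the provider-specific strings with a checked type switch instead of an unchecked cast. The two token types are constructed stand-ins for the Azure/GCP and AWS shapes, not the package's real types.

```go
package main

import (
	"fmt"
	"time"
)

// Token mirrors the interface documented on this page.
type Token interface{ GetDuration() time.Duration }

// singleStringToken is a constructed stand-in for the Azure/GCP token shape.
type singleStringToken struct {
	Value     string
	ExpiresAt time.Time
}
func (t singleStringToken) GetDuration() time.Duration { return time.Until(t.ExpiresAt) }

// awsCredentials is a constructed stand-in for the AWS three-string shape.
type awsCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	ExpiresAt                                  time.Time
}
func (c awsCredentials) GetDuration() time.Duration { return time.Until(c.ExpiresAt) }

// NeedsRefresh reports whether a cached token should be re-acquired. GetDuration
// is only approximate relative to time.Now(), so refresh early by a safety margin
// instead of waiting for zero; already-expired tokens (<= 0) also qualify.
func NeedsRefresh(tok Token, margin time.Duration) bool {
	return tok.GetDuration() <= margin
}

// CredentialParts returns the strings a consumer hands to the provider SDK:
// one for single-string providers, three for AWS. The default case turns an
// unexpected token type into an error rather than a panic or an empty credential.
func CredentialParts(tok Token) ([]string, error) {
	switch t := tok.(type) {
	case singleStringToken:
		return []string{t.Value}, nil
	case awsCredentials:
		return []string{t.AccessKeyID, t.SecretAccessKey, t.SessionToken}, nil
	default:
		return nil, fmt.Errorf("unsupported token type %T", tok)
	}
}

func main() {
	tok := singleStringToken{Value: "constructed", ExpiresAt: time.Now().Add(2 * time.Minute)}
	fmt.Println("refresh now:", NeedsRefresh(tok, 5*time.Minute)) // inside the margin: true
}
```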