Documentation
Overview
Package auth handles secret-less authentication with cloud providers: instead of static credentials, it obtains tokens from the controller's own environment or exchanges Kubernetes ServiceAccount OIDC tokens for cloud provider access tokens and artifact registry credentials.
Index
- func GetRegistryFromArtifactRepository(artifactRepository string) (string, error)
- type ArtifactRegistryCredentials
- type Option
- func WithArtifactRepository(artifactRepository string) Option
- func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option
- func WithProxyURL(proxyURL url.URL) Option
- func WithSTSEndpoint(stsEndpoint string) Option
- func WithSTSRegion(stsRegion string) Option
- func WithScopes(scopes ...string) Option
- func WithServiceAccount(saRef client.ObjectKey, client client.Client) Option
- type Options
- type Provider
- type Token
Functions
func GetRegistryFromArtifactRepository added in v0.12.0
func GetRegistryFromArtifactRepository(artifactRepository string) (string, error)
GetRegistryFromArtifactRepository returns the registry host from an artifact repository reference (an oci:// URL or a plain image reference), i.e. the part a provider needs in order to decide whether it can issue credentials for that repository.
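The following is an added, stand-alone illustration of what such a registry extraction has to handle; it is not the library's own implementation. It assumes the Docker reference convention (a first path component is a registry host only if it contains a dot or a port, or is "localhost"; otherwise the reference lives on index.docker.io) and, as a further assumption, treats an input without any path as a bare registry host. The constant and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dockerHubRegistry is the registry implied by references without a host
// (assumption of this example, matching the Docker reference convention).
const dockerHubRegistry = "index.docker.io"

// registryFromArtifactRepository is an illustrative reimplementation, not the
// library's own code. It strips the oci:// scheme Flux uses for OCI
// repositories and returns only the registry host (with port, if any); paths,
// tags and digests are discarded. The host is what a provider matches against
// its registry patterns and what ends up in the credential cache key.
func registryFromArtifactRepository(artifactRepository string) (string, error) {
	ref := strings.TrimSpace(artifactRepository)
	if ref == "" {
		return "", errors.New("empty artifact repository")
	}
	if strings.Contains(ref, "://") && !strings.HasPrefix(ref, "oci://") {
		return "", fmt.Errorf("unsupported scheme in %q: expected oci:// or no scheme", artifactRepository)
	}
	ref = strings.TrimPrefix(ref, "oci://")

	host, _, hasPath := strings.Cut(ref, "/")
	if host == "" {
		return "", fmt.Errorf("missing registry host in %q", artifactRepository)
	}
	if strings.ContainsAny(host, "@ \t") {
		return "", fmt.Errorf("invalid registry host %q", host)
	}
	if !hasPath {
		// No path at all: the caller passed a bare registry host (assumption).
		return strings.ToLower(host), nil
	}
	// Docker's rule: the first path component is a registry only if it looks
	// like one; "fluxcd/flux2" is a Docker Hub repository, not a host.
	if strings.ContainsAny(host, ".:") || host == "localhost" {
		return strings.ToLower(host), nil
	}
	return dockerHubRegistry, nil
}

func main() {
	inputs := []string{ // constructed sample inputs
		"oci://ghcr.io/fluxcd/flux2:v2.4.0",
		"fluxcd/flux2",
		"localhost:5000/repo",
		"https://ghcr.io/x",
	}
	for _, in := range inputs {
		reg, err := registryFromArtifactRepository(in)
		fmt.Printf("%-36s -> %q %v\n", in, reg, err)
	}
}
```

The scheme check matters more than it looks: an https:// URL silently passed through would yield a "host" of `https:` and a cache key that matches nothing, while rejecting it surfaces the misconfiguration at reconcile time.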
Types
type ArtifactRegistryCredentials
type ArtifactRegistryCredentials struct {
authn.Authenticator
ExpiresAt time.Time
}
ArtifactRegistryCredentials implements the Token interface for credentials used to authenticate against a cloud provider's artifact registry. It embeds a go-containerregistry authn.Authenticator and records when the credentials expire. The type is the same for all cloud providers and is what the provider methods return when an artifact repository is configured in the options.
func (*ArtifactRegistryCredentials) GetDuration
func (a *ArtifactRegistryCredentials) GetDuration() time.Duration
type Option
type Option func(*Options)
Option is a functional option for the auth package.
func WithArtifactRepository
func WithArtifactRepository(artifactRepository string) Option
WithArtifactRepository sets the artifact repository the token will be used for. Most providers issue artifact registry credentials through an additional token exchange performed after the access token is obtained; this option lets the library perform that exchange and cache the resulting registry credentials instead of the intermediate access token.
func WithCache
func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option
WithCache sets the token cache and the involved object, i.e. the Kubernetes object against which cache-related events are recorded.
func WithProxyURL
func WithProxyURL(proxyURL url.URL) Option
WithProxyURL sets the URL of an HTTP or HTTPS proxy through which the token is acquired.
func WithSTSEndpoint
func WithSTSEndpoint(stsEndpoint string) Option
WithSTSEndpoint sets the endpoint of the provider's STS service used for the token exchange.
func WithSTSRegion added in v0.12.0
func WithSTSRegion(stsRegion string) Option
WithSTSRegion sets the region of the STS service; some cloud providers, e.g. AWS, require one.
func WithScopes
func WithScopes(scopes ...string) Option
WithScopes sets the scopes requested for the token.
type Options
type Options struct {
Client client.Client
Cache *cache.TokenCache
ServiceAccount *client.ObjectKey
InvolvedObject cache.InvolvedObject
Scopes []string
ArtifactRepository string
STSRegion string
STSEndpoint string
ProxyURL *url.URL
}
Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.
func (*Options) GetHTTPClient
func (*Options) GetHTTPClient() *http.Client
GetHTTPClient returns a *http.Client that routes requests through the configured proxy URL, or nil if no proxy URL is set.
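An added example of the contract described above (nil without a proxy, otherwise a client pinned to it), together with a check that reports which proxy a given request would use without sending anything. This is illustration code, not the library's GetHTTPClient; the function names, the timeout argument and the accepted proxy schemes are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// proxiedHTTPClient mirrors the documented contract: nil when no proxy is
// configured, otherwise a client whose transport routes every request
// (including the STS token exchange) through the proxy. Added example, not
// the library's code; the timeout is an assumption of this example.
func proxiedHTTPClient(proxyURL *url.URL, timeout time.Duration) (*http.Client, error) {
	if proxyURL == nil {
		return nil, nil
	}
	switch proxyURL.Scheme {
	case "http", "https", "socks5":
		// proxy schemes understood by net/http's Transport
	default:
		return nil, fmt.Errorf("unsupported proxy scheme %q", proxyURL.Scheme)
	}
	transport := http.DefaultTransport.(*http.Transport).Clone()
	// http.ProxyURL pins this proxy for every request. Unlike
	// http.ProxyFromEnvironment it ignores HTTP_PROXY/HTTPS_PROXY/NO_PROXY,
	// so an explicit proxy option cannot be overridden by the pod environment.
	transport.Proxy = http.ProxyURL(proxyURL)
	return &http.Client{Transport: transport, Timeout: timeout}, nil
}

// proxyFor reports the proxy a client would use for a request to target,
// without sending anything: useful as a startup self-check or in unit tests.
// An empty string means the request would go direct.
func proxyFor(client *http.Client, target string) (string, error) {
	if client == nil {
		return "", nil
	}
	transport, ok := client.Transport.(*http.Transport)
	if !ok || transport.Proxy == nil {
		return "", nil
	}
	req, err := http.NewRequest(http.MethodPost, target, nil)
	if err != nil {
		return "", err
	}
	u, err := transport.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	proxy, _ := url.Parse("http://proxy.internal:3128") // constructed sample proxy
	client, err := proxiedHTTPClient(proxy, 30*time.Second)
	if err != nil {
		panic(err)
	}
	via, _ := proxyFor(client, "https://sts.amazonaws.com/")
	fmt.Println("STS requests go via:", via)
}
```

Cloning http.DefaultTransport keeps its TLS, dial and keep-alive defaults; building a bare &http.Transport{} would silently drop them.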
type Provider
type Provider interface {
// GetName returns the name of the provider.
GetName() string
// NewControllerToken returns a token that can be used to authenticate
// with the cloud provider retrieved from the default source, i.e. from
// the environment of the controller pod, e.g. files mounted in the pod,
// environment variables, local metadata services, etc.
NewControllerToken(ctx context.Context, opts ...Option) (Token, error)
// GetAudience returns the audience the OIDC tokens issued representing
// ServiceAccounts should have. This is usually a string that represents
// the cloud provider's STS service, or some entity in the provider for
// which the OIDC tokens are targeted to.
GetAudience(ctx context.Context) (string, error)
// GetIdentity takes a ServiceAccount and returns the identity which the
// ServiceAccount wants to impersonate, by looking at annotations.
GetIdentity(serviceAccount corev1.ServiceAccount) (string, error)
// NewTokenForServiceAccount takes a ServiceAccount and its OIDC token and
// returns a token that can be used to authenticate with the cloud provider.
// The OIDC token is the JWT issued for the ServiceAccount by the Kubernetes
// API. The implementation should exchange this token for a cloud provider
// access token through the provider's STS service.
NewTokenForServiceAccount(ctx context.Context, oidcToken string,
serviceAccount corev1.ServiceAccount, opts ...Option) (Token, error)
// ParseArtifactRepository parses the artifact repository to verify if it
// is a valid repository for the provider. As a result, it returns the
// input required for the provider to issue the registry credentials. This
// input is also included as part of the cache key for the issued credentials.
ParseArtifactRepository(artifactRepository string) (string, error)
// NewArtifactRegistryCredentials takes the registry input extracted by
// ParseArtifactRepository() and an access token and returns credentials
// that can be used to authenticate with the registry.
NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
accessToken Token, opts ...Option) (*ArtifactRegistryCredentials, error)
}
Provider contains the provider-specific logic: obtaining a token from the controller's own environment, exchanging a ServiceAccount OIDC/JWT token for a cloud provider access token through the provider's STS service, and turning that access token into artifact registry credentials.
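The controller-side sequence around this interface (identity from annotations, registry validation, cache lookup keyed on every input that changes the result, STS exchange on a miss) as an added, runnable illustration. None of this is the fluxcd/pkg/auth code: Kubernetes types are replaced by plain structs, the provider is a fake, and its annotation key ("example.cloud/identity"), STS audience, registry suffix and the cacheKey layout are all invented for the example. The fake's NewTokenForServiceAccount receives only the JWT's audience claim where the real method receives the whole token.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added illustration, not the library's code. Kubernetes types are plain
// structs; the provider, its annotation key, audience and registry suffix are
// invented for this example.
type ServiceAccount struct {
	Namespace, Name string
	Annotations     map[string]string
}

type accessToken struct {
	Value     string
	ExpiresAt time.Time
}

func (t accessToken) GetDuration() time.Duration { return time.Until(t.ExpiresAt) }

type fakeProvider struct{ exchanges int } // counts STS calls so cache hits are observable

func (*fakeProvider) GetName() string     { return "example" }
func (*fakeProvider) GetAudience() string { return "sts.example.cloud" }

// GetIdentity fails closed: a ServiceAccount without the annotation gets no
// token, rather than silently falling back to the controller's own identity.
func (*fakeProvider) GetIdentity(sa ServiceAccount) (string, error) {
	id := strings.TrimSpace(sa.Annotations["example.cloud/identity"])
	if id == "" {
		return "", fmt.Errorf("ServiceAccount %s/%s lacks the example.cloud/identity annotation", sa.Namespace, sa.Name)
	}
	return id, nil
}

// NewTokenForServiceAccount stands in for the STS exchange: it rejects tokens
// minted for any audience but this provider's STS and mints a fake access token.
func (p *fakeProvider) NewTokenForServiceAccount(oidcAudience, identity string, scopes []string) (accessToken, error) {
	if oidcAudience != p.GetAudience() {
		return accessToken{}, fmt.Errorf("OIDC token audience %q is not %q", oidcAudience, p.GetAudience())
	}
	p.exchanges++
	return accessToken{
		Value:     fmt.Sprintf("access(%s;%s)", identity, strings.Join(scopes, ",")),
		ExpiresAt: time.Now().Add(time.Hour),
	}, nil
}

// ParseArtifactRepository accepts only registries this provider can serve.
func (*fakeProvider) ParseArtifactRepository(repo string) (string, error) {
	host, _, _ := strings.Cut(strings.TrimPrefix(repo, "oci://"), "/")
	if !strings.HasSuffix(host, ".registry.example.cloud") {
		return "", fmt.Errorf("%q is not an example.cloud registry", repo)
	}
	return host, nil
}

// cacheKey covers every input that changes the issued credential. Omitting
// any of them would let a token issued for one purpose be served for another.
func cacheKey(provider, namespace, name, identity string, scopes []string, registryInput string) string {
	sorted := append([]string(nil), scopes...)
	sort.Strings(sorted)
	parts := []string{provider, namespace, name, identity, strings.Join(sorted, ","), registryInput}
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// issue is the per-reconciliation sequence: resolve identity, validate the
// registry, probe the cache, exchange on a miss, store the result.
func issue(p *fakeProvider, cache map[string]accessToken, sa ServiceAccount, oidcAudience string, scopes []string, repo string) (accessToken, error) {
	identity, err := p.GetIdentity(sa)
	if err != nil {
		return accessToken{}, err
	}
	registryInput := ""
	if repo != "" {
		if registryInput, err = p.ParseArtifactRepository(repo); err != nil {
			return accessToken{}, err
		}
	}
	key := cacheKey(p.GetName(), sa.Namespace, sa.Name, identity, scopes, registryInput)
	if tok, ok := cache[key]; ok && tok.GetDuration() > 0 {
		return tok, nil
	}
	tok, err := p.NewTokenForServiceAccount(oidcAudience, identity, scopes)
	if err != nil {
		return accessToken{}, err
	}
	cache[key] = tok
	return tok, nil
}

func main() {
	p, cache := &fakeProvider{}, map[string]accessToken{}
	sa := ServiceAccount{Namespace: "apps", Name: "deployer", // constructed sample
		Annotations: map[string]string{"example.cloud/identity": "role/deployer"}}
	for i := 0; i < 2; i++ { // second call is a cache hit: exchanges stays at 1
		tok, err := issue(p, cache, sa, "sts.example.cloud", []string{"pull"}, "oci://eu.registry.example.cloud/team/app")
		fmt.Println(tok.Value, err, "exchanges:", p.exchanges)
	}
}
```

The identity is part of the key on purpose: if someone edits the annotation to point the ServiceAccount at a different cloud identity, the cached token for the old identity must not be served until it expires.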
type Token
type Token interface {
// GetDuration returns the duration for which the token will still be valid
// relative to approximately time.Now(). This is used to determine when the
// token should be renewed.
GetDuration() time.Duration
}
Token is an interface that represents an access token that can be used to authenticate requests to a cloud provider. The only common method returns the token's remaining validity, because different providers represent the token differently: Azure and GCP use a single string, while AWS uses three strings (access key ID, secret access key and session token). Consumers of this interface must know which concrete type to cast it to.
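An added example covering both this interface and the ArtifactRegistryCredentials.GetDuration method above: the two token shapes just described behind the one-method interface, the consumer-side type switch, and the renewal rule a cache derives from GetDuration(). These are illustration types, not the library's own; the field names, the "oauth2accesstoken" username convention (GCP style) and the renewal fraction are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Added example types, not the library's. Field names are assumptions.
type Token interface{ GetDuration() time.Duration }

// bearerToken is the single-string shape (Azure, GCP).
type bearerToken struct {
	AccessToken string
	ExpiresAt   time.Time
}

// awsCredentials is the three-string shape used by AWS.
type awsCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	ExpiresAt                                  time.Time
}

func (t bearerToken) GetDuration() time.Duration    { return remaining(t.ExpiresAt) }
func (c awsCredentials) GetDuration() time.Duration { return remaining(c.ExpiresAt) }

// remaining is relative to time.Now() and never negative, so callers can use
// "> 0" as the validity test without special-casing expired tokens.
func remaining(expiresAt time.Time) time.Duration {
	if d := time.Until(expiresAt); d > 0 {
		return d
	}
	return 0
}

// registryBasicAuth shows the consumer side: it must know the concrete type.
// A bearer token can be used directly as a registry password (GCP style, user
// "oauth2accesstoken"); AWS credentials cannot, they need the registry token
// exchange described under WithArtifactRepository, so the caller is told
// rather than handed a bogus value.
func registryBasicAuth(tok Token) (username, password string, err error) {
	if tok.GetDuration() <= 0 {
		return "", "", errors.New("token is expired")
	}
	switch t := tok.(type) {
	case bearerToken:
		return "oauth2accesstoken", t.AccessToken, nil
	case awsCredentials:
		return "", "", fmt.Errorf("AWS credentials (key %s) need a registry token exchange first", t.AccessKeyID)
	default:
		return "", "", fmt.Errorf("unsupported token type %T", tok)
	}
}

// renewAfter is how long a cache may keep a token before refreshing it: a
// fraction of the remaining lifetime, so a token is never handed out on the
// verge of expiry, and zero (refresh now) once it has already expired.
func renewAfter(tok Token, fraction float64) (time.Duration, error) {
	if fraction <= 0 || fraction > 1 {
		return 0, errors.New("fraction must be in (0, 1]")
	}
	return time.Duration(float64(tok.GetDuration()) * fraction), nil
}

func main() {
	tok := bearerToken{AccessToken: "constructed-sample-token", ExpiresAt: time.Now().Add(time.Hour)}
	user, _, _ := registryBasicAuth(tok)
	d, _ := renewAfter(tok, 0.8)
	fmt.Printf("user=%s renew in %s\n", user, d.Round(time.Second))
}
```

Clamping at zero is deliberate: a GetDuration that goes negative is easy to misuse as a cache TTL and would turn an expired token into a permanently cached one in code that only checks for inequality with zero.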