auth

package module
v0.16.0 Latest
Warning

This package is not in the latest version of its module.

Published: May 25, 2025 License: Apache-2.0 Imports: 14 Imported by: 9

Documentation

Overview

auth is a package for handling secret-less authentication with cloud providers.

Index

Constants

const EnvVarEnableObjectLevelWorkloadIdentity = "ENABLE_OBJECT_LEVEL_WORKLOAD_IDENTITY"

EnvVarEnableObjectLevelWorkloadIdentity is the environment variable that enables the use of object-level workload identity for authentication.

const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

FeatureGateObjectLevelWorkloadIdentity is a feature gate that enables the use of object-level workload identity for authentication.

Variables

var ErrObjectLevelWorkloadIdentityNotEnabled = fmt.Errorf(
	"%s feature gate is not enabled", FeatureGateObjectLevelWorkloadIdentity)

ErrObjectLevelWorkloadIdentityNotEnabled is returned when object-level workload identity is attempted but not enabled.

Functions

func EnableObjectLevelWorkloadIdentity added in v0.13.0

func EnableObjectLevelWorkloadIdentity()

EnableObjectLevelWorkloadIdentity enables the use of object-level workload identity for authentication.

func GetRegistryFromArtifactRepository added in v0.12.0

func GetRegistryFromArtifactRepository(artifactRepository string) (string, error)

GetRegistryFromArtifactRepository returns the registry from the artifact repository.

func IsObjectLevelWorkloadIdentityEnabled added in v0.13.0

func IsObjectLevelWorkloadIdentityEnabled() bool

IsObjectLevelWorkloadIdentityEnabled returns true if the object-level workload identity feature gate is enabled.

func SetFeatureGates added in v0.13.0

func SetFeatureGates(features map[string]bool)

SetFeatureGates sets the default values for the feature gates.

Types

type ArtifactRegistryCredentials

type ArtifactRegistryCredentials struct {
	authn.Authenticator
	ExpiresAt time.Time
}

ArtifactRegistryCredentials is a particular type implementing the Token interface for credentials that can be used to authenticate against an artifact registry from a cloud provider. This type is compatible with all the cloud providers and should be returned when the artifact repository is configured in the options.

func (*ArtifactRegistryCredentials) GetDuration

func (a *ArtifactRegistryCredentials) GetDuration() time.Duration

type Option

type Option func(*Options)

Option is a functional option for the auth package.

func WithArtifactRepository

func WithArtifactRepository(artifactRepository string) Option

WithArtifactRepository sets the artifact repository the token will be used for. In most cases artifact registry credentials require an additional token exchange at the end. This option allows the library to implement this exchange and cache the final token.

func WithCache

func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option

WithCache sets the token cache and the involved object for recording events.

func WithProxyURL

func WithProxyURL(proxyURL url.URL) Option

WithProxyURL sets a *url.URL for an HTTP/S proxy for acquiring the token.

func WithSTSEndpoint

func WithSTSEndpoint(stsEndpoint string) Option

WithSTSEndpoint sets the endpoint for the STS service.

func WithSTSRegion added in v0.12.0

func WithSTSRegion(stsRegion string) Option

WithSTSRegion sets the region for the STS service (some cloud providers require a region, e.g. AWS).

func WithScopes

func WithScopes(scopes ...string) Option

WithScopes sets the scopes for the token.

func WithServiceAccount

func WithServiceAccount(saRef client.ObjectKey, client client.Client) Option

WithServiceAccount sets the ServiceAccount reference for the token and a controller-runtime client to fetch the ServiceAccount and create an OIDC token for it in the Kubernetes API.

type Options

type Options struct {
	Client             client.Client
	Cache              *cache.TokenCache
	ServiceAccount     *client.ObjectKey
	InvolvedObject     cache.InvolvedObject
	Scopes             []string
	ArtifactRepository string
	STSRegion          string
	STSEndpoint        string
	ProxyURL           *url.URL
}

Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.

func (*Options) Apply

func (o *Options) Apply(opts ...Option)

Apply applies the given slice of Option(s) to the Options struct.

func (*Options) GetHTTPClient

func (o *Options) GetHTTPClient() *http.Client

GetHTTPClient returns a *http.Client with the configured proxy URL or nil if no proxy URL is set.

type Provider

type Provider interface {
	// GetName returns the name of the provider.
	GetName() string

	// NewControllerToken returns a token that can be used to authenticate
	// with the cloud provider retrieved from the default source, i.e. from
	// the environment of the controller pod, e.g. files mounted in the pod,
	// environment variables, local metadata services, etc.
	NewControllerToken(ctx context.Context, opts ...Option) (Token, error)

	// GetAudience returns the audience the OIDC tokens issued representing
	// ServiceAccounts should have. This is usually a string that represents
	// the cloud provider's STS service, or some entity in the provider for
	// which the OIDC tokens are targeted to.
	GetAudience(ctx context.Context, serviceAccount corev1.ServiceAccount) (string, error)

	// GetIdentity takes a ServiceAccount and returns the identity which the
	// ServiceAccount wants to impersonate, by looking at annotations.
	GetIdentity(serviceAccount corev1.ServiceAccount) (string, error)

	// NewTokenForServiceAccount takes a ServiceAccount and its OIDC token and
	// returns a token that can be used to authenticate with the cloud provider.
	// The OIDC token is the JWT that was issued for the ServiceAccount by the
	// Kubernetes API. The implementation should exchange this token for a cloud
	// provider access token through the provider's STS service.
	NewTokenForServiceAccount(ctx context.Context, oidcToken string,
		serviceAccount corev1.ServiceAccount, opts ...Option) (Token, error)

	// ParseArtifactRepository parses the artifact repository to verify if it
	// is a valid repository for the provider. As a result, it returns the
	// input required for the provider to issue the registry credentials. This
	// input is also included as part of the cache key for the issued credentials.
	ParseArtifactRepository(artifactRepository string) (string, error)

	// NewArtifactRegistryCredentials takes the registry input extracted by
	// ParseArtifactRepository() and an access token and returns credentials
	// that can be used to authenticate with the registry.
	NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
		accessToken Token, opts ...Option) (*ArtifactRegistryCredentials, error)
}

Provider contains the logic to retrieve an access token for a cloud provider from a ServiceAccount (OIDC/JWT) token.

type Token

type Token interface {
	// GetDuration returns the duration for which the token will still be valid
	// relative to approximately time.Now(). This is used to determine when the
	// token should be renewed.
	GetDuration() time.Duration
}

Token is an interface that represents an access token that can be used to authenticate requests for a cloud provider. The only common method is for getting the duration of the token, because different providers have different ways of representing the token. For example, Azure and GCP use a single string, while AWS uses three strings: access key ID, secret access key and session token. Consumers of this interface should know what type to cast it to.

func GetToken

func GetToken(ctx context.Context, provider Provider, opts ...Option) (Token, error)

GetToken returns an access token for accessing resources in the given cloud provider.
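The following is an added, self-contained example (not code from the auth package itself) that models the decision GetToken has to make between the controller's own identity and a ServiceAccount's object-level workload identity, the feature gate that guards the latter, and the Token.GetDuration contract used to renew credentials before they expire (as ArtifactRegistryCredentials.ExpiresAt does). The Token, Option and Options types are local stand-ins with the page's names; fakeProvider, expiringToken, NeedsRenewal and the use of a "namespace/name" string in place of client.ObjectKey are assumptions made so the example compiles without the module's Kubernetes dependencies.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Token mirrors the page's Token interface: the only method shared by all
// providers is the remaining validity, which drives renewal.
type Token interface {
	GetDuration() time.Duration
}

// Options/Option are local stand-ins for the package's functional options.
// Assumption: a "namespace/name" string stands in for client.ObjectKey.
type Options struct {
	ServiceAccount string
	Scopes         []string
}

type Option func(*Options)

func WithServiceAccount(ref string) Option {
	return func(o *Options) { o.ServiceAccount = ref }
}

func WithScopes(scopes ...string) Option {
	return func(o *Options) { o.Scopes = append(o.Scopes, scopes...) }
}

// Apply folds the options into the struct, as Options.Apply does on the page.
func (o *Options) Apply(opts ...Option) {
	for _, opt := range opts {
		opt(o)
	}
}

// Feature gate modelled on EnableObjectLevelWorkloadIdentity /
// IsObjectLevelWorkloadIdentityEnabled.
var objectLevelWorkloadIdentity bool

func EnableObjectLevelWorkloadIdentity()         { objectLevelWorkloadIdentity = true }
func IsObjectLevelWorkloadIdentityEnabled() bool { return objectLevelWorkloadIdentity }

var ErrObjectLevelWorkloadIdentityNotEnabled = errors.New(
	"ObjectLevelWorkloadIdentity feature gate is not enabled")

// expiringToken (hypothetical) models a provider token that carries its
// expiry, like ArtifactRegistryCredentials.ExpiresAt.
type expiringToken struct {
	Subject   string
	ExpiresAt time.Time
}

func (t expiringToken) GetDuration() time.Duration { return time.Until(t.ExpiresAt) }

// fakeProvider (hypothetical) implements only the two token-issuing methods of
// the Provider interface and issues tokens valid for ttl.
type fakeProvider struct{ ttl time.Duration }

func (p fakeProvider) NewControllerToken(ctx context.Context, opts ...Option) (Token, error) {
	return expiringToken{Subject: "controller", ExpiresAt: time.Now().Add(p.ttl)}, nil
}

func (p fakeProvider) NewTokenForServiceAccount(ctx context.Context, sa string, opts ...Option) (Token, error) {
	return expiringToken{Subject: "sa:" + sa, ExpiresAt: time.Now().Add(p.ttl)}, nil
}

// GetToken models the branch the package's GetToken has to take: without a
// ServiceAccount option the controller's own identity is used; with one, the
// object-level path must be gated on, otherwise the call fails loudly instead
// of quietly issuing a token for a different identity than the caller asked for.
func GetToken(ctx context.Context, p fakeProvider, opts ...Option) (Token, error) {
	var o Options
	o.Apply(opts...)
	if o.ServiceAccount == "" {
		return p.NewControllerToken(ctx, opts...)
	}
	if !IsObjectLevelWorkloadIdentityEnabled() {
		return nil, ErrObjectLevelWorkloadIdentityNotEnabled
	}
	return p.NewTokenForServiceAccount(ctx, o.ServiceAccount, opts...)
}

// NeedsRenewal applies a safety margin to GetDuration so a cached token is
// refreshed before it expires rather than after the first failed request.
func NeedsRenewal(t Token, margin time.Duration) bool {
	return t.GetDuration() <= margin
}

func main() {
	ctx := context.Background()
	p := fakeProvider{ttl: time.Hour}

	_, err := GetToken(ctx, p, WithServiceAccount("flux-system/source-controller"))
	fmt.Println("before enabling gate:", err)

	EnableObjectLevelWorkloadIdentity()
	tok, _ := GetToken(ctx, p, WithServiceAccount("flux-system/source-controller"), WithScopes("storage.read"))
	fmt.Printf("subject=%s renew now? %v\n", tok.(expiringToken).Subject, NeedsRenewal(tok, 5*time.Minute))
}
```

The margin passed to NeedsRenewal is the knob a cache built on this interface would tune: it must exceed the time a token spends in flight (fetch, exchange, first use) so that a credential handed to a registry client is never already expired when it arrives.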

Directories

Path Synopsis
authutils contains small utility functions without much logic wrapping the major APIs of the core auth package for ease of use in the controllers.
