auth

package module
v0.22.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 15, 2025 License: Apache-2.0 Imports: 16 Imported by: 9

Documentation

Overview

auth is a package for handling secret-less authentication with cloud providers.

Index

Constants

View Source 
const EnvVarEnableObjectLevelWorkloadIdentity = "ENABLE_OBJECT_LEVEL_WORKLOAD_IDENTITY"

EnvVarEnableObjectLevelWorkloadIdentity is the environment variable that enables the use of object-level workload identity for authentication.

View Source 
const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

FeatureGateObjectLevelWorkloadIdentity is a feature gate that enables the use of object-level workload identity for authentication.

Variables

View Source 
var ErrObjectLevelWorkloadIdentityNotEnabled = fmt.Errorf(
	"%s feature gate is not enabled", FeatureGateObjectLevelWorkloadIdentity)

ErrObjectLevelWorkloadIdentityNotEnabled is returned when object-level workload identity is attempted but not enabled.

Functions

func EnableObjectLevelWorkloadIdentity added in v0.13.0 

func EnableObjectLevelWorkloadIdentity()

EnableObjectLevelWorkloadIdentity enables the use of object-level workload identity for authentication.

func GetRegistryFromArtifactRepository added in v0.12.0 

func GetRegistryFromArtifactRepository(artifactRepository string) (string, error)

GetRegistryFromArtifactRepository returns the registry from the artifact repository.

func IsObjectLevelWorkloadIdentityEnabled added in v0.13.0 

func IsObjectLevelWorkloadIdentityEnabled() bool

IsObjectLevelWorkloadIdentityEnabled returns true if the object-level workload identity feature gate is enabled.

func ParseClusterAddress added in v0.21.0 

func ParseClusterAddress(address string) (string, error)

ParseClusterAddress parses the given cluster address and returns the canonical form https://<lowercase(host)>:<port>.

func SetFeatureGates added in v0.13.0 

func SetFeatureGates(features map[string]bool)

SetFeatureGates sets the default values for the feature gates.

Types

type ArtifactRegistryCredentials 

type ArtifactRegistryCredentials struct {
	authn.Authenticator
	ExpiresAt time.Time
}

ArtifactRegistryCredentials is a particular type implementing the Token interface for credentials that can be used to authenticate against an artifact registry from a cloud provider.

func GetArtifactRegistryCredentials added in v0.21.0 

func GetArtifactRegistryCredentials(ctx context.Context, provider ArtifactRegistryCredentialsProvider,
	artifactRepository string, opts ...Option) (*ArtifactRegistryCredentials, error)

GetArtifactRegistryCredentials retrieves the registry credentials for the specified artifact repository and provider.

func (*ArtifactRegistryCredentials) GetDuration 

func (a *ArtifactRegistryCredentials) GetDuration() time.Duration

GetDuration implements Token.

type ArtifactRegistryCredentialsProvider added in v0.21.0 

type ArtifactRegistryCredentialsProvider interface {
	Provider

	// GetAccessTokenOptionsForArtifactRepository returns the options that must be
	// passed to the provider to retrieve access tokens for an artifact repository.
	GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]Option, error)

	// ParseArtifactRepository parses the artifact repository to verify
	// it's a valid repository for the provider. As a result, it returns
	// the input required for the provider to issue registry credentials.
	// This input is included in the cache key for the issued credentials.
	ParseArtifactRepository(artifactRepository string) (string, error)

	// NewArtifactRegistryCredentials takes the registry input extracted by
	// ParseArtifactRepository() and an access token and returns credentials
	// that can be used to authenticate with the registry.
	NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
		accessToken Token, opts ...Option) (*ArtifactRegistryCredentials, error)
}

ArtifactRegistryCredentialsProvider is an interface that defines methods for retrieving credentials for artifact registries from cloud providers.

type Option 

type Option func(*Options)

Option is a functional option for the auth package.

func WithAllowShellOut added in v0.17.0 

func WithAllowShellOut() Option

WithAllowShellOut allows the provider to shell out to binary tools for acquiring controller tokens. MUST be used only by the Flux CLI, i.e. in the github.com/fluxcd/flux2 Git repository.

func WithAudiences added in v0.21.0 

func WithAudiences(audiences ...string) Option

WithAudiences sets the audiences for the Kubernetes ServiceAccount token.

func WithCAData added in v0.21.0 

func WithCAData(caData string) Option

WithCAData sets the CA data for credentials that require a CA, e.g. for Kubernetes REST config.

func WithCache 

func WithCache(cache cache.TokenCache, involvedObject cache.InvolvedObject) Option

WithCache sets the token cache and the involved object for recording events.

func WithClient added in v0.21.0 

func WithClient(client client.Client) Option

WithClient sets the controller-runtime client for the provider.

func WithClusterAddress added in v0.21.0 

func WithClusterAddress(clusterAddress string) Option

WithClusterAddress sets the cluster address for creating a REST config. This address is used to select the correct cluster endpoint and CA data when the provider has a list of endpoints to choose from, or to simply validate the address against the cluster resource when the provider returns a single endpoint. This is optional, providers returning a list of endpoints will select the first one if no address is provided.

func WithClusterResource added in v0.21.0 

func WithClusterResource(clusterResource string) Option

WithClusterResource sets the cluster resource for creating a REST config. Must be the fully qualified name of the cluster resource in the cloud provider API.

func WithProxyURL 

func WithProxyURL(proxyURL url.URL) Option

WithProxyURL sets a *url.URL for an HTTP/S proxy for acquiring the token.

func WithSTSEndpoint 

func WithSTSEndpoint(stsEndpoint string) Option

WithSTSEndpoint sets the endpoint for the STS service.

func WithSTSRegion added in v0.12.0 

func WithSTSRegion(stsRegion string) Option

WithSTSRegion sets the region for the STS service (some cloud providers require a region, e.g. AWS).

func WithScopes 

func WithScopes(scopes ...string) Option

WithScopes sets the scopes for the token.

func WithServiceAccount 

func WithServiceAccount(saRef client.ObjectKey, c client.Client) Option

WithServiceAccount sets the ServiceAccount reference for the token and a controller-runtime client to fetch the ServiceAccount and create an OIDC token for it in the Kubernetes API.

type Options 

type Options struct {
	Client          client.Client
	Cache           *cache.TokenCache
	ServiceAccount  *client.ObjectKey
	InvolvedObject  cache.InvolvedObject
	Audiences       []string
	Scopes          []string
	STSRegion       string
	STSEndpoint     string
	ProxyURL        *url.URL
	CAData          string
	ClusterResource string
	ClusterAddress  string
	AllowShellOut   bool
}

Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.

func (*Options) Apply 

func (o *Options) Apply(opts ...Option)

Apply applies the given slice of Option(s) to the Options struct.

func (*Options) GetHTTPClient 

func (o *Options) GetHTTPClient() *http.Client

GetHTTPClient returns a *http.Client with the configured proxy URL or nil if no proxy URL is set.

type Provider 

type Provider interface {
	// GetName returns the name of the cloud provider.
	GetName() string

	// NewControllerToken returns a token that can be used to authenticate
	// with the cloud provider retrieved from the default source, i.e. from
	// the environment of the controller pod, e.g. files mounted in the pod,
	// environment variables, local metadata services, etc.
	NewControllerToken(ctx context.Context, opts ...Option) (Token, error)

	// GetAudiences returns the audiences the OIDC tokens issued representing
	// ServiceAccounts should have. These are usually strings that represent
	// the cloud provider's STS service, or some entity in the provider for
	// which the OIDC tokens are targeted to.
	GetAudiences(ctx context.Context, serviceAccount corev1.ServiceAccount) ([]string, error)

	// GetIdentity takes a ServiceAccount and returns the identity which the
	// ServiceAccount wants to impersonate, by looking at annotations.
	GetIdentity(serviceAccount corev1.ServiceAccount) (string, error)

	// NewToken takes a ServiceAccount and its OIDC token and returns a token
	// that can be used to authenticate with the cloud provider. The OIDC token is
	// the JWT token that was issued for the ServiceAccount by the Kubernetes API.
	// The implementation should exchange this token for a cloud provider access
	// token through the provider's STS service.
	NewTokenForServiceAccount(ctx context.Context, oidcToken string,
		serviceAccount corev1.ServiceAccount, opts ...Option) (Token, error)
}

Provider contains the logic to retrieve security credentials for accessing resources in a cloud provider.

type RESTConfig added in v0.21.0 

type RESTConfig struct {
	Host        string
	BearerToken string
	CAData      []byte
	ExpiresAt   time.Time
}

RESTConfig is a particular type implementing the Token interface for Kubernetes REST configurations.

func GetRESTConfig added in v0.21.0 

func GetRESTConfig(ctx context.Context, provider RESTConfigProvider, opts ...Option) (*RESTConfig, error)

GetRESTConfig retrieves the authentication and connection details to a remote Kubernetes cluster for the given provider, cluster resource name and options.

func (*RESTConfig) GetDuration added in v0.21.0 

func (r *RESTConfig) GetDuration() time.Duration

GetDuration implements Token.

type RESTConfigProvider added in v0.21.0 

type RESTConfigProvider interface {
	Provider

	// GetAccessTokenOptionsForCluster returns the options that must be
	// passed to the provider to retrieve access tokens for a cluster.
	// More than one access token may be required depending on the
	// provider, with different options (e.g. scope). Hence the return
	// type is a slice of []Option.
	GetAccessTokenOptionsForCluster(opts ...Option) ([][]Option, error)

	// NewRESTConfig returns a new RESTConfig that can be used to authenticate
	// with the Kubernetes API server. The access tokens are used for looking
	// up connection details like the API server address and CA certificate
	// data, and for accessing the cluster API server itself via the IAM
	// system of the cloud provider. If it's just a single token or multiple,
	// it depends on the provider.
	NewRESTConfig(ctx context.Context, accessTokens []Token, opts ...Option) (*RESTConfig, error)
}

RESTConfigProvider is an interface that defines methods for retrieving REST configurations for Kubernetes clusters from cloud providers.

type Token 

type Token interface {
	// GetDuration returns the duration for which the token will still be valid
	// relative to approximately time.Now(). This is used to determine when the
	// token should be renewed.
	GetDuration() time.Duration
}

Token is an interface that represents an access token that can be used to authenticate requests for a cloud provider. The only common method is for getting the duration of the token, because different providers have different ways of representing the token. For example, Azure and GCP use a single string, while AWS uses three strings: access key ID, secret access key and token session. Consumers of this interface should know what type to cast it to.

func GetAccessToken added in v0.21.0 

func GetAccessToken(ctx context.Context, provider Provider, opts ...Option) (Token, error)

GetAccessToken returns an access token for accessing resources in the given cloud provider.

Source Files

View all Source files

Directories

Path Synopsis
Package utils contains small utility functions without much logic wrapping the major APIs of the core auth package for ease of use in the controllers.
 Package utils contains small utility functions without much logic wrapping the major APIs of the core auth package for ease of use in the controllers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.