credential

package
v0.68.0

This package is not in the latest version of its module.

Published: Apr 27, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation


Constants

const (
	// Gateway secret data keys (supporting migration from Ingress to Gateway API).
	IngressDataKey   = "auth"
	HTTPRouteDataKey = ".htpasswd"

	// SecretKeyUsername, SecretKeyPassword and SecretKeyHtpasswd are the keys
	// written into the rendered per-credential Secret. Username/password match
	// the required keys of the kubernetes.io/basic-auth Secret type.
	SecretKeyUsername = "username"
	SecretKeyPassword = "password"
	SecretKeyHtpasswd = "htpasswd"
)

Variables

var ErrCredentialNotReady = errors.New("agent credential secret not yet rendered")

ErrCredentialNotReady signals that the AgentCredential CR exists but the backing Secret has not been rendered yet. Callers should treat this as a transient state worthy of a short requeue rather than a hard error. The AgentCredentialReconciler produces the Secret asynchronously.

Functions

func ClusterCredentialName

func ClusterCredentialName(clusterName string, backend observabilityv1alpha1.CredentialBackend) string

ClusterCredentialName returns the AgentCredential name used by the cluster controller for the given cluster and backend. Kept here so collectors and the cluster controller agree on the naming scheme.

func ClusterSecretName

func ClusterSecretName(clusterName string, backend observabilityv1alpha1.CredentialBackend) string

ClusterSecretName returns the Secret name used by the cluster controller for the given cluster and backend. The "-auth" suffix matches the pre-CRD legacy Secret name, so existing Alloy collectors keep their references unchanged.

func SecretName

SecretName returns the name of the Secret for the given AgentCredential. Defaults to the CR's name when spec.secretName is empty.

Types

type Aggregator

type Aggregator struct {
	Client         client.Client
	GatewayConfigs GatewayConfigs
}

Aggregator rebuilds the per-backend gateway htpasswd Secrets by concatenating entries from every AgentCredential matching a given backend.

func NewAggregator

func NewAggregator(c client.Client, configs GatewayConfigs) *Aggregator

NewAggregator builds an Aggregator.

func (*Aggregator) Aggregate

Aggregate rewrites both gateway secrets (ingress and HTTPRoute) for the given backend to reflect the current set of AgentCredentials.
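The aggregation step described above, as an added sketch that is not the package's own code: it works on plain structs instead of a Kubernetes client and writes the same body under the two data keys listed in the constants ("auth" and ".htpasswd"). The `cred` type, the backend names and the validation and ordering rules are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// cred is a constructed stand-in for one AgentCredential and its rendered Secret.
type cred struct {
	Backend  string // backend names used below are assumptions
	Htpasswd string // value stored under the "htpasswd" key
}

// aggregate builds the data for the Ingress and HTTPRoute gateway secrets of one backend.
func aggregate(creds []cred, backend string) (ingress, route map[string][]byte, err error) {
	seen := map[string]string{} // username -> full entry
	for _, c := range creds {
		if c.Backend != backend {
			continue
		}
		line := strings.TrimSpace(c.Htpasswd)
		user, hash, ok := strings.Cut(line, ":")
		// Exactly one "user:hash" line per credential; an embedded newline would add a user.
		if !ok || user == "" || hash == "" || strings.ContainsAny(line, "\r\n") {
			return nil, nil, fmt.Errorf("backend %q: malformed htpasswd entry", backend)
		}
		if prev, dup := seen[user]; dup && prev != line {
			return nil, nil, fmt.Errorf("backend %q: conflicting entries for %q", backend, user)
		}
		seen[user] = line
	}
	lines := make([]string, 0, len(seen))
	for _, l := range seen {
		lines = append(lines, l)
	}
	sort.Strings(lines) // stable output, so an unchanged set produces no Secret update
	var body []byte
	for _, l := range lines {
		body = append(body, l+"\n"...)
	}
	return map[string][]byte{"auth": body}, map[string][]byte{".htpasswd": body}, nil
}

func main() {
	in := []cred{{"metrics", "bob:$2y$05$constructedB"}, {"metrics", "alice:$2y$05$constructedA"}}
	ingress, _, err := aggregate(in, "metrics")
	fmt.Printf("%s%v\n", ingress["auth"], err)
}
```

The error messages name the backend and username only, so a rejected entry never puts a password hash into controller logs.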

type BackendCredentials

type BackendCredentials map[observabilityv1alpha1.CredentialBackend]BasicAuth

BackendCredentials is a per-backend bag of resolved basic-auth pairs. The cluster controller resolves it once per reconcile and passes it into each collector so the rendering layer stays free of credential-store I/O.

func (BackendCredentials) Get

Get returns the credentials for the given backend plus a boolean indicating whether they were present.

type BasicAuth

type BasicAuth struct {
	Username string
	Password string
}

BasicAuth holds a resolved basic-auth pair.

type GatewayConfig

type GatewayConfig struct {
	// Namespace is the Kubernetes namespace where the gateway secrets reside.
	Namespace string

	// IngressSecretName is the name of the auth secret consumed by Ingress.
	IngressSecretName string
	// IngressDataKey is the data key within the ingress secret.
	IngressDataKey string

	// HTTPRouteSecretName is the name of the auth secret consumed by the
	// Gateway API HTTPRoute.
	HTTPRouteSecretName string
	// HTTPRouteDataKey is the data key within the HTTPRoute secret.
	HTTPRouteDataKey string
}

GatewayConfig holds the namespace and secret names for a single backend's gateway authentication secrets.

func NewGatewayConfig

func NewGatewayConfig(namespace, ingressSecretName, httprouteSecretName string) GatewayConfig

NewGatewayConfig builds a GatewayConfig with the standard data keys.

type GatewayConfigs

GatewayConfigs maps each backend to its gateway secret configuration.

type PasswordGenerator

type PasswordGenerator interface {
	GeneratePassword(length int) (string, error)
	GenerateHtpasswd(username, password string) (string, error)
}

PasswordGenerator generates passwords and htpasswd entries.

func NewPasswordGenerator

func NewPasswordGenerator() PasswordGenerator

NewPasswordGenerator creates a new password generator.

type Reader

type Reader interface {
	// ReadPassword returns (username, password) for the AgentCredential with
	// the given name in the given namespace.
	ReadPassword(ctx context.Context, namespace, credentialName string) (username, password string, err error)
}

Reader reads basic-auth credentials from the Secrets backing AgentCredentials.

func NewReader

func NewReader(c client.Client) Reader

NewReader returns a Reader backed by a controller-runtime client.
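How a caller can combine Reader, BackendCredentials and ErrCredentialNotReady, as an added example that is not the package's own code: credentials are resolved once per reconcile, and a pending Secret becomes a short requeue instead of a hard error. The types are local stand-ins for the documented ones; `fakeReader`, `resolve`, the credential names, the 10-second delay and the assumption that the sentinel surfaces (possibly wrapped) from ReadPassword are all hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Local stand-ins that mirror the names documented on this page.
var ErrCredentialNotReady = errors.New("agent credential secret not yet rendered")

type BasicAuth struct{ Username, Password string }
type Reader interface {
	ReadPassword(ctx context.Context, namespace, credentialName string) (username, password string, err error)
}

// fakeReader is constructed test data keyed by "namespace/name"; a missing key means pending.
type fakeReader map[string]BasicAuth

func (f fakeReader) ReadPassword(_ context.Context, ns, name string) (string, string, error) {
	ba, ok := f[ns+"/"+name]
	if !ok {
		return "", "", fmt.Errorf("read %s/%s: %w", ns, name, ErrCredentialNotReady)
	}
	return ba.Username, ba.Password, nil
}

// resolve reads one credential per backend; a pending Secret yields a requeue delay and no partial result.
func resolve(ctx context.Context, r Reader, ns string, names map[string]string) (map[string]BasicAuth, time.Duration, error) {
	out := make(map[string]BasicAuth, len(names))
	for backend, name := range names {
		user, pass, err := r.ReadPassword(ctx, ns, name)
		switch {
		case errors.Is(err, ErrCredentialNotReady): // matches through %w wrapping
			return nil, 10 * time.Second, nil // assumed delay, not a value from the package
		case err != nil:
			return nil, 0, fmt.Errorf("backend %s: %w", backend, err)
		}
		out[backend] = BasicAuth{user, pass}
	}
	return out, 0, nil
}

func main() {
	r := fakeReader{"obs/c1-metrics": {"c1", "constructed-password"}}
	creds, delay, err := resolve(context.Background(), r, "obs", map[string]string{"metrics": "c1-metrics"})
	fmt.Println(len(creds), delay, err)
}
```

Comparing with `==` instead of `errors.Is` would miss the wrapped sentinel and turn a transient state into a failed reconcile.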

type Renderer

type Renderer struct {
	Client            client.Client
	PasswordGenerator PasswordGenerator
}

Renderer creates or updates the per-credential basic-auth Secret backing an AgentCredential.

func NewRenderer

func NewRenderer(c client.Client) *Renderer

NewRenderer builds a Renderer with the default password generator.

func (*Renderer) Render

Render creates or updates the basic-auth Secret for the given AgentCredential. Returns the rendered Secret so callers can update status.
