clusteraccess

package
v0.22.0

Published: Sep 18, 2025 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeTokenRenewalTime

func ComputeTokenRenewalTime(creationTime, expirationTime time.Time) time.Time

ComputeTokenRenewalTime computes the time for the renewal of a token, given its creation and expiration time. Returns the zero time if either of the given times is zero. The returned time is when 80% of the validity duration is reached. If another percentage is desired, use ComputeTokenRenewalTimeWithRatio instead.

func ComputeTokenRenewalTimeWithRatio

func ComputeTokenRenewalTimeWithRatio(creationTime, expirationTime time.Time, ratio float64) time.Time

ComputeTokenRenewalTimeWithRatio computes the time for the renewal of a token, given its creation and expiration time. Returns the zero time if either of the given times is zero. Ratio must be between 0 and 1. The returned time is when this fraction of the validity duration (expiration minus creation) has elapsed.
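The renewal rule and the ServiceAccountToken struct it is normally applied to, as an added example that is not the package's code: a stand-alone reimplementation of the documented semantics plus the decision logic a controller would wrap around it. What the package does for a ratio outside [0,1] or for an expiration that precedes the creation is not stated on the page; this example rejects both with an error, which is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// serviceAccountToken mirrors the package's ServiceAccountToken struct.
type serviceAccountToken struct {
	token               string
	creationTimestamp   time.Time
	expirationTimestamp time.Time
}

// renewalTimeWithRatio reimplements the documented rule: the instant at which
// ratio of the validity window has elapsed, or the zero time if either input
// is zero. Assumption (not stated on the page): a ratio outside [0,1] or an
// expiration that is not after the creation is rejected, not silently clamped.
func renewalTimeWithRatio(creation, expiration time.Time, ratio float64) (time.Time, error) {
	if creation.IsZero() || expiration.IsZero() {
		return time.Time{}, nil
	}
	if ratio < 0 || ratio > 1 {
		return time.Time{}, fmt.Errorf("ratio %v is not in [0,1]", ratio)
	}
	if !expiration.After(creation) {
		return time.Time{}, errors.New("expiration must be after creation")
	}
	validity := expiration.Sub(creation)
	return creation.Add(time.Duration(float64(validity) * ratio)), nil
}

// renewalTime applies the package's default of 80%.
func renewalTime(creation, expiration time.Time) (time.Time, error) {
	return renewalTimeWithRatio(creation, expiration, 0.8)
}

type tokenState int

const (
	tokenValid    tokenState = iota // before the renewal point
	tokenRenewDue                   // past the renewal point, still accepted by the API server
	tokenExpired                    // past expiration: must not be sent any more
)

// classify tells a controller what to do with a token at time now. Renewing at
// 80% leaves the last 20% of the window for retries against a slow or briefly
// unavailable API server while the old token still works.
func classify(tok serviceAccountToken, now time.Time) (tokenState, error) {
	renewAt, err := renewalTime(tok.creationTimestamp, tok.expirationTimestamp)
	if err != nil {
		return tokenExpired, err
	}
	if renewAt.IsZero() {
		return tokenExpired, errors.New("token carries no timestamps; treat it as unusable")
	}
	switch {
	case !now.Before(tok.expirationTimestamp):
		return tokenExpired, nil
	case !now.Before(renewAt):
		return tokenRenewDue, nil
	}
	return tokenValid, nil
}

// renewAfter is the delay a reconciler should requeue with before renewing;
// zero means "renew now".
func renewAfter(tok serviceAccountToken, now time.Time) (time.Duration, error) {
	renewAt, err := renewalTime(tok.creationTimestamp, tok.expirationTimestamp)
	if err != nil {
		return 0, err
	}
	if renewAt.IsZero() {
		return 0, errors.New("token carries no timestamps")
	}
	if d := renewAt.Sub(now); d > 0 {
		return d, nil
	}
	return 0, nil
}

func main() {
	created := time.Date(2025, 9, 18, 10, 0, 0, 0, time.UTC)
	tok := serviceAccountToken{token: "<redacted>", creationTimestamp: created, expirationTimestamp: created.Add(time.Hour)}
	for _, m := range []int{30, 50, 61} {
		now := created.Add(time.Duration(m) * time.Minute)
		state, _ := classify(tok, now)
		wait, _ := renewAfter(tok, now)
		fmt.Printf("t+%dm: state=%d, renew in %s\n", m, state, wait)
	}
}
```

For a one-hour token created at 10:00 the renewal point is 10:48; a reconciler that requeues with renewAfter renews once and then has twelve minutes of retries before the old credential stops working.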

func CreateOIDCKubeconfig added in v0.17.0

func CreateOIDCKubeconfig(user, host string, caData []byte, issuer, clientID string, extraOptions ...CreateOIDCKubeconfigOption) ([]byte, error)

CreateOIDCKubeconfig creates a kubeconfig that uses the oidc-login plugin for authentication. The 'user' arg is used as key for the auth configuration and can be chosen freely. Note that this kubeconfig is meant for human users: it relies on the kubectl oidc-login plugin being installed on the client, and controllers usually cannot execute 'kubectl oidc-login get-token'. For non-interactive clients, use CreateTokenKubeconfig instead.

func CreateTokenKubeconfig

func CreateTokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error)

CreateTokenKubeconfig generates a kubeconfig based on the given values. The 'user' arg is used as key for the auth configuration and can be chosen freely. The returned bytes embed the bearer token in clear text and must be protected accordingly.

func EnsureClusterRole

func EnsureClusterRole(ctx context.Context, c client.Client, name string, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.ClusterRole, error)

EnsureClusterRole ensures that the specified ClusterRole exists with the specified rules. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ClusterRole is returned.

func EnsureClusterRoleAndBinding

func EnsureClusterRoleAndBinding(ctx context.Context, c client.Client, name string, subjects []rbacv1.Subject, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.ClusterRoleBinding, *rbacv1.ClusterRole, error)

EnsureClusterRoleAndBinding combines EnsureClusterRole and EnsureClusterRoleBinding. The name is used for both the ClusterRole and ClusterRoleBinding.

func EnsureClusterRoleBinding

func EnsureClusterRoleBinding(ctx context.Context, c client.Client, name, clusterRoleName string, subjects []rbacv1.Subject, expectedLabels ...Label) (*rbacv1.ClusterRoleBinding, error)

EnsureClusterRoleBinding ensures that the specified ClusterRoleBinding exists with the specified subjects. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ClusterRoleBinding is returned.

func EnsureNamespace

func EnsureNamespace(ctx context.Context, c client.Client, nsName string, expectedLabels ...Label) (*corev1.Namespace, error)

EnsureNamespace ensures that the specified Namespace exists. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The namespace is returned.

func EnsureRole

func EnsureRole(ctx context.Context, c client.Client, name, namespace string, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.Role, error)

EnsureRole ensures that the specified Role exists with the specified rules. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The Role is returned.

func EnsureRoleAndBinding

func EnsureRoleAndBinding(ctx context.Context, c client.Client, name, namespace string, subjects []rbacv1.Subject, rules []rbacv1.PolicyRule, expectedLabels ...Label) (*rbacv1.RoleBinding, *rbacv1.Role, error)

EnsureRoleAndBinding combines EnsureRole and EnsureRoleBinding. The name is used for both the Role and RoleBinding.

func EnsureRoleBinding

func EnsureRoleBinding(ctx context.Context, c client.Client, name, namespace, roleName string, subjects []rbacv1.Subject, expectedLabels ...Label) (*rbacv1.RoleBinding, error)

EnsureRoleBinding ensures that the specified RoleBinding exists with the specified subjects. If it doesn't exist, it is created with the expected labels. If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The RoleBinding is returned.

func EnsureServiceAccount

func EnsureServiceAccount(ctx context.Context, c client.Client, saName, saNamespace string, expectedLabels ...Label) (*corev1.ServiceAccount, error)

EnsureServiceAccount ensures that the specified ServiceAccount exists. If it doesn't exist, it is created with the expected labels (the namespace has to exist). If it exists, but does not have the expected labels, a ResourceNotManagedError is returned. The ServiceAccount is returned.

func FailIfNotManaged

func FailIfNotManaged(obj client.Object, expectedLabels ...Label) error

FailIfNotManaged takes an object and a list of expected labels. It returns a ResourceNotManagedError if any of the expected labels is missing on the object or has a different value. If the object is nil or the expected labels are empty, it returns nil. Note that this makes the check a no-op when no expected labels are passed: the Ensure* functions will then adopt and modify any pre-existing resource of the given name, so callers should always pass the labels that identify the resources they own.

func IsResourceNotManagedError

func IsResourceNotManagedError(err error) bool

IsResourceNotManagedError returns true if the error is non-nil and of type *ResourceNotManagedError.
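The ownership check that all Ensure* functions share, as an added example that is not the package's code. It reimplements FailIfNotManaged, the error type and IsResourceNotManagedError against a minimal object interface, and shows EnsureClusterRole's documented create/refuse/reconcile contract over an in-memory store that stands in for the API server. Assumptions: controller-runtime's client.Object is reduced to GetName/GetLabels, rbacv1.PolicyRule is reduced to a string, and the label key app.kubernetes.io/managed-by is just a sample owner label.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// label mirrors the package's Label alias: a key/value pair.
type label struct{ key, value string }

// object is the slice of client.Object this example needs (assumption: a real
// caller passes controller-runtime objects; an in-memory type stands in here).
type object interface {
	GetName() string
	GetLabels() map[string]string
}

// resourceNotManagedError mirrors the package's error type: the object exists
// but does not carry the labels that mark it as owned by this caller.
type resourceNotManagedError struct {
	obj            object
	expectedLabels []label
}

func (e *resourceNotManagedError) Error() string {
	want := make([]string, 0, len(e.expectedLabels))
	for _, l := range e.expectedLabels {
		want = append(want, l.key+"="+l.value)
	}
	return fmt.Sprintf("resource %q exists but is not managed by us (expected labels %s)", e.obj.GetName(), strings.Join(want, ","))
}

// isResourceNotManagedError also sees through fmt.Errorf("...: %w", err) wrapping.
func isResourceNotManagedError(err error) bool {
	var target *resourceNotManagedError
	return errors.As(err, &target)
}

// failIfNotManaged returns an error if any expected label is missing or has a
// different value. A nil object or an empty label list means "nothing to
// check", which is exactly why callers must always pass their owner labels.
func failIfNotManaged(obj object, expected ...label) error {
	if obj == nil || len(expected) == 0 {
		return nil
	}
	have := obj.GetLabels()
	for _, l := range expected {
		if v, ok := have[l.key]; !ok || v != l.value {
			return &resourceNotManagedError{obj: obj, expectedLabels: expected}
		}
	}
	return nil
}

// clusterRole stands in for rbacv1.ClusterRole: a name, labels and a flat
// list of rules written as "<verbs> on <resources>" strings.
type clusterRole struct {
	name   string
	labels map[string]string
	rules  []string
}

func (r *clusterRole) GetName() string              { return r.name }
func (r *clusterRole) GetLabels() map[string]string { return r.labels }

// store is an in-memory stand-in for the API server, keyed by name.
type store map[string]*clusterRole

// ensureClusterRole follows the documented contract: create with the expected
// labels if absent, refuse to touch an object that is not ours, otherwise
// reconcile the rules. Refusing is what keeps a name collision with a
// pre-existing ClusterRole (or binding) from silently rewriting its rules
// (or subjects).
func (s store) ensureClusterRole(name string, rules []string, expected ...label) (*clusterRole, error) {
	existing, found := s[name]
	if !found {
		labels := make(map[string]string, len(expected))
		for _, l := range expected {
			labels[l.key] = l.value
		}
		cr := &clusterRole{name: name, labels: labels, rules: append([]string(nil), rules...)}
		s[name] = cr
		return cr, nil
	}
	if err := failIfNotManaged(existing, expected...); err != nil {
		return nil, fmt.Errorf("ensure clusterrole %q: %w", name, err)
	}
	existing.rules = append([]string(nil), rules...)
	return existing, nil
}

func main() {
	owner := label{key: "app.kubernetes.io/managed-by", value: "clusteraccess-example"}
	s := store{"admin": &clusterRole{name: "admin", rules: []string{"* on *"}}}
	if _, err := s.ensureClusterRole("admin", []string{"get on pods"}, owner); err != nil {
		fmt.Println("refused:", err, "| rules still:", s["admin"].rules)
	}
}
```

The same guard applies to the Namespace, ServiceAccount and binding helpers, and GetTokenBasedAccess runs all of them with one expectedLabels list; the test below also shows the adoption that happens when that list is empty.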

func WriteKubeconfigFromRESTConfig added in v0.11.0

func WriteKubeconfigFromRESTConfig(restConfig *rest.Config) ([]byte, error)

WriteKubeconfigFromRESTConfig converts the RESTConfig to a kubeconfig format. Supported authentication methods are Bearer Token, Username/Password and Client Certificate. The credential is written into the returned kubeconfig, so the result must be handled as a secret.

func WriteOIDCConfigFromRESTConfig added in v0.11.0

func WriteOIDCConfigFromRESTConfig(restConfig *rest.Config) ([]byte, error)

WriteOIDCConfigFromRESTConfig converts a RESTConfig to an OIDC trust configuration format. When creating a Kubernetes deployment, this configuration is used to set up the trust relationship to the target cluster: it is meant to be stored in a Secret (here named oidc-trust-config) whose host and caData keys are projected into the pod together with an audience-bound ServiceAccount token. The audience must be one the target cluster is configured to accept, and the kubelet refreshes the projected token before it expires, so a consumer should re-read the token file for each request instead of caching it at startup. Example:

spec:
  template:
    spec:
      volumes:
      - name: oidc-trust-config
        projected:
          sources:
          - secret:
              name: oidc-trust-config
              items:
              - key: host
                path: cluster/host
              - key: caData
                path: cluster/ca.crt
          - serviceAccountToken:
              audience: target-cluster
              path: cluster/token
              expirationSeconds: 3600
      containers:
      - # name, image, ...
        volumeMounts:
        - name: oidc-trust-config
          mountPath: /var/run/secrets/oidc-trust-config
          readOnly: true

Types

type CreateOIDCKubeconfigOption added in v0.17.0

type CreateOIDCKubeconfigOption func(*CreateOIDCKubeconfigOptions)

func ForceRefresh added in v0.17.0

func ForceRefresh() CreateOIDCKubeconfigOption

ForceRefresh is an option for CreateOIDCKubeconfig that forces the refresh of the token, independent of its expiration time.

func UsePKCE added in v0.17.0

func UsePKCE() CreateOIDCKubeconfigOption

UsePKCE is an option for CreateOIDCKubeconfig that enforces the use of PKCE (RFC 7636) in the authorization code flow.

func WithClientSecret added in v0.17.0

func WithClientSecret(clientSecret string) CreateOIDCKubeconfigOption

WithClientSecret is an option for CreateOIDCKubeconfig that sets the client secret. Note that the secret ends up in the generated kubeconfig, so it is only as confidential as that file.

func WithClusterName added in v0.17.0

func WithClusterName(clusterName string) CreateOIDCKubeconfigOption

WithClusterName overrides the default cluster name "cluster" in the kubeconfig.

func WithContextName added in v0.17.0

func WithContextName(contextName string) CreateOIDCKubeconfigOption

WithContextName overrides the default context name "cluster" in the kubeconfig.

func WithExtraScope added in v0.17.0

func WithExtraScope(scope string) CreateOIDCKubeconfigOption

WithExtraScope is an option for CreateOIDCKubeconfig that adds an extra scope to the oidc-login subcommand. This option can be used multiple times to add multiple scopes.

func WithGrantType added in v0.17.0

func WithGrantType(grantType OIDCGrantType) CreateOIDCKubeconfigOption

WithGrantType is an option for CreateOIDCKubeconfig that sets the grant type. Valid values are "auto", "authcode", "authcode-keyboard", "password", and "device-code".

type CreateOIDCKubeconfigOptions added in v0.17.0

type CreateOIDCKubeconfigOptions struct {
	ContextName  string
	ClusterName  string
	User         string
	Host         string
	CAData       []byte
	Issuer       string
	ClientID     string
	ClientSecret string
	ExtraScopes  []string
	UsePKCE      bool
	ForceRefresh bool
	GrantType    OIDCGrantType
}
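What CreateTokenKubeconfig and CreateOIDCKubeconfig produce, as an added example that is not the package's code: a stand-alone builder that emits the two kubeconfig shapes, a static bearer-token user and an exec-plugin user that runs kubectl oidc-login, driven by a subset of the option fields listed above. The kubelogin flag names (--oidc-issuer-url, --oidc-client-id, --grant-type, --oidc-extra-scope, --oidc-use-pkce) are the plugin's documented flags; that the package maps its options onto exactly these arguments is an assumption, since the page does not show the generated file. The builder refuses to emit a kubeconfig without CA data or with a non-HTTPS server, a check of this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Kubeconfig model limited to what kubectl needs; keys follow the v1 Config
// schema. JSON is valid YAML, so kubectl loads the output unchanged.
type kubeconfig struct {
	APIVersion     string         `json:"apiVersion"`
	Kind           string         `json:"kind"`
	Clusters       []namedCluster `json:"clusters"`
	Users          []namedUser    `json:"users"`
	Contexts       []namedContext `json:"contexts"`
	CurrentContext string         `json:"current-context"`
}
type clusterInfo struct {
	Server string `json:"server"`
	CAData string `json:"certificate-authority-data"`
}
type execInfo struct {
	APIVersion string   `json:"apiVersion"`
	Command    string   `json:"command"`
	Args       []string `json:"args"`
}
type userInfo struct {
	Token string    `json:"token,omitempty"`
	Exec  *execInfo `json:"exec,omitempty"`
}
type contextInfo struct {
	Cluster string `json:"cluster"`
	User    string `json:"user"`
}
type namedCluster struct {
	Name    string      `json:"name"`
	Cluster clusterInfo `json:"cluster"`
}
type namedUser struct {
	Name string   `json:"name"`
	User userInfo `json:"user"`
}
type namedContext struct {
	Name    string      `json:"name"`
	Context contextInfo `json:"context"`
}

// oidcOptions is the subset of CreateOIDCKubeconfigOptions used here.
type oidcOptions struct {
	clusterName, contextName, grantType string
	extraScopes                         []string
	usePKCE                             bool
}

func defaultOIDCOptions() oidcOptions {
	return oidcOptions{clusterName: "cluster", contextName: "cluster", grantType: "auto"}
}

// assemble wires one cluster, user and context together. It refuses a non-HTTPS
// host and a missing CA: such a kubeconfig only works with
// insecure-skip-tls-verify, which hands the credential to an on-path attacker.
func assemble(clusterName, contextName, user, host string, caData []byte, u userInfo) ([]byte, error) {
	if !strings.HasPrefix(host, "https://") {
		return nil, errors.New("host must be an https:// URL")
	}
	if len(caData) == 0 {
		return nil, errors.New("refusing to write a kubeconfig without CA data")
	}
	cfg := kubeconfig{APIVersion: "v1", Kind: "Config", CurrentContext: contextName,
		Clusters: []namedCluster{{Name: clusterName, Cluster: clusterInfo{Server: host, CAData: base64.StdEncoding.EncodeToString(caData)}}},
		Users:    []namedUser{{Name: user, User: u}},
		Contexts: []namedContext{{Name: contextName, Context: contextInfo{Cluster: clusterName, User: user}}},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// tokenKubeconfig embeds a static bearer token, as CreateTokenKubeconfig does.
func tokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error) {
	if token == "" {
		return nil, errors.New("empty token")
	}
	return assemble("cluster", "cluster", user, host, caData, userInfo{Token: token})
}

// oidcKubeconfig delegates authentication to the oidc-login plugin through an
// exec credential entry. Flag names are kubelogin's; that the package emits
// exactly this argument list is an assumption (the page does not show it).
func oidcKubeconfig(user, host string, caData []byte, issuer, clientID string, o oidcOptions) ([]byte, error) {
	args := []string{"oidc-login", "get-token", "--oidc-issuer-url=" + issuer, "--oidc-client-id=" + clientID, "--grant-type=" + o.grantType}
	for _, s := range o.extraScopes {
		args = append(args, "--oidc-extra-scope="+s)
	}
	if o.usePKCE {
		args = append(args, "--oidc-use-pkce")
	}
	exec := &execInfo{APIVersion: "client.authentication.k8s.io/v1beta1", Command: "kubectl", Args: args}
	return assemble(o.clusterName, o.contextName, user, host, caData, userInfo{Exec: exec})
}
```

Whichever shape is written, the file carries a credential (the token itself, or a plugin invocation that can mint one), so it belongs on disk with mode 0600; WithClientSecret would add the client secret to the same exec arguments.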

type Label

type Label = pairs.Pair[string, string]

type OIDCGrantType added in v0.17.0

type OIDCGrantType string

const (
	GrantTypeAuto             OIDCGrantType = "auto"
	GrantTypeAuthCode         OIDCGrantType = "authcode"
	GrantTypeAuthCodeKeyboard OIDCGrantType = "authcode-keyboard"
	GrantTypePassword         OIDCGrantType = "password"
	GrantTypeDeviceCode       OIDCGrantType = "device-code"
)

type ResourceNotManagedError

type ResourceNotManagedError struct {
	Obj            client.Object
	ExpectedLabels []Label
}

func NewResourceNotManagedError

func NewResourceNotManagedError(obj client.Object, expectedLabels ...Label) *ResourceNotManagedError

NewResourceNotManagedError creates a new ResourceNotManagedError.

func (*ResourceNotManagedError) Error

func (e *ResourceNotManagedError) Error() string

type ServiceAccountToken

type ServiceAccountToken struct {
	Token               string
	CreationTimestamp   time.Time
	ExpirationTimestamp time.Time
}

ServiceAccountToken is a helper struct that bundles a ServiceAccount token together with its creation and expiration timestamps.

func CreateTokenForServiceAccount

func CreateTokenForServiceAccount(ctx context.Context, c client.Client, sa *corev1.ServiceAccount, desiredDuration *time.Duration) (*ServiceAccountToken, error)

CreateTokenForServiceAccount generates a token for the given ServiceAccount.

func GetTokenBasedAccess

func GetTokenBasedAccess(ctx context.Context, c client.Client, restCfg *rest.Config, name, namespace string, namespaceScoped bool, rolePrefix string, rules []rbacv1.PolicyRule, expectedLabels ...Label) ([]byte, *ServiceAccountToken, error)

GetTokenBasedAccess is a convenience function that wraps the flow of ensuring the namespace, the ServiceAccount and the (Cluster)Role and (Cluster)RoleBinding, and then creating the token. It returns a kubeconfig, the token with its expiration timestamp, and an error if any of the steps fails. The name is used for all resources except the namespace (ServiceAccount, (Cluster)Role, (Cluster)RoleBinding); anything role-related is additionally prefixed with rolePrefix. The namespace holds the ServiceAccount and, if namespaceScoped is true, the Role and RoleBinding; if namespaceScoped is false, a ClusterRole and ClusterRoleBinding are used instead. Every Ensure step applies the expectedLabels ownership check, so a pre-existing resource of the same name that does not carry these labels makes the call fail with a ResourceNotManagedError instead of being taken over.
