controller

package
v0.56.0
Warning

This package is not in the latest version of its module.

Published: May 1, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var SyncMaxRetries = 6

SyncMaxRetries is the maximum number of ClusterSync poll attempts.

var SyncPollInterval = 5 * time.Second

SyncPollInterval is the delay between ClusterSync status checks.

Functions

func RotateSecret

func RotateSecret(ctx context.Context, input *RotateSecretInput) error

RotateSecret performs the IAM credential rotation workflow:

  1. Validates the Account CR (it must not be an STS account and must carry the iamUserId label)
  2. Resolves the osdManagedAdmin username
  3. Verifies rotation permissions via SimulatePrincipalPolicy
  4. Creates a new IAM access key
  5. Updates k8s secrets on hive
  6. Creates a SyncSet to push credentials to the cluster
  7. Polls ClusterSync for completion and cleans up the SyncSet
  8. Optionally rotates osdCcsAdmin credentials

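The SyncMaxRetries and SyncPollInterval variables above bound step 7 of the workflow: the rotation must wait for hive to push the new credentials before the SyncSet is removed, but it must not wait forever. The following is an added example of such a bounded poll loop (not code from the controller package; SyncState, CheckFunc, WaitForSyncSet and the Scripted test double are assumptions introduced here, and the two package variables are re-declared with the documented values so the example compiles stand-alone). It keeps polling through transient read errors, stops early on a reported failure or a cancelled context, and returns ErrSyncTimeout once the retry budget is spent so the caller still knows to clean up the SyncSet.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Re-declared with the values the controller package documents, so this
// example compiles without importing it.
var (
	SyncMaxRetries   = 6
	SyncPollInterval = 5 * time.Second
)

// SyncState is a simplified view of what one ClusterSync status check reports
// for the rotation SyncSet (assumed for this example; hive's status is richer).
type SyncState int

const (
	SyncPending SyncState = iota
	SyncSucceeded
	SyncFailed
)

// ErrSyncTimeout is returned when the SyncSet is still not applied after the retry budget.
var ErrSyncTimeout = errors.New("clustersync: syncset not applied within retry budget")

// ErrSyncFailed is returned when the status check reports the SyncSet failed to apply.
var ErrSyncFailed = errors.New("clustersync: syncset failed to apply")

// CheckFunc reads the ClusterSync and reports the SyncSet's state. A real
// implementation would fetch the CR from hive; it is injected here so the
// loop can be exercised offline.
type CheckFunc func(ctx context.Context) (SyncState, error)

// WaitForSyncSet calls check at most maxRetries times, sleeping interval
// between calls, and returns the number of attempts used. A transient read
// error consumes an attempt but does not abort the loop; a failed SyncSet or
// a cancelled ctx returns immediately so the caller can clean up.
func WaitForSyncSet(ctx context.Context, check CheckFunc, maxRetries int, interval time.Duration) (int, error) {
	var lastErr error
	for attempt := 1; attempt <= maxRetries; attempt++ {
		state, err := check(ctx)
		switch {
		case err != nil:
			lastErr = err
		case state == SyncSucceeded:
			return attempt, nil
		case state == SyncFailed:
			return attempt, ErrSyncFailed
		}
		if attempt == maxRetries {
			break // budget spent; do not sleep one more interval for nothing
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(interval):
		}
	}
	if lastErr != nil {
		return maxRetries, fmt.Errorf("%w (last read error: %v)", ErrSyncTimeout, lastErr)
	}
	return maxRetries, ErrSyncTimeout
}

// Result is one scripted answer for Scripted below.
type Result struct {
	State SyncState
	Err   error
}

// Scripted returns a CheckFunc that replays results in order and repeats the
// last one once the script is exhausted (constructed test double, not hive).
func Scripted(results []Result) CheckFunc {
	i := 0
	return func(ctx context.Context) (SyncState, error) {
		r := results[i]
		if i < len(results)-1 {
			i++
		}
		return r.State, r.Err
	}
}

func main() {
	// Constructed scenario: one transient hive read error, one pending poll, then success.
	script := []Result{{Err: errors.New("connection reset")}, {State: SyncPending}, {State: SyncSucceeded}}
	attempts, err := WaitForSyncSet(context.Background(), Scripted(script), SyncMaxRetries, 10*time.Millisecond)
	fmt.Printf("attempts=%d err=%v (production interval is %s)\n", attempts, err, SyncPollInterval)
}
```

Whatever the loop returns, the SyncSet cleanup in step 7 belongs in a deferred call made right after the SyncSet is created; otherwise a timeout or a cancelled context leaves a stale SyncSet on hive that keeps re-applying the credentials.
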
func VerifyRotationPermissions

func VerifyRotationPermissions(out io.Writer, awsClient awsprovider.Client, accountID string, username string) error

VerifyRotationPermissions checks whether the assumed role has the IAM permissions needed to perform secret rotation, by simulating the required actions with SimulatePrincipalPolicy.

Types

type InsufficientPermissionsError

type InsufficientPermissionsError struct {
	DeniedActions []string
}

InsufficientPermissionsError is returned when SimulatePrincipalPolicy reports that one or more required IAM actions are denied.

func (*InsufficientPermissionsError) Error

func (e *InsufficientPermissionsError) Error() string
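
VerifyRotationPermissions and InsufficientPermissionsError together implement a pre-flight check: simulate the actions the rotation needs and refuse to start if any is denied, rather than discovering the denial after a new access key has already been created. The following is an added example of how such a check should interpret SimulatePrincipalPolicy results (not the controller's code; EvaluationResult is a cut-down local stand-in for the SDK's result entries, RequiredRotationActions is an assumed action list, CheckSimulation is a hypothetical helper and the Error text is an assumption). The point it demonstrates is failing closed: only an explicit "allowed" decision counts, implicitDeny is as fatal as explicitDeny, and an action the response never mentions is treated as denied.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// InsufficientPermissionsError mirrors the controller package's type so the
// example compiles stand-alone; the message format is an assumption.
type InsufficientPermissionsError struct {
	DeniedActions []string
}

func (e *InsufficientPermissionsError) Error() string {
	return fmt.Sprintf("insufficient permissions for rotation: %s", strings.Join(e.DeniedActions, ", "))
}

// EvaluationResult is a cut-down stand-in for the entries SimulatePrincipalPolicy
// returns (the SDK type carries these two fields plus matched statements and
// per-resource detail), defined locally so the example needs no AWS SDK.
type EvaluationResult struct {
	EvalActionName string
	EvalDecision   string // "allowed", "explicitDeny" or "implicitDeny"
}

// RequiredRotationActions is an assumed list for this example; the controller
// simulates whatever set it actually needs.
var RequiredRotationActions = []string{
	"iam:CreateAccessKey",
	"iam:DeleteAccessKey",
	"iam:ListAccessKeys",
}

// CheckSimulation fails closed. A required action is denied if any result
// for it is something other than "allowed" (the simulator may emit one entry
// per resource), or if the response contains no entry for it at all, which
// is what a caller sees when it stops at a truncated page.
func CheckSimulation(required []string, results []EvaluationResult) error {
	seen := make(map[string]bool, len(results))
	deniedSeen := make(map[string]bool)
	for _, r := range results {
		seen[r.EvalActionName] = true
		if r.EvalDecision != "allowed" {
			deniedSeen[r.EvalActionName] = true
		}
	}
	var denied []string
	for _, action := range required {
		if !seen[action] || deniedSeen[action] {
			denied = append(denied, action)
		}
	}
	if len(denied) == 0 {
		return nil
	}
	sort.Strings(denied)
	return &InsufficientPermissionsError{DeniedActions: denied}
}

func main() {
	// Constructed simulation output: the role may create keys, is implicitly
	// denied deleting them, and the response says nothing about ListAccessKeys.
	results := []EvaluationResult{
		{EvalActionName: "iam:CreateAccessKey", EvalDecision: "allowed"},
		{EvalActionName: "iam:DeleteAccessKey", EvalDecision: "implicitDeny"},
	}
	err := CheckSimulation(RequiredRotationActions, results)
	var ipe *InsufficientPermissionsError
	if errors.As(err, &ipe) {
		fmt.Println("refusing to rotate:", ipe.DeniedActions)
	}
}
```

When wiring this to the real API, page through the response (SimulatePrincipalPolicy sets IsTruncated and Marker) before evaluating, and remember that the simulation only answers for the principal and context you pass it; the call itself needs iam:SimulatePrincipalPolicy on the assumed role.
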

type RotateSecretInput

type RotateSecretInput struct {
	// AccountCRName is the name of the Account CR.
	AccountCRName string

	// Account is the pre-fetched Account CR.
	Account *awsv1alpha1.Account

	// OsdManagedAdminUsername is an explicit admin username override.
	// If empty, it is derived from the Account CR's iamUserId label.
	OsdManagedAdminUsername string

	// UpdateCcsCreds controls whether osdCcsAdmin credentials are also rotated.
	UpdateCcsCreds bool

	// AwsClient is the fully-authenticated AWS client with permissions in the
	// target AWS account (after all role chaining has been completed).
	AwsClient awsprovider.Client

	// HiveKubeClient is the k8s client connected to the hive cluster.
	HiveKubeClient client.Client

	// ManagedClusterClient is the k8s client connected to the managed cluster
	// (via backplane using the target OCM environment). Used to delete
	// CredentialRequests so CCO recreates them with the new credentials.
	ManagedClusterClient client.Client

	// DryRun, when true, prints what actions would be taken without performing
	// any mutating operations (no AWS key creation/deletion, no k8s resource
	// creation/deletion/updates).
	DryRun bool

	// Out is the writer for informational output.
	Out io.Writer
}

RotateSecretInput holds all resolved dependencies for secret rotation. The CLI layer is responsible for resolving AWS and k8s clients before calling RotateSecret.
