clusterauth

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 3, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package clusterauth coordinates cluster OIDC login, refresh, and token persistence.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Login 

func Login(ctx context.Context, c *config.Config, opts Options) (config.AuthMetadata, oidc.Tokens, error)

Login performs the OIDC login flow against opts.Cluster and persists the resulting tokens (metadata to the config file, secrets to the OS keyring). It does not touch kubectl; command handlers configure kubectl separately.

func Logout 

func Logout(c *config.Config, stdout io.Writer, clusterID string, local bool) error

Logout clears cached auth state and matching kubectl access for a cluster.

func LogoutLocal 

func LogoutLocal(stdout io.Writer, clusterID string) error

LogoutLocal clears cached auth state and kubectl access for a local cluster.

func NewOIDCHTTPClient 

func NewOIDCHTTPClient(c *config.Config, cluster *clusterconfig.ClusterConfig) (*http.Client, error)

NewOIDCHTTPClient returns an *http.Client suitable for talking to cluster's OIDC issuer. It resolves cluster.Cluster.OIDC.CACert (inline PEM / URL / file path) via c.ResolveCACert("oidc-ca", spec) and trusts that CA in addition to the system roots. Callers that want a different transport (e.g. tests with a mock) can build their own *http.Client and pass it directly to Login or Refresh via Options.HTTPClient.

func Refresh 

func Refresh(ctx context.Context, c *config.Config, opts Options, meta config.AuthMetadata, refreshToken string) (oidc.Tokens, error)

Refresh exchanges refreshToken for fresh tokens against opts.Cluster's issuer, persists the result against meta, and returns the new tokens. Used by the kubectl-auth hook before falling back to a full Login.

func ResolveToken 

func ResolveToken(c *config.Config, clusterID, sub string) (string, error)

ResolveToken implements the kubectl auth hook token waterfall: cached token, refresh token, then fresh login.

Types

type Options 

type Options struct {
	Cluster      *clusterconfig.ClusterConfig
	HTTPClient   *http.Client
	CallbackPort int
	Headless     bool
}

Options configures a single Login or Refresh call. The caller supplies an HTTP client already configured to trust the issuer's CA (clusterauth doesn't do TLS plumbing).

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.