Documentation
Overview
Package adminclient constructs the CLI's gRPC client to the control plane's AdminService. It composes auth primitives (mTLS material + signed JWT assertions) with CP-specific network topology (127.0.0.1:adminPort target, Hydra token endpoint, ServerName).
Auth primitives live in internal/auth — this package owns the wiring that turns those primitives into a working AdminServiceClient.
Functions
func Dial
func Dial(ctx context.Context, adminPort, hydraPort int, opts ...grpc.DialOption) (adminv1.AdminServiceClient, *grpc.ClientConn, error)
Dial connects to the CP's gRPC AdminService with mTLS + OAuth2.
- Load signing key + CA cert + client cert from auth material
- Build TLS config trusting the CLI CA
- Create a tokenSource that auto-refreshes via Hydra /oauth2/token
- Dial gRPC with mTLS + auto-refreshing bearer token in metadata
Callers may pass additional grpc.DialOption values (e.g. keepalive, observability interceptors via grpc.WithChainUnaryInterceptor). The auth/TLS baseline is appended last:
- WithTransportCredentials: single-slot, last-wins — baseline mTLS cannot be disabled by caller intent.
- Auth bearer-token interceptor: registered via grpc.WithChainUnaryInterceptor so it composes additively with caller chain interceptors; a caller's own grpc.WithUnaryInterceptor (if any) is prepended by grpc-go as the outermost wrapper.
Do NOT pass grpc.WithUnaryInterceptor — grpc-go stores it in a single field with last-wins semantics, so your interceptor will be silently dropped (baseline auth wins). Use grpc.WithChainUnaryInterceptor.
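The option ordering described above, as an added example that is not the package's own code: a standard-library-only model of grpc-go's single-slot transport credentials and appended chain interceptors. Every type and function name, the credential labels and the token string are constructed stand-ins, and the model assumes the bearer interceptor attaches the token to the call it passes down.

```go
package main

import "fmt"

// Stand-in types modelling grpc-go dial options; this is not the real library.
type call struct{ auth string } // passed by value, like a derived context
type invoker func(c call) []string
type interceptor func(c call, next invoker) []string
type dialOptions struct {
	creds string        // single slot: the last option to set it wins
	chain []interceptor // chained interceptors accumulate in order
}
type dialOption func(*dialOptions)

func withTransportCredentials(c string) dialOption { return func(o *dialOptions) { o.creds = c } }
func withChainUnaryInterceptor(is ...interceptor) dialOption {
	return func(o *dialOptions) { o.chain = append(o.chain, is...) }
}

// dial applies caller options first and the auth/TLS baseline last.
func dial(callerOpts ...dialOption) dialOptions {
	bearer := func(c call, next invoker) []string {
		return next(call{auth: "Bearer <token>"}) // constructed placeholder, not a real token
	}
	var o dialOptions
	for _, opt := range append(append([]dialOption{}, callerOpts...),
		withTransportCredentials("mtls"), withChainUnaryInterceptor(bearer)) {
		opt(&o)
	}
	return o
}

// invoke runs the chain outermost-first and reports what each stage observed.
func invoke(o dialOptions) []string {
	next := invoker(func(c call) []string { return []string{"wire: creds=" + o.creds + " auth=" + c.auth} })
	for i := len(o.chain) - 1; i >= 0; i-- {
		ic, inner := o.chain[i], next
		next = func(c call) []string { return ic(c, inner) }
	}
	return next(call{})
}

// callerLogger is a hypothetical caller-supplied observability interceptor.
func callerLogger(c call, next invoker) []string {
	return append([]string{"caller: auth=" + c.auth}, next(c)...)
}

func main() {
	fmt.Println(invoke(dial(withTransportCredentials("insecure"), withChainUnaryInterceptor(callerLogger))))
}
```

In this model the caller's credentials option is overwritten by the baseline, and the caller's chained interceptor runs before the bearer interceptor, so it does not observe the token.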