README
¶
pkg/client
Intention
pkg/client is a historical catch-all package for client-related concerns inside platform processes. It exists so repository-wide client behavior can be fixed once in one place, not because these responsibilities form a clean abstraction.
Today it conflates three main functions:
- Kubernetes client and scheme construction for processes that genuinely need to create their own in-cluster Kubernetes client
- HTTP client security support for internal service-to-service API traffic, including MTLS material loading and principal-propagation signing around generated API clients
- context-based client scoping for hierarchical provisioner execution as control moves from the local ArgoCD-managed layer into remote clusters
The Kubernetes side is the sanctioned constructor path when a process genuinely needs to create its own in-cluster client. If an appropriate client is already available, use that instead of constructing another one. The point is to avoid ad hoc client construction scattered across the codebase.
The HTTP side exists because generated API clients provide bindings, but not the platform's internal trust model. This package loads CA and client-certificate material from Kubernetes secrets, applies it to TLS configuration, and signs principal-bearing payloads so internal services can prove possession of the X.509 private key associated with their identity.
The context side is legacy provisioner plumbing. It carries the active provisioning scope through a call graph so descendant provisioners operate on the currently scoped cluster by default, while still allowing explicit access to the local control-plane client when a step needs to reach back to the ArgoCD-managed layer. This was practical when deeply refactoring function-signature chains was expensive, but it is not a clean boundary.
Invariants And Guard Rails
- This is an internal platform support package, not a general-purpose client library.
New()is the centralized in-cluster Kubernetes client constructor for processes that genuinely need to build their own client. Do not create Kubernetes clients ad hoc in random code paths.- If you are running inside a controller-runtime manager or controller, use the client provided there. For other processes such as APIs, monitors, or similar standalone components, use this package rather than open-coding client construction.
NewScheme()returns the repository's broad convenience scheme, not a minimal scheme. It intentionally registers Kubernetes types, Unikorn API types, fake Unikorn API types, and the local Argo shim before applying any extraSchemeAdderfunctions.- The Argo/CD-related scheme content exists for legacy compatibility with the old in-tree CD layer. New usage should not grow around it.
- The HTTP client role here is transport and authentication support around internal generated clients, not API generation.
- While this package still owns MTLS setup, it assumes certificate issuance and rotation are handled by an external system rather than by the client code itself.
- TLS trust bundles and client certificates must come from correctly shaped
kubernetes.io/tlssecrets when using the current secret-backed MTLS path. - Payload signing is part of the current internal trust model for principal propagation between services. It is not a generic invitation to invent new signed application protocols.
- Context scoping in this package controls the active provisioning target. Descendant provisioners are expected to operate on the currently scoped cluster unless they explicitly reach back to the local provisioner client.
- Context-based scoping is legacy CD-layer plumbing and should be treated as constrained internal machinery, not as a pattern to spread further.
Caveats
- The package name is misleading.
pkg/clientconflates unrelated responsibilities for legacy reasons and should be split into more intuitive packages. - A sensible split would be: Kubernetes client construction, internal HTTP client security support, and context-based provisioning scope.
- The context-based scoping model is tied to the old ArgoCD/in-tree CD layer. It is legacy machinery that should shrink with that architecture rather than spread further.
- The HTTP MTLS helper layer may become obsolete if service identity and transport concerns move out to something like SPIFFE.
New()starts the controller-runtime cache asynchronously and discards cache startup failure. Constructor success does not prove that the cache has started successfully.NewScheme()is convenience-biased rather than minimal. It includes historical and compatibility-oriented registrations so callers in services or tests tend to get something that works for this repository.- The Argo shim and other CD-layer baggage remain in lock step with this repository for compatibility, but that is legacy behavior rather than a direction to build more dependencies around.
- CA trust loading and client-certificate loading do not use identical configuration rules: CA loading only checks whether the secret name is set, while client-certificate loading requires both namespace and name. This is a current inconsistency and a potential bug if this package continues to own MTLS setup.
- Client certificate reload is lazy and handshake-triggered rather than proactive.
- Post-startup certificate reload is best-effort. If a reload fails after an earlier certificate was loaded successfully, the process keeps using the stale certificate rather than failing closed.
- Reload uses a background context, so post-construction certificate refresh is not currently time-bounded.
- The payload signing helpers are currently RSA-only. That restriction applies to message signing and verification, not to MTLS in general.
Documentation
¶
Index ¶
- func FromContext(ctx context.Context) (client.Client, error)
- func NamespaceFromContext(ctx context.Context) (string, error)
- func New(ctx context.Context, schemes ...SchemeAdder) (client.Client, error)
- func NewContext(ctx context.Context, client client.Client) context.Context
- func NewContextWithCluster(ctx context.Context, remote *ClusterContext) context.Context
- func NewContextWithNamespace(ctx context.Context, namespace string) context.Context
- func NewScheme(schemes ...SchemeAdder) (*runtime.Scheme, error)
- func TLSClientConfig(ctx context.Context, cli client.Client, options *HTTPOptions, ...) (*tls.Config, error)
- func VerifyAndDecode(data any, payload string, certificate *x509.Certificate) error
- type ClusterContext
- type HTTPClientOptions
- func (o *HTTPClientOptions) AddFlags(f *pflag.FlagSet)
- func (o *HTTPClientOptions) ApplyTLSClientConfig(ctx context.Context, cli client.Client, config *tls.Config) error
- func (o *HTTPClientOptions) EncodeAndSign(ctx context.Context, cli client.Client, data any) (string, error)
- func (o *HTTPClientOptions) SetNow(now func() time.Time)
- type HTTPOptions
- type SchemeAdder
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NamespaceFromContext ¶ added in v0.1.72
func New ¶
New returns a new controller runtime caching client, initialized with core and unikorn resources for typed operation.
func NewContext ¶ added in v1.8.0
func NewContextWithCluster ¶ added in v0.1.64
func NewContextWithCluster(ctx context.Context, remote *ClusterContext) context.Context
func NewContextWithNamespace ¶ added in v0.1.72
func NewScheme ¶
func NewScheme(schemes ...SchemeAdder) (*runtime.Scheme, error)
NewScheme returns a scheme with all types that are required by unikorn. TODO: we'd really love to include ArgoCD here, but it's dependency hell. See https://github.com/argoproj/gitops-engine/issues/56 for a never ending commentary on the underlying problem.
func TLSClientConfig ¶ added in v0.1.65
func TLSClientConfig(ctx context.Context, cli client.Client, options *HTTPOptions, clientOptions *HTTPClientOptions) (*tls.Config, error)
TLSClientConfig is a helper to create a TLS client configuration.
func VerifyAndDecode ¶ added in v1.4.0
func VerifyAndDecode(data any, payload string, certificate *x509.Certificate) error
VerifyAndDecode checks the payload's signature against the message and decodes the payload into an arbitrary data type.
Types ¶
type ClusterContext ¶ added in v0.1.64
type ClusterContext struct {
// Client is a Kubernetes client that can access resources on the remote
// cluster. This is typically used to extract Kubenetes configuration to
// chain to the next remote cluster. It is also used when some combination
// of Helm application/ArgoCD is broken and needs manual intervention.
Client client.Client
// ID is the unique remote cluster ID as cunsumed by the CD layer.
// This is only set on invocation of a remote cluster provisioner.
ID *cd.ResourceIdentifier
// Host is the Kubernetes endpoint hostname. This is only set on
// invocation of a remote cluster provisioner.
Host string
// Port is the Kubernetes endpoint port. This is only set on
// invocation of a remote cluster provisioner.
Port string
}
ClusterContext is available to all provisioners and is updated when invoked within the scope of a remote cluster provisioner. In general, you should avoid having to use this, because it implies hackery.
func ClusterFromContext ¶ added in v0.1.64
func ClusterFromContext(ctx context.Context) (*ClusterContext, error)
type HTTPClientOptions ¶ added in v0.1.65
type HTTPClientOptions struct {
// contains filtered or unexported fields
}
HTTPClientOptions allows generic options to be passed to all HTTP clients.
func (*HTTPClientOptions) AddFlags ¶ added in v0.1.65
func (o *HTTPClientOptions) AddFlags(f *pflag.FlagSet)
AddFlags adds the options to the CLI flags.
func (*HTTPClientOptions) ApplyTLSClientConfig ¶ added in v0.1.65
func (o *HTTPClientOptions) ApplyTLSClientConfig(ctx context.Context, cli client.Client, config *tls.Config) error
ApplyTLSClientConfig loads op a client certificate if one is configured and applies it to the provided TLS configuration.
func (*HTTPClientOptions) EncodeAndSign ¶ added in v1.4.0
func (o *HTTPClientOptions) EncodeAndSign(ctx context.Context, cli client.Client, data any) (string, error)
EncodeAndSign takes an arbitrary data type, encodes as JSON, generates a digest and creates a digital signature, then returns a stringified version for verifiable communication from one service to another. Confidentiality is ensured by the use of TLS.
func (*HTTPClientOptions) SetNow ¶ added in v1.16.0
func (o *HTTPClientOptions) SetNow(now func() time.Time)
SetNow overrides the clock used for inline client certificate reload checks.
type HTTPOptions ¶ added in v0.1.65
type HTTPOptions struct {
// contains filtered or unexported fields
}
HTTPOptions are generic options for HTTP clients.
func NewHTTPOptions ¶ added in v0.1.65
func NewHTTPOptions(service string) *HTTPOptions
func (*HTTPOptions) AddFlags ¶ added in v0.1.65
func (o *HTTPOptions) AddFlags(f *pflag.FlagSet)
AddFlags adds the options to the CLI flags.
func (*HTTPOptions) ApplyTLSConfig ¶ added in v0.1.65
func (o *HTTPOptions) ApplyTLSConfig(ctx context.Context, cli client.Client, config *tls.Config) error
ApplyTLSConfig adds CA certificates to the TLS configuration if one is specified.
func (*HTTPOptions) Host ¶ added in v0.1.65
func (o *HTTPOptions) Host() string
type SchemeAdder ¶
SchemeAdder allows custom resources to be added to the scheme.
Source Files