package client

v1.16.1 (not the latest version of this module)

Published: May 7, 2026 License: Apache-2.0 Imports: 19 Imported by: 22

README

Client

Purpose

This package is the identity-specific realization of the generic client machinery in core/pkg/client.

Its main job is to construct outbound identity API clients that obey the same internal trust model that identity enforces on inbound requests in pkg/middleware/openapi.

In practice that means:

  • building generated OpenAPI clients for the identity API
  • applying the internal service-to-service transport model
  • propagating distributed trace context
  • propagating delegated principal context in the form expected by the identity middleware stack
  • exposing a few higher-level helpers for identity-specific lifecycle coordination

This is not a general client abstraction and it is not the main place where Kubernetes client construction is documented. The Kubernetes/TLS foundations come from core/pkg/client. This package turns those foundations into concrete identity API callers.

Main Components

BaseClient

BaseClient wraps:

  • a Kubernetes client
  • identity HTTP endpoint options
  • optional HTTP client certificate configuration

It uses the shared TLS configuration support from core/pkg/client to construct an http.Client suitable for calling the identity API.

APIClient

APIClient(...) is the normal service-to-service path.

It constructs a generated identity API client from pkg/openapi and applies request mutators for:

  • W3C trace-context propagation
  • service-to-service transport identity handling
  • principal propagation from the current request context via pkg/principal

This is the outbound counterpart to the inbound normalization performed by pkg/middleware/openapi.

ControllerClient

ControllerClient(...) is the controller/provisioner path.

Instead of assuming an active request principal is already present in context, it reconstructs the principal from a Kubernetes resource and applies it to the outbound request using pkg/principal.

This is what allows controller-style workflows to participate in the same delegated identity model as API-originated calls.
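To make the two principal sources concrete, here is an added example, not code from this package or its project, of the request-mutator chain that the two constructors apply. It uses only the Go standard library. The header names traceparent and X-Identity-Principal, the annotation key identity.example.com/principal, the Resource stand-in for metav1.Object and the two NewContextWith... helpers are assumptions made for the example, not names taken from pkg/principal or pkg/middleware/openapi.

```go
package main

import (
	"context"
	"crypto/rand"
	"fmt"
	"net/http"
)

// Header and annotation names are assumptions for this example; the real
// identity middleware and pkg/principal define their own.
const (
	traceParentHeader   = "traceparent"
	principalHeader     = "X-Identity-Principal"
	principalAnnotation = "identity.example.com/principal"
)

// RequestMutator matches the request-editor signature a Builder takes via WithRequestEditorFn.
type RequestMutator func(ctx context.Context, req *http.Request) error

type traceKey struct{}
type principalKey struct{}

// The two helpers below stand in for the inbound middleware that parses the
// traceparent and the delegated principal out of an incoming request.
func NewContextWithTraceParent(ctx context.Context, tp string) context.Context {
	return context.WithValue(ctx, traceKey{}, tp)
}

func NewContextWithPrincipal(ctx context.Context, p string) context.Context {
	return context.WithValue(ctx, principalKey{}, p)
}

// TraceContextMutator propagates the W3C traceparent found in ctx, or starts a
// fresh trace so an outbound call is never untraced.
func TraceContextMutator(ctx context.Context, req *http.Request) error {
	tp, ok := ctx.Value(traceKey{}).(string)
	if !ok {
		var b [24]byte // 16-byte trace-id followed by 8-byte parent-id
		if _, err := rand.Read(b[:]); err != nil {
			return err
		}
		tp = fmt.Sprintf("00-%x-%x-01", b[:16], b[16:])
	}
	req.Header.Set(traceParentHeader, tp)
	return nil
}

// PrincipalFromContextMutator is the API-to-API path: the delegated principal
// must already be in ctx; its absence is an error, not an anonymous call.
func PrincipalFromContextMutator(ctx context.Context, req *http.Request) error {
	p, ok := ctx.Value(principalKey{}).(string)
	if !ok || p == "" {
		return fmt.Errorf("no delegated principal in request context")
	}
	req.Header.Set(principalHeader, p)
	return nil
}

// Resource is a minimal stand-in for metav1.Object; only annotations matter here.
type Resource struct {
	Annotations map[string]string
}

// PrincipalFromResourceMutator is the controller path: the principal is
// reconstructed from durable resource metadata instead of a live request.
func PrincipalFromResourceMutator(resource Resource) RequestMutator {
	return func(ctx context.Context, req *http.Request) error {
		p := resource.Annotations[principalAnnotation]
		if p == "" {
			return fmt.Errorf("resource has no %q annotation", principalAnnotation)
		}
		req.Header.Set(principalHeader, p)
		return nil
	}
}

// NewOutboundRequest builds a GET and runs every mutator in order, failing closed
// on the first error so a half-decorated request never leaves the process.
func NewOutboundRequest(ctx context.Context, url string, mutators ...RequestMutator) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	for _, m := range mutators {
		if err := m(ctx, req); err != nil {
			return nil, err
		}
	}
	return req, nil
}

func main() {
	ctx := NewContextWithPrincipal(context.Background(), "user:alice")
	req, err := NewOutboundRequest(ctx, "https://identity.example/api/v1/projects", TraceContextMutator, PrincipalFromContextMutator)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Header)
}
```

Both paths end in the same header, which is the point: the receiving middleware sees one principal format regardless of where the call originated. Failing closed matters for the drift caveat below: a mutator that cannot find its principal aborts the request here, instead of sending a call that the transport accepts but the identity API treats as anonymous.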

References

References is not just a convenience wrapper.

It provides idempotent add/remove operations for project dependency references over the identity API, keyed from the shared resource-reference model in core/pkg/manager.

That matters for lifecycle coordination because it gives other services a way to block project deletion without requiring prior knowledge of the project namespace. A project can remain undeletable while logical dependants still hold registered references.

This is an important forward-looking deletion mechanism because it is based on explicit dependency registration rather than only namespace-local descendant discovery.

Allocations

Allocations wraps the identity quota/allocation API used by API handlers and controller-style resource lifecycles.

It exists so allocation create/update/delete flows are retriable and can be made idempotent from the caller side, reducing unnecessary user-visible errors during normal reconcile or teardown retries.

It is closely related to:

The current implementation still carries transitional debt: it persists the returned allocation ID back onto the owning resource via annotation rather than keying directly on the shared resource reference.
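As an added example, not code from this package, the following models the caller-side idempotency that both References and Allocations are meant to provide, using only the Go standard library. The route /projects/{project}/references/{kind.namespace.name}, the status-code mapping (409 on add and 404 on remove treated as success), the in-memory fake identity API and the Retry loop are all assumptions for illustration; the real identity API's routes and responses are not documented on this page.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ResourceReference stands in for the shared resource-reference model in core/pkg/manager.
type ResourceReference struct{ Kind, Namespace, Name string }

// References registers and unregisters project dependency references. The
// route shape and status-code mapping are assumptions for this example.
type References struct {
	client  *http.Client
	baseURL string
}

func (r *References) AddReferenceToProject(ctx context.Context, project string, ref ResourceReference) error {
	return r.do(ctx, http.MethodPut, project, ref)
}

func (r *References) RemoveReferenceFromProject(ctx context.Context, project string, ref ResourceReference) error {
	return r.do(ctx, http.MethodDelete, project, ref)
}

// do makes one call and maps the answer to the caller's intent: a PUT answered
// 409 (already registered) and a DELETE answered 404 (already gone) are success,
// because the desired end state holds either way. Anything else is an error the
// caller, typically a reconcile loop, can retry without side effects.
func (r *References) do(ctx context.Context, method, project string, ref ResourceReference) error {
	url := fmt.Sprintf("%s/projects/%s/references/%s.%s.%s", r.baseURL, project, ref.Kind, ref.Namespace, ref.Name)
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err != nil {
		return err
	}
	resp, err := r.client.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	switch {
	case resp.StatusCode < 300,
		method == http.MethodPut && resp.StatusCode == http.StatusConflict,
		method == http.MethodDelete && resp.StatusCode == http.StatusNotFound:
		return nil
	}
	return fmt.Errorf("%s %s: %s", method, url, resp.Status)
}

// Retry is the caller-side loop: call again until success or attempts run out.
func Retry(attempts int, f func() error) (err error) {
	for i := 0; i < attempts; i++ {
		if err = f(); err == nil {
			return nil
		}
	}
	return err
}

// NewFakeIdentityAPI is an in-memory stand-in for the reference endpoints, for
// sequential callers only. It answers the very first request with 503 so the
// retry path is exercised; the returned func reports how many references exist.
func NewFakeIdentityAPI() (http.Handler, func() int) {
	refs, flaky := map[string]bool{}, true
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch present := refs[r.URL.Path]; {
		case flaky:
			flaky = false
			w.WriteHeader(http.StatusServiceUnavailable)
		case r.Method == http.MethodPut && present:
			w.WriteHeader(http.StatusConflict)
		case r.Method == http.MethodPut:
			refs[r.URL.Path] = true
			w.WriteHeader(http.StatusCreated)
		case r.Method == http.MethodDelete && !present:
			w.WriteHeader(http.StatusNotFound)
		default: // DELETE of a registered reference
			delete(refs, r.URL.Path)
			w.WriteHeader(http.StatusNoContent)
		}
	})
	return h, func() int { return len(refs) }
}

// Demo adds one reference twice and removes it twice through the flaky fake API,
// as convergence and teardown retries would, and returns the registered count
// after each phase. Every call reports success.
func Demo() (afterAdd, afterRemove int, err error) {
	h, count := NewFakeIdentityAPI()
	srv := httptest.NewServer(h)
	defer srv.Close()
	refs := &References{client: srv.Client(), baseURL: srv.URL}
	ref := ResourceReference{Kind: "Cluster", Namespace: "tenant-a", Name: "prod"}
	add := func() error { return refs.AddReferenceToProject(context.Background(), "proj-1", ref) }
	remove := func() error { return refs.RemoveReferenceFromProject(context.Background(), "proj-1", ref) }
	for i := 0; i < 2 && err == nil; i++ {
		err = Retry(3, add) // 503 then 201 on the first call; a no-op 409 on the second
	}
	afterAdd = count()
	for i := 0; i < 2 && err == nil; i++ {
		err = Retry(3, remove) // 204 on the first call; a no-op 404 on the second
	}
	return afterAdd, count(), err
}

func main() { fmt.Println(Demo()) }
```

The key is derived from the resource reference alone, so a repeated add after a crash, or a remove during teardown of something already gone, converges to the same state without the caller having to remember whether an earlier attempt landed. Allocations cannot do this yet because it keys on an allocation ID that only exists after the first successful create, which is the transitional debt noted above.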

Invariants And Guard Rails

  • This package is the outbound realization of identity's internal trust model, not a general-purpose API client wrapper.
  • Outbound identity API calls are expected to propagate trace context.
  • Service-to-service identity calls are expected to propagate delegated principal information in the form consumed by pkg/middleware/openapi.
  • Controller-originated calls should reconstruct principal context from durable resource metadata rather than assuming a live request principal exists.
  • References and Allocations should be safe to retry during convergence and teardown flows.
  • The shared resource-reference model from core/pkg/manager is the correct durable identity for cross-service resource dependency tracking.

Caveats

  • The package name is broader than the real responsibility. The important part here is identity API client construction and identity-specific lifecycle helpers.
  • context.go contains older static/dynamic Kubernetes-client scoping helpers. That is local legacy machinery, not the center of this package's design.
  • Allocations still relies on an allocation ID annotation on the owning resource. The better long-term model is to key allocations directly by the shared resource reference.
  • If request mutators drift from the expectations enforced by pkg/middleware/openapi, service-to-service trust semantics can break in subtle ways even though transport-level calls still succeed.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func APIClient added in v1.4.0

func APIClient[T any](ctx context.Context, base *BaseClient, builder Builder[T]) (*T, error)

APIClient returns a new OpenAPI client that can be used to access the API from another API.

func CertificateRequestMutator added in v1.4.0

func CertificateRequestMutator(ctx context.Context, req *http.Request) error

CertificateRequestMutator sets the client certificate header when bound to an access token.

func ControllerClient added in v1.4.0

func ControllerClient[T any](ctx context.Context, base *BaseClient, builder Builder[T], resource metav1.Object) (*T, error)

ControllerClient returns a new OpenAPI client that can be used to access the API from another controller. It requires a resource that stores the identity principal information.

func DynamicClientFromContext

func DynamicClientFromContext(ctx context.Context) client.Client

func NewContextWithDynamicClient

func NewContextWithDynamicClient(ctx context.Context, client client.Client) context.Context

func NewContextWithStaticClient

func NewContextWithStaticClient(ctx context.Context, client client.Client) context.Context

func StaticClientFromContext

func StaticClientFromContext(ctx context.Context) client.Client

func TraceContextRequestMutator added in v1.4.0

func TraceContextRequestMutator(ctx context.Context, req *http.Request) error

TraceContextRequestMutator sets the w3c trace context header for distributed tracing.

Types

type AccessTokenGetter added in v0.2.44

type AccessTokenGetter interface {
	Get(ctx context.Context) (string, error)
}

AccessTokenGetter provides an interface to retrieve an access token.

type Allocations added in v1.10.0

type Allocations struct {
	// contains filtered or unexported fields
}

Allocations wraps up quota allocation management. This is specific to API handlers only.

func NewAllocations added in v1.10.0

func NewAllocations(client client.Client, api openapi.ClientWithResponsesInterface) *Allocations

func (*Allocations) Create added in v1.10.0

func (r *Allocations) Create(ctx context.Context, resource client.Object, allocations openapi.ResourceAllocationList) error

Create accepts a resource kind, creates an allocation for it with the requested set of resources, and patches the allocation ID into the resource for tracking. TODO: could we not just use the resource reference as key, rather than messing with IDs?

func (*Allocations) Delete added in v1.10.0

func (r *Allocations) Delete(ctx context.Context, resource client.Object) error

Delete deletes the allocation.

func (*Allocations) Update added in v1.10.0

func (r *Allocations) Update(ctx context.Context, resource client.Object, allocations openapi.ResourceAllocationList) error

Update updates an existing allocation, typically for scaling operations.

type BaseClient added in v1.4.0

type BaseClient struct {
	// contains filtered or unexported fields
}

BaseClient wraps up the raw OpenAPI client with TLS and TLS client options, so that they can be used by any service provider's API or controllers.

func NewBaseClient added in v1.4.0

func NewBaseClient(client client.Client, options *Options, clientOptions *coreclient.HTTPClientOptions) *BaseClient

NewBaseClient creates a new client.

func (*BaseClient) HTTPClient added in v1.4.0

func (c *BaseClient) HTTPClient(ctx context.Context) (*http.Client, error)

HTTPClient returns a new http client that will handle TLS and mTLS only.

type Builder added in v1.4.0

type Builder[T any] interface {
	WithHTTPClient(client *http.Client)
	WithRequestEditorFn(fn func(context.Context, *http.Request) error)
	Client(hostname string) (*T, error)
}

type Client added in v0.2.7

type Client struct {
	// contains filtered or unexported fields
}

Client wraps up the raw OpenAPI client with things to make it usable e.g. authorization and TLS.

func New

func New(client client.Client, options *Options, clientOptions *coreclient.HTTPClientOptions) *Client

New creates a new client.

func (*Client) APIClient added in v1.4.0

func (c *Client) APIClient(ctx context.Context) (*openapi.ClientWithResponses, error)

APIClient returns a new OpenAPI client that can be used to access the Identity API from another service provider's API.

func (*Client) ControllerClient added in v1.9.0

func (c *Client) ControllerClient(ctx context.Context, resource metav1.Object) (*openapi.ClientWithResponses, error)

ControllerClient returns a new OpenAPI client that can be used to access the API from another controller. It requires a resource that stores the identity principal information.

func (*Client) HTTPClient added in v0.2.30

func (c *Client) HTTPClient(ctx context.Context) (*http.Client, error)

HTTPClient returns a new http client that will handle TLS and mTLS only.

type Options added in v0.2.8

type Options = coreclient.HTTPOptions

func NewOptions added in v0.2.30

func NewOptions() *Options

NewOptions must be used to create options for consistency.

type References added in v1.9.0

type References struct {
	// contains filtered or unexported fields
}

References allows references to be added and removed on identity resources from remote services.

func NewReferences added in v1.9.0

func NewReferences(serviceDescriptor util.ServiceDescriptor, serverOptions *coreclient.HTTPOptions, clientOptions *coreclient.HTTPClientOptions) *References

func (*References) AddReferenceToProject added in v1.9.0

func (r *References) AddReferenceToProject(ctx context.Context, resource client.Object) error

func (*References) RemoveReferenceFromProject added in v1.9.0

func (r *References) RemoveReferenceFromProject(ctx context.Context, resource client.Object) error
