auth package - github.com/fluxcd/pkg/auth - Go Packages

auth is a package for handling short-lived credentials.


const (
	ControllerFlagDefaultServiceAccount = "default-service-account"

	ControllerFlagDefaultKubeConfigServiceAccount = "default-kubeconfig-service-account"

	ControllerFlagDefaultDecryptionServiceAccount = "default-decryption-service-account"
)


const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

FeatureGateObjectLevelWorkloadIdentity is a feature gate that enables the use of object-level workload identity for authentication.


var ErrDefaultServiceAccountNotFound = fmt.Errorf("the specified default service account does not exist in the object namespace. your cluster is subject to multi-tenant workload identity lockdown, reach out to your cluster administrator for help")

ErrDefaultServiceAccountNotFound is returned when a default service account configured by the operator is not found in the user's namespace.


var ErrInconsistentObjectLevelConfiguration = fmt.Errorf(
	"cannot set default service accounts when the feature gate %s is not enabled",
	FeatureGateObjectLevelWorkloadIdentity)

ErrInconsistentObjectLevelConfiguration is used when the controller has an inconsistent object-level workload identity configuration, i.e. one of the default service accounts is configured while the feature gate is not enabled.

ErrObjectLevelWorkloadIdentityNotEnabled is returned when object-level workload identity is attempted but not enabled.

func DisableObjectLevelWorkloadIdentity()

DisableObjectLevelWorkloadIdentity disables the use of object-level workload identity for authentication.

func EnableObjectLevelWorkloadIdentity()

EnableObjectLevelWorkloadIdentity enables the use of object-level workload identity for authentication.

func GetDefaultDecryptionServiceAccount() string

GetDefaultDecryptionServiceAccount returns the default decryption service account name.

func GetDefaultKubeConfigServiceAccount() string

GetDefaultKubeConfigServiceAccount returns the default kubeconfig service account name.

func GetDefaultServiceAccount() string

GetDefaultServiceAccount returns the default service account name for workload identity.

GetRegistryFromArtifactRepository returns the registry from the artifact repository.

func InconsistentObjectLevelConfiguration() bool

InconsistentObjectLevelConfiguration checks if the controller's object-level workload identity configuration is inconsistent.

func IsObjectLevelWorkloadIdentityEnabled() bool

IsObjectLevelWorkloadIdentityEnabled returns true if the object-level workload identity feature gate is enabled.

ParseClusterAddress parses the given cluster address and returns the canonical form https://<lowercase(host)>:<port>.

func SetDefaultDecryptionServiceAccount(sa string)

SetDefaultDecryptionServiceAccount sets the default decryption service account name.

func SetDefaultKubeConfigServiceAccount(sa string)

SetDefaultKubeConfigServiceAccount sets the default kubeconfig service account name.

func SetDefaultServiceAccount(sa string)

SetDefaultServiceAccount sets the default service account name for workload identity.

SetFeatureGates sets the default values for the feature gates.
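As an added example (not the package's own code), the following Go program models how the feature gate, the operator-set default service account and the errors documented above interact for a tenant object. The Controller type, its serviceAccounts lookup map (standing in for an API-server query), ResolveServiceAccount and the rule that an empty result means "use the controller's own identity" are assumptions of this example; the error and gate names are reused from the package only so the model reads like the API.

```go
package main

import (
	"errors"
	"fmt"
)

// FeatureGateObjectLevelWorkloadIdentity mirrors the gate documented on this page.
const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"

var (
	ErrInconsistentObjectLevelConfiguration = fmt.Errorf(
		"cannot set default service accounts when the feature gate %s is not enabled",
		FeatureGateObjectLevelWorkloadIdentity)
	ErrObjectLevelWorkloadIdentityNotEnabled = errors.New("object-level workload identity is not enabled")
	ErrDefaultServiceAccountNotFound         = errors.New("the specified default service account does not exist in the object namespace")
)

// Controller holds the hypothetical controller-wide state this example needs:
// the feature gate, the operator-set default ServiceAccount, and a stand-in
// for the API-server lookup of ServiceAccounts (namespace -> names).
type Controller struct {
	ObjectLevelWorkloadIdentityEnabled bool
	DefaultServiceAccount              string
	serviceAccounts                    map[string]map[string]bool
}

// InconsistentObjectLevelConfiguration is true when a default was configured
// while the feature gate is off, the case ErrInconsistentObjectLevelConfiguration covers.
func (c *Controller) InconsistentObjectLevelConfiguration() bool {
	return !c.ObjectLevelWorkloadIdentityEnabled && c.DefaultServiceAccount != ""
}

// ResolveServiceAccount returns the ServiceAccount name (in namespace ns) that
// an object in ns authenticates as. objectSA is the name set on the object,
// empty if none. An empty result with nil error means "use the controller's
// own identity" (an assumption of this example, not stated on the page).
func (c *Controller) ResolveServiceAccount(ns, objectSA string) (string, error) {
	if c.InconsistentObjectLevelConfiguration() {
		return "", ErrInconsistentObjectLevelConfiguration
	}
	if objectSA != "" {
		if !c.ObjectLevelWorkloadIdentityEnabled {
			return "", ErrObjectLevelWorkloadIdentityNotEnabled
		}
		return objectSA, nil
	}
	if c.DefaultServiceAccount == "" {
		return "", nil
	}
	// Multi-tenant lockdown: the default is resolved in the object's own
	// namespace. A tenant whose namespace lacks the ServiceAccount gets an
	// error rather than silently falling back to the controller's identity.
	if !c.serviceAccounts[ns][c.DefaultServiceAccount] {
		return "", ErrDefaultServiceAccountNotFound
	}
	return c.DefaultServiceAccount, nil
}

// NewExampleController builds the constructed fixture used below: the gate is
// on, the operator requires "flux-tenant", and only team-a has provisioned it.
func NewExampleController() *Controller {
	return &Controller{
		ObjectLevelWorkloadIdentityEnabled: true,
		DefaultServiceAccount:              "flux-tenant",
		serviceAccounts: map[string]map[string]bool{
			"team-a": {"flux-tenant": true},
			"team-b": {"default": true},
		},
	}
}

func main() {
	c := NewExampleController()
	for _, tc := range []struct{ ns, objectSA string }{
		{"team-a", ""}, {"team-b", ""}, {"team-b", "deployer"},
	} {
		sa, err := c.ResolveServiceAccount(tc.ns, tc.objectSA)
		fmt.Printf("ns=%s objectSA=%q -> sa=%q err=%v\n", tc.ns, tc.objectSA, sa, err)
	}
	c.ObjectLevelWorkloadIdentityEnabled = false
	fmt.Println("gate off with default set, inconsistent:", c.InconsistentObjectLevelConfiguration())
}
```

The point of the lookup in the object's namespace is that the operator, not the tenant, decides which identities exist per namespace; a namespace without the provisioned ServiceAccount fails closed with ErrDefaultServiceAccountNotFound instead of inheriting the controller's broader permissions.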

ArtifactRegistryCredentials is a particular type implementing the Token interface for credentials that can be used to authenticate against an artifact registry from a cloud provider.

GetArtifactRegistryCredentials retrieves the registry credentials for the specified artifact repository and provider.

GetDuration implements Token.

type ArtifactRegistryCredentialsProvider interface {
	Provider

	GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]Option, error)

	ParseArtifactRepository(artifactRepository string) (string, error)

	NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
		accessToken Token, opts ...Option) (*ArtifactRegistryCredentials, error)
}

ArtifactRegistryCredentialsProvider is an interface that defines methods for retrieving credentials for artifact registries from cloud providers.

type Option func(*Options)

Option is a functional option for the auth package.

func WithAllowShellOut() Option

WithAllowShellOut allows the provider to shell out to binary tools for acquiring controller tokens. MUST be used only by the Flux CLI, i.e. in the github.com/fluxcd/flux2 Git repository.

func WithAudiences(audiences ...string) Option

WithAudiences sets the audiences for the Kubernetes ServiceAccount token.

WithCAData sets the CA data for credentials that require a CA, e.g. for Kubernetes REST config.

WithCache sets the token cache and the involved object for recording events.

WithClient sets the controller-runtime client for the provider.

func WithClusterAddress(clusterAddress string) Option

WithClusterAddress sets the cluster address for creating a REST config. This address is used to select the correct cluster endpoint and CA data when the provider has a list of endpoints to choose from, or simply to validate the address against the cluster resource when the provider returns a single endpoint. It is optional; providers returning a list of endpoints select the first one when no address is provided.
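Added example, not the package's code: a canonicaliser in the form ParseClusterAddress documents (https://<lowercase(host)>:<port>) together with an endpoint selector that behaves as described for WithClusterAddress. The Endpoint type and SelectEndpoint are this example's own; treating a missing scheme as https, defaulting the port to 443 and rejecting non-https schemes, userinfo, paths and query strings are assumptions not stated on the page.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ParseClusterAddress returns https://<lowercase(host)>:<port> for the given
// address. Assumptions of this example: a missing scheme means https, a
// missing port means 443, and anything but a bare https host:port is rejected.
func ParseClusterAddress(address string) (string, error) {
	s := strings.TrimSpace(address)
	if s == "" {
		return "", fmt.Errorf("empty cluster address")
	}
	if !strings.Contains(s, "://") {
		s = "https://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", fmt.Errorf("invalid cluster address %q: %w", address, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("cluster address %q: scheme must be https", address)
	}
	if u.User != nil || (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("cluster address %q must not carry userinfo, path, query or fragment", address)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("cluster address %q has no host", address)
	}
	port := u.Port()
	if port == "" {
		port = "443"
	}
	// JoinHostPort brackets IPv6 literals, so "[::1]:6443" round-trips.
	return "https://" + net.JoinHostPort(host, port), nil
}

// Endpoint is one API server endpoint a cloud provider returns for a cluster
// resource, paired with the CA bundle that belongs to it.
type Endpoint struct {
	Address string
	CAData  []byte
}

// SelectEndpoint models the behaviour described for WithClusterAddress: with
// no address the first endpoint wins; with an address, the endpoint whose
// canonical form matches is returned, and a mismatch is an error so that
// credentials are never sent to a server the cluster resource does not list.
func SelectEndpoint(endpoints []Endpoint, clusterAddress string) (Endpoint, error) {
	if len(endpoints) == 0 {
		return Endpoint{}, fmt.Errorf("provider returned no endpoints")
	}
	if clusterAddress == "" {
		return endpoints[0], nil
	}
	want, err := ParseClusterAddress(clusterAddress)
	if err != nil {
		return Endpoint{}, err
	}
	for _, ep := range endpoints {
		got, err := ParseClusterAddress(ep.Address)
		if err != nil {
			return Endpoint{}, fmt.Errorf("provider endpoint: %w", err)
		}
		if got == want {
			return ep, nil
		}
	}
	return Endpoint{}, fmt.Errorf("cluster address %s does not match any endpoint of the cluster resource", want)
}

func main() {
	// Constructed endpoints standing in for what a provider returns for one cluster resource.
	endpoints := []Endpoint{
		{Address: "https://10.0.0.1:6443", CAData: []byte("constructed private CA")},
		{Address: "https://MyCluster.example.com", CAData: []byte("constructed public CA")},
	}
	for _, addr := range []string{"", "mycluster.example.com:443", "https://evil.example.com"} {
		ep, err := SelectEndpoint(endpoints, addr)
		fmt.Printf("address=%q -> endpoint=%q err=%v\n", addr, ep.Address, err)
	}
}
```

Comparing canonical forms rather than raw strings is what makes the validation useful: "MyCluster.example.com" and "https://mycluster.example.com:443" are the same server, while an address that canonicalises to something the provider never returned is rejected instead of being used with the first endpoint's CA data.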

func WithClusterResource(clusterResource string) Option

WithClusterResource sets the cluster resource for creating a REST config. Must be the fully qualified name of the cluster resource in the cloud provider API.

func WithProxyURL(proxyURL url.URL) Option

WithProxyURL sets the URL of an HTTP/S proxy to use when acquiring the token.

func WithSTSEndpoint(stsEndpoint string) Option

WithSTSEndpoint sets the endpoint for the STS service.

func WithSTSRegion(stsRegion string) Option

WithSTSRegion sets the region for the STS service (some cloud providers require a region, e.g. AWS).

func WithScopes(scopes ...string) Option

WithScopes sets the scopes for the token.

func WithServiceAccountName(name string) Option

WithServiceAccountName sets the ServiceAccount name for the token.

func WithServiceAccountNamespace(namespace string) Option

WithServiceAccountNamespace sets the ServiceAccount namespace for the token.

Options contains options for configuring the behavior of the provider methods. Not all providers/methods support all options.

func (o *Options) Apply(opts ...Option)

Apply applies the given slice of Option(s) to the Options struct.

GetHTTPClient returns a *http.Client with appropriate timeouts and proxy settings. The client includes a 10-second timeout to prevent indefinite hangs during token acquisition.

func (o *Options) ShouldGetServiceAccountToken() bool

ShouldGetServiceAccountToken returns true if ServiceAccount token should be retrieved.
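Added example, not the package's code: a reduced Options struct with the functional-option pattern, Apply, ShouldGetServiceAccountToken, and a GetHTTPClient that applies the 10-second timeout and the configured proxy. The field names, the ProxyFor helper, cloning http.DefaultTransport, and the rule that a ServiceAccount token is requested only when both name and namespace are set are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Options is a hypothetical, reduced stand-in for the page's Options struct;
// the field names are this example's own.
type Options struct {
	Audiences               []string
	ServiceAccountName      string
	ServiceAccountNamespace string
	ProxyURL                *url.URL
	STSEndpoint             string
}

// Option is a functional option, the same shape the page documents.
type Option func(*Options)

func WithAudiences(audiences ...string) Option {
	return func(o *Options) { o.Audiences = append(o.Audiences, audiences...) }
}

func WithServiceAccountName(name string) Option {
	return func(o *Options) { o.ServiceAccountName = name }
}

func WithServiceAccountNamespace(namespace string) Option {
	return func(o *Options) { o.ServiceAccountNamespace = namespace }
}

// WithProxyURL takes the URL by value, as the page's signature does, and keeps
// a private copy so later mutation by the caller cannot redirect traffic.
func WithProxyURL(proxyURL url.URL) Option {
	return func(o *Options) { o.ProxyURL = &proxyURL }
}

func WithSTSEndpoint(stsEndpoint string) Option {
	return func(o *Options) { o.STSEndpoint = stsEndpoint }
}

// Apply runs each option against the struct in order; later options win.
func (o *Options) Apply(opts ...Option) {
	for _, opt := range opts {
		opt(o)
	}
}

// ShouldGetServiceAccountToken: this example assumes a ServiceAccount token is
// requested only when both name and namespace were given.
func (o *Options) ShouldGetServiceAccountToken() bool {
	return o.ServiceAccountName != "" && o.ServiceAccountNamespace != ""
}

// HTTPClientTimeout is the 10-second bound the page documents for GetHTTPClient.
const HTTPClientTimeout = 10 * time.Second

// GetHTTPClient clones the default transport (keeping its TLS and keep-alive
// defaults), pins the configured proxy when one was given, and bounds every
// token exchange with a hard timeout so a stalled token endpoint cannot wedge
// a reconciliation.
func (o *Options) GetHTTPClient() *http.Client {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	if o.ProxyURL != nil {
		transport.Proxy = http.ProxyURL(o.ProxyURL)
	}
	return &http.Client{Transport: transport, Timeout: HTTPClientTimeout}
}

// ProxyFor reports the proxy the client's transport would pick for target
// ("" when it would connect directly) without sending any traffic.
func ProxyFor(c *http.Client, target string) (string, error) {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t.Proxy == nil {
		return "", nil
	}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	p, err := t.Proxy(req)
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

func main() {
	proxy, _ := url.Parse("http://proxy.internal:3128") // constructed for the example
	var o Options
	o.Apply(
		WithServiceAccountName("flux-tenant"),
		WithServiceAccountNamespace("team-a"),
		WithAudiences("sts.amazonaws.com"),
		WithSTSEndpoint("https://sts.eu-west-1.amazonaws.com"),
		WithProxyURL(*proxy),
	)
	c := o.GetHTTPClient()
	via, _ := ProxyFor(c, o.STSEndpoint)
	fmt.Printf("get SA token: %v, timeout: %s, proxy: %s\n",
		o.ShouldGetServiceAccountToken(), c.Timeout, via)
}
```

The explicit proxy overrides the environment-derived proxy the cloned default transport would otherwise consult, which is the property to check in a locked-down cluster: the token exchange goes where the object's options say, not where a stray HTTPS_PROXY in the controller's environment points.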

Provider contains the logic to retrieve security credentials for accessing resources in a cloud provider.

RESTConfig is a particular type implementing the Token interface for Kubernetes REST configurations.

GetRESTConfig retrieves the authentication and connection details to a remote Kubernetes cluster for the given provider, cluster resource name and options.

GetDuration implements Token.

type RESTConfigProvider interface {
	Provider

	GetAccessTokenOptionsForCluster(opts ...Option) ([][]Option, error)

	NewRESTConfig(ctx context.Context, accessTokens []Token, opts ...Option) (*RESTConfig, error)
}

RESTConfigProvider is an interface that defines methods for retrieving REST configurations for Kubernetes clusters from cloud providers.

Token is an interface that represents an access token that can be used to authenticate requests for a cloud provider. The only common method is for getting the duration of the token, because different providers have different ways of representing the token. For example, Azure and GCP use a single string, while AWS uses three strings: access key ID, secret access key and session token. Consumers of this interface should know what type to cast it to.

GetAccessToken returns an access token for accessing resources in the given cloud provider.
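Added example, not the package's code, covering the Token interface and what callers of GetAccessToken do with what it returns: three hypothetical concrete token types (one string for Azure and GCP, three for AWS), a type switch on the consumer side, and a small cache that needs only GetDuration to decide when to refresh. The token types, TokenCache and the swappable now clock are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// Token is the common interface: the only shared method is the lifetime,
// because each provider represents its credential differently.
type Token interface {
	GetDuration() time.Duration
}

// now is swappable so lifetimes are deterministic in tests.
var now = time.Now

// Hypothetical concrete tokens, shaped as the page describes them.
type AzureToken struct {
	AccessToken string
	ExpiresOn   time.Time
}

type GCPToken struct {
	AccessToken string
	Expiry      time.Time
}

type AWSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

func (t AzureToken) GetDuration() time.Duration     { return t.ExpiresOn.Sub(now()) }
func (t GCPToken) GetDuration() time.Duration       { return t.Expiry.Sub(now()) }
func (t AWSCredentials) GetDuration() time.Duration { return t.Expiration.Sub(now()) }

// Describe is the consumer side: code that needs the secret material must
// assert to the concrete type; the interface alone does not expose it.
func Describe(t Token) string {
	switch c := t.(type) {
	case AzureToken, GCPToken:
		return "bearer token"
	case AWSCredentials:
		return "aws credential triple for " + c.AccessKeyID
	default:
		return fmt.Sprintf("unknown token type %T", t)
	}
}

// TokenCache keys short-lived credentials by an opaque key (provider,
// ServiceAccount, audiences, ...) and refreshes them before they expire. It
// only needs GetDuration, which is why that is the interface's one method.
type TokenCache struct {
	margin  time.Duration // refresh when less than this lifetime remains
	entries map[string]cacheEntry
}

type cacheEntry struct {
	token     Token
	expiresAt time.Time
}

func NewTokenCache(margin time.Duration) *TokenCache {
	return &TokenCache{margin: margin, entries: map[string]cacheEntry{}}
}

// GetOrFetch returns the cached token for key while more than the safety
// margin of its lifetime remains, otherwise calls fetch and caches the result.
// The bool reports a cache hit.
func (c *TokenCache) GetOrFetch(key string, fetch func() (Token, error)) (Token, bool, error) {
	if e, ok := c.entries[key]; ok && e.expiresAt.Sub(now()) > c.margin {
		return e.token, true, nil
	}
	tok, err := fetch()
	if err != nil {
		return nil, false, err
	}
	d := tok.GetDuration()
	if d <= 0 {
		// An already-expired credential is a provider or clock problem; never cache it.
		return nil, false, fmt.Errorf("provider returned a token with non-positive lifetime %s", d)
	}
	c.entries[key] = cacheEntry{token: tok, expiresAt: now().Add(d)}
	return tok, false, nil
}

func main() {
	fetches := 0
	fetch := func() (Token, error) { // constructed stand-in for a provider call
		fetches++
		return AWSCredentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "constructed",
			SessionToken: "constructed", Expiration: now().Add(15 * time.Minute)}, nil
	}
	cache := NewTokenCache(time.Minute)
	for i := 0; i < 2; i++ {
		tok, hit, err := cache.GetOrFetch("aws/team-a/flux-tenant", fetch)
		fmt.Printf("hit=%v fetches=%d %s err=%v\n", hit, fetches, Describe(tok), err)
	}
}
```

The safety margin matters more than it looks: a token handed to a client with a few seconds left will expire mid-request, so the cache refreshes early rather than exactly at expiry, and it refuses to cache anything whose lifetime is already zero or negative.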