Documentation
Index
- type TokenClient
- func (c *TokenClient) DeleteServiceAccountToken(podUID types.UID)
- func (c *TokenClient) GetServiceAccountToken(namespace, name string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error)
- func (c *TokenClient) SecretProviderServiceAccountTokenAttrs(namespace, serviceAccountName string, ...) (map[string]string, error)
Types
type TokenClient
type TokenClient struct {
// contains filtered or unexported fields
}
TokenClient is a client for the Kubernetes Token API.
func NewTokenClient
func NewTokenClient(kubeClient kubernetes.Interface) *TokenClient
NewTokenClient creates a new TokenClient. The client will be used to request a token for token requests configured in the CSIDriver.
func (*TokenClient) DeleteServiceAccountToken
func (c *TokenClient) DeleteServiceAccountToken(podUID types.UID)
DeleteServiceAccountToken should be invoked when a pod is deleted. It simply cleans the token manager cache.
func (*TokenClient) GetServiceAccountToken
func (c *TokenClient) GetServiceAccountToken(namespace, name string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error)
GetServiceAccountToken gets a service account token for a pod from cache or from the TokenRequest API. This process is as follows:
- Check the cache for the current token request.
- If the token exists and does not require a refresh, return the current token.
- Attempt to refresh the token.
- If the token is refreshed successfully, save it in the cache and return the token.
- If refresh fails and the old token is still valid, log an error and return the old token.
- If refresh fails and the old token is no longer valid, return an error.
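The lookup order described above, as an added Go example that is not the driver's own code. The `token` and `tokenCache` types, the injected `fetch` and `now` functions, and the refresh-after-80%-of-lifetime rule are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// token is a hypothetical stand-in for the token and timestamps in a TokenRequest.
type token struct {
	Value               string
	IssuedAt, ExpiresAt time.Time
}
// tokenCache is hypothetical; fetch stands in for the TokenRequest API call.
type tokenCache struct {
	entries map[string]token
	now     func() time.Time
	fetch   func(key string) (token, error)
}

// needsRefresh is an assumed policy: refresh after 80% of the lifetime has elapsed.
func (c *tokenCache) needsRefresh(t token) bool {
	ttl := t.ExpiresAt.Sub(t.IssuedAt)
	return !c.now().Before(t.IssuedAt.Add(ttl * 8 / 10))
}

// get applies the documented order: cache hit, refresh, still-valid fallback, error.
func (c *tokenCache) get(key string) (token, error) {
	old, cached := c.entries[key]
	if cached && !c.needsRefresh(old) {
		return old, nil
	}
	fresh, err := c.fetch(key)
	if err == nil {
		c.entries[key] = fresh
		return fresh, nil
	}
	if cached && c.now().Before(old.ExpiresAt) {
		fmt.Printf("refresh of %q failed, serving cached token: %v\n", key, err)
		return old, nil
	}
	return token{}, fmt.Errorf("token for %q unavailable: %w", key, err)
}

func main() {
	c := &tokenCache{entries: map[string]token{}, now: time.Now}
	c.fetch = func(string) (token, error) { return token{}, errors.New("API unreachable (constructed)") }
	fmt.Println(c.get("ns/sa/aud"))
}
```

The last branch is the one that matters for callers: an expired token is never returned, so a prolonged TokenRequest outage surfaces as an error instead of a stale credential.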
func (*TokenClient) SecretProviderServiceAccountTokenAttrs
func (c *TokenClient) SecretProviderServiceAccountTokenAttrs(namespace, serviceAccountName string, tokenRequests []secretsstorecsixk8siov1.TokenRequest) (map[string]string, error)
PodServiceAccountTokenAttrs returns the token for the pod service account that can be bound to the pod. This token will be sent to the providers and is of the format:
    "csi.storage.k8s.io/serviceAccount.tokens": {
      <audience>: {
        'token': <token>,
        'expirationTimestamp': <expiration timestamp in RFC3339 format>,
      },
      ...
    }
ref: https://kubernetes-csi.github.io/docs/token-requests.html#usage