clusterauth

package
v2.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 20, 2021 License: Apache-2.0 Imports: 12 Imported by: 1

Documentation

Index

Constants

View Source
const (
	ArgoCDManagerServiceAccount     = "argocd-manager"
	ArgoCDManagerClusterRole        = "argocd-manager-role"
	ArgoCDManagerClusterRoleBinding = "argocd-manager-role-binding"
)

ArgoCDManagerServiceAccount is the name of the service account for managing a cluster

Variables

View Source
var ArgoCDManagerClusterPolicyRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
	{
		NonResourceURLs: []string{"*"},
		Verbs:           []string{"*"},
	},
}

ArgoCDManagerPolicyRules are the policies to give argocd-manager

View Source
var ArgoCDManagerNamespacePolicyRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
}

ArgoCDManagerNamespacePolicyRules are the namespace level policies to give argocd-manager

Functions

func CreateServiceAccount

func CreateServiceAccount(
	clientset kubernetes.Interface,
	serviceAccountName string,
	namespace string,
) error

CreateServiceAccount creates a service account in a given namespace

func GenerateNewClusterManagerSecret

func GenerateNewClusterManagerSecret(clientset kubernetes.Interface, claims *ServiceAccountClaims) (*corev1.Secret, error)

GenerateNewClusterManagerSecret creates a new secret derived with same metadata as existing one and waits until the secret is populated with a bearer token

func GetServiceAccountBearerToken

func GetServiceAccountBearerToken(clientset kubernetes.Interface, ns string, sa string) (string, error)

GetServiceAccountBearerToken will attempt to get the provided service account until it exists, iterate the secrets associated with it looking for one of type kubernetes.io/service-account-token, and return it's token if found.

func InstallClusterManagerRBAC

func InstallClusterManagerRBAC(clientset kubernetes.Interface, ns string, namespaces []string) (string, error)

InstallClusterManagerRBAC installs RBAC resources for a cluster manager to operate a cluster. Returns a token

func RotateServiceAccountSecrets

func RotateServiceAccountSecrets(clientset kubernetes.Interface, claims *ServiceAccountClaims, newSecret *corev1.Secret) error

RotateServiceAccountSecrets rotates the entries in the service accounts secrets list

func UninstallClusterManagerRBAC

func UninstallClusterManagerRBAC(clientset kubernetes.Interface) error

UninstallClusterManagerRBAC removes RBAC resources for a cluster manager to operate a cluster

func UninstallRBAC

func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleName, serviceAccount string) error

UninstallRBAC uninstalls RBAC related resources for a binding, role, and service account

Types

type ServiceAccountClaims

type ServiceAccountClaims struct {
	Sub                string `json:"sub"`
	Iss                string `json:"iss"`
	Namespace          string `json:"kubernetes.io/serviceaccount/namespace"`
	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name"`
	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"`
	ServiceAccountUID  string `json:"kubernetes.io/serviceaccount/service-account.uid"`
}

func ParseServiceAccountToken

func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error)

ParseServiceAccountToken parses a Kubernetes service account token

func (*ServiceAccountClaims) Valid

func (sac *ServiceAccountClaims) Valid(helper *jwt.ValidationHelper) error

Valid satisfies the jwt.Claims interface to enable JWT parsing

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL