clusterauth

package
v2.12.9
Published: Jan 3, 2025 License: Apache-2.0 Imports: 15 Imported by: 1


Constants

const (
	// ArgoCDManagerServiceAccount is the name of the service account for managing a cluster.
	ArgoCDManagerServiceAccount = "argocd-manager"
	// ArgoCDManagerClusterRole is the name of the ClusterRole created for the manager
	// service account (presumably by InstallClusterManagerRBAC — confirm there).
	ArgoCDManagerClusterRole = "argocd-manager-role"
	// ArgoCDManagerClusterRoleBinding is the name of the ClusterRoleBinding that attaches
	// ArgoCDManagerClusterRole to ArgoCDManagerServiceAccount (presumably; see
	// InstallClusterManagerRBAC / UninstallRBAC, which take the binding and role names).
	ArgoCDManagerClusterRoleBinding = "argocd-manager-role-binding"
)

ArgoCDManagerServiceAccount is the name of the service account for managing a cluster

Variables

// ArgoCDManagerClusterPolicyRules are the cluster-level policies to give argocd-manager.
//
// Both rules are pure wildcards: every verb on every resource in every API group,
// plus every verb on every non-resource URL. Bound at cluster scope this is
// unrestricted access, the same rule shape as the built-in cluster-admin
// ClusterRole, so the bearer token issued for argocd-manager must be stored and
// rotated as a cluster-admin credential. Use ArgoCDManagerNamespacePolicyRules
// instead when the manager only needs specific namespaces.
var ArgoCDManagerClusterPolicyRules = []rbacv1.PolicyRule{
	{
		// "*" in all three fields: any verb on any resource of any API group.
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
	{
		// Non-resource endpoints (e.g. /api, /healthz, /metrics paths) — also unrestricted.
		NonResourceURLs: []string{"*"},
		Verbs:           []string{"*"},
	},
}

ArgoCDManagerClusterPolicyRules are the cluster-level policies to give argocd-manager

// ArgoCDManagerNamespacePolicyRules are the namespace level policies to give argocd-manager.
//
// A single wildcard rule: every verb on every resource in every API group. There is
// no NonResourceURLs rule here (unlike ArgoCDManagerClusterPolicyRules), and the
// grant only reaches the namespaces the rule is bound in — presumably the
// `namespaces` argument of InstallClusterManagerRBAC; confirm there. Within those
// namespaces it is still full control, Secrets included.
var ArgoCDManagerNamespacePolicyRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
}

ArgoCDManagerNamespacePolicyRules are the namespace level policies to give argocd-manager

Functions

func CreateServiceAccount

func CreateServiceAccount(
	clientset kubernetes.Interface,
	serviceAccountName string,
	namespace string,
) error

CreateServiceAccount creates a service account in a given namespace

func GenerateNewClusterManagerSecret

func GenerateNewClusterManagerSecret(clientset kubernetes.Interface, claims *ServiceAccountClaims) (*corev1.Secret, error)

GenerateNewClusterManagerSecret creates a new secret derived from the same metadata as the existing one and waits until the secret is populated with a bearer token

func GetServiceAccountBearerToken

func GetServiceAccountBearerToken(clientset kubernetes.Interface, ns string, sa string, timeout time.Duration) (string, error)

GetServiceAccountBearerToken determines whether a ServiceAccount already has a bearer token secret to use or whether a secret should be created. If a secret needs to be created, it waits for that secret to be populated with a bearer token, and then returns the token base64-encoded.

func InstallClusterManagerRBAC

func InstallClusterManagerRBAC(clientset kubernetes.Interface, ns string, namespaces []string, bearerTokenTimeout time.Duration) (string, error)

InstallClusterManagerRBAC installs the RBAC resources a cluster manager needs to operate a cluster and returns the resulting bearer token.

func RotateServiceAccountSecrets

func RotateServiceAccountSecrets(clientset kubernetes.Interface, claims *ServiceAccountClaims, newSecret *corev1.Secret) error

RotateServiceAccountSecrets rotates the entries in the service account's secrets list

func UninstallClusterManagerRBAC

func UninstallClusterManagerRBAC(clientset kubernetes.Interface) error

UninstallClusterManagerRBAC removes RBAC resources for a cluster manager to operate a cluster

func UninstallRBAC

func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleName, serviceAccount string) error

UninstallRBAC uninstalls RBAC related resources for a binding, role, and service account

Types

type ServiceAccountClaims

// ServiceAccountClaims is the set of JWT claims this package reads from a
// Kubernetes service account token (see ParseServiceAccountToken). The
// kubernetes.io/serviceaccount/* claim names match secret-backed service
// account tokens; bound (projected) tokens use a different claim layout, so
// SecretName should not be assumed non-empty for every token — confirm against
// the callers. Valid (defined below) satisfies the jwt.Claims interface.
type ServiceAccountClaims struct {
	// Sub is the standard JWT subject claim.
	Sub string `json:"sub"`
	// Iss is the standard JWT issuer claim.
	Iss string `json:"iss"`
	// Namespace is the namespace the service account lives in.
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	// SecretName is the name of the Secret the token was issued from (used when rotating;
	// see RotateServiceAccountSecrets).
	SecretName string `json:"kubernetes.io/serviceaccount/secret.name"`
	// ServiceAccountName is the name of the service account the token belongs to.
	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"`
	// ServiceAccountUID is the UID of that service account; unlike the name it is not
	// reused if the account is deleted and recreated.
	ServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid"`
}

func ParseServiceAccountToken

func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error)

ParseServiceAccountToken parses a Kubernetes service account token

func (*ServiceAccountClaims) Valid

func (sac *ServiceAccountClaims) Valid() error

Valid satisfies the jwt.Claims interface to enable JWT parsing
