Constants ¶
const ( ArgoCDManagerServiceAccount = "argocd-manager" ArgoCDManagerClusterRole = "argocd-manager-role" ArgoCDManagerClusterRoleBinding = "argocd-manager-role-binding" )
ArgoCDManagerServiceAccount is the name of the service account used to manage a cluster.
Variables ¶
var ArgoCDManagerClusterPolicyRules = []rbacv1.PolicyRule{ { APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}, }, { NonResourceURLs: []string{"*"}, Verbs: []string{"*"}, }, }
ArgoCDManagerClusterPolicyRules are the cluster-scoped policies given to argocd-manager. The rules above grant every verb on every resource in every API group and on all non-resource URLs, which is cluster-admin-equivalent access.
var ArgoCDManagerNamespacePolicyRules = []rbacv1.PolicyRule{ { APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}, }, }
ArgoCDManagerNamespacePolicyRules are the namespace-level policies given to argocd-manager; within each namespace they grant every verb on every resource in every API group.
Functions ¶
func CreateServiceAccount ¶
func CreateServiceAccount( clientset kubernetes.Interface, serviceAccountName string, namespace string, ) error
CreateServiceAccount creates a service account in the given namespace.
func GenerateNewClusterManagerSecret ¶
func GenerateNewClusterManagerSecret(clientset kubernetes.Interface, claims *ServiceAccountClaims) (*corev1.Secret, error)
GenerateNewClusterManagerSecret creates a new secret with the same metadata as the existing one and waits until the new secret has been populated with a bearer token.
func GetServiceAccountBearerToken ¶
func GetServiceAccountBearerToken(clientset kubernetes.Interface, ns string, sa string, timeout time.Duration) (string, error)
GetServiceAccountBearerToken determines whether a ServiceAccount already has a bearer-token secret to use or whether one must be created. If a secret has to be created, it waits (up to the given timeout) for the secret to receive a bearer token, and then returns the base64-encoded token.
func InstallClusterManagerRBAC ¶
func InstallClusterManagerRBAC(clientset kubernetes.Interface, ns string, namespaces []string, bearerTokenTimeout time.Duration) (string, error)
InstallClusterManagerRBAC installs the RBAC resources a cluster manager needs to operate a cluster and returns the resulting bearer token.
func RotateServiceAccountSecrets ¶
func RotateServiceAccountSecrets(clientset kubernetes.Interface, claims *ServiceAccountClaims, newSecret *corev1.Secret) error
RotateServiceAccountSecrets rotates the entries in the service account's secrets list.
func UninstallClusterManagerRBAC ¶
func UninstallClusterManagerRBAC(clientset kubernetes.Interface) error
UninstallClusterManagerRBAC removes the RBAC resources that were installed for a cluster manager to operate a cluster.
func UninstallRBAC ¶
func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleName, serviceAccount string) error
UninstallRBAC removes the RBAC resources associated with the given binding, role, and service account.
Types ¶
type ServiceAccountClaims ¶
type ServiceAccountClaims struct { Sub string `json:"sub"` Iss string `json:"iss"` Namespace string `json:"kubernetes.io/serviceaccount/namespace"` SecretName string `json:"kubernetes.io/serviceaccount/secret.name"` ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"` ServiceAccountUID string `json:"kubernetes.io/serviceaccount/service-account.uid"` }
func ParseServiceAccountToken ¶
func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error)
ParseServiceAccountToken parses a Kubernetes service account token into its ServiceAccountClaims.
func (*ServiceAccountClaims) Valid ¶
func (sac *ServiceAccountClaims) Valid(helper *jwt.ValidationHelper) error
Valid satisfies the jwt.Claims interface so that ServiceAccountClaims can be used as the target of JWT parsing.