clusterauth

package
v2.3.0-rc4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2022 License: Apache-2.0 Imports: 12 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	ArgoCDManagerServiceAccount     = "argocd-manager"
	ArgoCDManagerClusterRole        = "argocd-manager-role"
	ArgoCDManagerClusterRoleBinding = "argocd-manager-role-binding"
)

ArgoCDManagerServiceAccount is the name of the service account for managing a cluster

Variables

View Source 
var ArgoCDManagerClusterPolicyRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
	{
		NonResourceURLs: []string{"*"},
		Verbs:           []string{"*"},
	},
}

ArgoCDManagerPolicyRules are the policies to give argocd-manager

View Source 
var ArgoCDManagerNamespacePolicyRules = []rbacv1.PolicyRule{
	{
		APIGroups: []string{"*"},
		Resources: []string{"*"},
		Verbs:     []string{"*"},
	},
}

ArgoCDManagerNamespacePolicyRules are the namespace level policies to give argocd-manager

Functions

func CreateServiceAccount 

func CreateServiceAccount(
	clientset kubernetes.Interface,
	serviceAccountName string,
	namespace string,
) error

CreateServiceAccount creates a service account in a given namespace

func GenerateNewClusterManagerSecret 

func GenerateNewClusterManagerSecret(clientset kubernetes.Interface, claims *ServiceAccountClaims) (*corev1.Secret, error)

GenerateNewClusterManagerSecret creates a new secret derived with same metadata as existing one and waits until the secret is populated with a bearer token

func GetServiceAccountBearerToken 

func GetServiceAccountBearerToken(clientset kubernetes.Interface, ns string, sa string) (string, error)

GetServiceAccountBearerToken will attempt to get the provided service account until it exists, iterate the secrets associated with it looking for one of type kubernetes.io/service-account-token, and return it's token if found.

func InstallClusterManagerRBAC 

func InstallClusterManagerRBAC(clientset kubernetes.Interface, ns string, namespaces []string) (string, error)

InstallClusterManagerRBAC installs RBAC resources for a cluster manager to operate a cluster. Returns a token

func RotateServiceAccountSecrets 

func RotateServiceAccountSecrets(clientset kubernetes.Interface, claims *ServiceAccountClaims, newSecret *corev1.Secret) error

RotateServiceAccountSecrets rotates the entries in the service accounts secrets list

func UninstallClusterManagerRBAC 

func UninstallClusterManagerRBAC(clientset kubernetes.Interface) error

UninstallClusterManagerRBAC removes RBAC resources for a cluster manager to operate a cluster

func UninstallRBAC 

func UninstallRBAC(clientset kubernetes.Interface, namespace, bindingName, roleName, serviceAccount string) error

UninstallRBAC uninstalls RBAC related resources for a binding, role, and service account

Types

type ServiceAccountClaims 

type ServiceAccountClaims struct {
	Sub                string `json:"sub"`
	Iss                string `json:"iss"`
	Namespace          string `json:"kubernetes.io/serviceaccount/namespace"`
	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name"`
	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name"`
	ServiceAccountUID  string `json:"kubernetes.io/serviceaccount/service-account.uid"`
}

func ParseServiceAccountToken 

func ParseServiceAccountToken(token string) (*ServiceAccountClaims, error)

ParseServiceAccountToken parses a Kubernetes service account token

func (*ServiceAccountClaims) Valid 

func (sac *ServiceAccountClaims) Valid() error

Valid satisfies the jwt.Claims interface to enable JWT parsing

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.