Documentation ¶
Overview ¶
Initializes an Admin Client that exposes all services implemented by the FlyteAdmin server. The library supports different authentication flows (see AuthType). It initializes the gRPC connection once and reuses it. The gRPC connection is sticky (it hogs one server and keeps the connection alive). For better load balancing against the server, place a proxy service in between instead.
Index ¶
- Constants
- Variables
- func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption
- func GetPKCEAuthTokenSource(ctx context.Context, tokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)
- func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient
- func InitializeAdminClientFromConfig(ctx context.Context, tokenCache pkce.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)deprecated
- func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)
- func InitializeMockAdminClient() service.AdminServiceClient
- func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient
- func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)
- func SetConfig(cfg *Config) error
- type AuthType
- type ClientCredentialsTokenSourceProvider
- type Clientset
- type ClientsetBuilder
- func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)
- func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder
- func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder
- func (cb *ClientsetBuilder) WithTokenCache(tokenCache pkce.TokenCache) *ClientsetBuilder
- type Config
- type CustomHeaderTokenSource
- type ExternalTokenSourceProvider
- type PKCETokenSourceProvider
- type TokenSourceProvider
- func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, ...) (TokenSourceProvider, error)
- func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)
- func NewPKCETokenSourceProvider(ctx context.Context, pkceCfg pkce.Config, tokenCache pkce.TokenCache, ...) (TokenSourceProvider, error)
- func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache pkce.TokenCache, ...) (TokenSourceProvider, error)
Examples ¶
Constants ¶
// DefaultAuthorizationHeader is the metadata header name "authorization".
// NOTE(review): presumably the header the token is sent under when no custom
// header is supplied to NewCustomHeaderTokenSource — confirm against the source.
const DefaultAuthorizationHeader = "authorization"

const (
	// DefaultClientID is the client ID "flytepropeller".
	// NOTE(review): presumably the fallback when Config.ClientID is unset — confirm.
	DefaultClientID = "flytepropeller"
)
Variables ¶
Functions ¶
func GetAdditionalAdminClientConfigOptions ¶
func GetAdditionalAdminClientConfigOptions(cfg *Config) []grpc.DialOption
func GetPKCEAuthTokenSource ¶ added in v0.21.4
func GetPKCEAuthTokenSource(ctx context.Context, tokenOrchestrator pkce.TokenOrchestrator) (oauth2.TokenSource, error)
Returns the token source used for three-legged OAuth, e.g. for admin to authorize access to flytectl.
func InitializeAdminClient ¶
func InitializeAdminClient(ctx context.Context, cfg *Config, opts ...grpc.DialOption) service.AdminServiceClient
Creates an AdminClient with a shared Admin connection for the process. Deprecated: Please use initializeClients instead.
func InitializeAdminClientFromConfig
deprecated
func InitializeAdminClientFromConfig(ctx context.Context, tokenCache pkce.TokenCache, opts ...grpc.DialOption) (service.AdminServiceClient, error)
Deprecated: Please use NewClientsetBuilder() instead.
func InitializeAuthMetadataClient ¶ added in v0.18.40
func InitializeAuthMetadataClient(ctx context.Context, cfg *Config) (client service.AuthMetadataServiceClient, err error)
InitializeAuthMetadataClient creates a new anonymous (unauthenticated) Auth Metadata Service client.
func InitializeMockAdminClient ¶
func InitializeMockAdminClient() service.AdminServiceClient
func NewAdminClient ¶
func NewAdminClient(ctx context.Context, conn *grpc.ClientConn) service.AdminServiceClient
func NewAdminConnection ¶
func NewAdminConnection(ctx context.Context, cfg *Config, opts ...grpc.DialOption) (*grpc.ClientConn, error)
Types ¶
type AuthType ¶ added in v0.18.40
// AuthType enumerates the authentication flows the client can use. It is the
// type of Config.AuthType.
type AuthType uint8

const (
	// Chooses Client Secret OAuth2 protocol (ref: https://tools.ietf.org/html/rfc6749#section-4.4)
	// This is iota's first value (0), i.e. the zero value of AuthType, so a
	// Config whose AuthType is never set carries AuthTypeClientSecret.
	AuthTypeClientSecret AuthType = iota
	// Chooses Proof Key Code Exchange OAuth2 extension protocol (ref: https://tools.ietf.org/html/rfc7636)
	AuthTypePkce
	// Chooses an external authentication process
	// NOTE(review): presumably the process named by Config.Command — confirm.
	AuthTypeExternalCommand
)
func AuthTypeString ¶ added in v0.18.40
AuthTypeString retrieves an enum value from the enum constant's string name. Returns an error if the param is not part of the enum.
func AuthTypeValues ¶ added in v0.18.40
func AuthTypeValues() []AuthType
AuthTypeValues returns all values of the enum
func (AuthType) IsAAuthType ¶ added in v0.18.40
IsAAuthType returns "true" if the value is listed in the enum definition. "false" otherwise
func (AuthType) MarshalJSON ¶ added in v0.18.40
MarshalJSON implements the json.Marshaler interface for AuthType
func (AuthType) MarshalYAML ¶ added in v0.18.40
MarshalYAML implements a YAML Marshaler for AuthType
func (*AuthType) UnmarshalJSON ¶ added in v0.18.40
UnmarshalJSON implements the json.Unmarshaler interface for AuthType
func (*AuthType) UnmarshalYAML ¶ added in v0.18.40
UnmarshalYAML implements a YAML Unmarshaler for AuthType
type ClientCredentialsTokenSourceProvider ¶ added in v0.21.4
// ClientCredentialsTokenSourceProvider is the provider type whose
// GetTokenSource returns an oauth2.TokenSource.
// NOTE(review): presumably backs the AuthTypeClientSecret flow and is what
// NewClientCredentialsTokenSourceProvider returns — confirm against the source.
type ClientCredentialsTokenSourceProvider struct {
	// contains filtered or unexported fields
}
func (ClientCredentialsTokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (p ClientCredentialsTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type Clientset ¶ added in v0.18.40
type Clientset struct {
// contains filtered or unexported fields
}
Clientset contains the clients exposed to communicate with various admin services.
func InitializeMockClientset ¶ added in v0.18.40
func InitializeMockClientset() *Clientset
func (Clientset) AdminClient ¶ added in v0.18.40
func (c Clientset) AdminClient() service.AdminServiceClient
AdminClient retrieves the AdminServiceClient
func (Clientset) AuthMetadataClient ¶ added in v0.18.40
func (c Clientset) AuthMetadataClient() service.AuthMetadataServiceClient
AuthMetadataClient retrieves the AuthMetadataServiceClient
func (Clientset) IdentityClient ¶ added in v0.18.40
func (c Clientset) IdentityClient() service.IdentityServiceClient
type ClientsetBuilder ¶ added in v0.18.40
type ClientsetBuilder struct {
// contains filtered or unexported fields
}
ClientsetBuilder is used to build the clientset. This allows custom token cache implementations to be plugged in.
func ClientSetBuilder ¶ added in v0.18.40
func ClientSetBuilder() *ClientsetBuilder
ClientSetBuilder is the constructor function clients use to obtain and interact with the builder.
Example ¶
ctx := context.Background()
// Create a client set that initializes the connection with flyte admin and sets up Auth (if needed).
// See AuthType for a list of supported authentication types.
// Build returns (*Clientset, error); check the error before using any client.
clientSet, err := NewClientsetBuilder().WithConfig(GetConfig(ctx)).Build(ctx)
if err != nil {
	logger.Fatalf(ctx, "failed to initialize clientSet from config. Error: %v", err)
}

// Access and use the desired client:
_ = clientSet.AdminClient()
_ = clientSet.AuthMetadataClient()
_ = clientSet.IdentityClient()
Output:
func NewClientsetBuilder ¶ added in v0.18.40
func NewClientsetBuilder() *ClientsetBuilder
func (*ClientsetBuilder) Build ¶ added in v0.18.40
func (cb *ClientsetBuilder) Build(ctx context.Context) (*Clientset, error)
Build the clientset using the current state of the ClientsetBuilder
func (*ClientsetBuilder) WithConfig ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithConfig(config *Config) *ClientsetBuilder
WithConfig provides the admin config to be used for constructing the clientset
func (*ClientsetBuilder) WithDialOptions ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithDialOptions(opts ...grpc.DialOption) *ClientsetBuilder
func (*ClientsetBuilder) WithTokenCache ¶ added in v0.18.40
func (cb *ClientsetBuilder) WithTokenCache(tokenCache pkce.TokenCache) *ClientsetBuilder
WithTokenCache allows pluggable token cache implementations, e.g. flytectl uses the keyring as its tokenCache.
type Config ¶
// Config is the client configuration: the admin endpoint, the transport
// security switches, the gRPC retry/backoff settings and the OAuth2 settings
// for the flow selected by AuthType.
type Config struct {
	Endpoint config.URL `json:"endpoint" pflag:",For admin types, specify where the uri of the service is located."`
	// Exposed as the "insecure" option.
	// NOTE(review): presumably dials admin without TLS. The documentation of
	// CustomHeaderTokenSource.RequireTransportSecurity states that TLS is a
	// requirement for OAuth2 in production, so confirm this is only enabled
	// for local or test endpoints.
	UseInsecureConnection bool `json:"insecure" pflag:",Use insecure connection."`
	// NOTE(review): the struct tag is elided in this rendering. By its name
	// this presumably disables verification of the server's TLS certificate;
	// confirm against the source before enabling it anywhere.
	InsecureSkipVerify bool `` /* 186-byte string literal not displayed */
	MaxBackoffDelay config.Duration `json:"maxBackoffDelay" pflag:",Max delay for grpc backoff"`
	PerRetryTimeout config.Duration `json:"perRetryTimeout" pflag:",gRPC per retry timeout"`
	MaxRetries      int             `json:"maxRetries" pflag:",Max number of gRPC retries"`
	AuthType        AuthType        `json:"authType" pflag:"-,Type of OAuth2 flow used for communicating with admin."`
	// Deprecated: settings will be discovered dynamically
	DeprecatedUseAuth bool   `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
	ClientID          string `json:"clientId" pflag:",Client ID"`
	// The client secret is referenced by file path rather than stored inline
	// in the configuration.
	ClientSecretLocation string   `json:"clientSecretLocation" pflag:",File containing the client secret"`
	Scopes               []string `json:"scopes" pflag:",List of scopes to request"`
	// There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
	// try to get the token URL. Or it can be specified directly through TokenURL config.
	// Deprecated: This will now be discovered through admin's anonymously accessible metadata.
	DeprecatedAuthorizationServerURL string `json:"authorizationServerUrl" pflag:",This is the URL to your IdP's authorization server. It'll default to Endpoint"`
	// If not provided, it'll be discovered through admin's anonymously accessible metadata endpoint.
	TokenURL string `` /* 141-byte string literal not displayed */
	// See the implementation of the 'grpcAuthorizationHeader' option in Flyte Admin for more information. But
	// basically we want to be able to use a different string to pass the token from this client to the Admin service
	// because things might be running in a service mesh (like Envoy) that already uses the default 'authorization' header
	// Deprecated: It will automatically be discovered through an anonymously accessible auth metadata service.
	DeprecatedAuthorizationHeader string      `json:"authorizationHeader" pflag:",Custom metadata header to pass JWT"`
	PkceConfig                    pkce.Config `json:"pkceConfig" pflag:",Config for Pkce authentication flow."`
	// NOTE(review): presumably the program the AuthTypeExternalCommand flow
	// runs to obtain a token; the []string type suggests an argument vector
	// rather than a shell string — confirm. Because this field names a
	// program, the configuration source needs to be trusted.
	Command []string `json:"command" pflag:",Command for external authentication token generation"`
}
type CustomHeaderTokenSource ¶ added in v0.16.3
// CustomHeaderTokenSource embeds an oauth2.TokenSource. Its methods
// GetRequestMetadata and RequireTransportSecurity are the ones the
// credentials.PerRPCCredentials interface asks for.
type CustomHeaderTokenSource struct {
	oauth2.TokenSource
	// contains filtered or unexported fields
}
This type exists because we cannot use the normal "github.com/grpc/grpc-go/credentials/oauth" package to satisfy the credentials.PerRPCCredentials interface: we want to be able to support a different 'header' when passing the token in the gRPC call's metadata. The default header is filled in by the constructor if none is supplied.
func NewCustomHeaderTokenSource ¶ added in v0.16.3
func NewCustomHeaderTokenSource(source oauth2.TokenSource, insecure bool, customHeader string) CustomHeaderTokenSource
func (CustomHeaderTokenSource) GetRequestMetadata ¶ added in v0.16.3
func (ts CustomHeaderTokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
GetRequestMetadata gets the authorization metadata as a map using a TokenSource to generate a token
func (CustomHeaderTokenSource) RequireTransportSecurity ¶ added in v0.16.3
func (ts CustomHeaderTokenSource) RequireTransportSecurity() bool
RequireTransportSecurity returns whether this credentials class requires TLS/SSL. OAuth uses Bearer tokens that are susceptible to MITM (Man-In-The-Middle) attacks that are mitigated by TLS/SSL. We may return false here to make it easier to set up auth; when it does, gRPC is allowed to attach the token on a connection without transport security. In a production environment, however, TLS for OAuth2 is a requirement. See also: https://tools.ietf.org/html/rfc6749#section-3.1
type ExternalTokenSourceProvider ¶ added in v0.21.4
// ExternalTokenSourceProvider is the provider type whose GetTokenSource
// returns an oauth2.TokenSource.
// NOTE(review): presumably backs the AuthTypeExternalCommand flow using the
// command passed to NewExternalTokenSourceProvider — confirm against the source.
type ExternalTokenSourceProvider struct {
	// contains filtered or unexported fields
}
func (ExternalTokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (e ExternalTokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type PKCETokenSourceProvider ¶ added in v0.21.4
// PKCETokenSourceProvider is the provider type whose GetTokenSource returns
// an oauth2.TokenSource.
// NOTE(review): presumably backs the AuthTypePkce flow and uses the
// pkce.TokenCache given to NewPKCETokenSourceProvider — confirm against the source.
type PKCETokenSourceProvider struct {
	// contains filtered or unexported fields
}
func (PKCETokenSourceProvider) GetTokenSource ¶ added in v0.21.4
func (p PKCETokenSourceProvider) GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
type TokenSourceProvider ¶ added in v0.21.4
// TokenSourceProvider is the single-method interface implemented by the
// provider types in this package.
type TokenSourceProvider interface {
	// GetTokenSource returns the oauth2.TokenSource to authenticate with, or
	// an error when one cannot be produced.
	GetTokenSource(ctx context.Context) (oauth2.TokenSource, error)
}
TokenSourceProvider defines the interface needed to provide a TokenSource that is used to create a client with authentication enabled.
func NewClientCredentialsTokenSourceProvider ¶ added in v0.21.4
func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, clientMetadata *service.PublicClientAuthConfigResponse, tokenURL string) (TokenSourceProvider, error)
func NewExternalTokenSourceProvider ¶ added in v0.21.4
func NewExternalTokenSourceProvider(command []string) (TokenSourceProvider, error)
func NewPKCETokenSourceProvider ¶ added in v0.21.4
func NewPKCETokenSourceProvider(ctx context.Context, pkceCfg pkce.Config, tokenCache pkce.TokenCache, authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)
func NewTokenSourceProvider ¶ added in v0.21.4
func NewTokenSourceProvider(ctx context.Context, cfg *Config, tokenCache pkce.TokenCache, authClient service.AuthMetadataServiceClient) (TokenSourceProvider, error)
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients.
|
Provides the setup required for the client to perform the "Authorization Code" flow with PKCE in order to obtain an access token for public/untrusted clients. |