authcheck

package
v0.20.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 12, 2021 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Overview

Package authcheck provides utilities to check authentication configuration for data plane resources. File authcheck contains functions to run customized checks inside of a Pod.

Package authcheck provides utilities to check authentication configuration for data plane resources. File authtype contains functions to differentiate authentication mode.

Package authcheck provides utilities to check authentication configuration for data plane resources. enqueue.go contains customized EventHandlers to enqueue resources for authentication check.

Package authcheck provides utilities to check authentication configuration for data plane resources. File authcheck contains functions to run customized checks inside of a Pod.

Package authcheck provides utilities to check authentication configuration for data plane resources. list.go contains functions to get a list of resources based on label selector and get information from a list of resources.

Package authcheck provides utilities to check authentication configuration for data plane resources. probechecker.go utilities to perform a probe check for liviness and readiness.

Index

Constants

View Source
const (
	AuthenticationCheckUnknownReason = "AuthenticationCheckPending"
	ControlPlaneNamespace            = "events-system"
	BrokerServiceAccountName         = "broker"
)
View Source
const DefaultProbeCheckPort = 8080

DefaultProbeCheckPort is the default port for checking sync pool health.

Variables

View Source
var (
	BrokerSecret = &corev1.SecretKeySelector{
		LocalObjectReference: corev1.LocalObjectReference{Name: "google-broker-key"},
		Key:                  "key.json",
	}
)

Functions

func AuthenticationCheckForSecret

func AuthenticationCheckForSecret(ctx context.Context) error

AuthenticationCheckForSecret performs the authentication check for Pod in secret mode.

func AuthenticationCheckForWorkloadIdentityGSA

func AuthenticationCheckForWorkloadIdentityGSA(resource string, client *http.Client) error

AuthenticationCheckForWorkloadIdentityGSA performs the authentication check for Pod in workload-identity-gsa mode.

func EnqueueBrokerCell

func EnqueueBrokerCell(impl *controller.Impl, brokerCellLister v1alpha1.BrokerCellLister) cache.ResourceEventHandler

EnqueueBrokerCell returns an event handler for resources which are not created/owned by brokercell. It is used for serviceAccountInformer and secretinformer.

func EnqueuePullSubscription

func EnqueuePullSubscription(impl *controller.Impl, pullSubscriptionLister listers.PullSubscriptionLister) cache.ResourceEventHandler

EnqueuePullSubscription returns an event handler for resources which are not created/owned by pullsubscription. It is used for serviceAccountInformer.

func EnqueueTopic

func EnqueueTopic(impl *controller.Impl, topicLister listers.TopicLister) cache.ResourceEventHandler

EnqueueTopic returns an event handler for resources which are not created/owned by topic. It is used for serviceAccountInformer.

func GetEventList

func GetEventList(ctx context.Context, kubeClientSet kubernetes.Interface, pod, namespace string) (*corev1.EventList, error)

GetEventList get a list of k8s event in a certain namespace with certain field selector related to Pod.

func GetMountFailureMessageFromEventList

func GetMountFailureMessageFromEventList(el *corev1.EventList, secret *corev1.SecretKeySelector) string

GetMountFailureMessageFromEventList gets the k8s events message that related to secret errors. It returns the first relevant k8s event message from any Event in the list.

func GetPodList

func GetPodList(ctx context.Context, ls labels.Selector, kubeClientSet kubernetes.Interface, namespace string) (*corev1.PodList, error)

GetPodList get a list of Pods in a certain namespace with certain label selector.

func GetTerminationLogFromPodList

func GetTerminationLogFromPodList(pl *corev1.PodList) string

GetTerminationLogFromPodList gets the termination log from Pods that failed due to authentication check errors. It returns the first authentication termination log from any Pods in the list.

Types

type AuthType

type AuthType string
const (
	// Secret option is referring to authentication configuration for secret.
	// https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform#importing_credentials_as_a_secret
	Secret AuthType = "secret"
	// WorkloadIdentityGSA option is referring to authentication configuration for Workload Identity using GSA
	// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
	WorkloadIdentityGSA AuthType = "workload-identity-gsa"
	WorkloadIdentity    AuthType = "workload-identity"
)

func GetAuthTypeForBrokerCell

func GetAuthTypeForBrokerCell(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister,
	secretLister corev1listers.SecretLister, args AuthTypeArgs) (AuthType, error)

GetAuthTypeForBrokerCell will get authType for BrokerCell.

func GetAuthTypeForSources

func GetAuthTypeForSources(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, args AuthTypeArgs) (AuthType, error)

GetAuthTypeForSources will get authType for Sources.

type AuthTypeArgs

type AuthTypeArgs struct {
	Namespace          string
	ServiceAccountName string
	Secret             *corev1.SecretKeySelector
}

type AuthenticationCheck

type AuthenticationCheck interface {
	Check(ctx context.Context) error
}

func NewDefault

func NewDefault(authType AuthType) AuthenticationCheck

type FakeAuthenticationCheck

type FakeAuthenticationCheck struct {
	Err error
}

func (*FakeAuthenticationCheck) Check

type ProbeChecker

type ProbeChecker struct {
	// contains filtered or unexported fields
}

func NewProbeChecker

func NewProbeChecker(logger *zap.Logger, authType AuthType) ProbeChecker

NewProbeChecker returns ProbeChecker with default probe checker port.

func (*ProbeChecker) ServeHTTP

func (pc *ProbeChecker) ServeHTTP(w http.ResponseWriter, req *http.Request)

ServerHTTP will perform the authentication check if the request path is /healthz.

func (*ProbeChecker) Start

func (pc *ProbeChecker) Start(ctx context.Context)

Start will initialize an http server and start to listen.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL