workload

package
v0.101.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2024 License: MPL-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// FormatTypeValue indicates that the value itself contains the access_token
	FormatTypeValue = "value"

	// FormatTypeJSON indicates that the response is a JSON payload that
	// contains the access_token.
	FormatTypeJSON = "json"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSCredentialSource

type AWSCredentialSource struct {
	// IMDSv2 indicates that IMDSv2 endpoint should be used.
	IMDSv2 bool `json:"imds_v2,omitempty"`
	// contains filtered or unexported fields
}

AWSCredentialSource sources credentials by interacting with the AWS IMDS endpoint to sign an AWS GetCallerIdentity request. The signed request can then be used by HCP to return HCP Service Principal credentials based on the identity of the AWS workload.

type CredentialFormat

type CredentialFormat struct {
	// Type is either "text" or "json". When not provided "text" type is assumed.
	Type string `json:"format_type,omitempty"`

	// SubjectCredentialPointer is a JSON pointer that indicates how to access
	// the subject credential.
	SubjectCredentialPointer string `json:"subject_cred_pointer,omitempty"`
}

CredentialFormat configures how to extract the credential from the source value. It supports either treating the entire response as the value or extracting a particular field from a JSON response.

func (CredentialFormat) Validate

func (cf CredentialFormat) Validate() error

Validate validates the format configuration.

type EnvironmentVariableCredentialSource

type EnvironmentVariableCredentialSource struct {
	// Var sources the external credential value from the given environment variable.
	Var string `json:"var,omitempty"`

	// CredentialFormat configures how the credentials are extracted from the environment
	// variable value.
	CredentialFormat
}

EnvironmentVariableCredentialSource sources credentials by reading the specified environment variable.

func (*EnvironmentVariableCredentialSource) Validate

Validate validates the config.

type FileCredentialSource

type FileCredentialSource struct {
	// Path sources the external credential by reading the value from the
	// specified file path.
	Path string `json:"path,omitempty"`

	// CredentialFormat configures how the credentials are extracted from the file.
	CredentialFormat
}

FileCredentialSource sources credentials by reading the file at the given path.

func (*FileCredentialSource) Validate

func (fc *FileCredentialSource) Validate() error

Validate validates the config.

type IdentityProviderConfig

type IdentityProviderConfig struct {
	// ProviderResourceName is the resource name of the workload identity
	// provider to exchange the access_token with.
	ProviderResourceName string `json:"provider_resource_name,omitempty"`

	// File sources the subject credential from a file.
	File *FileCredentialSource `json:"file,omitempty"`

	// EnvironmentVariable sources the subject credential from an environment
	// variable.
	EnvironmentVariable *EnvironmentVariableCredentialSource `json:"env,omitempty"`

	// URL sources the subject credential by making a HTTP request to the
	// provided URL.
	URL *URLCredentialSource `json:"url,omitempty"`

	// AWS uses the IMDS endpoint to retrieve the AWS Caller Identity.
	AWS *AWSCredentialSource `json:"aws,omitempty"`
}

IdentityProviderConfig configures how to source a workload credential and exchange it for an HCP Service Principal access token using Workload Identity Federation.

func (*IdentityProviderConfig) Validate

func (c *IdentityProviderConfig) Validate() error

Validate validates the config.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider sources a workload token and exchanges it for a HCP service principal access token. It implements the oauth2.TokenSource interface.

func New

New takes an IdentityProviderConfig and returns a Provider or an error if the configuration is invalid. The provider can then be used as an auth source when creating the HCP Configuration.

func (*Provider) ResourceName added in v0.71.0

func (p *Provider) ResourceName() string

ResourceName returns the resource name of the provider.

func (*Provider) SetAPI

func (p *Provider) SetAPI(info hcpAPIInfo)

SetAPI configures the HCP API to use. This will be called by the WithWorkloadIdentity helper.

func (*Provider) Token

func (p *Provider) Token() (*oauth2.Token, error)

Token implements the oauth2.TokenSource interface. It retrieves the workload subject token using the configured credential source and then exchanges it for the HCP SP access_token.

type URLCredentialSource

type URLCredentialSource struct {
	// URL reads the credentials by invoking the given URL with the headers.
	URL string `json:"url,omitempty"`

	// Headers are included when invoking the given URL.
	Headers map[string]string `json:"headers,omitempty"`

	// CredentialFormat configures how the credentials are extracted from the HTTP
	// response body.
	CredentialFormat
}

URLCredentialSource sources credentials by making an HTTP request to the given URL.

func (*URLCredentialSource) Validate

func (uc *URLCredentialSource) Validate() error

Validate validates the config.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL