Documentation ¶
Overview ¶
Package credentials handles the access to credentials for consumers of credential sets.
A credentials set is just a set of simple key/values pair, for example username and password. Every credential consumer, for example repository implementation of other context types, (OCI repositories, OCM repositories, ...) uses the same procedure to get to its credentials:
- it composes a most significant typed ConsumerIdentity for every request. This is a set of name/value pairs describing the access context. For an OCI registry, this is for example: - the type (OCIRegistry) - the hostname - an optional port - the repository path
- it then requests credentials from its credentials Context for this consumer.
- the credentials context matches the requested consumer against configured consumers using a dedicated matcher. (For example: finding the consumer specification with the longest matching repository path prefix (for OCI))
- the credentials for the best matching entry are then returned to the requester.
The credentials context is the mediator between credential providers and credential consumers. Here
- it is possible to explicitly configure credentials for consumer ids
- it is possible to manage credential repositories providing named credential sets and
- to map dedicated such sets to consumer ids.
- specialized credential repositories, may propagate their contained credentials to auto-calculated consumer ids.
This way, there is a special credential repository type DockerConfig. It knows what its credentials are meant for (for accessing OCI registries). When instantiating such a repository, it automatically exposes its credentials under the appropriate consumer ids used by the OCI repository implementation. But docker does not allow for separate credentials for different repository prefixes in OCI registries (for example organisations in ghcr.io), only per host. Therefore, the propagated consumer ids do not provide the path property of a consumer id. Together with the path prefix matcher, those id settings therefore match all OCI credential requests for all repository paths of a dedicated host, as long as there is no more significant setting.
The credentials context also provides a configuration objeect managed by a ConfigurationContext and used to configure a credentials context. The serialization form of this object can be put into a configuration object of the configuration context. For example, the .ocmconfig file is then a serialization of such an object which is initially read by the OCM CLI to configure the used ConfigurationContext. If it describes a credentials configuration this one is applied to the credentials context. Such a credentials config object allows to
- describe direct consumer id to credential set mappings
- describe the instantiation of credential repositories (for example a dockerconfig repo)
- the mapping of credential sets of any credential repository to consumer ids (for example mapping of vault entries to consumers (vault not implemented yet)
As for very context type the Context is the central element of this package. It provides access to the complete functionality by bundling all the settings required to provide credentials to its clients.
Index ¶
- Constants
- Variables
- func DefaultContext() internal.Context
- func ErrUnknownCredentials(name string) error
- func GetClientCerts(ctx ContextProvider, creds Credentials) ([]tls.Certificate, error)
- func GetProvidedIdentityMatcher(obj interface{}) string
- func GetRootCAs(ctx ContextProvider, creds Credentials) (*x509.CertPool, error)
- func GuessConsumerType(ctxp ContextProvider, spec string) string
- func RepositoryUsage(scheme RepositoryTypeScheme) string
- func WithConfigs(ctx config.Context) internal.Builder
- func WithContext(ctx context.Context) internal.Builder
- func WithRepositoyTypeScheme(scheme RepositoryTypeScheme) internal.Builder
- func WithStandardConumerMatchers(matchers internal.IdentityMatcherRegistry) internal.Builder
- type ConsumerIdentity
- type ConsumerIdentityProvider
- type Context
- type ContextProvider
- type Credentials
- func CredentialsFor(ctx ContextProvider, obj interface{}, uctx ...UsageContext) (Credentials, error)
- func CredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
- func CredentialsFromList(props ...string) Credentials
- func NewCredentials(props common.Properties) Credentials
- func RequiredCredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
- type CredentialsChain
- type CredentialsSource
- type CredentialsSpec
- type DirectCredentials
- type GenericCredentialsSpec
- type GenericRepositorySpec
- type IdentityMatcher
- type IdentityMatcherInfo
- type IdentityMatcherInfos
- type IdentityMatcherRegistry
- type ProviderIdentity
- type Repository
- type RepositorySpec
- type RepositoryTypeScheme
- type StringUsageContext
- type UsageContext
Constants ¶
const ( ID_TYPE = internal.ID_TYPE ATTR_TYPE = internal.ATTR_TYPE ATTR_USERNAME = internal.ATTR_USERNAME ATTR_PASSWORD = internal.ATTR_PASSWORD ATTR_CERTIFICATE_AUTHORITY = internal.ATTR_CERTIFICATE_AUTHORITY ATTR_CERTIFICATE = internal.ATTR_CERTIFICATE // PEM encoded ATTR_PRIVATE_KEY = internal.ATTR_PRIVATE_KEY // PEM encoded ATTR_SERVER_ADDRESS = internal.ATTR_SERVER_ADDRESS ATTR_IDENTITY_TOKEN = internal.ATTR_IDENTITY_TOKEN ATTR_REGISTRY_TOKEN = internal.ATTR_REGISTRY_TOKEN ATTR_TOKEN = internal.ATTR_TOKEN )
const ( KIND_CREDENTIALS = internal.KIND_CREDENTIALS KIND_CONSUMER = internal.KIND_CONSUMER KIND_REPOSITORY = internal.KIND_REPOSITORY )
const AliasRepositoryType = internal.AliasRepositoryType
const CONTEXT_TYPE = internal.CONTEXT_TYPE
Variables ¶
var ( CompleteMatch = internal.CompleteMatch NoMatch = internal.NoMatch PartialMatch = internal.PartialMatch )
Functions ¶
func DefaultContext ¶
func ErrUnknownCredentials ¶
func GetClientCerts ¶ added in v0.8.0
func GetClientCerts(ctx ContextProvider, creds Credentials) ([]tls.Certificate, error)
func GetProvidedIdentityMatcher ¶ added in v0.3.0
func GetProvidedIdentityMatcher(obj interface{}) string
func GetRootCAs ¶ added in v0.8.0
func GetRootCAs(ctx ContextProvider, creds Credentials) (*x509.CertPool, error)
func GuessConsumerType ¶ added in v0.7.0
func GuessConsumerType(ctxp ContextProvider, spec string) string
func RepositoryUsage ¶ added in v0.5.0
func RepositoryUsage(scheme RepositoryTypeScheme) string
func WithRepositoyTypeScheme ¶
func WithRepositoyTypeScheme(scheme RepositoryTypeScheme) internal.Builder
func WithStandardConumerMatchers ¶
func WithStandardConumerMatchers(matchers internal.IdentityMatcherRegistry) internal.Builder
Types ¶
type ConsumerIdentity ¶
type ConsumerIdentity = internal.ConsumerIdentity
func GetProvidedConsumerId ¶ added in v0.3.0
func GetProvidedConsumerId(obj interface{}, uctx ...UsageContext) ConsumerIdentity
func NewConsumerIdentity ¶ added in v0.3.0
func NewConsumerIdentity(typ string, attrs ...string) ConsumerIdentity
type ConsumerIdentityProvider ¶ added in v0.3.0
type ConsumerIdentityProvider = internal.ConsumerIdentityProvider
type Context ¶
func FromContext ¶ added in v0.3.0
func FromProvider ¶ added in v0.3.0
func FromProvider(p ContextProvider) Context
func New ¶
func New(mode ...datacontext.BuilderMode) Context
type ContextProvider ¶
type ContextProvider = internal.ContextProvider
type Credentials ¶
type Credentials = internal.Credentials
func CredentialsFor ¶ added in v0.6.0
func CredentialsFor(ctx ContextProvider, obj interface{}, uctx ...UsageContext) (Credentials, error)
func CredentialsForConsumer ¶
func CredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
CredentialsForConsumer determine effective credentials for a consumer. If no credentials are configured no error and nil is returned. It evaluates a found credentials source for the consumer to determine the final credential properties.
func CredentialsFromList ¶ added in v0.5.0
func CredentialsFromList(props ...string) Credentials
func NewCredentials ¶
func NewCredentials(props common.Properties) Credentials
func RequiredCredentialsForConsumer ¶
func RequiredCredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
RequiredCredentialsForConsumer like CredentialsForConsumer, but an errors is returned if no credentials are found.
type CredentialsChain ¶
type CredentialsChain = internal.CredentialsChain
type CredentialsSource ¶
type CredentialsSource = internal.CredentialsSource
type CredentialsSpec ¶
type CredentialsSpec = internal.CredentialsSpec
func CredentialsSpecFromList ¶ added in v0.7.0
func CredentialsSpecFromList(props ...string) CredentialsSpec
func NewCredentialsSpec ¶
func NewCredentialsSpec(name string, repospec RepositorySpec) CredentialsSpec
func NewGenericCredentialsSpec ¶
func NewGenericCredentialsSpec(name string, repospec *GenericRepositorySpec) CredentialsSpec
type DirectCredentials ¶
type DirectCredentials = internal.DirectCredentials
type GenericCredentialsSpec ¶
type GenericCredentialsSpec = internal.GenericCredentialsSpec
func ToGenericCredentialsSpec ¶
func ToGenericCredentialsSpec(spec CredentialsSpec) (*GenericCredentialsSpec, error)
type GenericRepositorySpec ¶
type GenericRepositorySpec = internal.GenericRepositorySpec
func ToGenericRepositorySpec ¶
func ToGenericRepositorySpec(spec RepositorySpec) (*GenericRepositorySpec, error)
type IdentityMatcher ¶
type IdentityMatcher = internal.IdentityMatcher
type IdentityMatcherInfo ¶
type IdentityMatcherInfo = internal.IdentityMatcherInfo
type IdentityMatcherInfos ¶ added in v0.3.0
type IdentityMatcherInfos = internal.IdentityMatcherInfos
type IdentityMatcherRegistry ¶
type IdentityMatcherRegistry = internal.IdentityMatcherRegistry
type ProviderIdentity ¶ added in v0.3.0
type ProviderIdentity = internal.ProviderIdentity
type Repository ¶
type Repository = internal.Repository
type RepositorySpec ¶
type RepositorySpec = internal.RepositorySpec
func NewGenericRepositorySpec ¶
func NewGenericRepositorySpec(data []byte, unmarshaler runtime.Unmarshaler) (RepositorySpec, error)
type RepositoryTypeScheme ¶
type RepositoryTypeScheme = internal.RepositoryTypeScheme
type StringUsageContext ¶ added in v0.3.0
type StringUsageContext = internal.StringUsageContext
type UsageContext ¶ added in v0.3.0
type UsageContext = internal.UsageContext