Overview ¶
Copyright 2019 The OpenShift Authors.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- func CalculateSliceDiff(original, new []string) ([]string, []string)
- func CreateRole(gcpClient ccgcp.Client, permissions []string, ...) (*iamadminpb.Role, error)
- func CreateServiceAccount(gcpClient ccgcp.Client, ...) (*iamadminpb.ServiceAccount, error)
- func DeleteRole(gcpClient ccgcp.Client, roleName string) (*iamadminpb.Role, error)
- func DeleteServiceAccount(gcpClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount) error
- func EnsurePolicyBindingsForProject(rootClient ccgcp.Client, roles []string, member string) error
- func EnsurePolicyBindingsForServiceAccount(rootClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount, roles []string, ...) error
- func GenerateRoleID(projectName string, crName string) (string, error)
- func GenerateRoleName(projectName string, crName string) (string, error)
- func GetRole(gcpClient ccgcp.Client, roleID, projectName string) (*iamadminpb.Role, error)
- func GetServiceAccount(gcpClient ccgcp.Client, svcAcctID string) (*iamadminpb.ServiceAccount, error)
- func RemovePolicyBindingsForProject(gcpClient ccgcp.Client, memberName string) error
- func ServiceAccountBindingName(svcAccount *iamadminpb.ServiceAccount) string
- func UndeleteRole(gcpClient ccgcp.Client, roleName string) (*iamadminpb.Role, error)
- func UpdateRole(gcpClient ccgcp.Client, role *iamadminpb.Role, roleName string) (*iamadminpb.Role, error)
- type Actuator
- func (a *Actuator) Create(ctx context.Context, cr *minterv1.CredentialsRequest) error
- func (a *Actuator) Delete(ctx context.Context, cr *minterv1.CredentialsRequest) error
- func (a *Actuator) Exists(ctx context.Context, cr *minterv1.CredentialsRequest) (bool, error)
- func (a *Actuator) GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)
- func (a *Actuator) GetCredentialsRootSecretLocation() types.NamespacedName
- func (a *Actuator) IsTimedTokenCluster(c client.Client, ctx context.Context, logger log.FieldLogger) (bool, error)
- func (a *Actuator) Update(ctx context.Context, cr *minterv1.CredentialsRequest) error
- func (a *Actuator) Upgradeable(mode operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition
Functions ¶
func CalculateSliceDiff ¶
CalculateSliceDiff compares the two slices and returns two new slices. The first holds every element of new that is not present in original; the second holds every element of original that is not present in new. In other words, the first slice is what new has "added" relative to original and the second is what new has "removed" from original.
func CreateRole ¶
func CreateRole(gcpClient ccgcp.Client, permissions []string, roleName, roleID, roleDescription, projectName string) (*iamadminpb.Role, error)
CreateRole creates a new custom IAM role in projectName, identified by roleID and titled roleName, that grants exactly the listed permissions. Keep the permission list to what the CredentialsRequest actually needs: this role defines the privileges that are later bound to a member via EnsurePolicyBindingsForProject.
func CreateServiceAccount ¶
func CreateServiceAccount(gcpClient ccgcp.Client, svcAcctID, svcAcctName, svcAcctDescription, projectName string) (*iamadminpb.ServiceAccount, error)
func DeleteRole ¶
DeleteRole deletes the custom role that was created to satisfy a credentials request. GCP soft-deletes custom roles, so a deleted role remains recoverable via UndeleteRole until it is pruned.
func DeleteServiceAccount ¶
func DeleteServiceAccount(gcpClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount) error
func EnsurePolicyBindingsForProject ¶
EnsurePolicyBindingsForProject ensures that, for the given roles and member, the corresponding bindings are present in the project's IAM policy. A project-level binding grants the member each role across the whole project, so only roles the member genuinely needs should be passed here.
func EnsurePolicyBindingsForServiceAccount ¶
func EnsurePolicyBindingsForServiceAccount(rootClient ccgcp.Client, svcAcct *iamadminpb.ServiceAccount, roles []string, member string) error
EnsurePolicyBindingsForServiceAccount ensures that, for the given roles and member, the corresponding bindings are present in the IAM policy of the service account resource svcAcct itself (as opposed to the project policy). Bindings on a service account typically govern who may act on or as that service account, so member should be tightly scoped.
func GenerateRoleID ¶
GenerateRoleID generates an ID for the role from the project name and the CredentialsRequest name. A role ID may be at most 64 characters and may contain only letters, digits, periods and underscores, so projectName and crName are first sanitized to alphanumerics and the ID is then split 32_31, giving: <projectName truncated to 32 chars>_<crName truncated to 31 chars>. Note that because of the truncation the ID is not guaranteed to be unique: two requests whose sanitized names share a sufficiently long prefix map to the same role ID.
func GenerateRoleName ¶
GenerateRoleName generates a name for the role from the project name and the CredentialsRequest name. A role name may be at most 100 characters, so the name is split 50-49, giving: <projectName truncated to 50 chars>-<crName truncated to 49 chars>. As with GenerateRoleID, truncation means uniqueness is not guaranteed for long names that share a prefix.
func GetServiceAccount ¶
func GetServiceAccount(gcpClient ccgcp.Client, svcAcctID string) (*iamadminpb.ServiceAccount, error)
func RemovePolicyBindingsForProject ¶
RemovePolicyBindingsForProject removes every binding for the given member from the project's IAM policy, regardless of role. Because it is keyed on the member alone, passing the wrong memberName would strip bindings that this operator did not create.
func ServiceAccountBindingName ¶
func ServiceAccountBindingName(svcAccount *iamadminpb.ServiceAccount) string
func UndeleteRole ¶
UndeleteRole restores a previously deleted custom role that GCP has not yet permanently pruned.
func UpdateRole ¶
func UpdateRole(gcpClient ccgcp.Client, role *iamadminpb.Role, roleName string) (*iamadminpb.Role, error)
UpdateRole updates the existing role identified by roleName to match the supplied role definition, including its permission set.
Types ¶
type Actuator ¶
type Actuator struct {
	// ProjectName is the GCP project in which this actuator manages roles and
	// service accounts.
	ProjectName string
	// Client is a cluster API client; presumably used for CredentialsRequests
	// and their target secrets — confirm against the implementation.
	Client client.Client
	// RootCredClient is a cluster API client; presumably the one used to read
	// the root credentials secret (see GetCredentialsRootSecret) — confirm.
	RootCredClient client.Client
	// GCPClientBuilder builds a GCP client from a string and a byte payload.
	// NOTE(review): the []byte looks like it carries the credential material
	// from the root secret; treat it as a secret and never log it — confirm.
	GCPClientBuilder func(string, []byte) (ccgcp.Client, error)
}
Actuator implements the CredentialsRequest Actuator interface to create credentials for GCP.
func NewActuator ¶
NewActuator initializes and returns a new Actuator for GCP.
func (*Actuator) Delete ¶
Delete removes the credentials. If it returns nil, callers assume that every dependent resource (presumably the GCP service account, its custom role and its policy bindings) has been cleaned up, so a partial failure must be surfaced as an error rather than swallowed.
func (*Actuator) Exists ¶
Exists checks if the credentials currently exist.
To do this we check only whether the target secret exists. This call is used solely to decide between Create and Update, and in the context of this actuator that distinction makes no difference, so we do not check whether the service account exists in GCP and is correctly configured; both Create and Update handle that. Consequently a true result means only that the secret is present, not that the GCP-side resources are intact.
func (*Actuator) GetCredentialsRootSecret ¶
func (a *Actuator) GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)
GetCredentialsRootSecret returns the cluster's root GCP cloud credentials secret if it exists and carries the expected annotation; a secret that is present but not properly annotated is not returned.
func (*Actuator) GetCredentialsRootSecretLocation ¶
func (a *Actuator) GetCredentialsRootSecretLocation() types.NamespacedName
GetCredentialsRootSecretLocation returns the namespace and name where the parent credentials secret is stored.
func (*Actuator) IsTimedTokenCluster ¶
func (*Actuator) Upgradeable ¶
func (a *Actuator) Upgradeable(mode operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition
Upgradeable returns a ClusterOperator status condition of the Upgradeable type when the system is considered not upgradeable for the given CloudCredentialsMode. Otherwise it returns nil, since the default is for the cluster to be upgradeable.