oauth

package
Published: Nov 28, 2024 License: Apache-2.0 Imports: 46 Imported by: 0

Constants

// Port numbers used when wiring the OAuth server into the hosted control plane.
const (
	// OAuthServerPort is the port the OAuth server listens on inside the pod;
	// presumably the Service reconciled by ReconcileService targets it — confirm there.
	OAuthServerPort   = 6443
	// RouteExternalPort is the port (HTTPS, 443) on which the server is reachable
	// through the external route.
	RouteExternalPort = 443
)
// Names of the HTML templates that the OAuth server renders for the login page,
// the identity-provider selection page and error pages. The *Key constants are
// the bare file names; the *File constants are their paths under "templates/",
// which is presumably the argument MustTemplate expects — confirm against its body.
const (
	LoginTemplateKey             = "login.html"
	ProviderSelectionTemplateKey = "providers.html"
	ErrorsTemplateKey            = "errors.html"

	LoginTemplateFile             = "templates/" + LoginTemplateKey
	ProviderSelectionTemplateFile = "templates/" + ProviderSelectionTemplateKey
	ErrorsTemplateFile            = "templates/" + ErrorsTemplateKey
)
const (
	// IDPVolumePathPrefix is the directory under which identity-provider
	// ConfigMaps and Secrets are mounted into the OAuth server container.
	// NOTE(review): presumably the base for IDPVolumeMountInfo.ConfigMapPath and
	// SecretPath — confirm how those methods join index/name/field/key onto it.
	IDPVolumePathPrefix = "/etc/oauth/idp"
)
const (
	// OAuthServerConfigKey is the ConfigMap data key that holds the rendered
	// OAuth server configuration; presumably written by ReconcileOAuthServerConfig
	// and read by the server via the ConfigMap mount — confirm in ReconcileDeployment.
	OAuthServerConfigKey = "config.yaml"
)
const (
	// SessionSecretsFileKey is the Secret data key under which the OAuth server's
	// session secrets file is stored; presumably populated by ReconcileSessionSecret
	// — confirm there. The value is secret material, so callers should avoid
	// logging or dumping the Secret that carries it.
	SessionSecretsFileKey = "v4-0-config-system-session"
)

Variables

This section is empty.

Functions

func BuildOAuthVolumeErrorTemplate added in v0.1.12

func BuildOAuthVolumeErrorTemplate(v *corev1.Volume, params *OAuthConfigParams)

func BuildOAuthVolumeLoginTemplate added in v0.1.12

func BuildOAuthVolumeLoginTemplate(v *corev1.Volume, params *OAuthConfigParams)

func BuildOAuthVolumeProvidersTemplate added in v0.1.12

func BuildOAuthVolumeProvidersTemplate(v *corev1.Volume, params *OAuthConfigParams)

func MustTemplate

func MustTemplate(name string) []byte

func ReconcileAuditConfig added in v0.1.40

func ReconcileAuditConfig(cm *corev1.ConfigMap, ownerRef config.OwnerRef, auditConfig configv1.Audit) error

func ReconcileDeployment

func ReconcileDeployment(ctx context.Context, client client.Client, deployment *appsv1.Deployment, auditWebhookRef *corev1.LocalObjectReference, ownerRef config.OwnerRef, config *corev1.ConfigMap, auditConfig *corev1.ConfigMap, image string, deploymentConfig config.DeploymentConfig, identityProviders []configv1.IdentityProvider, providerOverrides map[string]*ConfigOverride, availabilityProberImage string, namedCertificates []configv1.APIServerNamedServingCert, proxyImage string, proxyConfig *configv1.ProxySpec, clusterNoProxy string, oauthNoProxy []string, params *OAuthConfigParams, platformType hyperv1.PlatformType) error

func ReconcileErrorTemplateSecret

func ReconcileErrorTemplateSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileExternalPrivateRoute added in v0.1.2

func ReconcileExternalPrivateRoute(route *routev1.Route, ownerRef config.OwnerRef, hostname string, defaultIngressDomain string, labelHCPRoutes bool) error

func ReconcileExternalPublicRoute added in v0.1.2

func ReconcileExternalPublicRoute(route *routev1.Route, ownerRef config.OwnerRef, hostname string, defaultIngressDomain string, labelHCPRoutes bool) error

func ReconcileInternalRoute

func ReconcileInternalRoute(route *routev1.Route, ownerRef config.OwnerRef) error

func ReconcileLoginTemplateSecret

func ReconcileLoginTemplateSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOAuthServerConfig

func ReconcileOAuthServerConfig(ctx context.Context, cm *corev1.ConfigMap, ownerRef config.OwnerRef, client crclient.Client, params *OAuthConfigParams) error

func ReconcilePodDisruptionBudget

func ReconcilePodDisruptionBudget(pdb *policyv1.PodDisruptionBudget, p *OAuthServerParams) error

func ReconcileProviderSelectionTemplateSecret

func ReconcileProviderSelectionTemplateSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileService

func ReconcileService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy) error

func ReconcileServiceStatus

func ReconcileServiceStatus(svc *corev1.Service, route *routev1.Route, strategy *hyperv1.ServicePublishingStrategy) (host string, port int32, message string, err error)

func ReconcileSessionSecret

func ReconcileSessionSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

Types

type ConfigOverride

// ConfigOverride defines the OAuth parameters that can be overridden in special
// use cases. The only supported use case for this currently is the IBMCloud IAM
// OIDC provider; these overrides exist because the public OpenID API does not
// support some customizations that provider needs. The type can be removed if
// the public API is adjusted to allow specifying them.
type ConfigOverride struct {
	// URLs presumably replaces the provider's OpenID endpoint URLs — confirm in
	// ConvertIdentityProviders.
	URLs      osinv1.OpenIDURLs   `json:"urls,omitempty"`
	// Claims presumably replaces the provider's OpenID claim mappings — confirm in
	// ConvertIdentityProviders.
	Claims    osinv1.OpenIDClaims `json:"claims,omitempty"`
	// Challenge is a pointer so that "not set" (nil, omitted from JSON) stays
	// distinguishable from an explicit false.
	Challenge *bool               `json:"challenge,omitempty"`
}

ConfigOverride defines the oauth parameters that can be overridden in special use cases. The only supported use case for this currently is the IBMCloud IAM OIDC provider. These parameters are necessary since the public OpenID api does not support some customizations used in the IBMCloud IAM OIDC provider. This can be removed if the public API is adjusted to allow specifying these customizations.

type IDPVolumeMountInfo

// IDPVolumeMountInfo collects the pod volumes and container mounts needed to
// expose identity-provider ConfigMaps and Secrets to the OAuth server.
// It is returned by ConvertIdentityProviders alongside the converted providers.
type IDPVolumeMountInfo struct {
	// Container is the name of the container that receives the mounts — presumably
	// the OAuth server container; confirm in ReconcileDeployment.
	Container    string
	// VolumeMounts maps the container's mount paths for the IDP volumes.
	VolumeMounts util.PodVolumeMounts
	// Volumes is the list of pod volumes backing those mounts, one per referenced
	// ConfigMap/Secret.
	Volumes      []corev1.Volume
}

func ConvertIdentityProviders added in v0.1.50

func ConvertIdentityProviders(ctx context.Context, identityProviders []configv1.IdentityProvider, providerOverrides map[string]*ConfigOverride, kclient crclient.Client, namespace string) ([]osinv1.IdentityProvider, *IDPVolumeMountInfo, error)

func (*IDPVolumeMountInfo) ConfigMapPath

func (i *IDPVolumeMountInfo) ConfigMapPath(index int, configMapName, field, key string) string

func (*IDPVolumeMountInfo) SecretPath

func (i *IDPVolumeMountInfo) SecretPath(index int, secretName, field, key string) string

type OAuthConfigParams

// OAuthConfigParams carries everything needed to render the OAuth server
// configuration and its templates. It is built by OAuthServerParams.ConfigParams
// and consumed by ReconcileOAuthServerConfig and the BuildOAuthVolume* helpers.
type OAuthConfigParams struct {
	// ExternalAPIHost/ExternalAPIPort are presumably the externally reachable
	// address of the hosted cluster's API server — confirm against NewOAuthServerParams.
	ExternalAPIHost              string
	ExternalAPIPort              int32
	// ExternalHost/ExternalPort are presumably the externally reachable address of
	// the OAuth server itself (used for redirect/login URLs) — confirm.
	ExternalHost                 string
	ExternalPort                 int32
	// ServingCert is the Secret holding the server's serving certificate and key.
	// NOTE(review): it carries private key material; do not log or serialize this
	// struct wholesale.
	ServingCert                  *corev1.Secret
	// NamedCertificates are additional per-hostname (SNI) serving certificates.
	NamedCertificates            []configv1.APIServerNamedServingCert
	// CipherSuites and MinTLSVersion define the TLS profile the server should
	// accept; presumably rendered into the serving config by
	// ReconcileOAuthServerConfig — confirm there.
	CipherSuites                 []string
	MinTLSVersion                string
	// IdentityProviders are the cluster-level IDP definitions to render.
	IdentityProviders            []configv1.IdentityProvider
	// AccessTokenMaxAgeSeconds bounds the lifetime of issued access tokens.
	AccessTokenMaxAgeSeconds     int32
	// AccessTokenInactivityTimeout, when non-nil, is the idle timeout for access
	// tokens; nil presumably means no inactivity timeout — confirm in the renderer.
	AccessTokenInactivityTimeout *metav1.Duration
	// OauthConfigOverrides contains a mapping from provider name to the config overrides specified for the provider.
	// The only supported use case of using this is for the IBMCloud IAM OIDC provider.
	OauthConfigOverrides map[string]*ConfigOverride
	// LoginURLOverride can be used to specify an override for the OAuth config login URL. The need for this arises
	// when the login URL a provider uses doesn't conform to the standard login URL in HyperShift. The only supported
	// use case for this is IBM Cloud Red Hat OpenShift.
	LoginURLOverride string
	// OAuthTemplates references the custom login/provider-selection/error
	// templates, if any, configured for the cluster.
	OAuthTemplates   configv1.OAuthTemplates
}

type OAuthServerParams

// OAuthServerParams holds the inputs for reconciling the OAuth server deployment
// and its supporting resources. Construct it with NewOAuthServerParams; the
// accessor methods (CipherSuites, MinTLSVersion, IdentityProviders, ...) derive
// the values that ConfigParams packs into an OAuthConfigParams.
//
// NOTE(review): only some fields carry json tags. Fields without one
// (OAuthServerImage, OAuth, ProxyConfig, ...) still serialize under their Go
// field names with encoding/json — keep that in mind if this struct is ever
// dumped for debugging, since OAuth may include provider client secrets by reference.
type OAuthServerParams struct {
	OwnerRef                config.OwnerRef `json:"ownerRef"`
	// ExternalHost/ExternalPort are presumably the external OAuth endpoint — confirm
	// against the host/port arguments of NewOAuthServerParams.
	ExternalHost            string          `json:"externalHost"`
	ExternalPort            int32           `json:"externalPort"`
	// ExternalAPIHost/ExternalAPIPort are presumably the external API server address — confirm.
	ExternalAPIHost         string          `json:"externalAPIHost"`
	ExternalAPIPort         int32           `json:"externalAPIPort"`
	// OAuthServerImage is the container image to run for the OAuth server.
	OAuthServerImage        string
	// The ",inline" option is a sigs.k8s.io/yaml convention; encoding/json ignores
	// the option but still promotes the embedded fields because the tag name is empty.
	config.DeploymentConfig `json:",inline"`
	// OAuth is the cluster OAuth spec; presumably the source for the
	// IdentityProviders, OauthTemplates and access-token accessors — confirm.
	OAuth                   *configv1.OAuthSpec
	// ProxyConfig is the cluster-wide proxy spec, if any.
	ProxyConfig             *configv1.ProxySpec
	// APIServer is the API server spec; presumably the source for the TLS profile
	// (CipherSuites, MinTLSVersion) and NamedCertificates accessors — confirm.
	APIServer               *configv1.APIServerSpec `json:"apiServer"`
	// OauthConfigOverrides contains a mapping from provider name to the config overrides specified for the provider.
	// The only supported use case of using this is for the IBMCloud IAM OIDC provider.
	OauthConfigOverrides map[string]*ConfigOverride
	// LoginURLOverride can be used to specify an override for the OAuth config login URL. The need for this arises
	// when the login URL a provider uses doesn't conform to the standard login URL in HyperShift. The only supported
	// use case for this is IBM Cloud Red Hat OpenShift.
	LoginURLOverride        string
	// AvailabilityProberImage is the image used for the availability prober sidecar/init.
	AvailabilityProberImage string `json:"availabilityProberImage"`
	// Availability is the control plane availability policy; presumably drives
	// replica count and the PodDisruptionBudget — confirm in ReconcilePodDisruptionBudget.
	Availability            hyperv1.AvailabilityPolicy
	// ProxyImage is the image that contains the control-plane-operator binary that will
	// be used to run konnectivity-socks5-proxy and konnectivity-https-proxy
	ProxyImage string
	// OAuthNoProxy is a list of hosts or IPs that should not be routed through
	// konnectivity. Currently only used for IBM Cloud specific addresses.
	OAuthNoProxy    []string
	// AuditWebhookRef, when non-nil, references the audit webhook Secret that
	// ReconcileDeployment wires into the server.
	AuditWebhookRef *corev1.LocalObjectReference
}

func NewOAuthServerParams

func NewOAuthServerParams(hcp *hyperv1.HostedControlPlane, releaseImageProvider imageprovider.ReleaseImageProvider, host string, port int32, setDefaultSecurityContext bool) *OAuthServerParams

func (*OAuthServerParams) AccessTokenInactivityTimeout added in v0.1.10

func (p *OAuthServerParams) AccessTokenInactivityTimeout() *metav1.Duration

func (*OAuthServerParams) AccessTokenMaxAgeSeconds

func (p *OAuthServerParams) AccessTokenMaxAgeSeconds() int32

func (*OAuthServerParams) AuditPolicyConfig added in v0.1.40

func (p *OAuthServerParams) AuditPolicyConfig() configv1.Audit

func (*OAuthServerParams) CipherSuites

func (p *OAuthServerParams) CipherSuites() []string

func (*OAuthServerParams) ConfigParams

func (p *OAuthServerParams) ConfigParams(servingCert *corev1.Secret) *OAuthConfigParams

func (*OAuthServerParams) IdentityProviders

func (p *OAuthServerParams) IdentityProviders() []configv1.IdentityProvider

func (*OAuthServerParams) MinTLSVersion

func (p *OAuthServerParams) MinTLSVersion() string

func (*OAuthServerParams) NamedCertificates

func (p *OAuthServerParams) NamedCertificates() []configv1.APIServerNamedServingCert

func (*OAuthServerParams) OauthTemplates added in v0.1.12

func (p *OAuthServerParams) OauthTemplates() configv1.OAuthTemplates

type OAuthServiceParams

// OAuthServiceParams holds the inputs for reconciling the OAuth server Service
// and routes. Construct it with NewOAuthServiceParams.
type OAuthServiceParams struct {
	// OAuth is the cluster OAuth resource (not just its spec, unlike OAuthServerParams.OAuth).
	OAuth    *configv1.OAuth `json:"oauth"`
	// OwnerRef is applied to every reconciled object so it is garbage collected
	// with its owner.
	OwnerRef config.OwnerRef `json:"ownerRef"`
}

func NewOAuthServiceParams

func NewOAuthServiceParams(hcp *hyperv1.HostedControlPlane) *OAuthServiceParams
