Documentation
¶
Index ¶
- Constants
- Variables
- func GCPProjectIDFromJSON(jsonData []byte) (string, error)
- type AWSIntegration
- func (a *AWSIntegration) Externalize() *AWSIntegrationExternal
- func (a *AWSIntegration) GetBearerToken(getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc) (string, error)
- func (a *AWSIntegration) GetSession() (*session.Session, error)
- func (a *AWSIntegration) PopulateAWSArn() error
- func (a *AWSIntegration) ToProjectIntegration(category string, service IntegrationService) *ProjectIntegration
- type AWSIntegrationExternal
- type BasicIntegration
- type BasicIntegrationExternal
- type ClusterTokenCache
- type GCPIntegration
- func (g *GCPIntegration) Externalize() *GCPIntegrationExternal
- func (g *GCPIntegration) GetBearerToken(getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, ...) (string, error)
- func (g *GCPIntegration) ToProjectIntegration(category string, service IntegrationService) *ProjectIntegration
- type GCPIntegrationExternal
- type GetTokenCacheFunc
- type HelmRepoTokenCache
- type IntegrationService
- type KubeIntegration
- type KubeIntegrationExternal
- type KubeIntegrationName
- type OAuthIntegration
- type OAuthIntegrationClient
- type OAuthIntegrationExternal
- type OIDCIntegration
- type OIDCIntegrationClient
- type OIDCIntegrationExternal
- type PorterIntegration
- type ProjectIntegration
- type RegTokenCache
- type SetTokenCacheFunc
- type TokenCache
Constants ¶
const ( KubeX509 KubeIntegrationName = "x509" KubeBasic = "basic" KubeBearer = "bearer" KubeLocal = "local" )
The supported kube auth mechanisms
Variables ¶
var PorterClusterIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "gcp", Category: "cluster", Service: GKE, }, PorterIntegration{ AuthMechanism: "aws", Category: "cluster", Service: EKS, }, PorterIntegration{ AuthMechanism: "kube", Category: "cluster", Service: Kube, }, }
PorterClusterIntegrations are the supported cluster integrations
var PorterGitRepoIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "oauth", Category: "repo", Service: Github, }, }
PorterGitRepoIntegrations are the supported git repo integrations
var PorterHelmRepoIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "basic", Category: "helm", Service: HelmRepo, }, PorterIntegration{ AuthMechanism: "gcp", Category: "helm", Service: GCS, }, PorterIntegration{ AuthMechanism: "aws", Category: "helm", Service: S3, }, }
PorterHelmRepoIntegrations are the supported helm repo integrations
var PorterRegistryIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "gcp", Category: "registry", Service: GCR, }, PorterIntegration{ AuthMechanism: "aws", Category: "registry", Service: ECR, }, PorterIntegration{ AuthMechanism: "oauth", Category: "registry", Service: Docker, }, }
PorterRegistryIntegrations are the supported registry integrations
Functions ¶
func GCPProjectIDFromJSON ¶
Types ¶
type AWSIntegration ¶
type AWSIntegration struct {
gorm.Model
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The AWS arn this is integration is linked to
AWSArn string `json:"aws_arn"`
// The optional AWS region (required by some session configurations)
AWSRegion string `json:"aws_region"`
// The AWS cluster ID
// See https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id
AWSClusterID []byte `json:"aws_cluster_id"`
// The AWS access key for this IAM user
AWSAccessKeyID []byte `json:"aws_access_key_id"`
// The AWS secret key for this IAM user
AWSSecretAccessKey []byte `json:"aws_secret_access_key"`
// An optional session token, if the user is assuming a role
AWSSessionToken []byte `json:"aws_session_token"`
}
AWSIntegration is an auth mechanism that uses a AWS IAM user to authenticate
func (*AWSIntegration) Externalize ¶
func (a *AWSIntegration) Externalize() *AWSIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*AWSIntegration) GetBearerToken ¶
func (a *AWSIntegration) GetBearerToken( getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, ) (string, error)
GetBearerToken retrieves a bearer token for an AWS account
func (*AWSIntegration) GetSession ¶
func (a *AWSIntegration) GetSession() (*session.Session, error)
GetSession retrieves an AWS session to use based on the access key and secret access key
func (*AWSIntegration) PopulateAWSArn ¶
func (a *AWSIntegration) PopulateAWSArn() error
PopulateAWSArn uses the access key/secret to get the caller identity, and attaches it to the AWS integration
func (*AWSIntegration) ToProjectIntegration ¶
func (a *AWSIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an aws integration to a project integration
type AWSIntegrationExternal ¶
type AWSIntegrationExternal struct {
ID uint `json:"id"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The AWS arn this is integration is linked to
AWSArn string `json:"aws_arn"`
}
AWSIntegrationExternal is a AWSIntegration to be shared over REST
type BasicIntegration ¶
type BasicIntegration struct {
gorm.Model
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// Username/Password for basic authentication to a cluster
Username []byte `json:"username,omitempty"`
Password []byte `json:"password,omitempty"`
}
BasicIntegration represents a basic auth mechanism via username/password
func (*BasicIntegration) Externalize ¶
func (b *BasicIntegration) Externalize() *BasicIntegrationExternal
Externalize generates an external BasicIntegration to be shared over REST
func (*BasicIntegration) ToProjectIntegration ¶
func (b *BasicIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an oauth integration to a project integration
type BasicIntegrationExternal ¶
type BasicIntegrationExternal struct {
ID uint `json:"id"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
}
BasicIntegrationExternal is a BasicIntegration to be shared over REST
type ClusterTokenCache ¶
type ClusterTokenCache struct {
TokenCache
ClusterID uint `json:"cluster_id"`
}
ClusterTokenCache is a token cache that clusters can use; a foreign key constraint between a Cluster and ClusterTokenCache is created
type GCPIntegration ¶
type GCPIntegration struct {
gorm.Model
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The GCP project id where the service account for this auth mechanism persists
GCPProjectID string `json:"gcp_project_id"`
// The GCP user email that linked this service account
GCPUserEmail string `json:"gcp-user-email"`
// The GCP region, which may or may not be used by the integration
GCPRegion string `json:"gcp_region"`
// KeyData for a service account for GCP connectors
GCPKeyData []byte `json:"gcp_key_data"`
}
GCPIntegration is an auth mechanism that uses a GCP service account to authenticate
func (*GCPIntegration) Externalize ¶
func (g *GCPIntegration) Externalize() *GCPIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*GCPIntegration) GetBearerToken ¶
func (g *GCPIntegration) GetBearerToken( getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, scopes ...string, ) (string, error)
GetBearerToken retrieves a bearer token for a GCP account
func (*GCPIntegration) ToProjectIntegration ¶
func (g *GCPIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type GCPIntegrationExternal ¶
type GCPIntegrationExternal struct {
ID uint `json:"id"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The GCP project id where the service account for this auth mechanism persists
GCPProjectID string `json:"gcp-project-id"`
// The GCP user email that linked this service account
GCPUserEmail string `json:"gcp-user-email"`
}
GCPIntegrationExternal is a GCPIntegration to be shared over REST
type GetTokenCacheFunc ¶
type GetTokenCacheFunc func() (tok *TokenCache, err error)
GetTokenCacheFunc is a function that retrieves the token and expiry time from the db
type HelmRepoTokenCache ¶
type HelmRepoTokenCache struct {
TokenCache
HelmRepoID uint `json:"helm_repo_id"`
}
HelmRepoTokenCache is a token cache that helm repos can use; a foreign key constraint between a HelmRepo and HelmRepoTokenCache is created
type IntegrationService ¶
type IntegrationService string
IntegrationService is the name of a third-party service
const ( GKE IntegrationService = "gke" DOKS IntegrationService = "doks" GCS IntegrationService = "gcs" S3 IntegrationService = "s3" HelmRepo IntegrationService = "helm" EKS IntegrationService = "eks" Kube IntegrationService = "kube" GCR IntegrationService = "gcr" ECR IntegrationService = "ecr" DOCR IntegrationService = "docr" Github IntegrationService = "github" DockerHub IntegrationService = "dockerhub" Docker IntegrationService = "docker" )
The list of supported third-party services
type KubeIntegration ¶
type KubeIntegration struct {
gorm.Model
// The name of the auth mechanism
Mechanism KubeIntegrationName `json:"mechanism"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// Certificate data is used by x509 auth mechanisms over TLS
ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
ClientKeyData []byte `json:"client-key-data,omitempty"`
// Token is used for bearer-token auth mechanisms
Token []byte `json:"token,omitempty"`
// Username/Password for basic authentication to a cluster
Username []byte `json:"username,omitempty"`
Password []byte `json:"password,omitempty"`
// The raw kubeconfig, used by local auth mechanisms
Kubeconfig []byte `json:"kubeconfig"`
}
KubeIntegration represents the kube-native auth mechanisms: using x509 certs, basic (username/password), bearer tokens, or local (using local kubeconfig)
func (*KubeIntegration) Externalize ¶
func (k *KubeIntegration) Externalize() *KubeIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*KubeIntegration) ToProjectIntegration ¶
func (k *KubeIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type KubeIntegrationExternal ¶
type KubeIntegrationExternal struct {
ID uint `json:"id"`
// The name of the auth mechanism
Mechanism KubeIntegrationName `json:"mechanism"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
}
KubeIntegrationExternal is a KubeIntegration to be shared over REST
type KubeIntegrationName ¶
type KubeIntegrationName string
KubeIntegrationName is the name of a kube auth mechanism
type OAuthIntegration ¶
type OAuthIntegration struct {
gorm.Model
// The name of the auth mechanism
Client OAuthIntegrationClient `json:"client"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The ID issued to the client
ClientID []byte `json:"client-id"`
// The end-users's access token
AccessToken []byte `json:"access-token"`
// The end-user's refresh token
RefreshToken []byte `json:"refresh-token"`
}
OAuthIntegration is an auth mechanism that uses oauth https://tools.ietf.org/html/rfc6749
func (*OAuthIntegration) Externalize ¶
func (o *OAuthIntegration) Externalize() *OAuthIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*OAuthIntegration) ToProjectIntegration ¶
func (o *OAuthIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an oauth integration to a project integration
type OAuthIntegrationClient ¶
type OAuthIntegrationClient string
OAuthIntegrationClient is the name of an OAuth mechanism client
const ( OAuthGithub OAuthIntegrationClient = "github" OAuthDigitalOcean OAuthIntegrationClient = "do" OAuthGoogle OAuthIntegrationClient = "google" )
The supported oauth mechanism clients
type OAuthIntegrationExternal ¶
type OAuthIntegrationExternal struct {
ID uint `json:"id"`
// The name of the auth mechanism
Client OAuthIntegrationClient `json:"client"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
}
OAuthIntegrationExternal is an OAuthIntegration to be shared over REST
type OIDCIntegration ¶
type OIDCIntegration struct {
gorm.Model
// The name of the auth mechanism
Client OIDCIntegrationClient `json:"client"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
// The "Issuer Identifier" of the OIDC spec (16.15)
IssuerURL []byte `json:"idp-issuer-url"`
// The ID issued to the Relying Party
ClientID []byte `json:"client-id"`
// The secret issued to the Relying Party
//
// This is present because it used to be a required field in a kubeconfig.
// However, because the kube apiserver acts as a Relying Party, the client
// secret is not necessary.
ClientSecret []byte `json:"client-secret"`
// The CA data -- certificate check must be performed (16.17)
CertificateAuthorityData []byte `json:"idp-certificate-authority-data"`
// The user's JWT id token
IDToken []byte `json:"id-token"`
// The user's refresh token
RefreshToken []byte `json:"refresh-token"`
}
OIDCIntegration is an auth mechanism that uses oidc. Spec: https://openid.net/specs/openid-connect-core-1_0.html
func (*OIDCIntegration) Externalize ¶
func (o *OIDCIntegration) Externalize() *OIDCIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*OIDCIntegration) ToProjectIntegration ¶
func (o *OIDCIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type OIDCIntegrationClient ¶
type OIDCIntegrationClient string
OIDCIntegrationClient is the name of an OIDC auth mechanism client
const (
OIDCKube OIDCIntegrationClient = "kube"
)
The supported OIDC auth mechanism clients
type OIDCIntegrationExternal ¶
type OIDCIntegrationExternal struct {
ID uint `json:"id"`
// The name of the auth mechanism
Client OIDCIntegrationClient `json:"client"`
// The id of the user that linked this auth mechanism
UserID uint `json:"user_id"`
// The project that this integration belongs to
ProjectID uint `json:"project_id"`
}
OIDCIntegrationExternal is a OIDCIntegration to be shared over REST
type PorterIntegration ¶
type PorterIntegration struct {
AuthMechanism string `json:"auth_mechanism"`
Category string `json:"category"`
Service IntegrationService `json:"service"`
}
PorterIntegration is a supported integration service, specifying an auth mechanism and the category of integration. A single service can have multiple auth mechanisms. For example, a GKE integration can have both an "oauth" mechanism and a "gcp" mechanism:
PorterIntegration{
AuthMechanism: "oauth",
Category: "cluster",
Service: GKE,
}
PorterIntegration{
AuthMechanism: "gcp",
Category: "cluster",
Service: GKE,
}
type ProjectIntegration ¶
type ProjectIntegration struct {
ID uint `json:"id"`
ProjectID uint `json:"project_id"`
AuthMechanism string `json:"auth_mechanism"`
Category string `json:"category"`
Service IntegrationService `json:"service"`
}
ProjectIntegration is the top-level integration object for various integrations. Although the integrations are stored in the DB by auth mechanism, the integrations are cast to a ProjectIntegration for consolidation before passing on to the client.
type RegTokenCache ¶
type RegTokenCache struct {
TokenCache
RegistryID uint `json:"registry_id"`
}
RegTokenCache stores a token and an expiration for the JWT token for a Docker registry. This will never be shared over REST, so no need to externalize.
type SetTokenCacheFunc ¶
SetTokenCacheFunc is a function that updates the token cache with a new token and expiry time
type TokenCache ¶
type TokenCache struct {
gorm.Model
Expiry time.Time `json:"expiry,omitempty"`
Token []byte `json:"access_token"`
}
TokenCache stores a token and an expiration for the token for a service account. This will never be shared over REST, so no need to externalize.
func (*TokenCache) IsExpired ¶
func (t *TokenCache) IsExpired() bool
IsExpired returns true if a token is expired, false otherwise
Source Files