kube-token-refresher

command module

v0.1.2 Latest Latest Go to latest Published: Jul 1, 2021 License: BSD-3-Clause Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/vshn/kube-token-refresher

Links

Open Source Insights

README ¶

kube-token-refresher

The kube-token-refresher is a tool to periodically fetch access token and write them to Kubernetes secrets. It fetches the access token using the OpenId Connect Client Credentials grant.

This enables systems that expect long lived access token to work with short lived tokens that expire frequently.

Configuration

The kube-token-refresher can be configured using a YAML file, environment variables, or command line flags.

---
## kube-token-refresher configuration

secret:
  # Name of the secret to write to
  name: ''

  # Namespace of the secret to write to
  namespace: ''

  # The key in the specified secret to write the token to
  key: 'token'

# In what interval (in seconds) to fetch a new token and update the secret
# You should count in possible timeouts upon refreshing and also mount update, see
# https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically
interval: 500

log:
  # How verbose the logging should be. One of:
  # * debug
  # * info
  # * warn
  level: 'info'

  # What format to log in. One of
  # * text
  # * json
  format: 'text'

# Configures how to connect to the OIDC provider
oidc:
  # The toke endpoint of the OpenId Connect provider
  #
  # Usually in the form of: `https://<domain>/token`
  tokenurl: ''

  # The Client ID
  clientid: ''

  # The Client Secret
  clientsecret: ''

The configuration file has to be specified directly with the --config flag.

Environment Variables

All configuration values can be set through environment variables. The configuration key is translated to a environment variable with the prefix KTR_ and the key name in all caps. For nested configuration keys the levels are separated with _.

# Will set the logLevel to `debug`
export KTR_LOG_LEVEL="debug"

# Will set the OIDC tokenUrl to `https://auth.vshn.net/token`
export KTR_OIDC_TOKENURL="https://auth.vshn.net/token"

Environment variables will take precedence over the configuration file.

Command Line Flags

All configuration values can also be set through command line flags. The configuration key is directly translated to the flag. Nested configuration keys are separated with ..

# Will set the logLevel to `warn`
./kube-token-refresher --log.level warn

# Will set the OIDC tokenUrl to `https://auth.vshn.net/token`
./kube-token-refresher --oidc.tokenurl="https://auth.vshn.net/token"

Command line flags will take precedence over both the configuration file and environment variables.

Deploy

To deploy the kube-token-refresher you need OIDC credentials capable of requesting an access token, and Kubernetes credentials to get and update the specified secret. If the kube-token-refresher is expected to create the specified secret, it will also need permission to create secrets.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL