api

package
v0.31.0-beta.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2024 License: Apache-2.0 Imports: 9 Imported by: 5,179

Documentation

Overview

Example (EmptyConfig)
defaultConfig := NewConfig()

output, err := yaml.Marshal(defaultConfig)
if err != nil {
	fmt.Printf("Unexpected error: %v", err)
}

fmt.Printf("%v", string(output))
Output:

clusters: {}
contexts: {}
current-context: ""
preferences: {}
users: {}
Example (MinifyAndShorten)
certFile, _ := os.CreateTemp("", "")
keyFile, _ := os.CreateTemp("", "")
caFile, _ := os.CreateTemp("", "")
defer utiltesting.CloseAndRemove(&testing.T{}, certFile, keyFile, caFile)

certData := "cert"
keyData := "key"
caData := "ca"

config := newMergedConfig(certFile.Name(), certData, keyFile.Name(), keyData, caFile.Name(), caData, nil)

MinifyConfig(&config)
ShortenConfig(&config)

output, _ := yaml.Marshal(config)
fmt.Printf("%s", string(output))
Output:

clusters:
  cow-cluster:
    certificate-authority-data: DATA+OMITTED
    server: http://cow.org:8080
contexts:
  federal-context:
    cluster: cow-cluster
    user: red-user
current-context: federal-context
preferences: {}
users:
  red-user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
    token: REDACTED
Example (OfOptionsConfig)
defaultConfig := NewConfig()
defaultConfig.Preferences.Colors = true
defaultConfig.Clusters["alfa"] = &Cluster{
	Server:                "https://alfa.org:8080",
	InsecureSkipTLSVerify: true,
	CertificateAuthority:  "path/to/my/cert-ca-filename",
	DisableCompression:    true,
}
defaultConfig.Clusters["bravo"] = &Cluster{
	Server:                "https://bravo.org:8080",
	InsecureSkipTLSVerify: false,
	DisableCompression:    false,
}
defaultConfig.AuthInfos["white-mage-via-cert"] = &AuthInfo{
	ClientCertificate: "path/to/my/client-cert-filename",
	ClientKey:         "path/to/my/client-key-filename",
}
defaultConfig.AuthInfos["red-mage-via-token"] = &AuthInfo{
	Token: "my-secret-token",
}
defaultConfig.AuthInfos["black-mage-via-auth-provider"] = &AuthInfo{
	AuthProvider: &AuthProviderConfig{
		Name: "gcp",
		Config: map[string]string{
			"foo":   "bar",
			"token": "s3cr3t-t0k3n",
		},
	},
}
defaultConfig.Contexts["bravo-as-black-mage"] = &Context{
	Cluster:   "bravo",
	AuthInfo:  "black-mage-via-auth-provider",
	Namespace: "yankee",
}
defaultConfig.Contexts["alfa-as-black-mage"] = &Context{
	Cluster:   "alfa",
	AuthInfo:  "black-mage-via-auth-provider",
	Namespace: "zulu",
}
defaultConfig.Contexts["alfa-as-white-mage"] = &Context{
	Cluster:  "alfa",
	AuthInfo: "white-mage-via-cert",
}
defaultConfig.CurrentContext = "alfa-as-white-mage"

output, err := yaml.Marshal(defaultConfig)
if err != nil {
	fmt.Printf("Unexpected error: %v", err)
}

fmt.Printf("%v", string(output))
Output:

clusters:
  alfa:
    certificate-authority: path/to/my/cert-ca-filename
    disable-compression: true
    insecure-skip-tls-verify: true
    server: https://alfa.org:8080
  bravo:
    server: https://bravo.org:8080
contexts:
  alfa-as-black-mage:
    cluster: alfa
    namespace: zulu
    user: black-mage-via-auth-provider
  alfa-as-white-mage:
    cluster: alfa
    user: white-mage-via-cert
  bravo-as-black-mage:
    cluster: bravo
    namespace: yankee
    user: black-mage-via-auth-provider
current-context: alfa-as-white-mage
preferences:
  colors: true
users:
  black-mage-via-auth-provider:
    auth-provider:
      config:
        foo: bar
        token: s3cr3t-t0k3n
      name: gcp
  red-mage-via-token:
    token: my-secret-token
  white-mage-via-cert:
    client-certificate: path/to/my/client-cert-filename
    client-key: path/to/my/client-key-filename

Index

Examples

Constants

This section is empty.

Variables

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects TODO this should be in the "kubeconfig" group

Functions

func FlattenConfig

func FlattenConfig(config *Config) error

FlattenConfig changes the config object into a self-contained config (useful for making secrets)

func FlattenContent

func FlattenContent(path *string, contents *[]byte, baseDir string) error

func IsConfigEmpty

func IsConfigEmpty(config *Config) bool

IsConfigEmpty returns true if the config is empty.

func MakeAbs

func MakeAbs(path, base string) (string, error)

func MinifyConfig

func MinifyConfig(config *Config) error

MinifyConfig read the current context and uses that to keep only the relevant pieces of config This is useful for making secrets based on kubeconfig files

func RedactSecrets added in v0.26.0

func RedactSecrets(config *Config) error

RedactSecrets replaces any sensitive values with REDACTED

func ResolvePath

func ResolvePath(path string, base string) string

ResolvePath returns the path as an absolute paths, relative to the given base directory

func ShortenConfig

func ShortenConfig(config *Config)

ShortenConfig redacts raw data entries from the config object for a human-readable view.

Types

type AuthInfo

type AuthInfo struct {
	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
	// +k8s:conversion-gen=false
	LocationOfOrigin string `json:"-"`
	// ClientCertificate is the path to a client cert file for TLS.
	// +optional
	ClientCertificate string `json:"client-certificate,omitempty"`
	// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
	// +optional
	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
	// ClientKey is the path to a client key file for TLS.
	// +optional
	ClientKey string `json:"client-key,omitempty"`
	// ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey
	// +optional
	ClientKeyData []byte `json:"client-key-data,omitempty" datapolicy:"security-key"`
	// Token is the bearer token for authentication to the kubernetes cluster.
	// +optional
	Token string `json:"token,omitempty" datapolicy:"token"`
	// TokenFile is a pointer to a file that contains a bearer token (as described above).  If both Token and TokenFile are present, Token takes precedence.
	// +optional
	TokenFile string `json:"tokenFile,omitempty"`
	// Impersonate is the username to act-as.
	// +optional
	Impersonate string `json:"act-as,omitempty"`
	// ImpersonateUID is the uid to impersonate.
	// +optional
	ImpersonateUID string `json:"act-as-uid,omitempty"`
	// ImpersonateGroups is the groups to impersonate.
	// +optional
	ImpersonateGroups []string `json:"act-as-groups,omitempty"`
	// ImpersonateUserExtra contains additional information for impersonated user.
	// +optional
	ImpersonateUserExtra map[string][]string `json:"act-as-user-extra,omitempty"`
	// Username is the username for basic authentication to the kubernetes cluster.
	// +optional
	Username string `json:"username,omitempty"`
	// Password is the password for basic authentication to the kubernetes cluster.
	// +optional
	Password string `json:"password,omitempty" datapolicy:"password"`
	// AuthProvider specifies a custom authentication plugin for the kubernetes cluster.
	// +optional
	AuthProvider *AuthProviderConfig `json:"auth-provider,omitempty"`
	// Exec specifies a custom exec-based authentication plugin for the kubernetes cluster.
	// +optional
	Exec *ExecConfig `json:"exec,omitempty"`
	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
	// +optional
	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
}

AuthInfo contains information that describes identity information. This is use to tell the kubernetes cluster who you are.

func NewAuthInfo

func NewAuthInfo() *AuthInfo

NewAuthInfo is a convenience function that returns a new AuthInfo object with non-nil maps

func (*AuthInfo) DeepCopy

func (in *AuthInfo) DeepCopy() *AuthInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthInfo.

func (*AuthInfo) DeepCopyInto

func (in *AuthInfo) DeepCopyInto(out *AuthInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthProviderConfig

type AuthProviderConfig struct {
	Name string `json:"name"`
	// +optional
	Config map[string]string `json:"config,omitempty"`
}

AuthProviderConfig holds the configuration for a specified auth provider.

func (*AuthProviderConfig) DeepCopy

func (in *AuthProviderConfig) DeepCopy() *AuthProviderConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthProviderConfig.

func (*AuthProviderConfig) DeepCopyInto

func (in *AuthProviderConfig) DeepCopyInto(out *AuthProviderConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (AuthProviderConfig) GoString

func (c AuthProviderConfig) GoString() string

GoString implements fmt.GoStringer and sanitizes sensitive fields of AuthProviderConfig to prevent accidental leaking via logs.

func (AuthProviderConfig) String

func (c AuthProviderConfig) String() string

String implements fmt.Stringer and sanitizes sensitive fields of AuthProviderConfig to prevent accidental leaking via logs.

type Cluster

type Cluster struct {
	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
	// +k8s:conversion-gen=false
	LocationOfOrigin string `json:"-"`
	// Server is the address of the kubernetes cluster (https://hostname:port).
	Server string `json:"server"`
	// TLSServerName is used to check server certificate. If TLSServerName is empty, the hostname used to contact the server is used.
	// +optional
	TLSServerName string `json:"tls-server-name,omitempty"`
	// InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
	// +optional
	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
	// CertificateAuthority is the path to a cert file for the certificate authority.
	// +optional
	CertificateAuthority string `json:"certificate-authority,omitempty"`
	// CertificateAuthorityData contains PEM-encoded certificate authority certificates. Overrides CertificateAuthority
	// +optional
	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
	// ProxyURL is the URL to the proxy to be used for all requests made by this
	// client. URLs with "http", "https", and "socks5" schemes are supported.  If
	// this configuration is not provided or the empty string, the client
	// attempts to construct a proxy configuration from http_proxy and
	// https_proxy environment variables. If these environment variables are not
	// set, the client does not attempt to proxy requests.
	//
	// socks5 proxying does not currently support spdy streaming endpoints (exec,
	// attach, port forward).
	// +optional
	ProxyURL string `json:"proxy-url,omitempty"`
	// DisableCompression allows client to opt-out of response compression for all requests to the server. This is useful
	// to speed up requests (specifically lists) when client-server network bandwidth is ample, by saving time on
	// compression (server-side) and decompression (client-side): https://github.com/kubernetes/kubernetes/issues/112296.
	// +optional
	DisableCompression bool `json:"disable-compression,omitempty"`
	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
	// +optional
	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
}

Cluster contains information about how to communicate with a kubernetes cluster

func NewCluster

func NewCluster() *Cluster

NewCluster is a convenience function that returns a new Cluster object with non-nil maps

func (*Cluster) DeepCopy

func (in *Cluster) DeepCopy() *Cluster

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cluster.

func (*Cluster) DeepCopyInto

func (in *Cluster) DeepCopyInto(out *Cluster)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Config

type Config struct {
	// Legacy field from pkg/api/types.go TypeMeta.
	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
	// +k8s:conversion-gen=false
	// +optional
	Kind string `json:"kind,omitempty"`
	// Legacy field from pkg/api/types.go TypeMeta.
	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
	// +k8s:conversion-gen=false
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`
	// Preferences holds general information to be use for cli interactions
	Preferences Preferences `json:"preferences"`
	// Clusters is a map of referencable names to cluster configs
	Clusters map[string]*Cluster `json:"clusters"`
	// AuthInfos is a map of referencable names to user configs
	AuthInfos map[string]*AuthInfo `json:"users"`
	// Contexts is a map of referencable names to context configs
	Contexts map[string]*Context `json:"contexts"`
	// CurrentContext is the name of the context that you would like to use by default
	CurrentContext string `json:"current-context"`
	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
	// +optional
	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
}

Config holds the information needed to build connect to remote kubernetes clusters as a given user IMPORTANT if you add fields to this struct, please update IsConfigEmpty() +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func NewConfig

func NewConfig() *Config

NewConfig is a convenience function that returns a new Config object with non-nil maps

func (*Config) DeepCopy

func (in *Config) DeepCopy() *Config

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Config.

func (*Config) DeepCopyInto

func (in *Config) DeepCopyInto(out *Config)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Config) DeepCopyObject

func (in *Config) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Config) GetObjectKind

func (obj *Config) GetObjectKind() schema.ObjectKind

func (*Config) GroupVersionKind

func (obj *Config) GroupVersionKind() schema.GroupVersionKind

func (*Config) SetGroupVersionKind

func (obj *Config) SetGroupVersionKind(gvk schema.GroupVersionKind)

type Context

type Context struct {
	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
	// +k8s:conversion-gen=false
	LocationOfOrigin string `json:"-"`
	// Cluster is the name of the cluster for this context
	Cluster string `json:"cluster"`
	// AuthInfo is the name of the authInfo for this context
	AuthInfo string `json:"user"`
	// Namespace is the default namespace to use on unspecified requests
	// +optional
	Namespace string `json:"namespace,omitempty"`
	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
	// +optional
	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
}

Context is a tuple of references to a cluster (how do I communicate with a kubernetes cluster), a user (how do I identify myself), and a namespace (what subset of resources do I want to work with)

func NewContext

func NewContext() *Context

NewContext is a convenience function that returns a new Context object with non-nil maps

func (*Context) DeepCopy

func (in *Context) DeepCopy() *Context

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Context.

func (*Context) DeepCopyInto

func (in *Context) DeepCopyInto(out *Context)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ExecConfig

type ExecConfig struct {
	// Command to execute.
	Command string `json:"command"`
	// Arguments to pass to the command when executing it.
	// +optional
	Args []string `json:"args"`
	// Env defines additional environment variables to expose to the process. These
	// are unioned with the host's environment, as well as variables client-go uses
	// to pass argument to the plugin.
	// +optional
	Env []ExecEnvVar `json:"env"`

	// Preferred input version of the ExecInfo. The returned ExecCredentials MUST use
	// the same encoding version as the input.
	APIVersion string `json:"apiVersion,omitempty"`

	// This text is shown to the user when the executable doesn't seem to be
	// present. For example, `brew install foo-cli` might be a good InstallHint for
	// foo-cli on Mac OS systems.
	InstallHint string `json:"installHint,omitempty"`

	// ProvideClusterInfo determines whether or not to provide cluster information,
	// which could potentially contain very large CA data, to this exec plugin as a
	// part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set
	// to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for
	// reading this environment variable.
	ProvideClusterInfo bool `json:"provideClusterInfo"`

	// Config holds additional config data that is specific to the exec
	// plugin with regards to the cluster being authenticated to.
	//
	// This data is sourced from the clientcmd Cluster object's extensions[exec] field:
	//
	// clusters:
	// - name: my-cluster
	//   cluster:
	//     ...
	//     extensions:
	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
	//       extension:
	//         audience: 06e3fbd18de8  # arbitrary config
	//
	// In some environments, the user config may be exactly the same across many clusters
	// (i.e. call this exec plugin) minus some details that are specific to each cluster
	// such as the audience.  This field allows the per cluster config to be directly
	// specified with the cluster info.  Using this field to store secret data is not
	// recommended as one of the prime benefits of exec plugins is that no secrets need
	// to be stored directly in the kubeconfig.
	// +k8s:conversion-gen=false
	Config runtime.Object `json:"-"`

	// InteractiveMode determines this plugin's relationship with standard input. Valid
	// values are "Never" (this exec plugin never uses standard input), "IfAvailable" (this
	// exec plugin wants to use standard input if it is available), or "Always" (this exec
	// plugin requires standard input to function). See ExecInteractiveMode values for more
	// details.
	//
	// If APIVersion is client.authentication.k8s.io/v1alpha1 or
	// client.authentication.k8s.io/v1beta1, then this field is optional and defaults
	// to "IfAvailable" when unset. Otherwise, this field is required.
	// +optional
	InteractiveMode ExecInteractiveMode `json:"interactiveMode,omitempty"`

	// StdinUnavailable indicates whether the exec authenticator can pass standard
	// input through to this exec plugin. For example, a higher level entity might be using
	// standard input for something else and therefore it would not be safe for the exec
	// plugin to use standard input. This is kept here in order to keep all of the exec configuration
	// together, but it is never serialized.
	// +k8s:conversion-gen=false
	StdinUnavailable bool `json:"-"`

	// StdinUnavailableMessage is an optional message to be displayed when the exec authenticator
	// cannot successfully run this exec plugin because it needs to use standard input and
	// StdinUnavailable is true. For example, a process that is already using standard input to
	// read user instructions might set this to "used by my-program to read user instructions".
	// +k8s:conversion-gen=false
	StdinUnavailableMessage string `json:"-"`
}

ExecConfig specifies a command to provide client credentials. The command is exec'd and outputs structured stdout holding credentials.

See the client.authentication.k8s.io API group for specifications of the exact input and output format

func (*ExecConfig) DeepCopy

func (in *ExecConfig) DeepCopy() *ExecConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecConfig.

func (*ExecConfig) DeepCopyInto

func (in *ExecConfig) DeepCopyInto(out *ExecConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ExecConfig) GoString

func (c ExecConfig) GoString() string

GoString implements fmt.GoStringer and sanitizes sensitive fields of ExecConfig to prevent accidental leaking via logs.

func (ExecConfig) String

func (c ExecConfig) String() string

String implements fmt.Stringer and sanitizes sensitive fields of ExecConfig to prevent accidental leaking via logs.

type ExecEnvVar

type ExecEnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

ExecEnvVar is used for setting environment variables when executing an exec-based credential plugin.

func (*ExecEnvVar) DeepCopy

func (in *ExecEnvVar) DeepCopy() *ExecEnvVar

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar.

func (*ExecEnvVar) DeepCopyInto

func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ExecInteractiveMode added in v0.22.0

type ExecInteractiveMode string

ExecInteractiveMode is a string that describes an exec plugin's relationship with standard input.

const (
	// NeverExecInteractiveMode declares that this exec plugin never needs to use standard
	// input, and therefore the exec plugin will be run regardless of whether standard input is
	// available for user input.
	NeverExecInteractiveMode ExecInteractiveMode = "Never"
	// IfAvailableExecInteractiveMode declares that this exec plugin would like to use standard input
	// if it is available, but can still operate if standard input is not available. Therefore, the
	// exec plugin will be run regardless of whether stdin is available for user input. If standard
	// input is available for user input, then it will be provided to this exec plugin.
	IfAvailableExecInteractiveMode ExecInteractiveMode = "IfAvailable"
	// AlwaysExecInteractiveMode declares that this exec plugin requires standard input in order to
	// run, and therefore the exec plugin will only be run if standard input is available for user
	// input. If standard input is not available for user input, then the exec plugin will not be run
	// and an error will be returned by the exec plugin runner.
	AlwaysExecInteractiveMode ExecInteractiveMode = "Always"
)

type Preferences

type Preferences struct {
	// +optional
	Colors bool `json:"colors,omitempty"`
	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
	// +optional
	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
}

IMPORTANT if you add fields to this struct, please update IsConfigEmpty()

func NewPreferences

func NewPreferences() *Preferences

NewPreferences is a convenience function that returns a new Preferences object with non-nil maps

func (*Preferences) DeepCopy

func (in *Preferences) DeepCopy() *Preferences

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Preferences.

func (*Preferences) DeepCopyInto

func (in *Preferences) DeepCopyInto(out *Preferences)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL