Documentation ¶
Index ¶
- func RegisterExternalJWTSignerServer(s *grpc.Server, srv ExternalJWTSignerServer)
- type ExternalJWTSignerClient
- type ExternalJWTSignerServer
- type FetchKeysRequest
- func (*FetchKeysRequest) Descriptor() ([]byte, []int)
- func (*FetchKeysRequest) ProtoMessage()
- func (m *FetchKeysRequest) Reset()
- func (m *FetchKeysRequest) String() string
- func (m *FetchKeysRequest) XXX_DiscardUnknown()
- func (m *FetchKeysRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *FetchKeysRequest) XXX_Merge(src proto.Message)
- func (m *FetchKeysRequest) XXX_Size() int
- func (m *FetchKeysRequest) XXX_Unmarshal(b []byte) error
- type FetchKeysResponse
- func (*FetchKeysResponse) Descriptor() ([]byte, []int)
- func (m *FetchKeysResponse) GetDataTimestamp() *timestamppb.Timestamp
- func (m *FetchKeysResponse) GetKeys() []*Key
- func (m *FetchKeysResponse) GetRefreshHintSeconds() int64
- func (*FetchKeysResponse) ProtoMessage()
- func (m *FetchKeysResponse) Reset()
- func (m *FetchKeysResponse) String() string
- func (m *FetchKeysResponse) XXX_DiscardUnknown()
- func (m *FetchKeysResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *FetchKeysResponse) XXX_Merge(src proto.Message)
- func (m *FetchKeysResponse) XXX_Size() int
- func (m *FetchKeysResponse) XXX_Unmarshal(b []byte) error
- type Key
- func (*Key) Descriptor() ([]byte, []int)
- func (m *Key) GetExcludeFromOidcDiscovery() bool
- func (m *Key) GetKey() []byte
- func (m *Key) GetKeyId() string
- func (*Key) ProtoMessage()
- func (m *Key) Reset()
- func (m *Key) String() string
- func (m *Key) XXX_DiscardUnknown()
- func (m *Key) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *Key) XXX_Merge(src proto.Message)
- func (m *Key) XXX_Size() int
- func (m *Key) XXX_Unmarshal(b []byte) error
- type MetadataRequest
- func (*MetadataRequest) Descriptor() ([]byte, []int)
- func (*MetadataRequest) ProtoMessage()
- func (m *MetadataRequest) Reset()
- func (m *MetadataRequest) String() string
- func (m *MetadataRequest) XXX_DiscardUnknown()
- func (m *MetadataRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *MetadataRequest) XXX_Merge(src proto.Message)
- func (m *MetadataRequest) XXX_Size() int
- func (m *MetadataRequest) XXX_Unmarshal(b []byte) error
- type MetadataResponse
- func (*MetadataResponse) Descriptor() ([]byte, []int)
- func (m *MetadataResponse) GetMaxTokenExpirationSeconds() int64
- func (*MetadataResponse) ProtoMessage()
- func (m *MetadataResponse) Reset()
- func (m *MetadataResponse) String() string
- func (m *MetadataResponse) XXX_DiscardUnknown()
- func (m *MetadataResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *MetadataResponse) XXX_Merge(src proto.Message)
- func (m *MetadataResponse) XXX_Size() int
- func (m *MetadataResponse) XXX_Unmarshal(b []byte) error
- type SignJWTRequest
- func (*SignJWTRequest) Descriptor() ([]byte, []int)
- func (m *SignJWTRequest) GetClaims() string
- func (*SignJWTRequest) ProtoMessage()
- func (m *SignJWTRequest) Reset()
- func (m *SignJWTRequest) String() string
- func (m *SignJWTRequest) XXX_DiscardUnknown()
- func (m *SignJWTRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *SignJWTRequest) XXX_Merge(src proto.Message)
- func (m *SignJWTRequest) XXX_Size() int
- func (m *SignJWTRequest) XXX_Unmarshal(b []byte) error
- type SignJWTResponse
- func (*SignJWTResponse) Descriptor() ([]byte, []int)
- func (m *SignJWTResponse) GetHeader() string
- func (m *SignJWTResponse) GetSignature() string
- func (*SignJWTResponse) ProtoMessage()
- func (m *SignJWTResponse) Reset()
- func (m *SignJWTResponse) String() string
- func (m *SignJWTResponse) XXX_DiscardUnknown()
- func (m *SignJWTResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *SignJWTResponse) XXX_Merge(src proto.Message)
- func (m *SignJWTResponse) XXX_Size() int
- func (m *SignJWTResponse) XXX_Unmarshal(b []byte) error
- type UnimplementedExternalJWTSignerServer
- func (*UnimplementedExternalJWTSignerServer) FetchKeys(ctx context.Context, req *FetchKeysRequest) (*FetchKeysResponse, error)
- func (*UnimplementedExternalJWTSignerServer) Metadata(ctx context.Context, req *MetadataRequest) (*MetadataResponse, error)
- func (*UnimplementedExternalJWTSignerServer) Sign(ctx context.Context, req *SignJWTRequest) (*SignJWTResponse, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RegisterExternalJWTSignerServer ¶
func RegisterExternalJWTSignerServer(s *grpc.Server, srv ExternalJWTSignerServer)
Types ¶
type ExternalJWTSignerClient ¶
// ExternalJWTSignerClient is the client API for the ExternalJWTSigner service.
//
// Security note: the peer of this client holds the private key used to sign
// Kubernetes service account tokens. Sign accepts whatever payload the caller
// supplies (SignJWTRequest.Claims) and the request message carries no caller
// identity, so any principal able to reach the Sign RPC can mint a token with
// arbitrary claims. Authenticating and authorizing that transport is outside
// this API and must be provided by the deployment.
type ExternalJWTSignerClient interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature. The caller can then assemble the JWT from the header, payload,
	// and signature.
	//
	// The plugin MUST set a key id in the returned JWT header.
	//
	// Because the returned header and signature are used verbatim as the first
	// and last JWT segments, a standard JWS verifier (RFC 7515 §5.1) checks the
	// signature against ASCII(header || "." || payload), where payload is exactly
	// the Claims string passed in. The signer must therefore sign that string
	// and nothing else; see SignJWTResponse for the header constraints.
	Sign(ctx context.Context, in *SignJWTRequest, opts ...grpc.CallOption) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// NOTE(review): the first trigger is keyed off the `kid` header of a token
	// presented by a client that has not yet been authenticated, so the plugin
	// should expect on-demand calls at the rate such tokens arrive. The request
	// is empty, so the plugin does not learn which key ID was asked for and
	// must return the full trusted set each time. Whether kube-apiserver
	// rate-limits these calls is not visible from this API.
	FetchKeys(ctx context.Context, in *FetchKeysRequest, opts ...grpc.CallOption) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime that signer supports)
	Metadata(ctx context.Context, in *MetadataRequest, opts ...grpc.CallOption) (*MetadataResponse, error)
}
ExternalJWTSignerClient is the client API for the ExternalJWTSigner service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewExternalJWTSignerClient ¶
func NewExternalJWTSignerClient(cc *grpc.ClientConn) ExternalJWTSignerClient
type ExternalJWTSignerServer ¶
// ExternalJWTSignerServer is the server API for the ExternalJWTSigner service.
//
// An implementation holds the private key for Kubernetes service account
// tokens. Nothing in this API restricts the payload handed to Sign, and the
// request message carries no caller identity, so whoever can reach the Sign
// RPC can obtain a signature over arbitrary claims. Implementations must rely
// on the deployment (transport authentication, socket permissions, network
// policy) to limit who can call it; none of that is expressed here.
type ExternalJWTSignerServer interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature. The caller can then assemble the JWT from the header, payload,
	// and signature.
	//
	// The plugin MUST set a key id in the returned JWT header.
	//
	// The returned header and signature are used verbatim as the first and last
	// JWT segments, so per RFC 7515 §5.1 the signature must be computed over
	// ASCII(header || "." || claims), with header being exactly the string
	// returned and claims being exactly SignJWTRequest.Claims as received.
	// Header constraints are documented on SignJWTResponse.
	Sign(context.Context, *SignJWTRequest) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// NOTE(review): the first trigger is driven by the `kid` of a token sent by
	// a not-yet-authenticated client, so this RPC can be invoked on demand and
	// should be cheap and safe to call repeatedly. The request is empty: the
	// plugin cannot tell which key ID was unknown and returns the whole trusted
	// set. Whether kube-apiserver rate-limits these calls is not visible here.
	FetchKeys(context.Context, *FetchKeysRequest) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime that signer supports)
	Metadata(context.Context, *MetadataRequest) (*MetadataResponse, error)
}
ExternalJWTSignerServer is the server API for the ExternalJWTSigner service. An implementation holds the private signing key and, as SignJWTRequest is defined, signs whatever payload it is handed; because the request message carries no caller identity, access to the Sign RPC must be restricted at the transport or deployment layer.
type FetchKeysRequest ¶
// FetchKeysRequest is the argument to FetchKeys. It has no application
// fields: there is no way to ask for a particular key ID, so the plugin
// answers every call with the complete set of keys it wants trusted.
type FetchKeysRequest struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*FetchKeysRequest) Descriptor ¶
func (*FetchKeysRequest) Descriptor() ([]byte, []int)
func (*FetchKeysRequest) ProtoMessage ¶
func (*FetchKeysRequest) ProtoMessage()
func (*FetchKeysRequest) Reset ¶
func (m *FetchKeysRequest) Reset()
func (*FetchKeysRequest) String ¶
func (m *FetchKeysRequest) String() string
func (*FetchKeysRequest) XXX_DiscardUnknown ¶
func (m *FetchKeysRequest) XXX_DiscardUnknown()
func (*FetchKeysRequest) XXX_Marshal ¶
func (m *FetchKeysRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*FetchKeysRequest) XXX_Merge ¶
func (m *FetchKeysRequest) XXX_Merge(src proto.Message)
func (*FetchKeysRequest) XXX_Size ¶
func (m *FetchKeysRequest) XXX_Size() int
func (*FetchKeysRequest) XXX_Unmarshal ¶
func (m *FetchKeysRequest) XXX_Unmarshal(b []byte) error
type FetchKeysResponse ¶
// FetchKeysResponse is the plugin's answer to FetchKeys: the complete set of
// verification keys kube-apiserver should trust, plus freshness metadata.
type FetchKeysResponse struct {
	// Keys is the full set of trusted public keys. Keys not marked
	// ExcludeFromOidcDiscovery are also published through the OIDC JWKs
	// endpoint, so nothing but public key material belongs here.
	Keys []*Key `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// The timestamp when this data was pulled from the authoritative source of
	// truth for verification keys.
	// kube-apiserver can export this from metrics, to enable end-to-end SLOs.
	DataTimestamp *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=data_timestamp,json=dataTimestamp,proto3" json:"data_timestamp,omitempty"`
	// refresh interval for verification keys to pick changes if any.
	// any value <= 0 is considered a misconfiguration.
	//
	// NOTE(review): this interval is also how long a key the plugin has stopped
	// returning can remain trusted by kube-apiserver before the next periodic
	// refresh (what kube-apiserver does with keys that disappear is not shown
	// here), so keep the hint short relative to the key rotation schedule.
	RefreshHintSeconds int64 `protobuf:"varint,3,opt,name=refresh_hint_seconds,json=refreshHintSeconds,proto3" json:"refresh_hint_seconds,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*FetchKeysResponse) Descriptor ¶
func (*FetchKeysResponse) Descriptor() ([]byte, []int)
func (*FetchKeysResponse) GetDataTimestamp ¶
func (m *FetchKeysResponse) GetDataTimestamp() *timestamppb.Timestamp
func (*FetchKeysResponse) GetKeys ¶
func (m *FetchKeysResponse) GetKeys() []*Key
func (*FetchKeysResponse) GetRefreshHintSeconds ¶
func (m *FetchKeysResponse) GetRefreshHintSeconds() int64
func (*FetchKeysResponse) ProtoMessage ¶
func (*FetchKeysResponse) ProtoMessage()
func (*FetchKeysResponse) Reset ¶
func (m *FetchKeysResponse) Reset()
func (*FetchKeysResponse) String ¶
func (m *FetchKeysResponse) String() string
func (*FetchKeysResponse) XXX_DiscardUnknown ¶
func (m *FetchKeysResponse) XXX_DiscardUnknown()
func (*FetchKeysResponse) XXX_Marshal ¶
func (m *FetchKeysResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*FetchKeysResponse) XXX_Merge ¶
func (m *FetchKeysResponse) XXX_Merge(src proto.Message)
func (*FetchKeysResponse) XXX_Size ¶
func (m *FetchKeysResponse) XXX_Size() int
func (*FetchKeysResponse) XXX_Unmarshal ¶
func (m *FetchKeysResponse) XXX_Unmarshal(b []byte) error
type Key ¶
// Key is one public verification key returned by FetchKeys. It carries only
// public material; keys not excluded from discovery are served to anyone who
// can reach the OIDC JWKs endpoint.
type Key struct {
	// A unique identifier for this key.
	// Length must be <=1024.
	// This is the value a signed token's `kid` header must carry for
	// kube-apiserver to select this key for verification (see SignJWTResponse).
	KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	// The public key, PKIX-serialized (DER-encoded SubjectPublicKeyInfo).
	// must be a public key supported by kube-apiserver (currently RSA 256 or ECDSA 256/384/521)
	// NOTE(review): that list reads as RSA keys used with RS256 and ECDSA keys
	// on the P-256/P-384/P-521 curves, i.e. the key types behind the alg values
	// accepted in SignJWTResponse; confirm against kube-apiserver's validation.
	Key []byte `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	// Set only for keys that are not used to sign bound tokens.
	// eg: supported keys for legacy tokens.
	// If set, key is used for verification but excluded from OIDC discovery docs.
	// if set, external signer should not use this key to sign a JWT.
	// (The struct tag below is elided by the documentation renderer; the
	// generated source carries the 138-byte protobuf/json tag.)
	ExcludeFromOidcDiscovery bool `` /* 138-byte string literal not displayed */
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*Key) Descriptor ¶
func (*Key) GetExcludeFromOidcDiscovery ¶
func (*Key) ProtoMessage ¶
func (*Key) ProtoMessage()
func (*Key) XXX_DiscardUnknown ¶
func (m *Key) XXX_DiscardUnknown()
func (*Key) XXX_Unmarshal ¶
type MetadataRequest ¶
// MetadataRequest is the argument to Metadata. It has no application fields;
// kube-apiserver is described as calling Metadata once at startup.
type MetadataRequest struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*MetadataRequest) Descriptor ¶
func (*MetadataRequest) Descriptor() ([]byte, []int)
func (*MetadataRequest) ProtoMessage ¶
func (*MetadataRequest) ProtoMessage()
func (*MetadataRequest) Reset ¶
func (m *MetadataRequest) Reset()
func (*MetadataRequest) String ¶
func (m *MetadataRequest) String() string
func (*MetadataRequest) XXX_DiscardUnknown ¶
func (m *MetadataRequest) XXX_DiscardUnknown()
func (*MetadataRequest) XXX_Marshal ¶
func (m *MetadataRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*MetadataRequest) XXX_Merge ¶
func (m *MetadataRequest) XXX_Merge(src proto.Message)
func (*MetadataRequest) XXX_Size ¶
func (m *MetadataRequest) XXX_Size() int
func (*MetadataRequest) XXX_Unmarshal ¶
func (m *MetadataRequest) XXX_Unmarshal(b []byte) error
type MetadataResponse ¶
// MetadataResponse is the plugin's answer to Metadata. It lets the signer
// tell kube-apiserver the longest token lifetime it is willing to sign for.
type MetadataResponse struct {
	// used by kube-apiserver for defaulting/validation of JWT lifetime while accounting for configuration flag values:
	// 1. `--service-account-max-token-expiration`
	// 2. `--service-account-extend-token-expiration`
	//
	// * If `--service-account-max-token-expiration` is greater than `max_token_expiration_seconds`, kube-apiserver treats that as misconfiguration and exits.
	// * If `--service-account-max-token-expiration` is not explicitly set, kube-apiserver defaults to `max_token_expiration_seconds`.
	// * If `--service-account-extend-token-expiration` is true, the extended expiration is `min(1 year, max_token_expiration_seconds)`.
	//
	// `max_token_expiration_seconds` must be at least 600s.
	//
	// NOTE(review): this value is an upper bound on the lifetime kube-apiserver
	// will request, not an enforcement hook: Sign still receives the claims as
	// an opaque payload, so a plugin that wants to guarantee the bound must
	// inspect the `exp` claim itself. A large value widens the window in which
	// a leaked token stays usable.
	// (The struct tag below is elided by the documentation renderer; the
	// generated source carries the 141-byte protobuf/json tag.)
	MaxTokenExpirationSeconds int64 `` /* 141-byte string literal not displayed */
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*MetadataResponse) Descriptor ¶
func (*MetadataResponse) Descriptor() ([]byte, []int)
func (*MetadataResponse) GetMaxTokenExpirationSeconds ¶
func (m *MetadataResponse) GetMaxTokenExpirationSeconds() int64
func (*MetadataResponse) ProtoMessage ¶
func (*MetadataResponse) ProtoMessage()
func (*MetadataResponse) Reset ¶
func (m *MetadataResponse) Reset()
func (*MetadataResponse) String ¶
func (m *MetadataResponse) String() string
func (*MetadataResponse) XXX_DiscardUnknown ¶
func (m *MetadataResponse) XXX_DiscardUnknown()
func (*MetadataResponse) XXX_Marshal ¶
func (m *MetadataResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*MetadataResponse) XXX_Merge ¶
func (m *MetadataResponse) XXX_Merge(src proto.Message)
func (*MetadataResponse) XXX_Size ¶
func (m *MetadataResponse) XXX_Size() int
func (*MetadataResponse) XXX_Unmarshal ¶
func (m *MetadataResponse) XXX_Unmarshal(b []byte) error
type SignJWTRequest ¶
// SignJWTRequest is the argument to Sign: the already-encoded JWT payload.
// It carries nothing else — in particular no identity of whoever asked
// kube-apiserver for the token — so the plugin cannot authorize requests
// based on message content alone.
type SignJWTRequest struct {
	// URL-safe base64 wrapped payload to be signed.
	// Exactly as it appears in the second segment of the JWT
	// (hence unpadded base64url, RFC 7515 §2).
	//
	// The plugin is not required to look inside this string; it signs it as
	// received. A plugin that wants to enforce its own policy (issuer, audience,
	// expiry) must base64url-decode and JSON-parse it itself, and must still
	// sign the original string unchanged so the caller's assembled token
	// verifies.
	Claims string `protobuf:"bytes,1,opt,name=claims,proto3" json:"claims,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*SignJWTRequest) Descriptor ¶
func (*SignJWTRequest) Descriptor() ([]byte, []int)
func (*SignJWTRequest) GetClaims ¶
func (m *SignJWTRequest) GetClaims() string
func (*SignJWTRequest) ProtoMessage ¶
func (*SignJWTRequest) ProtoMessage()
func (*SignJWTRequest) Reset ¶
func (m *SignJWTRequest) Reset()
func (*SignJWTRequest) String ¶
func (m *SignJWTRequest) String() string
func (*SignJWTRequest) XXX_DiscardUnknown ¶
func (m *SignJWTRequest) XXX_DiscardUnknown()
func (*SignJWTRequest) XXX_Marshal ¶
func (m *SignJWTRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*SignJWTRequest) XXX_Merge ¶
func (m *SignJWTRequest) XXX_Merge(src proto.Message)
func (*SignJWTRequest) XXX_Size ¶
func (m *SignJWTRequest) XXX_Size() int
func (*SignJWTRequest) XXX_Unmarshal ¶
func (m *SignJWTRequest) XXX_Unmarshal(b []byte) error
type SignJWTResponse ¶
// SignJWTResponse is the result of Sign: the encoded JOSE header and the
// encoded signature, which the caller joins with the payload it sent as
// header.payload.signature.
type SignJWTResponse struct {
	// header must contain only the alg, kid and typ header parameters.
	// typ must be "JWT".
	// kid must be non-empty, <=1024 characters, and its corresponding public key should not be excluded from OIDC discovery.
	// alg must be one of the algorithms supported by kube-apiserver (currently RS256, ES256, ES384, ES512).
	// header cannot have any additional data that kube-apiserver does not recognize.
	// Already wrapped in URL-safe base64, exactly as it appears in the first segment of the JWT.
	//
	// Consequences of the above for a signer: "none" and the HMAC (HS*) algs
	// are not in the accepted list and must never be emitted; alg must match
	// the key type of the Key whose KeyId equals kid; and because the header is
	// used verbatim, the signature must be computed over this exact encoded
	// header joined with "." and the request's Claims (RFC 7515 §5.1).
	Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
	// The signature for the JWT.
	// Already wrapped in URL-safe base64, exactly as it appears in the final segment of the JWT
	// (unpadded base64url, RFC 7515 §2). For the ES* algorithms this is the
	// raw R||S encoding JWS requires (RFC 7518 §3.4), not an ASN.1 DER
	// signature as produced by many crypto libraries by default.
	Signature string `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}
func (*SignJWTResponse) Descriptor ¶
func (*SignJWTResponse) Descriptor() ([]byte, []int)
func (*SignJWTResponse) GetHeader ¶
func (m *SignJWTResponse) GetHeader() string
func (*SignJWTResponse) GetSignature ¶
func (m *SignJWTResponse) GetSignature() string
func (*SignJWTResponse) ProtoMessage ¶
func (*SignJWTResponse) ProtoMessage()
func (*SignJWTResponse) Reset ¶
func (m *SignJWTResponse) Reset()
func (*SignJWTResponse) String ¶
func (m *SignJWTResponse) String() string
func (*SignJWTResponse) XXX_DiscardUnknown ¶
func (m *SignJWTResponse) XXX_DiscardUnknown()
func (*SignJWTResponse) XXX_Marshal ¶
func (m *SignJWTResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*SignJWTResponse) XXX_Merge ¶
func (m *SignJWTResponse) XXX_Merge(src proto.Message)
func (*SignJWTResponse) XXX_Size ¶
func (m *SignJWTResponse) XXX_Size() int
func (*SignJWTResponse) XXX_Unmarshal ¶
func (m *SignJWTResponse) XXX_Unmarshal(b []byte) error
type UnimplementedExternalJWTSignerServer ¶
// UnimplementedExternalJWTSignerServer can be embedded to have forward
// compatible implementations. Its method bodies are not shown on this page;
// presumably each returns a gRPC Unimplemented error, in which case a signer
// that embeds it and forgets to override Sign fails closed (refuses to sign)
// rather than signing anything.
type UnimplementedExternalJWTSignerServer struct {
}
UnimplementedExternalJWTSignerServer can be embedded to have forward compatible implementations.
func (*UnimplementedExternalJWTSignerServer) FetchKeys ¶
func (*UnimplementedExternalJWTSignerServer) FetchKeys(ctx context.Context, req *FetchKeysRequest) (*FetchKeysResponse, error)
func (*UnimplementedExternalJWTSignerServer) Metadata ¶
func (*UnimplementedExternalJWTSignerServer) Metadata(ctx context.Context, req *MetadataRequest) (*MetadataResponse, error)
func (*UnimplementedExternalJWTSignerServer) Sign ¶
func (*UnimplementedExternalJWTSignerServer) Sign(ctx context.Context, req *SignJWTRequest) (*SignJWTResponse, error)