v1alpha1

package

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterExternalJWTSignerServer

func RegisterExternalJWTSignerServer(s *grpc.Server, srv ExternalJWTSignerServer)

Types

type ExternalJWTSignerClient

// ExternalJWTSignerClient is the client side of the ExternalJWTSigner service;
// kube-apiserver is the caller and the external signer plugin is the peer.
//
// Everything the plugin returns over this API is acted on by kube-apiserver:
// the JWT header and signature (Sign), the set of keys that verify service
// account tokens (FetchKeys), and the maximum token lifetime (Metadata).
// NOTE(review): that makes the connection to the plugin a trust boundary; how
// it is authenticated is not visible in this package — confirm in the
// deployment rather than assuming.
type ExternalJWTSignerClient interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature.  The caller can then assemble the JWT from the header, payload,
	// and signature.
	//
	// The plugin MUST set a key id in the returned JWT header.
	// The constraints on the returned header (only alg, kid and typ; kid must
	// name a FetchKeys key that is not excluded from OIDC discovery) are
	// documented on SignJWTResponse.
	Sign(ctx context.Context, in *SignJWTRequest, opts ...grpc.CallOption) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// NOTE(review): because an unknown kid triggers a call, anyone able to
	// present a token to kube-apiserver can cause FetchKeys traffic; whether
	// those calls are rate-limited is not visible here — confirm before
	// assuming the plugin is shielded from that load.
	FetchKeys(ctx context.Context, in *FetchKeysRequest, opts ...grpc.CallOption) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime that signer supports)
	// See MetadataResponse for how max_token_expiration_seconds interacts with
	// the kube-apiserver token-expiration flags.
	Metadata(ctx context.Context, in *MetadataRequest, opts ...grpc.CallOption) (*MetadataResponse, error)
}

ExternalJWTSignerClient is the client API for the ExternalJWTSigner service (the side kube-apiserver uses to talk to the external signer plugin).

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.

func NewExternalJWTSignerClient

func NewExternalJWTSignerClient(cc *grpc.ClientConn) ExternalJWTSignerClient

type ExternalJWTSignerServer

// ExternalJWTSignerServer is the server side of the ExternalJWTSigner service,
// i.e. the interface an external signer plugin implements for kube-apiserver.
//
// Everything returned from these RPCs is acted on by kube-apiserver: FetchKeys
// defines which keys verify service account tokens, Sign produces the header
// and signature of issued tokens, and Metadata bounds token lifetimes.
// NOTE(review): this makes the plugin endpoint as sensitive as the signing key
// itself; how the gRPC endpoint is authenticated and authorized is not visible
// in this package — confirm in the deployment.
type ExternalJWTSignerServer interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature.  The caller can then assemble the JWT from the header, payload,
	// and signature.
	//
	// The plugin MUST set a key id in the returned JWT header.
	// The header constraints (only alg, kid and typ; kid must name a FetchKeys
	// key that is not excluded from OIDC discovery) are documented on
	// SignJWTResponse; produce a conforming header rather than relying on
	// kube-apiserver to reject a bad one.
	Sign(context.Context, *SignJWTRequest) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// NOTE(review): the first trigger is reachable by anyone who can present a
	// token with an unknown kid, so the implementation should be cheap and
	// must never block on the key source for an unbounded time.
	FetchKeys(context.Context, *FetchKeysRequest) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime that signer supports)
	// See MetadataResponse for the constraints on max_token_expiration_seconds.
	Metadata(context.Context, *MetadataRequest) (*MetadataResponse, error)
}

ExternalJWTSignerServer is the server API for the ExternalJWTSigner service (the interface an external signer plugin implements).

type FetchKeysRequest

// FetchKeysRequest is the (currently empty) argument of FetchKeys: kube-apiserver
// always asks for the complete set of trusted keys rather than a specific key ID.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type FetchKeysRequest struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*FetchKeysRequest) Descriptor

func (*FetchKeysRequest) Descriptor() ([]byte, []int)

func (*FetchKeysRequest) ProtoMessage

func (*FetchKeysRequest) ProtoMessage()

func (*FetchKeysRequest) Reset

func (m *FetchKeysRequest) Reset()

func (*FetchKeysRequest) String

func (m *FetchKeysRequest) String() string

func (*FetchKeysRequest) XXX_DiscardUnknown

func (m *FetchKeysRequest) XXX_DiscardUnknown()

func (*FetchKeysRequest) XXX_Marshal

func (m *FetchKeysRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*FetchKeysRequest) XXX_Merge

func (m *FetchKeysRequest) XXX_Merge(src proto.Message)

func (*FetchKeysRequest) XXX_Size

func (m *FetchKeysRequest) XXX_Size() int

func (*FetchKeysRequest) XXX_Unmarshal

func (m *FetchKeysRequest) XXX_Unmarshal(b []byte) error

type FetchKeysResponse

// FetchKeysResponse carries the set of verification keys returned by FetchKeys
// together with freshness metadata about that set.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type FetchKeysResponse struct {
	// Keys is the set of public keys kube-apiserver will accept as signers of
	// service account tokens; see Key for the per-key constraints.
	// NOTE(review): whether kube-apiserver replaces its previously fetched set
	// with this one or merges the two is not visible in this package — confirm
	// before relying on a removed key being rejected promptly.
	Keys []*Key `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// The timestamp when this data was pulled from the authoritative source of
	// truth for verification keys.
	// kube-apiserver can export this from metrics, to enable end-to-end SLOs.
	DataTimestamp *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=data_timestamp,json=dataTimestamp,proto3" json:"data_timestamp,omitempty"`
	// refresh interval for verification keys to pick changes if any.
	// any value <= 0 is considered a misconfiguration.
	RefreshHintSeconds   int64    `protobuf:"varint,3,opt,name=refresh_hint_seconds,json=refreshHintSeconds,proto3" json:"refresh_hint_seconds,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*FetchKeysResponse) Descriptor

func (*FetchKeysResponse) Descriptor() ([]byte, []int)

func (*FetchKeysResponse) GetDataTimestamp

func (m *FetchKeysResponse) GetDataTimestamp() *timestamppb.Timestamp

func (*FetchKeysResponse) GetKeys

func (m *FetchKeysResponse) GetKeys() []*Key

func (*FetchKeysResponse) GetRefreshHintSeconds

func (m *FetchKeysResponse) GetRefreshHintSeconds() int64

func (*FetchKeysResponse) ProtoMessage

func (*FetchKeysResponse) ProtoMessage()

func (*FetchKeysResponse) Reset

func (m *FetchKeysResponse) Reset()

func (*FetchKeysResponse) String

func (m *FetchKeysResponse) String() string

func (*FetchKeysResponse) XXX_DiscardUnknown

func (m *FetchKeysResponse) XXX_DiscardUnknown()

func (*FetchKeysResponse) XXX_Marshal

func (m *FetchKeysResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*FetchKeysResponse) XXX_Merge

func (m *FetchKeysResponse) XXX_Merge(src proto.Message)

func (*FetchKeysResponse) XXX_Size

func (m *FetchKeysResponse) XXX_Size() int

func (*FetchKeysResponse) XXX_Unmarshal

func (m *FetchKeysResponse) XXX_Unmarshal(b []byte) error

type Key

// Key is one public verification key as reported by FetchKeys.
//
// NOTE(review): "RSA 256" in the Key field comment presumably refers to the
// RS256 JWS algorithm listed on SignJWTResponse, not to a 256-bit RSA modulus —
// confirm the accepted RSA key sizes against kube-apiserver's key validation.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type Key struct {
	// A unique identifier for this key.
	// Length must be <=1024.
	// This is the key ID a token's kid header references; an unknown kid is
	// what triggers an on-demand FetchKeys call.
	KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	// The public key, PKIX-serialized.
	// must be a public key supported by kube-apiserver (currently RSA 256 or ECDSA 256/384/521)
	Key []byte `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	// Set only for keys that are not used to sign bound tokens.
	// eg: supported keys for legacy tokens.
	// If set, key is used for verification but excluded from OIDC discovery docs.
	// if set, external signer should not use this key to sign a JWT.
	// NOTE(review): an excluded key still verifies tokens, so it widens the
	// accepted-signer set while being invisible to OIDC relying parties; retire
	// a key by dropping it from the response, not merely by excluding it.
	ExcludeFromOidcDiscovery bool     `` /* 138-byte string literal not displayed */
	XXX_NoUnkeyedLiteral     struct{} `json:"-"`
	XXX_unrecognized         []byte   `json:"-"`
	XXX_sizecache            int32    `json:"-"`
}

func (*Key) Descriptor

func (*Key) Descriptor() ([]byte, []int)

func (*Key) GetExcludeFromOidcDiscovery

func (m *Key) GetExcludeFromOidcDiscovery() bool

func (*Key) GetKey

func (m *Key) GetKey() []byte

func (*Key) GetKeyId

func (m *Key) GetKeyId() string

func (*Key) ProtoMessage

func (*Key) ProtoMessage()

func (*Key) Reset

func (m *Key) Reset()

func (*Key) String

func (m *Key) String() string

func (*Key) XXX_DiscardUnknown

func (m *Key) XXX_DiscardUnknown()

func (*Key) XXX_Marshal

func (m *Key) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Key) XXX_Merge

func (m *Key) XXX_Merge(src proto.Message)

func (*Key) XXX_Size

func (m *Key) XXX_Size() int

func (*Key) XXX_Unmarshal

func (m *Key) XXX_Unmarshal(b []byte) error

type MetadataRequest

// MetadataRequest is the (currently empty) argument of Metadata, which
// kube-apiserver is meant to call once on startup.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type MetadataRequest struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*MetadataRequest) Descriptor

func (*MetadataRequest) Descriptor() ([]byte, []int)

func (*MetadataRequest) ProtoMessage

func (*MetadataRequest) ProtoMessage()

func (*MetadataRequest) Reset

func (m *MetadataRequest) Reset()

func (*MetadataRequest) String

func (m *MetadataRequest) String() string

func (*MetadataRequest) XXX_DiscardUnknown

func (m *MetadataRequest) XXX_DiscardUnknown()

func (*MetadataRequest) XXX_Marshal

func (m *MetadataRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*MetadataRequest) XXX_Merge

func (m *MetadataRequest) XXX_Merge(src proto.Message)

func (*MetadataRequest) XXX_Size

func (m *MetadataRequest) XXX_Size() int

func (*MetadataRequest) XXX_Unmarshal

func (m *MetadataRequest) XXX_Unmarshal(b []byte) error

type MetadataResponse

// MetadataResponse is returned by Metadata and lets the signer bound the token
// lifetimes kube-apiserver will default to or accept.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type MetadataResponse struct {
	// used by kube-apiserver for defaulting/validation of JWT lifetime while accounting for configuration flag values:
	// 1. `--service-account-max-token-expiration`
	// 2. `--service-account-extend-token-expiration`
	//
	// * If `--service-account-max-token-expiration` is greater than `max_token_expiration_seconds`, kube-apiserver treats that as misconfiguration and exits.
	// * If `--service-account-max-token-expiration` is not explicitly set, kube-apiserver defaults to `max_token_expiration_seconds`.
	// * If `--service-account-extend-token-expiration` is true, the extended expiration is `min(1 year, max_token_expiration_seconds)`.
	//
	// `max_token_expiration_seconds` must be at least 600s.
	//
	// NOTE(review): the signer is the authority here — a larger value becomes
	// the apiserver default when the flag is unset and raises the extended
	// expiration, so treat it as a security parameter rather than a tuning knob.
	MaxTokenExpirationSeconds int64    `` /* 141-byte string literal not displayed */
	XXX_NoUnkeyedLiteral      struct{} `json:"-"`
	XXX_unrecognized          []byte   `json:"-"`
	XXX_sizecache             int32    `json:"-"`
}

func (*MetadataResponse) Descriptor

func (*MetadataResponse) Descriptor() ([]byte, []int)

func (*MetadataResponse) GetMaxTokenExpirationSeconds

func (m *MetadataResponse) GetMaxTokenExpirationSeconds() int64

func (*MetadataResponse) ProtoMessage

func (*MetadataResponse) ProtoMessage()

func (*MetadataResponse) Reset

func (m *MetadataResponse) Reset()

func (*MetadataResponse) String

func (m *MetadataResponse) String() string

func (*MetadataResponse) XXX_DiscardUnknown

func (m *MetadataResponse) XXX_DiscardUnknown()

func (*MetadataResponse) XXX_Marshal

func (m *MetadataResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*MetadataResponse) XXX_Merge

func (m *MetadataResponse) XXX_Merge(src proto.Message)

func (*MetadataResponse) XXX_Size

func (m *MetadataResponse) XXX_Size() int

func (*MetadataResponse) XXX_Unmarshal

func (m *MetadataResponse) XXX_Unmarshal(b []byte) error

type SignJWTRequest

// SignJWTRequest is the argument of Sign: the already-encoded JWT payload.
//
// The plugin does not receive a header to sign under — it produces the header
// itself (see SignJWTResponse). NOTE(review): the exact bytes the signature
// must cover (presumably the JWS signing input `header + "." + claims`) are not
// stated in this package — confirm against kube-apiserver's verifier.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type SignJWTRequest struct {
	// URL-safe base64 wrapped payload to be signed.
	// Exactly as it appears in the second segment of the JWT
	Claims               string   `protobuf:"bytes,1,opt,name=claims,proto3" json:"claims,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*SignJWTRequest) Descriptor

func (*SignJWTRequest) Descriptor() ([]byte, []int)

func (*SignJWTRequest) GetClaims

func (m *SignJWTRequest) GetClaims() string

func (*SignJWTRequest) ProtoMessage

func (*SignJWTRequest) ProtoMessage()

func (*SignJWTRequest) Reset

func (m *SignJWTRequest) Reset()

func (*SignJWTRequest) String

func (m *SignJWTRequest) String() string

func (*SignJWTRequest) XXX_DiscardUnknown

func (m *SignJWTRequest) XXX_DiscardUnknown()

func (*SignJWTRequest) XXX_Marshal

func (m *SignJWTRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SignJWTRequest) XXX_Merge

func (m *SignJWTRequest) XXX_Merge(src proto.Message)

func (*SignJWTRequest) XXX_Size

func (m *SignJWTRequest) XXX_Size() int

func (*SignJWTRequest) XXX_Unmarshal

func (m *SignJWTRequest) XXX_Unmarshal(b []byte) error

type SignJWTResponse

// SignJWTResponse is the result of Sign: the header the plugin chose and the
// signature, both already base64url-encoded so kube-apiserver can assemble the
// token as header.claims.signature without re-encoding either segment.
// The XXX_ fields are generated protobuf internals and are not part of the RPC
// contract.
type SignJWTResponse struct {
	// header must contain only alg, kid, typ claims.
	// typ must be "JWT".
	// kid must be non-empty, <=1024 characters, and its corresponding public key should not be excluded from OIDC discovery.
	// alg must be one of the algorithms supported by kube-apiserver (currently RS256, ES256, ES384, ES512).
	// header cannot have any additional data that kube-apiserver does not recognize.
	// Already wrapped in URL-safe base64, exactly as it appears in the first segment of the JWT.
	//
	// NOTE(review): the rules above describe what kube-apiserver is expected to
	// enforce on the returned header; the enforcement itself is not visible in
	// this package, so a plugin should produce a conforming header rather than
	// rely on rejection.
	Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
	// The signature for the JWT.
	// Already wrapped in URL-safe base64, exactly as it appears in the final segment of the JWT.
	Signature            string   `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*SignJWTResponse) Descriptor

func (*SignJWTResponse) Descriptor() ([]byte, []int)

func (*SignJWTResponse) GetHeader

func (m *SignJWTResponse) GetHeader() string

func (*SignJWTResponse) GetSignature

func (m *SignJWTResponse) GetSignature() string

func (*SignJWTResponse) ProtoMessage

func (*SignJWTResponse) ProtoMessage()

func (*SignJWTResponse) Reset

func (m *SignJWTResponse) Reset()

func (*SignJWTResponse) String

func (m *SignJWTResponse) String() string

func (*SignJWTResponse) XXX_DiscardUnknown

func (m *SignJWTResponse) XXX_DiscardUnknown()

func (*SignJWTResponse) XXX_Marshal

func (m *SignJWTResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SignJWTResponse) XXX_Merge

func (m *SignJWTResponse) XXX_Merge(src proto.Message)

func (*SignJWTResponse) XXX_Size

func (m *SignJWTResponse) XXX_Size() int

func (*SignJWTResponse) XXX_Unmarshal

func (m *SignJWTResponse) XXX_Unmarshal(b []byte) error

type UnimplementedExternalJWTSignerServer

// UnimplementedExternalJWTSignerServer can be embedded in a plugin's server type
// so that it keeps satisfying ExternalJWTSignerServer when RPCs are added to the
// service later (forward compatibility).
// NOTE(review): embedding it also means forgetting to implement Sign, FetchKeys
// or Metadata is no longer a compile error — a real signer should implement all
// three explicitly.
type UnimplementedExternalJWTSignerServer struct {
}

UnimplementedExternalJWTSignerServer can be embedded in a server implementation so that it keeps satisfying ExternalJWTSignerServer when new RPCs are added to the service (forward compatibility).

func (*UnimplementedExternalJWTSignerServer) FetchKeys

func (*UnimplementedExternalJWTSignerServer) Metadata

func (*UnimplementedExternalJWTSignerServer) Sign
