auth

Documentation

Index

• Constants
• func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, ...) error
• func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
• func GetJWTFromHeader(header http.Header) string
• func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount
• func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string
• func SetAuthHeader(jwt string, header http.Header)
• type IDToken
• type OIDCTokenProvider
  • func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider
  • func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error)
• type OIDCTokenVerifier
  • func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier
  • func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error)

Constants

const (
	AuthHeaderKey = "Authorization"
)

Functions

func EnsureOIDCServiceAccountExistsForResource

func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) error

EnsureOIDCServiceAccountExistsForResource makes sure the given resource has an OIDC service account with an owner reference to the resource set.

func GetAudience

func GetAudience(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetAudience returns the audience string for the given object in the format <group>/<kind>/<namespace>/<name>

func GetJWTFromHeader

func GetJWTFromHeader(header http.Header) string

GetJWTFromHeader Returns the JWT from the Authorization header

func GetOIDCServiceAccountForResource

func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount

GetOIDCServiceAccountForResource returns the service account to use for OIDC authentication for the given resource.

func GetOIDCServiceAccountNameForResource

func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string

GetOIDCServiceAccountNameForResource returns the service account name to use for OIDC authentication for the given resource.

func SetAuthHeader

func SetAuthHeader(jwt string, header http.Header)

SetAuthHeader sets Authorization header with the given JWT

Types

type IDToken

type IDToken struct {
	Issuer          string
	Audience        []string
	Subject         string
	Expiry          time.Time
	IssuedAt        time.Time
	AccessTokenHash string
}

type OIDCTokenProvider

type OIDCTokenProvider struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenProvider

func NewOIDCTokenProvider(ctx context.Context) *OIDCTokenProvider

func (*OIDCTokenProvider) GetJWT

func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience string) (string, error)

GetJWT returns a JWT from the given service account for the given audience.

type OIDCTokenVerifier

type OIDCTokenVerifier struct {
	// contains filtered or unexported fields
}

func NewOIDCTokenVerifier

func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier

func (*OIDCTokenVerifier) VerifyJWT

func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error)

VerifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.