Documentation
Index
- func FetchToken(ctx context.Context, provider CredentialProvider) (*goauth.Token, error)
- func GitSourceScopes() []string
- func IsCredentialsNotFoundError(err error) bool
- func OCISourceScopes() []string
- type CachingCredentialProvider
- type CredentialProvider
- type FakeCredentialProvider
- type FakeTokenProvider
- type LoggingTokenProvider
Constants
This section is empty.
Variables
This section is empty.
Functions
func FetchToken
FetchToken returns a token or an error from the CredentialProvider.
func GitSourceScopes
func GitSourceScopes() []string
GitSourceScopes returns the scopes needed to fetch source from CSR and SSM.
func IsCredentialsNotFoundError
IsCredentialsNotFoundError returns true if an error from credentials.DetectDefault indicates that no credentials are configured.
func OCISourceScopes
func OCISourceScopes() []string
OCISourceScopes returns the scopes needed to fetch OCI source from GCR & GAR.
Types
type CachingCredentialProvider
type CachingCredentialProvider struct {
	// Scopes that credentials tokens should have.
	Scopes []string
	// contains filtered or unexported fields
}
CachingCredentialProvider provides cached default detected credentials. Detection is attempted until it succeeds; the detected credentials are then cached forever.
func (*CachingCredentialProvider) Credentials
func (p *CachingCredentialProvider) Credentials() (goauth.TokenProvider, error)
Credentials returns a TokenProvider that manages caching and refreshing auth tokens. The token expiration will be logged when refreshed.
The Subject identity is auto-detected:
- Node Identity uses a GCP service account supplied by the metadata service.
- Workload Identity also uses a GCP service account supplied by the metadata service, specific to the Pod.
- Fleet Workload Identity reads the credential config from the path specified by the GOOGLE_APPLICATION_CREDENTIALS env var, which is set by reconciler-manager from the config.kubernetes.io/fleet-workload-identity annotation on the reconciler Pod, copied from the reconciler Deployment. This may use a GCP service account with impersonation by a K8s service account or a K8s service account directly (BYOID).
- Application Identity also reads the credential config from the path specified by the GOOGLE_APPLICATION_CREDENTIALS env var, or falls back to the default credential file path.
The scopes are hardcoded to "https://www.googleapis.com/auth/cloud-platform".
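The "detected until successful, then cached forever" behaviour described for CachingCredentialProvider, as an added sketch that is not the package's own code. It assumes detection is retried on each Credentials call; `cachingProvider`, `tokenProvider`, `detect` and `simulate` are hypothetical stand-ins so the example runs without the goauth dependency.

```go
package main

import (
	"fmt"
	"sync"
)

// tokenProvider is a local stand-in for goauth.TokenProvider (assumption).
type tokenProvider struct{ id string }

// cachingProvider sketches "detect until successful, then cache forever" (hypothetical).
type cachingProvider struct {
	mu     sync.Mutex
	detect func() (*tokenProvider, error) // stands in for default credential detection
	cached *tokenProvider
}

// Credentials retries detection until it succeeds; errors are never cached.
func (p *cachingProvider) Credentials() (*tokenProvider, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.cached == nil {
		tp, err := p.detect()
		if err != nil {
			return nil, fmt.Errorf("detecting credentials: %w", err)
		}
		p.cached = tp
	}
	return p.cached, nil
}

// simulate makes n calls against a constructed detector that fails before attempt succeedOn.
func simulate(n, succeedOn int) (detections, failures int) {
	p := &cachingProvider{}
	p.detect = func() (*tokenProvider, error) {
		detections++
		if detections < succeedOn {
			return nil, fmt.Errorf("no credentials configured")
		}
		return &tokenProvider{id: "constructed"}, nil
	}
	for i := 0; i < n; i++ {
		if _, err := p.Credentials(); err != nil {
			failures++
		}
	}
	return detections, failures
}

func main() { fmt.Println(simulate(5, 3)) }
```

Because the successful result is never re-detected, a credential configuration that changes after the first success is not picked up by the same provider instance.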
type CredentialProvider
type CredentialProvider interface {
	// Credentials returns a TokenProvider or an error.
	// The returned TokenProvider must not be modified.
	Credentials() (goauth.TokenProvider, error)
}
CredentialProvider specifies an interface for anything that can return credentials.
type FakeCredentialProvider
type FakeCredentialProvider struct {
	// CredentialsOut is returned by every Credentials call
	CredentialsOut goauth.TokenProvider
	// CredentialsError is returned by every Credentials call
	CredentialsError error
}
FakeCredentialProvider always provides the specified TokenProvider and Error.
func (*FakeCredentialProvider) Credentials
func (p *FakeCredentialProvider) Credentials() (goauth.TokenProvider, error)
Credentials always returns the specified TokenProvider and Error.
type FakeTokenProvider
type FakeTokenProvider struct {
	// TokenOut is returned by every Token call
	TokenOut *goauth.Token
	// TokenError is returned by every Token call
	TokenError error
}
FakeTokenProvider always provides the specified Token and Error.
type LoggingTokenProvider
type LoggingTokenProvider struct {
	Delegate goauth.TokenProvider
	// contains filtered or unexported fields
}
LoggingTokenProvider wraps a delegate TokenProvider and logs when a new token is fetched. This helps when debugging when the token was last refreshed and when it will expire.