Documentation ¶
Overview ¶
Package credentials handles the access to credentials for consumers of credential sets.
A credential set is just a set of simple key/value pairs, for example username and password. Every credential consumer, for example the repository implementations of other context types (OCI repositories, OCM repositories, ...), uses the same procedure to get its credentials:
- it composes, for every request, a typed ConsumerIdentity that is as specific as possible. This is a set of name/value pairs describing the access context. For an OCI registry, this is for example:
  - the type (OCIRegistry)
  - the hostname
  - an optional port
  - the repository path
- it then requests credentials from its credentials Context for this consumer.
- the credentials context matches the requested consumer against the configured consumers using a dedicated matcher (for OCI, for example, by finding the consumer specification with the longest matching repository path prefix).
- the credentials of the best matching entry are then returned to the requester.
The credentials context is the mediator between credential providers and credential consumers. Here
- it is possible to explicitly configure credentials for consumer ids,
- it is possible to manage credential repositories providing named credential sets and
- to map dedicated such sets to consumer ids, and
- specialized credential repositories may propagate their contained credentials to auto-calculated consumer ids.
An example of the last case is the special credential repository type DockerConfig. It knows what its credentials are meant for (accessing OCI registries). When such a repository is instantiated, it automatically exposes its credentials under the consumer ids used by the OCI repository implementation. But docker does not allow separate credentials for different repository prefixes in OCI registries (for example organisations in ghcr.io), only per host. Therefore, the propagated consumer ids do not provide the path property of a consumer id. Together with the path prefix matcher, those id settings match all OCI credential requests for all repository paths of a dedicated host, as long as there is no more specific setting. Note the consequence: a host-wide docker credential is handed to every repository on that host unless a more specific consumer id is configured for the paths that need different credentials.
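The matching procedure described above, as an added, self-contained Go example. This is not the package's own code: it reimplements a consumer identity, a host/path prefix matcher and the best-match selection in a few lines so that it runs without the OCM module. The attribute names type, hostname, port and pathprefix and the consumer type OCIRegistry follow the OCI example in the text; the significance scoring, the rule that a port is only compared when the configured entry specifies one, and the rule that a path prefix must end on a path component are this example's own choices, and all hosts, paths and credential values are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// ConsumerIdentity is a typed set of name/value pairs describing an access context.
type ConsumerIdentity map[string]string

// Credentials is a flat set of key/value pairs (username, password, token, ...).
type Credentials map[string]string

// NewOCIConsumerIdentity builds the identity an OCI repository implementation
// would compose for a request: type, hostname, optional port, repository path.
func NewOCIConsumerIdentity(host, port, path string) ConsumerIdentity {
	id := ConsumerIdentity{"type": "OCIRegistry", "hostname": host}
	if port != "" {
		id["port"] = port
	}
	if path != "" {
		id["pathprefix"] = path
	}
	return id
}

// entry is one configured consumer id together with its credential set.
type entry struct {
	id    ConsumerIdentity
	creds Credentials
}

// Matcher reports whether a configured id applies to a request and how
// significant the match is; the context picks the highest significance.
type Matcher func(request, configured ConsumerIdentity) (matched bool, significance int)

// HostPathMatcher: type and hostname must be equal; a port is only compared when
// the configured entry specifies one; a configured pathprefix must be a
// path-component prefix of the requested path (so "acme" does not serve
// "acmecorp/..."). An entry without pathprefix, as propagated from a docker
// config, matches every path of the host with the lowest significance.
func HostPathMatcher(request, configured ConsumerIdentity) (bool, int) {
	if request["type"] != configured["type"] || request["hostname"] != configured["hostname"] {
		return false, 0
	}
	if p, ok := configured["port"]; ok && p != request["port"] {
		return false, 0
	}
	prefix := configured["pathprefix"]
	if prefix == "" {
		return true, 0
	}
	path := request["pathprefix"]
	if path == prefix || strings.HasPrefix(path, prefix+"/") {
		return true, len(prefix)
	}
	return false, 0
}

// Context mediates between configured entries and credential consumers.
type Context struct{ entries []entry }

// SetCredentialsForConsumer explicitly configures credentials for a consumer id.
func (c *Context) SetCredentialsForConsumer(id ConsumerIdentity, creds Credentials) {
	c.entries = append(c.entries, entry{id: id, creds: creds})
}

// CredentialsForConsumer returns the credentials of the most significant
// matching entry, or nil when nothing matches.
func (c *Context) CredentialsForConsumer(id ConsumerIdentity, m Matcher) Credentials {
	var best Credentials
	bestSig := -1
	for _, e := range c.entries {
		if ok, sig := m(id, e.id); ok && sig > bestSig {
			best, bestSig = e.creds, sig
		}
	}
	return best
}

// SampleContext holds a host-wide entry (as a DockerConfig repository would
// propagate for ghcr.io) plus a more specific entry for one organisation.
// All values are constructed sample data.
func SampleContext() *Context {
	ctx := &Context{}
	ctx.SetCredentialsForConsumer(NewOCIConsumerIdentity("ghcr.io", "", ""),
		Credentials{"username": "docker-user", "password": "docker-secret"})
	ctx.SetCredentialsForConsumer(NewOCIConsumerIdentity("ghcr.io", "", "acme"),
		Credentials{"username": "acme-bot", "password": "acme-token"})
	return ctx
}

// UsernameFor resolves the username that would be used for an OCI repository,
// or "" when no credentials are configured for it.
func UsernameFor(ctx *Context, host, path string) string {
	creds := ctx.CredentialsForConsumer(NewOCIConsumerIdentity(host, "", path), HostPathMatcher)
	if creds == nil {
		return ""
	}
	return creds["username"]
}

func main() {
	ctx := SampleContext()
	for _, repo := range [][2]string{{"ghcr.io", "acme/app"}, {"ghcr.io", "acmecorp/app"}, {"ghcr.io", "other/app"}, {"docker.io", "acme/app"}} {
		fmt.Printf("%s/%s -> %q\n", repo[0], repo[1], UsernameFor(ctx, repo[0], repo[1]))
	}
}
```

Two points worth checking in any matcher of this kind: the prefix comparison must respect path components, otherwise an entry for acme would also hand its credentials to acmecorp/..., and the host-only fallback must score lower than every path-specific entry, otherwise a docker-config credential could override a deliberately configured, more specific one.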
The credentials context also provides a configuration object managed by a ConfigurationContext and used to configure a credentials context. The serialization form of this object can be put into a configuration object of the configuration context. For example, the .ocmconfig file is a serialization of such an object which is initially read by the OCM CLI to configure the used ConfigurationContext. If it describes a credentials configuration, this one is applied to the credentials context. Such a credentials config object allows one to
- describe direct consumer id to credential set mappings,
- describe the instantiation of credential repositories (for example a dockerconfig repo), and
- describe the mapping of credential sets of any credential repository to consumer ids (for example the mapping of vault entries to consumers; vault is not implemented yet).
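The first two kinds of entries above in the serialization form read by the OCM CLI, as an added example that is not taken from the project's documentation. It follows the shape of the published .ocmconfig examples (the type names generic.config.ocm.software/v1, credentials.config.ocm.software and DockerConfig/v1, and the identity keys type, hostname and pathprefix), but these names and keys are written down from memory and should be checked against the configuration file help of the OCM CLI version in use; the organisation, user, password and file path are constructed values. The third kind of entry (referencing a named credential set of a repository) is not shown.

```yaml
# Constructed example of an .ocmconfig with a credentials configuration.
type: generic.config.ocm.software/v1
configurations:
  - type: credentials.config.ocm.software
    # Direct consumer id -> credential set mapping. The pathprefix makes this
    # entry more specific than any host-only entry for ghcr.io, so it wins
    # for everything below ghcr.io/acme.
    consumers:
      - identity:
          type: OCIRegistry
          hostname: ghcr.io
          pathprefix: acme
        credentials:
          - type: Credentials
            properties:
              username: acme-bot
              password: acme-token
    # Instantiation of a credential repository. With propagation enabled the
    # docker config entries are exposed as host-only OCIRegistry consumer ids,
    # i.e. they serve every repository path of each configured host that has
    # no more specific consumer entry.
    repositories:
      - repository:
          type: DockerConfig/v1
          dockerConfigFile: "~/.docker/config.json"
          propagateConsumerIdentity: true
```

The file contains secrets in clear text, so it should be readable only by the owning user; the docker config reference keeps the registry secrets out of the .ocmconfig itself, but the same file-permission concern then applies to config.json.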
As for every context type, the Context is the central element of this package. It provides access to the complete functionality by bundling all the settings required to provide credentials to its clients.
Index ¶
- Constants
- Variables
- func DefaultContext() internal.Context
- func ErrUnknownCredentials(name string) error
- func GetClientCerts(ctx ContextProvider, creds Credentials) ([]tls.Certificate, error)
- func GetProvidedIdentityMatcher(obj interface{}) string
- func GetRootCAs(ctx ContextProvider, creds Credentials) (*x509.CertPool, error)
- func GuessConsumerType(ctxp ContextProvider, spec string) string
- func RepositoryUsage(scheme RepositoryTypeScheme) string
- func WithConfigs(ctx config.Context) internal.Builder
- func WithContext(ctx context.Context) internal.Builder
- func WithRepositoyTypeScheme(scheme RepositoryTypeScheme) internal.Builder
- func WithStandardConumerMatchers(matchers internal.IdentityMatcherRegistry) internal.Builder
- type ConsumerIdentity
- type ConsumerIdentityProvider
- type Context
- type ContextProvider
- type Credentials
- func CredentialsFor(ctx ContextProvider, obj interface{}, uctx ...UsageContext) (Credentials, error)
- func CredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
- func CredentialsFromList(props ...string) Credentials
- func NewCredentials(props common.Properties) Credentials
- func RequiredCredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
- type CredentialsChain
- type CredentialsSource
- type CredentialsSpec
- type DirectCredentials
- type GenericCredentialsSpec
- type GenericRepositorySpec
- type IdentityMatcher
- type IdentityMatcherInfo
- type IdentityMatcherInfos
- type IdentityMatcherRegistry
- type ProviderIdentity
- type Repository
- type RepositorySpec
- type RepositoryTypeScheme
- type StringUsageContext
- type UsageContext
Constants ¶
const (
	ID_TYPE                    = internal.ID_TYPE
	ATTR_TYPE                  = internal.ATTR_TYPE
	ATTR_USERNAME              = internal.ATTR_USERNAME
	ATTR_PASSWORD              = internal.ATTR_PASSWORD
	ATTR_CERTIFICATE_AUTHORITY = internal.ATTR_CERTIFICATE_AUTHORITY
	ATTR_CERTIFICATE           = internal.ATTR_CERTIFICATE // PEM encoded
	ATTR_PRIVATE_KEY           = internal.ATTR_PRIVATE_KEY // PEM encoded
	ATTR_SERVER_ADDRESS        = internal.ATTR_SERVER_ADDRESS
	ATTR_IDENTITY_TOKEN        = internal.ATTR_IDENTITY_TOKEN
	ATTR_REGISTRY_TOKEN        = internal.ATTR_REGISTRY_TOKEN
	ATTR_TOKEN                 = internal.ATTR_TOKEN
)
const (
	KIND_CREDENTIALS = internal.KIND_CREDENTIALS
	KIND_CONSUMER    = internal.KIND_CONSUMER
	KIND_REPOSITORY  = internal.KIND_REPOSITORY
)
const AliasRepositoryType = internal.AliasRepositoryType
const CONTEXT_TYPE = internal.CONTEXT_TYPE
Variables ¶
var (
	CompleteMatch = internal.CompleteMatch
	NoMatch       = internal.NoMatch
	PartialMatch  = internal.PartialMatch
)
Functions ¶
func DefaultContext ¶
func DefaultContext() internal.Context
func ErrUnknownCredentials ¶
func ErrUnknownCredentials(name string) error
func GetClientCerts ¶
func GetClientCerts(ctx ContextProvider, creds Credentials) ([]tls.Certificate, error)
func GetProvidedIdentityMatcher ¶
func GetProvidedIdentityMatcher(obj interface{}) string
func GetRootCAs ¶
func GetRootCAs(ctx ContextProvider, creds Credentials) (*x509.CertPool, error)
func GuessConsumerType ¶
func GuessConsumerType(ctxp ContextProvider, spec string) string
func RepositoryUsage ¶
func RepositoryUsage(scheme RepositoryTypeScheme) string
func WithRepositoyTypeScheme ¶
func WithRepositoyTypeScheme(scheme RepositoryTypeScheme) internal.Builder
func WithStandardConumerMatchers ¶
func WithStandardConumerMatchers(matchers internal.IdentityMatcherRegistry) internal.Builder
Types ¶
type ConsumerIdentity ¶
type ConsumerIdentity = internal.ConsumerIdentity
func GetProvidedConsumerId ¶
func GetProvidedConsumerId(obj interface{}, uctx ...UsageContext) ConsumerIdentity
func NewConsumerIdentity ¶
func NewConsumerIdentity(typ string, attrs ...string) ConsumerIdentity
type ConsumerIdentityProvider ¶
type ConsumerIdentityProvider = internal.ConsumerIdentityProvider
type Context ¶
func FromContext ¶
func FromProvider ¶
func FromProvider(p ContextProvider) Context
func New ¶
func New(mode ...datacontext.BuilderMode) Context
type ContextProvider ¶
type ContextProvider = internal.ContextProvider
type Credentials ¶
type Credentials = internal.Credentials
func CredentialsFor ¶
func CredentialsFor(ctx ContextProvider, obj interface{}, uctx ...UsageContext) (Credentials, error)
func CredentialsForConsumer ¶
func CredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
CredentialsForConsumer determines the effective credentials for a consumer. If no credentials are configured, nil is returned without an error. It evaluates the credentials source found for the consumer to determine the final credential properties.
func CredentialsFromList ¶
func CredentialsFromList(props ...string) Credentials
func NewCredentials ¶
func NewCredentials(props common.Properties) Credentials
func RequiredCredentialsForConsumer ¶
func RequiredCredentialsForConsumer(ctx ContextProvider, id ConsumerIdentity, matchers ...IdentityMatcher) (Credentials, error)
RequiredCredentialsForConsumer is like CredentialsForConsumer, but an error is returned if no credentials are found.
type CredentialsChain ¶
type CredentialsChain = internal.CredentialsChain
type CredentialsSource ¶
type CredentialsSource = internal.CredentialsSource
type CredentialsSpec ¶
type CredentialsSpec = internal.CredentialsSpec
func CredentialsSpecFromList ¶
func CredentialsSpecFromList(props ...string) CredentialsSpec
func NewCredentialsSpec ¶
func NewCredentialsSpec(name string, repospec RepositorySpec) CredentialsSpec
func NewGenericCredentialsSpec ¶
func NewGenericCredentialsSpec(name string, repospec *GenericRepositorySpec) CredentialsSpec
type DirectCredentials ¶
type DirectCredentials = internal.DirectCredentials
type GenericCredentialsSpec ¶
type GenericCredentialsSpec = internal.GenericCredentialsSpec
func ToGenericCredentialsSpec ¶
func ToGenericCredentialsSpec(spec CredentialsSpec) (*GenericCredentialsSpec, error)
type GenericRepositorySpec ¶
type GenericRepositorySpec = internal.GenericRepositorySpec
func ToGenericRepositorySpec ¶
func ToGenericRepositorySpec(spec RepositorySpec) (*GenericRepositorySpec, error)
type IdentityMatcher ¶
type IdentityMatcher = internal.IdentityMatcher
type IdentityMatcherInfo ¶
type IdentityMatcherInfo = internal.IdentityMatcherInfo
type IdentityMatcherInfos ¶
type IdentityMatcherInfos = internal.IdentityMatcherInfos
type IdentityMatcherRegistry ¶
type IdentityMatcherRegistry = internal.IdentityMatcherRegistry
type ProviderIdentity ¶
type ProviderIdentity = internal.ProviderIdentity
type Repository ¶
type Repository = internal.Repository
type RepositorySpec ¶
type RepositorySpec = internal.RepositorySpec
func NewGenericRepositorySpec ¶
func NewGenericRepositorySpec(data []byte, unmarshaler runtime.Unmarshaler) (RepositorySpec, error)
type RepositoryTypeScheme ¶
type RepositoryTypeScheme = internal.RepositoryTypeScheme
type StringUsageContext ¶
type StringUsageContext = internal.StringUsageContext
type UsageContext ¶
type UsageContext = internal.UsageContext