Documentation
Index ¶
- func DisableTransportSecurity(ts *grpcOauth2TokenSource)
- type AuthnConfig
- func (cfg *AuthnConfig) AddClientFlags(cmd *cobra.Command, clientName string) bool
- func (cfg *AuthnConfig) GRPCClientWithAuth() (credentials.PerRPCCredentials, error)
- func (cfg *AuthnConfig) GetCredentials() (clientID, clientSecret string)
- func (cfg *AuthnConfig) HttpClientWithAuth(client *http.Client) (*http.Client, error)
- func (cfg *AuthnConfig) RefreshHttpAuthNClient(client *http.Client) *http.Client
- func (cfg *AuthnConfig) SetupCredentialsFileWatcher(refresher AuthnRefresher)
- func (cfg *AuthnConfig) UpdateCredentials(creds *ClientCredentials) bool
- type AuthnRefresher
- type ClientCredentials
- type GRPCTokenSource
- type InmemoryTokenStore
- type IntervalTokenRefresher
- type LoggingTransport
- type Option
- type ProviderConfig
- type RefreshConfig
- type RefresherTokenSource
- type TLSConfigOptions
- func (opts *TLSConfigOptions) Certificate() (*tls.Certificate, error)
- func (opts *TLSConfigOptions) ClientTLSConfig() (*tls.Config, error)
- func (opts *TLSConfigOptions) LoadClientCAPool() (*x509.CertPool, error)
- func (opts *TLSConfigOptions) LoadRootCAPool() (*x509.CertPool, error)
- func (opts *TLSConfigOptions) ServerTLSConfig() (*tls.Config, error)
- type TokenRefresherConfig
- type TokenStore
- type UAMPolicyConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DisableTransportSecurity ¶
func DisableTransportSecurity(ts *grpcOauth2TokenSource)
Types ¶
type AuthnConfig ¶
type AuthnConfig struct {
OIDCConfig *ProviderConfig `mapstructure:"oidc"`
RefreshConfig *RefreshConfig `mapstructure:"refresh"`
// tell grpc if this auth config requires transport security
DisableTransportSecurity bool `mapstructure:"disableTransportSecurity"`
// contains filtered or unexported fields
}
AuthnConfig holds all config necessary to fetch access tokens from the authn server.
func (*AuthnConfig) AddClientFlags ¶
func (cfg *AuthnConfig) AddClientFlags(cmd *cobra.Command, clientName string) bool
func (*AuthnConfig) GRPCClientWithAuth ¶
func (cfg *AuthnConfig) GRPCClientWithAuth() (credentials.PerRPCCredentials, error)
GRPCClientWithAuth - Adds an oauth2 middleware that automatically fetches and refreshes the token based on the config.
func (*AuthnConfig) GetCredentials ¶
func (cfg *AuthnConfig) GetCredentials() (clientID, clientSecret string)
GetCredentials safely reads the OIDC credentials with proper mutex protection. This method is thread-safe and should be used instead of directly reading OIDCConfig fields when credentials may be updated concurrently by SetupCredentialsFileWatcher.
func (*AuthnConfig) HttpClientWithAuth ¶
HttpClientWithAuth - Adds an oauth2 middleware that automatically fetches and refreshes the token based on the config.
func (*AuthnConfig) RefreshHttpAuthNClient ¶
func (cfg *AuthnConfig) RefreshHttpAuthNClient(client *http.Client) *http.Client
func (*AuthnConfig) SetupCredentialsFileWatcher ¶
func (cfg *AuthnConfig) SetupCredentialsFileWatcher(refresher AuthnRefresher)
SetupCredentialsFileWatcher - sets up the file watcher on creds-file if provided for client setup. It also supports periodic re-reading of the credentials file via RefreshConfig.CredentialsRefreshInterval, which is more reliable than file watching alone for atomic file replacements (e.g., vault-agent).
func (*AuthnConfig) UpdateCredentials ¶
func (cfg *AuthnConfig) UpdateCredentials(creds *ClientCredentials) bool
UpdateCredentials safely updates the OIDC credentials with proper mutex protection. Returns true if credentials were actually changed, false if they were already the same. This method is thread-safe and should be used instead of directly modifying OIDCConfig fields.
type AuthnRefresher ¶
// AuthnRefresher allows for registering a callback if clients need to be
// notified of a credentials change due to a hot reload of the config.
type AuthnRefresher interface {
	// Update is invoked with the newly loaded client credentials.
	Update(creds *ClientCredentials)
}
AuthnRefresher allows for registering a callback if clients need to be notified of a credentials change due to a hot reload of the config.
type ClientCredentials ¶
// ClientCredentials is the OIDC client ID/secret pair, presumably what is
// loaded from the credentials file (yaml keys "id" and "secret").
type ClientCredentials struct {
	// Required - ClientID is used for OIDC authentication of requests
	ClientID string `yaml:"id"`
	// Required - ClientSecret to use for OIDC authentication of requests
	// NOTE(review): sensitive value - keep it out of logs, error messages and
	// debug dumps (e.g. a %+v of this struct).
	ClientSecret string `yaml:"secret"` //nolint:gosec // G117: false positive - this is a configuration struct
}
type GRPCTokenSource ¶
// GRPCTokenSource supplies per-RPC credentials to gRPC and can also have its
// client credentials hot-swapped through the embedded AuthnRefresher.
type GRPCTokenSource interface {
	credentials.PerRPCCredentials
	AuthnRefresher
}
func NewGRPCOauth2TokenSource ¶
func NewGRPCOauth2TokenSource(config *clientcredentials.Config, opts ...Option) GRPCTokenSource
NewGRPCOauth2TokenSource constructs the PerRPCCredentials.
type InmemoryTokenStore ¶
type InmemoryTokenStore struct {
// contains filtered or unexported fields
}
func NewInmemoryTokenStore ¶
func NewInmemoryTokenStore() *InmemoryTokenStore
type IntervalTokenRefresher ¶
type IntervalTokenRefresher struct {
// contains filtered or unexported fields
}
func NewIntervalTokenRefresher ¶
func NewIntervalTokenRefresher(config *TokenRefresherConfig) *IntervalTokenRefresher
func (*IntervalTokenRefresher) StartAsyncRefresh ¶
func (r *IntervalTokenRefresher) StartAsyncRefresh(ctx context.Context)
type LoggingTransport ¶
type LoggingTransport struct {
// contains filtered or unexported fields
}
func NewLoggingRoundTripper ¶
func NewLoggingRoundTripper(roundTripper http.RoundTripper) *LoggingTransport
type ProviderConfig ¶
type ProviderConfig struct {
// Required - Host is the hostname of the authn server.
Host string
// Optional - CredentialsFile is the containing Client ID/Secret
CredentialsFile string
// Optional - ClientID is used for OIDC authentication of requests
ClientID string
// Optional - ClientSecret to use for OIDC authentication of requests
ClientSecret string //nolint:gosec // G117: false positive - this is a configuration struct
// Required - Scope(s) to request
Scopes []string
// Client name to use for authn setup
ClientName string `mapstructure:",omitempty"`
// contains filtered or unexported fields
}
ProviderConfig holds all configuration needed to generate OIDC device tokens for this client's requests. This is used if requests have to be authenticated using OIDC auth - typically for out-of-cluster access.
type RefreshConfig ¶
// RefreshConfig describes all variables needed for StartAsyncRefresh; it is
// intended to be extended with further refresh-related settings.
type RefreshConfig struct {
	// Optional - Interval to use for token refresh. If not provided, background token refresh is not enabled.
	// NOTE(review): the unit is not stated here; CredentialsRefreshInterval below is in seconds - confirm Interval matches.
	Interval int64
	// Optional - CredentialsRefreshInterval is the interval in seconds to periodically re-read the credentials file.
	// This is more reliable than file watching alone, as it handles atomic file replacements (e.g., vault-agent).
	// Recommended value: 300 (5 minutes). If 0, periodic refresh is disabled and only file watching is used.
	CredentialsRefreshInterval int64 `mapstructure:"credentialsRefreshInterval"`
}
RefreshConfig describes all variables needed for StartAsyncRefresh; it is extendable.
type RefresherTokenSource ¶
type RefresherTokenSource struct {
// contains filtered or unexported fields
}
type TLSConfigOptions ¶
// TLSConfigOptions holds the file-based TLS settings from which the client
// and server tls.Config values are built (see ClientTLSConfig and
// ServerTLSConfig).
type TLSConfigOptions struct {
	// Enabled turns TLS on; the remaining fields are presumably only consulted when it is true - verify in ClientTLSConfig/ServerTLSConfig.
	Enabled bool `mapstructure:"enabled"`
	// CertFile and KeyFile are the PEM certificate and private key for this endpoint (see Certificate).
	CertFile string `mapstructure:"cert-file,omitempty"`
	KeyFile  string `mapstructure:"key-file,omitempty"`
	// ClientCACertFiles are the CA bundles client certificates are verified against (see LoadClientCAPool).
	ClientCACertFiles []string `mapstructure:"client-ca-cert-file,omitempty"`
	// RootCAFile is the CA bundle used to verify the peer server certificate (see LoadRootCAPool).
	RootCAFile string `mapstructure:"root-ca-file,omitempty"`
	// InsecureSkipVerify (presumably mapped to tls.Config.InsecureSkipVerify; confirm in
	// ClientTLSConfig) disables verification of the server certificate and host name,
	// so the connection is no longer protected against an active interceptor.
	// Suitable for local development only; leave false in any deployed configuration.
	InsecureSkipVerify bool `mapstructure:"insecure-skip-verify"`
	// Pools and certificate loaded from the files above; excluded from JSON output.
	ClientCAPool *x509.CertPool  `json:"-"`
	RootCAPool   *x509.CertPool  `json:"-"`
	Cert         *tls.Certificate `json:"-"`
}
func (*TLSConfigOptions) Certificate ¶
func (opts *TLSConfigOptions) Certificate() (*tls.Certificate, error)
func (*TLSConfigOptions) ClientTLSConfig ¶
func (opts *TLSConfigOptions) ClientTLSConfig() (*tls.Config, error)
func (*TLSConfigOptions) LoadClientCAPool ¶
func (opts *TLSConfigOptions) LoadClientCAPool() (*x509.CertPool, error)
func (*TLSConfigOptions) LoadRootCAPool ¶
func (opts *TLSConfigOptions) LoadRootCAPool() (*x509.CertPool, error)
func (*TLSConfigOptions) ServerTLSConfig ¶
func (opts *TLSConfigOptions) ServerTLSConfig() (*tls.Config, error)
type TokenRefresherConfig ¶
type TokenRefresherConfig struct {
ClientConfig *clientcredentials.Config
// to discriminate different usage - mygroup or controller
Id string
// contains filtered or unexported fields
}
TokenRefresherConfig is the UAM authn config that replaces the client credentials config, using its own customized token source.
func NewConfigAndStartRefresher ¶
func NewConfigAndStartRefresher(ctx context.Context, conf *clientcredentials.Config, interval int64) *TokenRefresherConfig
func NewTokenRefresherConfig ¶
func NewTokenRefresherConfig(conf *clientcredentials.Config, interval int64, name string) *TokenRefresherConfig
func (*TokenRefresherConfig) Client ¶
func (c *TokenRefresherConfig) Client(ctx context.Context) *http.Client
func (*TokenRefresherConfig) TokenSource ¶
func (c *TokenRefresherConfig) TokenSource(ctx context.Context) oauth2.TokenSource
type TokenStore ¶
type TokenStore interface {
// contains filtered or unexported methods
}
type UAMPolicyConfig ¶
// UAMPolicyConfig captures the config required for authz evaluation.
type UAMPolicyConfig struct {
	// Namespace of the policy (mapstructure key "namespace").
	Namespace string `mapstructure:"namespace"`
	// PolicyFQDN is the policy name (mapstructure key "name"); presumably fully qualified, as the field name suggests.
	PolicyFQDN string `mapstructure:"name"`
}
UAMPolicyConfig captures the config required for authz evaluation
func (*UAMPolicyConfig) AddCommandFlags ¶
func (cfg *UAMPolicyConfig) AddCommandFlags(cmd *cobra.Command) bool
AddCommandFlags is a helper method that adds the config flags to a cobra command.