Documentation ¶
Index ¶
- Constants
- Variables
- func Add(mgr manager.Manager) error
- func ClientHasCondition(client *oidcv1.Client, c oidcv1.ClientCondition) bool
- func SetClientCondition(client *oidcv1.Client, conditionType oidcv1.ClientConditionType, ...)
- type ClientControllerConfig
- type ClientCredentials
- type OIDCClientError
- type OidcClientResponse
- type ReconcileClient
- func (r *ReconcileClient) CreateClientRegistration(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (response *http.Response, err error)
- func (r *ReconcileClient) CreateZenInstance(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (err error)
- func (r *ReconcileClient) DeleteClientRegistration(ctx context.Context, client *oidcv1.Client) (response *http.Response, err error)
- func (r *ReconcileClient) DeleteZenInstance(ctx context.Context, client *oidcv1.Client) (err error)
- func (r *ReconcileClient) GetAuthServiceURL() (value string, err error)
- func (r *ReconcileClient) GetClientCreds(ctx context.Context, client *oidcv1.Client) (clientCreds *ClientCredentials, err error)
- func (r *ReconcileClient) GetClientRegistration(ctx context.Context, client *oidcv1.Client) (response *http.Response, err error)
- func (r *ReconcileClient) GetDefaultAdminPassword() (value string, err error)
- func (r *ReconcileClient) GetDefaultAdminUser() (value string, err error)
- func (r *ReconcileClient) GetIdentityManagementURL() (value string, err error)
- func (r *ReconcileClient) GetIdentityProviderURL() (value string, err error)
- func (r *ReconcileClient) GetOAuthAdminPassword() (value string, err error)
- func (r *ReconcileClient) GetROKSEnabled() (value bool, err error)
- func (r *ReconcileClient) GetZenInstance(ctx context.Context, client *oidcv1.Client) (zenInstance *ZenInstance, err error)
- func (r *ReconcileClient) IsConfigured() bool
- func (r *ReconcileClient) Reconcile(ctx context.Context, request reconcile.Request) (result reconcile.Result, err error)
- func (r *ReconcileClient) RemoveAnnotationFromSA(ctx context.Context, client *oidcv1.Client, sAccNamespace string)
- func (r *ReconcileClient) SetConfig(ctx context.Context, namespace string) (err error)
- func (r *ReconcileClient) UpdateClientRegistration(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (response *http.Response, err error)
- type TokenInfo
- type ZenInstance
Constants ¶
// Names of the cluster resources the Client controller reads its configuration from,
// plus the finalizer and role names it uses.
//
// NOTE(review): the two credential Secrets and the CA Secret hold sensitive material
// (admin passwords, CA private key); values read from them must not be logged.
const (
	// PlatformAuthIDPConfigMapName is the name of the ConfigMap containing settings used for Client management
	PlatformAuthIDPConfigMapName string = "platform-auth-idp"
	// PlatformAuthIDPCredentialsSecretName is the name of the Secret containing default credentials
	PlatformAuthIDPCredentialsSecretName string = "platform-auth-idp-credentials"
	// PlatformOIDCCredentialsSecretName is the name of the Secret containing the OP admin oauthadmin's password
	PlatformOIDCCredentialsSecretName string = "platform-oidc-credentials"
	// CSCACertificateSecretName is the name of the Secret created by the installer in the shared services namespace
	// that contains the Common Services CA certificate and private key details
	CSCACertificateSecretName string = "cs-ca-certificate-secret"
	// CP3FinalizerName is the name of the finalizer added to Clients by the Client controller in IM v4.x
	CP3FinalizerName string = "client.oidc.security.ibm.com"
	// CP2FinalizerName is the name of the finalizer added to Clients by the OIDC Client Watcher in IAM v3.x
	// (note the historical "fynalyzer" spelling; it must stay as-is to match objects created by v3.x).
	CP2FinalizerName string = "fynalyzer.client.oidc.security.ibm.com"
	// AdministratorRole is the name of the Administrator role; where the controller applies it is not visible here.
	AdministratorRole string = "Administrator"
)

// HTTP method names used when building requests to the OP and identity-management endpoints
// (the exact call sites are outside this listing).
const (
	GetType    = "GET"
	PostType   = "POST"
	PutType    = "PUT"
	DeleteType = "DELETE"
)

// Messages and Reasons recorded on a Client's conditions — presumably passed to
// SetClientCondition as its reason/message arguments; confirm at the call sites.
const (
	MessageCreateClientSuccessful      = "OIDC client registration create successful"
	MessageUpdateClientSuccessful      = "OIDC client registration update successful"
	MessageClientSuccessful            = "OIDC client registration successful"
	MessageCreateClientFailed          = "OIDC client registration create failed"
	MessageCreateZenRegistrationFailed = "Registration of the Zen Instance failed"
	MessageUnknown              string = "Unexpected error occurred while processing the request"
	ReasonCreateClientSuccessful       = "CreateClientSuccessful"
	ReasonCreateClientFailed           = "CreateClientFailed"
	ReasonUpdateClientSuccessful       = "UpdateClientSuccessful"
	ReasonUpdateClientFailed           = "UpdateClientFailed"
	ReasonGetClientFailed              = "GetClientFailed"
	ReasonDeleteClientFailed           = "DeleteClientFailed"
	ReasonCreateZenRegistrationFailed  = "CreateZenRegistrationFailed"
	ReasonUnknown               string = "Unknown"
)
These are valid condition statuses. "ConditionTrue" means a resource is in the condition; "ConditionFalse" means a resource is not in the condition; "ConditionUnknown" means kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.
// OptimisticLockErrorMsg is the message the Kubernetes API server returns on a
// resourceVersion conflict; presumably matched against update errors to decide
// whether to re-read and retry — confirm at the call sites.
const OptimisticLockErrorMsg = "the object has been modified; please apply your changes to the latest version and try again"
Variables ¶
// Clock is the package's time source, a real clock by default. Being a package
// variable it can be replaced by tests; presumably SetClientCondition reads it when
// stamping LastTransitionTime — confirm in the implementation.
var Clock clock.Clock = clock.RealClock{}
Functions ¶
func Add ¶
Add creates a new Client Controller and adds it to the Manager. The Manager will set fields on the Controller and Start it when the Manager is Started.
func ClientHasCondition ¶
func ClientHasCondition(client *oidcv1.Client, c oidcv1.ClientCondition) bool
ClientHasCondition will return true if the given Client has a condition matching the provided ClientCondition. Only the Type and Status fields are used in the comparison, meaning that this function will return 'true' even if the Reason, Message and LastTransitionTime fields do not match.
func SetClientCondition ¶
func SetClientCondition(client *oidcv1.Client, conditionType oidcv1.ClientConditionType, status oidcv1.ConditionStatus, reason, message string)
SetClientCondition will set a 'condition' on the given Client.
- If no condition of the same type already exists, the condition will be inserted with the LastTransitionTime set to the current time.
- If a condition of the same type and state already exists, the condition will be updated but the LastTransitionTime will not be modified.
- If a condition of the same type and different state already exists, the condition will be updated and the LastTransitionTime set to the current time.
Types ¶
type ClientControllerConfig ¶
ClientControllerConfig maintains state used while reconciling OIDC Client objects
func (ClientControllerConfig) ApplyConfigMap ¶
func (c ClientControllerConfig) ApplyConfigMap(configMap *corev1.ConfigMap, keysList ...string) (err error)
ApplyConfigMap takes the key value pairs found in a ConfigMap's Data field and sets the same keys and values in the ClientControllerConfig. Produces an error if the ConfigMap had an empty Data field.
func (ClientControllerConfig) ApplySecret ¶
func (c ClientControllerConfig) ApplySecret(secret *corev1.Secret, keysList ...string) (err error)
ApplySecret takes the key value pairs found in a Secret's Data field and sets the same keys and values in the ClientControllerConfig after converting the values into strings from []byte. Produces an error if the Secret had an empty Data field.
type ClientCredentials ¶
type OIDCClientError ¶
// OIDCClientError carries the error body returned by the OP on a failed
// registration request; it is built from an *http.Response by NewOIDCClientError.
type OIDCClientError struct {
	// Description holds the OP's error_description field from the response JSON.
	Description string `json:"error_description"`
}
func NewOIDCClientError ¶
func NewOIDCClientError(response *http.Response) (oidcErr *OIDCClientError)
NewOIDCClientError produces a new OIDCClientError by attempting to unmarshal the response body JSON into an OIDCClientError's Description field.
func (*OIDCClientError) Error ¶
func (e *OIDCClientError) Error() string
type OidcClientResponse ¶
// OidcClientResponse is the JSON body the OP returns for an OIDC client registration.
//
// NOTE(review): ClientSecret is a credential. Do not log this struct with %+v/%v
// or serialise it into events or status; copy out only the fields needed.
type OidcClientResponse struct {
	ClientIDIssuedAt        int      `json:"client_id_issued_at"`
	RegistrationClientURI   string   `json:"registration_client_uri"`
	ClientSecretExpiresAt   int      `json:"client_secret_expires_at"`
	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method"`
	Scope                   string   `json:"scope"`
	GrantTypes              []string `json:"grant_types"`
	ResponseTypes           []string `json:"response_types"`
	ApplicationType         string   `json:"application_type"`
	SubjectType             string   `json:"subject_type"`
	PostLogoutRedirectUris  []string `json:"post_logout_redirect_uris"`
	IntrospectTokens        bool     `json:"introspect_tokens"`
	TrustedURIPrefixes      []string `json:"trusted_uri_prefixes"`
	ResourceIds             []string `json:"resource_ids"`
	// Note the mixed-style JSON key "functional_user_groupIds"; it must match what the OP emits.
	FunctionalUserGroupIds  []string `json:"functional_user_groupIds"`
	FunctionalUserID        string   `json:"functional_user_id"`
	AppPasswordAllowed      bool     `json:"appPasswordAllowed"`
	AppTokenAllowed         bool     `json:"appTokenAllowed"`
	ClientID                string   `json:"client_id"`
	// ClientSecret is the client credential issued by the OP — sensitive, never log.
	ClientSecret            string   `json:"client_secret"`
	ClientName              string   `json:"client_name"`
	RedirectUris            []string `json:"redirect_uris"`
	// AllowRegexpRedirects presumably relaxes the OP's redirect_uri matching to regular
	// expressions; a permissive value widens the set of accepted redirect targets, so
	// treat it as security-relevant — confirm semantics against the OP documentation.
	AllowRegexpRedirects    bool     `json:"allow_regexp_redirects"`
}
type ReconcileClient ¶
ReconcileClient is a split client that reads objects from the cache and writes to the apiserver.
func (*ReconcileClient) CreateClientRegistration ¶
func (r *ReconcileClient) CreateClientRegistration(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (response *http.Response, err error)
CreateClientRegistration registers a new OIDC Client on the OP using the information in the provided Client CR.
func (*ReconcileClient) CreateZenInstance ¶
func (r *ReconcileClient) CreateZenInstance(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (err error)
CreateZenInstance registers the Zen instance with the IAM Identity Management service.
func (*ReconcileClient) DeleteClientRegistration ¶
func (r *ReconcileClient) DeleteClientRegistration(ctx context.Context, client *oidcv1.Client) (response *http.Response, err error)
DeleteClientRegistration deletes from the OP the OIDC Client registration represented by the Client CR.
func (*ReconcileClient) DeleteZenInstance ¶
DeleteZenInstance deletes the requested Zen instance.
func (*ReconcileClient) GetAuthServiceURL ¶
func (r *ReconcileClient) GetAuthServiceURL() (value string, err error)
GetAuthServiceURL gets the IAM Auth Service URL from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetClientCreds ¶
func (r *ReconcileClient) GetClientCreds(ctx context.Context, client *oidcv1.Client) (clientCreds *ClientCredentials, err error)
GetClientCreds uses information from a Client to obtain the Client's credentials from the cluster. The Client must at a minimum have its ClientId, Secret, and namespace set.
func (*ReconcileClient) GetClientRegistration ¶
func (r *ReconcileClient) GetClientRegistration(ctx context.Context, client *oidcv1.Client) (response *http.Response, err error)
GetClientRegistration gets the registered Client from the OP, if it is there.
func (*ReconcileClient) GetDefaultAdminPassword ¶
func (r *ReconcileClient) GetDefaultAdminPassword() (value string, err error)
GetDefaultAdminPassword gets the default admin password for the IAM API from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetDefaultAdminUser ¶
func (r *ReconcileClient) GetDefaultAdminUser() (value string, err error)
GetDefaultAdminUser gets the default admin user for the IAM API from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetIdentityManagementURL ¶
func (r *ReconcileClient) GetIdentityManagementURL() (value string, err error)
GetIdentityManagementURL gets the Identity Management URL from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetIdentityProviderURL ¶
func (r *ReconcileClient) GetIdentityProviderURL() (value string, err error)
GetIdentityProviderURL gets the Identity Provider URL from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetOAuthAdminPassword ¶
func (r *ReconcileClient) GetOAuthAdminPassword() (value string, err error)
GetOAuthAdminPassword gets the password for the OAuth Provider oauthadmin account from the ReconcileClient's ClientControllerConfig. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetROKSEnabled ¶
func (r *ReconcileClient) GetROKSEnabled() (value bool, err error)
GetROKSEnabled reads from the ClientControllerConfig whether the controller is enabled to use OpenShift OAuthClients for OIDC Client authentication via legacy configuration; when enabled, the controller creates and manages OAuthClient objects whose names match the OIDC Client's clientId field. Produces an error if the ClientControllerConfig is empty or if the key is not present.
func (*ReconcileClient) GetZenInstance ¶
func (r *ReconcileClient) GetZenInstance(ctx context.Context, client *oidcv1.Client) (zenInstance *ZenInstance, err error)
GetZenInstance returns the zen instance or nil if it does not exist
func (*ReconcileClient) IsConfigured ¶
func (r *ReconcileClient) IsConfigured() bool
IsConfigured returns whether all mandatory config fields are set.
func (*ReconcileClient) Reconcile ¶
func (r *ReconcileClient) Reconcile(ctx context.Context, request reconcile.Request) (result reconcile.Result, err error)
Reconcile reads the state of the cluster for a Client object and makes changes based on the state read and what is in the Client.Spec. The Controller will requeue the Request to be processed again if the returned error is non-nil or Result.Requeue is true; otherwise, upon completion, it will remove the work from the queue.
func (*ReconcileClient) RemoveAnnotationFromSA ¶
func (r *ReconcileClient) RemoveAnnotationFromSA(ctx context.Context, client *oidcv1.Client, sAccNamespace string)
RemoveAnnotationFromSA removes the corresponding redirecturi annotation from the ibm-iam-operand-restricted ServiceAccount as part of the deleteClient call.
func (*ReconcileClient) SetConfig ¶
func (r *ReconcileClient) SetConfig(ctx context.Context, namespace string) (err error)
SetConfig sets the ClientControllerConfig on the ReconcileClient using the platform-auth-idp ConfigMap and platform-auth-idp-credentials Secret that are installed on the cluster.
func (*ReconcileClient) UpdateClientRegistration ¶
func (r *ReconcileClient) UpdateClientRegistration(ctx context.Context, client *oidcv1.Client, clientCreds *ClientCredentials) (response *http.Response, err error)
UpdateClientRegistration updates the OIDC Client registration represented by the Client CR to use the credentials stored in the provided Secret.
type ZenInstance ¶
// ZenInstance is the Zen instance model exchanged with the identity management
// service: sent by CreateZenInstance and returned by GetZenInstance.
type ZenInstance struct {
	// ClientID is the OIDC client the Zen instance is registered for.
	ClientID       string `json:"clientId"`
	InstanceId     string `json:"instanceId"`
	ProductNameUrl string `json:"productNameUrl"`
	// Namespace is the Kubernetes namespace the instance is associated with (as reported by the service).
	Namespace      string `json:"namespace"`
	ZenAuditUrl    string `json:"zenAuditUrl"`
}
ZenInstance represents the Zen instance model (the body of the POST and GET responses).