config

package
v1.0.2
Published: Jul 11, 2019 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Types

type Config

type Config struct {
	// ClusterID is a unique-per-cluster identifier for your
	// ack-ram-authenticator installation.
	ClusterID string

	// KubeconfigPregenerated is set to `true` when a webhook kubeconfig is
	// pre-generated by running the `init` command, and therefore the
	// `server` shouldn't unnecessarily re-generate a new one.
	KubeconfigPregenerated bool

	// HostPort is the TCP Port on which to listen for authentication checks.
	HostPort int

	// Hostname is the hostname that the server binds to.
	Hostname string

	// GenerateKubeconfigPath is the output path where a generated webhook
	// kubeconfig (for `--authentication-token-webhook-config-file`) will be
	// stored.
	GenerateKubeconfigPath string

	// StateDir is the directory where generated certificates and private keys
	// will be stored. You want these persisted between runs so that your API
	// server webhook configuration doesn't change on restart.
	StateDir string

	// RoleMappings is a list of mappings from RAM Role to
	// Kubernetes username + groups.
	RoleMappings []RoleMapping

	// UserMappings is a list of mappings from RAM User to
	// Kubernetes username + groups.
	UserMappings []UserMapping

	// Address defines the hostname or IP Address to bind the HTTPS server to listen to. This is useful when creating
	// a local server to handle the authentication request for development.
	Address string
}

Config specifies the configuration for an ack-ram-authenticator server.

func (*Config) CertPath

func (c *Config) CertPath() string

CertPath returns the path to the pem file containing the certificate

func (*Config) CreateKubeconfig

func (c *Config) CreateKubeconfig() error

CreateKubeconfig creates a kubeconfig file.

func (*Config) GenerateFiles

func (c *Config) GenerateFiles() error

GenerateFiles creates the related files.

func (*Config) GetOrCreateCertificate

func (c *Config) GetOrCreateCertificate() (*tls.Certificate, error)

GetOrCreateCertificate will create a certificate if it cannot find one based on the config

func (*Config) KeyPath

func (c *Config) KeyPath() string

KeyPath returns the path to the pem file containing the private key

func (*Config) ListenAddr

func (c *Config) ListenAddr() string

ListenAddr returns the address the server listens on.

func (*Config) ListenURL

func (c *Config) ListenURL() string

ListenURL returns the URL the server listens on.

func (*Config) LoadExistingCertificate

func (c *Config) LoadExistingCertificate() (*tls.Certificate, error)

LoadExistingCertificate will load certificates from a local path

type RoleMapping

type RoleMapping struct {
	// RoleARN is the RAM Resource Name of the role. (e.g., "acs:ram::000000000000:role/Foo").
	RoleARN string

	// Username is the username pattern that instances assuming this
	// role will have in Kubernetes.
	Username string

	// Groups is a list of Kubernetes groups this role will authenticate
	// as (e.g., `system:masters`). Each group name can include placeholders.
	Groups []string
}

RoleMapping is a mapping of a RAM Role ARN to a Kubernetes username and a list of Kubernetes groups. The username and groups are specified as templates that may optionally contain two template parameters:

  1. "{{AccountID}}" is the 16-digit account ID.
  2. "{{SessionName}}" is the role session name.

The meaning of SessionName depends on the type of entity assuming the role. In the case of an ECS instance role this will be the ECS instance ID. In the case of a federated role it will be the federated identity (controlled by the federated identity provider). In the case of a role assumed directly with sts:AssumeRole it will be user controlled.

You can use plain values without parameters to have a more static mapping.
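The following is an added example, not code from the ack-ram-authenticator project, showing how a RoleMapping's templates expand: it selects a mapping by exact RoleARN, checks the documented 16-digit account ID format, and substitutes `{{AccountID}}` and `{{SessionName}}` into the username and each group. The `Render` and `Lookup` helpers and the sample ARN are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleMapping is a local copy of the struct documented above, so this file
// runs stand-alone; it is not the authenticator's own package.
type RoleMapping struct {
	RoleARN  string
	Username string
	Groups   []string
}

// accountIDRe enforces the documented 16-digit account ID format.
var accountIDRe = regexp.MustCompile(`^[0-9]{16}$`)

// Render expands {{AccountID}} and {{SessionName}} in one mapping's templates.
func Render(m RoleMapping, accountID, sessionName string) (string, []string, error) {
	if !accountIDRe.MatchString(accountID) {
		return "", nil, fmt.Errorf("account ID %q is not a 16-digit ID", accountID)
	}
	r := strings.NewReplacer("{{AccountID}}", accountID, "{{SessionName}}", sessionName)
	groups := make([]string, 0, len(m.Groups))
	for _, g := range m.Groups {
		groups = append(groups, r.Replace(g))
	}
	return r.Replace(m.Username), groups, nil
}

// Lookup selects a mapping by exact RoleARN only. SessionName (caller-chosen
// for a role assumed directly with sts:AssumeRole) is substituted into the
// result but never used to pick a mapping; an unmapped role is an error.
func Lookup(mappings []RoleMapping, roleARN, accountID, sessionName string) (string, []string, error) {
	for _, m := range mappings {
		if m.RoleARN == roleARN {
			return Render(m, accountID, sessionName)
		}
	}
	return "", nil, fmt.Errorf("no mapping for role %q", roleARN)
}

func main() {
	// Constructed sample mapping in the ARN format shown in the docs.
	m := RoleMapping{RoleARN: "acs:ram::0000000000000000:role/Foo",
		Username: "ecs:{{AccountID}}:{{SessionName}}", Groups: []string{"ecs-nodes", "account-{{AccountID}}"}}
	fmt.Println(Lookup([]RoleMapping{m}, m.RoleARN, "0000000000000000", "i-abc123"))
}
```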

type UserMapping

type UserMapping struct {
	// UserARN is the RAM Resource Name of the user. (e.g., "acs:ram::000000000000:user/Test").
	UserARN string

	// Username is the Kubernetes username this user will authenticate as (e.g., `mycorp:foo`)
	Username string

	// Groups is a list of Kubernetes groups this user will authenticate as (e.g., `system:masters`)
	Groups []string
}

UserMapping is a static mapping of a single RAM User ARN to a Kubernetes username and a list of Kubernetes groups
