Documentation ¶
Index ¶
- Constants
- func RoleTemplateHash(rt *api.RoleTemplate) string
- type AccessRequestConflictError
- type AccessRequestReconciler
- type AllowedResponse
- type K8sClient
- type Service
- func (s *Service) Allowed(ctx context.Context, ar *api.AccessRequest, app *argocd.Application) (*AllowedResponse, error)
- func (s *Service) HandlePermission(ctx context.Context, ar *api.AccessRequest, app *argocd.Application, ...) (api.Status, error)
- func (s *Service) RemoveArgoCDAccess(ctx context.Context, ar *api.AccessRequest, rt *api.RoleTemplate) error
Constants ¶
const (
	// AccessRequestFinalizerName defines the name of the AccessRequest finalizer
	// managed by this controller
	AccessRequestFinalizerName = "accessrequest.ephemeral-access.argoproj-labs.io/finalizer"
)
const (
FieldOwnerEphemeralAccess = "ephemeral-access-controller"
)
Variables ¶
This section is empty.
Functions ¶
func RoleTemplateHash ¶
func RoleTemplateHash(rt *api.RoleTemplate) string
RoleTemplateHash generates a hash for the given role template based only on the fields whose change requires an update of the AppProject role.
Types ¶
type AccessRequestConflictError ¶
type AccessRequestConflictError struct {
// contains filtered or unexported fields
}
func NewAccessRequestConflictError ¶
func NewAccessRequestConflictError(msg string) *AccessRequestConflictError
func (*AccessRequestConflictError) Error ¶
func (e *AccessRequestConflictError) Error() string
type AccessRequestReconciler ¶
type AccessRequestReconciler struct {
	client.Client
	Scheme  *runtime.Scheme
	Service *Service
	Config  config.ControllerConfigurer
}
AccessRequestReconciler reconciles an AccessRequest object.
func (*AccessRequestReconciler) Reconcile ¶
func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)
Reconcile is the main function that will be invoked on every change in an AccessRequest's desired state. It will:
1. Handle the accessrequest finalizer
2. Validate the AccessRequest
3. Verify if the AccessRequest is expired
   3.1 If so, remove the user from the elevated role
   3.2 Update the accessrequest status to "expired"
4. Verify if the user has the necessary access to be promoted
   4.1 If they don't, update the accessrequest status to "denied"
5. Invoke the preconfigured plugin to check if access can be granted
6. Assign the user to the desired role in the AppProject
7. Update the accessrequest status to "granted"
func (*AccessRequestReconciler) SetupWithManager ¶
func (r *AccessRequestReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager sets up the controller with the Manager.
func (*AccessRequestReconciler) Validate ¶
func (r *AccessRequestReconciler) Validate(ctx context.Context, ar *api.AccessRequest) error
Validate will verify if there are existing AccessRequests for the same user/app/role already in progress.
type AllowedResponse ¶
type AllowedResponse struct {
	Allowed bool
	Status  plugin.GrantStatus
	Message string
}
AllowedResponse defines the response that will be returned by permission verifier plugins.
type K8sClient ¶
type K8sClient interface {
	// Patch patches the given obj in the Kubernetes cluster. obj must be a
	// struct pointer so that obj can be updated with the content returned by the Server.
	Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error

	// Get retrieves an obj for the given object key from the Kubernetes Cluster.
	// obj must be a struct pointer so that obj can be updated with the response
	// returned by the Server.
	Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error

	// Status knows how to create a client which can update status subresource
	// for kubernetes objects.
	Status() client.SubResourceWriter
}
type Service ¶
type Service struct {
	Config config.ControllerConfigurer
	// contains filtered or unexported fields
}
func NewService ¶
func NewService(c K8sClient, cfg config.ControllerConfigurer, accessRequester plugin.AccessRequester) *Service
func (*Service) Allowed ¶
func (s *Service) Allowed(ctx context.Context, ar *api.AccessRequest, app *argocd.Application) (*AllowedResponse, error)
Allowed will invoke the GrantAccess() function from this Service.accessRequester plugin. If the Service.accessRequester plugin is nil, it will allow the controller to proceed with handling the permission.
func (*Service) HandlePermission ¶
func (s *Service) HandlePermission(ctx context.Context, ar *api.AccessRequest, app *argocd.Application, rt *api.RoleTemplate) (api.Status, error)
HandlePermission analyses the given ar and proceeds with granting or removing Argo CD access for the subject listed in the AccessRequest. The following validations are executed, in this order:
- Check if the given ar is expired. If so, the subject is removed from the Argo CD role.
- Check if the subject is allowed to be assigned to the target role of the given AccessRequest. If so, it proceeds with granting Argo CD access. Otherwise it returns DeniedStatus.
It will update the AccessRequest status accordingly with the situation.
func (*Service) RemoveArgoCDAccess ¶
func (s *Service) RemoveArgoCDAccess(ctx context.Context, ar *api.AccessRequest, rt *api.RoleTemplate) error
RemoveArgoCDAccess removes the subject of the given AccessRequest from the role ar.TargetRoleName in the Argo CD project referenced by ar.Spec.AppProject. The AppProject update is executed via a patch with optimistic locking enabled, and it is retried if an AppProject conflict is identified.
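As an added illustration of the HandlePermission ordering and of the optimistic-lock retry that RemoveArgoCDAccess relies on (example code written for this page, not the project's own), the sketch below replaces the Kubernetes client with an in-memory Store: Store, UpdateRole, the integer resourceVersion and the plain string statuses are all assumptions, and the mutate callback stands in for the role edit the controller patches into the AppProject.

```go
package main

import (
	"errors"
	"slices"
	"time"
)

// Hypothetical stand-in (not the project's code): Store plays the API server for one AppProject.
type Store struct {
	Version int                 // resourceVersion: a patch is accepted only if it is still current
	Roles   map[string][]string // role name -> subjects assigned to it
}

var ErrConflict = errors.New("conflict: AppProject resourceVersion changed")

func (s *Store) Patch(expected int, role string, subs []string) error {
	if s.Version != expected {
		return ErrConflict // optimistic lock: the AppProject changed since it was read
	}
	s.Roles[role], s.Version = subs, s.Version+1
	return nil
}

// UpdateRole re-reads the role and re-applies mutate after each conflict, so a concurrent change is merged.
func UpdateRole(s *Store, role string, mutate func([]string) []string, max int) error {
	for i := 0; i < max; i++ {
		ver, subs := s.Version, slices.Clone(s.Roles[role]) // the Get half of Get-then-Patch
		err := s.Patch(ver, role, mutate(subs))
		if err == nil || !errors.Is(err, ErrConflict) {
			return err
		}
	}
	return errors.New("role " + role + ": giving up after repeated AppProject conflicts")
}

// HandlePermission keeps the documented order: expiry is handled before the allow check.
func HandlePermission(s *Store, now, expiresAt time.Time, role, subject string, allowed bool) (string, error) {
	remove := func(subs []string) []string { // what RemoveArgoCDAccess does for one subject
		return slices.DeleteFunc(subs, func(x string) bool { return x == subject })
	}
	if !now.Before(expiresAt) {
		return "expired", UpdateRole(s, role, remove, 5)
	}
	if !allowed {
		return "denied", nil
	}
	grant := func(subs []string) []string { return append(remove(subs), subject) }
	return "granted", UpdateRole(s, role, grant, 5)
}
```

Because every retry starts from a fresh read, a member added to the same role by another writer between the read and the patch survives the removal instead of being overwritten.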