services

package
v1.26.1
Warning

This package is not in the latest version of its module.
Published: Jan 12, 2024 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var DnsParser = regexp.MustCompile("(?:.+_+)*(?P<namespace>.+)_(?P<role>.+)$")
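
How this pattern splits a group name into a namespace and a role, as an added example that is not part of the package's own code. The group names are constructed, `parseGroup` is a hypothetical helper, and the DNS-1123 check on the captured namespace is an assumption added here; this page does not show whether the package normalises the capture before using it.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern copied verbatim from the DnsParser variable documented above.
var dnsParser = regexp.MustCompile("(?:.+_+)*(?P<namespace>.+)_(?P<role>.+)$")

// DNS-1123 label syntax, which Kubernetes requires for namespace names.
// This check is added for the example; it is not taken from the package.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// parseGroup (hypothetical helper) returns the namespace and role the
// pattern captures from a group name. ok is false when the pattern does
// not match or the raw capture is not a valid namespace name.
func parseGroup(group string) (namespace, role string, ok bool) {
	m := dnsParser.FindStringSubmatch(group)
	if m == nil {
		return "", "", false
	}
	namespace = m[dnsParser.SubexpIndex("namespace")]
	role = m[dnsParser.SubexpIndex("role")]
	ok = len(namespace) <= 63 && dns1123Label.MatchString(namespace)
	return namespace, role, ok
}

func main() {
	// Constructed sample group names, not taken from a real directory.
	samples := []string{
		"DL_KUBE_myapp-dev_admin", // prefix segments are discarded
		"myapp-dev_admin",         // no prefix
		"myapp__admin",            // doubled separator leaks into the namespace
		"noseparator",             // no "_": the pattern does not match
	}
	for _, g := range samples {
		ns, role, ok := parseGroup(g)
		fmt.Printf("%-26q namespace=%q role=%q valid=%v\n", g, ns, role, ok)
	}
}
```

Only the last two underscore-separated segments decide the namespace and the role, so any prefix in a group name has no influence on which binding results.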

Functions

func CA

func CA(w http.ResponseWriter, _ *http.Request)

func CreateBlackWhitelistEvent

func CreateBlackWhitelistEvent(errEvent string, api v1.CoreV1Interface) error

func GenerateAppRoleBinding

func GenerateAppRoleBinding(namespace string)

func GenerateAppServiceAccount

func GenerateAppServiceAccount(namespace string)

Generate

func GenerateDefaultRoleBinding

func GenerateDefaultRoleBinding(namespace string)

func GenerateProjects

func GenerateProjects(context []*types.Project, blackWhiteList *types.BlackWhitelist)

A loop wrapper around generateProject, split out for unit testing.

func GenerateResources

func GenerateResources() error

Generates Namespaces and RoleBindings from LDAP groups.

func GenerateUserRoleBinding

func GenerateUserRoleBinding(namespace string, role string)

Generates a RoleBinding from the tuple. If it already exists, nothing is done; this function only creates.

func GetBlackWhitelistCM

func GetBlackWhitelistCM(api v1.CoreV1Interface) (*corev1.ConfigMap, error)

func GetPodSecurityStandardName added in v1.24.2

func GetPodSecurityStandardName(namespace string) string

func GetUserNamespace

func GetUserNamespace(group string) (*types.Project, error)

Gets the namespace and role for a group name.

func GetUserNamespaces

func GetUserNamespaces(groups []string) []*types.Project

Gets the namespace and role for a list of group names.

func MakeBlackWhitelist

func MakeBlackWhitelist(blackWhiteCMData map[string]string) types.BlackWhitelist

func NamespaceParser

func NamespaceParser(namespace string) types.Project

Parses an LDAP namespace and extracts:

- Kubernetes namespace
- Project (namespace without environment)
- Environment

If the environment is not found, the namespace is returned as is.

func RefreshK8SResources

func RefreshK8SResources()

Handler to regenerate all resources created by kubi

func WatchNetPolConfig

func WatchNetPolConfig() cache.Store

Watches NetworkPolicyConfig, which is a config object for the namespace network bubble. This CRD allows users to deploy a global network configuration:

- on update, the default network config is updated
- on deletion, it is automatically recreated
- on create, it is simply created

func WatchProjects

func WatchProjects() cache.Store

Watches NetworkPolicyConfig, which is a config object for the namespace network bubble. This CRD allows users to deploy a global network configuration:

- on update, the default network config is updated
- on deletion, it is automatically recreated
- on create, it is simply created

Types

type TokenIssuer

type TokenIssuer struct {
	EcdsaPrivate       *ecdsa.PrivateKey
	EcdsaPublic        *ecdsa.PublicKey
	TokenDuration      string
	ExtraTokenDuration string
	Locator            string
	PublicApiServerURL string
	Tenant             string
}

func (*TokenIssuer) CurrentJWT

func (issuer *TokenIssuer) CurrentJWT(usertoken string) (*types.AuthJWTClaims, error)

func (*TokenIssuer) GenerateConfig

func (issuer *TokenIssuer) GenerateConfig(w http.ResponseWriter, r *http.Request)

GenerateConfig generates a config in YAML, including the JWT token and cluster information. It can be used directly, out of the box, by kubectl. It returns well-formatted YAML.

func (*TokenIssuer) GenerateExtraToken

func (issuer *TokenIssuer) GenerateExtraToken(username string, email string, hasAdminAccess bool, hasApplicationAccess bool, hasOpsAccess bool, scopes string) (*string, error)

Generates a service token from a user account. The semantics of this token should be held by the target backend, e.g. service API, promotion API... Only users with transversal access can generate extra tokens.

func (*TokenIssuer) GenerateJWT

func (issuer *TokenIssuer) GenerateJWT(w http.ResponseWriter, r *http.Request)

func (*TokenIssuer) GenerateUserToken

func (issuer *TokenIssuer) GenerateUserToken(groups []string, username string, email string, hasAdminAccess bool, hasApplicationAccess bool, hasOpsAccess bool, hasViewerAccess bool, hasServiceAccess bool) (*string, error)

func (*TokenIssuer) VerifyToken

func (issuer *TokenIssuer) VerifyToken(usertoken string) error
