Documentation
Overview
The robotauth package contains the class for reading and writing the robot-id.json file. This file contains the ID and private key of a robot that's connected to a Cloud project.
Index
- func CreateJWTSource() oauth2.TokenSource
- type RobotAuth
- func (r *RobotAuth) CreateJWT(ctx context.Context, lifetime time.Duration) (string, error)
- func (r *RobotAuth) CreatePrivateKey() error
- func (r *RobotAuth) CreateRobotTokenSource(ctx context.Context, gcpSaChain ...string) oauth2.TokenSource
- func (r *RobotAuth) ServiceAccountEmail(saName string) (string, error)
- func (r *RobotAuth) StoreInFile() error
- func (r *RobotAuth) StoreInK8sSecret(ctx context.Context, clientset kubernetes.Interface, namespace string) error
Functions
func CreateJWTSource
func CreateJWTSource() oauth2.TokenSource
CreateJWTSource creates an OAuth2 token source for the JWTs signed by the robot's private key.
Types
type RobotAuth
type RobotAuth struct {
	RobotName           string `json:"id"`
	ProjectId           string `json:"project_id"`
	PublicKeyRegistryId string `json:"public_key_registry_id"`
	PrivateKey          []byte `json:"private_key"`
	Domain              string `json:"domain"`
}
Object containing ID, as stored in robot-id.json.
func LoadFromFile
LoadFromFile loads the key from a JSON file. If keyfile is "", it tries to load from the default location.
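A stricter loader for the same file layout, as an added example (it is not the robotauth package's LoadFromFile): it refuses a robot-id.json that group or other users can access, since the file holds the robot's private key. The type name, the function name and the path used in main are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// robotID mirrors the JSON keys documented for RobotAuth. It is a local
// type for this example, not the package's own struct.
type robotID struct {
	RobotName           string `json:"id"`
	ProjectID           string `json:"project_id"`
	PublicKeyRegistryID string `json:"public_key_registry_id"`
	PrivateKey          []byte `json:"private_key"` // base64 string in the file
	Domain              string `json:"domain"`
}

// loadRobotIDStrict (hypothetical helper) rejects exposed key files first.
func loadRobotIDStrict(path string) (*robotID, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat() // stat the open handle, not the path, to avoid a race
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() || info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %v exposes the private key", path, info.Mode())
	}
	var id robotID
	if err := json.NewDecoder(f).Decode(&id); err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	if id.RobotName == "" || id.ProjectID == "" || len(id.PrivateKey) == 0 {
		return nil, fmt.Errorf("%s: missing id, project_id or private_key", path)
	}
	return &id, nil
}

func main() {
	id, err := loadRobotIDStrict("robot-id.json") // assumed path for this example
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to load:", err)
		os.Exit(1)
	}
	fmt.Printf("robot %q in project %q\n", id.RobotName, id.ProjectID)
}
```

Because PrivateKey is a []byte, encoding/json reads and writes it as a base64 string, so the key material is encoded in the file, not encrypted.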
func LoadFromK8sSecret
func (*RobotAuth) CreateJWT
CreateJWT creates a JWT for authentication against the token vendor. This does not grant Google Cloud access, but can be used for explicit authentication with the token vendor.
func (*RobotAuth) CreatePrivateKey
CreatePrivateKey creates a private key. The private key is written to the RobotAuth struct.
func (*RobotAuth) CreateRobotTokenSource
func (r *RobotAuth) CreateRobotTokenSource(ctx context.Context, gcpSaChain ...string) oauth2.TokenSource
CreateRobotTokenSource creates an OAuth2 token source for the token vendor. This token source returns a Google Cloud access token minted for either the robot-service@ service account or a service account impersonated via the provided gcpSaChain.
func (*RobotAuth) ServiceAccountEmail
ServiceAccountEmail takes the name of a service account and returns its email form for the given RobotAuth.
Note: the method also accepts an SA in email form and returns it as-is if it resembles a GCP service account. This lets the caller use this method transparently when the robot needs an SA from a different project than RobotAuth#ProjectId. This should be very rare.
func (*RobotAuth) StoreInFile
StoreInFile writes a newly-chosen ID to disk.
func (*RobotAuth) StoreInK8sSecret
func (r *RobotAuth) StoreInK8sSecret(ctx context.Context, clientset kubernetes.Interface, namespace string) error
StoreInK8sSecret writes a new robot-id to a Kubernetes secret.