Version: v0.19.0

This package is not in the latest version of its module.

Published: Aug 26, 2022 License: Apache-2.0 Imports: 9 Imported by: 0



Package concierge contains functionality to load/store Configs from/to some source.





type APIConfigSpec

type APIConfigSpec struct {
	ServingCertificateConfig ServingCertificateConfigSpec `json:"servingCertificate"`
}

APIConfigSpec contains configuration knobs for the Pinniped API.

type Config

type Config struct {
	DiscoveryInfo                DiscoveryInfoSpec `json:"discovery"`
	APIConfig                    APIConfigSpec     `json:"api"`
	APIGroupSuffix               *string           `json:"apiGroupSuffix,omitempty"`
	AggregatedAPIServerPort      *int64            `json:"aggregatedAPIServerPort"`
	ImpersonationProxyServerPort *int64            `json:"impersonationProxyServerPort"`
	NamesConfig                  NamesConfigSpec   `json:"names"`
	KubeCertAgentConfig          KubeCertAgentSpec `json:"kubeCertAgent"`
	Labels                       map[string]string `json:"labels"`
	// Deprecated: use log.level instead
	LogLevel *plog.LogLevel `json:"logLevel"`
	Log      plog.LogSpec   `json:"log"`
}

Config contains knobs to set up an instance of the Pinniped Concierge.

func FromPath

func FromPath(ctx context.Context, path string) (*Config, error)

FromPath loads a Config from a provided local file path, inserts any defaults (from the Config documentation), and verifies that the config is valid (per the Config documentation).

Note! The Config file should contain base64-encoded WebhookCABundle data. This function will decode that base64-encoded data to PEM bytes to be stored in the Config.

type DiscoveryInfoSpec

type DiscoveryInfoSpec struct {
	// URL contains the URL at which pinniped can be contacted.
	URL *string `json:"url,omitempty"`
}

DiscoveryInfoSpec contains configuration knobs specific to pinniped's publishing of discovery information. These values can be viewed as overrides, i.e., if these are set, then Pinniped will publish these values in its discovery document instead of the ones it finds.

type KubeCertAgentSpec

type KubeCertAgentSpec struct {
	// NamePrefix is the prefix of the name of the kube-cert-agent pods. For example, if this field is
	// set to "some-prefix-", then the name of the pods will look like "some-prefix-blah". The default
	// for this value is "pinniped-kube-cert-agent-".
	NamePrefix *string `json:"namePrefix,omitempty"`

	// Image is the container image that will be used by the kube-cert-agent pod. The container image
	// should contain at least 2 binaries: /bin/sleep and cat (somewhere on the $PATH). The default
	// for this value is "debian:latest".
	Image *string `json:"image"`

	// ImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
	// ImagePullSecrets on the kube-cert-agent pods.
	ImagePullSecrets []string
}

type NamesConfigSpec

type NamesConfigSpec struct {
	ServingCertificateSecret          string `json:"servingCertificateSecret"`
	CredentialIssuer                  string `json:"credentialIssuer"`
	APIService                        string `json:"apiService"`
	ImpersonationLoadBalancerService  string `json:"impersonationLoadBalancerService"`
	ImpersonationClusterIPService     string `json:"impersonationClusterIPService"`
	ImpersonationTLSCertificateSecret string `json:"impersonationTLSCertificateSecret"`
	ImpersonationCACertificateSecret  string `json:"impersonationCACertificateSecret"`
	ImpersonationSignerSecret         string `json:"impersonationSignerSecret"`
	AgentServiceAccount               string `json:"agentServiceAccount"`
}

NamesConfigSpec configures the names of some Kubernetes resources for the Concierge.

type ServingCertificateConfigSpec

type ServingCertificateConfigSpec struct {
	// DurationSeconds is the validity period, in seconds, of the API serving
	// certificate. By default, the serving certificate is issued for 31536000
	// seconds (1 year). This value is also used for the serving certificate's
	// CA certificate.
	DurationSeconds *int64 `json:"durationSeconds,omitempty"`

	// RenewBeforeSeconds is the period of time, in seconds, that Pinniped will
	// wait before rotating the serving certificate. This period of time starts
	// upon issuance of the serving certificate. This must be less than
	// DurationSeconds. By default, Pinniped begins rotation after 23328000
	// seconds (about 9 months).
	RenewBeforeSeconds *int64 `json:"renewBeforeSeconds,omitempty"`
}

ServingCertificateConfigSpec contains the configuration knobs for the API's serving certificate, i.e., the x509 certificate that it uses for the server certificate in inbound TLS connections.
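The following is an added example, not Pinniped's own code: a sketch of the "insert defaults, then validate" flow that FromPath describes, applied to the serving certificate fields only. It assumes JSON input, a local copy of the struct, and a hypothetical helper named loadServingCert; the positivity check is also an assumption. It shows why a partial override can fail: setting only a short durationSeconds leaves the default renewBeforeSeconds larger than the duration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirror of the struct documented above; not imported from Pinniped.
type ServingCertificateConfigSpec struct {
	DurationSeconds    *int64 `json:"durationSeconds,omitempty"`
	RenewBeforeSeconds *int64 `json:"renewBeforeSeconds,omitempty"`
}

// Defaults as stated in the field comments above.
const (
	defaultDurationSeconds    int64 = 31536000 // 1 year
	defaultRenewBeforeSeconds int64 = 23328000 // about 9 months
)

// loadServingCert is a hypothetical helper: decode, fill defaults, validate.
func loadServingCert(raw []byte) (*ServingCertificateConfigSpec, error) {
	var spec ServingCertificateConfigSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	// Pointer fields let us tell "unset" (nil) apart from an explicit zero.
	if spec.DurationSeconds == nil {
		d := defaultDurationSeconds
		spec.DurationSeconds = &d
	}
	if spec.RenewBeforeSeconds == nil {
		r := defaultRenewBeforeSeconds
		spec.RenewBeforeSeconds = &r
	}
	// Assumption of this sketch: non-positive periods are rejected.
	if *spec.DurationSeconds <= 0 || *spec.RenewBeforeSeconds <= 0 {
		return nil, fmt.Errorf("durationSeconds and renewBeforeSeconds must be positive")
	}
	// Documented constraint: RenewBeforeSeconds must be less than DurationSeconds.
	if *spec.RenewBeforeSeconds >= *spec.DurationSeconds {
		return nil, fmt.Errorf("renewBeforeSeconds must be less than durationSeconds")
	}
	return &spec, nil
}

func main() {
	// Constructed input: a 30-day duration with the default renew period is rejected.
	_, err := loadServingCert([]byte(`{"durationSeconds": 2592000}`))
	fmt.Println(err)
}
```

When shortening the certificate lifetime, set both fields together so the rotation point stays inside the validity period.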
