Documentation
Index
- Constants
- func BindToClusterRole(ctx context.Context, c client.Client, clusterRoleName string, ...) (*rbacv1.ClusterRoleBinding, error)
- func CreateOIDCKubeconfig(ctx context.Context, crateClient client.Client, ...) ([]byte, error)
- func CreateTokenForServiceAccount(ctx context.Context, c client.Client, sa *corev1.ServiceAccount, ...) (*authenticationv1.TokenRequest, error)
- func CreateTokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error)
- func EnsureNamespace(ctx context.Context, c client.Client, nsName string) (*corev1.Namespace, error)
- func EnsureServiceAccount(ctx context.Context, c client.Client, saName, saNamespace string) (*corev1.ServiceAccount, error)
- func EnsureUserClusterRole(ctx context.Context, c client.Client, crName string) (*rbacv1.ClusterRole, error)
- func FailIfNotManaged(ctx context.Context, c client.Client, obj client.Object) error
- func GetAdminAccess(ctx context.Context, c client.Client, cfg *rest.Config, ...) (*openmcpv1alpha1.APIServerAccess, error)
- func PatchManagedByLabel(ctx context.Context, c client.Client, obj client.Object) error
Constants
const DefaultAdminAccessValidityTime = 180 * 24 * time.Hour
Variables
This section is empty.
Functions
func BindToClusterRole
func BindToClusterRole(ctx context.Context, c client.Client, clusterRoleName string, subject rbacv1.Subject) (*rbacv1.ClusterRoleBinding, error)
BindToClusterRole creates/updates a ClusterRoleBinding that binds the given subject to the given ClusterRole. It returns the created/updated ClusterRoleBinding.
func CreateOIDCKubeconfig
func CreateOIDCKubeconfig(ctx context.Context, crateClient client.Client, clusterName, namespace, host, defaultIdp string, caData []byte, identityProviders []openmcpv1alpha1.IdentityProvider) ([]byte, error)
CreateOIDCKubeconfig generates a kubeconfig for a cluster that uses OIDC for authentication. For each identity provider, a user is created that uses the 'oidc-login' plugin to get a token. The cluster name is prefixed with 'mcp-<namespace>-' and the context name is clusterName--idpName.
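The kubeconfig layout described above, written out as an added Go example; this is not the package's own CreateOIDCKubeconfig and does not call it. The IdentityProvider stand-in type and its fields, the use of the provider name as the user entry name, and the kubectl oidc-login flags are assumptions, not taken from this page.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// IdentityProvider is an assumed stand-in for openmcpv1alpha1.IdentityProvider (only the fields the exec plugin needs).
type IdentityProvider struct{ Name, IssuerURL, ClientID string }
// ClusterName applies the documented 'mcp-<namespace>-' prefix.
func ClusterName(namespace, clusterName string) string { return "mcp-" + namespace + "-" + clusterName }
// ContextName applies the documented 'clusterName--idpName' convention.
func ContextName(clusterName, idpName string) string { return clusterName + "--" + idpName }

// BuildOIDCKubeconfig emits a kubeconfig as JSON (kubectl parses it as YAML) with one exec-plugin
// user per identity provider. The CA bundle is embedded so clients verify the API server instead
// of skipping TLS verification. User entry names and plugin flags are assumptions, not page facts.
func BuildOIDCKubeconfig(clusterName, namespace, host, defaultIdp string, caData []byte, idps []IdentityProvider) ([]byte, error) {
	if len(idps) == 0 || len(caData) == 0 {
		return nil, fmt.Errorf("identity providers and CA data are required")
	}
	cn := ClusterName(namespace, clusterName)
	var users, contexts []map[string]any
	current := "" // context selected by defaultIdp
	for _, idp := range idps {
		ctxName := ContextName(clusterName, idp.Name)
		if idp.Name == defaultIdp {
			current = ctxName
		}
		users = append(users, map[string]any{"name": idp.Name, "user": map[string]any{"exec": map[string]any{
			"apiVersion": "client.authentication.k8s.io/v1beta1", "command": "kubectl",
			"args": []string{"oidc-login", "get-token", "--oidc-issuer-url=" + idp.IssuerURL, "--oidc-client-id=" + idp.ClientID},
		}}})
		contexts = append(contexts, map[string]any{"name": ctxName, "context": map[string]any{"cluster": cn, "user": idp.Name}})
	}
	if current == "" {
		return nil, fmt.Errorf("default identity provider %q is not among the configured providers", defaultIdp)
	}
	return json.MarshalIndent(map[string]any{
		"apiVersion": "v1", "kind": "Config", "current-context": current, "users": users, "contexts": contexts,
		"clusters": []map[string]any{{"name": cn, "cluster": map[string]any{
			"server": host, "certificate-authority-data": base64.StdEncoding.EncodeToString(caData)}}},
	}, "", "  ")
}

func main() { // constructed sample input; the CA bytes are a placeholder, not a real certificate
	out, err := BuildOIDCKubeconfig("dev", "team-a", "https://api.example.test:6443", "corp", []byte("CONSTRUCTED-CA"), []IdentityProvider{{"corp", "https://idp.example.test", "kubernetes"}})
	fmt.Println(string(out), err)
}
```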
func CreateTokenForServiceAccount
func CreateTokenForServiceAccount(ctx context.Context, c client.Client, sa *corev1.ServiceAccount, desiredDuration *time.Duration) (*authenticationv1.TokenRequest, error)
CreateTokenForServiceAccount generates a token for the given ServiceAccount. Returns a TokenRequest object whose status contains the token and its expiration timestamp.
func CreateTokenKubeconfig
func CreateTokenKubeconfig(user, host string, caData []byte, token string) ([]byte, error)
CreateTokenKubeconfig generates a kubeconfig based on the given values. The 'user' arg is used as the key for the auth configuration and can be chosen freely.
func EnsureNamespace
func EnsureNamespace(ctx context.Context, c client.Client, nsName string) (*corev1.Namespace, error)
EnsureNamespace creates a Namespace, if required. It returns the Namespace.
func EnsureServiceAccount
func EnsureServiceAccount(ctx context.Context, c client.Client, saName, saNamespace string) (*corev1.ServiceAccount, error)
EnsureServiceAccount creates a ServiceAccount, if required. It returns the ServiceAccount.
func EnsureUserClusterRole
func EnsureUserClusterRole(ctx context.Context, c client.Client, crName string) (*rbacv1.ClusterRole, error)
EnsureUserClusterRole creates/updates a ClusterRole that has permissions for namespaces, secrets, and configmaps.
func FailIfNotManaged
func FailIfNotManaged(ctx context.Context, c client.Client, obj client.Object) error
FailIfNotManaged fetches the given object from the cluster and returns an error if it does not carry the managed-by label set to 'true'. It also returns an error if the object cannot be fetched, unless the reason is that the object does not exist, in which case nil is returned.
func GetAdminAccess
func GetAdminAccess(ctx context.Context, c client.Client, cfg *rest.Config, saName, saNamespace string) (*openmcpv1alpha1.APIServerAccess, error)
GetAdminAccess creates a ServiceAccount (if it does not exist), binds it to the cluster-admin role and returns a kubeconfig for it.
Types
This section is empty.