Overview
Package auth obtains auth tokens for workload identity.
Types
type Client (added in v0.6.0)
type Client struct {
	KubeClient     *kubernetes.Clientset
	MetadataClient *metadata.Client
	IAMClient      *credentials.IamCredentialsClient
	HTTPClient     *http.Client
}
func (*Client) Token (added in v0.6.0)
Token fetches a workload identity auth token for the pod described by the MountConfig.
This requires obtaining a ServiceAccount token from the K8S API for the pod, trading that token for an identitybindingtoken using the securetoken.googleapis.com API, and then trading that token for a GCP Service Account token using the iamcredentials.googleapis.com API.
Caveats:
None of the API calls are cached, since the plugin binary is executed once per mount event. The tokens are meant to be used immediately, so no refresh ability is implemented; this is blocked on Issue #14.
This method requires additional K8S API permissions for the CSI driver daemonset, including serviceaccounts/token create and serviceaccounts get. These permissions could break node isolation; a long-term solution is tracked by Issue #13.
The token sent by the driver is extracted and used. However, if tokenRequests is not set in the driver spec, the provider receives no token from the driver and generates its own. Token creation can be removed once the driver implements requiresRepublish.
func (*Client) TokenSource (added in v0.6.0)
func (c *Client) TokenSource(ctx context.Context, cfg *config.MountConfig) (oauth2.TokenSource, error)
TokenSource returns the correct oauth2.TokenSource depending on the auth configuration of the MountConfig.