// Source: k8s.io/client-go@v0.22.2/pkg/apis/clientauthentication/types.go

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package clientauthentication

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ExecCredential is used by exec-based plugins to communicate credentials to
// HTTP transports.
//
// Data flows in both directions through this one object: the transport fills
// in Spec before invoking the plugin, and the plugin fills in Status with the
// credentials it obtained. Once Status is populated the object carries live
// credentials (a bearer token and/or a TLS private key, see
// ExecCredentialStatus), so serialized copies should be kept out of logs and
// other persistent output.
type ExecCredential struct {
	metav1.TypeMeta

	// Spec holds information passed to the plugin by the transport. This contains
	// request and runtime specific information, such as if the session is interactive.
	Spec ExecCredentialSpec

	// Status is filled in by the plugin and holds the credentials that the transport
	// should use to contact the API. It is a pointer, so it is nil until a plugin
	// has supplied credentials.
	// +optional
	Status *ExecCredentialStatus
}

// ExecCredentialSpec holds request and runtime specific information provided by
// the transport.
type ExecCredentialSpec struct {
	// Response is populated when the transport encounters HTTP status codes, such as 401,
	// suggesting previous credentials were invalid.
	// +optional
	Response *Response

	// Interactive is true when the transport detects the command is being called from an
	// interactive prompt, i.e., when stdin has been passed to this exec plugin.
	// +optional
	Interactive bool

	// Cluster contains information to allow an exec plugin to communicate with the
	// kubernetes cluster being authenticated to. Note that Cluster is non-nil only
	// when provideClusterInfo is set to true in the exec provider config (i.e.,
	// ExecConfig.ProvideClusterInfo).
	// +optional
	Cluster *Cluster
}

// ExecCredentialStatus holds credentials for the transport to use.
//
// Two of the fields below (Token and ClientKeyData) are secrets and carry a
// datapolicy struct tag; ClientCertificateData is a certificate and carries
// no such tag.
type ExecCredentialStatus struct {
	// ExpirationTimestamp indicates a time when the provided credentials expire.
	// +optional
	ExpirationTimestamp *metav1.Time
	// Token is a bearer token used by the client for request authentication.
	// Possession of the token is what authenticates a request, so it must be
	// handled as a secret. The datapolicy tag labels the field as sensitive for
	// tooling that inspects these tags.
	// NOTE(review): presumably consumed by Kubernetes' log-sanitization checks;
	// confirm against the tooling in use.
	// +optional
	Token string `datapolicy:"token"`
	// ClientCertificateData is the PEM-encoded client TLS certificate.
	// +optional
	ClientCertificateData string
	// ClientKeyData is the PEM-encoded client TLS private key. It is secret
	// material and is labelled as such by its datapolicy tag.
	// +optional
	ClientKeyData string `datapolicy:"secret-key"`
}

// Response defines metadata about a failed request, including HTTP status code and
// response headers.
type Response struct {
	// Header holds HTTP headers returned by the server. The values originate
	// from the remote end of the connection, so a plugin that reads them should
	// treat them as untrusted input.
	Header map[string][]string
	// Code is the HTTP status code returned by the server.
	Code int32
}

// Cluster contains information to allow an exec plugin to communicate
// with the kubernetes cluster being authenticated to.
//
// To ensure that this struct contains everything someone would need to communicate
// with a kubernetes cluster (just like they would via a kubeconfig), the fields
// should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception
// of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
type Cluster struct {
	// Server is the address of the kubernetes cluster (https://hostname:port).
	Server string
	// TLSServerName is passed to the server for SNI and is used in the client to
	// check server certificates against. If TLSServerName is empty, the hostname
	// used to contact the server is used.
	// +optional
	TLSServerName string
	// InsecureSkipTLSVerify skips the validity check for the server's certificate.
	// This will make your HTTPS connections insecure: with verification skipped
	// the server's identity is not authenticated, so anything sent over the
	// connection, including credentials, can be observed or altered by an
	// on-path party. A plugin that uses this Cluster information to contact the
	// cluster inherits the same exposure.
	// +optional
	InsecureSkipTLSVerify bool
	// CertificateAuthorityData contains PEM-encoded certificate authority certificates.
	// If empty, system roots should be used.
	// +listType=atomic
	// +optional
	CertificateAuthorityData []byte
	// ProxyURL is the URL to the proxy to be used for all requests to this
	// cluster.
	// +optional
	ProxyURL string
	// Config holds additional config data that is specific to the exec
	// plugin with regards to the cluster being authenticated to.
	//
	// This data is sourced from the clientcmd Cluster object's
	// extensions[client.authentication.k8s.io/exec] field:
	//
	// clusters:
	// - name: my-cluster
	//   cluster:
	//     ...
	//     extensions:
	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
	//       extension:
	//         audience: 06e3fbd18de8  # arbitrary config
	//
	// In some environments, the user config may be exactly the same across many clusters
	// (i.e. call this exec plugin) minus some details that are specific to each cluster
	// such as the audience. This field allows the per cluster config to be directly
	// specified with the cluster info. Using this field to store secret data is not
	// recommended as one of the prime benefits of exec plugins is that no secrets need
	// to be stored directly in the kubeconfig.
	// +optional
	Config runtime.Object
}