
Package auth

import "github.com/oracle/oci-go-sdk/common/auth"

Overview ▾

Package auth provides supporting functions and structs for authentication

Index ▾

Constants
Variables
func GetGenericConfigurationProvider(configProvider common.ConfigurationProvider) (common.ConfigurationProvider, error)
func InstancePrincipalConfigurationForRegionWithCustomClient(region common.Region, modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)
func InstancePrincipalConfigurationProvider() (common.ConfigurationProvider, error)
func InstancePrincipalConfigurationProviderForRegion(region common.Region) (common.ConfigurationProvider, error)
func InstancePrincipalConfigurationProviderWithCustomClient(modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)
func InstancePrincipalConfigurationWithCerts(region common.Region, leafCertificate, leafPassphrase, leafPrivateKey []byte, intermediateCertificates [][]byte) (common.ConfigurationProvider, error)
func InstancePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (common.ConfigurationProvider, error)
func InstancePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (common.ConfigurationProvider, error)
func ResourcePrincipalConfigurationProviderWithInterceptor(instancePrincipalProvider common.ConfigurationProvider, resourcePrincipalTokenEndpoint, resourcePrincipalSessionTokenEndpoint string, interceptor common.RequestInterceptor) (common.ConfigurationProvider, error)
type ClaimHolder
type ConfigurationProviderWithClaimAccess
    func OkeWorkloadIdentityConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)
    func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider(saTokenProvider ServiceAccountTokenProvider) (ConfigurationProviderWithClaimAccess, error)
    func ResourcePrincipalConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)
    func ResourcePrincipalConfigurationProviderForRegion(region common.Region) (ConfigurationProviderWithClaimAccess, error)
    func ResourcePrincipalConfigurationProviderWithPathProvider(pathProvider PathProvider) (ConfigurationProviderWithClaimAccess, error)
    func ResourcePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (ConfigurationProviderWithClaimAccess, error)
    func ResourcePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (ConfigurationProviderWithClaimAccess, error)
type DefaultRptPathProvider
    func (pp DefaultRptPathProvider) Path() (*string, error)
    func (pp DefaultRptPathProvider) ResourceID() (*string, error)
type DefaultServiceAccountTokenProvider
    func NewDefaultServiceAccountTokenProvider() DefaultServiceAccountTokenProvider
    func (d DefaultServiceAccountTokenProvider) ServiceAccountToken() (string, error)
    func (d DefaultServiceAccountTokenProvider) WithSaTokenPath(tokenPath string) DefaultServiceAccountTokenProvider
type EnvRptPathProvider
    func (pp EnvRptPathProvider) Path() (*string, error)
    func (pp EnvRptPathProvider) ResourceID() (*string, error)
type ImdsRptPathProvider
    func (pp ImdsRptPathProvider) Path() (*string, error)
    func (pp ImdsRptPathProvider) ResourceID() (*string, error)
type PathProvider
type ServiceAccountTokenProvider
type StringRptPathProvider
    func (pp StringRptPathProvider) Path() (*string, error)
    func (pp StringRptPathProvider) ResourceID() (*string, error)
type SuppliedServiceAccountTokenProvider
    func NewSuppliedServiceAccountTokenProvider(tokenString string) SuppliedServiceAccountTokenProvider
    func (d SuppliedServiceAccountTokenProvider) ServiceAccountToken() (string, error)
type Token
type X509FederationDetails

Package files

certificate_retriever.go configuration.go dispatcher_modifier.go federation_client.go federation_client_oke_workload_identity.go instance_principal_delegation_token_provider.go instance_principal_key_provider.go jwt.go resource_principal_delegation_token_provider.go resource_principal_key_provider.go resource_principal_token_path_provider.go resource_principals_v1.go utils.go

Constants

const (
    // ResourcePrincipalVersion2_2 is a supported version of the resource principals
    // protocol; the value selected through ResourcePrincipalVersionEnvVar.
    ResourcePrincipalVersion2_2 = "2.2"
    // ResourcePrincipalVersionEnvVar is the name of the environment variable that
    // selects the resource principals version.
    ResourcePrincipalVersionEnvVar = "OCI_RESOURCE_PRINCIPAL_VERSION"
    // ResourcePrincipalRPSTEnvVar is the name of the environment variable holding
    // the Resource Principal Session Token (RPST) itself, or a path to a file that
    // contains it.
    ResourcePrincipalRPSTEnvVar = "OCI_RESOURCE_PRINCIPAL_RPST"
    // ResourcePrincipalPrivatePEMEnvVar is the name of the environment variable
    // holding an RSA private key in PEM format, or a path to one. The key is
    // secret material; the path form keeps it out of the process environment.
    ResourcePrincipalPrivatePEMEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM"
    // ResourcePrincipalPrivatePEMPassphraseEnvVar is the name of the environment
    // variable holding the passphrase for that key, or a path to one.
    ResourcePrincipalPrivatePEMPassphraseEnvVar = "OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM_PASSPHRASE"
    // ResourcePrincipalRegionEnvVar is the name of the environment variable holding
    // the region.
    ResourcePrincipalRegionEnvVar = "OCI_RESOURCE_PRINCIPAL_REGION"

    // ResourcePrincipalVersion1_1 is a supported version of the resource principals protocol.
    ResourcePrincipalVersion1_1 = "1.1"
    // ResourcePrincipalSessionTokenEndpoint is the name of the environment variable
    // holding the endpoint for retrieving the Resource Principal Session Token.
    // NOTE(review): despite the identifier, the value is a variable name, not a URL.
    ResourcePrincipalSessionTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPST_ENDPOINT"
    // ResourcePrincipalTokenEndpoint is the name of the environment variable holding
    // the endpoint for retrieving the Resource Principal Token; as above, a variable
    // name rather than the endpoint itself.
    ResourcePrincipalTokenEndpoint = "OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT"
    // KubernetesServiceAccountTokenPath is the default filesystem path of the
    // mounted Kubernetes service account token. The file is a credential, not
    // cluster information.
    KubernetesServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    // DefaultKubernetesServiceAccountCertPath is the default filesystem path of the
    // CA certificate (ca.crt) mounted alongside the service account token.
    DefaultKubernetesServiceAccountCertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    // OciKubernetesServiceAccountCertPath is the name of the environment variable
    // that supplies an alternative service account cert path (presumably used in
    // place of DefaultKubernetesServiceAccountCertPath; confirm in the reader).
    OciKubernetesServiceAccountCertPath = "OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH"
    // KubernetesServiceHostEnvVar is the name of the environment variable holding
    // the Kubernetes service host.
    KubernetesServiceHostEnvVar = "KUBERNETES_SERVICE_HOST"
    // KubernetesProxymuxServicePort is the port (as a string) of the Kubernetes
    // proxymux service. Unlike its neighbours this is a literal value, not an
    // environment variable name.
    KubernetesProxymuxServicePort = "12250"
    // TenancyOCIDClaimKey is the claim key used to look up the resource tenancy in an RPST.
    TenancyOCIDClaimKey = "res_tenant"
    // CompartmentOCIDClaimKey is the claim key used to look up the resource compartment in an RPST.
    CompartmentOCIDClaimKey = "res_compartment"
)
const (

    // ResourcePrincipalTokenPath is the name of the environment variable holding
    // the path used to retrieve the Resource Principal Token (RPT). When unset,
    // DefaultRptPathProvider falls back to a built-in path.
    ResourcePrincipalTokenPath = "OCI_RESOURCE_PRINCIPAL_RPT_PATH"
    // ResourceID is the name of the environment variable holding the OCID of the
    // resource acting as the resource principal. When unset, DefaultRptPathProvider
    // falls back to the instance ID from IMDS.
    ResourceID = "OCI_RESOURCE_PRINCIPAL_RPT_ID"
)

Variables

// Sentinel errors for claim lookups on a token; compare with errors.Is.
var (
    // ErrNoSuchClaim is returned when a token does not hold the claim sought.
    ErrNoSuchClaim = errors.New("no such claim")
    // ErrNonStringClaim is returned if the token has a claim for a key, but it's not a string value.
    ErrNonStringClaim = errors.New("claim does not have a string value")
)

func GetGenericConfigurationProvider

func GetGenericConfigurationProvider(configProvider common.ConfigurationProvider) (common.ConfigurationProvider, error)

GetGenericConfigurationProvider checks the auth config parameters in the config file and returns the final configuration provider

func InstancePrincipalConfigurationForRegionWithCustomClient

func InstancePrincipalConfigurationForRegionWithCustomClient(region common.Region, modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationForRegionWithCustomClient returns a configuration for instance principals for the given region, using a modifier function to customize the HTTPRequestDispatcher

func InstancePrincipalConfigurationProvider

func InstancePrincipalConfigurationProvider() (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProvider returns a configuration for instance principals

func InstancePrincipalConfigurationProviderForRegion

func InstancePrincipalConfigurationProviderForRegion(region common.Region) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProviderForRegion returns a configuration for instance principals with a given region

func InstancePrincipalConfigurationProviderWithCustomClient

func InstancePrincipalConfigurationProviderWithCustomClient(modifier func(common.HTTPRequestDispatcher) (common.HTTPRequestDispatcher, error)) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationProviderWithCustomClient returns a configuration for instance principals, using a modifier function to customize the HTTPRequestDispatcher

func InstancePrincipalConfigurationWithCerts

func InstancePrincipalConfigurationWithCerts(region common.Region, leafCertificate, leafPassphrase, leafPrivateKey []byte, intermediateCertificates [][]byte) (common.ConfigurationProvider, error)

InstancePrincipalConfigurationWithCerts returns a configuration for instance principals for the given region, using caller-supplied certificates in lieu of those fetched from the metadata service

func InstancePrincipalDelegationTokenConfigurationProvider

func InstancePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (common.ConfigurationProvider, error)

InstancePrincipalDelegationTokenConfigurationProvider returns a configuration for instance principals that authenticate with an OBO (on-behalf-of) delegation token

func InstancePrincipalDelegationTokenConfigurationProviderForRegion

func InstancePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (common.ConfigurationProvider, error)

InstancePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for instance principals that authenticate with an OBO (on-behalf-of) delegation token, for the given region

func ResourcePrincipalConfigurationProviderWithInterceptor

func ResourcePrincipalConfigurationProviderWithInterceptor(instancePrincipalProvider common.ConfigurationProvider,
    resourcePrincipalTokenEndpoint, resourcePrincipalSessionTokenEndpoint string,
    interceptor common.RequestInterceptor) (common.ConfigurationProvider, error)

ResourcePrincipalConfigurationProviderWithInterceptor creates a resource principal configuration provider with the given endpoints and an interceptor used to customize the resource principal token request sent to the target service; see https://godoc.org/github.com/oracle/oci-go-sdk/common#RequestInterceptor

type ClaimHolder

ClaimHolder is implemented by any token type that provides access to the security claims embedded in the token.

// ClaimHolder is implemented by any token type that exposes the security
// claims embedded in the token.
type ClaimHolder interface {
    // GetClaim returns the value of the claim stored under key. Implementations
    // are expected to report a missing claim with ErrNoSuchClaim and a claim
    // that exists but is not a string with ErrNonStringClaim (see the package
    // variables); confirm against the concrete token types.
    GetClaim(key string) (interface{}, error)
}

type ConfigurationProviderWithClaimAccess

ConfigurationProviderWithClaimAccess mixes in a method to access the claims held on the underlying security token

// ConfigurationProviderWithClaimAccess is a common.ConfigurationProvider that
// additionally exposes the claims held on the underlying security token.
type ConfigurationProviderWithClaimAccess interface {
    // The SDK's configuration provider contract.
    common.ConfigurationProvider
    // Access to the token's claims, e.g. via TenancyOCIDClaimKey or CompartmentOCIDClaimKey.
    ClaimHolder
}

func OkeWorkloadIdentityConfigurationProvider

func OkeWorkloadIdentityConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)

OkeWorkloadIdentityConfigurationProvider returns a resource principal configuration provider backed by OKE Workload Identity

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider

func OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider(saTokenProvider ServiceAccountTokenProvider) (ConfigurationProviderWithClaimAccess, error)

OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider returns a resource principal configuration provider backed by OKE Workload Identity, using the given service account token provider

func ResourcePrincipalConfigurationProvider

func ResourcePrincipalConfigurationProvider() (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProvider returns a resource principal configuration provider that uses well-known environment variables to look up token information. Each environment variable can hold either a path or the key material itself. However, for the keys and tokens, paths and values cannot be mixed

func ResourcePrincipalConfigurationProviderForRegion

func ResourcePrincipalConfigurationProviderForRegion(region common.Region) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProviderForRegion returns a resource principal configuration provider that uses well-known environment variables to look up token information, for the given region. Each environment variable can hold either a path or the key material itself. However, for the keys and tokens, paths and values cannot be mixed

func ResourcePrincipalConfigurationProviderWithPathProvider

func ResourcePrincipalConfigurationProviderWithPathProvider(pathProvider PathProvider) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalConfigurationProviderWithPathProvider returns a resource principal configuration provider that uses the given path provider.

func ResourcePrincipalDelegationTokenConfigurationProvider

func ResourcePrincipalDelegationTokenConfigurationProvider(delegationToken *string) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalDelegationTokenConfigurationProvider returns a configuration for resource principals that authenticate with an OBO (on-behalf-of) delegation token

func ResourcePrincipalDelegationTokenConfigurationProviderForRegion

func ResourcePrincipalDelegationTokenConfigurationProviderForRegion(delegationToken *string, region common.Region) (ConfigurationProviderWithClaimAccess, error)

ResourcePrincipalDelegationTokenConfigurationProviderForRegion returns a configuration for resource principals that authenticate with an OBO (on-behalf-of) delegation token, for the given region

type DefaultRptPathProvider

DefaultRptPathProvider is the path provider that applies the correct fallback behavior.

For the path, use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_PATH environment variable, if set. Otherwise, use the current path: "/20180711/resourcePrincipalToken/{id}"

For the resource ID, use the contents of the OCI_RESOURCE_PRINCIPAL_RPT_ID environment variable, if set. Otherwise, use IMDS to get the instance ID

This path provider is used when the caller doesn't provide a specific path provider to the resource principals signer

// DefaultRptPathProvider resolves the resource principal token (RPT) path and
// resource ID with fallbacks: the path comes from the OCI_RESOURCE_PRINCIPAL_RPT_PATH
// environment variable when set, otherwise "/20180711/resourcePrincipalToken/{id}";
// the resource ID comes from OCI_RESOURCE_PRINCIPAL_RPT_ID when set, otherwise
// from the instance ID reported by IMDS. It is the provider used when the caller
// does not supply one to the resource principals signer.
type DefaultRptPathProvider struct {
    // contains filtered or unexported fields
}

func (DefaultRptPathProvider) Path

func (pp DefaultRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (DefaultRptPathProvider) ResourceID

func (pp DefaultRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type DefaultServiceAccountTokenProvider

DefaultServiceAccountTokenProvider is supplied by the user when instantiating OkeWorkloadIdentityConfigurationProvider

// DefaultServiceAccountTokenProvider serves the service account token read from
// a file path. Construct it with NewDefaultServiceAccountTokenProvider and
// override the path with WithSaTokenPath; KubernetesServiceAccountTokenPath is
// the well-known default location (presumably the one applied when no override
// is given; confirm in the constructor).
type DefaultServiceAccountTokenProvider struct {
    // contains filtered or unexported fields
}

func NewDefaultServiceAccountTokenProvider

func NewDefaultServiceAccountTokenProvider() DefaultServiceAccountTokenProvider

NewDefaultServiceAccountTokenProvider returns a new instance of DefaultServiceAccountTokenProvider

func (DefaultServiceAccountTokenProvider) ServiceAccountToken

func (d DefaultServiceAccountTokenProvider) ServiceAccountToken() (string, error)

ServiceAccountToken returns a service account token

func (DefaultServiceAccountTokenProvider) WithSaTokenPath

func (d DefaultServiceAccountTokenProvider) WithSaTokenPath(tokenPath string) DefaultServiceAccountTokenProvider

WithSaTokenPath is a builder method that overrides the service account (SA) token path

type EnvRptPathProvider

EnvRptPathProvider sets the path and resource ID from environment variables

// EnvRptPathProvider reads both the resource principal token path and the
// resource ID from environment variables (presumably those named by
// ResourcePrincipalTokenPath and ResourceID; confirm in the implementation).
type EnvRptPathProvider struct{}

func (EnvRptPathProvider) Path

func (pp EnvRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (EnvRptPathProvider) ResourceID

func (pp EnvRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type ImdsRptPathProvider

ImdsRptPathProvider sets the path from a default value and the resource ID from instance metadata

// ImdsRptPathProvider uses a default resource principal token path and obtains
// the resource ID from the instance metadata service (IMDS).
type ImdsRptPathProvider struct{}

func (ImdsRptPathProvider) Path

func (pp ImdsRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (ImdsRptPathProvider) ResourceID

func (pp ImdsRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type PathProvider

PathProvider is an interface that returns path and resource ID

// PathProvider supplies the resource principal token path and the resource ID
// used by the resource principals signer.
type PathProvider interface {
    // Path returns the resource principal token path.
    Path() (*string, error)
    // ResourceID returns the OCID of the resource associated with the resource principal.
    ResourceID() (*string, error)
}

type ServiceAccountTokenProvider

ServiceAccountTokenProvider supplies the service account token used by the OKE Workload Identity configuration providers

// ServiceAccountTokenProvider supplies the service account token used by the
// OKE Workload Identity configuration providers.
type ServiceAccountTokenProvider interface {
    // ServiceAccountToken returns the token string, or an error if it cannot be obtained.
    ServiceAccountToken() (string, error)
}

type StringRptPathProvider

StringRptPathProvider is a simple path provider that takes a string and returns it

// StringRptPathProvider is a path provider backed by a fixed string: Path
// returns the string it was constructed with. How ResourceID is derived is not
// visible from the exported surface; check the implementation.
type StringRptPathProvider struct {
    // contains filtered or unexported fields
}

func (StringRptPathProvider) Path

func (pp StringRptPathProvider) Path() (*string, error)

Path returns the resource principal token path

func (StringRptPathProvider) ResourceID

func (pp StringRptPathProvider) ResourceID() (*string, error)

ResourceID returns the resource associated with the resource principal

type SuppliedServiceAccountTokenProvider

SuppliedServiceAccountTokenProvider is supplied by the user when instantiating OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider

// SuppliedServiceAccountTokenProvider serves a token string given by the caller
// at construction (see NewSuppliedServiceAccountTokenProvider). It is the
// provider to pass to OkeWorkloadIdentityConfigurationProviderWithServiceAccountTokenProvider
// when the token is not read from the default file path.
type SuppliedServiceAccountTokenProvider struct {
    // contains filtered or unexported fields
}

func NewSuppliedServiceAccountTokenProvider

func NewSuppliedServiceAccountTokenProvider(tokenString string) SuppliedServiceAccountTokenProvider

NewSuppliedServiceAccountTokenProvider returns a new instance of SuppliedServiceAccountTokenProvider holding the given token string

func (SuppliedServiceAccountTokenProvider) ServiceAccountToken

func (d SuppliedServiceAccountTokenProvider) ServiceAccountToken() (string, error)

ServiceAccountToken returns a service account token

type Token

Token holds a security token string.

// Token carries a security token string as exchanged in JSON.
type Token struct {
    // Token is the token value. Despite mandatory:"true", the omitempty option
    // drops an empty value from the encoded JSON rather than emitting "". The
    // value is a credential; keep it out of logs and error messages.
    Token string `mandatory:"true" json:"token,omitempty"`
}

type X509FederationDetails

X509FederationDetails describes the X.509 federation material: a certificate, its public key, and optional intermediate certificates

// X509FederationDetails describes the X.509 federation material: the leaf
// certificate, its public key, and any intermediate certificates.
type X509FederationDetails struct {
    // Certificate is the leaf certificate. Its encoding is not visible here
    // (PEM or base64 DER are both plausible); confirm against the federation client.
    Certificate              string   `mandatory:"true" json:"certificate,omitempty"`
    // PublicKey is the public key corresponding to the certificate; same
    // encoding caveat as Certificate.
    PublicKey                string   `mandatory:"true" json:"publicKey,omitempty"`
    // IntermediateCertificates is the optional chain between Certificate and a
    // trusted root; omitted from the JSON when empty.
    IntermediateCertificates []string `mandatory:"false" json:"intermediateCertificates,omitempty"`
}