package credentialprovider
import "k8s.io/kubernetes/pkg/credentialprovider"
Package credentialprovider supplies interfaces and implementations for docker registry providers to expose their authentication scheme.
Index ¶
- func DefaultDockerConfigJSONPaths() []string
- func DefaultDockercfgPaths() []string
- func GetPreferredDockercfgPath() string
- func ParseSchemelessURL(schemelessURL string) (*url.URL, error)
- func ReadURL(url string, client *http.Client, header *http.Header) (body []byte, err error)
- func SetPreferredDockercfgPath(path string)
- func SplitURL(url *url.URL) (parts []string, port string)
- func URLsMatch(globURL *url.URL, targetURL *url.URL) (bool, error)
- func URLsMatchStr(glob string, target string) (bool, error)
- type AuthConfig
- type BasicDockerKeyring
- func (dk *BasicDockerKeyring) Add(src *CredentialSource, cfg DockerConfig)
- func (dk *BasicDockerKeyring) Lookup(image string) ([]TrackedAuthConfig, bool)
- type CachingDockerConfigProvider
- func (d *CachingDockerConfigProvider) Enabled() bool
- func (d *CachingDockerConfigProvider) Provide(image string) DockerConfig
- type CredentialSource
- type DockerConfig
- func ReadDockerConfigFile() (cfg DockerConfig, err error)
- func ReadDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error)
- func ReadDockerConfigJSONFile(searchPaths []string) (cfg DockerConfig, err error)
- func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error)
- func ReadSpecificDockerConfigJSONFile(filePath string) (cfg DockerConfig, err error)
- type DockerConfigEntry
- func (ident DockerConfigEntry) MarshalJSON() ([]byte, error)
- func (ident *DockerConfigEntry) UnmarshalJSON(data []byte) error
- type DockerConfigJSON
- type DockerConfigProvider
- type DockerKeyring
- type FakeKeyring
- type HTTPError
- type SecretCoordinates
- type TrackedAuthConfig
- type UnionDockerKeyring
Functions ¶
func DefaultDockerConfigJSONPaths ¶
func DefaultDockerConfigJSONPaths() []string
DefaultDockerConfigJSONPaths returns default search paths of .docker/config.json
func DefaultDockercfgPaths ¶
func DefaultDockercfgPaths() []string
DefaultDockercfgPaths returns default search paths of .dockercfg
func GetPreferredDockercfgPath ¶
func GetPreferredDockercfgPath() string
GetPreferredDockercfgPath returns the preferred docker config path.
func ParseSchemelessURL ¶
ParseSchemelessURL parses a schemeless URL and returns a url.URL. url.Parse requires a scheme, but ours don't have schemes, so a scheme is added to make url.Parse happy and the resulting scheme is then cleared out.
func ReadURL ¶
ReadURL reads the contents from the given URL.
func SetPreferredDockercfgPath ¶
func SetPreferredDockercfgPath(path string)
SetPreferredDockercfgPath sets the preferred docker config path.
func SplitURL ¶
SplitURL splits the host name into parts, as well as the port
func URLsMatch ¶
URLsMatch checks whether the given target url matches the glob url, which may have glob wild cards in the host name.
Examples:
globURL=*.docker.io, targetURL=blah.docker.io => match
globURL=*.docker.io, targetURL=not.right.io => no match
Note that we don't support wildcards in ports and paths yet.
func URLsMatchStr ¶
URLsMatchStr is a wrapper for URLsMatch, operating on strings instead of URLs.
Types ¶
type AuthConfig ¶
// AuthConfig holds the credential fields for one registry. Password,
// IdentityToken and RegistryToken are secrets, and every field carries a json
// tag, so encoding this struct with encoding/json writes them out in clear
// text whenever they are set.
// NOTE(review): keep values of this type out of logs, events and error
// messages; default struct formatting prints the secret fields too, unless the
// type defines its own formatting (none is listed on this page).
type AuthConfig struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`

	// NOTE(review): presumably the encoded credential pair as stored in the
	// docker config file; confirm, and treat it as secret either way.
	Auth string `json:"auth,omitempty"`

	// Email is an optional value associated with the username.
	// This field is deprecated and will be removed in a later
	// version of docker.
	Email string `json:"email,omitempty"`

	ServerAddress string `json:"serveraddress,omitempty"`

	// IdentityToken is used to authenticate the user and get
	// an access token for the registry.
	IdentityToken string `json:"identitytoken,omitempty"`

	// RegistryToken is a bearer token to be sent to a registry
	RegistryToken string `json:"registrytoken,omitempty"`
}
AuthConfig contains authorization information for connecting to a Registry. This type mirrors "github.com/docker/docker/api/types.AuthConfig".
type BasicDockerKeyring ¶
type BasicDockerKeyring struct {
// contains filtered or unexported fields
}
BasicDockerKeyring is a trivial map-backed implementation of DockerKeyring
func (*BasicDockerKeyring) Add ¶
func (dk *BasicDockerKeyring) Add(src *CredentialSource, cfg DockerConfig)
Add inserts the docker config `cfg` into the basic docker keyring. It attaches the `src` information that describes where the docker config `cfg` comes from. `src` is nil if the docker config is globally available on the node.
func (*BasicDockerKeyring) Lookup ¶
func (dk *BasicDockerKeyring) Lookup(image string) ([]TrackedAuthConfig, bool)
Lookup implements the DockerKeyring method for fetching credentials based on image name. Multiple credentials may be returned if there are multiple potentially valid credentials available. This allows for rotation.
type CachingDockerConfigProvider ¶
// CachingDockerConfigProvider wraps Provider and caches the DockerConfig it
// provides for Lifetime.
// NOTE(review): the cached DockerConfig holds credentials, so a credential that
// was rotated or revoked upstream can presumably still be handed out until
// Lifetime runs out; confirm against the implementation and size Lifetime to
// the credential's own validity.
type CachingDockerConfigProvider struct {
	// Provider is the underlying provider whose DockerConfig is cached.
	Provider DockerConfigProvider

	// Lifetime is how long a provided DockerConfig is cached.
	Lifetime time.Duration

	// ShouldCache is an optional function that returns true if the specific config should be cached.
	// If nil, all configs are treated as cacheable.
	ShouldCache func(DockerConfig) bool
	// contains filtered or unexported fields
}
CachingDockerConfigProvider implements DockerConfigProvider by composing with another DockerConfigProvider and caching the DockerConfig it provides for a pre-specified lifetime.
func (*CachingDockerConfigProvider) Enabled ¶
func (d *CachingDockerConfigProvider) Enabled() bool
Enabled implements dockerConfigProvider
func (*CachingDockerConfigProvider) Provide ¶
func (d *CachingDockerConfigProvider) Provide(image string) DockerConfig
Provide implements dockerConfigProvider
type CredentialSource ¶
type CredentialSource struct { Secret SecretCoordinates }
type DockerConfig ¶
type DockerConfig map[string]DockerConfigEntry
DockerConfig represents the config file used by the docker CLI. This config represents the credentials that should be used when pulling images from specific image repositories.
func ReadDockerConfigFile ¶
func ReadDockerConfigFile() (cfg DockerConfig, err error)
ReadDockerConfigFile reads a docker config file from the default path.
func ReadDockerConfigFileFromBytes ¶
func ReadDockerConfigFileFromBytes(contents []byte) (cfg DockerConfig, err error)
ReadDockerConfigFileFromBytes reads a docker config file from the given bytes.
func ReadDockerConfigJSONFile ¶
func ReadDockerConfigJSONFile(searchPaths []string) (cfg DockerConfig, err error)
ReadDockerConfigJSONFile attempts to read a docker config.json file from the given paths. If searchPaths is empty, the default paths are used.
func ReadDockercfgFile ¶
func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error)
ReadDockercfgFile attempts to read a legacy dockercfg file from the given paths. If searchPaths is empty, the default paths are used.
func ReadSpecificDockerConfigJSONFile ¶
func ReadSpecificDockerConfigJSONFile(filePath string) (cfg DockerConfig, err error)
ReadSpecificDockerConfigJSONFile attempts to read docker configJSON from a given file path.
type DockerConfigEntry ¶
// DockerConfigEntry is one entry of a DockerConfig. Password is a plain string
// field, so default struct formatting of an entry prints the secret.
// JSON encoding and decoding go through the MarshalJSON and UnmarshalJSON
// methods declared on this type rather than the default field encoding.
type DockerConfigEntry struct {
	Username string
	Password string
	Email    string

	// NOTE(review): the role of Provider on an entry is not documented on this
	// page; presumably it supplies the credentials lazily. Confirm.
	Provider DockerConfigProvider
}
DockerConfigEntry wraps a docker config as an entry.
func (DockerConfigEntry) MarshalJSON ¶
func (ident DockerConfigEntry) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*DockerConfigEntry) UnmarshalJSON ¶
func (ident *DockerConfigEntry) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type DockerConfigJSON ¶
// DockerConfigJSON is the top-level shape of a docker config.json document;
// the credential entries are read from and written to the "auths" key.
type DockerConfigJSON struct {
	// Auths holds the credential entries (a DockerConfig, i.e. a map of
	// DockerConfigEntry values keyed by string).
	Auths DockerConfig `json:"auths"`

	// NOTE(review): this page does not show where these headers are applied;
	// if they are sent on registry requests they may carry secrets. Confirm.
	//
	// +optional
	HTTPHeaders map[string]string `json:"HttpHeaders,omitempty"`
}
DockerConfigJSON represents ~/.docker/config.json file info. See https://github.com/docker/docker/pull/12009
type DockerConfigProvider ¶
// DockerConfigProvider is the interface a credential source implements.
// Neither method takes a context or a timeout, and both are documented as
// potentially blocking, so a caller cannot cancel a stalled call through this
// interface.
type DockerConfigProvider interface {
	// Enabled returns true if the config provider is enabled.
	// Implementations can be blocking - e.g. metadata server unavailable.
	Enabled() bool
	// Provide returns docker configuration.
	// Implementations can be blocking - e.g. metadata server unavailable.
	// The image is passed in as context in the event that the
	// implementation depends on information in the image name to return
	// credentials; implementations are safe to ignore the image.
	Provide(image string) DockerConfig
}
DockerConfigProvider is the interface that registered extensions implement to materialize 'dockercfg' credentials.
type DockerKeyring ¶
type DockerKeyring interface { Lookup(image string) ([]TrackedAuthConfig, bool) }
DockerKeyring tracks a set of docker registry credentials, maintaining a reverse index across the registry endpoints. A registry endpoint is made up of a host (e.g. registry.example.com), but it may also contain a path (e.g. registry.example.com/foo). This index is important for two reasons:
- registry endpoints may overlap, and when this happens we must find the most specific match for a given image
- iterating a map does not yield predictable results
func NewDefaultDockerKeyring ¶
func NewDefaultDockerKeyring() DockerKeyring
NewDefaultDockerKeyring creates a DockerKeyring to use for resolving credentials, which returns the default credentials from the .dockercfg file.
type FakeKeyring ¶
type FakeKeyring struct {
// contains filtered or unexported fields
}
FakeKeyring is a fake keyring for config credentials.
func (*FakeKeyring) Lookup ¶
func (f *FakeKeyring) Lookup(image string) ([]TrackedAuthConfig, bool)
Lookup implements the DockerKeyring method for fetching credentials based on image name. It returns the fake auth and ok.
type HTTPError ¶
HTTPError wraps a non-StatusOK error code as an error.
func (*HTTPError) Error ¶
Error implements error
type SecretCoordinates ¶
type TrackedAuthConfig ¶
// TrackedAuthConfig pairs an AuthConfig with a hash of it and the source the
// credentials came from.
type TrackedAuthConfig struct {
	// AuthConfig is embedded, so its credential fields (Password and the token
	// fields included) are promoted onto TrackedAuthConfig.
	AuthConfig

	// AuthConfigHash is the hash of the AuthConfig that NewTrackedAuthConfig
	// stores; per the package docs it is only computed when
	// KubeletEnsureSecretPulledImages is enabled.
	// NOTE(review): the hash construction is not shown on this page; confirm it
	// before treating the value as safe to log or persist.
	AuthConfigHash string

	// Source describes where the credentials came from.
	// NOTE(review): presumably nil for node-wide credentials, matching the src
	// argument of BasicDockerKeyring.Add; confirm.
	Source *CredentialSource
}
TrackedAuthConfig wraps the AuthConfig and adds information about the source of the credentials.
func NewTrackedAuthConfig ¶
func NewTrackedAuthConfig(c *AuthConfig, src *CredentialSource) *TrackedAuthConfig
NewTrackedAuthConfig initializes the TrackedAuthConfig structure by adding the source information to the supplied AuthConfig. It also computes a hash of the AuthConfig and keeps it in the returned structure.
The supplied CredentialSource is only used when the "KubeletEnsureSecretPulledImages" feature gate is enabled; the same applies to computing the hash.
type UnionDockerKeyring ¶
type UnionDockerKeyring []DockerKeyring
UnionDockerKeyring delegates to a set of keyrings.
func (UnionDockerKeyring) Lookup ¶
func (k UnionDockerKeyring) Lookup(image string) ([]TrackedAuthConfig, bool)
Lookup implements the DockerKeyring method for fetching credentials based on image name. It returns the credentials from each keyring.
Source Files ¶
config.go doc.go keyring.go provider.go
Directories ¶
Path | Synopsis |
---|---|
pkg/credentialprovider/plugin | |
pkg/credentialprovider/secrets |
- Version
- v1.33.0 (latest)
- Published
- Apr 23, 2025
- Platform
- linux/amd64
- Imports
- 21 packages