Documentation
Index
- Constants
- func FormatManagedIdentityCredentialsForStorage(identifier string, credentials ManagedIdentityCredentials) (string, azsecrets.SetSecretParameters, error)
- func FormatUserAssignedIdentityCredentialsForStorage(identifier string, credentials UserAssignedIdentityCredentials) (string, azsecrets.SetSecretParameters, error)
- func GetCredential(clientOpts azcore.ClientOptions, credential UserAssignedIdentityCredentials) (*azidentity.ClientCertificateCredential, error)
- func IdentifierForManagedIdentityCredentials(identifier string) string
- func IdentifierForUserAssignedIdentityCredentials(identifier string) string
- func NewUserAssignedIdentityCredential(ctx context.Context, credentialPath string, opts ...Option) (azcore.TokenCredential, error)
- type Client
- type ClientFactory
- type ClientFactoryOption
- type CustomClaims
- type DelegatedResource
- type ManagedIdentityCredentials
- type MoveIdentityRequest
- type MoveIdentityResponse
- type Option
- type UserAssignedIdentitiesRequest
- type UserAssignedIdentityCredentials
Constants
const (
	// MsiIdentityURLHeader is provided by ARM in responses for resource creation
	// to specify the URL at which clients can get credentials for a managed identity
	// associated with the ARM resource being created.
	MsiIdentityURLHeader = "x-ms-identity-url"
	// MsiPrincipalIDHeader is provided by ARM in responses for resource creation
	// to specify the service principal ID for a managed identity associated with
	// the ARM resource being created.
	MsiPrincipalIDHeader = "x-ms-identity-principal-id"
	// MsiTenantHeader is provided by ARM in responses for resource creation to specify
	// the tenant id for a managed identity associated with the ARM resource being created.
	MsiTenantHeader = "x-ms-home-tenant-id"
)
const (
	// ManagedIdentityCredentialsStoragePrefix is a suggested prefix to use when
	// storing a ManagedIdentityCredentials object in Azure KeyVault.
	ManagedIdentityCredentialsStoragePrefix = "msi-"
	// UserAssignedIdentityCredentialsStoragePrefix is a suggested prefix to use when
	// storing a UserAssignedIdentityCredentials object in Azure KeyVault.
	UserAssignedIdentityCredentialsStoragePrefix = "uamsi-"
)
const (
	// RenewAfterKeyVaultTag is used to store the RFC3339-formatted timestamp after which the
	// certificate stored in the KeyVault item should be renewed.
	RenewAfterKeyVaultTag = "renew_after"
	// CannotRenewAfterKeyVaultTag is used to store the RFC3339-formatted timestamp after which the
	// certificate stored in the KeyVault item cannot be renewed.
	CannotRenewAfterKeyVaultTag = "cannot_renew_after"
)
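The identity URL carried in the x-ms-identity-url header is what a ClientFactory later contacts with the first-party credential, so it deserves validation before use. The following is an added example, not code from this package: it uses only the standard library, repeats the three header constants so it compiles stand-alone, and the ARMIdentity type and ParseARMIdentityHeaders function are this example's own names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Header names copied from the package's exported constants so the example is self-contained.
const (
	MsiIdentityURLHeader = "x-ms-identity-url"
	MsiPrincipalIDHeader = "x-ms-identity-principal-id"
	MsiTenantHeader      = "x-ms-home-tenant-id"
)

// ARMIdentity is this example's own type (not one from the package) holding the
// managed-identity metadata ARM attaches to a resource-creation response.
type ARMIdentity struct {
	IdentityURL *url.URL
	PrincipalID string
	TenantID    string
}

// ParseARMIdentityHeaders extracts the three headers and validates them before the
// identity URL is handed to ClientFactory.NewClient: an authenticated call is made to
// that URL, so only an absolute https URL with a host is accepted.
func ParseARMIdentityHeaders(h http.Header) (ARMIdentity, error) {
	raw := strings.TrimSpace(h.Get(MsiIdentityURLHeader))
	if raw == "" {
		return ARMIdentity{}, fmt.Errorf("missing %s header", MsiIdentityURLHeader)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ARMIdentity{}, fmt.Errorf("invalid %s: %w", MsiIdentityURLHeader, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return ARMIdentity{}, fmt.Errorf("%s must be an absolute https URL, got %q", MsiIdentityURLHeader, raw)
	}
	id := ARMIdentity{
		IdentityURL: u,
		PrincipalID: strings.TrimSpace(h.Get(MsiPrincipalIDHeader)),
		TenantID:    strings.TrimSpace(h.Get(MsiTenantHeader)),
	}
	if id.PrincipalID == "" || id.TenantID == "" {
		return ARMIdentity{}, fmt.Errorf("missing %s or %s header", MsiPrincipalIDHeader, MsiTenantHeader)
	}
	return id, nil
}
```

The query string is preserved on the parsed URL, matching the ClientFactory.NewClient note that the header is passed through "including any path, query parameters, etc."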
Variables
This section is empty.
Functions
func FormatManagedIdentityCredentialsForStorage added in v0.4.1
func FormatManagedIdentityCredentialsForStorage(identifier string, credentials ManagedIdentityCredentials) (string, azsecrets.SetSecretParameters, error)
FormatManagedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing managed identity credentials, ensuring that appropriate times are recorded for the expiry and notBefore, as well as that renewal times are recorded in tags.
func FormatUserAssignedIdentityCredentialsForStorage added in v0.4.2
func FormatUserAssignedIdentityCredentialsForStorage(identifier string, credentials UserAssignedIdentityCredentials) (string, azsecrets.SetSecretParameters, error)
FormatUserAssignedIdentityCredentialsForStorage provides the canonical KeyVault secret parameters for storing user-assigned managed identity credentials, ensuring that appropriate times are recorded for the expiry and notBefore, as well as that renewal times are recorded in tags.
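Both Format*ForStorage functions record the renew_after and cannot_renew_after tags described under Constants; a consumer reading the secret back has to interpret them. The following is an added example, not code from this package: it repeats the two tag constants, takes the azsecrets-style map[string]*string tag set, and the RenewalState type and RenewalStateFromTags function are this example's own names.

```go
package main

import (
	"fmt"
	"time"
)

// Tag names copied from the package's exported constants so the example is self-contained.
const (
	RenewAfterKeyVaultTag       = "renew_after"
	CannotRenewAfterKeyVaultTag = "cannot_renew_after"
)

// RenewalState is this example's own classification of a stored credential.
type RenewalState int

const (
	RenewalNotDue       RenewalState = iota // before renew_after: nothing to do
	RenewalDue                              // past renew_after, still before cannot_renew_after
	RenewalWindowClosed                     // past cannot_renew_after: renewal is no longer possible
)

// RenewalStateFromTags classifies a KeyVault secret at time now using the two RFC3339 tags.
// Missing, malformed or inverted tags are errors rather than being silently treated as fresh.
func RenewalStateFromTags(tags map[string]*string, now time.Time) (RenewalState, error) {
	var bounds [2]time.Time
	for i, key := range []string{RenewAfterKeyVaultTag, CannotRenewAfterKeyVaultTag} {
		v, ok := tags[key]
		if !ok || v == nil {
			return RenewalNotDue, fmt.Errorf("tag %q missing", key)
		}
		t, err := time.Parse(time.RFC3339, *v)
		if err != nil {
			return RenewalNotDue, fmt.Errorf("tag %q is not RFC3339: %w", key, err)
		}
		bounds[i] = t
	}
	renewAfter, cannotRenewAfter := bounds[0], bounds[1]
	if !cannotRenewAfter.After(renewAfter) {
		return RenewalNotDue, fmt.Errorf("%s must be later than %s", CannotRenewAfterKeyVaultTag, RenewAfterKeyVaultTag)
	}
	switch {
	case !now.Before(cannotRenewAfter):
		return RenewalWindowClosed, nil
	case !now.Before(renewAfter):
		return RenewalDue, nil
	default:
		return RenewalNotDue, nil
	}
}
```

A rotation job would act on RenewalDue and alert on RenewalWindowClosed, since the latter means the certificate must be re-issued through the data plane rather than renewed.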
func GetCredential added in v0.0.9
func GetCredential(clientOpts azcore.ClientOptions, credential UserAssignedIdentityCredentials) (*azidentity.ClientCertificateCredential, error)
GetCredential returns an azidentity credential for the given nested credential object. Clients can use the credential to get a token for the user-assigned identity.
func IdentifierForManagedIdentityCredentials added in v0.4.2
func IdentifierForManagedIdentityCredentials(identifier string) string
IdentifierForManagedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the item as storing managed identity credentials.
func IdentifierForUserAssignedIdentityCredentials added in v0.4.2
func IdentifierForUserAssignedIdentityCredentials(identifier string) string
IdentifierForUserAssignedIdentityCredentials creates a canonical identifier for a KeyVault item, labelling the item as storing user-assigned managed identity credentials.
func NewUserAssignedIdentityCredential added in v0.0.9
func NewUserAssignedIdentityCredential(ctx context.Context, credentialPath string, opts ...Option) (azcore.TokenCredential, error)
NewUserAssignedIdentityCredential creates a new reloadingCredential for a user-assigned identity. ctx is used to manage the lifecycle of the reloader, allowing for cancellation if reloading is no longer needed. credentialPath is the path to the credential file. opts allows for additional configuration, such as setting a custom logger, periodic reload time, and cloud environment.
The function ensures that a valid token is loaded before returning the credential. It also starts a background process to watch for changes to the credential file and reloads it as necessary.
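The two guarantees above, a valid load before the credential is returned and reloading when the file changes, are the parts of the reloading credential worth getting right. The following is an added example, not the package's reloadingCredential: it uses only the standard library, gates re-reads on the file's modification time, and the FileCredential type is this example's own name.

```go
package main

import (
	"os"
	"sync"
	"time"
)

// FileCredential is this example's stand-in for the package's reloadingCredential.
type FileCredential struct {
	path    string
	mu      sync.RWMutex
	data    []byte
	modTime time.Time
}

// NewFileCredential fails if the first load fails, so a caller never holds an empty credential.
func NewFileCredential(path string) (*FileCredential, error) {
	c := &FileCredential{path: path}
	if err := c.Reload(); err != nil {
		return nil, err
	}
	return c, nil
}

// Reload re-reads the file only when its mtime has moved past the cached one. On any
// error the previously loaded credential is kept rather than dropped.
func (c *FileCredential) Reload() error {
	info, err := os.Stat(c.path)
	if err != nil {
		return err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if !info.ModTime().After(c.modTime) {
		return nil
	}
	data, err := os.ReadFile(c.path)
	if err != nil {
		return err
	}
	c.data, c.modTime = data, info.ModTime()
	return nil
}

// Current returns a copy of the cached bytes so callers cannot mutate the cache.
func (c *FileCredential) Current() []byte {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return append([]byte(nil), c.data...)
}
```

A ticker calling Reload at a fixed interval plays the role of WithBackstopRefresh here; it also covers a rewrite that leaves the mtime unchanged, which the mtime check alone would miss.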
Types
type Client added in v0.0.9
type Client interface {
// DeleteSystemAssignedIdentity deletes the system-assigned identity for a proxy resource.
DeleteSystemAssignedIdentity(ctx context.Context) error
// GetSystemAssignedIdentityCredentials retrieves the credentials for the system-assigned identity associated with the proxy resource.
GetSystemAssignedIdentityCredentials(ctx context.Context) (*ManagedIdentityCredentials, error)
// GetUserAssignedIdentitiesCredentials retrieves the credentials for any user-assigned identities associated with the proxy resource.
GetUserAssignedIdentitiesCredentials(ctx context.Context, request UserAssignedIdentitiesRequest) (*ManagedIdentityCredentials, error)
// MoveIdentity moves the identity from one resource group into another.
MoveIdentity(ctx context.Context, request MoveIdentityRequest) (*MoveIdentityResponse, error)
}
Client exposes the API for the MSI data plane.
type ClientFactory added in v0.0.9
type ClientFactory interface {
// NewClient creates a client that can operate on credentials for one managed identity.
// identityURL is the x-ms-identity-url header provided from ARM, including any path,
// query parameters, etc.
NewClient(identityURL string) (Client, error)
}
ClientFactory creates clients for managed identity credentials.
func NewClientFactory added in v0.0.9
func NewClientFactory(cred azcore.TokenCredential, audience string, opts *azcore.ClientOptions, clientFactoryOpts ...ClientFactoryOption) ClientFactory
NewClientFactory creates a new MSI data plane client factory. The credentials and audience presented are for the first-party credential. As the server to be contacted for each identity varies, a factory is returned that can create clients on-demand.
type ClientFactoryOption added in v0.2.0
type ClientFactoryOption func(*clientOpts)
func WithClientLogger added in v0.2.0
func WithClientLogger(logger *logr.Logger) ClientFactoryOption
WithClientLogger sets a custom logger for the MSI data plane client. This can be useful for debugging or logging purposes.
type CustomClaims
type CustomClaims = client.CustomClaims
type DelegatedResource added in v0.0.9
type DelegatedResource = client.DelegatedResource
type ManagedIdentityCredentials added in v0.0.9
type ManagedIdentityCredentials = client.ManagedIdentityCredentials
type MoveIdentityRequest added in v0.0.9
type MoveIdentityRequest = client.MoveRequestBodyDefinition
type MoveIdentityResponse
type MoveIdentityResponse = client.MoveIdentityResponse
type Option added in v0.0.9
type Option func(*reloadingCredential)
func WithBackstopRefresh added in v0.0.9
WithBackstopRefresh sets a custom timer for the reloadingCredential. This can be useful for reloading the credential file periodically.
func WithClientOpts added in v0.4.0
func WithClientOpts(o azcore.ClientOptions) Option
WithClientOpts adds common Azure client options. Use this field to, for instance, configure the cloud environment in which this credential should authenticate.
func WithLogger added in v0.0.9
WithLogger sets a custom logger for the reloadingCredential. This can be useful for debugging or logging purposes.
type UserAssignedIdentitiesRequest added in v0.0.9
type UserAssignedIdentitiesRequest = client.CredRequestDefinition
type UserAssignedIdentityCredentials added in v0.0.9
type UserAssignedIdentityCredentials = client.UserAssignedIdentityCredentials