token-cache-plugin

Acquire, and optionally cache, bearer tokens for use with kubectl.

Purpose

An implementation of a client-go external credential provider. It was initially designed to work with kubernetes-ldap, but could be used with any webhook service that exchanges a username and password, supplied using basic auth, for a bearer token. Bearer tokens are cached locally and reused if present. This works well if the webhook service that issues and reviews tokens places a time limit on their use: users are then forced to reauthenticate periodically when their bearer token expires.

Requirements

kubectl 1.10+

Configuration

Configuring a credential plugin

apiVersion: v1
kind: Config
users:
- name: my-user
  user:
    exec:
      # Command to execute. Required.
      command: "token-cache-plugin"

      # API version to use when encoding and decoding the ExecCredentials
      # resource. Required.
      apiVersion: "client.authentication.k8s.io/v1alpha1"

      args:
      # Endpoint responsible for issuing tokens. Defaults to "".
      - '-token-request-endpoint=https://127.0.0.1:8443/ldapAuth'

      # Endpoint responsible for reviewing tokens. Defaults to "".
      - '-token-review-endpoint=https://127.0.0.1:8443/authenticate'

      # Path to CA certificate used to verify token request and token review endpoints. If not specified
      # the OS's default certificate store will be used.
      - '-ca-cert=/path/to/ca.pem'

      # Skip verification of the certificate presented by token request and token review endpoints.
      # Not recommended for production environments. Defaults to false.
      - '-skip-tls-verification=true'

      # Whether to cache tokens returned by the token request endpoint. If tokens aren't cached then
      # credentials will have to be passed every time kubectl is run. This is meant to be used with
      # time restricted tokens. Defaults to true.
      - '-cache-tokens=false'

      # Path to save locally cached tokens returned by the token request endpoint. Defaults to ~/.k8s-last-token
      - '-token-path=/fully/qualified/path/to/.token'
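
The cached bearer token is a live credential on disk, so the file named by -token-path should be readable only by its owner. The following Go code is an added example, not the plugin's own source: it assumes POSIX file permissions, and the helper names (saveToken, loadToken, render) and the refusal to read a cache that other users can access are illustrative assumptions, not confirmed behaviour of token-cache-plugin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// saveToken writes the token so that only the owning user can read it.
func saveToken(path, token string) error {
	os.Remove(path) // a fresh file gets mode 0600; WriteFile would keep an old file's mode
	return os.WriteFile(path, []byte(token), 0o600)
}

// loadToken returns the cached token, refusing a cache other users can access.
func loadToken(path string) (string, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() || info.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("token cache must be a regular file accessible only by its owner")
	}
	data, err := os.ReadFile(path)
	return strings.TrimSpace(string(data)), err
}

// render builds the ExecCredential JSON that kubectl reads from the plugin's stdout.
func render(token string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "client.authentication.k8s.io/v1alpha1",
		"kind":       "ExecCredential",
		"status":     map[string]string{"token": token},
	})
}

func main() {
	path := os.TempDir() + "/token-cache-example" // stand-in for the -token-path value
	defer os.Remove(path)
	if err := saveToken(path, "constructed-sample-token"); err != nil {
		panic(err)
	}
	token, err := loadToken(path)
	if err != nil {
		panic(err)
	}
	out, _ := render(token)
	fmt.Println(string(out))
}
```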

Build

Dependencies managed by https://github.com/golang/dep

go build

Contributors

mweigel
