2 Copyright 2015 The Kubernetes Authors.
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
8 http://www.apache.org/licenses/LICENSE-2.0
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
26 // Config holds various options for establishing a transport.
28 // UserAgent is an optional field that specifies the caller of this
32 // The base TLS configuration for this transport.
35 // Username and password for basic authentication
39 // Bearer token for authentication
42 // Path to a file containing a BearerToken.
43 // If set, the contents are periodically read.
44 // The last successfully read value takes precedence over BearerToken.
45 BearerTokenFile string
47 // Impersonate is the config that this Config will impersonate using
48 Impersonate ImpersonationConfig
50 // Transport may be used for custom HTTP behavior. This attribute may
51 // not be specified with the TLS client certificate options. Use
52 // WrapTransport for most client level operations.
53 Transport http.RoundTripper
55 // WrapTransport will be invoked for custom HTTP behavior after the
56 // underlying transport is initialized (either the transport created
57 // from TLSClientConfig, Transport, or http.DefaultTransport). The
58 // config may layer other RoundTrippers on top of the returned
60 WrapTransport func(rt http.RoundTripper) http.RoundTripper
62 // Dial specifies the dial function for creating unencrypted TCP connections.
63 Dial func(ctx context.Context, network, address string) (net.Conn, error)
66 // ImpersonationConfig has all the available impersonation options
67 type ImpersonationConfig struct {
68 // UserName matches user.Info.GetName()
70 // Groups matches user.Info.GetGroups()
72 // Extra matches user.Info.GetExtra()
73 Extra map[string][]string
// HasCA reports whether the configuration carries a server trust anchor,
// either as in-memory PEM bytes (TLS.CAData) or as a path to a PEM file
// (TLS.CAFile). It does not validate the material; it only checks presence.
func (c *Config) HasCA() bool {
	if len(c.TLS.CAData) > 0 {
		return true
	}
	return len(c.TLS.CAFile) > 0
}
// HasBasicAuth reports whether basic authentication is configured.
// Only Username is consulted: a non-empty Username counts as basic auth
// even with an empty password, and a password without a Username does not.
func (c *Config) HasBasicAuth() bool {
	return len(c.Username) > 0
}
// HasTokenAuth reports whether bearer-token authentication is configured,
// either as an inline BearerToken or as a BearerTokenFile whose contents
// are read at runtime (the last successfully read file value takes
// precedence over the inline token, per the field documentation).
func (c *Config) HasTokenAuth() bool {
	inlineToken := len(c.BearerToken) > 0
	tokenFromFile := len(c.BearerTokenFile) > 0
	return inlineToken || tokenFromFile
}
// HasCertAuth reports whether client certificate authentication is fully
// configured from static material: a certificate (TLS.CertData or
// TLS.CertFile) AND a private key (TLS.KeyData or TLS.KeyFile) must both be
// present. A certificate without a key, or a key without a certificate, is
// not treated as cert auth. The TLS.GetCert callback is deliberately not
// considered here; see HasCertCallback.
func (c *Config) HasCertAuth() bool {
	hasCert := len(c.TLS.CertData) > 0 || len(c.TLS.CertFile) > 0
	hasKey := len(c.TLS.KeyData) > 0 || len(c.TLS.KeyFile) > 0
	return hasCert && hasKey
}
// HasCertCallback reports whether a TLS.GetCert callback is set, meaning the
// client certificate is to be supplied dynamically at handshake time. Note
// that static material (CertData, CertFile, KeyData, KeyFile) supersedes the
// callback per the TLSConfig field documentation, so this being true does not
// by itself mean the callback will be used.
func (c *Config) HasCertCallback() bool {
	if c.TLS.GetCert == nil {
		return false
	}
	return true
}
101 // TLSConfig holds the information needed to set up a TLS transport.
102 type TLSConfig struct {
103 CAFile string // Path of the PEM-encoded server trusted root certificates.
104 CertFile string // Path of the PEM-encoded client certificate.
105 KeyFile string // Path of the PEM-encoded client key.
107 Insecure bool // Server should be accessed without verifying the certificate. For testing only.
108 ServerName string // Override for the server name passed to the server for SNI and used to verify certificates.
110 CAData []byte // Bytes of the PEM-encoded server trusted root certificates. Supercedes CAFile.
111 CertData []byte // Bytes of the PEM-encoded client certificate. Supercedes CertFile.
112 KeyData []byte // Bytes of the PEM-encoded client key. Supercedes KeyFile.
114 GetCert func() (*tls.Certificate, error) // Callback that returns a TLS client certificate. CertData, CertFile, KeyData and KeyFile supercede this field.