const globalCacheKey … const cachePurgeInterval … var scheme … var codecs … var apiVersions … func init() { … } // RegisterCredentialProviderPlugins is called from kubelet to register external credential provider // plugins according to the CredentialProviderConfig config file. func RegisterCredentialProviderPlugins(pluginConfigFile, pluginBinDir string) error { … } // newPluginProvider returns a new pluginProvider based on the credential provider config. func newPluginProvider(pluginBinDir string, provider kubeletconfig.CredentialProvider) (*pluginProvider, error) { … } type pluginProvider … type cacheEntry … // cacheKeyFunc extracts AuthEntry.MatchKey as the cache key function for the plugin provider. func cacheKeyFunc(obj interface{ … } type cacheExpirationPolicy … // IsExpired returns true if the current time is after cacheEntry.expiresAt, which is determined by the // cache duration returned from the credential provider plugin response. func (c *cacheExpirationPolicy) IsExpired(entry *cache.TimestampedEntry) bool { … } // Provide returns a credentialprovider.DockerConfig based on the credentials returned // from cache or the exec plugin. func (p *pluginProvider) Provide(image string) credentialprovider.DockerConfig { … } // Enabled always returns true since registration of the plugin via kubelet implies it should be enabled. func (p *pluginProvider) Enabled() bool { … } // isImageAllowed returns true if the image matches against the list of allowed matches by the plugin. func (p *pluginProvider) isImageAllowed(image string) bool { … } // getCachedCredentials returns a credentialprovider.DockerConfig if cached from the plugin. 
func (p *pluginProvider) getCachedCredentials(image string) (credentialprovider.DockerConfig, bool, error) { … } type Plugin … type execPlugin … // ExecPlugin executes the plugin binary with arguments and environment variables specified in CredentialProviderConfig: // // $ ENV_NAME=ENV_VALUE <plugin-name> args[0] args[1] <<<request // // The plugin is expected to receive the CredentialProviderRequest API via stdin from the kubelet and // return CredentialProviderResponse via stdout. func (e *execPlugin) ExecPlugin(ctx context.Context, image string) (*credentialproviderapi.CredentialProviderResponse, error) { … } func (e *execPlugin) runPlugin(ctx context.Context, cmd *exec.Cmd, image string) error { … } // encodeRequest encodes the internal CredentialProviderRequest type into the v1alpha1 version in json func (e *execPlugin) encodeRequest(request *credentialproviderapi.CredentialProviderRequest) ([]byte, error) { … } // decodeResponse decodes data into the internal CredentialProviderResponse type func (e *execPlugin) decodeResponse(data []byte) (*credentialproviderapi.CredentialProviderResponse, error) { … } // parseRegistry extracts the registry hostname of an image (including port if specified). func parseRegistry(image string) string { … } // mergeEnvVars overlays system-defined env vars with credential provider env vars; // it gives priority to the credential provider vars, allowing the user to override system // env vars. func mergeEnvVars(sysEnvVars, credProviderVars []string) []string { … }