Kazan v0.11.0 Kazan.Server
Kazan.Server is a struct containing connection details for a kube server.
Summary
Functions
Creates a Kazan.Server from the application config for the kazan app
Creates a Kazan.Server from some user provided application config
Parses Kube server details from a provided kubeconfig file
Server that will connect to the cluster that kazan is running on
Like resolve_auth/2 but raises on error
Some auth methods require that auth be pulled from a provider. This does that
Types
auth_t() :: nil | Kazan.Server.BasicAuth.t() | Kazan.Server.CertificateAuth.t() | Kazan.Server.TokenAuth.t() | Kazan.Server.ProviderAuth.t()
Functions
Creates a Kazan.Server from the application config for the kazan app.
Creates a Kazan.Server from some user provided application config.
Parses Kube server details from a provided kubeconfig file.
Will use the current-context provided in the file by default, though this and other details can be overridden via options.
Note: any default namespaces provided in the kubecontext will be ignored.
Options
context can be used to override the default context we pull from the file.
user can be used to override the default user we pull from the file.
cluster can be used to override the default cluster we pull from the file.
Server that will connect to the cluster that kazan is running on.
This will speak to the server via the kubernetes domain name, using the service account credentials that are stored on the filesystem.
Like resolve_auth/2 but raises on error.
See resolve_auth/2 for more details.
Some auth methods require that auth be pulled from a provider. This does that.
For authentication methods that don’t require this, this will just return the server unchanged.
Google Kubernetes Engine (GKE)
In particular, this function is required to support connecting to GKE clusters when authentication is configured locally using gcloud.
Note that the allow_command_execution option must be passed in as true for this function to run external commands such as the gcloud auth provider. It’s recommended that you tie this parameter in to your app config or mix env somehow so this functionality is disabled on production. Otherwise this could provide a way for attackers to execute arbitrary commands. For example:
    {:ok, server} =
      Kazan.Server.from_kubeconfig("config.file")
      |> Kazan.Server.resolve_auth(
        allow_command_execution: Application.get_env(:my_app, :allow_k8s_command_execution)
      )
Refreshing
If resolve_auth is passed a Server that already has its auth resolved, it will not request new auth from the auth provider, unless the current token has expired. This means that it should be safe to call this function before every call to kubernetes, provided you cache the result of the call for future use.
Options
allow_command_execution controls whether kazan will run an external command in order to fetch authentication tokens. See the section on Google Kubernetes Engine above.
force should be set to true if you want to request a token from the auth provider regardless of whether we have one already or not.
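One way to combine the two recommendations above, gating allow_command_execution on app config and caching the resolved server between calls. This is an added example, not code from the Kazan documentation; the module name MyApp.KubeServer, the :my_app application and its allow_k8s_command_execution key are assumptions.

```elixir
# Added example; MyApp.KubeServer, :my_app and the config key are hypothetical.
#
# config/dev.exs:  config :my_app, allow_k8s_command_execution: true
# config/prod.exs: leave the key unset, so the default below (false) applies.
defmodule MyApp.KubeServer do
  use Agent

  # Parse the kubeconfig once at start-up; auth is resolved lazily in get/0.
  def start_link(kubeconfig_path) do
    Agent.start_link(
      fn -> Kazan.Server.from_kubeconfig(kubeconfig_path) end,
      name: __MODULE__
    )
  end

  # Returns {:ok, server} with usable auth, or whatever error resolve_auth/2
  # returned. Runs inside the Agent process, so concurrent callers are
  # serialised and cannot trigger parallel token refreshes.
  def get do
    Agent.get_and_update(__MODULE__, fn server ->
      opts = [allow_command_execution: allow_exec?()]

      case Kazan.Server.resolve_auth(server, opts) do
        # Cache the resolved server so later calls reuse the token
        # until it expires.
        {:ok, resolved} -> {{:ok, resolved}, resolved}
        # Keep the previous state and hand the error back to the caller.
        error -> {error, server}
      end
    end)
  end

  # Only the literal boolean true enables external commands. A missing key,
  # nil, or a string such as "true" all leave command execution disabled.
  defp allow_exec? do
    Application.get_env(:my_app, :allow_k8s_command_execution, false) == true
  end
end
```

Start it under a supervisor as `{MyApp.KubeServer, "path/to/kubeconfig"}` and call `MyApp.KubeServer.get/0` before each request to the cluster.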