Kazan v0.11.0 Kazan.Server

Kazan.Server is a struct containing connection details for a kube server.

Summary

Functions

Creates a Kazan.Server from the application config for the kazan app

Creates a Kazan.Server from some user provided application config

Parses Kube server details from a provided kubeconfig file

Server that will connect to the cluster that kazan is running on

Like resolve_auth/2 but raises on error

Some auth methods require that auth be pulled from a provider. This does that

Types

t()
t() :: %{
  url: String.t(),
  insecure_skip_tls_verify: Boolean.t(),
  ca_cert: String.t() | nil,
  auth: auth_t()
}

Functions

Creates a Kazan.Server from the application config for the kazan app

Creates a Kazan.Server from some user provided application config.

from_kubeconfig(config_file, options \\ [])
from_kubeconfig(String.t(), Keyword.t()) :: t()

Parses Kube server details from a provided kubeconfig file.

Will use the current-context provided in the file by default, though this and other details can be overridden via options.

Note: any default namespaces provided in the kubecontext will be ignored.

Options

  • context can be used to override the default context we pull from the file.
  • user can be used to override the default user we pull from the file.
  • cluster can be used to override the default cluster we pull from the file.

in_cluster(options \\ [])
in_cluster(Keyword.t()) :: t()

Server that will connect to the cluster that kazan is running on.

This will speak to the server via the Kubernetes domain name, using the service account credentials that are stored on the filesystem.

See the Kubernetes documentation for more information.

resolve_auth!(server, opts)

Like resolve_auth/2 but raises on error.

See resolve_auth/2 for more details.

resolve_auth(server, opts)

Some auth methods require that auth be pulled from a provider. This does that.

For authentication methods that don’t require this, this will just return the server unchanged.

Google Kubernetes Engine (GKE)

In particular, this function is required to support connecting to GKE clusters when authentication is configured locally using gcloud.

Note that the allow_command_execution option must be passed in as true for this function to run external commands such as the gcloud auth provider. It’s recommended that you tie this parameter into your app config or mix env so that this functionality is disabled in production. Otherwise this could provide a way for attackers to execute arbitrary commands. For example:

{:ok, server} =
  Kazan.Server.from_kubeconfig("config.file")
  |> Kazan.Server.resolve_auth(
    allow_command_execution: Application.get_env(:my_app, :allow_k8s_command_execution)
  )

Refreshing

If resolve_auth is passed a Server that already has its auth resolved, it will not request new auth from the auth provider unless the current token has expired. This means that it should be safe to call this function before every call to Kubernetes, provided you cache the result of the call for future use.

Options

  • allow_command_execution controls whether kazan will run an external command in order to fetch authentication tokens. See the section on Google Kubernetes Engine above.
  • force should be set to true if you want to request a token from the auth provider regardless of whether we have one already or not.
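
The following is an added example, not code from Kazan or its documentation. It combines the Google Kubernetes Engine note and the Refreshing section: command execution is enabled only when the app config says exactly `true`, and the resolved server is cached between calls. The module name `MyApp.KubeServer` is hypothetical, the `:my_app` / `:allow_k8s_command_execution` config key is taken from the example above, and the shape of the non-`{:ok, _}` return value is an assumption.

```elixir
defmodule MyApp.KubeServer do
  @moduledoc """
  Added example (hypothetical module, not part of Kazan): caches a resolved
  Kazan.Server and gates external command execution on application config.
  """
  use Agent

  # Set the flag only where it is needed, e.g. in config/dev.exs:
  #   config :my_app, allow_k8s_command_execution: true
  # Leave it unset in config/prod.exs so the default below applies.
  defp allow_command_execution? do
    # Fail closed: anything other than the literal `true` disables it.
    Application.get_env(:my_app, :allow_k8s_command_execution, false) == true
  end

  def start_link(kubeconfig_path) do
    Agent.start_link(
      fn -> Kazan.Server.from_kubeconfig(kubeconfig_path) end,
      name: __MODULE__
    )
  end

  @doc "Returns a server with current auth; call before each request."
  def get(opts \\ []) do
    resolve_opts = [
      allow_command_execution: allow_command_execution?(),
      force: Keyword.get(opts, :force, false)
    ]

    Agent.get_and_update(
      __MODULE__,
      fn server ->
        case Kazan.Server.resolve_auth(server, resolve_opts) do
          # Cache the resolved server so the provider is only asked again
          # once the token has expired (or when force: true is passed).
          {:ok, resolved} -> {{:ok, resolved}, resolved}
          # Assumed error shape; keep the previous state on failure.
          other -> {other, server}
        end
      end,
      # An external auth command may take longer than the 5s default.
      30_000
    )
  end
end
```

With the flag unset, `allow_command_execution` is passed as `false`, so a kubeconfig that relies on an external auth provider will not cause any command to be run in that environment.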