From e93788d387d19fac9fa8daa74b28e5d8b2db57c8 Mon Sep 17 00:00:00 2001 From: Marek Siarkowicz Date: Thu, 29 Oct 2020 18:15:52 +0100 Subject: [PATCH] Add datapolicy tags to staging/src/k8s.io/client-go/ Kubernetes-commit: e29c568c4a9cd45d15665345aa015e21bcff52dd --- pkg/apis/clientauthentication/types.go | 4 ++-- pkg/apis/clientauthentication/v1alpha1/types.go | 4 ++-- pkg/apis/clientauthentication/v1beta1/types.go | 4 ++-- plugin/pkg/client/auth/exec/exec.go | 4 ++-- plugin/pkg/client/auth/gcp/gcp.go | 6 +++--- rest/config.go | 6 +++--- tools/auth/clientauth.go | 4 ++-- tools/clientcmd/api/types.go | 6 +++--- tools/clientcmd/api/v1/types.go | 6 +++--- tools/clientcmd/client_config.go | 2 +- transport/cache.go | 2 +- transport/config.go | 4 ++-- transport/round_trippers.go | 4 ++-- util/certificate/certificate_manager.go | 2 +- 14 files changed, 29 insertions(+), 29 deletions(-) diff --git a/pkg/apis/clientauthentication/types.go b/pkg/apis/clientauthentication/types.go index bdae85b1..c1089979 100644 --- a/pkg/apis/clientauthentication/types.go +++ b/pkg/apis/clientauthentication/types.go @@ -66,13 +66,13 @@ type ExecCredentialStatus struct { ExpirationTimestamp *metav1.Time // Token is a bearer token used by the client for request authentication. // +optional - Token string + Token string `datapolicy:"token"` // PEM-encoded client TLS certificate. // +optional ClientCertificateData string // PEM-encoded client TLS private key. // +optional - ClientKeyData string + ClientKeyData string `datapolicy:"secret-key"` } // Response defines metadata about a failed request, including HTTP status code and diff --git a/pkg/apis/clientauthentication/v1alpha1/types.go b/pkg/apis/clientauthentication/v1alpha1/types.go index 1080fddb..1ff13c43 100644 --- a/pkg/apis/clientauthentication/v1alpha1/types.go +++ b/pkg/apis/clientauthentication/v1alpha1/types.go 
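Review bot: `ClientKeyData` in the internal `ExecCredentialStatus` is tagged `datapolicy:"secret-key"`, while the same field in v1alpha1/types.go and v1beta1/types.go, and the private-key fields in rest/config.go, tools/clientcmd and transport/cache.go, use `datapolicy:"security-key"`. The odd value also appears on `cert` in plugin/pkg/client/auth/exec/exec.go and on `expiryKey` in plugin/pkg/client/auth/gcp/gcp.go. The code that reads these tags is not part of this patch, so whether it compares exact values cannot be told from here; if it does, the internal type's private key would fall outside the policy while the versioned types are covered. I would use `datapolicy:"security-key"` here and in exec.go so that one value names one data class.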
@@ -61,11 +61,11 @@ type ExecCredentialStatus struct { // +optional ExpirationTimestamp *metav1.Time `json:"expirationTimestamp,omitempty"` // Token is a bearer token used by the client for request authentication. - Token string `json:"token,omitempty"` + Token string `json:"token,omitempty" datapolicy:"token"` // PEM-encoded client TLS certificates (including intermediates, if any). ClientCertificateData string `json:"clientCertificateData,omitempty"` // PEM-encoded private key for the above certificate. - ClientKeyData string `json:"clientKeyData,omitempty"` + ClientKeyData string `json:"clientKeyData,omitempty" datapolicy:"security-key"` } // Response defines metadata about a failed request, including HTTP status code and diff --git a/pkg/apis/clientauthentication/v1beta1/types.go b/pkg/apis/clientauthentication/v1beta1/types.go index 4c3cbc8b..fabc6f65 100644 --- a/pkg/apis/clientauthentication/v1beta1/types.go +++ b/pkg/apis/clientauthentication/v1beta1/types.go @@ -58,11 +58,11 @@ type ExecCredentialStatus struct { // +optional ExpirationTimestamp *metav1.Time `json:"expirationTimestamp,omitempty"` // Token is a bearer token used by the client for request authentication. - Token string `json:"token,omitempty"` + Token string `json:"token,omitempty" datapolicy:"token"` // PEM-encoded client TLS certificates (including intermediates, if any). ClientCertificateData string `json:"clientCertificateData,omitempty"` // PEM-encoded private key for the above certificate. - ClientKeyData string `json:"clientKeyData,omitempty"` + ClientKeyData string `json:"clientKeyData,omitempty" datapolicy:"security-key"` } // Cluster contains information to allow an exec plugin to communicate diff --git a/plugin/pkg/client/auth/exec/exec.go b/plugin/pkg/client/auth/exec/exec.go index 08c59a8c..af21c499 100644 --- a/plugin/pkg/client/auth/exec/exec.go +++ b/plugin/pkg/client/auth/exec/exec.go 
@@ -241,8 +241,8 @@ type Authenticator struct { } type credentials struct { - token string - cert *tls.Certificate + token string `datapolicy:"token"` + cert *tls.Certificate `datapolicy:"secret-key"` } // UpdateTransportConfig updates the transport.Config to use credentials diff --git a/plugin/pkg/client/auth/gcp/gcp.go b/plugin/pkg/client/auth/gcp/gcp.go index 389dc6c7..ee1bfdef 100644 --- a/plugin/pkg/client/auth/gcp/gcp.go +++ b/plugin/pkg/client/auth/gcp/gcp.go @@ -188,7 +188,7 @@ func (g *gcpAuthProvider) Login() error { return nil } type cachedTokenSource struct { lk sync.Mutex source oauth2.TokenSource - accessToken string + accessToken string `datapolicy:"token"` expiry time.Time persister restclient.AuthProviderConfigPersister cache map[string]string @@ -269,8 +269,8 @@ func (t *cachedTokenSource) baseCache() map[string]string { type commandTokenSource struct { cmd string args []string - tokenKey string - expiryKey string + tokenKey string `datapolicy:"token"` + expiryKey string `datapolicy:"secret-key"` timeFmt string } diff --git a/rest/config.go b/rest/config.go index c9d72288..3735750b 100644 --- a/rest/config.go +++ b/rest/config.go @@ -65,12 +65,12 @@ type Config struct { // Server requires Basic authentication Username string - Password string + Password string `datapolicy:"password"` // Server requires Bearer authentication. This client will not attempt to use // refresh tokens for an OAuth2 flow. // TODO: demonstrate an OAuth2 compatible client. - BearerToken string + BearerToken string `datapolicy:"token"` // Path to a file containing a BearerToken. // If set, the contents are periodically read. 
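Review bot: Only `accessToken` is tagged in `cachedTokenSource`, but the struct also carries `cache map[string]string` next to a `persister`, which looks like the persisted form of the same credential. If that map stores the access token (its contents are not visible in this hunk), it needs the same `datapolicy:"token"` tag, otherwise a dump of the struct still exposes the value through the untagged field. The struct's closing brace lies outside the hunk.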
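Review bot: `tokenKey` and `expiryKey` in `commandTokenSource` read as the names of the fields to pull out of the command's output rather than the credential itself, so tagging them looks like mislabelling; `expiryKey` in particular gets `datapolicy:"secret-key"` although it refers to an expiry time. Tags on non-sensitive fields make tag-driven redaction hide useful diagnostics and make it harder to audit which fields really hold secrets. Unless these strings can contain the token (not determinable from the hunk), I would leave both untagged, i.e. keep `tokenKey string` and `expiryKey string`.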
@@ -231,7 +231,7 @@ type TLSClientConfig struct { CertData []byte // KeyData holds PEM-encoded bytes (typically read from a client certificate key file). // KeyData takes precedence over KeyFile - KeyData []byte + KeyData []byte `datapolicy:"security-key"` // CAData holds PEM-encoded bytes (typically read from a root certificates bundle). // CAData takes precedence over CAFile CAData []byte diff --git a/tools/auth/clientauth.go b/tools/auth/clientauth.go index c3417267..4c24f799 100644 --- a/tools/auth/clientauth.go +++ b/tools/auth/clientauth.go @@ -75,11 +75,11 @@ import ( // to be read/written from a file as a JSON object. type Info struct { User string - Password string + Password string `datapolicy:"password"` CAFile string CertFile string KeyFile string - BearerToken string + BearerToken string `datapolicy:"token"` Insecure *bool } diff --git a/tools/clientcmd/api/types.go b/tools/clientcmd/api/types.go index d3d39530..24f46923 100644 --- a/tools/clientcmd/api/types.go +++ b/tools/clientcmd/api/types.go @@ -114,10 +114,10 @@ type AuthInfo struct { ClientKey string `json:"client-key,omitempty"` // ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey // +optional - ClientKeyData []byte `json:"client-key-data,omitempty"` + ClientKeyData []byte `json:"client-key-data,omitempty" datapolicy:"security-key"` // Token is the bearer token for authentication to the kubernetes cluster. // +optional - Token string `json:"token,omitempty"` + Token string `json:"token,omitempty" datapolicy:"token"` // TokenFile is a pointer to a file that contains a bearer token (as described above). If both Token and TokenFile are present, Token takes precedence. // +optional TokenFile string `json:"tokenFile,omitempty"` 
@@ -135,7 +135,7 @@ type AuthInfo struct { Username string `json:"username,omitempty"` // Password is the password for basic authentication to the kubernetes cluster. // +optional - Password string `json:"password,omitempty"` + Password string `json:"password,omitempty" datapolicy:"password"` // AuthProvider specifies a custom authentication plugin for the kubernetes cluster. // +optional AuthProvider *AuthProviderConfig `json:"auth-provider,omitempty"` diff --git a/tools/clientcmd/api/v1/types.go b/tools/clientcmd/api/v1/types.go index 70d8c20d..8c29b39c 100644 --- a/tools/clientcmd/api/v1/types.go +++ b/tools/clientcmd/api/v1/types.go @@ -104,10 +104,10 @@ type AuthInfo struct { ClientKey string `json:"client-key,omitempty"` // ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey // +optional - ClientKeyData []byte `json:"client-key-data,omitempty"` + ClientKeyData []byte `json:"client-key-data,omitempty" datapolicy:"security-key"` // Token is the bearer token for authentication to the kubernetes cluster. // +optional - Token string `json:"token,omitempty"` + Token string `json:"token,omitempty" datapolicy:"token"` // TokenFile is a pointer to a file that contains a bearer token (as described above). If both Token and TokenFile are present, Token takes precedence. // +optional TokenFile string `json:"tokenFile,omitempty"` @@ -125,7 +125,7 @@ type AuthInfo struct { Username string `json:"username,omitempty"` // Password is the password for basic authentication to the kubernetes cluster. // +optional - Password string `json:"password,omitempty"` + Password string `json:"password,omitempty" datapolicy:"password"` // AuthProvider specifies a custom authentication plugin for the kubernetes cluster. // +optional AuthProvider *AuthProviderConfig `json:"auth-provider,omitempty"` diff --git a/tools/clientcmd/client_config.go b/tools/clientcmd/client_config.go index 8a8b8036..9e1cd64a 100644 --- a/tools/clientcmd/client_config.go 
+++ b/tools/clientcmd/client_config.go @@ -77,7 +77,7 @@ type PersistAuthProviderConfigForUser func(user string) restclient.AuthProviderC type promptedCredentials struct { username string - password string + password string `datapolicy:"password"` } // DirectClientConfig is a ClientConfig interface that is backed by a clientcmdapi.Config, options overrides, and an optional fallbackReader for auth information diff --git a/transport/cache.go b/transport/cache.go index fa2afb1f..5fe768ed 100644 --- a/transport/cache.go +++ b/transport/cache.go @@ -44,7 +44,7 @@ type tlsCacheKey struct { insecure bool caData string certData string - keyData string + keyData string `datapolicy:"security-key"` certFile string keyFile string serverName string diff --git a/transport/config.go b/transport/config.go index 926cc53e..0c9ccce2 100644 --- a/transport/config.go +++ b/transport/config.go @@ -35,10 +35,10 @@ type Config struct { // Username and password for basic authentication Username string - Password string + Password string `datapolicy:"password"` // Bearer token for authentication - BearerToken string + BearerToken string `datapolicy:"token"` // Path to a file containing a BearerToken. // If set, the contents are periodically read. diff --git a/transport/round_trippers.go b/transport/round_trippers.go index f4cfadbd..b198e5db 100644 --- a/transport/round_trippers.go +++ b/transport/round_trippers.go @@ -167,7 +167,7 @@ func (rt *userAgentRoundTripper) WrappedRoundTripper() http.RoundTripper { retur type basicAuthRoundTripper struct { username string - password string + password string `datapolicy:"password"` rt http.RoundTripper } @@ -305,7 +305,7 @@ func (rt *bearerAuthRoundTripper) WrappedRoundTripper() http.RoundTripper { retu // requestInfo keeps track of information about a request/response combination type requestInfo struct { - RequestHeaders http.Header + RequestHeaders http.Header `datapolicy:"token"` RequestVerb string RequestURL string 
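Review bot: `RequestHeaders http.Header` in `requestInfo` is tagged `datapolicy:"token"`, but the map holds every request header, and with `basicAuthRoundTripper` in the same file the Authorization header can carry a password as well as a bearer token. The field should get a comment explaining why a whole header map is marked, for example `// RequestHeaders may include Authorization and other credential-bearing headers; treat the whole map as sensitive.` If the tag consumer distinguishes data classes, confirm that `token` is the intended class for basic-auth credentials too. The struct continues past the end of the hunk.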
diff --git a/util/certificate/certificate_manager.go b/util/certificate/certificate_manager.go index 4032a4c5..1afa1c1c 100644 --- a/util/certificate/certificate_manager.go +++ b/util/certificate/certificate_manager.go @@ -114,7 +114,7 @@ type Config struct { // This is intended to allow the first boot of a component to be // initialized using a generic, multi-use cert/key pair which will be // quickly replaced with a unique cert/key pair. - BootstrapKeyPEM []byte + BootstrapKeyPEM []byte `datapolicy:"security-key"` // CertificateRotation will record a metric showing the time in seconds // that certificates lived before being rotated. This metric is a histogram // because there is value in keeping a history of rotation cadences. It