diff --git a/integrations/lib/testing/fakejoin/kubesigner.go b/integrations/lib/testing/fakejoin/kubesigner.go
index 271c913d2758f..460bfff21320f 100644
--- a/integrations/lib/testing/fakejoin/kubesigner.go
+++ b/integrations/lib/testing/fakejoin/kubesigner.go
@@ -30,7 +30,7 @@ import (
"github.com/jonboulle/clockwork"
"github.com/gravitational/teleport/lib/cryptosuites"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
)
// KubernetesSigner is a JWT signer that mimicks the Kubernetes one. The signer mock Kubernetes and
@@ -87,7 +87,7 @@ func (s *KubernetesSigner) GetMarshaledJWKS() (string, error) {
// This token has the Teleport cluster name in its audience as required by the Kubernetes JWKS join method.
func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount, clusterName string) (string, error) {
now := s.clock.Now()
- claims := kubernetestoken.ServiceAccountClaims{
+ claims := kubetoken.ServiceAccountClaims{
Claims: jwt.Claims{
Subject: fmt.Sprintf("system:serviceaccount:%s:%s", namespace, serviceAccount),
Audience: jwt.Audience{clusterName},
@@ -97,13 +97,13 @@ func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount,
// The Kubernetes JWKS join method rejects tokens valid more than 30 minutes.
Expiry: jwt.NewNumericDate(now.Add(29 * time.Minute)),
},
- Kubernetes: &kubernetestoken.KubernetesSubClaim{
+ Kubernetes: &kubetoken.KubernetesSubClaim{
Namespace: namespace,
- ServiceAccount: &kubernetestoken.ServiceAccountSubClaim{
+ ServiceAccount: &kubetoken.ServiceAccountSubClaim{
Name: serviceAccount,
UID: uuid.New().String(),
},
- Pod: &kubernetestoken.PodSubClaim{
+ Pod: &kubetoken.PodSubClaim{
Name: pod,
UID: uuid.New().String(),
},
diff --git a/integrations/terraform/testlib/machineid_join_test.go b/integrations/terraform/testlib/machineid_join_test.go
index 52299c3cf457e..63d751f75630b 100644
--- a/integrations/terraform/testlib/machineid_join_test.go
+++ b/integrations/terraform/testlib/machineid_join_test.go
@@ -35,7 +35,7 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/integrations/lib/testing/fakejoin"
"github.com/gravitational/teleport/integrations/lib/testing/integration"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/integrations/terraform/provider"
@@ -115,7 +115,7 @@ func TestTerraformJoin(t *testing.T) {
tempDir := t.TempDir()
jwtPath := filepath.Join(tempDir, "token")
require.NoError(t, os.WriteFile(jwtPath, []byte(jwt), 0600))
- require.NoError(t, os.Setenv(kubernetestoken.EnvVarCustomKubernetesTokenPath, jwtPath))
+ require.NoError(t, os.Setenv(kubetoken.EnvVarCustomKubernetesTokenPath, jwtPath))
// Test setup: craft a Terraform provider configuration
terraformConfig := fmt.Sprintf(`
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 5543a6fb00752..7e1a31640cdaa 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -100,8 +100,8 @@ import (
"github.com/gravitational/teleport/lib/githubactions"
"github.com/gravitational/teleport/lib/gitlab"
"github.com/gravitational/teleport/lib/inventory"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
kubeutils "github.com/gravitational/teleport/lib/kube/utils"
- "github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/loginrule"
"github.com/gravitational/teleport/lib/modules"
@@ -618,10 +618,10 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
as.tpmValidator = tpm.Validate
}
if as.k8sTokenReviewValidator == nil {
- as.k8sTokenReviewValidator = &kubernetestoken.TokenReviewValidator{}
+ as.k8sTokenReviewValidator = &kubetoken.TokenReviewValidator{}
}
if as.k8sJWKSValidator == nil {
- as.k8sJWKSValidator = kubernetestoken.ValidateTokenWithJWKS
+ as.k8sJWKSValidator = kubetoken.ValidateTokenWithJWKS
}
if as.gcpIDTokenValidator == nil {
diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
index 5ff53115b5374..ae4ddb14136b9 100644
--- a/lib/auth/bot_test.go
+++ b/lib/auth/bot_test.go
@@ -62,7 +62,8 @@ import (
libevents "github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/events/eventstest"
"github.com/gravitational/teleport/lib/fixtures"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ "github.com/gravitational/teleport/lib/kube/token"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/reversetunnelclient"
"github.com/gravitational/teleport/lib/tbot/identity"
"github.com/gravitational/teleport/lib/tlsca"
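Review bot: The import block now pulls lib/kube/token in twice, once unaliased (so its identifier is the package name `token`) and once as `kubetoken`; that is the same package under two names, which staticcheck reports as a duplicate import and which no other file in this change does. The unaliased name is used only in the result type of the two validator closures (`*token.ValidationResult` in the TestRegisterBot_BotInstanceRejoin and TestRegisterBotWithInvalidInstanceID hunks), while their bodies build `kubetoken.ValidationResult`, because the closure's `token string` parameter shadows the package identifier inside the body — the mix reads as if two different types were involved. Drop the `"github.com/gravitational/teleport/lib/kube/token"` line and write both closure signatures as `func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error)`, matching lib/auth/join_kubernetes.go. Since the package is now literally named `token`, keeping the alias is also what avoids collisions with locals of that name elsewhere in lib/auth (e.g. `token.Spec.Kubernetes.Type` in join_kubernetes.go).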
@@ -764,9 +765,9 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
k8sReadFileFunc := func(name string) ([]byte, error) {
return []byte(k8sTokenName), nil
}
- a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
+ a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
- return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
+ return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}
return nil, errMockInvalidToken
@@ -919,9 +920,9 @@ func TestRegisterBotWithInvalidInstanceID(t *testing.T) {
botName := "bot"
k8sTokenName := "jwks-matching-service-account"
- a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
+ a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
- return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
+ return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}
return nil, errMockInvalidToken
diff --git a/lib/auth/join/join.go b/lib/auth/join/join.go
index 15deb2bb5da7b..b00c4b6bf2a7d 100644
--- a/lib/auth/join/join.go
+++ b/lib/auth/join/join.go
@@ -50,7 +50,7 @@ import (
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/githubactions"
"github.com/gravitational/teleport/lib/gitlab"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/spacelift"
"github.com/gravitational/teleport/lib/terraformcloud"
"github.com/gravitational/teleport/lib/tlsca"
@@ -238,7 +238,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
return nil, trace.Wrap(err)
}
case types.JoinMethodKubernetes:
- params.IDToken, err = kubernetestoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
+ params.IDToken, err = kubetoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
if err != nil {
return nil, trace.Wrap(err)
}
diff --git a/lib/auth/join_kubernetes.go b/lib/auth/join_kubernetes.go
index bcf9eeea05b56..d5bbc6586d831 100644
--- a/lib/auth/join_kubernetes.go
+++ b/lib/auth/join_kubernetes.go
@@ -27,16 +27,16 @@ import (
"github.com/sirupsen/logrus"
"github.com/gravitational/teleport/api/types"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
)
type k8sTokenReviewValidator interface {
- Validate(ctx context.Context, token, clusterName string) (*kubernetestoken.ValidationResult, error)
+ Validate(ctx context.Context, token, clusterName string) (*kubetoken.ValidationResult, error)
}
-type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubernetestoken.ValidationResult, error)
+type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubetoken.ValidationResult, error)
-func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubernetestoken.ValidationResult, error) {
+func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubetoken.ValidationResult, error) {
if req.IDToken == "" {
return nil, trace.BadParameter("IDToken not provided for Kubernetes join request")
}
@@ -58,7 +58,7 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
}
// Switch to join method subtype token validation.
- var result *kubernetestoken.ValidationResult
+ var result *kubetoken.ValidationResult
switch token.Spec.Kubernetes.Type {
case types.KubernetesJoinTypeStaticJWKS:
result, err = a.k8sJWKSValidator(
@@ -90,10 +90,10 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
return result, trace.Wrap(checkKubernetesAllowRules(token, result))
}
-func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubernetestoken.ValidationResult) error {
+func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubetoken.ValidationResult) error {
// If a single rule passes, accept the token
for _, rule := range pt.Spec.Kubernetes.Allow {
- wantUsername := fmt.Sprintf("%s:%s", kubernetestoken.ServiceAccountNamePrefix, rule.ServiceAccount)
+ wantUsername := fmt.Sprintf("%s:%s", kubetoken.ServiceAccountNamePrefix, rule.ServiceAccount)
if wantUsername != got.Username {
continue
}
diff --git a/lib/auth/join_kubernetes_test.go b/lib/auth/join_kubernetes_test.go
index 3af845ba5467f..00090d70a124d 100644
--- a/lib/auth/join_kubernetes_test.go
+++ b/lib/auth/join_kubernetes_test.go
@@ -28,14 +28,14 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/auth/testauthority"
- "github.com/gravitational/teleport/lib/kubernetestoken"
+ kubetoken "github.com/gravitational/teleport/lib/kube/token"
)
type mockK8STokenReviewValidator struct {
- tokens map[string]*kubernetestoken.ValidationResult
+ tokens map[string]*kubetoken.ValidationResult
}
-func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubernetestoken.ValidationResult, error) {
+func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubetoken.ValidationResult, error) {
result, ok := m.tokens[token]
if !ok {
return nil, errMockInvalidToken
@@ -48,14 +48,14 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) {
// Test setup
// Creating an auth server with mock Kubernetes token validator
- tokenReviewTokens := map[string]*kubernetestoken.ValidationResult{
+ tokenReviewTokens := map[string]*kubetoken.ValidationResult{
"matching-implicit-in-cluster": {Username: "system:serviceaccount:namespace1:service-account1"},
// "matching-explicit-in-cluster" intentionally matches the second allow
// rule of explicitInCluster to ensure all rules are processed.
"matching-explicit-in-cluster": {Username: "system:serviceaccount:namespace2:service-account2"},
"user-token": {Username: "namespace1:service-account1"},
}
- jwksTokens := map[string]*kubernetestoken.ValidationResult{
+ jwksTokens := map[string]*kubetoken.ValidationResult{
"jwks-matching-service-account": {Username: "system:serviceaccount:static-jwks:matching"},
"jwks-mismatched-service-account": {Username: "system:serviceaccount:static-jwks:mismatched"},
}
@@ -63,7 +63,7 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) {
ctx := context.Background()
p, err := newTestPack(ctx, t.TempDir(), func(server *Server) error {
server.k8sTokenReviewValidator = &mockK8STokenReviewValidator{tokens: tokenReviewTokens}
- server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
+ server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) {
result, ok := jwksTokens[token]
if !ok {
return nil, errMockInvalidToken
diff --git a/lib/kubernetestoken/token_source.go b/lib/kube/token/source.go
similarity index 98%
rename from lib/kubernetestoken/token_source.go
rename to lib/kube/token/source.go
index 55a506937cc89..8a10c442088fa 100644
--- a/lib/kubernetestoken/token_source.go
+++ b/lib/kube/token/source.go
@@ -16,7 +16,7 @@
* along with this program. If not, see .
*/
-package kubernetestoken
+package token
import (
"strings"
diff --git a/lib/kubernetestoken/token_source_test.go b/lib/kube/token/source_test.go
similarity index 99%
rename from lib/kubernetestoken/token_source_test.go
rename to lib/kube/token/source_test.go
index 4089017378278..9d3e5fd5a4092 100644
--- a/lib/kubernetestoken/token_source_test.go
+++ b/lib/kube/token/source_test.go
@@ -16,7 +16,7 @@
* along with this program. If not, see .
*/
-package kubernetestoken
+package token
import (
"io/fs"
diff --git a/lib/kubernetestoken/token_validator.go b/lib/kube/token/validator.go
similarity index 99%
rename from lib/kubernetestoken/token_validator.go
rename to lib/kube/token/validator.go
index 3d04392f2eeae..cff66b95f2454 100644
--- a/lib/kubernetestoken/token_validator.go
+++ b/lib/kube/token/validator.go
@@ -16,7 +16,7 @@
* along with this program. If not, see .
*/
-package kubernetestoken
+package token
import (
"context"
diff --git a/lib/kubernetestoken/token_validator_test.go b/lib/kube/token/validator_test.go
similarity index 99%
rename from lib/kubernetestoken/token_validator_test.go
rename to lib/kube/token/validator_test.go
index 23433f62602ef..823ca40214b22 100644
--- a/lib/kubernetestoken/token_validator_test.go
+++ b/lib/kube/token/validator_test.go
@@ -16,7 +16,7 @@
* along with this program. If not, see .
*/
-package kubernetestoken
+package token
import (
"context"