ocm_get_credentials.md

January 6, 2025 · View on GitHub

ocm get credentials — Get Credentials For A Dedicated Consumer Spec

Synopsis

ocm get credentials {<consumer property>=<value>}

Aliases

credentials, creds, cred

Options

  -h, --help             help for credentials
  -m, --matcher string   matcher type override
  -s, --sloppy           sloppy matching of consumer type

Description

Try to resolve a given consumer specification against the configured credential settings and show the found credential attributes.

Matchers exist for the following usage contexts or consumer types:

Buildcredentials.ocm.software: Gardener config credential matcher

It matches the Buildcredentials.ocm.software consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type Buildcredentials.ocm.software evaluate the following credential properties:
- key: secret key use to access the credential server
Git: Git credential matcher

It matches the Git consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type Git evaluate the following credential properties:
- username: the basic auth user name
- password: the basic auth password
- token: HTTP token authentication
- privateKey: Private Key authentication certificate
Github: GitHub credential matcher

This matcher is a hostpath matcher.

Credential consumers of the consumer type Github evaluate the following credential properties:
- token: GitHub personal access token
HashiCorpVault: HashiCorp Vault credential matcher

This matcher matches credentials for a HashiCorp vault instance. It uses the following identity attributes:
- hostname: vault server host
- scheme: (optional) URL scheme
- port: (optional) server port
- namespace: vault namespace
- mountPath: mount path
- pathprefix: path prefix for secret
Credential consumers of the consumer type HashiCorpVault evaluate the following credential properties:
- authmeth: auth method
- token: vault token
- roleid: app-role role id
- secretid: app-role secret id
The only supported auth methods, so far, are token and approle.
HelmChartRepository: Helm chart repository

It matches the HelmChartRepository consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type HelmChartRepository evaluate the following credential properties:
- username: the basic auth user name
- password: the basic auth password
- certificate: TLS client certificate
- privateKey: TLS private key
- certificateAuthority: TLS certificate authority
MavenRepository: MVN repository

It matches the MavenRepository consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type MavenRepository evaluate the following credential properties:
- username: the basic auth user name
- password: the basic auth password
NpmRegistry: NPM registry

It matches the NpmRegistry consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type NpmRegistry evaluate the following credential properties:
- username: the basic auth user name
- password: the basic auth password
- email: NPM registry, require an email address
- token: the token attribute. May exist after login at any npm registry. Check your .npmrc file!
OCIRegistry: OCI registry credential matcher

It matches the OCIRegistry consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type OCIRegistry evaluate the following credential properties:
- username: the basic auth username
- password: the basic auth password
- identityToken: the bearer token used for non-basic auth authorization
- certificateAuthority: the certificate authority certificate used to verify certificates
S3: S3 credential matcher

This matcher is a hostpath matcher.

Credential consumers of the consumer type S3 evaluate the following credential properties:
- awsAccessKeyID: AWS access key id
- awsSecretAccessKey: AWS secret for access key id
- token: AWS access token (alternatively)
Signingserver.gardener.cloud: signing service credential matcher

This matcher matches credentials for a Signing Service instance. It uses the following identity attributes:
- hostname: signing server host
- scheme: (optional) URL scheme
- port: (optional) server port
- pathprefix: path prefix for the server URL
Credential consumers of the consumer type Signingserver.gardener.cloud evaluate the following credential properties:
- clientCert: client certificate for authentication
- privateKey: private key for client certificate
- caCerts: root certificate for signing server
wget: wget credential matcher

It matches the wget consumer type and additionally acts like the hostpath type.

Credential consumers of the consumer type wget evaluate the following credential properties:
- username: the basic auth user name
- password: the basic auth password
- identityToken: the bearer token used for non-basic auth authorization
- certificateAuthority: the certificate authority certificate used to verify certificates presented by the server
- certificate: the certificate used to present to the server
- privateKey: the private key corresponding to the certificate

The following standard identity matchers are supported:

exact: exact match of given pattern set
hostpath: Host and path based credential matcher

This matcher works on the following properties:
- type (required if set in pattern): the identity type
- hostname (required if set in pattern): the hostname of a server
- scheme (optional): the URL scheme of a server
- port (optional): the port of a server
- pathprefix (optional): a path prefix to match. The element with the most matching path components is selected (separator is /).
partial (default): complete match of given pattern ignoring additional attributes

The used matcher is derived from the consumer attribute type. For all other consumer types a matcher matching all attributes will be used. The usage of a dedicated matcher can be enforced by the option --matcher.