imds

package
Published: Jun 21, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package imds contains emulations of cloud provider IMDS APIs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewAzureVaultTokenFetcher

func NewAzureVaultTokenFetcher(
	vault *vault.Client,
	vaultMountPath, iamRole, resource string,
	metricSink metrics.MetricSink,
) (cache.Fetcher[*AzureCredentials], error)

func NewServer

func NewServer(ctx context.Context, conf *MetadataServerConfig) (*server.Server, func(), error)

NewServer creates a new metadata server.

Types

type AwsCredentials

// AwsCredentials is the credential document handled by the AWS provider
// (see the tokenFetcher parameter of Aws). Only AccessKeyID carries an
// explicit json tag, giving it the IMDS spelling "AccessKeyId"; the remaining
// fields are encoded under their Go field names.
//
// NOTE(review): SecretAccessKey and Token are credential material — keep them
// out of logs and error messages; confirm how callers serialize this struct.
type AwsCredentials struct {
	// AccessKeyID is serialized as "AccessKeyId" to match the IMDS document.
	AccessKeyID     string `json:"AccessKeyId"`
	Code            string
	Expiration      time.Time
	LastUpdated     time.Time
	SecretAccessKey string
	Token           string
	Type            string
}

type AwsProvider

type AwsProvider struct {
	// contains filtered or unexported fields
}

AwsProvider implements the AWS Metadata Service backed by Vault.

func Aws

func Aws(
	ctx context.Context,
	log *zap.Logger,
	v1Allowed bool,
	metricSink metrics.MetricSink,
	tokenFetcher cache.Fetcher[*AwsCredentials],
	roleGetter AwsRoleGetter,
	identifier InstanceIdentifier,
	refreshFunc cache.RefreshAtFunc, retryOpts ...retry.Option,
) (*AwsProvider, error)

Aws returns a new AwsProvider.

func (*AwsProvider) Name

func (p *AwsProvider) Name() string

Name returns the provider's logical name.

func (*AwsProvider) RegisterHandlers

func (p *AwsProvider) RegisterHandlers(router *muxt.Router, handlerFactory *HandlerFactory) error

RegisterHandlers registers all HTTP handlers for the AWS provider.

type AwsRoleGetter

type AwsRoleGetter interface {
	// contains filtered or unexported methods
}

AwsRoleGetter returns the configured AWS IMDS role. This is meant to be temporary and will be replaced once the AWS role name generated from the pod namespace and service account is passed directly to the AwsProvider.

type AwsVaultStsTokenFetcher

type AwsVaultStsTokenFetcher struct {
	// contains filtered or unexported fields
}

func NewVaultAwsStsTokenFetcher

func NewVaultAwsStsTokenFetcher(vault *vaultclient.Client,
	iamRole, vaultMountPath string,
	log *zap.Logger,
	metricSink metrics.MetricSink,
) (*AwsVaultStsTokenFetcher, error)

func (*AwsVaultStsTokenFetcher) Fetch

func (*AwsVaultStsTokenFetcher) String

func (a *AwsVaultStsTokenFetcher) String() string

type AzureCredentials

// AzureCredentials mirrors the token response of the Azure IMDS identity
// endpoint; the fields are documented at
// https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
//
// NOTE(review): AccessToken and RefreshToken are credential material — keep
// them out of logs and error messages.
type AzureCredentials struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`

	// The expiry fields are kept as strings rather than parsed, presumably to
	// match the wire format of the Azure response — confirm against consumers.
	ExpiresIn string `json:"expires_in"`
	ExpiresOn string `json:"expires_on"`
	NotBefore string `json:"not_before"`

	Resource string `json:"resource"`
	Type     string `json:"token_type"`
}

AzureCredentials fields are documented here: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

type AzureProvider

type AzureProvider struct {
	// contains filtered or unexported fields
}

AzureProvider implements the identity portion of the Azure Instance Metadata Service.

func Azure

func Azure(
	ctx context.Context,
	log *zap.Logger,
	metricSink metrics.MetricSink,
	refreshFunc cache.RefreshAtFunc,
	tokenFetcherFactory AzureTokenFetcherFactory,
	subscriptionIDGetter AzureSubscriptionIDGetter,
	retryOpts ...retry.Option,
) (*AzureProvider, error)

Azure returns a new AzureProvider.

func (*AzureProvider) Name

func (p *AzureProvider) Name() string

Name returns the provider's logical name.

func (*AzureProvider) RegisterHandlers

func (p *AzureProvider) RegisterHandlers(router *muxt.Router, handlerFactory *HandlerFactory) error

RegisterHandlers registers all HTTP handlers for the Azure provider.

type AzureSubscriptionIDGetter

type AzureSubscriptionIDGetter interface {
	// contains filtered or unexported methods
}

AzureSubscriptionIDGetter returns the Azure subscription ID for IMDS.

func NewAzureStaticSubscriptionIDGetter

func NewAzureStaticSubscriptionIDGetter(subscriptionID string) AzureSubscriptionIDGetter

func NewAzureVaultSubscriptionIDGetter

func NewAzureVaultSubscriptionIDGetter(vault *vault.Client, vaultMountPath string) AzureSubscriptionIDGetter

type AzureTokenFetcherFactory

// AzureTokenFetcherFactory builds a token fetcher for one Azure resource
// (the token audience). It is presumably invoked by AzureProvider per requested
// resource — confirm whether fetchers are cached per resource.
type AzureTokenFetcherFactory = func(resource string) (cache.Fetcher[*AzureCredentials], error)

type Config

// Config for the metadata server. Values are loaded from YAML using the
// field tags below; see Validate for the checks applied after loading.
type Config struct {
	// IamRole is the cloud provider IAM role (e.g. for GCP, the service account).
	IamRole string `yaml:"iam_role"`

	// IMDSv1Allowed enables the AWS IMDSv1 request path. The zero value is
	// false, so IMDSv1 is disabled unless set explicitly. IMDSv1 requests
	// carry no session token, so keep this off unless a workload cannot
	// speak IMDSv2.
	IMDSv1Allowed bool `yaml:"imds_v1_allowed"`

	// GcpVaultMountPath is the Vault mount path for GCP.
	GcpVaultMountPath string `yaml:"gcp_vault_mount_path"`

	// GcpProjectIds maps a GCP project name to its GCP project ID.
	GcpProjectIds map[string]string `yaml:"gcp_project_ids"`

	// AwsVaultMountPath is the Vault mount path for AWS.
	AwsVaultMountPath string `yaml:"aws_vault_mount_path"`

	// AzureVaultMountPath is the Vault mount path for Azure.
	AzureVaultMountPath string `yaml:"azure_vault_mount_path"`

	// ServerConfig holds the HTTP server configuration.
	ServerConfig server.Config `yaml:"server"`

	// Provider is the cloud provider to emulate (e.g., "aws").
	Provider string `yaml:"provider"`

	// Region is the cloud provider region (e.g., "us-east-1").
	Region string `yaml:"region"`

	// Zone is the cloud provider zone (e.g., "us-east-1a").
	Zone string `yaml:"zone"`
}

Config for the metadata server.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks the Config and returns an error if it is invalid.

type GcpCredentials

// GcpCredentials is the token handled by the GCP provider (see the
// tokenFetcher parameter of Gcp). Fields are decoded through mapstructure tags.
//
// NOTE(review): Token is credential material — keep it out of logs.
type GcpCredentials struct {
	Token            string `mapstructure:"token"`
	// ExpiresAtSeconds is the token expiry, presumably as Unix seconds —
	// confirm against the producer of this value.
	ExpiresAtSeconds int64  `mapstructure:"expires_at_seconds"`
}

type GcpProvider

type GcpProvider struct {
	// contains filtered or unexported fields
}

GcpProvider implements the GCP Metadata Service backed by Vault.

func Gcp

func Gcp(ctx context.Context, log *zap.Logger,
	metricSink metrics.MetricSink,
	tokenFetcher cache.Fetcher[*GcpCredentials],
	serviceAccountInfoGetter GcpServiceAccountInfoGetter,
	refreshFunc cache.RefreshAtFunc, retryOpts ...retry.Option,
) (*GcpProvider, error)

Gcp returns a new GcpProvider.

func (*GcpProvider) Name

func (p *GcpProvider) Name() string

Name returns the provider's logical name.

func (*GcpProvider) RegisterHandlers

func (p *GcpProvider) RegisterHandlers(router *muxt.Router, handlerFactory *HandlerFactory) error

RegisterHandlers registers all HTTP handlers for the GCP provider.

type GcpServiceAccountInfoGetter

type GcpServiceAccountInfoGetter interface {
	// contains filtered or unexported methods
}

GcpServiceAccountInfoGetter returns data about the configured GCP IMDS service account. This is meant to be temporary and will be replaced once the static data is passed directly to the GcpProvider.

type GcpVaultTokenFetcher

type GcpVaultTokenFetcher struct {
	// contains filtered or unexported fields
}

func NewGcpVaultTokenFetcher

func NewGcpVaultTokenFetcher(vault *vault.Client,
	iamRole, vaultMountPath string,
	projectIds map[string]string,
	log *zap.Logger,
	metricSink metrics.MetricSink,
) (*GcpVaultTokenFetcher, error)

func (*GcpVaultTokenFetcher) Fetch

func (*GcpVaultTokenFetcher) String

func (g *GcpVaultTokenFetcher) String() string

type HTTPError

type HTTPError struct {
	// contains filtered or unexported fields
}

HTTPError should be returned by HTTP handlers that need to respond with a custom HTTP status code or response body. Otherwise, HTTP handlers should return a plain `error`.

func (HTTPError) Error

func (he HTTPError) Error() string

func (HTTPError) Status

func (he HTTPError) Status() int

Status returns the HTTP status code of the response.

type HandlerFactory

type HandlerFactory struct {
	// contains filtered or unexported fields
}

HandlerFactory creates HTTP Handlers.

func NewHandlerFactory

func NewHandlerFactory(metricSink metrics.MetricSink, log *zap.Logger) *HandlerFactory

NewHandlerFactory creates a HandlerFactory.

func (*HandlerFactory) CreateHTTPHandler

func (f *HandlerFactory) CreateHTTPHandler(provider string, handlerFunc handlerFunc) http.Handler

CreateHTTPHandler wraps handlerFunc as an http.Handler for the named provider.

type InstanceIdentifier

// InstanceIdentifier provides an instance identity document.
type InstanceIdentifier interface {
	// GetInstanceIdentity returns the identity document for the current
	// instance. The document is untyped (interface{}) so implementations can
	// return whatever shape the provider serializes; see NewAwsInstanceIdentifier.
	GetInstanceIdentity(context.Context) (interface{}, error)
}

InstanceIdentifier provides an instance identity document.

func NewAwsInstanceIdentifier

func NewAwsInstanceIdentifier(provider, region, zone string) InstanceIdentifier

NewAwsInstanceIdentifier builds an instance identity document provider from the given cloud provider context (provider, region and zone).

type MetadataServerConfig

// MetadataServerConfig bundles the dependencies NewServer needs.
type MetadataServerConfig struct {
	// CloudiamConf is the provider/Vault configuration; see Config.Validate.
	CloudiamConf  Config
	// DDVaultClient is the Vault client, presumably handed to the token
	// fetchers (NewVaultAwsStsTokenFetcher etc.) — confirm in NewServer.
	DDVaultClient *vault.Client

	// MetricSink receives server and provider metrics.
	MetricSink metrics.MetricSink
	// Log is the logger passed on to providers and handlers.
	Log        *zap.Logger
}

type Provider

// Provider is one cloud provider's Metadata Service emulation, backed by
// Vault, as seen by the server: it has a name and registers its HTTP handlers.
type Provider interface {

	// Name returns the name of the Provider.
	Name() string

	// RegisterHandlers registers HTTP handlers with the server.
	//
	// The `*muxt.Router` parameter is the server's router and `HandlerFactory`
	// is a factory for creating the HTTP Handlers that serve requests.
	RegisterHandlers(router *muxt.Router, factory *HandlerFactory) error
}

Provider encapsulates all the parameters necessary for implementing a cloud provider's Metadata Service backed by Vault.
