options

package
Published: Nov 17, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetAccountId

func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)

func GetRunsAsUidGid added in v1.10.52

func GetRunsAsUidGid(opts *Options) (int, int)

GetRunsAsUidGid returns the uid/gid that the tool should continue to run as, based on the configured setup. For example, if all services have been configured with the same uid/gid for their keys and certs, the tool can drop its access from root to that user. If multiple distinct users are defined, the return values are -1/-1 (i.e. no single user to drop to; the caller must decide whether to stay privileged).

func GetSvcNames

func GetSvcNames(svcs []Service) string

GetSvcNames returns comma separated list of service names

func InitEnvConfig

func InitEnvConfig(config *Config) (*Config, *ConfigAccount, error)

func InitFileConfig

func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string) (*Config, *ConfigAccount, error)

Types

type Config

// Config represents the entire sia_config file as decoded from JSON.
//
// Security-relevant knobs: User/Group decide who will own the key/cert
// directories (root/athenz when absent), KeepPrivileges stops the tool from
// dropping root, and SDSUdsUid restricts which uid may connect over the SDS
// unix socket. The code that enforces these settings is not on this page.
type Config struct {
	// NOTE(review): the original trailing comment read "name of the provider",
	// which matches Options.Provider rather than a version field; compare
	// ConfigAccount.Version ("sia version number"). Confirm the intent.
	Version         string                   `json:"version,omitempty"`           //sia version number (see note above)
	Service         string                   `json:"service,omitempty"`           //name of the service for the identity
	Services        map[string]ConfigService `json:"services,omitempty"`          //names of the multiple services for the identity
	// *bool rather than bool so that an absent "ssh" key can be told apart from
	// an explicit false (presumably used when deriving Options.Ssh — confirm).
	Ssh             *bool                    `json:"ssh,omitempty"`               //ssh certificate support
	SanDnsWildcard  bool                     `json:"sandns_wildcard,omitempty"`   //san dns wildcard support; a wildcard SAN widens what the issued certificate is valid for
	UseRegionalSTS  bool                     `json:"regionalsts,omitempty"`       //whether to use a regional STS endpoint (default is false)
	Accounts        []ConfigAccount          `json:"accounts,omitempty"`          //array of configured accounts
	GenerateRoleKey bool                     `json:"generate_role_key,omitempty"` //private key to be generated for role certificate
	RotateKey       bool                     `json:"rotate_key,omitempty"`        //rotate private key support
	User            string                   `json:"user,omitempty"`              //the user name to chown the cert/key dirs to. If absent, then root
	Group           string                   `json:"group,omitempty"`             //the group name to chown the cert/key dirs to. If absent, then athenz
	SDSUdsPath      string                   `json:"sds_uds_path,omitempty"`      //uds path if the agent should support uds connections
	// Because the field is an int with omitempty, uid 0 is indistinguishable
	// from "not set" — NOTE(review): confirm how 0 is treated by the UDS peer check.
	SDSUdsUid       int                      `json:"sds_uds_uid,omitempty"`       //uds connections must be from the given user uid
	ExpiryTime      int                      `json:"expiry_time,omitempty"`       //service and role certificate expiry in minutes
	RefreshInterval int                      `json:"refresh_interval,omitempty"`  //specifies refresh interval in minutes
	ZTSRegion       string                   `json:"zts_region,omitempty"`        //specifies zts region for the requests
	// Opting out of privilege dropping keeps all key handling running as root;
	// leave unset unless there is a specific need (see GetRunsAsUidGid).
	KeepPrivileges  bool                     `json:"keep_privileges,omitempty"`   //keep privileges as root instead of dropping to configured user
}

Config represents the entire sia_config file.

type ConfigAccount

// ConfigAccount represents each of the accounts that can be specified in the
// config file. User/Group here carry the same root/athenz defaults as the
// top-level Config fields; presumably the per-account values take precedence
// when both are set (not shown on this page — confirm in NewOptions).
type ConfigAccount struct {
	Name     string                `json:"name,omitempty"`     //name of the service identity
	User     string                `json:"user,omitempty"`     //the username to chown the cert/key dirs to. If absent, then root.
	Group    string                `json:"group,omitempty"`    //the group name to chown the cert/key dirs to. If absent, then athenz.
	Domain   string                `json:"domain,omitempty"`   //name of the domain for the identity
	Account  string                `json:"account,omitempty"`  //name of the account
	Service  string                `json:"service,omitempty"`  //name of the service for the identity
	// The trust anchor and expected server name for this endpoint live in
	// Options.ZTSCACertFile / Options.ZTSServerName, not here.
	Zts      string                `json:"zts,omitempty"`      //the ZTS to contact
	Filename string                `json:"filename,omitempty"` //filename to put the service certificate
	Roles    map[string]ConfigRole `json:"roles,omitempty"`    //map of roles to retrieve certificates for (presumably keyed by role name); each value gives the output file and expiry
	Version  string                `json:"version,omitempty"`  //sia version number
}

ConfigAccount represents each of the accounts that can be specified in the config file

func InitCredsConfig

func InitCredsConfig(roleSuffix string, useRegionalSTS bool, region string) (*ConfigAccount, error)

func InitProfileConfig

func InitProfileConfig(metaEndPoint, roleSuffix string) (*ConfigAccount, error)

type ConfigRole

// ConfigRole represents a role specified by the user, together with the
// per-role attributes. It is the value type of ConfigAccount.Roles and
// Options.Roles.
type ConfigRole struct {
	Filename   string `json:"filename,omitempty"`    // file the role certificate is written to (cf. ConfigAccount.Filename for the service certificate)
	ExpiryTime int    `json:"expiry_time,omitempty"` // role certificate expiry, presumably in minutes like Config.ExpiryTime; 0 and absent are indistinguishable because of omitempty
}

ConfigRole represents a role specified by the user, together with the attributes for that role.

type ConfigService

// ConfigService represents a service specified by the user, with the
// User/Group and other per-service attributes. It is the value type of
// Config.Services. Fields mirror the same-named top-level Config fields;
// presumably the per-service value wins when both are set — confirm in
// NewOptions, which is not shown here.
type ConfigService struct {
	Filename       string `json:"filename,omitempty"`         // filename to put the service certificate (cf. ConfigAccount.Filename)
	User           string `json:"user,omitempty"`             // user name to chown this service's cert/key files to (cf. Config.User)
	Group          string `json:"group,omitempty"`            // group name to chown this service's cert/key files to (cf. Config.Group)
	ExpiryTime     int    `json:"expiry_time,omitempty"`      // service certificate expiry in minutes (cf. Config.ExpiryTime)
	SDSUdsUid      int    `json:"sds_uds_uid,omitempty"`      // uds connections must be from this uid (cf. Config.SDSUdsUid); uid 0 reads as unset because of omitempty
	SDSNodeId      string `json:"sds_node_id,omitempty"`      // SDS node id — semantics not shown on this page
	SDSNodeCluster string `json:"sds_node_cluster,omitempty"` // SDS node cluster — semantics not shown on this page
}

ConfigService represents a service specified by the user, together with the User/Group attributes for that service.

type Options

// Options represents settings that are derived from the config file and
// application defaults (see NewOptions). Unlike Config, the values here are
// already resolved: Ssh is a plain bool, Services is a slice of Service with
// uid/gid filled in, and the ZTS TLS trust settings are explicit fields.
type Options struct {
	Provider           string                //name of the provider
	Name               string                //name of the service identity
	User               string                //the user name to chown the cert/key dirs to. If absent, then root
	Group              string                //the group name to chown the cert/key dirs to. If absent, then athenz
	Domain             string                //name of the domain for the identity
	Account            string                //name of the account
	Service            string                //name of the service for the identity
	Zta                string                //the ZTS to contact
	Filename           string                //filename to put the service certificate
	InstanceId         string                //instance id if ec2, task id if running within eks/ecs
	Roles              map[string]ConfigRole //map of roles to retrieve certificates for
	Region             string                //region name
	SanDnsWildcard     bool                  //san dns wildcard support (widens what the certificate is valid for)
	Version            string                //sia version number
	ZTSDomains         []string              //zts domain prefixes
	Services           []Service             //array of configured services
	Ssh                bool                  //ssh certificate support
	UseRegionalSTS     bool                  //use regional sts endpoint
	KeyDir             string                //private key directory path
	CertDir            string                //x.509 certificate directory path
	AthenzCACertFile   string                //filename to store Athenz CA certs
	// ZTSCACertFile is the trust anchor for the ZTS connection; ZTSServerName
	// is presumably the name the ZTS certificate is checked against — confirm
	// in the TLS client setup, which is not on this page.
	ZTSCACertFile      string                //filename for CA certs when communicating with ZTS
	ZTSServerName      string                //ZTS server name, if necessary for tls
	ZTSAWSDomains      []string              //list of domain prefixes for sanDNS entries
	GenerateRoleKey    bool                  //option to generate a separate key for role certificates
	RotateKey          bool                  //rotate the private key when refreshing certificates
	// Rotation presumably leaves copies of previous keys here; the directory
	// should be owned and permissioned like KeyDir — confirm against the writer.
	BackUpDir          string                //backup directory for key/cert rotation
	CertCountryName    string                //generated x.509 certificate country name
	CertOrgName        string                //generated x.509 certificate organization name
	SshPubKeyFile      string                //ssh host public key file path
	SshCertFile        string                //ssh host certificate file path
	SshConfigFile      string                //sshd config file path
	PrivateIp          string                //instance private ip
	// NOTE(review): the identity document is only trustworthy once its PKCS7
	// signature has been verified against the AWS signing certificate; that
	// verification happens elsewhere (not shown here) — confirm it is done
	// before either value is used for attestation.
	EC2Document        string                //EC2 instance identity document
	EC2Signature       string                //EC2 instance identity document pkcs7 signature
	EC2StartTime       *time.Time            //EC2 instance start time
	InstanceIdSanDNS   bool                  //include instance id in a san dns entry (backward compatible option)
	RolePrincipalEmail bool                  //include role principal in a san email field (backward compatible option)
	SDSUdsPath         string                //UDS path if the agent should support uds connections
	SDSUdsUid          int                   //UDS connections must be from the given user uid (0 may read as unset — see Config.SDSUdsUid)
	RefreshInterval    int                   //refresh interval for certificates - default 24 hours
	ZTSRegion          string                //ZTS region in case the client needs this information
	// Keeps all key handling as root instead of dropping to the uid/gid
	// returned by GetRunsAsUidGid; leave unset unless specifically required.
	KeepPrivileges     bool                  //Keep privileges as root instead of dropping to configured user
}

Options represents settings that are derived from config file and application defaults

func NewOptions

func NewOptions(config *Config, configAccount *ConfigAccount, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)

type Role

// Role contains role details. Attributes are set based on the config values
// (ConfigRole plus the surrounding account/service settings); the resolution
// from names to uid/gid/mode is not shown on this page.
type Role struct {
	Name     string // role name
	Service  string // service the role certificate is requested for (presumably the owning Service.Name — confirm)
	Filename string // file the role certificate is written to
	User     string // user name that should own the role cert file
	Uid      int    // numeric uid, presumably resolved from User
	Gid      int    // numeric gid
	FileMode int    // permission bits applied to the written file
}

Role contains role details. Attributes are set based on the config values

type Service

// Service represents service details. Attributes are filled in based on the
// config values (ConfigService and the top-level Config/ConfigAccount
// defaults). The Uid/Gid of every Service are what GetRunsAsUidGid compares:
// when they all agree, the tool can drop from root to that user.
type Service struct {
	Name           string // service name (joined by GetSvcNames)
	Filename       string // file the service certificate is written to
	User           string // user name that should own the cert/key files (root when absent per Config.User)
	Group          string // group name that should own the cert/key files (athenz when absent per Config.Group)
	Uid            int    // numeric uid, presumably resolved from User
	Gid            int    // numeric gid, presumably resolved from Group
	FileMode       int    // permission bits applied to the written files
	ExpiryTime     int    // service certificate expiry in minutes (cf. Config.ExpiryTime)
	SDSUdsUid      int    // uid that UDS connections for this service must come from
	SDSNodeId      string // SDS node id — semantics not shown on this page
	SDSNodeCluster string // SDS node cluster — semantics not shown on this page
}

Service represents service details. Attributes are filled in based on the config values
