Constants

const (
	// DefaultTokenExpiry is the default token expiry, expressed in seconds
	// (8 * 60 * 60 = 28800, i.e. 8 hours). Note that the certificate expiry
	// fields in Config/ConfigRole are documented in minutes, so the two
	// units must not be mixed when applying defaults.
	DefaultTokenExpiry = 8 * 60 * 60

	// DefaultThreshold is the default number of days before expiry at which
	// certificates are considered due for a refresh check (see
	// Options.Threshold / Options.SshThreshold).
	DefaultThreshold float64 = 15
)


Functions

func GetAccountId

func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)

func GetRunsAsUidGid added in v1.10.52

func GetRunsAsUidGid(opts *Options) (int, int)

GetRunsAsUidGid returns the uid/gid that the tool should continue to run as, based on the configured setup. For example, if all services have been configured with the same uid/gid for their keys and certs, the tool can drop its access from root to that user. If multiple users are defined, the return values are -1/-1 (there is no single user to drop privileges to).

func GetSvcNames

func GetSvcNames(svcs []Service) string

GetSvcNames returns comma separated list of service names

func InitCredsConfig

func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)

func InitEnvConfig

func InitEnvConfig(config *Config) (*Config, *ConfigAccount, error)

func InitFileConfig

func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string) (*Config, *ConfigAccount, error)

func InitProfileConfig

func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)

Types

type AccessProfileConfig added in v1.11.9

// AccessProfileConfig holds the access profile used for access-token
// requests. It is loaded from a file or from the environment by
// InitAccessProfileFileConfig / InitAccessProfileEnvConfig and passed to
// NewOptions, which exposes the value as Options.Profile.
type AccessProfileConfig struct {
	Profile string `json:"profile,omitempty"` // access profile name (NOTE(review): the earlier "map of role name to token attributes" wording described Config.AccessTokens, not this string)
}

func InitAccessProfileEnvConfig added in v1.11.9

func InitAccessProfileEnvConfig() (*AccessProfileConfig, error)

func InitAccessProfileFileConfig added in v1.11.9

func InitAccessProfileFileConfig(fileName string) (*AccessProfileConfig, error)

type Config

// Config represents the entire sia_config file as decoded from JSON.
//
// Several fields are security sensitive rather than merely operational:
// User/Group and the Sia*Dir paths decide who can read private keys,
// SDSUdsUid decides which local peer may use the agent's UDS endpoint,
// and DropPrivileges/FileDirectUpdate change how the agent handles root
// and on-disk key material. Review changes to those with that in mind.
type Config struct {
	Version          string                   `json:"version,omitempty"`            // version string; the previous note called this "name of the provider" while ConfigAccount.Version calls it the sia version number — TODO confirm which
	Service          string                   `json:"service,omitempty"`            // name of the service for the identity
	Services         map[string]ConfigService `json:"services,omitempty"`           // per-service settings when the host carries several identities, keyed by service name
	Ssh              *bool                    `json:"ssh,omitempty"`                // ssh certificate support; a pointer so that "not set" can be told apart from false
	SshHostKeyType   hostkey.KeyType          `json:"ssh_host_key_type,omitempty"`  // ssh host key type - rsa, ecdsa, etc
	SanDnsWildcard   bool                     `json:"sandns_wildcard,omitempty"`    // request a wildcard SAN DNS entry; this widens the set of names the cert is valid for, so enable deliberately
	SanDnsHostname   bool                     `json:"sandns_hostname,omitempty"`    // san dns hostname support
	UseRegionalSTS   bool                     `json:"regionalsts,omitempty"`        // whether to use a regional STS endpoint (default is false)
	Accounts         []ConfigAccount          `json:"accounts,omitempty"`           // array of configured accounts
	GenerateRoleKey  bool                     `json:"generate_role_key,omitempty"`  // generate a separate private key for role certificates
	RotateKey        bool                     `json:"rotate_key,omitempty"`         // rotate the private key when certificates are refreshed
	User             string                   `json:"user,omitempty"`               // the username to chown the cert/key dirs to. If absent, then root
	Group            string                   `json:"group,omitempty"`              // the group name to chown the cert/key dirs to. If absent, then athenz
	SDSUdsPath       string                   `json:"sds_uds_path,omitempty"`       // uds path if the agent should support uds connections
	SDSUdsUid        int                      `json:"sds_uds_uid,omitempty"`        // uds connections must be from the given user uid. NOTE(review): with omitempty a 0 here is indistinguishable from root's uid 0 — confirm how the agent treats an unset value
	ExpiryTime       int                      `json:"expiry_time,omitempty"`        // service and role certificate expiry in minutes
	RefreshInterval  int                      `json:"refresh_interval,omitempty"`   // specifies refresh interval in minutes
	ZTSRegion        string                   `json:"zts_region,omitempty"`         // specifies zts region for the requests
	DropPrivileges   bool                     `json:"drop_privileges,omitempty"`    // drop privileges to the configured user instead of running as root; see GetRunsAsUidGid, which returns -1/-1 when no single uid/gid can be chosen
	AccessTokens     map[string]ac.Role       `json:"access_tokens,omitempty"`      // map of role name to token attributes
	FileDirectUpdate bool                     `json:"file_direct_update,omitempty"` // update key/cert files in place instead of using rename; an in-place write is not atomic, so a concurrent reader can observe a partially written key or cert
	SiaKeyDir        string                   `json:"sia_key_dir,omitempty"`        // sia keys directory to override /var/lib/sia/keys
	SiaCertDir       string                   `json:"sia_cert_dir,omitempty"`       // sia certs directory to override /var/lib/sia/certs
	SiaTokenDir      string                   `json:"sia_token_dir,omitempty"`      // sia tokens directory to override /var/lib/sia/tokens
	SiaBackupDir     string                   `json:"sia_backup_dir,omitempty"`     // sia backup directory to override /var/lib/sia/backup (holds rotated-out keys, so it needs the same protection as the keys directory)
	HostnameSuffix   string                   `json:"hostname_suffix,omitempty"`    // hostname suffix in case we need to auto-generate hostname
}

Config represents the entire sia_config file.

type ConfigAccount

// ConfigAccount represents one of the accounts that can be listed in the
// config file (Config.Accounts): which identity to obtain, which ZTS to
// obtain it from, which role certificates to fetch, and who owns the
// resulting key and cert files on disk.
type ConfigAccount struct {
	Name         string                `json:"name,omitempty"`                       // name of the service identity
	User         string                `json:"user,omitempty"`                       // the username to chown the cert/key dirs to. If absent, then root.
	Group        string                `json:"group,omitempty"`                      // the group name to chown the cert/key dirs to. If absent, then athenz.
	Domain       string                `json:"domain,omitempty"`                     // name of the domain for the identity
	Account      string                `json:"account,omitempty"`                    // name of the account
	Service      string                `json:"service,omitempty"`                    // name of the service for the identity
	Zts          string                `json:"zts,omitempty"`                        // the ZTS to contact; TLS trust for it is governed by Options.ZTSCACertFile / Options.ZTSServerName
	Roles        map[string]ConfigRole `json:"roles,omitempty"`                      // map of role name to the role certificate settings to retrieve
	Version      string                `json:"version,omitempty"`                    // sia version number
	Threshold    float64               `json:"cert_threshold_to_check,omitempty"`    // threshold in days used for expiry checks on all certs (presumably DefaultThreshold applies when 0 — confirm in NewOptions)
	SshThreshold float64               `json:"sshcert_threshold_to_check,omitempty"` // threshold in days used for expiry checks on ssh certs
}

ConfigAccount represents one of the accounts that can be specified in the config file.

type ConfigRole

// ConfigRole holds the user-specified settings for one role certificate:
// where to write it, how long it should be valid, and who owns the files.
type ConfigRole struct {
	Filename   string  `json:"filename,omitempty"`    // filename for the generated role certificate file
	ExpiryTime int     `json:"expiry_time,omitempty"` // requested expiry time for the role certificate (presumably minutes, as for Config.ExpiryTime — confirm)
	Service    string  `json:"service,omitempty"`     // principal with role access
	User       string  `json:"user,omitempty"`        // user owner on the role identity key
	Group      string  `json:"group,omitempty"`       // group owner on the role identity key
	Threshold  float64 `json:"cert_threshold_to_check,omitempty"` // threshold in days for expiry checks on this role cert; presumably overrides the account-level Threshold when set — confirm
}

ConfigRole represents a role specified by the user, together with the attributes configured for that role.

type ConfigService

// ConfigService holds the user-specified settings for one service identity
// when a host carries several (Config.Services): key/cert file names, file
// ownership, expiry, and the UDS/SDS peer settings for that service.
type ConfigService struct {
	KeyFilename    string  `json:"key_filename,omitempty"`    // filename for the service private key
	CertFilename   string  `json:"cert_filename,omitempty"`   // filename for the service x.509 certificate
	User           string  `json:"user,omitempty"`            // user owner for the service key/cert files
	Group          string  `json:"group,omitempty"`           // group owner for the service key/cert files
	ExpiryTime     int     `json:"expiry_time,omitempty"`     // certificate expiry (presumably minutes, as for Config.ExpiryTime — confirm)
	SDSUdsUid      int     `json:"sds_uds_uid,omitempty"`     // uds connections for this service must be from the given uid (see Config.SDSUdsUid for the uid-0/unset caveat)
	SDSNodeId      string  `json:"sds_node_id,omitempty"`     // SDS node id; how it is matched against a connecting client is not visible in this package
	SDSNodeCluster string  `json:"sds_node_cluster,omitempty"` // SDS node cluster; same caveat as SDSNodeId
	Threshold      float64 `json:"cert_threshold_to_check,omitempty"` // threshold in days for expiry checks on this service cert
}

ConfigService represents a service specified by the user, together with its User/Group and other per-service attributes.

type Options

// Options holds the effective settings the agent runs with: the values from
// the sia_config file (Config / ConfigAccount / AccessProfileConfig) merged
// with application defaults by NewOptions.
//
// Some fields are security boundaries rather than plain settings: the CA
// bundle and server name used to trust ZTS (ZTSCACertFile, ZTSServerName),
// the uid allowed on the UDS socket (SDSUdsUid), the owners and directories
// of private keys (User, Group, KeyDir, BackupDir), and the EC2 identity
// document and signature used as attestation (EC2Document, EC2Signature).
type Options struct {
	Provider           provider.Provider //provider instance (its contract is defined outside this package)
	Name               string            //name of the service identity
	User               string            //the username to chown the cert/key dirs to. If absent, then root
	Group              string            //the group name to chown the cert/key dirs to. If absent, then athenz
	Domain             string            //name of the domain for the identity
	Account            string            //name of the account
	Service            string            //name of the service for the identity
	Zts                string            //the ZTS to contact; TLS trust for it comes from ZTSCACertFile / ZTSServerName below
	InstanceId         string            //instance id if ec2, task id if running within eks/ecs
	Roles              []Role            //roles to retrieve certificates for (a slice here; the keyed form is ConfigAccount.Roles)
	Region             string            //region name
	SanDnsWildcard     bool              //request a wildcard SAN DNS entry; widens the set of names the cert is valid for
	SanDnsHostname     bool              //san dns hostname support
	Version            string            //sia version number
	ZTSDomains         []string          //zts domain prefixes
	Services           []Service         //array of configured services
	Ssh                bool              //ssh certificate support
	UseRegionalSTS     bool              //use regional sts endpoint
	KeyDir             string            //private key directory path
	CertDir            string            //x.509 certificate directory path
	AthenzCACertFile   string            //filename to store Athenz CA certs
	ZTSCACertFile      string            //filename for CA certs when communicating with ZTS; this is the trust anchor for that connection, so the file must not be writable by untrusted users
	ZTSServerName      string            //ZTS server name, if necessary for tls (presumably used for SNI / hostname verification — confirm)
	ZTSAWSDomains      []string          //list of domain prefixes for sanDNS entries
	GenerateRoleKey    bool              //option to generate a separate key for role certificates
	RotateKey          bool              //rotate the private key when refreshing certificates
	BackupDir          string            //backup directory for key/cert rotation; it holds previous private keys and needs the same protection as KeyDir
	CertCountryName    string            //generated x.509 certificate country name
	CertOrgName        string            //generated x.509 certificate organization name
	SshPubKeyFile      string            //ssh host public key file path
	SshCertFile        string            //ssh host certificate file path
	SshConfigFile      string            //sshd config file path
	PrivateIp          string            //instance private ip
	EC2Document        string            //EC2 instance identity document
	EC2Signature       string            //EC2 instance identity document pkcs7 signature; with EC2Document this is the attestation presented to ZTS (presumably verified server-side, not in this package)
	EC2StartTime       *time.Time        //EC2 instance start time (pointer, presumably nil when not known)
	InstanceIdSanDNS   bool              //include instance id in a san dns entry (backward compatible option)
	RolePrincipalEmail bool              //include role principal in a san email field (backward compatible option)
	SDSUdsPath         string            //UDS path if the agent should support uds connections
	SDSUdsUid          int               //UDS connections must be from the given user uid. NOTE(review): 0 is also root's uid — confirm how an unset value is treated
	RefreshInterval    int               //refresh interval for certificates - default 24 hours; Config.RefreshInterval is in minutes, confirm the unit used here
	ZTSRegion          string            //ZTS region in case the client needs this information
	DropPrivileges     bool              //Drop privileges to configured user instead of running as root; see GetRunsAsUidGid, which returns -1/-1 when no single uid/gid can be chosen
	TokenDir           string            //Access tokens directory
	AccessTokens       []ac.AccessToken  //Access tokens object
	Profile            string            //Access profile name
	Threshold          float64           //threshold in number of days for cert expiry checks (presumably DefaultThreshold when not configured — confirm)
	SshThreshold       float64           //threshold in number of days for ssh cert expiry checks
	FileDirectUpdate   bool              //update key/cert files directly instead of using rename; an in-place write is not atomic, so a reader can observe a partially written file
	HostnameSuffix     string            //hostname suffix in case we need to auto-generate hostname
}

Options represents the effective settings derived from the config file and application defaults.

func NewOptions

func NewOptions(config *Config, configAccount *ConfigAccount, profileConfig *AccessProfileConfig, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)

type Role

// Role contains the resolved details of one role certificate to fetch.
// Attributes are set from the config values (ConfigRole) plus defaults.
type Role struct {
	Name            string  // role name
	Service         string  // principal (service) with access to the role; see ConfigRole.Service
	SvcKeyFilename  string  // service private key file (presumably the key used to request the role cert unless a separate role key is generated — confirm)
	SvcCertFilename string  // service certificate file (presumably used to authenticate to ZTS for the role cert request — confirm)
	ExpiryTime      int     // requested expiry for the role certificate (unit presumably minutes, as for Config.ExpiryTime)
	Filename        string  // filename for the generated role certificate file
	User            string  // user owner on the role identity key
	Uid             int     // numeric uid the files are chowned to (presumably resolved from User)
	Gid             int     // numeric gid the files are chowned to (presumably resolved from the owning group)
	FileMode        int     // permission bits for the written files — presumably; anything beyond owner-read on a key file exposes the private key, so confirm the default the caller uses
	Threshold       float64 // threshold in days for expiry checks on this role cert
}

Role contains the resolved details of one role certificate. Its attributes are set from the config values.

type Service

// Service represents the resolved details of one service identity.
// Attributes are filled in from the config values (ConfigService) plus defaults.
type Service struct {
	Name           string  // service name
	KeyFilename    string  // private key file for this service
	CertFilename   string  // x.509 certificate file for this service
	User           string  // user owner for the key/cert files
	Group          string  // group owner for the key/cert files
	Uid            int     // numeric uid the files are chowned to (presumably resolved from User)
	Gid            int     // numeric gid the files are chowned to (presumably resolved from Group)
	FileMode       int     // permission bits for the written files — presumably; anything beyond owner-read on the key file exposes the private key, so confirm the default
	ExpiryTime     int     // certificate expiry (unit presumably minutes, as for Config.ExpiryTime)
	SDSUdsUid      int     // uid that UDS connections for this service must come from (see Options.SDSUdsUid for the uid-0/unset caveat)
	SDSNodeId      string  // SDS node id; how it is matched against a connecting client is not visible in this package
	SDSNodeCluster string  // SDS node cluster; same caveat as SDSNodeId
	Threshold      float64 // threshold in days for expiry checks on this service cert
}

Service represents the resolved details of one service identity. Its attributes are filled in from the config values.
