Documentation
¶
Overview ¶
Package agentcrypto provides various cryptography related utility functions and a module for mds mtls setup.
Index ¶
Constants ¶
View Source
const ( // MTLSSchedulerID is the identifier used by job scheduler. MTLSSchedulerID = "MTLS_MDS_Credential_Boostrapper" // MTLSScheduleInterval is interval at which credential bootstrapper runs. MTLSScheduleInterval = 48 * time.Hour )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CredsJob ¶
type CredsJob struct {
// contains filtered or unexported fields
}
CredsJob implements job scheduler interface for generating/rotating credentials.
func (*CredsJob) Run ¶
Run generates the required credentials for MTLS MDS workflow.
- Fetches, verifies and writes Root CA cert from UEFI variable to /run/google-mds-mtls/root.crt
- Fetches encrypted client credentials from MDS, decrypts it via vTPM and writes it to /run/google-mds-mtls/client.key
Note that these credentials are at `C:\Program Files\Google\Compute Engine\certs\mds` on Windows. Additionally agent also generates a PFX file on windows that can be used invoking HTTPS endpoint.
Example usage of these credentials to call HTTPS endpoint of MDS:
curl --cacert /run/google-mds-mtls/root.crt \ -E /run/google-mds-mtls/client.key -H "MetadataFlavor: Google" \ https://169.254.169.254
Windows example:
$cert = Get-PfxCertificate \ -FilePath "C:\ProgramData\Google\Compute Engine\mds-mtls-client.key.pfx"
or
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object \
{ $_.Issuer -like "*google.internal*" }
Invoke-RestMethod -Uri https://169.254.169.254 -Method Get \
-Headers @{"Metadata-Flavor"="Google"} -Certificate $cert
Source Files
Click to show internal directories.
Click to hide internal directories.