Documentation
Overview
Package agentcrypto provides various cryptography related utility functions for Guest Agent.
Index
Constants
    const (
        // MTLSSchedulerID is the identifier used by the job scheduler.
        MTLSSchedulerID = "MTLS_MDS_Credential_Boostrapper"
        // MTLSScheduleInterval is the interval at which the credential bootstrapper runs.
        MTLSScheduleInterval = 48 * time.Hour
    )
Variables
This section is empty.
Functions
This section is empty.
Types
type CredsJob
    type CredsJob struct {
        // contains filtered or unexported fields
    }
CredsJob implements job scheduler interface for generating/rotating credentials.
func (*CredsJob) Run
Run generates the required credentials for the MTLS MDS workflow:
1. Fetches, verifies and writes the Root CA cert from the UEFI variable to /run/google-mds-mtls/root.crt
2. Fetches the encrypted client credentials from MDS, decrypts them via the vTPM and writes them to /run/google-mds-mtls/client.key
Note that on Windows these credentials are at `C:\Program Files\Google\Compute Engine\certs\mds`. Additionally, on Windows the agent also generates a PFX file that can be used to invoke the HTTPS endpoint.
Example usage of these credentials to call HTTPS endpoint of MDS:
    curl --cacert /run/google-mds-mtls/root.crt -E /run/google-mds-mtls/client.key -H "Metadata-Flavor: Google" https://169.254.169.254
Windows example:
    $cert = Get-PfxCertificate -FilePath "C:\ProgramData\Google\Compute Engine\mds-mtls-client.key.pfx"
    # or
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*google.internal*" }
    Invoke-RestMethod -Uri https://169.254.169.254 -Method Get -Headers @{"Metadata-Flavor"="Google"} -Certificate $cert