Documentation ¶
Constants ¶
const (
	// MetadataURL is used if the JSON config file does not override it.
	MetadataURL = "http://169.254.169.254"

	// RoleLabelKey identifies the docker metadata string that holds a role alias.
	// The alias corresponds to the alias-to-ARN mapping in the JSON config file.
	RoleLabelKey = "ec2metaproxy.RoleAlias"

	// PolicyLabelKey identifies the docker metadata string that holds a JSON IAM
	// policy used in the AssumeRole operation.
	PolicyLabelKey = "ec2metaproxy.Policy"
)
Variables ¶
This section is empty.
Functions ¶
func RequestID ¶
RequestID is a middleware that injects a request ID into the context of each request. A request ID is a string of the form "host.example.com/random-0001", where "random" is a base62 random string that uniquely identifies this Go process, and the trailing number is an atomically incremented per-process request counter.
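The middleware described above, written out as an added example rather than the project's own code: a per-process base62 tag drawn from crypto/rand is combined with an atomic counter, the ID is stored in the request context under a private key, and echoed in an X-Request-ID header. The page does not show RequestID's signature, so the IDer type, the header name and the 8-character tag length are this example's choices.

```go
package main

import (
	"context"
	"crypto/rand"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sync/atomic"
)

// ctxKey is unexported so no other package can read or overwrite the ID by accident.
type ctxKey struct{}

const base62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// randomBase62 draws n characters from crypto/rand via rand.Int, which returns a
// uniform value below the modulus, so the process tag is unpredictable across restarts.
func randomBase62(n int) (string, error) {
	out := make([]byte, n)
	mod := big.NewInt(int64(len(base62)))
	for i := range out {
		v, err := rand.Int(rand.Reader, mod)
		if err != nil {
			return "", err
		}
		out[i] = base62[v.Int64()]
	}
	return string(out), nil
}

// IDer holds the per-process "host/random-" prefix and the request counter
// (example type; the page does not show how the project stores this state).
type IDer struct {
	prefix  string
	counter uint64
}

// NewIDer computes the prefix once; every ID this process issues shares it.
func NewIDer(host string) (*IDer, error) {
	tag, err := randomBase62(8)
	if err != nil {
		return nil, err
	}
	return &IDer{prefix: host + "/" + tag + "-"}, nil
}

// Next is safe for concurrent handlers: AddUint64 is the only shared write.
func (g *IDer) Next() string {
	return fmt.Sprintf("%s%04d", g.prefix, atomic.AddUint64(&g.counter, 1))
}

// Middleware stores the ID in the request context and echoes it in a response
// header so a container operator can quote it against the proxy's logs.
func (g *IDer) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := g.Next()
		w.Header().Set("X-Request-ID", id)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, id)))
	})
}

// FromContext returns the ID, or "" when the middleware was not in the chain.
func FromContext(ctx context.Context) string {
	id, _ := ctx.Value(ctxKey{}).(string)
	return id
}

var idPattern = regexp.MustCompile(`^[^/\s]+/[0-9A-Za-z]{8}-[0-9]{4,}$`)

// ValidID reports whether s has the documented "host.example.com/random-0001" shape.
func ValidID(s string) bool { return idPattern.MatchString(s) }

func main() {
	g, err := NewIDer("host.example.com")
	if err != nil {
		panic(err)
	}
	h := g.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "handled", FromContext(r.Context()))
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/latest/meta-data/", nil))
	fmt.Print(rec.Header().Get("X-Request-ID"), " ", rec.Body.String())
}
```

The counter is per process, so IDs are only unique together with the random tag; two proxy instances behind the same hostname are told apart by the tag, not by the counter.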
Types ¶
type Config ¶
type Config struct {
	// AliasToARN maps human-friendly names to IAM ARNs.
	AliasToARN map[string]string `json:"aliasToARN"`

	// DefaultAlias is an AliasToARN key that selects the default role for containers whose
	// metadata does not specify one.
	DefaultAlias string `json:"defaultAlias"`

	// DefaultPolicy restricts the effective role's permissions to the intersection of
	// the role's policy and this JSON policy.
	DefaultPolicy string `json:"defaultPolicy"`

	// DockerHost is a valid DOCKER_HOST string.
	DockerHost string `json:"dockerHost"`

	// ListenAddr is a TCP network address.
	ListenAddr string `json:"listen"`

	// Verbose enables request/response logging to standard out.
	Verbose bool
}
Config describes the JSON config file selected via the `-config` flag.
func NewConfigFromFlag ¶
NewConfigFromFlag constructs a new Config from the JSON file named by the `-config` CLI flag. It also validates the unmarshaled Config fields.
type ContainerInfo ¶
ContainerInfo can identify a specific container and its IAM role/policy.
type ContainerService ¶
type ContainerService interface {
	ContainerForIP(ctx context.Context, containerIP string) (ContainerInfo, error)
	TypeName() string
}
ContainerService implementations provide ContainerInfo.
type DockerContainerService ¶
type DockerContainerService struct {
// contains filtered or unexported fields
}
DockerContainerService queries the Docker daemon and maintains a mapping of IPs to container details.
func NewDockerContainerService ¶
func NewDockerContainerService(config Config, logger *log.Logger) (*DockerContainerService, error)
NewDockerContainerService creates a Docker specific ContainerService implementation.
func (*DockerContainerService) ContainerForIP ¶
func (d *DockerContainerService) ContainerForIP(ctx context.Context, containerIP string) (ContainerInfo, error)
ContainerForIP implements a ContainerService method.
If a ContainerInfo keyed by the container IP exists in the cache, it is returned. Otherwise syncContainer is used to collect fresh ContainerInfo from the Docker API.
func (*DockerContainerService) TypeName ¶
func (d *DockerContainerService) TypeName() string
TypeName implements a ContainerService method.
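An in-memory ContainerService implementation with the IP-keyed cache described above, as an added example and not the project's DockerContainerService: the backing API is abstracted behind a `lister` function and fed constructed sample data, so it runs offline. Container IPs are recycled as containers stop and start, so a cache keyed only by IP has to be refreshed; this example expires entries after a TTL, which is its own choice, since the page does not document how the project refreshes its mapping. The ContainerInfo field names are also assumptions, the real type's fields being unexported.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Label keys as documented in the proxy package's constants.
const (
	RoleLabelKey   = "ec2metaproxy.RoleAlias"
	PolicyLabelKey = "ec2metaproxy.Policy"
)

// ContainerInfo stands in for the proxy package's type, whose fields are
// unexported; these field names are this example's assumptions.
type ContainerInfo struct {
	ID, Name  string
	RoleAlias string // value of the RoleAlias label, "" if absent
	Policy    string // value of the Policy label, "" if absent
}

// ContainerService mirrors the interface documented on the page.
type ContainerService interface {
	ContainerForIP(ctx context.Context, containerIP string) (ContainerInfo, error)
	TypeName() string
}

// container is what this example assumes the backing API (Docker, in the real
// project) reports for a running container; lister abstracts that API.
type container struct {
	ID, Name, IP string
	Labels       map[string]string
}
type lister func(ctx context.Context) ([]container, error)

type cacheEntry struct{ info ContainerInfo; expires time.Time }

// CachedService caches ContainerInfo by IP, but only for ttl: IPs are reused, and
// an entry that never expired would vend the previous container's role to
// whatever starts next on the same address.
type CachedService struct {
	list  lister
	ttl   time.Duration
	now   func() time.Time // injectable clock
	mu    sync.Mutex
	cache map[string]cacheEntry
}

func NewCachedService(list lister, ttl time.Duration) *CachedService {
	return &CachedService{list: list, ttl: ttl, now: time.Now, cache: map[string]cacheEntry{}}
}

func (s *CachedService) TypeName() string { return "cached" }

var ErrUnknownIP = errors.New("no running container has this IP")

// ContainerForIP answers from the cache while the entry is fresh; otherwise it
// resyncs the whole IP map from the backing API first.
func (s *CachedService) ContainerForIP(ctx context.Context, ip string) (ContainerInfo, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if e, ok := s.cache[ip]; ok && s.now().Before(e.expires) {
		return e.info, nil
	}
	cs, err := s.list(ctx)
	if err != nil {
		return ContainerInfo{}, err
	}
	s.cache = make(map[string]cacheEntry, len(cs))
	expires := s.now().Add(s.ttl)
	for _, c := range cs {
		if c.IP == "" { // not attached to a network
			continue
		}
		s.cache[c.IP] = cacheEntry{expires: expires, info: ContainerInfo{
			ID: c.ID, Name: c.Name, RoleAlias: c.Labels[RoleLabelKey], Policy: c.Labels[PolicyLabelKey]}}
	}
	if e, ok := s.cache[ip]; ok {
		return e.info, nil
	}
	return ContainerInfo{}, fmt.Errorf("%w: %s", ErrUnknownIP, ip)
}

// fixture is constructed sample data: two running containers with labels.
func fixture() []container {
	return []container{
		{ID: "a1", Name: "web", IP: "172.17.0.2", Labels: map[string]string{RoleLabelKey: "web"}},
		{ID: "b2", Name: "batch", IP: "172.17.0.3", Labels: map[string]string{
			RoleLabelKey: "batch", PolicyLabelKey: `{"Version":"2012-10-17","Statement":[]}`}},
	}
}

func main() {
	svc := NewCachedService(func(context.Context) ([]container, error) { return fixture(), nil }, time.Minute)
	info, err := svc.ContainerForIP(context.Background(), "172.17.0.3")
	fmt.Printf("%+v %v\n", info, err)
}
```

Unknown IPs are deliberately not cached, so a stream of requests from addresses that belong to no container resyncs on every call; a production implementation would want a short negative cache or rate limit there. Within the TTL a recycled address still returns the previous container's entry, which is the trade-off the TTL length controls.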
type MetadataCredentials ¶
type MetadataCredentials struct {
	Code            string
	LastUpdated     time.Time
	Type            string
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string
	Token           string
	Expiration      time.Time
}
MetadataCredentials is the JSON body returned in credentials HTTP responses. The `json:"AccessKeyId"` tag keeps the key casing used by the real EC2 metadata service, which is what AWS SDK credential providers expect to parse.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy provides the HTTP handlers that respond to container requests and mediates requests to the real upstream metadata service. Mediation also covers mapping containers to the roles identified in their Docker metadata, caching container and credential information, and optional operational logging.
func New ¶
func New(config Config, httpClient http.RoundTripper, stsSvc stsiface.STSAPI, containerSvc ContainerService, logger *log.Logger) (*Proxy, error)
New creates a Proxy instance using the given configuration.
Example ¶
package main

import (
	"log"
	"net/http"
	"os"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"

	"github.com/codeactual/ec2metaproxy/proxy"
)

func main() {
	config, configErr := proxy.NewConfigFromFlag()
	if configErr != nil {
		log.Fatalf("Error reading configuration from flag/file: %+v", configErr)
	}

	logger := log.New(os.Stdout, "ec2metaproxy ", log.LstdFlags|log.LUTC)

	containerSvc, dockerErr := proxy.NewDockerContainerService(config, logger)
	if dockerErr != nil {
		log.Fatalf("Error creating Docker service: %+v", dockerErr)
	}

	p, initErr := proxy.New(config, &http.Transport{}, sts.New(session.New()), containerSvc, logger)
	if initErr != nil {
		log.Fatalf("Error creating proxy: %+v", initErr)
	}

	http.Handle("/", proxy.RequestID(p))
	logger.Fatal(p.Listen())
}
func (*Proxy) HandleCredentials ¶
func (p *Proxy) HandleCredentials(baseURL, apiVersion, subpath string, c *credentialsProvider, w http.ResponseWriter, r *http.Request)
HandleCredentials responds to credentials requests identified in ServeHTTP.
type RoleARN ¶
type RoleARN struct {
// contains filtered or unexported fields
}
RoleARN holds parsed ARN sections.
func NewRoleARN ¶
NewRoleARN creates a new instance by parsing a full ARN string.
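Config validation and ARN parsing, as one added example that covers both the Config type and RoleARN above (not the project's code): it decodes the documented JSON shape with unknown keys rejected, parses every alias target into ARN sections and refuses anything that is not an IAM role ARN, checks that defaultAlias names a known alias, and checks that defaultPolicy is well-formed JSON. The RoleARN field names, the Validate checks and sampleConfig are this example's assumptions; the page says only that NewConfigFromFlag validates the fields, not which checks it applies.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Config copies the struct and JSON tags documented above.
type Config struct {
	AliasToARN    map[string]string `json:"aliasToARN"`
	DefaultAlias  string            `json:"defaultAlias"`
	DefaultPolicy string            `json:"defaultPolicy"`
	DockerHost    string            `json:"dockerHost"`
	ListenAddr    string            `json:"listen"`
	Verbose       bool
}

// RoleARN stands in for the page's RoleARN, whose fields are unexported; these
// names follow the ARN grammar "arn:partition:service:region:account:resource".
type RoleARN struct {
	Partition, Service, Region, AccountID, Resource string
}

// RoleName strips "role/" and any path from the resource section.
func (a RoleARN) RoleName() string { return a.Resource[strings.LastIndex(a.Resource, "/")+1:] }

// ParseRoleARN splits the six colon-separated sections and accepts only IAM role
// ARNs, so a config typo cannot point AssumeRole at a user, a bucket or anything else.
func ParseRoleARN(s string) (RoleARN, error) {
	p := strings.SplitN(s, ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[1] == "" {
		return RoleARN{}, fmt.Errorf("not an ARN: %q", s)
	}
	a := RoleARN{Partition: p[1], Service: p[2], Region: p[3], AccountID: p[4], Resource: p[5]}
	if a.Service != "iam" || a.Region != "" { // IAM is global: the region section is empty
		return RoleARN{}, fmt.Errorf("not an IAM ARN: %q", s)
	}
	if len(a.AccountID) != 12 || strings.Trim(a.AccountID, "0123456789") != "" {
		return RoleARN{}, fmt.Errorf("account ID must be 12 digits: %q", s)
	}
	if !strings.HasPrefix(a.Resource, "role/") || a.RoleName() == "" {
		return RoleARN{}, fmt.Errorf("not a role ARN: %q", s)
	}
	return a, nil
}

// LoadConfig decodes the file contents and validates them. Unknown keys are
// rejected so a misspelled "defaultPolicy" cannot silently leave roles unrestricted.
func LoadConfig(data []byte) (Config, error) {
	var c Config
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&c); err != nil {
		return Config{}, err
	}
	return c, Validate(c)
}

// Validate is this example's set of checks, not the project's. An empty
// DefaultAlias is assumed to mean "no default role".
func Validate(c Config) error {
	if len(c.AliasToARN) == 0 {
		return errors.New("aliasToARN must map at least one alias")
	}
	for alias, arn := range c.AliasToARN {
		if _, err := ParseRoleARN(arn); err != nil {
			return fmt.Errorf("alias %q: %w", alias, err)
		}
	}
	if _, ok := c.AliasToARN[c.DefaultAlias]; c.DefaultAlias != "" && !ok {
		return fmt.Errorf("defaultAlias %q is not a key of aliasToARN", c.DefaultAlias)
	}
	if c.DefaultPolicy != "" && !json.Valid([]byte(c.DefaultPolicy)) {
		return errors.New("defaultPolicy is not valid JSON")
	}
	return nil
}

// sampleConfig is a constructed config file, not one shipped by the project.
const sampleConfig = `{
  "aliasToARN": {
    "web":   "arn:aws:iam::123456789012:role/web-app",
    "batch": "arn:aws:iam::123456789012:role/service-role/nightly-batch"
  },
  "defaultAlias": "web",
  "defaultPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}",
  "dockerHost": "unix:///var/run/docker.sock",
  "listen": "169.254.169.254:80"
}`

func main() {
	c, err := LoadConfig([]byte(sampleConfig))
	fmt.Printf("%d aliases, default %q, err=%v\n", len(c.AliasToARN), c.DefaultAlias, err)
}
```

The policy check is syntactic only; the effective permissions are still the intersection STS computes from the role's own policy and DefaultPolicy, so a syntactically valid but over-broad DefaultPolicy is not caught here. Role ARNs carry an empty region section, which is why `arn:aws:iam:us-east-1:...` is rejected along with user ARNs and non-IAM services.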