mdsd

package
v0.0.0-...-2a6dfc0
Published: Aug 3, 2024 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MdsModFn

func MdsModFn(m *meshauth.Module) error

func SetupAgent

func SetupAgent(ma *meshauth.Mesh, mux *http.ServeMux) error

Types

type Error

type Error struct {
	// Code is the HTTP response status code.
	Code int
	// Message is the server response message.
	Message string
}

Error contains an error response from the server.

func (*Error) Error

func (e *Error) Error() string

type MDS

type MDS struct {
	// Certificates, config and client factory.
	MeshAuth *meshauth.Mesh

	// Addr is the address of the MDS server, including http:// or https://
	// Will detect a GCP/GKE server
	Addr string
	// contains filtered or unexported fields
}

MDS represents the workload metadata. It is extracted from the environment: env variables, mesh config and the local metadata server. It implements the TokenSource interface; by default it should return tokens signed by the platform (Google) CA, including access tokens.

func Get

func Get(m *meshauth.Mesh) *MDS

func NewMDSClient

func NewMDSClient(ma *meshauth.Mesh, mdsBase string) *MDS

NewMDSClient returns a client for a GCP MDS-like server.

It can return JWT tokens for the 'primary' service account, as well as metadata.

func (*MDS) Get

func (c *MDS) Get(suffix string) (string, error)

Get returns a value from the metadata service. The suffix is appended to "http://${GCE_METADATA_HOST}/computeMetadata/v1/".

If the GCE_METADATA_HOST environment variable is not defined, a default of 169.254.169.254 will be used instead.

If the requested metadata is not defined, the returned error will be of type NotDefinedError.

func (*MDS) GetEnv

func (mds *MDS) GetEnv(name string) string

func (*MDS) GetToken

func (s *MDS) GetToken(ctx context.Context, aud string) (string, error)

GetToken gets a WorkloadID token from the platform (GCP, etc.) using the metadata server. The equivalent curl request is:

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"

On GKE this requires the annotation iam.gke.io/gcp-service-account=[GSA_NAME]@[PROJECT_ID]. The call may fail and need a retry.

func (*MDS) MetadataGet

func (m *MDS) MetadataGet(path string) (string, error)

MetadataGet returns MDS info.

For GCP:
- instance/hostname - node name, NAME.c.PROJECT.internal
- instance/attributes/cluster-name, cluster-location
- project/project-id, numeric-project-id

Auth:
- instance/service-accounts/ - default, PROJECTID.svc.id.goog
- instance/service-accounts/default/identity - requires the iam.gke.io/gcp-service-account=gsa@project annotation and IAM
- instance/service-accounts/default/token - access token for the KSA

func (*MDS) NumericProjectID

func (s *MDS) NumericProjectID() string

func (*MDS) ProjectID

func (s *MDS) ProjectID() string

func (*MDS) Subscribe

func (c *MDS) Subscribe(suffix string, fn func(v string, ok bool) error) error

Subscribe subscribes to a value from the metadata service. The suffix is appended to "http://${GCE_METADATA_HOST}/computeMetadata/v1/". The suffix may contain query parameters.

Subscribe calls fn with the latest metadata value indicated by the provided suffix. If the metadata value is deleted, fn is called with the empty string and ok false. Subscribe blocks until fn returns a non-nil error or the value is deleted. Subscribe returns the error value returned from the last call to fn, which may be nil when ok == false.

type MDSD

type MDSD struct {
	MeshAuth *meshauth.Mesh
	Metadata Metadata
}

func (*MDSD) HandleMDS

func (m *MDSD) HandleMDS(w http.ResponseWriter, r *http.Request)

HandleMDS emulates the GCP metadata server. The MDS address is 169.254.169.254:80; it can be intercepted with iptables, or set using GCE_METADATA_HOST. See:
https://googleapis.dev/python/google-auth/latest/reference/google.auth.environment_vars.html
https://pkg.go.dev/cloud.google.com/go/compute/metadata#Client.Get

The gRPC library will use it if:
- the env variable is set
- a probe to the IP and URL / returns the proper flavor
- DNS resolves metadata.google.internal to the IP
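As an added example (not code from the mdsd package), the two contracts documented above side by side: a hypothetical emulated server in the spirit of HandleMDS, and a client following the documented MDS.Get behaviour (suffix appended to http://${GCE_METADATA_HOST}/computeMetadata/v1/, default host 169.254.169.254, 404 surfaced as NotDefinedError). The names emulatedMDS and metadataGet and the sample project-id value are assumptions; the Metadata-Flavor check is the same gate the real metadata server enforces, so a request from a client that does not know it is talking to the MDS is refused.

```go
package main
import (
	"errors"
	"io"
	"net/http"
	"os"
)

// NotDefinedError is assumed to mirror the package's type: the missing suffix, as an error.
type NotDefinedError string
func (suffix NotDefinedError) Error() string { return "metadata: " + string(suffix) + " not defined" }
// emulatedMDS is a hypothetical stand-in for MDSD.HandleMDS: a fixed attribute map served
// only to requests that carry the Metadata-Flavor: Google header the real MDS insists on.
func emulatedMDS(attrs map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		v, ok := attrs[r.URL.Path]
		switch {
		case r.Header.Get("Metadata-Flavor") != "Google":
			http.Error(w, "missing Metadata-Flavor header", http.StatusForbidden)
		case !ok:
			http.NotFound(w, r)
		default:
			io.WriteString(w, v)
		}
	})
}

// metadataGet follows the documented MDS.Get contract: suffix appended to
// http://${GCE_METADATA_HOST}/computeMetadata/v1/, default host 169.254.169.254, 404 as NotDefinedError.
func metadataGet(suffix string) (string, error) {
	host := os.Getenv("GCE_METADATA_HOST")
	if host == "" {
		host = "169.254.169.254"
	}
	req, _ := http.NewRequest(http.MethodGet, "http://"+host+"/computeMetadata/v1/"+suffix, nil)
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	switch resp.StatusCode {
	case http.StatusOK:
		return string(body), nil
	case http.StatusNotFound:
		return "", NotDefinedError(suffix)
	}
	return "", errors.New("metadata: " + resp.Status)
}
```

To exercise it, wrap emulatedMDS in an httptest.NewServer and point GCE_METADATA_HOST at its listener address: a defined path returns its value, an undefined path surfaces as NotDefinedError, and a request without the header is answered with 403.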

type Metadata

type Metadata struct {
	Instance struct {
		Attributes struct {
			// Only GKE
			ClusterLocation string
			ClusterName     string
			ClusterUid      string

			// Only GCP
			// Full authorized_hosts with \n separators
			SSHKeys string
		}

		//     "hostname": "gke-CLUSTER_NAME-pool-1-1b6cad60-1l3a.c.costin-asm1.internal",
		// This is the FQDN hostname of the node.
		Hostname string

		ID int

		// Local part of the hostname.
		Name string

		Zone string

		// Default is present and the service account running the node/VM
		ServiceAccounts map[string]struct {
			Aliases []string // "default"
			Email   string   // Based on annotation on the KSA
			Scopes  []string
		}

		NetworkInterfaces map[string]struct {
			IPV6s string

			// Only GCP
			AccessConfigs struct {
				ExternalIP string
				Type       string // ONE_TO_ONE_NAT
			}
			Gateway           string
			IP                string
			Mac               string
			Mtu               string
			Network           string // projects/NUMBER/network/NAME
			Subnetmask        string
			TargetInstanceIps []string
			DNSServers        []string
		}
		Tags []string
	}

	Project struct {
		NumericProjectId int
		ProjectId        string

		// Only on GCP VMs
		Attributes map[string]string

		SSHKeys string `json:"sshKeys"`
	}
}

Metadata represents info about an instance, as reported by the GCP MDS.

Some info is only available on VMs or CloudRun.

type NotDefinedError

type NotDefinedError string

func (NotDefinedError) Error

func (suffix NotDefinedError) Error() string
