agentcrypto

package
Published: Mar 26, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package agentcrypto provides various cryptography related utility functions for Guest Agent.

Index

Constants

const (

	// MTLSSchedulerID is the identifier used by job scheduler.
	MTLSSchedulerID = "MTLS_MDS_Credential_Boostrapper"
	// MTLSScheduleInterval is the interval at which the credential bootstrapper runs.
	MTLSScheduleInterval = 48 * time.Hour
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CredsJob

type CredsJob struct {
	// contains filtered or unexported fields
}

CredsJob implements job scheduler interface for generating/rotating credentials.

func New

func New() *CredsJob

New initializes a new job.

func (*CredsJob) ID

func (j *CredsJob) ID() string

ID returns the ID for this job.

func (*CredsJob) Interval

func (j *CredsJob) Interval() (time.Duration, bool)

Interval returns the interval at which the job is executed.

func (*CredsJob) Run

func (j *CredsJob) Run(ctx context.Context) (bool, error)

Run generates the required credentials for MTLS MDS workflow.

1. Fetches, verifies and writes the Root CA cert from the UEFI variable to /run/google-mds-mtls/root.crt
2. Fetches the encrypted client credentials from MDS, decrypts them via the vTPM and writes them to /run/google-mds-mtls/client.key

Note that on Windows these credentials are at `C:\Program Files\Google\Compute Engine\certs\mds`. Additionally, on Windows the agent also generates a PFX file that can be used to invoke the HTTPS endpoint.

Example usage of these credentials to call HTTPS endpoint of MDS:

curl --cacert /run/google-mds-mtls/root.crt -E /run/google-mds-mtls/client.key -H "Metadata-Flavor: Google" https://169.254.169.254

Windows example:

$cert = Get-PfxCertificate -FilePath "C:\ProgramData\Google\Compute Engine\mds-mtls-client.key.pfx"
# or, from the machine certificate store:
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*google.internal*" }
Invoke-RestMethod -Uri https://169.254.169.254 -Method Get -Headers @{"Metadata-Flavor"="Google"} -Certificate $cert

func (*CredsJob) ShouldEnable

func (j *CredsJob) ShouldEnable(ctx context.Context) bool

ShouldEnable returns true if the MDS endpoint for fetching credentials is available on the VM. It is used to decide whether to schedule bootstrapping and enable MDS mTLS credential rotation.
