gcp

Version: v0.0.0-...-ab74ee0
Published: Jan 4, 2024 License: Apache-2.0 Imports: 23 Imported by: 1

README

Auth and bootstrap for GCP

This is a separate module, with dependencies on the GCP client APIs for authentication, secret retrieval and auto-configuration.

The meshauth and mk8s packages have minimal dependencies and provide zero-dependency REST alternatives for some of this code. This package provides the same integration using the official libraries.

The identity is based on:

  • GOOGLE_APPLICATION_CREDENTIALS
  • well known file ~/.config/gcloud/application_default_credentials.json
  • the metadata server (MDS), if detected: GCE_METADATA_HOST, 169.254.169.254 and metadata.google.internal (2-second timeout)

Dependencies

golang.org/x/oauth2, the main OAuth2 library for Go, which in turn depends on gcp/metadata and protobuf.

Documentation

Index

Constants

This section is empty.

Variables

var (
	GCPInitTime time.Duration
)

Functions

func GcpInit

func GcpInit(ctx context.Context, mds *meshauth.MeshAuth, acct string) error

GcpInit will detect google credentials or MDS, and init the MDS struct accordingly.

- projectId will be populated based on the credentials
- an access token source will be populated ("gcp")

DefaultTokenSource will:

- check GOOGLE_APPLICATION_CREDENTIALS - this should be a downloaded service account key, which can produce JWTs
- check ~/.config/gcloud/application_default_credentials.json
- otherwise use the metadata server

This also works for K8S, using the node MDS or the GKE MDS - but only if the ServiceAccount is annotated with a GSA (with permission to use it). It is also specific to GKE and GCP APIs.
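The credential lookup order described in the README's identity list and again in GcpInit's doc above, written out as an added example (not code from this package or from the official Google libraries). The lookups are injected so the order can be exercised offline; treating a dangling GOOGLE_APPLICATION_CREDENTIALS as an error, applying the 2-second timeout per host, and the Metadata-Flavor echo check are assumptions about how the probe is done:

```go
package main
import (
	"context"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
	"time"
)

// DetectSource walks the README's order and returns the source ("env", "well-known" or "mds") and the
// file or host it chose. An env var naming a missing file is an error, not a fall-through (assumption).
func DetectSource(ctx context.Context, getenv func(string) string, exists func(string) bool,
	alive func(context.Context, string) bool) (string, string, error) {
	if f := getenv("GOOGLE_APPLICATION_CREDENTIALS"); f != "" && exists(f) {
		return "env", f, nil
	} else if f != "" {
		return "", "", fmt.Errorf("GOOGLE_APPLICATION_CREDENTIALS=%q: file not found", f)
	}
	wk := filepath.Join(getenv("HOME"), ".config", "gcloud", "application_default_credentials.json")
	if getenv("HOME") != "" && exists(wk) {
		return "well-known", wk, nil
	}
	// GCE_METADATA_HOST (when set) is tried first, then the link-local IP, then the DNS name.
	hosts := append(strings.Fields(getenv("GCE_METADATA_HOST")), "169.254.169.254", "metadata.google.internal")
	for _, h := range hosts {
		hctx, cancel := context.WithTimeout(ctx, 2*time.Second) // README's 2 s limit; per host is an assumption
		ok := alive(hctx, h)
		cancel()
		if ok {
			return "mds", h, nil
		}
	}
	return "", "", fmt.Errorf("no default credentials found and no metadata server reachable")
}

// MDSAlive is the real probe: a GCE metadata server requires Metadata-Flavor: Google and echoes it back.
func MDSAlive(ctx context.Context, host string) bool {
	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+host+"/computeMetadata/v1/", nil)
	if err != nil {
		return false
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.Header.Get("Metadata-Flavor") == "Google"
}
```

Wire it with `os.Getenv`, an `os.Stat` based `exists` and `MDSAlive` to run it against a real environment.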

func InitDefaultTokenSource

func InitDefaultTokenSource(ctx context.Context) func(context.Context, string) (string, error)

Creates a token source for access tokens, based on GOOGLE_APPLICATION_CREDENTIALS or the MDS. This only returns access tokens if the default credentials are for a Google account. It is best to use the fake MDS.

func ProjectLabels

func ProjectLabels(ctx context.Context, p string) (map[string]string, error)

func ProjectNumber

func ProjectNumber(p string) string

func RegionFromMetadata

func RegionFromMetadata() (string, error)

Types

type GCP

type GCP struct {
	// Current project ID - tokens are associated with this project
	ProjectId string

	// Can be a region (Cloudrun, K8S) or zone (for VMs, K8S)
	Location string

	// For Cloudrun - instanceid. For VM - hostname. For K8S - pod (without suffix)
	InstanceID string
}

Info about the current user's GCP account and instance.

type GCPAuthProvider

type GCPAuthProvider struct {
	// Returns access tokens for a user or service account (via default credentials)
	// or federated access tokens.
	AccessTokenSource oauth2.TokenSource

	// GSA to get tokens for.
	GSA string
}

GCPAuthProvider returns access or JWT tokens for a Google account.

func (*GCPAuthProvider) GetToken

func (gcp *GCPAuthProvider) GetToken(ctx context.Context, aud string) (string, error)

type GKE

type GKE struct {
	// Current project ID - tokens are associated with this project
	ProjectId string

	// Required for using hub
	ProjectNumber string

	// Project where GKE clusters are located.
	ConfigProjectId string

	// Clusters is populated by UpdateClusters
	Clusters []*GKECluster

	// Active cluster.
	// Set using
	Cluster *GKECluster

	ClusterLocation string

	MeshAddr    *url.URL
	ClusterName string

	// For backward compat, POD_NAMESPACE is set as default, followed by "default"
	Namespace string

	// If set, this account will be used by exchanging current google account tokens
	// with this K8S account
	KSA string

	// --------------- old ----------------
	GSA string

	InCluster bool

	Debug bool

	Client *kubernetes.Clientset
}

TODO: finish hub.

func NewGKE

func NewGKE() *GKE

func (*GKE) DefaultsFromEnvAndMD

func (kr *GKE) DefaultsFromEnvAndMD(ctx context.Context) error

DefaultsFromEnvAndMD will attempt to configure ProjectId, ClusterName, ClusterLocation and ProjectNumber, as used on GCP. The metadata server is tried if the env variables are not set.

func (*GKE) FindClusters

func (kr *GKE) FindClusters(ctx context.Context, configProjectId string, location string) ([]*GKECluster, error)

Updates the list of clusters in the config project.

Requires the container.clusters.list permission.

func (*GKE) FindHubClusters

func (kr *GKE) FindHubClusters(ctx context.Context, configProjectId string) ([]*GKECluster, error)

Find clusters in the hub, using the Connect gateway. Note the 2400 qpm (40 QPS) per-project limit; it may be best to use a local replica.

Required roles:

- roles/gkehub.viewer to list
- roles/gkehub.gatewayReader for read
- roles/gkehub.gatewayEditor for write

func (*GKE) GKECluster

func (kr *GKE) GKECluster(ctx context.Context, p, l, clusterName string) (*GKECluster, error)

func (*GKE) InitGKE

func (kr *GKE) InitGKE(ctx context.Context) error

InitGKE will use MDS and env variables to initialize, then connect to GKE to get the list of available clusters or the explicitly configured cluster.

It will populate the rest.Config for the cluster if the K8S env variable is set.

Otherwise it will load all clusters and select one:

-

func (*GKE) PickCluster

func (kr *GKE) PickCluster(ctx context.Context, cll []*GKECluster) error

InitGKE loads GCP-specific metadata and discovers the config cluster. This step is skipped if the user has explicit configuration for the required settings:

Namespace, ProjectId, ProjectNumber, ClusterName, ClusterLocation

func (*GKE) TrustDomain

func (gke *GKE) TrustDomain() string

Trust domain for the mesh - based on the config cluster.

func (*GKE) UsableSubnetworks

func (kr *GKE) UsableSubnetworks(ctx context.Context)

type GKECluster

type GKECluster struct {
	// mangled name
	FullName        string
	ClusterName     string
	ClusterLocation string
	ProjectId       string

	GKECluster *containerpb.Cluster
	// contains filtered or unexported fields
}

GKECluster wraps cluster information for a discovered hub or GKE cluster.

func (*GKECluster) Name

func (gke *GKECluster) Name() string

func (*GKECluster) RestConfig

func (gke *GKECluster) RestConfig() *rest.Config

Returns a rest.Config for the cluster, similar to the in-cluster config but using MDS auth.
