SIA (Service Identity Agent) for GCP Runs (#2693)
Signed-off-by: Henry Avetisyan <[email protected]>
1 parent
ebb1acc
commit c3d2433
Showing
16 changed files
with
743 additions
and
20 deletions.
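--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE: Makefile>
@@ -0,0 +1,73 @@
+GOPKGNAME:=github.com/AthenZ/athenz/provider/gcp/sia-run
+export GOPATH ?= /tmp/go
+export GOPRIVATE=github.com
+
+FMT_LOG=/tmp/fmt.log
+
+BUILD_VERSION:=development
+CENTOS_VERSION:=7
+
+all: build_darwin build_linux test
+
+local: build test
+
+darwin: build_darwin test
+
+linux: build_linux test
+
+build: build_darwin build_linux
+
+build_darwin:
+@echo "Building darwin arm64 client with $(BUILD_VERSION)"
+GOOS=darwin GOARCH=arm64 go install -ldflags "-X main.Version=$(BUILD_VERSION)" -v $(GOPKGNAME)/...
+@echo "Building darwin amd64 client with $(BUILD_VERSION)"
+GOOS=darwin GOARCH=amd64 go install -ldflags "-X main.Version=$(BUILD_VERSION)" -v $(GOPKGNAME)/...
+
+build_linux:
+@echo "Building linux arm64 client with $(BUILD_VERSION)"
+GOOS=linux GOARCH=arm64 go install -ldflags "-X main.Version=$(BUILD_VERSION)" -v $(GOPKGNAME)/...
+@echo "Building linux client with $(BUILD_VERSION)"
+GOOS=linux GOARCH=amd64 go install -ldflags "-X main.Version=$(BUILD_VERSION)" -v $(GOPKGNAME)/...
+
+vet:
+go vet $(GOPKGNAME)/...
+
+fmt:
+gofmt -d . >$(FMT_LOG)
+@if [ -s $(FMT_LOG) ]; then echo gofmt FAIL; cat $(FMT_LOG); false; fi
+
+test: vet fmt
+go test -v $(GOPKGNAME)/...
+
+clean:
+go clean -i -x $(GOPKGNAME)/...
+
+custom.clean.post:
+rm -rf $(GOPATH)/bin/{linux_amd64,linux_arm64}/{metamock,siad}
+
+
+RPM_DIR := $(shell pwd)/rpm
+RPM_VARS :=
+RPM_VARS += --define 'BIN_DIR $(GOPATH)/bin'
+RPM_VARS += --define 'PACKAGE_VERSION $(BUILD_VERSION)'
+RPM_VARS += --define 'RELEASE 1'
+RPM_VARS += --define 'CENTOS_VERSION $(CENTOS_VERSION)'
+RPM_VARS += --define '_topdir $(RPM_DIR)'
+
+package:
+echo "rpmbuild $(RPM_VARS) -bb sia-run.spec"
+find $(GOPATH)/bin
+echo "siad version"
+$(GOPATH)/bin/siad -version
+rpmbuild $(RPM_VARS) -bb sia-run.spec
+
+ubuntu:
+sed -i.bak s/SIA_PACKAGE_VERSION/$(PACKAGE_VERSION)/g debian/sia/DEBIAN/control
+mkdir -p debian/sia/usr/lib/systemd/system/
+cp -fp $(GOPATH)/src/$(GOPKGNAME)/build/service/sia.service debian/sia/usr/lib/systemd/system/
+mkdir -p debian/sia/usr/sbin/
+cp -fp $(GOPATH)/bin/siad debian/sia/usr/sbin/
+cp debian/ubuntu/postinst debian/sia/DEBIAN/
+cp debian/ubuntu/preinst debian/sia/DEBIAN/
+mkdir -p debian/pkg
+cd debian && dpkg-deb --build sia pkg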
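Review bot: The `ubuntu` target's `sed` expands `$(PACKAGE_VERSION)`, but this Makefile only defines `BUILD_VERSION` (the RPM path maps it explicitly via `--define 'PACKAGE_VERSION $(BUILD_VERSION)'`), so unless the variable happens to be set in the environment the `SIA_PACKAGE_VERSION` placeholder in `debian/sia/DEBIAN/control` is replaced with an empty string and the .deb is built with no version. Using the same variable as the RPM path, `sed -i.bak s/SIA_PACKAGE_VERSION/$(BUILD_VERSION)/g debian/sia/DEBIAN/control`, keeps the two package formats consistent. The recipe lines show no leading tab in this rendering; presumably that is a display artifact rather than the committed file, but it is worth confirming since make rejects space-indented recipes.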
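--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE: README>
@@ -0,0 +1,41 @@
+# SIA for GCP Run
+
+## Configuration
+
+SIA GCP Run requires a configuration file to be present in the /etc/sia/sia_config with the
+following required attributes
+
+```json
+{
+"version": "1.0.0",
+"domain": "application-domain-name",
+"service": "application-service-name"
+}
+```
+
+The Google Project administrator must create a Google Service Account with the name
+`<application-service-name>`.
+
+SIA Configuration file provides a way to change the default user/group settings that the private key is owned by.
+By default, the private key is owned by user `root` and readable by group `athenz`. If the admin wants to
+provide access to their service identity private key to another user, it can be accomplished by adding the user to the group `athenz`.
+If the user wants to change the user and group values, a config file must contain following optional fields:
+
+```json
+{
+"version": "1.0.0",
+"domain": "application-domain-name",
+"service": "application-service-name",
+"user": "unix-username",
+"group": "unix-groupname"
+}
+```
+
+SIA-RUN can be built with following parameters -
+e.g.
+
+```shell
+GOOS=linux go install -ldflags "-X main.Version=1.0.0 -X main.ZtsEndPoint=zts.athenz.io -X main.DnsDomain=gcp.athenz.io -X main.ProviderPrefix=athenz.gcp" ./...
+```
+
+alternatively, those parameters can be passed during runtime and runtime parameters will take precedence over build time parameters.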
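--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE: package sia .go file>
@@ -0,0 +1,44 @@
+//
+// Copyright The Athenz Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package sia
+
+import (
+"github.com/AthenZ/athenz/libs/go/sia/host/provider"
+"github.com/AthenZ/athenz/libs/go/sia/options"
+"log"
+)
+
+func GetRunConfig(configFile, metaEndpoint, region string, provider provider.Provider) (*options.Config, error) {
+
+config, _, err := options.InitFileConfig(configFile, metaEndpoint, false, region, "", provider)
+if err != nil {
+log.Printf("Unable to process configuration file '%s': %v\n", configFile, err)
+log.Println("Trying to determine service details from the environment variables...")
+config, _, err = options.InitEnvConfig(config, provider)
+if err != nil {
+log.Printf("Unable to process environment settings: %v\n", err)
+// if we do not have settings in our environment, we're going
+// to use fallback to retrieve values from the context ( metadata etc. )
+config, _, err = options.InitGenericProfileConfig(metaEndpoint, "", "", provider)
+if err != nil {
+log.Printf("Unable to determine project, domain, service etc. from context err=%v\n", err)
+return nil, err
+}
+}
+}
+return config, nil
+}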
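Review bot: `GetRunConfig` is exported but carries no doc comment, and its `provider` parameter has the same name as the imported `provider` package, so inside the body the package identifier is shadowed and a reader has to go back to the signature to see which one a given `provider` means. Renaming the parameter, `func GetRunConfig(configFile, metaEndpoint, region string, prov provider.Provider) (*options.Config, error) {`, and adding a comment such as `// GetRunConfig resolves the SIA configuration by trying the config file, then environment variables, then the generic profile from the metadata endpoint; earlier failures are only logged and the last error is returned.` would make the three-stage fallback explicit to callers. The final fallback passes `""` where the file-based call received `region`; if that is intentional a one-line comment on that call would save the next reader from wondering whether region was dropped by mistake. I cannot tell from this page whether `InitEnvConfig` accepts the `config` value left behind by a failed `InitFileConfig` (it may be nil), so that contract is worth confirming against the `options` package.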