Merge pull request #60 from szuecs/platform-iam

Add support for Platform IAM tokens

Author: linki

auth/tokens.go

@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"path"
+
+	"golang.org/x/oauth2"
+	"k8s.io/client-go/transport"
+)
+
+const (
+	DefaultCredentialsDir = "/meta/credentials"
+	CredentialsDirEnvar   = "CREDENTIALS_DIR"
+)
+
+type platformCredentialsTokenSource struct {
+	tokenName      string
+	credentialsDir string
+}
+
+func NewPlatformCredentialsTokenSource(tokenName string, credentialsDir string) *platformCredentialsTokenSource {
+	return &platformCredentialsTokenSource{
+		tokenName:      tokenName,
+		credentialsDir: credentialsDir,
+	}
+}
+
+func (s *platformCredentialsTokenSource) Token() (*oauth2.Token, error) {
+	filePath := path.Join(s.credentialsDir, fmt.Sprintf("%s-token-secret", s.tokenName))
+	contents, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	return &oauth2.Token{AccessToken: string(contents)}, nil
+}
+
+type tokenInjector struct {
+	tokenSource oauth2.TokenSource
+	next        http.RoundTripper
+}
+
+func TokenInjector(tokenSource oauth2.TokenSource) transport.WrapperFunc {
+	return func(rt http.RoundTripper) http.RoundTripper {
+		return &tokenInjector{
+			tokenSource: tokenSource,
+			next:        rt,
+		}
+	}
+}
+
+func (i *tokenInjector) RoundTrip(request *http.Request) (*http.Response, error) {
+	token, err := i.tokenSource.Token()
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+token.AccessToken)
+	return i.next.RoundTrip(request)
+}

go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/prometheus/client_golang v1.20.4
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.10.0
+	golang.org/x/oauth2 v0.27.0
 	k8s.io/api v0.33.5
 	k8s.io/apimachinery v0.33.5
 	k8s.io/client-go v0.33.5
@@ -70,7 +71,6 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect

main.go

@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	log "github.com/sirupsen/logrus"
+	"github.com/szuecs/kube-static-egress-controller/auth"
 	"github.com/szuecs/kube-static-egress-controller/controller"
 	"github.com/szuecs/kube-static-egress-controller/kube"
 	"github.com/szuecs/kube-static-egress-controller/provider"
@@ -55,6 +56,9 @@ type Config struct {
 	Namespace                  string
 	ResyncInterval             time.Duration
 	Address                    string
+	// required by Platform credentials
+	UsePlatformCredentials bool
+	CredentialsDir         string
 }
 
 var defaultConfig = &Config{
@@ -120,6 +124,8 @@ Example:
 	// Flags related to Kubernetes
 	app.Flag("master", "The Kubernetes API server to connect to (default: auto-detect)").Default(defaultConfig.Master).StringVar(&cfg.Master)
 	app.Flag("kubeconfig", "Retrieve target cluster configuration from a Kubernetes configuration file (default: auto-detect)").Default(defaultConfig.KubeConfig).StringVar(&cfg.KubeConfig)
+	app.Flag("use-platform-credentials", "Use Platform credentials (default: disabled)").BoolVar(&cfg.UsePlatformCredentials)
+	app.Flag("credentials-dir", "Directory where the Platform credentials are stored (default: /meta/credentials)").Default(auth.DefaultCredentialsDir).Envar(auth.CredentialsDirEnvar).StringVar(&cfg.CredentialsDir)
 	app.Flag("provider", "Provider implementing static egress <noop|aws> (default: auto-detect)").Default(defaultConfig.Provider).StringVar(&cfg.Provider)
 	app.Flag("cluster-id", "Cluster ID used define ownership of Egress stack.").StringVar(&cfg.ClusterID)
 	app.Flag("cluster-id-tag-prefix", "Prefix for the Cluster ID tag set on the Egress stack.").Default(defaultConfig.ClusterIDTagPrefix).StringVar(&cfg.ClusterIDTagPrefix)
@@ -169,7 +175,7 @@ func main() {
 	}
 
 	configsChan := make(chan provider.EgressConfig)
-	cmWatcher, err := kube.NewConfigMapWatcher(newKubeClient(), cfg.Namespace, "egress=static", configsChan)
+	cmWatcher, err := kube.NewConfigMapWatcher(newKubeClient(cfg), cfg.Namespace, "egress=static", configsChan)
 	if err != nil {
 		log.Fatalf("Failed to setup ConfigMap watcher: %v", err)
 	}
@@ -188,7 +194,7 @@ func main() {
 }
 
 // newKubeClient returns a new Kubernetes client with the default config.
-func newKubeClient() kubernetes.Interface {
+func newKubeClient(cfg *Config) kubernetes.Interface {
 	var kubeconfig string
 	if _, err := os.Stat(clientcmd.RecommendedHomeFile); err == nil {
 		kubeconfig = clientcmd.RecommendedHomeFile
@@ -199,6 +205,10 @@ func newKubeClient() kubernetes.Interface {
 		log.Fatalf("build config failed: %v", err)
 	}
 
+	if cfg.UsePlatformCredentials {
+		config.Wrap(auth.TokenInjector(auth.NewPlatformCredentialsTokenSource(name, cfg.CredentialsDir)))
+	}
+
 	client, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		log.Fatalf("initialize kubernetes client failed: %v", err)