constellation/internal/cloud/openstack/imds.go

297 lines
7.8 KiB
Go
Raw Normal View History

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package openstack
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"time"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"github.com/edgelesssys/constellation/v2/internal/role"
)
// documentation of OpenStack Metadata Service: https://docs.openstack.org/nova/rocky/user/metadata-service.html
const (
imdsMetaDataURL = "http://169.254.169.254/openstack/2018-08-27/meta_data.json"
imdsNetworkDataURL = "http://169.254.169.254/openstack/2018-08-27/network_data.json"
ec2ImdsBaseURL = "http://169.254.169.254/1.0/meta-data"
maxCacheAge = 12 * time.Hour
)
type imdsClient struct {
client httpClient
vpcIPCache string
vpcIPCacheTime time.Time
networkCache networkResponse
networkCacheTime time.Time
cache metadataResponse
cacheTime time.Time
}
// providerID returns the provider ID of the instance the function is called from.
func (c *imdsClient) providerID(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.UUID == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.UUID == "" {
return "", errors.New("unable to get provider id")
}
return c.cache.UUID, nil
}
func (c *imdsClient) name(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.Name == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.Name == "" {
return "", errors.New("unable to get name")
}
return c.cache.Name, nil
}
// projectID returns the project ID of the instance the function
// is called from.
func (c *imdsClient) projectID(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.ProjectID == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.ProjectID == "" {
return "", errors.New("unable to get project id")
}
return c.cache.ProjectID, nil
}
// uid returns the UID of the cluster, based on the tags on the instance
// the function is called from, which are inherited from the scale set.
func (c *imdsClient) uid(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || len(c.cache.Tags.UID) == 0 {
if err := c.update(ctx); err != nil {
return "", err
}
}
if len(c.cache.Tags.UID) == 0 {
return "", fmt.Errorf("unable to get uid from metadata tags %v", c.cache.Tags)
}
return c.cache.Tags.UID, nil
}
// initSecretHash returns the hash of the init secret of the cluster, based on the tags on the instance
// the function is called from, which are inherited from the scale set.
func (c *imdsClient) initSecretHash(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || len(c.cache.Tags.InitSecretHash) == 0 {
if err := c.update(ctx); err != nil {
return "", err
}
}
if len(c.cache.Tags.InitSecretHash) == 0 {
return "", fmt.Errorf("unable to get tag %s from metadata tags %v", cloud.TagInitSecretHash, c.cache.Tags)
}
return c.cache.Tags.InitSecretHash, nil
}
// role returns the role of the instance the function is called from.
func (c *imdsClient) role(ctx context.Context) (role.Role, error) {
if c.timeForUpdate(c.cacheTime) || len(c.cache.Tags.Role) == 0 {
if err := c.update(ctx); err != nil {
return role.Unknown, err
}
}
if len(c.cache.Tags.Role) == 0 {
return role.Unknown, fmt.Errorf("unable to get role from metadata tags %v", c.cache.Tags)
}
return role.FromString(c.cache.Tags.Role), nil
}
func (c *imdsClient) authURL(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.Tags.AuthURL == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.Tags.AuthURL == "" {
return "", errors.New("unable to get auth url")
}
return c.cache.Tags.AuthURL, nil
}
func (c *imdsClient) userDomainName(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.Tags.UserDomainName == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.Tags.UserDomainName == "" {
return "", errors.New("unable to get user domain name")
}
return c.cache.Tags.UserDomainName, nil
}
func (c *imdsClient) username(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.Tags.Username == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.Tags.Username == "" {
return "", errors.New("unable to get token name")
}
return c.cache.Tags.Username, nil
}
func (c *imdsClient) password(ctx context.Context) (string, error) {
if c.timeForUpdate(c.cacheTime) || c.cache.Tags.Password == "" {
if err := c.update(ctx); err != nil {
return "", err
}
}
if c.cache.Tags.Password == "" {
return "", errors.New("unable to get token password")
}
return c.cache.Tags.Password, nil
}
// timeForUpdate checks whether an update is needed due to cache age.
func (c *imdsClient) timeForUpdate(t time.Time) bool {
return time.Since(t) > maxCacheAge
}
// update updates instance metadata from the azure imds API.
func (c *imdsClient) update(ctx context.Context) error {
resp, err := httpGet(ctx, c.client, imdsMetaDataURL)
if err != nil {
return err
}
var metadataResp metadataResponse
if err := json.Unmarshal(resp, &metadataResp); err != nil {
return err
}
c.cache = metadataResp
c.cacheTime = time.Now()
return nil
}
func (c *imdsClient) vpcIP(ctx context.Context) (string, error) {
const path = "local-ipv4"
if c.timeForUpdate(c.vpcIPCacheTime) || c.vpcIPCache == "" {
resp, err := httpGet(ctx, c.client, ec2ImdsBaseURL+"/"+path)
if err != nil {
return "", err
}
c.vpcIPCache = string(resp)
c.vpcIPCacheTime = time.Now()
}
if c.vpcIPCache == "" {
return "", errors.New("unable to get vpc ip")
}
return c.vpcIPCache, nil
}
func (c *imdsClient) networkIDs(ctx context.Context) ([]string, error) {
if c.timeForUpdate(c.networkCacheTime) || len(c.networkCache.Networks) == 0 {
resp, err := httpGet(ctx, c.client, imdsNetworkDataURL)
if err != nil {
return nil, err
}
var networkResp networkResponse
if err := json.Unmarshal(resp, &networkResp); err != nil {
return nil, err
}
c.networkCache = networkResp
c.networkCacheTime = time.Now()
}
var networkIDs []string
for _, network := range c.networkCache.Networks {
if network.NetworkID == "" {
continue
}
networkIDs = append(networkIDs, network.NetworkID)
}
return networkIDs, nil
}
func httpGet(ctx context.Context, c httpClient, url string) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
if err != nil {
return nil, err
}
resp, err := c.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
return io.ReadAll(resp.Body)
}
// metadataResponse contains metadataResponse with only the required values.
type metadataResponse struct {
UUID string `json:"uuid,omitempty"`
ProjectID string `json:"project_id,omitempty"`
Name string `json:"name,omitempty"`
Tags metadataTags `json:"meta,omitempty"`
}
type metadataTags struct {
InitSecretHash string `json:"constellation-init-secret-hash,omitempty"`
Role string `json:"constellation-role,omitempty"`
UID string `json:"constellation-uid,omitempty"`
AuthURL string `json:"openstack-auth-url,omitempty"`
UserDomainName string `json:"openstack-user-domain-name,omitempty"`
Username string `json:"openstack-username,omitempty"`
Password string `json:"openstack-password,omitempty"`
}
// networkResponse contains networkResponse with only the required values.
type networkResponse struct {
Networks []metadataNetwork `json:"networks,omitempty"`
}
type metadataNetwork struct {
ID string `json:"id,omitempty"`
NetworkID string `json:"network_id,omitempty"`
}
type httpClient interface {
Do(req *http.Request) (*http.Response, error)
}