mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-04 04:10:59 -05:00
5a0234b3f2
* Convert enforceIDKeyDigest setting to enum * Use MAA fallback in Azure SNP attestation * Only create MAA provider if MAA fallback is enabled --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
233 lines
6.5 KiB
Go
233 lines
6.5 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package azure
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud"
|
|
"github.com/edgelesssys/constellation/v2/internal/role"
|
|
)
|
|
|
|
// subset of azure imds API: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
|
|
// this is not yet available through the azure sdk (see https://github.com/Azure/azure-rest-api-specs/issues/4408)
|
|
|
|
const (
|
|
imdsURL = "http://169.254.169.254/metadata/instance"
|
|
imdsAPIVersion = "2021-02-01"
|
|
maxCacheAge = 12 * time.Hour
|
|
)
|
|
|
|
// IMDSClient is a client for the Azure Instance Metadata Service.
|
|
type IMDSClient struct {
|
|
client *http.Client
|
|
|
|
cache metadataResponse
|
|
cacheTime time.Time
|
|
}
|
|
|
|
// NewIMDSClient creates a new IMDSClient.
|
|
func NewIMDSClient() *IMDSClient {
|
|
// The default http client may use a system-wide proxy and it is recommended to disable the proxy explicitly:
|
|
// https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux#proxies
|
|
// See also: https://github.com/microsoft/azureimds/blob/master/imdssample.go#L10
|
|
return &IMDSClient{
|
|
client: &http.Client{Transport: &http.Transport{Proxy: nil}},
|
|
}
|
|
}
|
|
|
|
// Tags returns the tags of the instance the function is called from.
|
|
func (c *IMDSClient) Tags(ctx context.Context) (map[string]string, error) {
|
|
if c.timeForUpdate() || len(c.cache.Compute.Tags) == 0 {
|
|
if err := c.update(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
tags := make(map[string]string, len(c.cache.Compute.Tags))
|
|
for _, tag := range c.cache.Compute.Tags {
|
|
tags[tag.Name] = tag.Value
|
|
}
|
|
|
|
return tags, nil
|
|
}
|
|
|
|
// providerID returns the provider ID of the instance the function is called from.
|
|
func (c *IMDSClient) providerID(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || c.cache.Compute.ResourceID == "" {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
if c.cache.Compute.ResourceID == "" {
|
|
return "", errors.New("unable to get provider id")
|
|
}
|
|
|
|
return c.cache.Compute.ResourceID, nil
|
|
}
|
|
|
|
func (c *IMDSClient) name(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || c.cache.Compute.OSProfile.ComputerName == "" {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
if c.cache.Compute.OSProfile.ComputerName == "" {
|
|
return "", errors.New("unable to get name")
|
|
}
|
|
|
|
return c.cache.Compute.OSProfile.ComputerName, nil
|
|
}
|
|
|
|
// subscriptionID returns the subscription ID of the instance the function
|
|
// is called from.
|
|
func (c *IMDSClient) subscriptionID(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || c.cache.Compute.SubscriptionID == "" {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
if c.cache.Compute.SubscriptionID == "" {
|
|
return "", errors.New("unable to get subscription id")
|
|
}
|
|
|
|
return c.cache.Compute.SubscriptionID, nil
|
|
}
|
|
|
|
// resourceGroup returns the resource group of the instance the function
|
|
// is called from.
|
|
func (c *IMDSClient) resourceGroup(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || c.cache.Compute.ResourceGroup == "" {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
if c.cache.Compute.ResourceGroup == "" {
|
|
return "", errors.New("unable to get resource group")
|
|
}
|
|
|
|
return c.cache.Compute.ResourceGroup, nil
|
|
}
|
|
|
|
// uid returns the UID of the cluster, based on the tags on the instance
|
|
// the function is called from, which are inherited from the scale set.
|
|
func (c *IMDSClient) uid(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || len(c.cache.Compute.Tags) == 0 {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
for _, tag := range c.cache.Compute.Tags {
|
|
if tag.Name == cloud.TagUID {
|
|
return tag.Value, nil
|
|
}
|
|
}
|
|
|
|
return "", fmt.Errorf("unable to get uid from metadata tags %v", c.cache.Compute.Tags)
|
|
}
|
|
|
|
// initSecretHash returns the hash of the init secret of the cluster, based on the tags on the instance
|
|
// the function is called from, which are inherited from the scale set.
|
|
func (c *IMDSClient) initSecretHash(ctx context.Context) (string, error) {
|
|
if c.timeForUpdate() || len(c.cache.Compute.Tags) == 0 {
|
|
if err := c.update(ctx); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
for _, tag := range c.cache.Compute.Tags {
|
|
if tag.Name == cloud.TagInitSecretHash {
|
|
return tag.Value, nil
|
|
}
|
|
}
|
|
|
|
return "", fmt.Errorf("unable to get tag %s from metadata tags %v", cloud.TagInitSecretHash, c.cache.Compute.Tags)
|
|
}
|
|
|
|
// role returns the role of the instance the function is called from.
|
|
func (c *IMDSClient) role(ctx context.Context) (role.Role, error) {
|
|
if c.timeForUpdate() || len(c.cache.Compute.Tags) == 0 {
|
|
if err := c.update(ctx); err != nil {
|
|
return role.Unknown, err
|
|
}
|
|
}
|
|
|
|
for _, tag := range c.cache.Compute.Tags {
|
|
if tag.Name == cloud.TagRole {
|
|
return role.FromString(tag.Value), nil
|
|
}
|
|
}
|
|
|
|
return role.Unknown, fmt.Errorf("unable to get role from metadata tags %v", c.cache.Compute.Tags)
|
|
}
|
|
|
|
// timeForUpdate checks whether an update is needed due to cache age.
|
|
func (c *IMDSClient) timeForUpdate() bool {
|
|
return time.Since(c.cacheTime) > maxCacheAge
|
|
}
|
|
|
|
// update updates instance metadata from the azure imds API.
|
|
func (c *IMDSClient) update(ctx context.Context) error {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, imdsURL, http.NoBody)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req.Header.Add("Metadata", "True")
|
|
query := req.URL.Query()
|
|
query.Add("format", "json")
|
|
query.Add("api-version", imdsAPIVersion)
|
|
req.URL.RawQuery = query.Encode()
|
|
resp, err := c.client.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var res metadataResponse
|
|
if err := json.Unmarshal(body, &res); err != nil {
|
|
return err
|
|
}
|
|
|
|
c.cache = res
|
|
c.cacheTime = time.Now()
|
|
return nil
|
|
}
|
|
|
|
// metadataResponse contains metadataResponse with only the required values.
|
|
type metadataResponse struct {
|
|
Compute metadataResponseCompute `json:"compute,omitempty"`
|
|
}
|
|
|
|
type metadataResponseCompute struct {
|
|
ResourceID string `json:"resourceId,omitempty"`
|
|
SubscriptionID string `json:"subscriptionId,omitempty"`
|
|
ResourceGroup string `json:"resourceGroupName,omitempty"`
|
|
Tags []metadataTag `json:"tagsList,omitempty"`
|
|
OSProfile struct {
|
|
ComputerName string `json:"computerName,omitempty"`
|
|
} `json:"osProfile,omitempty"`
|
|
}
|
|
|
|
type metadataTag struct {
|
|
Name string `json:"name,omitempty"`
|
|
Value string `json:"value,omitempty"`
|
|
}
|