// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
4
// The following enables go generate to generate the doc.go file.
//go:generate go run $JIRI_ROOT/release/go/src/v.io/x/lib/cmdline/testdata/gendoc.go . -help
7
8package main
9
import (
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"os"
	"strings"

	"v.io/v23"
	"v.io/v23/context"
	"v.io/v23/security"
	"v.io/v23/vom"
	"v.io/x/lib/cmdline"
	lsecurity "v.io/x/ref/lib/security"
	"v.io/x/ref/lib/signals"
	"v.io/x/ref/lib/v23cmd"
	"v.io/x/ref/services/agent/internal/ipc"
	"v.io/x/ref/services/agent/internal/server"
	"v.io/x/ref/services/cluster"

	_ "v.io/x/ref/runtime/factories/roaming"
)
30
// Values of the pod_agentd command-line flags. Each variable is bound to its
// flag in main and stays empty until the command line has been parsed.

// clusterAgent is the address of the cluster agent that hands out blessings.
var clusterAgent string

// socketPath is the path of the unix socket the agent listens on.
var socketPath string

// secretKeyFile names the file whose contents are presented to the cluster
// agent as the secret when seeking blessings.
var secretKeyFile string

// rootBlessings is a comma-separated list of base64 (URL alphabet),
// VOM-encoded blessing roots to trust.
var rootBlessings string
37
// main binds the pod_agentd flags to their package-level variables and then
// hands control to the cmdline package, which parses the command line and
// runs cmdPodAgentD.
func main() {
	// All four flags are strings with an empty default; registering them
	// from a table keeps the name/usage pairs in one place.
	stringFlags := []struct {
		dest  *string
		name  string
		usage string
	}{
		{&clusterAgent, "agent", "The address of the cluster agent."},
		{&socketPath, "socket-path", "The path of the unix socket to listen on."},
		{&secretKeyFile, "secret-key-file", "The name of the file that contains the secret key."},
		{&rootBlessings, "root-blessings", "A comma-separated list of the root blessings to trust, base64-encoded VOM-encoded."},
	}
	for _, f := range stringFlags {
		cmdPodAgentD.Flags.StringVar(f.dest, f.name, "", f.usage)
	}

	// Called with no exceptions, so presumably every global flag is hidden
	// from the help output -- confirm against the cmdline package.
	cmdline.HideGlobalFlagsExcept()
	cmdline.Main(cmdPodAgentD)
}
47
// cmdPodAgentD describes the pod_agentd command for the cmdline package. Its
// flags are registered in main; runPodAgentD is the command body, wrapped by
// v23cmd.RunnerFunc so that it is handed a runtime context.
var cmdPodAgentD = &cmdline.Command{
	Name:  "pod_agentd",
	Short: "Holds the principal of a kubernetes pod",
	Long: `
Command pod_agentd runs a security agent daemon, which holds a private key in
memory and makes it available to the kubernetes pod in which it is running.
`,
	Runner: v23cmd.RunnerFunc(runPodAgentD),
}
57
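// runPodAgentD is the body of the pod_agentd command. It creates a fresh
// in-memory principal, optionally trusts the roots given by -root-blessings,
// obtains blessings for that principal from the cluster agent using the
// secret read from -secret-key-file, and then serves the principal over the
// unix socket at -socket-path until a shutdown signal arrives.
//
// Setup errors are returned to the cmdline runner. addRoot is the exception:
// it terminates the process itself on a malformed root.
func runPodAgentD(ctx *context.T, env *cmdline.Env, args []string) error {
	p, err := lsecurity.NewPrincipal()
	if err != nil {
		return err
	}
	// ctx is assigned with "=", not shadowed, so the principal is visible to
	// everything below (addRoot reads it back from ctx).
	if ctx, err = v23.WithPrincipal(ctx, p); err != nil {
		return err
	}
	if rootBlessings != "" {
		addRoot(ctx, rootBlessings)
	}

	if err = installClusterBlessings(ctx, p); err != nil {
		return err
	}

	// Run the server. The principal is wrapped as immutable before it is
	// exposed on the socket; presumably that refuses changes to its blessing
	// store and roots from clients -- confirm against lsecurity.
	i := ipc.NewIPC()
	defer i.Close()
	if err = server.ServeAgent(i, lsecurity.NewImmutablePrincipal(p)); err != nil {
		return err
	}
	// A socket left behind by an earlier run would make Listen fail.
	if err = removeStaleSocket(socketPath); err != nil {
		return err
	}
	if err = i.Listen(socketPath); err != nil {
		return err
	}
	// Make the socket available to all users so that the application can
	// run with a non-root UID.
	// The socket's parent directory is mounted only in the containers that
	// should have access to it. So, this doesn't change who has access to
	// the socket.
	if err = os.Chmod(socketPath, 0666); err != nil {
		return err
	}
	<-signals.ShutdownOnSignals(ctx)
	return nil
}

// installClusterBlessings reads the secret from secretKeyFile, presents it to
// the cluster agent at clusterAgent in exchange for blessings, and installs
// those blessings on p: as its default, as the blessings shown to all peers,
// and with their roots added to p's trusted roots.
func installClusterBlessings(ctx *context.T, p security.Principal) error {
	secret, err := ioutil.ReadFile(secretKeyFile)
	if err != nil {
		return err
	}

	// Fetch blessings from cluster agent.
	ca := cluster.ClusterAgentClient(clusterAgent)
	blessings, err := ca.SeekBlessings(ctx, string(secret))
	if err != nil {
		return err
	}
	if err = p.BlessingStore().SetDefault(blessings); err != nil {
		return err
	}
	if _, err = p.BlessingStore().Set(blessings, security.AllPrincipals); err != nil {
		return err
	}
	return security.AddToRoots(p, blessings)
}

// removeStaleSocket deletes a leftover unix socket at path (for example from
// a previous run of the agent) so that it can be bound again. A missing path
// is not an error. Unlike a blind os.Remove, an entry at path that is not a
// socket is left in place and reported, so a mis-set -socket-path cannot
// delete an unrelated file; a failed removal is reported rather than ignored.
// Lstat is used because os.Remove acts on the path entry itself, not on a
// symlink target.
func removeStaleSocket(path string) error {
	fi, err := os.Lstat(path)
	if os.IsNotExist(err) {
		return nil
	}
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("%q exists and is not a unix socket", path)
	}
	return os.Remove(path)
}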
114
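// addRoot adds every blessing root listed in flagRoots to the roots trusted
// by the principal carried in ctx. flagRoots is a comma-separated list; each
// element is a base64 (URL alphabet) string holding VOM-encoded
// security.Blessings. Empty elements (for example from a trailing comma or
// an empty flagRoots) are skipped instead of being treated as a malformed
// root.
//
// Any decode or add failure is reported through ctx.Fatalf, which terminates
// the process; addRoot never returns an error to its caller.
func addRoot(ctx *context.T, flagRoots string) {
	p := v23.GetPrincipal(ctx)
	for _, b64 := range strings.Split(flagRoots, ",") {
		if b64 == "" {
			continue
		}
		// We use URLEncoding to be compatible with the principal
		// command.
		vomBlessings, err := base64.URLEncoding.DecodeString(b64)
		if err != nil {
			ctx.Fatalf("unable to decode the base64 blessing roots: %v", err)
		}
		var blessings security.Blessings
		if err := vom.Decode(vomBlessings, &blessings); err != nil {
			ctx.Fatalf("unable to decode the vom blessing roots: %v", err)
		}
		if err := security.AddToRoots(p, blessings); err != nil {
			ctx.Fatalf("unable to add blessing roots: %v", err)
		}
	}
}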