feat: support service account auth in cli

Move the common GRPC interceptor code for siderov1 auth into go-api-signature. Refactor go-api-signature to attempt to read the known environment variables for service accounts. Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com> (cherry picked from commit c14a5d4)
siderolabs · Oct 17, 2023 · 58b16b9 · 58b16b9
1 parent 124c2ff
commit 58b16b9
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 117 deletions.
diff --git a/go.mod b/go.mod
@@ -256,7 +256,6 @@ require (
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.16.0 // indirect
@@ -267,7 +266,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b // indirect
 	github.com/sethgrid/pester v1.2.0 // indirect
-	github.com/siderolabs/go-api-signature v0.2.6 // indirect
+	github.com/siderolabs/go-api-signature v0.3.0 // indirect
 	github.com/siderolabs/protoenc v0.2.0 // indirect
 	github.com/siderolabs/tcpproxy v0.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
@@ -315,3 +314,5 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
+
+require github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
diff --git a/go.sum b/go.sum
@@ -993,8 +993,8 @@ github.com/siderolabs/discovery-client v0.1.5 h1:CyaOOynanZdB29v46lyEOaNfPoBnKjj
 github.com/siderolabs/discovery-client v0.1.5/go.mod h1:XFSNX7ADu+4r3j/m299V6pP7f4vEDnSJJhgc5yZE73g=
 github.com/siderolabs/gen v0.4.5 h1:rwXUVJlL7hYza1LrSVXfT905ZC9Rgei37jMKKs/+eP0=
 github.com/siderolabs/gen v0.4.5/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4KfUnILM=
-github.com/siderolabs/go-api-signature v0.2.6 h1:X4Q+J7CmyfUHKUR+4x4RqmmSSksQ2pYGDajwVX8ZaJ0=
-github.com/siderolabs/go-api-signature v0.2.6/go.mod h1:jt7azUqWctrkn7XuTPunfkWllvGPIfRJW8AS3OVkiqE=
+github.com/siderolabs/go-api-signature v0.3.0 h1:RSJ210iLD6p2FouRvRvkB6FMvz8ZltXvt9+g+5EGbC4=
+github.com/siderolabs/go-api-signature v0.3.0/go.mod h1:RZQFRiZ4midsdC9XCGhhWyS8QcIWtpEFeigvqoDPYJY=
 github.com/siderolabs/go-blockdevice v0.4.6 h1:yfxFYzXezzszB0mSF2ZG8jPPampoNXa9r8W8nM0IoZI=
 github.com/siderolabs/go-blockdevice v0.4.6/go.mod h1:4PeOuk71pReJj1JQEXDE7kIIQJPVe8a+HZQa+qjxSEA=
 github.com/siderolabs/go-circular v0.1.0 h1:zpBJNUbCZSh0odZxA4Dcj0d3ShLLR2WxKW6hTdAtoiE=

diff --git a/pkg/machinery/client/connection.go b/pkg/machinery/client/connection.go
@@ -15,6 +15,8 @@ import (
 	"strings"
 
 	"github.com/siderolabs/gen/slices"
+	"github.com/siderolabs/go-api-signature/pkg/client/interceptor"
+	"github.com/siderolabs/go-api-signature/pkg/pgp/client"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 
@@ -81,10 +83,16 @@ func (c *Client) getConn(ctx context.Context, opts ...grpc.DialOption) (*grpcCon
 			contextName = c.options.contextOverride
 		}
 
-		authInterceptor := newAuthInterceptorConfig(contextName, sideroV1.Identity)
+		authInterceptor := interceptor.New(interceptor.Options{
+			UserKeyProvider: client.NewKeyProvider("talos/keys"),
+			ContextName:     contextName,
+			Identity:        sideroV1.Identity,
+			ClientName:      "Talos",
+		})
+
 		dialOpts = append(dialOpts,
-			grpc.WithUnaryInterceptor(authInterceptor.Interceptor().Unary()),
-			grpc.WithStreamInterceptor(authInterceptor.Interceptor().Stream()),
+			grpc.WithUnaryInterceptor(authInterceptor.Unary()),
+			grpc.WithStreamInterceptor(authInterceptor.Stream()),
 		)
 	}
 

diff --git a/pkg/machinery/client/siderov1.go b/pkg/machinery/client/siderov1.go
diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod
@@ -17,10 +17,9 @@ require (
 	github.com/jsimonetti/rtnetlink v1.3.4
 	github.com/mdlayher/ethtool v0.1.0
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
 	github.com/siderolabs/crypto v0.4.1
 	github.com/siderolabs/gen v0.4.5
-	github.com/siderolabs/go-api-signature v0.2.6
+	github.com/siderolabs/go-api-signature v0.3.0
 	github.com/siderolabs/go-blockdevice v0.4.6
 	github.com/siderolabs/go-pointer v1.0.0
 	github.com/siderolabs/net v0.4.0
@@ -51,6 +50,7 @@ require (
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/onsi/gomega v1.20.1 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect

diff --git a/pkg/machinery/go.sum b/pkg/machinery/go.sum
@@ -107,8 +107,8 @@ github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSv
 github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k=
 github.com/siderolabs/gen v0.4.5 h1:rwXUVJlL7hYza1LrSVXfT905ZC9Rgei37jMKKs/+eP0=
 github.com/siderolabs/gen v0.4.5/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4KfUnILM=
-github.com/siderolabs/go-api-signature v0.2.6 h1:X4Q+J7CmyfUHKUR+4x4RqmmSSksQ2pYGDajwVX8ZaJ0=
-github.com/siderolabs/go-api-signature v0.2.6/go.mod h1:jt7azUqWctrkn7XuTPunfkWllvGPIfRJW8AS3OVkiqE=
+github.com/siderolabs/go-api-signature v0.3.0 h1:RSJ210iLD6p2FouRvRvkB6FMvz8ZltXvt9+g+5EGbC4=
+github.com/siderolabs/go-api-signature v0.3.0/go.mod h1:RZQFRiZ4midsdC9XCGhhWyS8QcIWtpEFeigvqoDPYJY=
 github.com/siderolabs/go-blockdevice v0.4.6 h1:yfxFYzXezzszB0mSF2ZG8jPPampoNXa9r8W8nM0IoZI=
 github.com/siderolabs/go-blockdevice v0.4.6/go.mod h1:4PeOuk71pReJj1JQEXDE7kIIQJPVe8a+HZQa+qjxSEA=
 github.com/siderolabs/go-pointer v1.0.0 h1:6TshPKep2doDQJAAtHUuHWXbca8ZfyRySjSBT/4GsMU=