From 986ba23212dbdf996b4754f9f639c1b41d2147f1 Mon Sep 17 00:00:00 2001 From: Mark van Holsteijn Date: Sun, 5 Dec 2021 21:20:55 +0100 Subject: [PATCH] much improved implementation - client side uses a real proxy - client and server side proxy will only forward to gke clusters endpoints - cobra is used for CLI --- README.md | 30 ++--- client/main.go | 166 +++++++++++++++++++++++++ client/rewrite_request_url.go | 58 +++++++++ clusterinfo/cache.go | 147 ++++++++++++++++++++++ clusterinfo/cache_test.go | 32 +++++ cmd/client.go | 78 ++++++++++++ cmd/root.go | 99 +++++++++++++++ cmd/server.go | 31 +++++ go.mod | 18 +++ go.sum | 163 ++++++++++++++++++++++++ main.go | 220 +------------------------------- old_main.go | 227 ++++++++++++++++++++++++++++++++++ server/main.go | 127 +++++++++++++++++++ terraform/.terraform-version | 1 + terraform/iap-proxy.service | 15 +-- terraform/main.tf | 41 ++---- terraform/output.tf | 7 +- terraform/variables.tf | 8 -- 18 files changed, 1185 insertions(+), 283 deletions(-) create mode 100644 client/main.go create mode 100644 client/rewrite_request_url.go create mode 100644 clusterinfo/cache.go create mode 100644 clusterinfo/cache_test.go create mode 100644 cmd/client.go create mode 100644 cmd/root.go create mode 100644 cmd/server.go create mode 100644 old_main.go create mode 100644 server/main.go create mode 100644 terraform/.terraform-version diff --git a/README.md b/README.md index 5e2b896..82d7696 100644 --- a/README.md +++ b/README.md @@ -22,12 +22,6 @@ To configure your deployment, create a file `.auto.tfvars` with the following co project = "my-project" region = "europe-west4" -# target cluster to forward the requests to -target_cluster = { - name = "cluster-1" - location = "europe-west4-c" -} - ## DNS managed zone accessible from the public internet dns_managed_zone = "my-managed-zone" 
@@ -55,13 +49,10 @@ $ terraform apply After the apply, the required IAP proxy command is printed: ``` iap_proxy_command = < 0 { + for _, v := range r.Header.Values("Authorization") { + r.Header.Add("X-Real-Authorization", v) + } + r.Header.Del("Authorization") + } + + authorization := fmt.Sprintf("%s %s", token.Type(), token.AccessToken) + r.Header.Set("Authorization", authorization) + RewriteRequestURL(r, p.targetURL) + + return r, nil +} + +func (p *Proxy) createProxy() *goproxy.ProxyHttpServer { + proxy := goproxy.NewProxyHttpServer() + proxy.Verbose = p.Debug + proxy.OnRequest(p.IsClusterEndpoint()).HandleConnect(goproxy.AlwaysMitm) + proxy.OnRequest(p.IsClusterEndpoint()).DoFunc(p.OnRequest) + + if p.Certificate != nil { + + goproxy.GoproxyCa = *p.Certificate + tlsConfig := goproxy.TLSConfigFromCA(p.Certificate) + + goproxy.OkConnect = &goproxy.ConnectAction{ + Action: goproxy.ConnectAccept, + TLSConfig: tlsConfig, + } + goproxy.MitmConnect = &goproxy.ConnectAction{ + Action: goproxy.ConnectMitm, + TLSConfig: tlsConfig, + } + goproxy.HTTPMitmConnect = &goproxy.ConnectAction{ + Action: goproxy.ConnectHTTPMitm, + TLSConfig: tlsConfig, + } + goproxy.RejectConnect = &goproxy.ConnectAction{ + Action: goproxy.ConnectReject, + TLSConfig: tlsConfig, + } + } + return proxy +} + +func (p *Proxy) Run() { + var err error + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + if p.targetURL, err = url.Parse(p.TargetURL); err != nil { + log.Fatalf("target url is not valid, %s", err) + } + + err = p.getCredentials(ctx) + if err != nil { + log.Fatalf("%s", err) + } + + p.clusterInfoCache, err = clusterinfo.NewClusterInfoCache(ctx, p.ProjectId, p.credentials, 5*time.Minute) + if err != nil { + log.Fatalf("%s", err) + } + + p.tokenSource, err = impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{ + TargetPrincipal: p.ServiceAccount, + Audience: p.Audience, + IncludeEmail: true, + }, + option.WithTokenSource(p.credentials.TokenSource)) + if err != 
nil {
+ log.Fatalf("failed to create a token source for audience %s as %s, %s",
+ p.Audience, p.ServiceAccount, err)
+ }
+
+ proxy := p.createProxy()
+
+ srv := &http.Server{
+ Handler: proxy,
+ Addr: fmt.Sprintf(":%d", p.Port),
+ TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+ }
+ if p.KeyFile == "" {
+ err = srv.ListenAndServe()
+ } else {
+ err = srv.ListenAndServeTLS(p.CertificateFile, p.KeyFile)
+ }
+ if err != nil {
+ log.Fatal(err)
+ }
+}
diff --git a/client/rewrite_request_url.go b/client/rewrite_request_url.go
new file mode 100644
index 0000000..7c905b6
--- /dev/null
+++ b/client/rewrite_request_url.go
@@ -0,0 +1,58 @@
+package client
+
+import (
+ "net/http"
+ "net/url"
+ "strings"
+)
+
+// function copied from httputil.reverseproxy.go
+func SingleJoiningSlash(a, b string) string {
+ aslash := strings.HasSuffix(a, "/")
+ bslash := strings.HasPrefix(b, "/")
+ switch {
+ case aslash && bslash:
+ return a + b[1:]
+ case !aslash && !bslash:
+ return a + "/" + b
+ }
+ return a + b
+}
+
+// function copied from httputil.reverseproxy.go
+func JoinURLPath(a, b *url.URL) (path, rawpath string) {
+ if a.RawPath == "" && b.RawPath == "" {
+ return SingleJoiningSlash(a.Path, b.Path), ""
+ }
+ // Same as singleJoiningSlash, but uses EscapedPath to determine
+ // whether a slash should be added
+ apath := a.EscapedPath()
+ bpath := b.EscapedPath()
+
+ aslash := strings.HasSuffix(apath, "/")
+ bslash := strings.HasPrefix(bpath, "/")
+
+ switch {
+ case aslash && bslash:
+ return a.Path + b.Path[1:], apath + bpath[1:]
+ case !aslash && !bslash:
+ return a.Path + "/" + b.Path, apath + "/" + bpath
+ }
+ return a.Path + b.Path, apath + bpath
+}
+
+func RewriteRequestURL(req *http.Request, target *url.URL) {
+ targetQuery := target.RawQuery
+ req.URL.Scheme = target.Scheme
+ req.URL.Host = target.Host
+ req.URL.Path, req.URL.RawPath = JoinURLPath(target, req.URL)
+ if targetQuery == "" || req.URL.RawQuery == "" {
+ req.URL.RawQuery = targetQuery + req.URL.RawQuery
+ } else {
+ req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
+ }
+ if _, ok := req.Header["User-Agent"]; !ok {
+ // explicitly disable User-Agent so it's not set to default value
+ req.Header.Set("User-Agent", "")
+ }
+}
diff --git a/clusterinfo/cache.go b/clusterinfo/cache.go
new file mode 100644
index 0000000..0f0eb5d
--- /dev/null
+++ b/clusterinfo/cache.go
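Review bot: `RewriteRequestURL` in client/rewrite_request_url.go has no doc comment, and the detail a caller most needs is not written down: it replaces `req.URL.Scheme` and `req.URL.Host` with the target's but never touches `req.Host`, so as far as this function is concerned the Host header the client sent still travels with the rewritten request. Judging by the `server` command's help text later in this patch (it routes on the Host header) that looks deliberate, and it is worth stating, e.g. `// RewriteRequestURL points req.URL at target and joins the paths and query strings; req.Host is left as received so the server side can route on it.` `SingleJoiningSlash` and `JoinURLPath` are exported copies of unexported net/http/httputil helpers; unless another package needs them, lower-casing them keeps the package surface small.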
@@ -0,0 +1,147 @@
+package clusterinfo
+
+import (
+ "context"
+ "crypto/x509"
+ "encoding/base64"
+ "fmt"
+ "golang.org/x/oauth2/google"
+ "google.golang.org/api/container/v1"
+ "google.golang.org/api/option"
+ "log"
+ "strings"
+ "sync"
+ "time"
+)
+
+type ClusterInfo struct {
+ Name string
+ Endpoint string
+ ClusterCaCertificate string
+ RootCAs *x509.CertPool
+}
+
+// map from endpoint to name and certificate
+type ClusterInfoMap map[string]*ClusterInfo
+
+type ClusterInfoCache struct {
+ ctx context.Context
+ projectId string
+ credentials *google.Credentials
+ refresh time.Duration
+ clusterInfo *ClusterInfoMap
+ mutex sync.Mutex
+}
+
+func NewClusterInfoCache(ctx context.Context, projectId string, credentials *google.Credentials, refresh time.Duration) (*ClusterInfoCache, error) {
+ cache := &ClusterInfoCache{
+ ctx: ctx,
+ credentials: credentials,
+ projectId: projectId,
+ refresh: refresh,
+ }
+ clusterInfo, err := cache.retrieveClusters()
+ if err != nil {
+ return nil, err
+ }
+ cache.clusterInfo = clusterInfo
+ go cache.run()
+ return cache, nil
+}
+
+func (c *ClusterInfoCache) GetClusterInfoForEndpoint(endpoint string) *ClusterInfo {
+ host := strings.Split(endpoint, ":")
+ if r, ok := (*c.clusterInfo)[host[0]]; ok {
+ return r
+ } else {
+ return nil
+ }
+}
+
+// thread safe get cluster info
+func (c *ClusterInfoCache) getClusterInfo() *ClusterInfoMap {
+ c.mutex.Lock()
+ defer c.mutex.Unlock()
+ return c.clusterInfo
+}
+
+// thread safe set cluster info
+func (c *ClusterInfoCache) setClusterInfo(m *ClusterInfoMap) {
+ c.mutex.Lock()
+ defer c.mutex.Unlock()
+ c.clusterInfo = m
+}
+
+// returns a copy of the cluster info map
+func (c *ClusterInfoCache) GetClusterInfo() *ClusterInfoMap {
+ result := make(ClusterInfoMap)
+ for k, v := range *c.getClusterInfo() {
+ result[k] = &ClusterInfo{
+ Endpoint: v.Endpoint,
+ Name: v.Name,
+ ClusterCaCertificate: v.ClusterCaCertificate,
+ RootCAs: v.RootCAs,
+ }
+ }
+ return &result
+}
+
+func (c *ClusterInfoCache) run() {
+ for {
+ select {
+ case <-c.ctx.Done():
+ log.Printf("INFO: cluster info cache shutting down")
+ return
+ case <-time.After(c.refresh):
+ break
+ }
+ if clusterInfo, err := c.retrieveClusters(); err == nil {
+ c.setClusterInfo(clusterInfo)
+ } else {
+ log.Printf("ERROR: failed to refresh cluster information, %s", err)
+ }
+ }
+}
+
+// creates a ca cert pool from the clusterCaCertificate
+func createCertPool(name string, clusterCaCertificate string) *x509.CertPool {
+ result := x509.NewCertPool()
+ cert, err := base64.StdEncoding.DecodeString(clusterCaCertificate)
+ if err == nil {
+ if ok := result.AppendCertsFromPEM(cert); !ok {
+ log.Printf("ERROR: failed to add CA certificates of cluster %s to pool", name)
+ }
+ } else {
+ log.Printf("ERROR: failed to decode CA certificate of cluster %s, %s", name, err)
+ }
+ return result
+}
+
+func (c *ClusterInfoCache) retrieveClusters() (*ClusterInfoMap, error) {
+ result := make(ClusterInfoMap)
+
+ service, err := container.NewService(c.ctx,
+ option.WithTokenSource(c.credentials.TokenSource))
+ if err != nil {
+ return nil, err
+ }
+ parent := fmt.Sprintf("projects/%s/locations/-", c.projectId)
+ response, err := service.Projects.Locations.Clusters.List(parent).Do()
+ if err != nil {
+ return nil, err
+ }
+ for _, cluster := range response.Clusters {
+ if cluster.Status != "RUNNING" {
+ log.Printf("INFO: skipping cluster %s in status %s", cluster.Name, cluster.Status)
+ continue
+ }
+ result[cluster.Endpoint] = &ClusterInfo{
+ Name: cluster.Name,
+ Endpoint: cluster.Endpoint,
+ ClusterCaCertificate: cluster.MasterAuth.ClusterCaCertificate,
+ RootCAs: createCertPool(cluster.Name, cluster.MasterAuth.ClusterCaCertificate),
+ }
+ }
+ log.Printf("INFO: refreshed cluster information. Found %d running clusters", len(result))
+ return &result, nil
+}
diff --git a/clusterinfo/cache_test.go b/clusterinfo/cache_test.go
new file mode 100644
index 0000000..5bc331c
--- /dev/null
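Review bot: `GetClusterInfoForEndpoint` in clusterinfo/cache.go dereferences `c.clusterInfo` without taking `c.mutex`, while the refresh goroutine started by `NewClusterInfoCache` replaces that pointer through `setClusterInfo`; that is a data race on the lookup which, per the commit message, decides whether a request is forwarded at all. The locked getter `getClusterInfo()` already exists and should be used here. The host is also extracted with `strings.Split(endpoint, ":")`, which mis-splits a bracketed IPv6 literal with a port; `net.SplitHostPort` with a fallback to the raw value is the sturdier parse (it needs `net` added to the import block). Separately, `List(parent).Do()` in `retrieveClusters` is not bound to `c.ctx`, so a stalled API call cannot be cancelled; chaining `.Context(c.ctx)` before `.Do()` would fix that.

```go
func (c *ClusterInfoCache) GetClusterInfoForEndpoint(endpoint string) *ClusterInfo {
	host, _, err := net.SplitHostPort(endpoint)
	if err != nil {
		// no port present: treat the whole value as the host
		host = endpoint
	}
	// read through the locked getter; run() swaps the map concurrently
	return (*c.getClusterInfo())[host]
}
```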
+++ b/clusterinfo/cache_test.go
@@ -0,0 +1,32 @@
+package clusterinfo
+
+import (
+ "context"
+ "github.com/binxio/gcloudconfig"
+ "log"
+ "testing"
+ "time"
+)
+
+func TestListClusters(t *testing.T) {
+ ctx, cancel := context.WithCancel(context.Background())
+ t.Cleanup(cancel)
+
+ creds, err := gcloudconfig.GetCredentials("")
+ if err != nil {
+ t.Fatal(err)
+ }
+ cache, err := NewClusterInfoCache(ctx, creds.ProjectID, creds, time.Second)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ clusters := cache.GetClusterInfo()
+ if len(*clusters) == 0 {
+ t.Fatalf("expected at least 1 cluster, found none")
+ }
+
+ for _, cluster := range *clusters {
+ log.Printf("%v", cluster)
+ }
+}
diff --git a/cmd/client.go b/cmd/client.go
new file mode 100644
index 0000000..6bce8ad
--- /dev/null
+++ b/cmd/client.go
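Review bot: `TestListClusters` is an integration test: it calls `gcloudconfig.GetCredentials("")` and the live GKE API, so it fails outright on any machine without gcloud credentials or on a project with no running cluster. A guard at the top such as `if testing.Short() { t.Skip("needs gcloud credentials and a GKE project") }`, or `t.Skipf` instead of `t.Fatal` when the credentials cannot be loaded, keeps `go test ./...` usable in CI. The lookup that actually gates forwarding, `GetClusterInfoForEndpoint`, has no test at all; a table test over a hand-built `ClusterInfoMap` (host with port, host without port, unknown host) would need no credentials.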
@@ -0,0 +1,78 @@
+package cmd
+
+import (
+ "fmt"
+ "github.com/binxio/simple-iap-proxy/client"
+ "github.com/spf13/cobra"
+ "log"
+ "net/url"
+)
+
+var (
+ audience string
+ serviceAccount string
+ configurationName string
+ useDefaultCredentials bool
+ targetURL string
+)
+
+func validateClientArguments(cmd *cobra.Command, args []string) error {
+ // mis-using the positional argument validator here.
+ if useDefaultCredentials && configurationName != "" {
+ return fmt.Errorf("specify either --use-default-credentials or --configuration, not both")
+ }
+
+ if u, err := url.Parse(targetURL); err != nil {
+ return fmt.Errorf("invalid target-url %s, %s", targetURL, err)
+ } else {
+ if u.Scheme != "https" {
+ return fmt.Errorf("target-url must be https")
+ }
+ }
+
+ return validateRootArguments(cmd, args)
+}
+
+func init() {
+ clientCmd.Flags().StringVarP(&targetURL, "target-url", "t", "", "to forward requests to")
+ clientCmd.Flags().StringVarP(&audience, "iap-audience", "a", "", "of the IAP application")
+ clientCmd.Flags().StringVarP(&serviceAccount, "service-account", "s", "", "to impersonate")
+ clientCmd.Flags().BoolVarP(&useDefaultCredentials, "use-default-credentials", "u", false, "use default credentials instead of gcloud configuration")
+ clientCmd.Flags().StringVarP(&configurationName, "configuration", "C", "", "name of gcloud configuration to use for credentials")
+ clientCmd.MarkFlagRequired("iap-audience")
+ clientCmd.MarkFlagRequired("service-account")
+ clientCmd.MarkFlagRequired("target-url")
+ clientCmd.Flags().SortFlags = false
+}
+
+var clientCmd = &cobra.Command{
+ Use: "client",
+ Short: "starts a client side proxy, forwarding requests to the GKE cluster via the IAP",
+ Long: `The client will start a real HTTP/S proxy and forward any requests for
+ip address of GKE cluster master endpoints, to the IAP proxy.
+`,
+ Args: validateClientArguments,
+ Run: func(cmd *cobra.Command, args []string) {
+ var err error
+ if keyFile != "" {
+ certificate, err = loadCertificate(keyFile)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+ c := client.Proxy{
+ Debug: debug,
+ Port: port,
+ ServiceAccount: serviceAccount,
+ ProjectId: projectID,
+ UseDefaultCredentials: useDefaultCredentials,
+ ConfigurationName: configurationName,
+ Audience: audience,
+ TargetURL: targetURL,
+ KeyFile: keyFile,
+ CertificateFile: certificateFile,
+ Certificate: certificate,
+ }
+ c.Run()
+ },
+}
diff --git a/cmd/root.go b/cmd/root.go
new file mode 100644
index 0000000..05ddc50
--- /dev/null
+++ b/cmd/root.go
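Review bot: `--key-file` and `--certificate-file` stay optional for the `client` command in cmd/client.go, and when they are absent `Certificate` is nil, so `createProxy` (client/main.go in this patch) leaves goproxy's package-level CA in place while still answering CONNECT with `goproxy.AlwaysMitm`. To my knowledge that default CA's private key ships in the goproxy source, so any kubeconfig or trust store set up to accept it will accept certificates minted by anyone. I would refuse to start without an operator-supplied pair, e.g. in `validateClientArguments`: `if keyFile == "" { return fmt.Errorf("client requires --key-file and --certificate-file") }`. When the pair is supplied it serves both as the listener certificate (`ListenAndServeTLS`) and as the signing CA for intercepted hosts, which the flag help ("key file for serving https") does not say; the help text should state that a CA certificate is expected and that its key must be protected accordingly.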
@@ -0,0 +1,99 @@
+package cmd
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "github.com/spf13/cobra"
+ "log"
+ "os"
+ "strconv"
+)
+
+var (
+ debug bool
+ projectID string
+ port int
+ keyFile string
+ certificateFile string
+ certificate *tls.Certificate
+
+ rootCmd = &cobra.Command{
+ Use: "simple-iap-proxy",
+ Short: "A simple proxy to forward requests over IAP to GKE",
+ Long: `This application allows you to gain access to GKE clusters
+with a private master IP address via an IAP proxy. It consists of
+a proxy which can be run on the client side, and a reverse-proxy which
+is run inside the VPC.
+`,
+ Args: validateRootArguments,
+ }
+)
+
+func Execute() error {
+ return rootCmd.Execute()
+}
+
+func getPort() int {
+ listenPort := os.Getenv("PORT")
+ if listenPort == "" {
+ return 8080
+ }
+ port, err := strconv.ParseUint(listenPort, 10, 64)
+ if err != nil || port > 65535 {
+ log.Fatalf("the environment variable PORT is not a valid port number")
+ }
+ return int(port)
+}
+
+func loadCertificate(keyFile string) (*tls.Certificate, error) {
+
+ caKey, err := os.ReadFile(keyFile)
+ if err != nil {
+ return nil, fmt.Errorf("%s, %s", keyFile, err)
+ }
+
+ caCert, err := os.ReadFile(certificateFile)
+ if err != nil {
+ return nil, fmt.Errorf("%s, %s", certificateFile, err)
+ }
+
+ cert, err := tls.X509KeyPair(caCert, caKey)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create certificate, %s", err)
+ }
+ if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
+ return nil, fmt.Errorf("failed to parse certificate, %s", err)
+ }
+
+ return &cert, nil
+}
+
+func validateRootArguments(_ *cobra.Command, _ []string) error {
+ // mis-using the positional argument validator here.
+ if certificateFile != "" && keyFile == "" || keyFile != "" && certificateFile == "" {
+ return fmt.Errorf("both --certificate-file and --key-file are required.")
+ }
+
+ if keyFile != "" {
+ if _, err := loadCertificate(keyFile); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func init() {
+ rootCmd.PersistentFlags().BoolVarP(&debug, "debug", "d", false, "provide debug information")
+ rootCmd.PersistentFlags().IntVarP(&port, "port", "P", getPort(), "port to listen on")
+ rootCmd.PersistentFlags().StringVarP(&projectID, "project", "p", "", "google project id to use")
+ rootCmd.PersistentFlags().StringVarP(&keyFile, "key-file", "k", "", "key file for serving https")
+ rootCmd.PersistentFlags().StringVarP(&certificateFile, "certificate-file", "c", "", "certificate of the server")
+ rootCmd.MarkFlagFilename("key-file")
+ rootCmd.MarkFlagFilename("certificate-file")
+
+ rootCmd.AddCommand(clientCmd)
+ rootCmd.AddCommand(serverCmd)
+ rootCmd.Flags().SortFlags = false
+}
diff --git a/cmd/server.go b/cmd/server.go
new file mode 100644
index 0000000..504547a
--- /dev/null
+++ b/cmd/server.go
@@ -0,0 +1,31 @@
+package cmd
+
+import (
+ "github.com/binxio/simple-iap-proxy/server"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ serverCmd.MarkFlagRequired("key-file")
+ serverCmd.MarkFlagRequired("certificate-file")
+}
+
+var serverCmd = &cobra.Command{
+ Use: "server",
+ Short: "forwards requests from the load balancer to the appropriate GKE cluster",
+ Long: `reads the Host header of the http requests and if
+ it matches the ip address of GKE cluster master endpoint, forwards the request to it.
+`,
+ TraverseChildren: true,
+ Args: validateRootArguments,
+ Run: func(cmd *cobra.Command, args []string) {
+ s := server.ReverseProxy{
+ Debug: debug,
+ Port: port,
+ ProjectID: projectID,
+ KeyFile: keyFile,
+ CertificateFile: certificateFile,
+ }
+ s.Run()
+ },
+}
diff --git a/go.mod b/go.mod
index 18f4970..80e331d 100644
--- a/go.mod
+++ b/go.mod
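Review bot: `loadCertificate(keyFile string)` in cmd/root.go takes the key path as a parameter but reads the certificate path from the package variable `certificateFile`, so the signature hides half of its inputs; `func loadCertificate(keyFile, certificateFile string) (*tls.Certificate, error)` makes the dependency explicit and testable. `validateRootArguments` parses the pair only to discard the result, and the client command then parses it again, so the private key is read from disk twice; storing the parsed value in `certificate` during validation would avoid that. The errors are flattened with `%s`, whereas `fmt.Errorf("reading %s: %w", keyFile, err)` keeps the cause available to `errors.Is`. `getPort` also accepts `PORT=0`, which would make the listener bind a random port and is probably not intended.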
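Review bot: `serverCmd.MarkFlagRequired("key-file")` and the line after it in cmd/server.go most likely have no effect: both flags are registered as persistent flags on `rootCmd`, `MarkFlagRequired` looks the name up in the command's own flag set, and the error it returns when the name is missing is discarded here. The server could then be started without a key pair, with the failure surfacing only inside `s.Run()` (server/main.go is not visible in this part of the patch). For an inherited flag the simplest enforcement is in the validator, e.g. `if keyFile == "" || certificateFile == "" { return fmt.Errorf("server requires --key-file and --certificate-file") }`. `rootCmd.MarkFlagFilename(...)` in cmd/root.go has the same shape and should be `MarkPersistentFlagFilename`; checking the returned errors would have exposed both.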
@@ -9,8 +9,24 @@ require ( require ( cloud.google.com/go v0.97.0 // indirect + github.com/binxio/gcloudconfig v0.1.5 // indirect + github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b // indirect + github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect github.com/golang/protobuf v1.5.2 // indirect + github.com/googleapis/gax-go/v2 v2.1.1 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/magiconair/properties v1.8.5 // indirect + github.com/mitchellh/mapstructure v1.4.2 // indirect + github.com/pelletier/go-toml v1.9.4 // indirect + github.com/spf13/afero v1.6.0 // indirect + github.com/spf13/cast v1.4.1 // indirect + github.com/spf13/cobra v1.2.1 // indirect + github.com/spf13/jwalterweatherman v1.1.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/spf13/viper v1.9.0 // indirect + github.com/subosito/gotenv v1.2.0 // indirect go.opencensus.io v0.23.0 // indirect golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 // indirect golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359 // indirect @@ -19,4 +35,6 @@ require ( google.golang.org/genproto v0.0.0-20211021150943-2b146023228c // indirect google.golang.org/grpc v1.40.0 // indirect google.golang.org/protobuf v1.27.1 // indirect + gopkg.in/ini.v1 v1.63.2 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index e19c854..5c65577 100644 --- a/go.sum +++ b/go.sum 
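Review bot: `github.com/spf13/cobra`, `github.com/elazarl/goproxy` and `github.com/binxio/gcloudconfig` are imported directly by the new packages in this patch, yet the first go.mod hunk records them as `// indirect`; running `go mod tidy` should move them into the direct `require` block. The same pass will show whether `github.com/spf13/viper` and the parser modules listed alongside it are really part of the build, since nothing visible in this patch imports them. goproxy is pinned to an untagged pseudo-version, and because it terminates TLS on the client side it is worth recording why that commit was chosen and reviewing it on each bump.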
@@ -34,6 +34,8 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/firestore v1.6.0/go.mod h1:afJwI0vaXwAG54kI7A//lP/lSPDkQORQuMkv56TxEPU= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -48,6 +50,14 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/binxio/gcloudconfig v0.1.5 h1:nbvWtpqn7yJs4qPuXxTu9D3DYrSyc0FHkXraseMMCV4= +github.com/binxio/gcloudconfig v0.1.5/go.mod h1:IpQXzgqmv2JS1i+hbhqhHqzeYWg5zWkdN4sZJznJDUM= +github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= 
@@ -58,7 +68,14 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b h1:1XqENn2YoYZd6w3Awx+7oa+aR87DFIZJFLF2n1IojA0= +github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -67,10 +84,17 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI= +github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -119,6 +143,7 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -142,32 +167,133 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= +github.com/googleapis/gax-go/v2 v2.1.1 h1:dp3bWCh+PPO1zjRRiCSczJav13sBvG4UhNyVTa1KqdU= github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod 
h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/json-iterator/go v1.1.11/go.mod 
h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= +github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/miekg/dns v1.1.26/go.mod 
h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.4.2 h1:6h7AQ0yhTcIsmFmnAwQls75jp2Gzs4iB8W7pjMO+rqo= +github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= +github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pkg/errors v0.8.1/go.mod 
h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= +github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.4.1 
h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA= +github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw= +github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= +github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= +github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= +github.com/spf13/viper v1.9.0 h1:yR6EXjTp0y0cLN8OZg1CRZmOBdI88UcGkhgyJhu6nZk= +github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark 
v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= +go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= +go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -177,11 +303,18 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -219,6 +352,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -229,6 +364,7 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -264,6 +400,7 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= 
@@ -282,8 +419,11 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -291,11 +431,18 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -318,10 +465,12 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -348,6 +497,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 
@@ -355,8 +505,10 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -379,6 +531,7 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= @@ -387,6 +540,7 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= 
@@ -419,6 +573,7 @@ google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34q google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= 
@@ -538,10 +693,18 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.63.2 h1:tGK/CyBg7SMzb60vP1M03vNZ3VDu3wGQJwn7Sxi9r3c= +gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/main.go b/main.go index 876a21b..63b9ea4 100644 --- a/main.go +++ b/main.go 
@@ -1,227 +1,15 @@ -// Copyright 2021 binx.io B.V. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// package main import ( - "context" - "crypto/tls" - "flag" "fmt" - "golang.org/x/oauth2" - "google.golang.org/api/idtoken" - "google.golang.org/api/impersonate" - "log" - "net/http" - "net/http/httptest" - "net/http/httputil" - "net/url" + "github.com/binxio/simple-iap-proxy/cmd" "os" - "strconv" ) -type ProxyHandler struct { - proxy *httputil.ReverseProxy - target *url.URL - tokenSource oauth2.TokenSource - debug bool - renameAuthHeader bool -} - -func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { - - if h.renameAuthHeader { - // If there is a X-Real-Authorization header, make it Authorization header - if realAuthHeaders := r.Header.Values("X-Real-Authorization"); len(realAuthHeaders) > 0 { - for _, v := range r.Header.Values("X-Real-Authorization") { - r.Header.Add("Authorization", v) - } - } else { - // If there is a Authorization header, make it a X-Real-Authorization header - for _, v := range r.Header.Values("Authorization") { - r.Header.Add("X-Real-Authorization", v) - } - r.Header.Del("Authorization") - } - } - - if h.tokenSource != nil { - if token, err := h.tokenSource.Token(); err != nil { - http.Error(w, fmt.Sprintf("Failed to obtained IAP token, %s", err), http.StatusInternalServerError) - return - } else { - authorization := fmt.Sprintf("%s %s", token.Type(), token.AccessToken) - if r.Header.Get("Authorization") == "" { 
- r.Header.Set("Authorization", authorization) - } else { - r.Header.Set("Proxy-Authorization", authorization) - } - } - } - r.Host = h.target.Host - - if h.debug { - x, err := httputil.DumpRequest(r, true) - if err != nil { - log.Printf("failed to dump the response body, %s", err) - } else { - log.Println(fmt.Sprintf("%q", x)) - } - } - - rec := httptest.NewRecorder() - h.proxy.ServeHTTP(rec, r) - - if h.debug { - x, err := httputil.DumpResponse(rec.Result(), true) - if err != nil { - log.Printf("failed to dump the response body, %s", err) - } else { - log.Println(fmt.Sprintf("%q", x)) - } - } - - for key, values := range rec.Header() { - for _, value := range values { - w.Header().Add(key, value) - } - } - w.WriteHeader(rec.Code) - _, err := rec.Body.WriteTo(w) - if err != nil { - log.Printf("error writing body, %s", err) - } -} - func main() { - var insecure bool - var debug bool - var renameAuthHeader bool - var targetURL string - var listenPort string - var tokenSource oauth2.TokenSource - var certificateFile string - var keyFile string - var audience string - var serviceAccount string - - flag.StringVar(&targetURL, "target-url", "", "to forward HTTP requests to") - flag.StringVar(&serviceAccount, "service-account", "", "to impersonate") - flag.StringVar(&audience, "iap-audience", "", "to call a service behind the Identity Aware Proxy") - flag.StringVar(&certificateFile, "certificate-file", "", "for TLS") - flag.StringVar(&keyFile, "key-file", "", "for TLS") - flag.BoolVar(&insecure, "insecure", false, "allows insecure TLS connections") - flag.BoolVar(&renameAuthHeader, "rename-auth-header", false, "rename Authorization Header to X-Real-Authorization to workaround IAP limitation") - flag.BoolVar(&debug, "debug", false, "logs requests and responses") - flag.Parse() - if targetURL == "" { - log.Fatal("option -target-url is missing") - } - - if certificateFile != "" && keyFile == "" || keyFile != "" && certificateFile == "" { - log.Fatalf("both -certificate-file 
and -certificate-key are required.") - } else if keyFile != "" { - if s, err := os.Stat(keyFile); err != nil { - log.Fatalf("invalid option -key-file, %s", err) - } else { - if s.IsDir() { - log.Fatalf("option -key-file must be a file") - } - } - if s, err := os.Stat(certificateFile); err != nil { - log.Fatalf("invalid option -certificate-file, %s", err) - } else { - if s.IsDir() { - log.Fatalf("option -certificate-file must be a file") - } - } - } - - target, err := url.Parse(targetURL) - if err != nil { - log.Fatalf("failed to parse target URL %s, %s", targetURL, err) - } - if target.Scheme != "https" { - log.Fatalf("invalid target url %s, only HTTPS target urls are supported", targetURL) - } - - listenPort = os.Getenv("PORT") - if listenPort == "" { - if keyFile == "" { - listenPort = "8080" - } else { - listenPort = "8443" - } - } - - if port, err := strconv.ParseUint(listenPort, 10, 64); err != nil || port > 65535 { - log.Fatalf("the environment variable PORT is not a valid port number") - } - - proxy := httputil.NewSingleHostReverseProxy(target) - if audience != "" { - if serviceAccount != "" { - tokenSource, err = impersonate.IDTokenSource(context.Background(), impersonate.IDTokenConfig{ - TargetPrincipal: serviceAccount, - Audience: audience, - IncludeEmail: true, - }) - if err != nil { - log.Fatalf("failed to create a token source for audience %s as %s, %s", - audience, serviceAccount, err) - } - } else { - tokenSource, err = idtoken.NewTokenSource(context.Background(), audience) - if err != nil { - log.Fatalf("failed to create a token source for audience %s, %s", - audience, err) - } - } - } - - if tokenSource != nil { - if _, err := tokenSource.Token(); err != nil { - if serviceAccount != "" { - log.Fatalf("cannot create id token for audience %s as %s, %s", audience, serviceAccount, err) - } else { - log.Fatalf("cannot create id token for audience %s, %s", audience, err) - } - } - } - - if insecure { - proxy.Transport = - &http.Transport{ - 
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - } - - http.Handle("/", &ProxyHandler{ - proxy: proxy, - target: target, - tokenSource: tokenSource, - renameAuthHeader: renameAuthHeader, - debug: debug}) - - if keyFile == "" { - err = http.ListenAndServe(":"+listenPort, nil) - } else { - err = http.ListenAndServeTLS(":"+listenPort, certificateFile, keyFile, nil) - } - - if err != nil { - log.Fatalf("server failed, %s", err) + if err := cmd.Execute(); err != nil { + fmt.Fprintln(os.Stderr, err) + os.Exit(1) } } diff --git a/old_main.go b/old_main.go new file mode 100644 index 0000000..2c8880c --- /dev/null +++ b/old_main.go 
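Review bot: The Apache license header is dropped from `main.go` in this hunk while `old_main.go` keeps it and the new `server/main.go` starts directly at `package server`; if the project wants per-file headers, keep the `// Copyright 2021 binx.io B.V.` block above `package main`. The import block places `github.com/binxio/simple-iap-proxy/cmd` between `fmt` and `os`; the usual layout is the standard-library imports first and the module import in its own group after a blank line. If the root command in `cmd` does not set `SilenceErrors` (not visible in this hunk), cobra reports the error itself and `fmt.Fprintln(os.Stderr, err)` prints it a second time.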
@@ -0,0 +1,227 @@
+// Copyright 2021 binx.io B.V.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+package main
+
+import (
+ "context"
+ "crypto/tls"
+ "flag"
+ "fmt"
+ "golang.org/x/oauth2"
+ "google.golang.org/api/idtoken"
+ "google.golang.org/api/impersonate"
+ "log"
+ "net/http"
+ "net/http/httptest"
+ "net/http/httputil"
+ "net/url"
+ "os"
+ "strconv"
+)
+
+type ProxyHandler struct {
+ proxy *httputil.ReverseProxy
+ target *url.URL
+ tokenSource oauth2.TokenSource
+ debug bool
+ renameAuthHeader bool
+}
+
+func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+
+ if h.renameAuthHeader {
+ // If there is a X-Real-Authorization header, make it Authorization header
+ if realAuthHeaders := r.Header.Values("X-Real-Authorization"); len(realAuthHeaders) > 0 {
+ for _, v := range r.Header.Values("X-Real-Authorization") {
+ r.Header.Add("Authorization", v)
+ }
+ } else {
+ // If there is a Authorization header, make it a X-Real-Authorization header
+ for _, v := range r.Header.Values("Authorization") {
+ r.Header.Add("X-Real-Authorization", v)
+ }
+ r.Header.Del("Authorization")
+ }
+ }
+
+ if h.tokenSource != nil {
+ if token, err := h.tokenSource.Token(); err != nil {
+ http.Error(w, fmt.Sprintf("Failed to obtained IAP token, %s", err), http.StatusInternalServerError)
+ return
+ } else {
+ authorization := fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
+ if r.Header.Get("Authorization") == "" {
+ r.Header.Set("Authorization", authorization)
+ } else {
+ r.Header.Set("Proxy-Authorization", authorization)
+ }
+ }
+ }
+ r.Host = h.target.Host
+
+ if h.debug {
+ x, err := httputil.DumpRequest(r, true)
+ if err != nil {
+ log.Printf("failed to dump the response body, %s", err)
+ } else {
+ log.Println(fmt.Sprintf("%q", x))
+ }
+ }
+
+ rec := httptest.NewRecorder()
+ h.proxy.ServeHTTP(rec, r)
+
+ if h.debug {
+ x, err := httputil.DumpResponse(rec.Result(), true)
+ if err != nil {
+ log.Printf("failed to dump the response body, %s", err)
+ } else {
+ log.Println(fmt.Sprintf("%q", x))
+ }
+ }
+
+ for key, values := range rec.Header() {
+ for _, value := range values {
+ w.Header().Add(key, value)
+ }
+ }
+ w.WriteHeader(rec.Code)
+ _, err := rec.Body.WriteTo(w)
+ if err != nil {
+ log.Printf("error writing body, %s", err)
+ }
+}
+
+func old_main() {
+ var insecure bool
+ var debug bool
+ var renameAuthHeader bool
+ var targetURL string
+ var listenPort string
+ var tokenSource oauth2.TokenSource
+ var certificateFile string
+ var keyFile string
+ var audience string
+ var serviceAccount string
+
+ flag.StringVar(&targetURL, "target-url", "", "to forward HTTP requests to")
+ flag.StringVar(&serviceAccount, "service-account", "", "to impersonate")
+ flag.StringVar(&audience, "iap-audience", "", "to call a service behind the Identity Aware Proxy")
+ flag.StringVar(&certificateFile, "certificate-file", "", "for TLS")
+ flag.StringVar(&keyFile, "key-file", "", "for TLS")
+ flag.BoolVar(&insecure, "insecure", false, "allows insecure TLS connections")
+ flag.BoolVar(&renameAuthHeader, "rename-auth-header", false, "rename Authorization Header to X-Real-Authorization to workaround IAP limitation")
+ flag.BoolVar(&debug, "debug", false, "logs requests and responses")
+ flag.Parse()
+ if targetURL == "" {
+ log.Fatal("option -target-url is missing")
+ }
+
+ if certificateFile != "" && keyFile == "" || keyFile != "" && certificateFile == "" {
+ log.Fatalf("both -certificate-file and -certificate-key are required.")
+ } else if keyFile != "" {
+ if s, err := os.Stat(keyFile); err != nil {
+ log.Fatalf("invalid option -key-file, %s", err)
+ } else {
+ if s.IsDir() {
+ log.Fatalf("option -key-file must be a file")
+ }
+ }
+ if s, err := os.Stat(certificateFile); err != nil {
+ log.Fatalf("invalid option -certificate-file, %s", err)
+ } else {
+ if s.IsDir() {
+ log.Fatalf("option -certificate-file must be a file")
+ }
+ }
+ }
+
+ target, err := url.Parse(targetURL)
+ if err != nil {
+ log.Fatalf("failed to parse target URL %s, %s", targetURL, err)
+ }
+ if target.Scheme != "https" {
+ log.Fatalf("invalid target url %s, only HTTPS target urls are supported", targetURL)
+ }
+
+ listenPort = os.Getenv("PORT")
+ if listenPort == "" {
+ if keyFile == "" {
+ listenPort = "8080"
+ } else {
+ listenPort = "8443"
+ }
+ }
+
+ if port, err := strconv.ParseUint(listenPort, 10, 64); err != nil || port > 65535 {
+ log.Fatalf("the environment variable PORT is not a valid port number")
+ }
+
+ proxy := httputil.NewSingleHostReverseProxy(target)
+ if audience != "" {
+ if serviceAccount != "" {
+ tokenSource, err = impersonate.IDTokenSource(context.Background(), impersonate.IDTokenConfig{
+ TargetPrincipal: serviceAccount,
+ Audience: audience,
+ IncludeEmail: true,
+ })
+ if err != nil {
+ log.Fatalf("failed to create a token source for audience %s as %s, %s",
+ audience, serviceAccount, err)
+ }
+ } else {
+ tokenSource, err = idtoken.NewTokenSource(context.Background(), audience)
+ if err != nil {
+ log.Fatalf("failed to create a token source for audience %s, %s",
+ audience, err)
+ }
+ }
+ }
+
+ if tokenSource != nil {
+ if _, err := tokenSource.Token(); err != nil {
+ if serviceAccount != "" {
+ log.Fatalf("cannot create id token for audience %s as %s, %s", audience, serviceAccount, err)
+ } else {
+ log.Fatalf("cannot create id token for audience %s, %s", audience, err)
+ }
+ }
+ }
+
+ if insecure {
+ proxy.Transport =
+ &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ }
+
+ http.Handle("/", &ProxyHandler{
+ proxy: proxy,
+ target: target,
+ tokenSource: tokenSource,
+ renameAuthHeader: renameAuthHeader,
+ debug: debug})
+
+ if keyFile == "" {
+ err = http.ListenAndServe(":"+listenPort, nil)
+ } else {
+ err = http.ListenAndServeTLS(":"+listenPort, certificateFile, keyFile, nil)
+ }
+
+ if err != nil {
+ log.Fatalf("server failed, %s", err)
+ }
+
+}
diff --git a/server/main.go b/server/main.go
new file mode 100644
index 0000000..b952b89
--- /dev/null
+++ b/server/main.go
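Review bot: `old_main()` is not called from anywhere visible in this commit, since `main.go` now only calls `cmd.Execute()`, so this file adds 227 lines of unreachable code to package main. That dead code still carries the `-insecure` path that sets `InsecureSkipVerify: true` and a debug branch that writes `Authorization` headers to the log through `httputil.DumpRequest(r, true)`, which is easy to revive by accident. Git history already preserves the previous implementation, so deleting the file is cleaner than renaming the function; if it has to stay for reference, a build constraint such as `//go:build ignore` at the top keeps it out of the binary. As written, an unused-code check will probably flag `old_main`, and the underscore in the name goes against Go's MixedCaps convention.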
@@ -0,0 +1,127 @@
+package server
+
+import (
+ "context"
+ "crypto/tls"
+ "fmt"
+ "github.com/binxio/simple-iap-proxy/clusterinfo"
+ "golang.org/x/oauth2/google"
+ "log"
+ "net/http"
+ "net/http/httptest"
+ "net/http/httputil"
+ "net/url"
+ "time"
+)
+
+type ReverseProxy struct {
+ Debug bool
+ Port int
+ ProjectID string
+ KeyFile string
+ CertificateFile string
+ clusterInfoCache *clusterinfo.ClusterInfoCache
+}
+
+func (p *ReverseProxy) retrieveClusterInfo(ctx context.Context) error {
+ credentials, err := google.FindDefaultCredentials(ctx,
+ "https://www.googleapis.com/auth/cloud-platform.read-only")
+ if err != nil {
+ return err
+ }
+ if p.ProjectID == "" {
+ p.ProjectID = credentials.ProjectID
+ }
+ if p.ProjectID == "" {
+ return fmt.Errorf("specify a --project as there is no default one")
+ }
+
+ p.clusterInfoCache, err = clusterinfo.NewClusterInfoCache(ctx, p.ProjectID, credentials, 5*time.Minute)
+ return err
+}
+
+func (h *ReverseProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+
+ clusterInfo := h.clusterInfoCache.GetClusterInfoForEndpoint(r.Host)
+ if clusterInfo == nil {
+ w.WriteHeader(http.StatusBadGateway)
+ w.Write([]byte(fmt.Sprintf("%s is not a cluster endpoint", r.Host)))
+ return
+ }
+
+ targetURL, err := url.Parse(fmt.Sprintf("https://%s", r.Host))
+ if clusterInfo == nil {
+ w.WriteHeader(http.StatusInternalServerError)
+ w.Write([]byte(fmt.Sprintf("failed to parse URL https://%s, %s", r.Host, err)))
+ return
+ }
+ proxy := httputil.NewSingleHostReverseProxy(targetURL)
+ proxy.Transport = &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: clusterInfo.RootCAs,
+ },
+ }
+
+ // If there is a X-Real-Authorization header, make it Authorization header
+ if realAuthHeaders := r.Header.Values("X-Real-Authorization"); len(realAuthHeaders) > 0 {
+ r.Header.Del("Authorization")
+ for _, v := range r.Header.Values("X-Real-Authorization") {
+ r.Header.Add("Authorization", v)
+ }
+ }
+
+ if h.Debug {
+ x, err := 
httputil.DumpRequest(r, true)
+ if err != nil {
+ log.Printf("failed to dump the response body, %s", err)
+ } else {
+ log.Println(fmt.Sprintf("%q", x))
+ }
+ }
+
+ rec := httptest.NewRecorder()
+ proxy.ServeHTTP(rec, r)
+
+ if h.Debug {
+ x, err := httputil.DumpResponse(rec.Result(), true)
+ if err != nil {
+ log.Printf("failed to dump the response body, %s", err)
+ } else {
+ log.Println(fmt.Sprintf("%q", x))
+ }
+ }
+
+ for key, values := range rec.Header() {
+ for _, value := range values {
+ w.Header().Add(key, value)
+ }
+ }
+
+ w.WriteHeader(rec.Code)
+ _, err = rec.Body.WriteTo(w)
+ if err != nil {
+ log.Printf("error writing body, %s", err)
+ }
+}
+
+func (p *ReverseProxy) Run() {
+ var err error
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ if err = p.retrieveClusterInfo(ctx); err != nil {
+ log.Fatalf("failed to retrieve cluster information, %s", err)
+ }
+
+ http.Handle("/", p)
+
+ if p.KeyFile == "" {
+ err = http.ListenAndServe(fmt.Sprintf(":%d", p.Port), nil)
+ } else {
+ err = http.ListenAndServeTLS(fmt.Sprintf(":%d", p.Port), p.CertificateFile, p.KeyFile, nil)
+ }
+ if err != nil {
+ log.Fatalf("failed to start server, %s", err)
+ }
+}
diff --git a/terraform/.terraform-version b/terraform/.terraform-version
new file mode 100644
index 0000000..59e9e60
--- /dev/null
+++ b/terraform/.terraform-version
@@ -0,0 +1 @@
+1.0.11
diff --git a/terraform/iap-proxy.service b/terraform/iap-proxy.service
index 4eedf89..ac135d9 100644
--- a/terraform/iap-proxy.service
+++ b/terraform/iap-proxy.service
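Review bot: In `ServeHTTP` of server/main.go the error from `url.Parse` is never checked: the guard right after it tests `if clusterInfo == nil` a second time, which cannot be true at that point, so a parse failure would pass a nil `targetURL` to `httputil.NewSingleHostReverseProxy`. The guard should read `if err != nil {`. The two `h.Debug` branches also log the full output of `httputil.DumpRequest(r, true)` and `httputil.DumpResponse(rec.Result(), true)`, which includes the `Authorization` and `X-Real-Authorization` header values, so running with debug enabled writes bearer credentials to the log. Those two headers should be masked in what is logged, and the log message for the request dump should say "request" rather than "response body".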
@@ -5,21 +5,18 @@ After=docker.service network-online.target [Service] -Environment="IMAGE=gcr.io/binx-io-public/simple-iap-proxy:0.2.1" +Environment="IMAGE=gcr.io/binx-io-public/simple-iap-proxy:62785e9" -ExecStartPre=ctr images pull $${IMAGE} +ExecStartPre=ctr images pull ${IMAGE} ExecStart=ctr run \ - --rm --net-host --env PORT=8443 \ + --rm --net-host \ --mount type=bind,src=/etc/ssl,dst=/etc/ssl,options=rbind:ro \ - $${IMAGE} iap-proxy \ - /simple-iap-proxy \ + ${IMAGE} iap-proxy \ + /simple-iap-proxy server\ --certificate-file /etc/ssl/certs/iap-proxy.cert.pem \ --key-file /etc/ssl/private/iap-proxy.key \ - --rename-auth-header \ - --target-url ${target_url} - - + --port 8443 SuccessExitStatus=0 2 Restart=always diff --git a/terraform/main.tf b/terraform/main.tf index 02159ad..1531a80 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -86,7 +86,7 @@ resource "google_compute_health_check" "iap_proxy_tcp" { resource "google_compute_instance_template" "iap_proxy" { name_prefix = "iap-proxy-" - machine_type = "e2-micro" + machine_type = "n2-standard-2" region = data.google_client_config.current.region disk { @@ -161,15 +161,14 @@ resource "google_service_account" "iap_proxy" { display_name = "IAP proxy" } -resource "google_project_iam_member" "iap_proxy_sa_log_writer" { - member = format("serviceAccount:%s", google_service_account.iap_proxy.email) - role = "roles/logging.logWriter" - project = data.google_client_config.current.project -} - -resource "google_project_iam_member" "iap_proxy_sa_metric_writer" { - role = "roles/monitoring.metricWriter" +resource "google_project_iam_member" "iap_proxy_sa" { + for_each = { for r in [ + "roles/logging.logWriter", + "roles/monitoring.metricWriter", + "roles/container.clusterViewer", + ] : r => r } member = format("serviceAccount:%s", google_service_account.iap_proxy.email) + role = each.key project = data.google_client_config.current.project } 
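Review bot: The `IMAGE` value in iap-proxy.service names the image by a short tag, `simple-iap-proxy:62785e9`, and a tag can be re-pointed in the registry, so the `ctr images pull` in `ExecStartPre` may fetch different content on a later boot than the build that was reviewed. Pinning by digest keeps the unit tied to one image: `Environment="IMAGE=gcr.io/binx-io-public/simple-iap-proxy@sha256:<digest-of-reviewed-image>"`. The placeholder stands for the digest of the reviewed build, which is not shown on this page.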
@@ -199,24 +198,12 @@ resource "tls_self_signed_cert" "iap_proxy" { early_renewal_hours = 24 * 30 } -data "template_file" "iap_proxy_service" { - template = file("${path.module}/iap-proxy.service") - vars = { - target_url = format("https://%s", data.google_container_cluster.target.endpoint) - } -} - -data "google_container_cluster" "target" { - name = var.target_cluster.name - location = var.target_cluster.location -} - locals { cloud_config = { runcmd = [ "c_rehash > /dev/null", - "iptables -I INPUT -p tcp --dport 8443 -j ACCEPT", - "i6ptables -I INPUT -p tcp --dport 8443 -j ACCEPT", + "iptables -I INPUT -p tcp -j ACCEPT", + "i6ptables -I INPUT -p tcp -j ACCEPT", "systemctl daemon-reload", "systemctl enable --now iap-proxy.service" ] @@ -237,13 +224,7 @@ locals { path = "/etc/systemd/system/iap-proxy.service" permissions = "0644" owner = "root:root" - content = data.template_file.iap_proxy_service.rendered - }, { - path = format("/etc/ssl/certs/gke-%s.cert.pem", data.google_container_cluster.target.name) - owner = "root:root" - permissions = "0644" - encoding = "base64" - content = data.google_container_cluster.target.master_auth[0].cluster_ca_certificate + content = file("${path.module}/iap-proxy.service") }, ] } diff --git a/terraform/output.tf b/terraform/output.tf index 147cb56..e4fee03 100644 --- a/terraform/output.tf +++ b/terraform/output.tf @@ -1,11 +1,8 @@ output "iap_proxy_command" { value = <
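Review bot: The `runcmd` entry `iptables -I INPUT -p tcp -j ACCEPT` in terraform/main.tf now accepts inbound TCP on every port, where the removed line limited it to `--dport 8443`. The unit file in this commit still starts the proxy with `--port 8443`, so the wider rule looks unnecessary and leaves any other listener on the instance reachable unless a VPC firewall rule (not visible here) narrows it; keeping `iptables -I INPUT -p tcp --dport 8443 -j ACCEPT` would preserve the previous scope. The following entry still invokes `i6ptables`, presumably a typo for `ip6tables`, so the IPv6 rule is probably never installed. The `locals` block continues outside this hunk.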