replace platformiam library with custom opensource implementation

Author: linki

auth/tokens.go

@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"path"
+
+	"golang.org/x/oauth2"
+	"k8s.io/client-go/transport"
+)
+
+const (
+	DefaultCredentialsDir = "/meta/credentials"
+	CredentialsDirEnvar   = "CREDENTIALS_DIR"
+)
+
+type platformCredentialsTokenSource struct {
+	tokenName      string
+	credentialsDir string
+}
+
+func NewPlatformCredentialsTokenSource(tokenName string, credentialsDir string) *platformCredentialsTokenSource {
+	return &platformCredentialsTokenSource{
+		tokenName:      tokenName,
+		credentialsDir: credentialsDir,
+	}
+}
+
+func (s *platformCredentialsTokenSource) Token() (*oauth2.Token, error) {
+	filePath := path.Join(s.credentialsDir, fmt.Sprintf("%s-token-secret", s.tokenName))
+	contents, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	return &oauth2.Token{AccessToken: string(contents)}, nil
+}
+
+type tokenInjector struct {
+	tokenSource oauth2.TokenSource
+	next        http.RoundTripper
+}
+
+func TokenInjector(tokenSource oauth2.TokenSource) transport.WrapperFunc {
+	return func(rt http.RoundTripper) http.RoundTripper {
+		return &tokenInjector{
+			tokenSource: tokenSource,
+			next:        rt,
+		}
+	}
+}
+
+func (i *tokenInjector) RoundTrip(request *http.Request) (*http.Response, error) {
+	token, err := i.tokenSource.Token()
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+token.AccessToken)
+	return i.next.RoundTrip(request)
+}

go.mod

@@ -17,9 +17,8 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.20.4
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.11.1
-	github.com/zalando-build/credentials-loader v0.0.0-20251013185331-dad2c8c72ce9
-	golang.org/x/oauth2 v0.32.0
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/oauth2 v0.27.0
 	k8s.io/api v0.33.5
 	k8s.io/apimachinery v0.33.5
 	k8s.io/client-go v0.33.5
@@ -53,7 +52,6 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect

go.sum

@@ -79,8 +79,6 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -158,16 +156,14 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zalando-build/credentials-loader v0.0.0-20251013185331-dad2c8c72ce9 h1:MeB2BcFDoyl9wbX3ABSHGiDytRhe1Bvq9sko2QWEXr8=
-github.com/zalando-build/credentials-loader v0.0.0-20251013185331-dad2c8c72ce9/go.mod h1:iPUMtmKVg7nrQD6qlq54mULsaybwIopouDLLgWIKsVY=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -181,8 +177,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

main.go

@@ -13,18 +13,15 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	log "github.com/sirupsen/logrus"
+	"github.com/szuecs/kube-static-egress-controller/auth"
 	"github.com/szuecs/kube-static-egress-controller/controller"
 	"github.com/szuecs/kube-static-egress-controller/kube"
 	"github.com/szuecs/kube-static-egress-controller/provider"
 	"github.com/szuecs/kube-static-egress-controller/provider/aws"
 	"github.com/szuecs/kube-static-egress-controller/provider/noop"
-	"github.com/zalando-build/credentials-loader/platformiam"
-	"golang.org/x/oauth2"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
-	"k8s.io/client-go/transport"
 )
 
 const (
@@ -59,6 +56,9 @@ type Config struct {
 	Namespace                  string
 	ResyncInterval             time.Duration
 	Address                    string
+	// required by Platform credentials
+	UsePlatformCredentials bool
+	CredentialsDir         string
 }
 
 var defaultConfig = &Config{
@@ -124,6 +124,8 @@ Example:
 	// Flags related to Kubernetes
 	app.Flag("master", "The Kubernetes API server to connect to (default: auto-detect)").Default(defaultConfig.Master).StringVar(&cfg.Master)
 	app.Flag("kubeconfig", "Retrieve target cluster configuration from a Kubernetes configuration file (default: auto-detect)").Default(defaultConfig.KubeConfig).StringVar(&cfg.KubeConfig)
+	app.Flag("use-platform-credentials", "Use Platform credentials (default: disabled)").BoolVar(&cfg.UsePlatformCredentials)
+	app.Flag("credentials-dir", "Directory where the Platform credentials are stored").Default(auth.DefaultCredentialsDir).Envar(auth.CredentialsDirEnvar).StringVar(&cfg.CredentialsDir)
 	app.Flag("provider", "Provider implementing static egress <noop|aws> (default: auto-detect)").Default(defaultConfig.Provider).StringVar(&cfg.Provider)
 	app.Flag("cluster-id", "Cluster ID used define ownership of Egress stack.").StringVar(&cfg.ClusterID)
 	app.Flag("cluster-id-tag-prefix", "Prefix for the Cluster ID tag set on the Egress stack.").Default(defaultConfig.ClusterIDTagPrefix).StringVar(&cfg.ClusterIDTagPrefix)
@@ -173,7 +175,7 @@ func main() {
 	}
 
 	configsChan := make(chan provider.EgressConfig)
-	cmWatcher, err := kube.NewConfigMapWatcher(newKubeClient(), cfg.Namespace, "egress=static", configsChan)
+	cmWatcher, err := kube.NewConfigMapWatcher(newKubeClient(cfg), cfg.Namespace, "egress=static", configsChan)
 	if err != nil {
 		log.Fatalf("Failed to setup ConfigMap watcher: %v", err)
 	}
@@ -192,7 +194,7 @@ func main() {
 }
 
 // newKubeClient returns a new Kubernetes client with the default config.
-func newKubeClient() kubernetes.Interface {
+func newKubeClient(cfg *Config) kubernetes.Interface {
 	var kubeconfig string
 	if _, err := os.Stat(clientcmd.RecommendedHomeFile); err == nil {
 		kubeconfig = clientcmd.RecommendedHomeFile
@@ -203,12 +205,11 @@ func newKubeClient() kubernetes.Interface {
 		log.Fatalf("build config failed: %v", err)
 	}
 
-	platformIAMTokenSource := platformiam.NewTokenSource("kube-static-egress-controller", DefaultCredentialsDir)
-
-	platformIAMRestConfig := rest.AnonymousClientConfig(config)
-	platformIAMRestConfig.Wrap(TokenInjector(platformIAMTokenSource))
+	if cfg.UsePlatformCredentials {
+		config.Wrap(auth.TokenInjector(auth.NewPlatformCredentialsTokenSource(name, cfg.CredentialsDir)))
+	}
 
-	client, err := kubernetes.NewForConfig(platformIAMRestConfig)
+	client, err := kubernetes.NewForConfig(config)
 	if err != nil {
 		log.Fatalf("initialize kubernetes client failed: %v", err)
 	}
@@ -247,33 +248,3 @@ func serve(ctx context.Context, address string, handler http.Handler) {
 		}
 	}
 }
-
-const (
-	DefaultCredentialsDir = "/meta/credentials"
-
-// CredentialsDirEnvar   = "CREDENTIALS_DIR"
-)
-
-type kubeTokenInjector struct {
-	tokenSource oauth2.TokenSource
-	next        http.RoundTripper
-}
-
-func TokenInjector(tokenSource oauth2.TokenSource) transport.WrapperFunc {
-	return func(rt http.RoundTripper) http.RoundTripper {
-		return &kubeTokenInjector{
-			tokenSource: tokenSource,
-			next:        rt,
-		}
-	}
-}
-
-func (i *kubeTokenInjector) RoundTrip(request *http.Request) (*http.Response, error) {
-	token, err := i.tokenSource.Token()
-	if err != nil {
-		return nil, err
-	}
-
-	request.Header.Set("Authorization", "Bearer "+token.AccessToken)
-	return i.next.RoundTrip(request)
-}