[Feature] AWS Client (#1755)

Author: ajanikow

CHANGELOG.md

@@ -11,6 +11,7 @@
 - (Maintenance) Inspector Generics
 - (Bugfix) Fix Gateway Options
 - (Feature) StorageV2 Integration Service Definition
+- (Feature) AWS Client
 
 ## [1.2.43](https://github.com/arangodb/kube-arangodb/tree/1.2.43) (2024-10-14)
 - (Feature) ArangoRoute CRD

go.mod

@@ -88,6 +88,7 @@ require (
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/arangodb/go-velocypack v0.0.0-20200318135517-5af53c29c67e // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go v1.55.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bytedance/sonic v1.9.1 // indirect
@@ -146,6 +147,7 @@ require (
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

go.sum

@@ -50,6 +50,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
+github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -104,6 +106,7 @@ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE=
 github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -268,6 +271,9 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jessevdk/go-assets v0.0.0-20160921144138-4f4301a06e15 h1:cW/amwGEJK5MSKntPXRjX4dxs/nGxGT8gXKIsKFmHGc=
 github.com/jessevdk/go-assets v0.0.0-20160921144138-4f4301a06e15/go.mod h1:Fdm/oWRW+CH8PRbLntksCNtmcCBximKPkVQYvmMl80k=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/josephburnett/jd v1.6.1 h1:Uzqhcje4WqvVyp85F3Oj0ezISPTlnhnr/KaLZIy8qh0=
@@ -432,6 +438,7 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=

pkg/util/aws/config.go

@@ -0,0 +1,89 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package aws
+
+import (
+	"net/http"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+)
+
+type Config struct {
+	Endpoint string
+	Region   string
+
+	DisableSSL bool
+
+	HTTP     HTTP
+	Provider Provider
+	TLS      TLS
+}
+
+func (c Config) GetRegion() string {
+	if c.Region == "" {
+		return "us-east-1"
+	}
+
+	return c.Region
+}
+
+func (c Config) GetProvider() (credentials.Provider, error) {
+	return c.Provider.Provider()
+}
+
+func (c Config) GetHttpClient() (*http.Client, error) {
+	tls, err := c.TLS.configuration()
+	if err != nil {
+		return nil, errors.Wrapf(err, "Unable to create TLS")
+	}
+
+	return &http.Client{
+		Transport: c.HTTP.configuration(tls),
+	}, nil
+}
+
+func (c Config) GetAWSSession() (client.ConfigProvider, error) {
+	prov, err := c.GetProvider()
+	if err != nil {
+		return nil, errors.Wrapf(err, "Unable to create Provider")
+	}
+
+	cl, err := c.GetHttpClient()
+	if err != nil {
+		return nil, errors.Wrapf(err, "Unable to create HTTP Client")
+	}
+
+	return session.NewSessionWithOptions(session.Options{
+		Config: aws.Config{
+			Credentials:      credentials.NewCredentials(prov),
+			Endpoint:         util.NewType(c.Endpoint),
+			S3ForcePathStyle: util.NewType(true),
+			DisableSSL:       util.NewType(c.DisableSSL),
+			HTTPClient:       cl,
+		},
+	})
+}

pkg/util/aws/file.go

@@ -0,0 +1,86 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package aws
+
+import (
+	"os"
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws/credentials"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+)
+
+type fileProvider struct {
+	lock sync.Mutex
+
+	accessKeyIDFile     string
+	secretAccessKeyFile string
+	sessionTokenFile    string
+
+	recent time.Time
+}
+
+func (f *fileProvider) Retrieve() (credentials.Value, error) {
+	if f == nil {
+		return credentials.Value{}, errors.Errorf("Object is nil")
+	}
+
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	var v credentials.Value
+
+	v.ProviderName = "dynamic-file-provider"
+
+	if data, err := os.ReadFile(f.accessKeyIDFile); err != nil {
+		return credentials.Value{}, errors.Wrapf(err, "Unable to open AccessKeyID File")
+	} else {
+		v.AccessKeyID = string(data)
+	}
+
+	if data, err := os.ReadFile(f.secretAccessKeyFile); err != nil {
+		return credentials.Value{}, errors.Wrapf(err, "Unable to open SecretAccessKey File")
+	} else {
+		v.SecretAccessKey = string(data)
+	}
+
+	if f.sessionTokenFile != "" {
+		if data, err := os.ReadFile(f.sessionTokenFile); err != nil {
+			return credentials.Value{}, errors.Wrapf(err, "Unable to open SessionToken File")
+		} else {
+			v.SessionToken = string(data)
+		}
+	}
+
+	f.recent = util.RecentFileModTime(f.accessKeyIDFile, f.secretAccessKeyFile, f.sessionTokenFile)
+
+	return credentials.Value{}, nil
+}
+
+func (f *fileProvider) IsExpired() bool {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	return util.RecentFileModTime(f.accessKeyIDFile, f.secretAccessKeyFile, f.sessionTokenFile).After(f.recent)
+}

pkg/util/aws/http.go

@@ -0,0 +1,44 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package aws
+
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+)
+
+type HTTP struct {
+}
+
+func (s HTTP) configuration(t *tls.Config) http.RoundTripper {
+	var c = http.Transport{
+		Proxy:                 http.ProxyFromEnvironment,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       t,
+	}
+
+	return &c
+}

pkg/util/aws/impersonate.go

@@ -0,0 +1,89 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package aws
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/sts"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+)
+
+type impersonate struct {
+	lock sync.Mutex
+
+	credentials credentials.Value
+	expires     time.Time
+
+	config ProviderImpersonate
+
+	creds credentials.Provider
+}
+
+func (i *impersonate) Retrieve() (credentials.Value, error) {
+	i.lock.Lock()
+	defer i.lock.Unlock()
+
+	awsSession, err := session.NewSessionWithOptions(session.Options{
+		Config: aws.Config{
+			Credentials:      credentials.NewCredentials(i.creds),
+			S3ForcePathStyle: util.NewType(true),
+		},
+	})
+	if err != nil {
+		return credentials.Value{}, err
+	}
+
+	s := sts.New(awsSession)
+
+	resp, err := s.AssumeRoleWithContext(context.Background(), &sts.AssumeRoleInput{
+		RoleArn:         util.NewType(i.config.Role),
+		RoleSessionName: util.NewType(i.config.Name),
+	})
+	if err != nil {
+		return credentials.Value{}, err
+	}
+
+	if e := resp.Credentials.Expiration; e != nil {
+		i.expires = *e
+	}
+
+	i.credentials = credentials.Value{
+		AccessKeyID:     util.WithDefault(resp.Credentials.AccessKeyId),
+		SecretAccessKey: util.WithDefault(resp.Credentials.SecretAccessKey),
+		SessionToken:    util.WithDefault(resp.Credentials.SessionToken),
+	}
+
+	return i.credentials, nil
+}
+
+func (i *impersonate) IsExpired() bool {
+	i.lock.Lock()
+	defer i.lock.Unlock()
+
+	return time.Now().After(i.expires)
+}