manugarg · December 10, 2019 19:40 · manugarg · Dec 10, 2019
diff --git a/gistfile1.txt b/gistfile1.txt
 OAuth is a widely used HTTP authentication mechanism these days. It will be nice to add some OAuth support to Cloudprober.
 This feature has also been requested by the users:
 https://github.com/google/cloudprober/issues/27

 Main complexity in adding OAuth support is in managing the token itself: How do we get it -- from config or retrieve from 
 somewhere at the runtime, how often to refresh it, etc.

 Since OAuth tokens usually expire, it's not very useful to specify tokens in the config or even environment variable 
 (environment variables are passed at the process at the start time). In the config, we should specify the token source
 and how often to access that token source. For example, a config could look like this:

 oauth_config {
  bearer_token {
    # Run the following command to get the bearer token
    cmd: 'cat /var/lib/access/token | cut -d2 -f:'
      
    # Refresh token every 300s. Set to 0 for no caching.
    refresh_interval_sec: 300 # refresh every 5 min.
  }
 }

 Options in token_source could be:

 * file  (read a file -- for example, this will work for default tokens on GCE, GKE and AWS environments)
 * cmd (command's output)
 * url (just access a URL)
 * gce_service_account (Get token from GCE metadata)
 * default_aws (AWS's default application credentials)
 
 We should define this config in such a way that we can use same notation for non-probe parts too -- for example, for k8s
 API server authentication while not running in the same cluster, etc.

 Implementation:

 * Common OAuth module:

 There will be a common OAuth module:
 cloudprober/common/oauth/.
                        /proto/config.proto
                        oauth.go
                        
 It will likely have the following interface:

 ts, err := oauth.TokenSource(config)
 ...

 tok := ts.Token() [or tokHeader := ts.TokenHeader()]

 ts.Token() will take care of caching the token and refreshing it whenever required.
	OAuth is a widely used HTTP authentication mechanism these days. It will be nice to add some OAuth support to Cloudprober.
	This feature has also been requested by the users:
	https://github.com/google/cloudprober/issues/27

	Main complexity in adding OAuth support is in managing the token itself: How do we get it -- from config or retrieve from
	somewhere at the runtime, how often to refresh it, etc.

	Since OAuth tokens usually expire, it's not very useful to specify tokens in the config or even environment variable
	(environment variables are passed at the process at the start time). In the config, we should specify the token source
	and how often to access that token source. For example, a config could look like this:

	oauth_config {
	bearer_token {
	# Run the following command to get the bearer token
	cmd: 'cat /var/lib/access/token \| cut -d2 -f:'

	# Refresh token every 300s. Set to 0 for no caching.
	refresh_interval_sec: 300 # refresh every 5 min.
	}
	}

	Options in token_source could be:

	* file (read a file -- for example, this will work for default tokens on GCE, GKE and AWS environments)
	* cmd (command's output)
	* url (just access a URL)
	* gce_service_account (Get token from GCE metadata)
	* default_aws (AWS's default application credentials)

	We should define this config in such a way that we can use same notation for non-probe parts too -- for example, for k8s
	API server authentication while not running in the same cluster, etc.

	Implementation:

	* Common OAuth module:

	There will be a common OAuth module:
	cloudprober/common/oauth/.
	/proto/config.proto
	oauth.go

	It will likely have the following interface:

	ts, err := oauth.TokenSource(config)
	...

	tok := ts.Token() [or tokHeader := ts.TokenHeader()]

	ts.Token() will take care of caching the token and refreshing it whenever required.