Module providers

Minting, rotating credential providers.

The base crate::credentials::InMemoryCredentials vault is static: an id maps to a pre-provisioned secret. Real upstreams instead want short-lived credentials minted on demand and rotated before they expire: an AWS EKS get-token (a presigned STS URL, valid ~15 min) or a GitHub-App installation token (~1 h). This module adds that without changing the data plane. A CredentialProvider mints a secret, and CachingCredentials caches the latest minted value behind the synchronous CredentialStore the gateway already calls on the request path. A background refresher (CachingCredentials::refresh_due, driven by spawn_refresher) re-mints before expiry, so resolve stays fast and never blocks on a minter. It also fails closed: until a value has been minted, resolve returns None and the request is denied, and a cached value whose expiry has passed is no longer served.
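The lifecycle described above, as an added example that is not the crate's own code: a synchronous stand-in for CredentialProvider (the real trait is async), a CachingCredentials-style store whose resolve only ever reads the cache, and a refresh_due that both primes and rotates. The names mirror the docs, but the refresh lead, the ScriptedProvider fake and the millisecond timeline are constructed for this example. It walks through fail-closed before priming, a failed re-mint that keeps the previous value until that value expires, and recovery on the next refresh.

```rust
use std::collections::{HashMap, VecDeque};

/// A freshly minted secret and its absolute expiry (epoch ms).
#[derive(Clone, Debug, PartialEq)]
pub struct MintedSecret { pub secret: String, pub expires_at_ms: u64 }

/// Mints a short-lived upstream credential. Synchronous here so the example runs
/// without an async runtime; the crate's trait is async (assumed same contract).
pub trait CredentialProvider {
    fn mint(&mut self, now_ms: u64) -> Result<MintedSecret, String>;
}

/// Cache slot for one provider-backed id; `latest` is None until primed.
struct Entry { provider: Box<dyn CredentialProvider>, latest: Option<MintedSecret> }

/// Serves static secrets directly and provider-backed ids from the cache only.
pub struct CachingCredentials {
    static_secrets: HashMap<String, String>,
    minted: HashMap<String, Entry>,
    refresh_lead_ms: u64, // re-mint once this little lifetime remains (hypothetical knob)
}

impl CachingCredentials {
    pub fn new(refresh_lead_ms: u64) -> Self {
        Self { static_secrets: HashMap::new(), minted: HashMap::new(), refresh_lead_ms }
    }
    pub fn add_static(&mut self, id: &str, secret: &str) {
        self.static_secrets.insert(id.to_string(), secret.to_string());
    }
    pub fn add_provider(&mut self, id: &str, provider: Box<dyn CredentialProvider>) {
        self.minted.insert(id.to_string(), Entry { provider, latest: None });
    }

    /// Request-path lookup: never mints, never blocks. Unknown, unprimed and
    /// expired ids all resolve to None, so the gateway denies the request.
    pub fn resolve(&self, id: &str, now_ms: u64) -> Option<String> {
        if let Some(s) = self.static_secrets.get(id) { return Some(s.clone()); }
        let m = self.minted.get(id)?.latest.as_ref()?;
        if m.expires_at_ms <= now_ms { return None; } // expired, not re-minted: fail closed
        Some(m.secret.clone())
    }

    /// Out-of-band refresh (what the refresher task calls): mints for ids that are
    /// unprimed or within `refresh_lead_ms` of expiry. A failed or already-expired
    /// mint leaves the previous value in place until it too expires.
    pub fn refresh_due(&mut self, now_ms: u64) -> Vec<String> {
        let lead = self.refresh_lead_ms;
        let mut refreshed = Vec::new();
        for (id, entry) in self.minted.iter_mut() {
            let due = match &entry.latest {
                None => true,
                Some(m) => m.expires_at_ms.saturating_sub(now_ms) <= lead,
            };
            if !due { continue; }
            match entry.provider.mint(now_ms) {
                Ok(m) if m.expires_at_ms > now_ms => {
                    entry.latest = Some(m);
                    refreshed.push(id.clone());
                }
                Ok(_) | Err(_) => {} // keep the previous value
            }
        }
        refreshed.sort();
        refreshed
    }
}

/// Scripted fake provider, constructed for this example: each call pops the next
/// outcome; a minted token lives `ttl_ms` from the moment it was minted.
pub struct ScriptedProvider { outcomes: VecDeque<Result<String, String>>, ttl_ms: u64 }

impl ScriptedProvider {
    pub fn new(outcomes: Vec<Result<String, String>>, ttl_ms: u64) -> Self {
        Self { outcomes: outcomes.into(), ttl_ms }
    }
}

impl CredentialProvider for ScriptedProvider {
    fn mint(&mut self, now_ms: u64) -> Result<MintedSecret, String> {
        match self.outcomes.pop_front() {
            Some(Ok(secret)) => Ok(MintedSecret { secret, expires_at_ms: now_ms + self.ttl_ms }),
            Some(Err(e)) => Err(e),
            None => Err("script exhausted".to_string()),
        }
    }
}

/// Walks a constructed timeline (ms) through priming, a failed rotation, expiry
/// and recovery, returning what the request path would see at each step.
pub fn scenario() -> Vec<Option<String>> {
    let mut store = CachingCredentials::new(120_000); // re-mint with <= 2 min left
    store.add_static("legacy-db", "s3cr3t");
    let script = vec![Ok("tok-1".into()), Err("sts throttled".into()), Ok("tok-2".into())];
    store.add_provider("eks-prod", Box::new(ScriptedProvider::new(script, 900_000))); // ~15 min
    let mut seen = Vec::new();
    seen.push(store.resolve("eks-prod", 0));        // not primed yet: None
    store.refresh_due(0);                             // primes tok-1, expires at 900_000
    seen.push(store.resolve("eks-prod", 1_000));    // Some("tok-1")
    store.refresh_due(500_000);                       // 400 s left > lead: nothing minted
    store.refresh_due(800_000);                       // due, mint fails: tok-1 kept
    seen.push(store.resolve("eks-prod", 800_001));  // Some("tok-1"), still valid
    seen.push(store.resolve("eks-prod", 900_000));  // expired, never re-minted: None
    store.refresh_due(900_000);                       // retry succeeds: tok-2 until 1_800_000
    seen.push(store.resolve("eks-prod", 900_001));  // Some("tok-2")
    seen.push(store.resolve("legacy-db", 900_001)); // static secret, always served
    seen.push(store.resolve("nope", 0));              // unknown id: None
    seen
}
```

The point of the split is that the request path only reads: if the refresher stalls or the minter keeps failing, the worst outcome is denial once the cached value expires, never a request blocked on a network call and never one sent upstream with a stale or missing credential.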

Structs§

CachingCredentials
A credential store that serves the latest minted value for each provider-backed id, and pre-seeded static secrets for the rest. The data plane calls CredentialStore::resolve (sync); minting happens out of band in Self::refresh_due.
EksGetTokenProvider
Mints an EKS get-token credential: a presigned STS GetCallerIdentity URL (SigV4 query auth, scoped to the cluster via the signed x-k8s-aws-id header), base64url-encoded without padding and prefixed with k8s-aws-v1. This is exactly what aws eks get-token produces and what the kubelet/kubectl send as a bearer token. Fully local: no network, just the account credential and the SigV4 primitives.
GitHubAppProvider
Mints a GitHub-App installation token: sign a short-lived RS256 JWT with the app’s private key, then exchange it at POST /app/installations/{id}/access_tokens for an installation token (~1 h). The JWT signing is local; the exchange is one HTTP call.
MintedSecret
A freshly minted secret and when it expires (epoch ms).

Traits§

CredentialProvider
Mints a short-lived upstream credential, and re-mints it on rotation. Async because real minters call out (the GitHub-App exchange is an HTTP call; the EKS presign is local but shares the same trait signature). Returns the secret and its expiry; an error fails closed (the cache keeps the previous value until it too expires, after which resolve returns None).

Functions§

pkcs8_from_pem
Decode a PKCS#8 PEM private key (-----BEGIN PRIVATE KEY-----) into DER bytes for GitHubAppProvider::private_key_pkcs8_der.
spawn_refresher
Spawn a background task that calls CachingCredentials::refresh_due every interval, using clock for the current time. Priming and rotation both flow through it. The task lives for the process; it is dropped when the runtime shuts down.