iam-runtime-infratographer is an IAM runtime implementation that uses identity-api for authenticating subjects and permissions-api for checking access to resources and managing relationships. This allows applications to make use of Infratographer IAM functionality without needing to include dependencies directly in application code or mock services in development.
iam-runtime-infratographer can be run as a standalone binary or a sidecar in a Kubernetes deployment.
To run it as a standalone binary using the provided example config, use the following commands:
```shell
$ make build # macOS users may need to run "GOOS=darwin make build"
$ ./iam-runtime-infratographer serve --config config.example.yaml
```
iam-runtime-infratographer can be configured using either a config file, command line arguments, or environment variables. An example config file is located at config.example.yaml.
Below is an example of adding the IAM runtime as a sidecar to your app deployment. The app and the runtime share an emptyDir volume so that the app can reach the runtime's Unix socket, and the runtime reads its config from a mounted ConfigMap.
Alternatively, you could use the Helm chart.
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: iam-runtime-config
data:
  config.yaml: |
    server:
      socketpath: /var/iam-runtime/runtime.sock
    permissions:
      host: permissions-api.internal.example.net
    jwt:
      jwksuri: https://iam.example.com/jwks.json
      issuer: https://iam.example.com/
    events:
      enabled: true
      nats:
        url: nats://nats:4222
        credsFile: /etc/nats/nats.creds
        publishTopic: myapp
    tracing:
      enabled: true
      url: app-collector:4317
      insecure: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: example/my-app:latest
          volumeMounts:
            - name: iam-runtime-socket
              mountPath: /var/iam-runtime/
        - name: iam-runtime
          image: ghcr.io/infratographer/iam-runtime-infratographer:v0.3.1
          volumeMounts:
            - name: iam-runtime-config
              mountPath: /etc/iam-runtime-infratographer/
            - name: iam-runtime-socket
              mountPath: /var/iam-runtime/
      volumes:
        - name: iam-runtime-config
          configMap:
            name: iam-runtime-config
        - name: iam-runtime-socket
          emptyDir: {}
```
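The sidecar pattern above only works if the wiring between the ConfigMap and the Deployment is consistent: the runtime must find its config under the mount path it is started with, and `server.socketpath` must sit on a volume that both containers mount at the same path. The following check is an added example, not part of the iam-runtime-infratographer project. It takes the manifests as the dicts `yaml.safe_load()` would produce (constructed copies of the README's ConfigMap and Deployment are embedded inline), assumes the runtime reads its config from the `/etc/iam-runtime-infratographer/` mount shown above, and reports hard errors (broken socket or config wiring, non-TLS JWKS/issuer URLs) separately from warnings (the example's `tracing.insecure: true`). It generalises beyond the README's manifest to any container and volume names.

```python
"""Check that an iam-runtime sidecar is wired consistently with its config.

Added example (not project code). Manifests are constructed copies of the
README's ConfigMap data and Deployment, as dicts from yaml.safe_load().
"""
import copy
import posixpath

# Assumption: the sidecar reads config.yaml from the mountPath used in the README.
CONFIG_DIR = "/etc/iam-runtime-infratographer"

# Constructed: parsed content of the ConfigMap's config.yaml.
RUNTIME_CONFIG = {
    "server": {"socketpath": "/var/iam-runtime/runtime.sock"},
    "permissions": {"host": "permissions-api.internal.example.net"},
    "jwt": {"jwksuri": "https://iam.example.com/jwks.json",
            "issuer": "https://iam.example.com/"},
    "events": {"enabled": True, "nats": {"url": "nats://nats:4222",
               "credsFile": "/etc/nats/nats.creds", "publishTopic": "myapp"}},
    "tracing": {"enabled": True, "url": "app-collector:4317", "insecure": True},
}

# Constructed: the parts of the Deployment the check needs.
DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [
        {"name": "app", "image": "example/my-app:latest",
         "volumeMounts": [{"name": "iam-runtime-socket", "mountPath": "/var/iam-runtime/"}]},
        {"name": "iam-runtime",
         "image": "ghcr.io/infratographer/iam-runtime-infratographer:v0.3.1",
         "volumeMounts": [
             {"name": "iam-runtime-config", "mountPath": "/etc/iam-runtime-infratographer/"},
             {"name": "iam-runtime-socket", "mountPath": "/var/iam-runtime/"}]},
    ],
    "volumes": [
        {"name": "iam-runtime-config", "configMap": {"name": "iam-runtime-config"}},
        {"name": "iam-runtime-socket", "emptyDir": {}},
    ],
}}}}


def _mount_for(container, path):
    """Return (volume name, normalised mountPath) of the mount containing `path`, else None."""
    target = posixpath.normpath(path)
    for m in container.get("volumeMounts", []):
        mp = posixpath.normpath(m["mountPath"])
        if target == mp or target.startswith(mp.rstrip("/") + "/"):
            return m["name"], mp
    return None


def check_sidecar_wiring(runtime_config, deployment, runtime_name="iam-runtime", app_name="app"):
    """Return (errors, warnings) describing wiring problems between config and pod spec."""
    errors, warnings = [], []
    pod = deployment["spec"]["template"]["spec"]
    containers = {c["name"]: c for c in pod["containers"]}
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    missing = [n for n in (runtime_name, app_name) if n not in containers]
    if missing:
        return [f"container(s) missing from pod spec: {', '.join(missing)}"], warnings
    runtime, app = containers[runtime_name], containers[app_name]

    # 1. The runtime's config directory must be backed by a configMap volume.
    cfg = _mount_for(runtime, CONFIG_DIR)
    if cfg is None:
        errors.append(f"{runtime_name}: nothing mounted at {CONFIG_DIR}")
    elif "configMap" not in volumes.get(cfg[0], {}):
        errors.append(f"{runtime_name}: volume {cfg[0]!r} at {CONFIG_DIR} is not a configMap")

    # 2. The socket must live on one shared emptyDir, mounted at the same path in both containers.
    socketpath = runtime_config["server"]["socketpath"]
    rt_sock, app_sock = _mount_for(runtime, socketpath), _mount_for(app, socketpath)
    if rt_sock is None:
        errors.append(f"{runtime_name}: socketpath {socketpath} is not on a mounted volume")
    if app_sock is None:
        errors.append(f"{app_name}: socketpath {socketpath} is not on a mounted volume")
    if rt_sock and app_sock:
        if rt_sock[0] != app_sock[0]:
            errors.append(f"socket volume differs: {rt_sock[0]!r} vs {app_sock[0]!r}")
        elif rt_sock[1] != app_sock[1]:
            errors.append(f"socket volume mounted at different paths: {rt_sock[1]} vs {app_sock[1]}")
        if "emptyDir" not in volumes.get(rt_sock[0], {}):
            errors.append(f"socket volume {rt_sock[0]!r} should be an emptyDir")

    # 3. Keys and issuer metadata used to verify JWTs must be fetched over TLS.
    jwt = runtime_config.get("jwt", {})
    for key in ("jwksuri", "issuer"):
        if not str(jwt.get(key, "")).startswith("https://"):
            errors.append(f"jwt.{key} is not an https URL: {jwt.get(key)!r}")

    # 4. Informational: the README example exports traces without TLS.
    if runtime_config.get("tracing", {}).get("insecure"):
        warnings.append("tracing.insecure is true: spans are sent to the collector without TLS")
    return errors, warnings


def drop_mount(deployment, container_name, volume_name):
    """Return a deep copy of `deployment` with one volumeMount removed (for what-if checks)."""
    out = copy.deepcopy(deployment)
    for c in out["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container_name:
            c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] != volume_name]
    return out


if __name__ == "__main__":
    errs, warns = check_sidecar_wiring(RUNTIME_CONFIG, DEPLOYMENT)
    print("errors:", errs, "\nwarnings:", warns)
```

Run against the README manifests the check reports no errors and one warning for the insecure trace exporter; removing the app container's `iam-runtime-socket` mount (via `drop_mount`) produces an error, which is exactly the failure you would otherwise only discover when the app's first socket connection fails at runtime.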