{"id":37087825,"url":"https://github.com/yahoojapan/athenz-client-sidecar","last_synced_at":"2026-01-14T10:48:09.958Z","repository":{"id":45069791,"uuid":"171427713","full_name":"yahoojapan/athenz-client-sidecar","owner":"yahoojapan","description":"Moved to https://github.com/AthenZ/athenz-client-sidecar","archived":true,"fork":false,"pushed_at":"2022-12-20T10:14:44.000Z","size":637,"stargazers_count":15,"open_issues_count":0,"forks_count":5,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-09-24T01:31:47.828Z","etag":null,"topics":["archived","athenz","authentication","authorization","golang","kubernetes","sidecar"],"latest_commit_sha":null,"homepage":"https://github.com/AthenZ/athenz-client-sidecar","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yahoojapan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-19T07:36:38.000Z","updated_at":"2023-08-22T11:40:46.000Z","dependencies_parsed_at":"2023-01-30T00:15:39.332Z","dependency_job_id":null,"html_url":"https://github.com/yahoojapan/athenz-client-sidecar","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/yahoojapan/athenz-client-sidecar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoojapan%2Fathenz-client-sidecar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoojapan%2Fathenz-client-sidecar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoojapan%2Fathenz-client-sidecar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoojapan%2Fathenz-client-sidecar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yahoojapan","download_url":"https://codeload.github.com/yahoojapan/athenz-client-sidecar/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoojapan%2Fathenz-client-sidecar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28417716,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["archived","athenz","authentication","authorization","golang","kubernetes","sidecar"],"created_at":"2026-01-14T10:48:09.237Z","updated_at":"2026-01-14T10:48:09.951Z","avatar_url":"https://github.com/yahoojapan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Athenz client sidecar (moved)\n\n\u003e ⚠️ **Warning**: This repository has been moved to [AthenZ/athenz-client-sidecar](https://github.com/AthenZ/athenz-client-sidecar).\n\nThis repository is submitted to [Athenz Open-Source Community](https://github.com/AthenZ). All ongoing developments and maintenances will continue in the new repository.\n\n```sh\n# update your local clone\ngit remote set-url origin https://github.com/AthenZ/athenz-client-sidecar.git\n```\n\n---\n\n[![License: Apache](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square)](https://opensource.org/licenses/Apache-2.0)\n[![GitHub release (latest by date)](https://img.shields.io/github/v/release/yahoojapan/athenz-client-sidecar?style=flat-square\u0026label=Github%20version)](https://github.com/yahoojapan/athenz-client-sidecar/releases/latest)\n[![Docker Image Version (tag latest)](https://img.shields.io/docker/v/yahoojapan/athenz-client-sidecar/latest?style=flat-square\u0026label=Docker%20version)](https://hub.docker.com/r/yahoojapan/athenz-client-sidecar/tags)\n[![CircleCI](https://circleci.com/gh/yahoojapan/athenz-client-sidecar.svg)](https://circleci.com/gh/yahoojapan/athenz-client-sidecar)\n[![codecov](https://codecov.io/gh/yahoojapan/athenz-client-sidecar/branch/master/graph/badge.svg?token=2CzooNJtUu\u0026style=flat-square)](https://codecov.io/gh/yahoojapan/athenz-client-sidecar)\n[![Go Report Card](https://goreportcard.com/badge/github.com/yahoojapan/athenz-client-sidecar)](https://goreportcard.com/report/github.com/yahoojapan/athenz-client-sidecar)\n[![GolangCI](https://golangci.com/badges/github.com/yahoojapan/athenz-client-sidecar.svg?style=flat-square)](https://golangci.com/r/github.com/yahoojapan/athenz-client-sidecar)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/f5e641145b274353919ee4a2ff6566e3)](https://www.codacy.com/app/i.can.feel.gravity/athenz-client-sidecar?utm_source=github.com\u0026utm_medium=referral\u0026utm_content=yahoojapan/athenz-client-sidecar\u0026utm_campaign=Badge_Grade)\n[![GoDoc](http://godoc.org/github.com/yahoojapan/athenz-client-sidecar?status.svg)](http://godoc.org/github.com/yahoojapan/athenz-client-sidecar)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](code_of_conduct.md)\n\n![logo](./images/logo.png)\n\n\u003c!-- TOC insertAnchor:false --\u003e\n\n- [Athenz client sidecar](#athenz-client-sidecar)\n    - [What is Athenz client sidecar](#what-is-athenz-client-sidecar)\n        - [Get Athenz N-token from client sidecar](#get-athenz-n-token-from-client-sidecar)\n        - [Get Athenz Access Token from client sidecar](#get-athenz-access-token-from-client-sidecar)\n        - [Get Athenz Role Token from client sidecar](#get-athenz-role-token-from-client-sidecar)\n        - [Proxy HTTP request (add corresponding Athenz authorization token)](#proxy-http-request-add-corresponding-athenz-authorization-token)\n    - [Use Case](#use-case)\n    - [Specification](#specification)\n        - [Get N-token from Athenz through client sidecar](#get-n-token-from-athenz-through-client-sidecar)\n        - [Get access token from Athenz through client sidecar](#get-access-token-from-athenz-through-client-sidecar)\n        - [Get role token from Athenz through client sidecar](#get-role-token-from-athenz-through-client-sidecar)\n        - [Get service certificate from Athenz through client sidecar](#get-service-certificate-from-athenz-through-client-sidecar)\n        - [Proxy requests and append N-token authentication header](#proxy-requests-and-append-n-token-authentication-header)\n        - [Proxy requests and append role token authentication header](#proxy-requests-and-append-role-token-authentication-header)\n    - [Configuration](#configuration)\n    - [Developer Guide](#developer-guide)\n        - [Example code](#example-code)\n            - [Get N-token from client sidecar](#get-n-token-from-client-sidecar)\n            - [Get access token from client sidecar](#get-access-token-from-client-sidecar)\n            - [Get role token from client sidecar](#get-role-token-from-client-sidecar)\n            - [Get service certificate from client sidecar](#get-service-certificate-from-client-sidecar)\n            - [Proxy request through client sidecar (append N-token)](#proxy-request-through-client-sidecar-append-n-token)\n            - [Proxy request through client sidecar (append role token)](#proxy-request-through-client-sidecar-append-role-token)\n    - [Deployment Procedure](#deployment-procedure)\n    - [License](#license)\n    - [Contributor License Agreement](#contributor-license-agreement)\n    - [About releases](#about-releases)\n    - [Authors](#authors)\n\n\u003c!-- /TOC --\u003e\n\n## What is Athenz client sidecar\n\nAthenz client sidecar is an implementation of [Kubernetes sidecar container](https://kubernetes.io/blog/2015/06/the-distributed-system-toolkit-patterns/) to provide a common interface to retrieve authentication and authorization credential from Athenz server.\n\n### Get Athenz N-token from client sidecar\n\n![Sidecar architecture (get N-token)](./docs/assets/client_sidecar_arch_n_token.png)\n\nWhenever user wants to get the N-token, user does not need to focus on extra logic to generate token, user can access client sidecar container instead of implementing the logic themselves, to avoid the extra logic implemented by user.\nFor instance, the client sidecar container caches the token and periodically generates the token automatically. For user this logic is transparent, but it improves the overall performance as it does not generate the token every time whenever the user asks for it.\n\n### Get Athenz Access Token from client sidecar\n\n![Sidecar architecture (get Access token)](./docs/assets/client_sidecar_arch_access_token.png)\n\nUser can get the access token from the client sidecar container. Whenever user requests for the access token, the sidecar process will get the access token from Athenz if it is not in the cache, and cache it in memory. The background thread will update corresponding access token periodically.\n\n### Get Athenz Role Token from client sidecar\n\n![Sidecar architecture (get Role token)](./docs/assets/client_sidecar_arch_z_token.png)\n\nUser can get the role token from the client sidecar container. Whenever user requests for the role token, the sidecar process will get the role token from Athenz if it is not in the cache, and cache it in memory. The background thread will update corresponding role token periodically.\n\n### Proxy HTTP request (add corresponding Athenz authorization token)\n\n![Sidecar architecture (proxy request)](./docs/assets/client_sidecar_arch_proxy.png)\n\nUser can also use the reverse proxy endpoint to proxy the request to another server that supports Athenz token validation. The proxy endpoint will append the necessary authorization (N-token or role token) HTTP header to the request and proxy the request to the destination server. User does not need to care about the token generation logic where this sidecar container will handle it, also it supports similar caching mechanism with the N-token usage.\n\n---\n\n## Use Case\n\n1. `GET /ntoken`\n    - Get service token from Athenz\n1. `POST /accesstoken`\n    - Get access token from Athenz\n1. `POST /roletoken`\n    - Get role token from Athenz\n1. `GET /svccert`\n   - Get service certificate from Athenz\n1. `/proxy/ntoken`\n    - Append service token to the request header, and send the request to proxy destination\n1. `/proxy/roletoken`\n    - Append role token to the request header, and send the request to proxy destination\n\n---\n\n## Specification\n\n### Get N-token from Athenz through client sidecar\n\n- Only Accept HTTP GET request.\n- Response body contains below information in JSON format.\n\n| Name  | Description           | Example                                                                                             |\n| ----- | --------------------- | --------------------------------------------------------------------------------------------------- |\n| token | The N-token generated | v=S1;d=client;n=service;h=localhost;a=6996e6fc49915494;t=1486004464;e=1486008064;k=0;s=\\[signature] |\n\nExample:\n\n```json\n{\n  \"token\": \"v=S1;d=client;n=service;h=localhost;a=6996e6fc49915494;t=1486004464;e=1486008064;k=0;s=[signature]\"\n}\n```\n\n### Get access token from Athenz through client sidecar\n\n- Only accept HTTP POST request.\n- Request body must contains below information in JSON format.\n\n| Name                | Description                                   | Required? | Example           |\n| ------------------- | --------------------------------------------- | --------- | ----------------- |\n| domain              | Access token domain name                      | Yes       | domain.shopping   |\n| role                | Access token role name (comma separated list) | No        | user              |\n| proxy_for_principal | Access token proxyForPrincipal name           | No        | proxyForPrincipal |\n| expiry              | Access token expiry time (in second)          | No        | 1000              |\n\nExample:\n\n```json\n{\n  \"domain\": \"domain.shopping\",\n  \"role\": \"user\",\n  \"proxy_for_principal\": \"proxyForPrincipal\",\n  \"expiry\": 1000\n}\n```\n\n- Response body contains below information in JSON format.\n\n| Name | Description | Example |\n| ---- | ----------- | ------- |\n| access_token | Access token | eyJraWQiOiIwIiwidHlwIjoiYXQrand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkb21haW4udHJhdmVsLnRyYXZlbC1zaXRlIiwiaWF0IjoxNTgzNzE0NzA0LCJleHAiOjE1ODM3MTY1MDQsImlzcyI6Imh0dHBzOi8venRzLmF0aGVuei5pbyIsImF1ZCI6ImRvbWFpbi5zaG9wcGluZyIsImF1dGhfdGltZSI6MTU4MzcxNDcwNCwidmVyIjoxLCJzY3AiOlsidXNlcnMiXSwidWlkIjoiZG9tYWluLnRyYXZlbC50cmF2ZWwtc2l0ZSIsImNsaWVudF9pZCI6ImRvbWFpbi50cmF2ZWwudHJhdmVsLXNpdGUifQ.\\[signature] |\n| token_type   | Access token token type | Bearer |\n| expires_in   | Access token expiry time (in second) | 1000 |\n| scope        | Access token scope (Only added if role is not specified, space separated) | domain.shopping:role.user |\n\nExample:\n\n```json\n{\n  \"access_token\": \"eyJraWQiOiIwIiwidHlwIjoiYXQrand0IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkb21haW4udHJhdmVsLnRyYXZlbC1zaXRlIiwiaWF0IjoxNTgzNzE0NzA0LCJleHAiOjE1ODM3MTY1MDQsImlzcyI6Imh0dHBzOi8venRzLmF0aGVuei5pbyIsImF1ZCI6ImRvbWFpbi5zaG9wcGluZyIsImF1dGhfdGltZSI6MTU4MzcxNDcwNCwidmVyIjoxLCJzY3AiOlsidXNlcnMiXSwidWlkIjoiZG9tYWluLnRyYXZlbC50cmF2ZWwtc2l0ZSIsImNsaWVudF9pZCI6ImRvbWFpbi50cmF2ZWwudHJhdmVsLXNpdGUifQ.F2x9_Q4GRmgRAXB0_tQRAWSwfJ9W3VtIoIVP1F4R19Ah8x1ml8jbxe88auOGmdElR8Gd2oQBNGMSyTkBgVBi9lRmYRpvYI94DN27zy5ZQzAPx_GgWshCbv8ebK9mHmcHkvGjJQzvoc7mgtKSRCZB4fC8-95c8Nb3BlebXWOz9evhO-xlkt5QYcavvSBzU6gNzZ7IjANTwIh4_iES-drWZOZ_yg4WS9wMpk1ycJRsdr5En5QMwQJEzcMRL-5-D8gLChXEESFSsY86ekd-fXOncP1N-V1xjfVURw_TzWKiIj6DFwRsMV1dTm9ffZC0tFKOKe9M3sUYdfkm0qWuEqLjfA\",\n  \"token_type\": \"Bearer\",\n  \"expires_in\": 1000,\n  \"scope\": \"domain.shopping:role.user\"\n}\n```\n\n### Get role token from Athenz through client sidecar\n\n- Only accept HTTP POST request.\n- Request body must contains below information in JSON format.\n\n| Name                | Description                                 | Required? | Example           |\n| ------------------- | ------------------------------------------- | --------- | ----------------- |\n| domain              | Role token domain name                      | Yes       | domain.shopping   |\n| role                | Role token role name (comma separated list) | No        | users             |\n| proxy_for_principal | Role token proxyForPrincipal name           | No        | proxyForPrincipal |\n| min_expiry          | Role token minimal expiry time (in second)  | No        | 100               |\n| max_expiry          | Role token maximum expiry time (in second)  | No        | 1000              |\n\nExample:\n\n```json\n{\n  \"domain\": \"domain.shopping\",\n  \"role\": \"users\",\n  \"proxy_for_principal\": \"proxyForPrincipal\",\n  \"min_expiry\": 100,\n  \"max_expiry\": 1000\n}\n```\n\n- Response body contains below information in JSON format.\n\n| Name       | Description                              | Example |\n| ---------- | ---------------------------------------- | ------- |\n| token      | Role token                               | v=Z1;d=domain.shopping;r=users;p=domain.travel.travel-site;h=athenz.co.jp;a=9109ee08b79e6b63;t=1528853625;e=1528860825;k=0;i=192.168.1.1;s=\\[signature] |\n| expiryTime | Role token expiry time (unix timestamp)  | 1528860825 |\n\nExample:\n\n```json\n{\n  \"token\": \"v=Z1;d=domain.shopping;r=users;p=domain.travel.travel-site;h=athenz.co.jp;a=9109ee08b79e6b63;t=1528853625;e=1528860825;k=0;i=192.168.1.1;s=s9WwmhDeO_En3dvAKvh7OKoUserfqJ0LT5Pct5Gfw5lKNKGH4vgsHLI1t0JFSQJWA1ij9ay_vWw1eKaiESfNJQOKPjAANdFZlcXqCCRUCuyAKlbX6KmWtQ9JaKSkCS8a6ReOuAmCToSqHf3STdKYF2tv1ZN17ic4se4VmT5aTig-\",\n  \"expiryTime\": 1528860825\n}\n```\n\n### Get service certificate from Athenz through client sidecar\n\n- Only Accept HTTP GET request.\n- Response body contains below information in JSON format.\n\n| Name | Description         | Example |\n| ---- | ------------------- | ------- |\n| cert | Service certificate | `\u003ccertificate in PEM format\u003e` |\n\nExample:\n\n```json\n{\n  \"cert\": \"\u003ccertificate in PEM format\u003e\"\n}\n```\n\n### Proxy requests and append N-token authentication header\n\n- Accept any HTTP request.\n- Athenz client sidecar will proxy the request and append the N-token to the request header.\n- The destination server will return back to user via proxy.\n\n### Proxy requests and append role token authentication header\n\n- Accept any HTTP request.\n- Request header must contains below information.\n\n| Name                   | Description                                                  | Required? | Example  |\n| ---------------------- | ------------------------------------------------------------ | --------- | -------- |\n| Athenz-Role            | The user role name used to generate the role token           | Yes       | users    |\n| Athenz-Domain          | The domain name used to generate the role token              | Yes       | provider |\n| Athenz-Proxy-Principal | The proxy for principal name used to generate the role token | Yes       | username |\n\nHTTP header Example:\n\n```none\nAthenz-Role: users\nAthenz-Domain: provider\nAthenz-Proxy-Principal: username\n```\n\n- The destination server will return back to user via proxy.\n\n## Configuration\n\n- [config.go](./config/config.go)\n\n## Developer Guide\n\nAfter injecting client sidecar to user application, user application can access the client sidecar to get authorization and authentication credential from Athenz server. The client sidecar can only access by the user application injected, other application cannot access to the client sidecar. User can access client sidecar by using HTTP request.\n\n### Example code\n\n#### Get N-token from client sidecar\n\n```go\nimport (\n    \"encoding/json\"\n    \"fmt\"\n    \"net/http\"\n\n    \"github.com/yahoojapan/athenz-client-sidecar/v2/model\"\n)\n\nconst scURL = \"127.0.0.1\" // sidecar URL\nconst scPort = \"8081\"\n\ntype NTokenResponse = model.NTokenResponse\n\nfunc GetNToken() (*NTokenResponse, error) {\n    url := fmt.Sprintf(\"http://%s:%s/ntoken\", scURL, scPort)\n\n    // make request\n    res, err := http.Get(url)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", url, res.StatusCode)\n        return nil, err\n    }\n\n    // decode request\n    var data NTokenResponse\n    err = json.NewDecoder(res.Body).Decode(\u0026data)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\n#### Get access token from client sidecar\n\n```go\nimport (\n    \"bytes\"\n    \"encoding/json\"\n    \"fmt\"\n    \"net/http\"\n\n    \"github.com/yahoojapan/athenz-client-sidecar/v2/model\"\n)\n\nconst scURL = \"127.0.0.1\" // sidecar URL\nconst scPort = \"8081\"\n\ntype AccessRequest = model.AccessRequest\ntype AccessResponse = model.AccessResponse\n\nfunc GetAccessToken(domain, role, proxyForPrincipal string, expiry int64) (*AccessResponse, error) {\n    url := fmt.Sprintf(\"http://%s:%s/accesstoken\", scURL, scPort)\n\n    r := \u0026AccessRequest{\n        Domain:            domain,\n        Role:              role,\n        ProxyForPrincipal: proxyForPrincipal,\n        Expiry:            expiry,\n    }\n    reqJSON, _ := json.Marshal(r)\n\n    // create POST request\n    req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqJSON))\n    if err != nil {\n        return nil, err\n    }\n    req.Header.Set(\"Content-Type\", \"application/json\")\n\n    // make request\n    res, err := http.DefaultClient.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", url, res.StatusCode)\n        return nil, err\n    }\n\n    // decode request\n    var data AccessResponse\n    err = json.NewDecoder(res.Body).Decode(\u0026data)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\n#### Get role token from client sidecar\n\n```go\nimport (\n    \"bytes\"\n    \"encoding/json\"\n    \"fmt\"\n    \"net/http\"\n\n    \"github.com/yahoojapan/athenz-client-sidecar/v2/model\"\n)\n\nconst scURL = \"127.0.0.1\" // sidecar URL\nconst scPort = \"8081\"\n\ntype RoleRequest = model.RoleRequest\ntype RoleResponse = model.RoleResponse\n\nfunc GetRoleToken(domain, role, proxyForPrincipal string, minExpiry, maxExpiry int64) (*RoleResponse, error) {\n    url := fmt.Sprintf(\"http://%s:%s/roletoken\", scURL, scPort)\n\n    r := \u0026RoleRequest{\n        Domain:            domain,\n        Role:              role,\n        ProxyForPrincipal: proxyForPrincipal,\n        MinExpiry:         minExpiry,\n        MaxExpiry:         maxExpiry,\n    }\n    reqJSON, _ := json.Marshal(r)\n\n    // create POST request\n    req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqJSON))\n    if err != nil {\n        return nil, err\n    }\n    req.Header.Set(\"Content-Type\", \"application/json\")\n\n    // make request\n    res, err := http.DefaultClient.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", url, res.StatusCode)\n        return nil, err\n    }\n\n    // decode request\n    var data RoleResponse\n    err = json.NewDecoder(res.Body).Decode(\u0026data)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\n#### Get service certificate from client sidecar\n\n```go\nimport (\n    \"encoding/json\"\n    \"fmt\"\n    \"net/http\"\n\n    \"github.com/yahoojapan/athenz-client-sidecar/v2/model\"\n)\n\nconst scURL = \"127.0.0.1\" // sidecar URL\nconst scPort = \"8081\"\n\ntype SvcCertResponse = model.SvcCertResponse\n\nfunc GetSvcCert() (*SvcCertResponse, error) {\n    url := fmt.Sprintf(\"http://%s:%s/svccert\", scURL, scPort)\n\n    // make request\n    res, err := http.Get(url)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", url, res.StatusCode)\n        return nil, err\n    }\n\n    // decode request\n    var data SvcCertResponse\n    err = json.NewDecoder(res.Body).Decode(\u0026data)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\n#### Proxy request through client sidecar (append N-token)\n\n```go\nconst (\n    scURL  = \"127.0.0.1\" // sidecar URL\n    scPort = \"8081\"\n)\n\nvar (\n    httpClient *http.Client // the HTTP client that use the proxy to append N-token header\n\n    // proxy URL\n    proxyNTokenURL    = fmt.Sprintf(\"http://%s:%s/proxy/ntoken\", scURL, scPort)\n)\n\nfunc initHTTPClient() error {\n    proxyURL, err := url.Parse(proxyNTokenURL)\n    if err != nil {\n        return err\n    }\n\n    // transport that use the proxy, and append to the client\n    transport := \u0026http.Transport{\n        Proxy: http.ProxyURL(proxyURL),\n    }\n    httpClient = \u0026http.Client{\n        Transport: transport,\n    }\n\n    return nil\n}\n\nfunc MakeRequestUsingProxy(method, targetURL string, body io.Reader) (*[]byte, error) {\n    // create POST request\n    req, err := http.NewRequest(method, targetURL, body)\n    if err != nil {\n        return nil, err\n    }\n\n    // make request through the proxy\n    res, err := httpClient.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", targetURL, res.StatusCode)\n        return nil, err\n    }\n\n    // process response\n    data, err := ioutil.ReadAll(res.Body)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\n#### Proxy request through client sidecar (append role token)\n\n```go\nconst (\n    scURL  = \"127.0.0.1\" // sidecar URL\n    scPort = \"8081\"\n)\n\nvar (\n    httpClient *http.Client // the HTTP client that use the proxy to append role token header\n\n    // proxy URL\n    proxyRoleTokenURL = fmt.Sprintf(\"http://%s:%s/proxy/roletoken\", scURL, scPort)\n)\n\nfunc initHTTPClient() error {\n    proxyURL, err := url.Parse(proxyRoleTokenURL)\n    if err != nil {\n        return err\n    }\n\n    // transport that use the proxy, and append to the client\n    transport := \u0026http.Transport{\n        Proxy: http.ProxyURL(proxyURL),\n    }\n    httpClient = \u0026http.Client{\n        Transport: transport,\n    }\n\n    return nil\n}\n\nfunc MakeRequestUsingProxy(method, targetURL string, body io.Reader, role, domain, proxyPrincipal string) (*[]byte, error) {\n    // create POST request\n    req, err := http.NewRequest(method, targetURL, body)\n    if err != nil {\n        return nil, err\n    }\n\n    // append header for the proxy\n    req.Header.Set(\"Athenz-Role\", role)\n    req.Header.Set(\"Athenz-Domain\", domain)\n    req.Header.Set(\"Athenz-Proxy-Principal\", proxyPrincipal)\n\n    // make request through the proxy\n    res, err := httpClient.Do(req)\n    if err != nil {\n        return nil, err\n    }\n    defer res.Body.Close()\n\n    // validate response\n    if res.StatusCode != http.StatusOK {\n        err = fmt.Errorf(\"%s returned status code %d\", targetURL, res.StatusCode)\n        return nil, err\n    }\n\n    // process response\n    data, err := ioutil.ReadAll(res.Body)\n    if err != nil {\n        return nil, err\n    }\n\n    return \u0026data, nil\n}\n```\n\nWe only provided golang example, but user can implement a client using any other language and connect to sidecar container using HTTP request.\n\n## Deployment Procedure\n\n1. Inject client sidecar to your K8s deployment file.\n\n2. Deploy to K8s.\n\n   ```bash\n   kubectl apply -f injected_deployments.yaml\n   ```\n\n3. Verify if the application running\n\n   ```bash\n   # list all the pods\n   kubectl get pods -n \u003cnamespace\u003e\n   # if you are not sure which namespace your application deployed, use `--all-namespaces` option\n   kubectl get pods --all-namespaces\n\n   # describe the pod to show detail information\n   kubectl describe pods \u003cpod_name\u003e\n\n   # check application logs\n   kubectl logs \u003cpod_name\u003e -c \u003ccontainer_name\u003e\n   # e.g. to show client sidecar logs\n   kubectl logs nginx-deployment-6cc8764f9c-5c6hm -c athenz-client-sidecar\n   ```\n\n## License\n\n```markdown\nCopyright (C) 2018 Yahoo Japan Corporation Athenz team.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\n## Contributor License Agreement\n\nThis project requires contributors to agree to a [Contributor License Agreement (CLA)](https://gist.github.com/ydnjp/3095832f100d5c3d2592).\n\nNote that only for contributions to the `athenz-client-sidecar` repository on the [GitHub](https://github.com/yahoojapan/garathenz-client-sidecarm), the contributors of them shall be deemed to have agreed to the CLA without individual written agreements.\n\n## About releases\n\n- Releases\n    - [![GitHub release (latest by date)](https://img.shields.io/github/v/release/yahoojapan/athenz-client-sidecar?style=flat-square\u0026label=Github%20version)](https://github.com/yahoojapan/athenz-client-sidecar/releases/latest)\n    - [![Docker Image Version (tag latest)](https://img.shields.io/docker/v/yahoojapan/athenz-client-sidecar/latest?style=flat-square\u0026label=Docker%20version)](https://hub.docker.com/r/yahoojapan/athenz-client-sidecar/tags)\n\n## Authors\n\n- [kpango](https://github.com/kpango)\n- [kevindiu](https://github.com/kevindiu)\n- [TakuyaMatsu](https://github.com/TakuyaMatsu)\n- [tatyano](https://github.com/tatyano)\n- [WindzCUHK](https://github.com/WindzCUHK)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoojapan%2Fathenz-client-sidecar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyahoojapan%2Fathenz-client-sidecar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoojapan%2Fathenz-client-sidecar/lists"}