diff --git a/bootstrap/bootstrap.go b/bootstrap/bootstrap.go
new file mode 100644
index 0000000..e340945
--- /dev/null
+++ b/bootstrap/bootstrap.go
@@ -0,0 +1,143 @@
+package bootstrap
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/combust-labs/firebuild-mmds/mmds"
+	"github.com/combust-labs/firebuild-shared/build/commands"
+	"github.com/combust-labs/firebuild-shared/build/rootfs"
+	"github.com/hashicorp/go-hclog"
+	"github.com/pkg/errors"
+)
+
+type Bootstrapper interface {
+	Execute() error
+	WithCommandRunner(CommandRunner) Bootstrapper
+	WithResourceDeployer(ResourceDeployer) Bootstrapper
+}
+
+type defaultBootstrapper struct {
+	commandRunner    CommandRunner
+	bootstrapData    *mmds.MMDSBootstrap
+	logger           hclog.Logger
+	resourceDeployer ResourceDeployer
+}
+
+func NewDefaultBoostrapper(logger hclog.Logger, bootstrapData *mmds.MMDSBootstrap) Bootstrapper {
+	return &defaultBootstrapper{
+		commandRunner:    &noopCommandRunner{logger: logger.Named("noop-runner")},
+		bootstrapData:    bootstrapData,
+		logger:           logger,
+		resourceDeployer: &noopResourceDeployer{logger: logger.Named("noo-deployer")},
+	}
+}
+
+// DoBootstrap executes the bootstrap sequence on the machine.
+func (b *defaultBootstrapper) Execute() error {
+	clientTLSConfig, err := getTLSConfig(b.bootstrapData)
+	if err != nil {
+		b.logger.Error("failed creating client TLS config", "reason", err)
+		return err
+	}
+
+	clientConfig := &rootfs.GRPCClientConfig{
+		HostPort:       b.bootstrapData.HostPort,
+		TLSConfig:      clientTLSConfig,
+		MaxRecvMsgSize: rootfs.DefaultMaxRecvMsgSize,
+	}
+
+	client, err := rootfs.NewClient(b.logger.Named("grpc-client"), clientConfig)
+	if err != nil {
+		b.logger.Error("failed constructing gRPC client", "reason", err)
+		return err
+	}
+
+	if err := client.Commands(); err != nil {
+		b.logger.Error("failed fetching bootstrap commands over gRPC", "reason", err)
+		return err
+	}
+
+	for {
+
+		serializableCommand := client.NextCommand()
+		if serializableCommand == nil {
+			break // finished
+		}
+
+		switch vCommand := serializableCommand.(type) {
+		case commands.Run:
+			if err := b.commandRunner.Execute(vCommand, client); err != nil {
+				b.logger.Error("bootstrap failed, executing RUN command failed", "reason", err)
+				client.Abort(err)
+				return err
+			}
+		case commands.Add:
+			if err := b.resourceDeployer.Add(vCommand, client); err != nil {
+				b.logger.Error("bootstrap failed, executing ADD command failed", "reason", err)
+				client.Abort(err)
+				return err
+			}
+		case commands.Copy:
+			if err := b.resourceDeployer.Copy(vCommand, client); err != nil {
+				b.logger.Error("bootstrap failed, executing COPY command failed", "reason", err)
+				client.Abort(err)
+				return err
+			}
+		}
+
+	}
+
+	client.Success()
+
+	return nil
+}
+
+func (b *defaultBootstrapper) WithCommandRunner(input CommandRunner) Bootstrapper {
+	b.commandRunner = input
+	return b
+}
+func (b *defaultBootstrapper) WithResourceDeployer(input ResourceDeployer) Bootstrapper {
+	b.resourceDeployer = input
+	return b
+}
+
+func getTLSConfig(bootstrapData *mmds.MMDSBootstrap) (*tls.Config, error) {
+	roots := x509.NewCertPool()
+	input := []byte(bootstrapData.Certificate)
+	for {
+		block, remaning := pem.Decode(input)
+		if block == nil {
+			break
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed parsing certificate")
+		}
+		roots.AddCert(cert)
+		input = remaning
+	}
+
+	ok := roots.AppendCertsFromPEM([]byte(bootstrapData.CaChain))
+	if !ok {
+		return nil, fmt.Errorf("failed appending root to the cert pool")
+	}
+
+	block, _ := pem.Decode([]byte(bootstrapData.Certificate))
+	if block == nil {
+		return nil, fmt.Errorf("failed to parse certificate PEM")
+	}
+
+	tlsCert, err := tls.X509KeyPair([]byte(bootstrapData.Certificate), []byte(bootstrapData.Key))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed loading TLS certificate")
+	}
+
+	return &tls.Config{
+		ServerName:   bootstrapData.ServerName,
+		RootCAs:      roots,
+		Certificates: []tls.Certificate{tlsCert},
+	}, nil
+}
diff --git a/bootstrap/bootstrap_test.go b/bootstrap/bootstrap_test.go
new file mode 100644
index 0000000..44ca15f
--- /dev/null
+++ b/bootstrap/bootstrap_test.go
@@ -0,0 +1,554 @@
+package bootstrap
+
+import (
+	"bytes"
+	"io"
+	"io/fs"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/combust-labs/firebuild-embedded-ca/ca"
+	"github.com/combust-labs/firebuild-mmds/mmds"
+	"github.com/combust-labs/firebuild-shared/build/commands"
+	"github.com/combust-labs/firebuild-shared/build/resources"
+	"github.com/combust-labs/firebuild-shared/build/rootfs"
+	"github.com/hashicorp/go-hclog"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFailingRunCommandBootstrap(t *testing.T) {
+
+	testServerAppName := "test-server-app"
+
+	logger := hclog.Default()
+	logger.SetLevel(hclog.Trace)
+
+	// recreate a work context manually:
+	buildCtx := &rootfs.WorkContext{
+		ExecutableCommands: []commands.VMInitSerializableCommand{
+			commands.Run{
+				OriginalCommand: "RUN echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Args: map[string]string{
+					"BUILD_ARG": "value",
+				},
+				Command: "echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Env:     map[string]string{},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Run{
+				OriginalCommand: "RUN exit 1",
+				Args:            map[string]string{},
+				Command:         "exit 1",
+				Env:             map[string]string{},
+				Shell:           commands.DefaultShell(),
+				User:            commands.DefaultUser(),
+				Workdir:         commands.DefaultWorkdir(),
+			},
+		},
+	}
+
+	// construct an embedded CA to manually handle TLS configs:
+	embeddedCAConfig := &ca.EmbeddedCAConfig{
+		Addresses:     []string{testServerAppName},
+		CertsValidFor: time.Hour,
+		KeySize:       1024,
+	}
+
+	embeddedCA, err := ca.NewDefaultEmbeddedCAWithLogger(embeddedCAConfig, logger.Named("embedded-ca"))
+	if err != nil {
+		t.Fatal("failed constructing embedded CA", err)
+	}
+
+	serverTLSConfig, err := embeddedCA.NewServerCertTLSConfig()
+	if err != nil {
+		t.Fatal("failed creating test server TLS config", err)
+	}
+
+	grpcConfig := &rootfs.GRPCServiceConfig{
+		ServerName:      testServerAppName,
+		BindHostPort:    "127.0.0.1:0",
+		TLSConfigServer: serverTLSConfig,
+	}
+
+	testServer := rootfs.NewTestServer(t, logger.Named("grpc-server"), grpcConfig, buildCtx)
+	testServer.Start()
+	select {
+	case startErr := <-testServer.FailedNotify():
+		t.Fatal("expected the GRPC server to start but it failed", startErr)
+	case <-testServer.ReadyNotify():
+		t.Log("GRPC server started and serving on", grpcConfig.BindHostPort)
+	}
+
+	clientCertData, err := embeddedCA.NewClientCert()
+	if err != nil {
+		t.Fatal("failed creating test client certitifcate", err)
+	}
+
+	bootstrapConfig := &mmds.MMDSBootstrap{
+		HostPort:    grpcConfig.BindHostPort,
+		CaChain:     strings.Join(embeddedCA.CAPEMChain(), "\n"),
+		Certificate: string(clientCertData.CertificatePEM()),
+		Key:         string(clientCertData.KeyPEM()),
+		ServerName:  testServerAppName,
+	}
+
+	bootstrapper := NewDefaultBoostrapper(logger.Named("bootstrapper"), bootstrapConfig).
+		WithCommandRunner(NewShellCommandRunner(logger.Named("shell-runner"))).
+		WithResourceDeployer(NewExecutingResourceDeployer(logger.Named("executing-deployer")))
+
+	bootstrapErr := bootstrapper.Execute()
+	assert.NotNil(t, bootstrapErr)
+
+	<-testServer.FinishedNotify()
+
+	serverOutput := testServer.ConsumedStdout()
+	assert.Equal(t, serverOutput, []string{
+		"echo value; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"\n",
+	})
+}
+
+func TestFailingAddBootstrap(t *testing.T) {
+
+	testServerAppName := "test-server-app"
+
+	logger := hclog.Default()
+	logger.SetLevel(hclog.Debug)
+
+	// use this directory as the workdir for ADD and COPY resources:
+	tempDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		t.Fatal("expected temp dir, got error", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// recreate a work context manually:
+	buildCtx := &rootfs.WorkContext{
+		ExecutableCommands: []commands.VMInitSerializableCommand{
+			commands.Run{
+				OriginalCommand: "RUN apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Args:            map[string]string{},
+				Command:         "apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Env: map[string]string{
+					"HOME": "/home/test-user",
+				},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Run{
+				OriginalCommand: "RUN echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Args: map[string]string{
+					"BUILD_ARG": "value",
+				},
+				Command: "echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Env:     map[string]string{},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Add{
+				OriginalCommand: "ADD etc/test-file1 /etc/test-file1",
+				OriginalSource:  "etc/test-file1",
+				Source:          "etc/test-file1",
+				Target:          "/etc/test-file1",
+				User:            commands.DefaultUser(),
+				Workdir:         commands.Workdir{Value: tempDir},
+			},
+		},
+	}
+
+	// construct an embedded CA to manually handle TLS configs:
+	embeddedCAConfig := &ca.EmbeddedCAConfig{
+		Addresses:     []string{testServerAppName},
+		CertsValidFor: time.Hour,
+		KeySize:       1024,
+	}
+
+	embeddedCA, err := ca.NewDefaultEmbeddedCAWithLogger(embeddedCAConfig, logger.Named("embedded-ca"))
+	if err != nil {
+		t.Fatal("failed constructing embedded CA", err)
+	}
+
+	serverTLSConfig, err := embeddedCA.NewServerCertTLSConfig()
+	if err != nil {
+		t.Fatal("failed creating test server TLS config", err)
+	}
+
+	grpcConfig := &rootfs.GRPCServiceConfig{
+		ServerName:      testServerAppName,
+		BindHostPort:    "127.0.0.1:0",
+		TLSConfigServer: serverTLSConfig,
+	}
+
+	testServer := rootfs.NewTestServer(t, logger.Named("grpc-server"), grpcConfig, buildCtx)
+	testServer.Start()
+	select {
+	case startErr := <-testServer.FailedNotify():
+		t.Fatal("expected the GRPC server to start but it failed", startErr)
+	case <-testServer.ReadyNotify():
+		t.Log("GRPC server started and serving on", grpcConfig.BindHostPort)
+	}
+
+	clientCertData, err := embeddedCA.NewClientCert()
+	if err != nil {
+		t.Fatal("failed creating test client certitifcate", err)
+	}
+
+	bootstrapConfig := &mmds.MMDSBootstrap{
+		HostPort:    grpcConfig.BindHostPort,
+		CaChain:     strings.Join(embeddedCA.CAPEMChain(), "\n"),
+		Certificate: string(clientCertData.CertificatePEM()),
+		Key:         string(clientCertData.KeyPEM()),
+		ServerName:  testServerAppName,
+	}
+
+	bootstrapper := NewDefaultBoostrapper(logger.Named("bootstrapper"), bootstrapConfig).
+		WithCommandRunner(NewShellCommandRunner(logger.Named("shell-runner"))).
+		WithResourceDeployer(NewExecutingResourceDeployer(logger.Named("executing-deployer")))
+
+	bootstrapErr := bootstrapper.Execute()
+	assert.NotNil(t, bootstrapErr)
+
+	<-testServer.FinishedNotify()
+
+	serverOutput := testServer.ConsumedStdout()
+	assert.Equal(t, serverOutput, []string{
+		"apt-get update && apt-get install ca-certificates && mkdir -p /home/test-user/test\n",
+		"echo value; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"\n",
+	})
+}
+
+func TestFailingCopyBootstrap(t *testing.T) {
+
+	testServerAppName := "test-server-app"
+
+	logger := hclog.Default()
+	logger.SetLevel(hclog.Debug)
+
+	// use this directory as the workdir for ADD and COPY resources:
+	tempDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		t.Fatal("expected temp dir, got error", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// recreate a work context manually:
+	buildCtx := &rootfs.WorkContext{
+		ExecutableCommands: []commands.VMInitSerializableCommand{
+			commands.Run{
+				OriginalCommand: "RUN apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Args:            map[string]string{},
+				Command:         "apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Env: map[string]string{
+					"HOME": "/home/test-user",
+				},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Run{
+				OriginalCommand: "RUN echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Args: map[string]string{
+					"BUILD_ARG": "value",
+				},
+				Command: "echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Env:     map[string]string{},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Copy{
+				OriginalCommand: "COPY etc/directory /etc/directory",
+				OriginalSource:  "etc/directory",
+				Source:          "etc/directory",
+				Target:          "/etc/directory",
+				User:            commands.DefaultUser(),
+				Workdir:         commands.Workdir{Value: tempDir},
+			},
+		},
+	}
+
+	// construct an embedded CA to manually handle TLS configs:
+	embeddedCAConfig := &ca.EmbeddedCAConfig{
+		Addresses:     []string{testServerAppName},
+		CertsValidFor: time.Hour,
+		KeySize:       1024,
+	}
+
+	embeddedCA, err := ca.NewDefaultEmbeddedCAWithLogger(embeddedCAConfig, logger.Named("embedded-ca"))
+	if err != nil {
+		t.Fatal("failed constructing embedded CA", err)
+	}
+
+	serverTLSConfig, err := embeddedCA.NewServerCertTLSConfig()
+	if err != nil {
+		t.Fatal("failed creating test server TLS config", err)
+	}
+
+	grpcConfig := &rootfs.GRPCServiceConfig{
+		ServerName:      testServerAppName,
+		BindHostPort:    "127.0.0.1:0",
+		TLSConfigServer: serverTLSConfig,
+	}
+
+	testServer := rootfs.NewTestServer(t, logger.Named("grpc-server"), grpcConfig, buildCtx)
+	testServer.Start()
+	select {
+	case startErr := <-testServer.FailedNotify():
+		t.Fatal("expected the GRPC server to start but it failed", startErr)
+	case <-testServer.ReadyNotify():
+		t.Log("GRPC server started and serving on", grpcConfig.BindHostPort)
+	}
+
+	clientCertData, err := embeddedCA.NewClientCert()
+	if err != nil {
+		t.Fatal("failed creating test client certitifcate", err)
+	}
+
+	bootstrapConfig := &mmds.MMDSBootstrap{
+		HostPort:    grpcConfig.BindHostPort,
+		CaChain:     strings.Join(embeddedCA.CAPEMChain(), "\n"),
+		Certificate: string(clientCertData.CertificatePEM()),
+		Key:         string(clientCertData.KeyPEM()),
+		ServerName:  testServerAppName,
+	}
+
+	bootstrapper := NewDefaultBoostrapper(logger.Named("bootstrapper"), bootstrapConfig).
+		WithCommandRunner(NewShellCommandRunner(logger.Named("shell-runner"))).
+		WithResourceDeployer(NewExecutingResourceDeployer(logger.Named("executing-deployer")))
+
+	bootstrapErr := bootstrapper.Execute()
+	assert.NotNil(t, bootstrapErr)
+
+	<-testServer.FinishedNotify()
+
+	serverOutput := testServer.ConsumedStdout()
+	assert.Equal(t, serverOutput, []string{
+		"apt-get update && apt-get install ca-certificates && mkdir -p /home/test-user/test\n",
+		"echo value; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"\n",
+	})
+}
+
+func TestSuccessfulBootstrapWithResources(t *testing.T) {
+
+	testServerAppName := "test-server-app"
+
+	logger := hclog.Default()
+	logger.SetLevel(hclog.Debug)
+
+	// use this directory as the workdir for ADD and COPY resources:
+	tempDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		t.Fatal("expected temp dir, got error", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	etcTestFile1Contents := []byte("test-file1 contents")
+
+	mustPutTestResource(t, filepath.Join(tempDir, "etc/test-file1"), etcTestFile1Contents)
+	mustPutTestResource(t, filepath.Join(tempDir, "etc/directory/file1"), []byte("etc/directory/file1 contents"))
+	mustPutTestResource(t, filepath.Join(tempDir, "etc/directory/file2"), []byte("etc/directory/file2 contents"))
+	mustPutTestResource(t, filepath.Join(tempDir, "etc/directory/subdir/subdir-file1"), []byte("etc/directory/subdir/subdir-file1 contents"))
+
+	// recreate a work context manually:
+	buildCtx := &rootfs.WorkContext{
+		ExecutableCommands: []commands.VMInitSerializableCommand{
+			commands.Run{
+				OriginalCommand: "RUN apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Args:            map[string]string{},
+				Command:         "apt-get update && apt-get install ca-certificates && mkdir -p ${HOME}/test",
+				Env: map[string]string{
+					"HOME": "/home/test-user",
+				},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Run{
+				OriginalCommand: "RUN echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Args: map[string]string{
+					"BUILD_ARG": "value",
+				},
+				Command: "echo ${BUILD_ARG}; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"",
+				Env:     map[string]string{},
+				Shell: commands.Shell{
+					Commands: []string{"/bin/echo", "-e"},
+				},
+				User:    commands.DefaultUser(),
+				Workdir: commands.DefaultWorkdir(),
+			},
+			commands.Add{
+				OriginalCommand: "ADD etc/test-file1 /etc/test-file1",
+				OriginalSource:  "etc/test-file1",
+				Source:          "etc/test-file1",
+				Target:          "/etc/test-file1",
+				User:            commands.DefaultUser(),
+				Workdir:         commands.Workdir{Value: tempDir},
+			},
+			commands.Copy{
+				OriginalCommand: "COPY etc/directory /etc/directory",
+				OriginalSource:  "etc/directory",
+				Source:          "etc/directory",
+				Target:          "/etc/directory",
+				User:            commands.DefaultUser(),
+				Workdir:         commands.Workdir{Value: tempDir},
+			},
+		},
+		ResourcesResolved: rootfs.Resources{
+			"etc/test-file1": []resources.ResolvedResource{
+				resources.NewResolvedFileResourceWithPath(func() (io.ReadCloser, error) {
+					return io.NopCloser(bytes.NewReader(etcTestFile1Contents)), nil
+				},
+					fs.FileMode(0755),
+					"etc/test-file1",
+					"/etc/test-file1",
+					commands.Workdir{Value: tempDir},
+					commands.DefaultUser(),
+					filepath.Join(tempDir, "etc/test-file1")),
+			},
+			"etc/directory": []resources.ResolvedResource{
+				resources.NewResolvedDirectoryResourceWithPath(fs.FileMode(0755),
+					filepath.Join(tempDir, "etc/directory"),
+					"etc/directory",
+					"/etc/directory",
+					commands.Workdir{Value: tempDir},
+					commands.DefaultUser()),
+			},
+		},
+	}
+
+	// construct an embedded CA to manually handle TLS configs:
+	embeddedCAConfig := &ca.EmbeddedCAConfig{
+		Addresses:     []string{testServerAppName},
+		CertsValidFor: time.Hour,
+		KeySize:       1024,
+	}
+
+	embeddedCA, err := ca.NewDefaultEmbeddedCAWithLogger(embeddedCAConfig, logger.Named("embedded-ca"))
+	if err != nil {
+		t.Fatal("failed constructing embedded CA", err)
+	}
+
+	serverTLSConfig, err := embeddedCA.NewServerCertTLSConfig()
+	if err != nil {
+		t.Fatal("failed creating test server TLS config", err)
+	}
+
+	grpcConfig := &rootfs.GRPCServiceConfig{
+		ServerName:      testServerAppName,
+		BindHostPort:    "127.0.0.1:0",
+		TLSConfigServer: serverTLSConfig,
+	}
+
+	testServer := rootfs.NewTestServer(t, logger.Named("grpc-server"), grpcConfig, buildCtx)
+	testServer.Start()
+	select {
+	case startErr := <-testServer.FailedNotify():
+		t.Fatal("expected the GRPC server to start but it failed", startErr)
+	case <-testServer.ReadyNotify():
+		t.Log("GRPC server started and serving on", grpcConfig.BindHostPort)
+	}
+
+	clientCertData, err := embeddedCA.NewClientCert()
+	if err != nil {
+		t.Fatal("failed creating test client certitifcate", err)
+	}
+
+	bootstrapConfig := &mmds.MMDSBootstrap{
+		HostPort:    grpcConfig.BindHostPort,
+		CaChain:     strings.Join(embeddedCA.CAPEMChain(), "\n"),
+		Certificate: string(clientCertData.CertificatePEM()),
+		Key:         string(clientCertData.KeyPEM()),
+		ServerName:  testServerAppName,
+	}
+
+	bootstrapper := NewDefaultBoostrapper(logger.Named("bootstrapper"), bootstrapConfig).
+		WithCommandRunner(NewShellCommandRunner(logger.Named("shell-runner"))).
+		WithResourceDeployer(NewExecutingResourceDeployer(logger.Named("executing-deployer")))
+
+	bootstrapErr := bootstrapper.Execute()
+	assert.Nil(t, bootstrapErr)
+
+	<-testServer.FinishedNotify()
+
+	serverOutput := testServer.ConsumedStdout()
+	assert.Equal(t, serverOutput, []string{
+		"apt-get update && apt-get install ca-certificates && mkdir -p /home/test-user/test\n",
+		"echo value; apkArch=\"$(apk --print-arch)\" && case \"${apkArch}\"\n",
+	})
+}
+
+func TestGetTLSConfig(t *testing.T) {
+
+	logger := hclog.Default()
+	logger.SetLevel(hclog.Debug)
+
+	embeddedCAConfig := &ca.EmbeddedCAConfig{
+		Addresses:     []string{"test-app"},
+		CertsValidFor: time.Hour,
+		KeySize:       1024,
+	}
+
+	embeddedCA, err := ca.NewDefaultEmbeddedCAWithLogger(embeddedCAConfig, logger.Named("embedded-ca"))
+	if err != nil {
+		t.Fatal("failed constructing embedded CA", err)
+	}
+
+	clientCertData, err := embeddedCA.NewClientCert()
+	if err != nil {
+		t.Fatal("failed creating test client certitifcate", err)
+	}
+
+	bootstrapConfig := &mmds.MMDSBootstrap{
+		HostPort:    "127.0.0.1:0",
+		CaChain:     strings.Join(embeddedCA.CAPEMChain(), "\n"),
+		Certificate: string(clientCertData.CertificatePEM()),
+		Key:         string(clientCertData.KeyPEM()),
+		ServerName:  "irrelevant",
+	}
+
+	_, tlsConfigErr := getTLSConfig(bootstrapConfig)
+	if tlsConfigErr != nil {
+		t.Fatal("expected TLS config, got error", tlsConfigErr)
+	}
+
+}
+
+func mustPutTestResource(t *testing.T, path string, contents []byte) {
+	if err := os.MkdirAll(filepath.Dir(path), fs.ModePerm); err != nil {
+		t.Fatal("failed creating parent directory for the resource, got error", err)
+	}
+	if err := ioutil.WriteFile(path, contents, fs.ModePerm); err != nil {
+		t.Fatal("expected resource to be written, got error", err)
+	}
+}
+
+const testDockerfileMultiStage = `FROM alpine:3.13 as builder
+
+FROM alpine:3.13
+ARG PARAM1=value
+ENV ENVPARAM1=envparam1
+RUN mkdir -p /dir
+ADD resource1 /target/resource1
+COPY resource2 /target/resource2
+COPY --from=builder /etc/test /etc/test
+RUN cp /dir/${ENVPARAM1} \
+	&& call --arg=${PARAM1}`
diff --git a/bootstrap/command_runner.go b/bootstrap/command_runner.go
new file mode 100644
index 0000000..005c1ea
--- /dev/null
+++ b/bootstrap/command_runner.go
@@ -0,0 +1,148 @@
+package bootstrap
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/combust-labs/firebuild-shared/build/commands"
+	"github.com/combust-labs/firebuild-shared/build/rootfs"
+	"github.com/combust-labs/firebuild-shared/env"
+	"github.com/hashicorp/go-hclog"
+	"github.com/pkg/errors"
+)
+
+type CommandRunner interface {
+	Execute(commands.Run, rootfs.ClientProvider) error
+}
+
+type noopCommandRunner struct {
+	logger hclog.Logger
+}
+
+func (n *noopCommandRunner) Execute(cmd commands.Run, grpcClient rootfs.ClientProvider) error {
+
+	cmdEnv := env.NewBuildEnv()
+	for k, v := range cmd.Args {
+		cmdEnv.Put(k, v)
+	}
+	for k, v := range cmd.Env {
+		cmdEnv.Put(k, v)
+	}
+
+	// We're running the commands by wrapping the command in the shell call so sshSession.Setenv might not do what we intend.
+	// Also, we don't really know which shell are we running because it comes as an argument to us
+	// so we can't, for example, assume bourne shell -a...
+	envString := ""
+	for k, v := range cmd.Env {
+		envString = fmt.Sprintf("export %s%s=\"%s\"; ", envString, k, v)
+	}
+
+	executableCommand := fmt.Sprintf("mkdir -p %s && cd %s && %s '%s'\n",
+		cmd.Workdir.Value,
+		cmd.Workdir.Value,
+		strings.Join(cmd.Shell.Commands, " "),
+		strings.ReplaceAll(envString+cmdEnv.Expand(cmd.Command), "'", "'\\''"))
+
+	n.logger.Debug("executing RUN command", "command", executableCommand)
+
+	return nil
+}
+
+type shellCommandRunner struct {
+	defaultUser commands.User
+	logger      hclog.Logger
+}
+
+func NewShellCommandRunner(logger hclog.Logger) CommandRunner {
+	return &shellCommandRunner{
+		defaultUser: commands.DefaultUser(),
+		logger:      logger,
+	}
+}
+
+func (n *shellCommandRunner) Execute(cmd commands.Run, grpcClient rootfs.ClientProvider) error {
+
+	logValues := []interface{}{
+		"workdir", cmd.Workdir.Value,
+		"user", cmd.User.Value,
+		"shell", cmd.Shell.Commands,
+	}
+	if n.logger.IsTrace() {
+		logValues = append(logValues, []interface{}{"raw-command", cmd}...)
+	}
+
+	n.logger.Debug("executing command", logValues...)
+
+	cmdEnv := env.NewBuildEnv()
+	for k, v := range cmd.Args {
+		cmdEnv.Put(k, v)
+	}
+	for k, v := range cmd.Env {
+		cmdEnv.Put(k, v)
+	}
+
+	// TODO: https://github.com/combust-labs/firebuild/issues/2
+
+	cmdargs := cmd.Shell.Commands
+	cmdargs = append(cmdargs, cmdEnv.Expand(cmd.Command))
+
+	shellCmd := exec.Command(cmdargs[0], cmdargs[1:]...)
+	shellCmd.Dir = cmd.Workdir.Value
+	shellCmd.Env = func() []string {
+		result := []string{}
+		for k, v := range cmdEnv.Snapshot() {
+			result = append(result, fmt.Sprintf("%s=%s", k, v))
+		}
+		return result
+	}()
+	shellCmd.Stderr = &shellCommandWriter{
+		writerFunc: func(p []byte) error {
+			n.logger.Trace("writing stderr", "data", string(p))
+			return grpcClient.StdErr([]string{string(p)})
+		},
+	}
+	shellCmd.Stdout = &shellCommandWriter{
+		writerFunc: func(p []byte) error {
+			n.logger.Trace("writing stdout", "data", string(p))
+			return grpcClient.StdOut([]string{string(p)})
+		},
+	}
+
+	// Start the command
+	if err := shellCmd.Start(); err != nil {
+		n.logger.Error("failed starting command", "reason", err)
+		return err
+	}
+
+	if err := shellCmd.Wait(); err != nil {
+		if exiterr, ok := err.(*exec.ExitError); ok {
+
+			// The program has exited with an exit code != 0
+			// This works on both Unix and Windows. Although package
+			// syscall is generally platform dependent, WaitStatus is
+			// defined for both Unix and Windows and in both cases has
+			// an ExitStatus() method with the same signature.
+			n.logger.Error("command finished with error", "reason", exiterr)
+			return errors.Wrapf(exiterr, "command exited with code: %d, message %q", exiterr.ExitCode(), exiterr.String())
+		} else {
+			n.logger.Error("wait returned a non exec.ExitError error", "reason", err)
+			return err
+		}
+	}
+
+	n.logger.Debug("command finished successfully")
+
+	return nil
+}
+
+type shellCommandWriter struct {
+	writerFunc func([]byte) error
+}
+
+func (e *shellCommandWriter) Write(p []byte) (n int, err error) {
+	if err := e.writerFunc(p); err != nil {
+		return 0, err
+	}
+	return len(p), nil
+}
diff --git a/bootstrap/resource_deployer.go b/bootstrap/resource_deployer.go
new file mode 100644
index 0000000..03b990f
--- /dev/null
+++ b/bootstrap/resource_deployer.go
@@ -0,0 +1,205 @@
+package bootstrap
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/combust-labs/firebuild-shared/build/commands"
+	"github.com/combust-labs/firebuild-shared/build/resources"
+	"github.com/combust-labs/firebuild-shared/build/rootfs"
+	"github.com/hashicorp/go-hclog"
+)
+
+type ResourceDeployer interface {
+	Add(commands.Add, rootfs.ClientProvider) error
+	Copy(commands.Copy, rootfs.ClientProvider) error
+}
+
+type noopResourceDeployer struct {
+	logger hclog.Logger
+}
+
+func (n *noopResourceDeployer) Add(cmd commands.Add, grpcClient rootfs.ClientProvider) error {
+	n.logger.Debug("executing ADD command", "command", cmd)
+	return nil
+}
+func (n *noopResourceDeployer) Copy(cmd commands.Copy, grpcClient rootfs.ClientProvider) error {
+	n.logger.Debug("executing COPY command", "command", cmd)
+	return nil
+}
+
+type executingResourceDeployer struct {
+	defaultUser commands.User
+	logger      hclog.Logger
+}
+
+func NewExecutingResourceDeployer(logger hclog.Logger) ResourceDeployer {
+	return &executingResourceDeployer{
+		defaultUser: commands.DefaultUser(),
+		logger:      logger,
+	}
+}
+
+func (n *executingResourceDeployer) Add(cmd commands.Add, grpcClient rootfs.ClientProvider) error {
+	n.logger.Debug("executing ADD command", "command", cmd)
+	return n.deployResources(cmd.Source, grpcClient)
+}
+func (n *executingResourceDeployer) Copy(cmd commands.Copy, grpcClient rootfs.ClientProvider) error {
+	n.logger.Debug("executing COPY command", "command", cmd)
+	return n.deployResources(cmd.Source, grpcClient)
+}
+
+func (n *executingResourceDeployer) deployResources(source string, grpcClient rootfs.ClientProvider) error {
+
+	resourceChannel, err := grpcClient.Resource(source)
+
+	if err != nil {
+		return err
+	}
+
+	nResourcesTransferred := 0
+
+	for {
+		select {
+		case item := <-resourceChannel:
+			switch titem := item.(type) {
+			case nil:
+				if nResourcesTransferred == 0 {
+					// there was nothing transferred, this is an error implying the resource was not found:
+					n.logger.Error("no resources transferred for",
+						"resource-path", source)
+					return os.ErrNotExist
+				}
+				n.logger.Debug("resource deployed",
+					"resource-path", source,
+					"number-of-resources", nResourcesTransferred)
+				return nil // finished successfully
+			case resources.ResolvedResource:
+
+				nResourcesTransferred = nResourcesTransferred + 1
+
+				fullTargetResourcePath := filepath.Join(titem.TargetWorkdir().Value, titem.TargetPath())
+
+				if titem.IsDir() {
+
+					// create a directory:
+					if err := os.MkdirAll(fullTargetResourcePath, titem.TargetMode()); err != nil {
+						n.logger.Error("error while creating directory",
+							"resource-path", titem.TargetPath(),
+							"on-disk-path", fullTargetResourcePath)
+						return err
+					}
+
+					n.logger.Debug("created directory",
+						"resource-path", titem.TargetPath(),
+						"on-disk-path", fullTargetResourcePath)
+
+					if titem.TargetUser().Value != n.defaultUser.Value {
+						uid, gid, err := stringToUidAndGid(titem.TargetUser().Value)
+						if err != nil {
+							n.logger.Error("error while chowning directory",
+								"resource-path", titem.TargetPath(),
+								"on-disk-path", fullTargetResourcePath,
+								"reason", err)
+							return err
+						}
+						if err := os.Chown(fullTargetResourcePath, uid, gid); err != nil {
+							n.logger.Error("error while chowning directory",
+								"resource-path", titem.TargetPath(),
+								"on-disk-path", fullTargetResourcePath,
+								"reason", err)
+							return err
+						}
+					}
+					continue
+				}
+
+				resourceReader, err := titem.Contents()
+				if err != nil {
+					n.logger.Error("error while fetching resource reader",
+						"resource-path", titem.TargetPath(),
+						"on-disk-path", fullTargetResourcePath,
+						"reason", err)
+					return err
+				}
+				defer resourceReader.Close()
+
+				targetFile, err := os.OpenFile(fullTargetResourcePath, os.O_CREATE|os.O_RDWR, titem.TargetMode())
+
+				if err != nil {
+					n.logger.Error("error while creating target file",
+						"resource-path", titem.TargetPath(),
+						"on-disk-path", fullTargetResourcePath,
+						"reason", err)
+					return err
+				}
+
+				written, err := io.Copy(targetFile, resourceReader)
+				if err != nil {
+					targetFile.Close()
+					n.logger.Error("error while writing target file",
+						"resource-path", titem.TargetPath(),
+						"on-disk-path", fullTargetResourcePath,
+						"reason", err)
+					return err
+				}
+
+				targetFile.Close()
+
+				n.logger.Info("file written",
+					"resource-path", titem.TargetPath(),
+					"on-disk-path", fullTargetResourcePath,
+					"written-bytes", written)
+
+				// chown the file:
+
+				if titem.TargetUser().Value != n.defaultUser.Value {
+					uid, gid, err := stringToUidAndGid(titem.TargetUser().Value)
+					if err != nil {
+						n.logger.Error("error while chowning file",
+							"resource-path", titem.TargetPath(),
+							"on-disk-path", fullTargetResourcePath,
+							"reason", err)
+						return err
+					}
+					if err := os.Chown(fullTargetResourcePath, uid, gid); err != nil {
+						n.logger.Error("error while chowning file",
+							"resource-path", titem.TargetPath(),
+							"on-disk-path", fullTargetResourcePath,
+							"reason", err)
+						return err
+					}
+				}
+
+			case error:
+				return titem
+			}
+		}
+	}
+
+}
+
+func stringToUidAndGid(input string) (int, int, error) {
+	parts := strings.Split(input, ":")
+	if len(parts) == 0 {
+		return -1, -1, fmt.Errorf("empty uid:gid")
+	}
+	if len(parts) == 1 {
+		// uid only:
+		uid, err := strconv.Atoi(parts[0])
+		return uid, -1, err
+	}
+	if len(parts) == 2 {
+		uid, uiderr := strconv.Atoi(parts[0])
+		if uiderr != nil {
+			return uid, -1, uiderr
+		}
+		gid, giderr := strconv.Atoi(parts[1])
+		return uid, gid, giderr
+	}
+	return -1, -1, fmt.Errorf("invalid uid:gid")
+}
diff --git a/bootstrap/resource_deployer_test.go b/bootstrap/resource_deployer_test.go
new file mode 100644
index 0000000..09b56fe
--- /dev/null
+++ b/bootstrap/resource_deployer_test.go
@@ -0,0 +1,33 @@
+package bootstrap
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUidGidParser(t *testing.T) {
+
+	_, _, err1 := stringToUidAndGid("")
+	assert.NotNil(t, err1)
+
+	_, _, err2 := stringToUidAndGid("a:b:c")
+	assert.NotNil(t, err2)
+
+	_, _, err3 := stringToUidAndGid("0:a")
+	assert.NotNil(t, err3)
+
+	_, _, err4 := stringToUidAndGid("a")
+	assert.NotNil(t, err4)
+
+	uid, gid, err5 := stringToUidAndGid("10")
+	assert.Nil(t, err5)
+	assert.Equal(t, 10, uid)
+	assert.Equal(t, -1, gid)
+
+	uid, gid, err6 := stringToUidAndGid("10:10")
+	assert.Nil(t, err6)
+	assert.Equal(t, 10, uid)
+	assert.Equal(t, 10, gid)
+
+}
diff --git a/cmd/vminit/main.go b/cmd/vminit/main.go
index 47dbdcf..96b1345 100644
--- a/cmd/vminit/main.go
+++ b/cmd/vminit/main.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/combust-labs/firebuild-mmds/bootstrap"
 	"github.com/combust-labs/firebuild-mmds/configs"
 	"github.com/combust-labs/firebuild-mmds/injectors"
 	"github.com/combust-labs/firebuild-mmds/mmds"
@@ -98,29 +99,43 @@ func processCommand() int {
 		return 1
 	}
 
+	if mmdsData.Bootstrap != nil {
+		// server is in the bootstrap mode:
+		bootstrapper := bootstrap.
+			NewDefaultBoostrapper(rootLogger.Named("bootstrap"), mmdsData.Bootstrap).
+			WithCommandRunner(bootstrap.NewShellCommandRunner(rootLogger.Named("shell-runner"))).
+			WithResourceDeployer(bootstrap.NewExecutingResourceDeployer(rootLogger.Named("executing-deployer")))
+		// TODO: needs properly executing resource deployer
+		if err := bootstrapper.Execute(); err != nil {
+			rootLogger.Error("bootstrap failed", "reason", err)
+			return 2
+		}
+		return 0
+	}
+
 	if err := injectors.InjectSSHKeys(rootLogger, mmdsData, config.PathAuthorizedKeysPatternFile); err != nil {
 		rootLogger.Error("error injecting ssh keys from MMDS data", "reason", err.Error())
-		return 1
+		return 3
 	}
 
 	if err := injectors.InjectEnvironment(rootLogger, mmdsData, config.PathEnvFile); err != nil {
 		rootLogger.Error("error injecting environment from MMDS data", "reason", err.Error())
-		return 1
+		return 3
 	}
 
 	if err := injectors.InjectHostname(rootLogger, mmdsData, config.PathHostnameFile); err != nil {
 		rootLogger.Error("error injecting local hostname from MMDS data", "reason", err.Error())
-		return 1
+		return 3
 	}
 
 	if err := injectors.InjectHosts(rootLogger, mmdsData, defaultHosts, config.PathHostsFile); err != nil {
 		rootLogger.Error("error injecting hosts from MMDS data", "reason", err.Error())
-		return 1
+		return 3
 	}
 
 	if err := injectors.InjectEntrypoint(rootLogger, mmdsData, config.PathEntrypointRunnerFile, config.PathEnvFile); err != nil {
 		rootLogger.Error("error injecting hosts from MMDS data", "reason", err.Error())
-		return 1
+		return 3
 	}
 
 	return 0
diff --git a/go.mod b/go.mod
index 1cb19a3..165d2ca 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,12 @@ module github.com/combust-labs/firebuild-mmds
 go 1.16
 
 require (
+	github.com/combust-labs/firebuild-embedded-ca v0.0.2
+	github.com/combust-labs/firebuild-shared v0.0.4
 	github.com/hashicorp/go-hclog v0.15.0
-	github.com/mitchellh/mapstructure v1.3.2
-	github.com/pkg/errors v0.8.1
+	github.com/mitchellh/mapstructure v1.4.1
+	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
+	github.com/stretchr/testify v1.6.1
 )
diff --git a/go.sum b/go.sum
index b167162..b8720d4 100644
--- a/go.sum
+++ b/go.sum
@@ -23,8 +23,14 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/combust-labs/firebuild-embedded-ca v0.0.2 h1:0eSWNiO8qw2RLwHbvkk7jvTjMdGQpBoj1jesYyEd8vA=
+github.com/combust-labs/firebuild-embedded-ca v0.0.2/go.mod h1:aX6H7DxiBXhYwBHxe2IVlJf2vwMz9SaQtK9O/3VAHdU=
+github.com/combust-labs/firebuild-shared v0.0.4 h1:XPIlAgae2e81wFGSlo6LSegISvUWDvEvCfPtnTGCzVw=
+github.com/combust-labs/firebuild-shared v0.0.4/go.mod h1:NcM03wlGqNOK1ciSSM46Xv6mE6rsjl3FZUs9jGA6wW0=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -36,6 +42,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -45,6 +55,8 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
+github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -55,14 +67,29 @@ github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFU
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0 h1:LUVKkCeviFUMKqHa4tXIIij/lbhnMbP7Fn5wKdKkRh4=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -103,8 +130,10 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -124,8 +153,8 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.3.2 h1:mRS76wmkOn3KkKAyXDu42V+6ebnXWIztFSYGN7GeoRg=
-github.com/mitchellh/mapstructure v1.3.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -133,8 +162,9 @@ github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@@ -142,6 +172,7 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -170,8 +201,10 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
@@ -217,6 +250,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -244,6 +278,7 @@ golang.org/x/sys v0.0.0-20191008105621-543471e840be h1:QAcqgptGM8IQBC9K/RC4o+O9Y
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -257,6 +292,7 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
@@ -265,6 +301,8 @@ golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -283,21 +321,45 @@ google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.36.1 h1:cmUfbeGKnz9+2DD/UYsMQXeqbHZqZDs4eQwW0sFOpBY=
+google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
diff --git a/mmds/mmds.go b/mmds/mmds.go
index d235a0a..ff81578 100644
--- a/mmds/mmds.go
+++ b/mmds/mmds.go
@@ -25,6 +25,7 @@ type MMDSLatestMetadata struct {
 }
 
 type MMDSData struct {
+	Bootstrap      *MMDSBootstrap        `json:"bootstrap,omitempty" mapstructure:"bootstrap,omitempty"`
 	VMMID          string                `json:"vmm-id" mapstructure:"vmm-id"`
 	Drives         map[string]*MMDSDrive `json:"drives" mapstructure:"drives"`
 	EntrypointJSON string                `json:"entrypoint-json" mapstructure:"entrypoint-json"`
@@ -36,6 +37,14 @@ type MMDSData struct {
 	Users          map[string]*MMDSUser  `json:"users" mapstructure:"users"`
 }
 
+type MMDSBootstrap struct {
+	HostPort    string `json:"host-port" mapstructure:"host-port"`
+	CaChain     string `json:"ca-chain" mapstructure:"ca-chain"`
+	Certificate string `json:"cert" mapstructure:"cert"`
+	Key         string `json:"key" mapstructure:"key"`
+	ServerName  string `json:"server-name" mapstructure:"server-name"`
+}
+
 type MMDSDrive struct {
 	DriveID      string `json:"drive-id" mapstructure:"drive-id"`
 	IsReadOnly   string `json:"is-read-only" mapstructure:"is-read-only"`