Overview ¶
Package mesh contains the mesh store and related interfaces.
Package store provides raft consensus and data storage for webmesh nodes.
Constants ¶
// Environment variable names for the authentication options (AuthOptions,
// BasicAuthOptions and MTLSOptions).
const (
	AuthBasicEnabledEnvVar  = "AUTH_BASIC_ENABLED"
	AuthBasicUsernameEnvVar = "AUTH_BASIC_USERNAME"
	// AuthBasicPasswordEnvVar names the variable carrying a credential. Values in
	// the process environment are readable by anything that can inspect the process,
	// so prefer a config file with restrictive permissions where that is an option.
	AuthBasicPasswordEnvVar = "AUTH_BASIC_PASSWORD"
	MTLSEnabledEnvVar       = "AUTH_MTLS_ENABLED"
	// MTLSKeyFileEnvVar points at private key material; see MTLSOptions.KeyFile.
	MTLSKeyFileEnvVar  = "AUTH_MTLS_KEY_FILE"
	MTLSCertFileEnvVar = "AUTH_MTLS_CERT_FILE"
)
// Environment variable names for the bootstrap options (BootstrapOptions).
const (
	BootstrapEnabledEnvVar = "BOOTSTRAP_ENABLED"
	// AdvertiseAddressEnvVar lacks the Bootstrap prefix used by the rest of this
	// block; the name is exported, so it is kept for API compatibility.
	AdvertiseAddressEnvVar              = "BOOTSTRAP_ADVERTISE_ADDRESS"
	BootstrapServersEnvVar              = "BOOTSTRAP_SERVERS"
	BootstrapServersGRPCPortsEnvVar     = "BOOTSTRAP_SERVERS_GRPC_PORTS"
	BootstrapIPv4NetworkEnvVar          = "BOOTSTRAP_IPV4_NETWORK"
	BootstrapMeshDomainEnvVar           = "BOOTSTRAP_MESH_DOMAIN"
	BootstrapAdminEnvVar                = "BOOTSTRAP_ADMIN"
	BootstrapVotersEnvVar               = "BOOTSTRAP_VOTERS"
	BootstrapDefaultNetworkPolicyEnvVar = "BOOTSTRAP_DEFAULT_NETWORK_POLICY"
	// BootstrapRestoreSnapshotEnvVar names a file whose contents become the new
	// cluster's state; see BootstrapOptions.RestoreSnapshot.
	BootstrapRestoreSnapshotEnvVar = "BOOTSTRAP_RESTORE_SNAPSHOT"
	// ForceBootstrapClusterEnvVar maps to BootstrapOptions.Force.
	ForceBootstrapClusterEnvVar = "BOOTSTRAP_FORCE"
)
// Defaults used when bootstrapping a new cluster (see BootstrapOptions).
const (
	// DefaultIPv4Network is the default IPv4 network of the mesh
	// (see BootstrapOptions.IPv4Network).
	DefaultIPv4Network = "172.16.0.0/12"
	// DefaultMeshDomain is the default mesh domain. Note the trailing dot: the
	// value is a fully qualified DNS name.
	DefaultMeshDomain = "webmesh.internal."
	// DefaultAdminUser is the default name granted administrator privileges
	// (see BootstrapOptions.Admin).
	DefaultAdminUser = "admin"
	// DefaultNetworkPolicy is the default network policy. It is deny, so a
	// freshly bootstrapped mesh fails closed until policy is added explicitly.
	DefaultNetworkPolicy = NetworkPolicyDeny
)
// Environment variable names for the mesh options (MeshOptions).
const (
	NodeIDEnvVar                 = "MESH_NODE_ID"
	ZoneAwarenessIDEnvVar        = "MESH_ZONE_AWARENESS_ID"
	JoinAddressEnvVar            = "MESH_JOIN_ADDRESS"
	PeerDiscoveryAddressesEnvVar = "MESH_PEER_DISCOVERY_ADDRESSES"
	JoinAsVoterEnvVar            = "MESH_JOIN_AS_VOTER"
	MaxJoinRetriesEnvVar         = "MESH_MAX_JOIN_RETRIES"
	// JoinTimeoutEnvVar has no counterpart field in MeshOptions on this page;
	// presumably it is bound elsewhere — confirm against BindFlags.
	JoinTimeoutEnvVar       = "MESH_JOIN_TIMEOUT"
	GRPCAdvertisePortEnvVar = "MESH_GRPC_PORT"
	DNSAdvertisePortEnvVar  = "MESH_MESHDNS_PORT"
	UseMeshDNSEnvVar        = "MESH_USE_MESHDNS"
	PrimaryEndpointEnvVar   = "MESH_PRIMARY_ENDPOINT"
	NodeRoutesEnvVar        = "MESH_ROUTES"
	NodeDirectPeersEnvVar   = "MESH_DIRECT_PEERS"
	NoIPv4EnvVar            = "MESH_NO_IPV4"
	NoIPv6EnvVar            = "MESH_NO_IPV6"
)
// Environment variable names for the TLS options (TLSOptions).
const (
	CAFileEnvVar          = "TLS_CA_FILE"
	VerifyChainOnlyEnvVar = "TLS_VERIFY_CHAIN_ONLY"
	// InsecureSkipVerifyEnvVar and InsecureEnvVar weaken transport security
	// (see TLSOptions.InsecureSkipVerify and TLSOptions.Insecure); they are
	// worth alerting on if they show up set in a production environment.
	InsecureSkipVerifyEnvVar = "TLS_INSECURE_SKIP_VERIFY"
	InsecureEnvVar           = "TLS_INSECURE"
)
// Environment variable names for the WireGuard options (WireGuardOptions).
//
// NOTE(review): the block mixes the "Wireguard" and "WireGuard" spellings in
// exported names. Renaming would break callers, so the inconsistency stands.
const (
	WireguardListenPortEnvVar          = "WIREGUARD_LISTEN_PORT"
	WireguardNameEnvVar                = "WIREGUARD_INTERFACE_NAME"
	WireguardForceNameEnvVar           = "WIREGUARD_FORCE_INTERFACE_NAME"
	WireguardForceTUNEnvVar            = "WIREGUARD_FORCE_TUN"
	WireguardModprobeEnvVar            = "WIREGUARD_MODPROBE"
	WireguardMasqueradeEnvVar          = "WIREGUARD_MASQUERADE"
	WireguardAllowedIPsEnvVar          = "WIREGUARD_ALLOWED_IPS"
	WireguardPersistentKeepaliveEnvVar = "WIREGUARD_PERSISTENT_KEEPALIVE"
	WireguardMTUEnvVar                 = "WIREGUARD_MTU"
	WireGuardEndpointsEnvVar           = "WIREGUARD_ENDPOINTS"
	// WireGuardKeyFileEnvVar points at the WireGuard private key; see WireGuardOptions.KeyFile.
	WireGuardKeyFileEnvVar               = "WIREGUARD_KEY_FILE"
	WireGuardKeyRotationIntervalEnvVar   = "WIREGUARD_KEY_ROTATION_INTERVAL"
	WireGuardRecordMetricsEnvVar         = "WIREGUARD_RECORD_METRICS"
	WireGuardRecordMetricsIntervalEnvVar = "WIREGUARD_RECORD_METRICS_INTERVAL"
)
Variables ¶
// Sentinel errors returned by the store. Compare with errors.Is, not by
// message text.
var (
	// ErrNotOpen is returned when attempting to close a store that is not open.
	ErrNotOpen = fmt.Errorf("not open")
	// ErrOpen is returned when a store is already open.
	//
	// NOTE(review): both values are built with fmt.Errorf and no format verbs;
	// errors.New is the conventional form for constant sentinels. Left as is
	// because the file's import block is not visible here.
	ErrOpen = fmt.Errorf("already open")
)
Types ¶
type AuthOptions ¶
// AuthOptions are options for authentication. Each mechanism is a pointer so
// that an unset mechanism serializes as absent (omitempty) rather than as an
// empty object.
//
// NOTE(review): whether more than one mechanism may be enabled at once is
// decided by Validate, whose body is not shown here — confirm before relying on it.
type AuthOptions struct {
	// Basic are options for basic authentication.
	Basic *BasicAuthOptions `json:"basic,omitempty" yaml:"basic,omitempty" toml:"basic,omitempty"`
	// MTLS are options for mutual TLS.
	MTLS *MTLSOptions `json:"mtls,omitempty" yaml:"mtls,omitempty" toml:"mtls,omitempty"`
	// LDAP are options for LDAP authentication.
	LDAP *LDAPAuthOptions `json:"ldap,omitempty" yaml:"ldap,omitempty" toml:"ldap,omitempty"`
}
AuthOptions are options for authentication.
func (*AuthOptions) BindFlags ¶
func (o *AuthOptions) BindFlags(fl *flag.FlagSet)
BindFlags binds the flags to the options.
func (*AuthOptions) Validate ¶
func (o *AuthOptions) Validate() error
type BasicAuthOptions ¶
// BasicAuthOptions are options for basic authentication.
type BasicAuthOptions struct {
	// Username is the username.
	Username string `json:"username,omitempty" yaml:"username,omitempty" toml:"username,omitempty"`
	// Password is the password. It is a credential and is serialized in plain
	// text in every supported config format (JSON, YAML, TOML), so the config
	// file needs restrictive permissions and the struct must not be logged or
	// dumped verbatim.
	Password string `json:"password,omitempty" yaml:"password,omitempty" toml:"password,omitempty"`
}
BasicAuthOptions are options for basic authentication.
type BootstrapOptions ¶
// BootstrapOptions are the bootstrap options. They describe the initial state
// written to a brand-new cluster and are only consulted when Enabled or Force
// is set.
type BootstrapOptions struct {
	// Enabled is the flag to attempt bootstrapping. If true, the node will only bootstrap a new cluster
	// if no data is found. To force a bootstrap, set Force to true.
	Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" toml:"enabled,omitempty"`
	// AdvertiseAddress is the initial address to advertise for raft consensus.
	AdvertiseAddress string `json:"advertise-address,omitempty" yaml:"advertise-address,omitempty" toml:"advertise-address,omitempty"`
	// Servers is a map of node IDs to addresses to bootstrap with. If empty, the node will use the advertise
	// address as the bootstrap server. If not empty, all nodes in the map should be started with the same
	// configuration. If the configurations differ, the first node to become leader decides which set is
	// used, which can cause bootstrap to fail when using ACLs. Servers should be in the form of
	// <node-id>=<address>.
	Servers map[string]string `json:"servers,omitempty" yaml:"servers,omitempty" toml:"servers,omitempty"`
	// ServersGRPCPorts is a map of node IDs to gRPC ports to bootstrap with. If empty, the node will use the
	// advertise address and locally configured gRPC port for every node in bootstrap-servers. Ports should
	// be in the form of <node-id>=<port>.
	ServersGRPCPorts map[string]int `json:"servers-grpc-ports,omitempty" yaml:"servers-grpc-ports,omitempty" toml:"servers-grpc-ports,omitempty"`
	// IPv4Network is the IPv4 network of the mesh to write to the database when bootstrapping a new cluster.
	IPv4Network string `json:"ipv4-network,omitempty" yaml:"ipv4-network,omitempty" toml:"ipv4-network,omitempty"`
	// MeshDomain is the domain of the mesh to write to the database when bootstrapping a new cluster.
	MeshDomain string `json:"mesh-domain,omitempty" yaml:"mesh-domain,omitempty" toml:"mesh-domain,omitempty"`
	// Admin is the user and/or node name to assign administrator privileges to when bootstrapping a new cluster.
	Admin string `json:"admin,omitempty" yaml:"admin,omitempty" toml:"admin,omitempty"`
	// Voters is a comma separated list of node IDs to assign voting privileges to when bootstrapping a new cluster.
	// BootstrapServers are automatically added to this list.
	Voters string `json:"voters,omitempty" yaml:"voters,omitempty" toml:"voters,omitempty"`
	// DefaultNetworkPolicy is the default network policy to apply to the mesh when bootstrapping a new cluster.
	// It is a plain string here; presumably it is checked with NetworkPolicy.IsValid
	// in Validate — confirm. "deny" (the package default) fails closed.
	DefaultNetworkPolicy string `json:"default-network-policy,omitempty" yaml:"default-network-policy,omitempty" toml:"default-network-policy,omitempty"`
	// RestoreSnapshot is the path to a snapshot to restore from when bootstrapping a new cluster.
	// The snapshot's contents become the cluster's initial state, including whatever
	// users, roles and policies it carries, so it must come from a trusted source.
	RestoreSnapshot string `json:"restore-snapshot,omitempty" yaml:"restore-snapshot,omitempty" toml:"restore-snapshot,omitempty"`
	// Force is the force new bootstrap flag. Unlike Enabled, it bootstraps even when
	// data is found; presumably that existing data is superseded — confirm against
	// the store's open path before using it on a node with state.
	Force bool `json:"force,omitempty" yaml:"force,omitempty" toml:"force,omitempty"`
}
BootstrapOptions are the bootstrap options.
func NewBootstrapOptions ¶
func NewBootstrapOptions() *BootstrapOptions
NewBootstrapOptions creates a new BootstrapOptions.
func (*BootstrapOptions) BindFlags ¶
func (o *BootstrapOptions) BindFlags(fl *flag.FlagSet)
BindFlags binds the bootstrap options to the flag set.
func (*BootstrapOptions) Validate ¶
func (o *BootstrapOptions) Validate() error
Validate validates the bootstrap options.
type LDAPAuthOptions ¶
// LDAPAuthOptions are options for LDAP authentication. The field set is the
// same as BasicAuthOptions; the two are distinct types so that config files
// select the mechanism by key ("ldap" vs "basic").
type LDAPAuthOptions struct {
	// Username is the username.
	Username string `json:"username,omitempty" yaml:"username,omitempty" toml:"username,omitempty"`
	// Password is the password. As with BasicAuthOptions.Password this is a
	// credential stored in plain text in the config; protect the file and keep
	// the struct out of logs.
	Password string `json:"password,omitempty" yaml:"password,omitempty" toml:"password,omitempty"`
}
LDAPAuthOptions are options for LDAP authentication.
type MTLSOptions ¶
// MTLSOptions are options for mutual TLS. The certificate and key may each be
// supplied either as a file path or inline as base64 data.
type MTLSOptions struct {
	// CertFile is the path to a TLS certificate file to present when joining. Either this
	// or CertData must be set.
	CertFile string `yaml:"cert-file,omitempty" json:"cert-file,omitempty" toml:"cert-file,omitempty"`
	// CertData is the base64 encoded TLS certificate data to present when joining. Either this
	// or CertFile must be set.
	CertData string `yaml:"cert-data,omitempty" json:"cert-data,omitempty" toml:"cert-data,omitempty"`
	// KeyFile is the path to a TLS key file for the certificate. Either this or KeyData must be set.
	//
	// NOTE(review): the toml key is "tls-file" while yaml/json use "key-file". A TOML
	// config written with "key-file" would leave this field empty without any error
	// from the decoder. Not changed here because it alters the on-disk config format.
	KeyFile string `yaml:"key-file,omitempty" json:"key-file,omitempty" toml:"tls-file,omitempty"`
	// KeyData is the base64 encoded TLS key data for the certificate. Either this or KeyFile must be set.
	// This is private key material embedded in the config, so the same handling rules as
	// passwords apply (file permissions, never logged).
	//
	// NOTE(review): toml key is "tls-data" rather than "key-data" — same mismatch as KeyFile.
	KeyData string `yaml:"key-data,omitempty" json:"key-data,omitempty" toml:"tls-data,omitempty"`
}
MTLSOptions are options for mutual TLS.
type Mesh ¶
// Mesh is the connection to the Webmesh. It controls raft consensus, plugins,
// data storage, and WireGuard connections.
type Mesh interface {
	// ID returns the node ID.
	ID() string
	// Domain returns the domain of the mesh network.
	Domain() string
	// Open opens the connection to the mesh. This must be called before
	// other methods can be used. features advertises what this node supports;
	// presumably opening an already open mesh yields ErrOpen — confirm.
	Open(ctx context.Context, features []v1.Feature) error
	// Close closes the connection to the mesh and shuts down the storage.
	// Presumably closing a mesh that was never opened yields ErrNotOpen — confirm.
	Close() error
	// Leader returns the current Raft leader ID.
	Leader() (string, error)
	// LeaderRPCAddr returns the current Raft leader's gRPC address.
	LeaderRPCAddr(ctx context.Context) (string, error)
	// Storage returns a storage interface for use by the application.
	Storage() storage.Storage
	// Raft returns the Raft interface.
	Raft() raft.Raft
	// Network returns the Network manager.
	Network() net.Manager
	// Plugins returns the Plugin manager.
	Plugins() plugins.Manager
}
Mesh is the connection to the Webmesh. It controls raft consensus, plugins, data storage, and WireGuard connections.
func New ¶
New creates a new Mesh. You must call Open() on the returned mesh before it is ready to use.
func NewTestCluster ¶
NewTestCluster creates a new test cluster and waits for it to be ready. The context is used to enforce startup timeouts. Clusters cannot be created in parallel without specifying unique raft ports. If startPort is 0, a default port will be used. The number of nodes must be greater than 0.
type MeshOptions ¶
// MeshOptions are the options for participating in a mesh: how this node is
// identified, how it finds and joins peers, and what it advertises once joined.
type MeshOptions struct {
	// NodeID is the node ID.
	NodeID string `json:"node-id,omitempty" yaml:"node-id,omitempty" toml:"node-id,omitempty"`
	// ZoneAwarenessID is the zone awareness ID.
	ZoneAwarenessID string `json:"zone-awareness-id,omitempty" yaml:"zone-awareness-id,omitempty" toml:"zone-awareness-id,omitempty"`
	// JoinAddress is the address of a node to join.
	JoinAddress string `json:"join-address,omitempty" yaml:"join-address,omitempty" toml:"join-address,omitempty"`
	// PeerDiscoveryAddresses are the addresses to use for peer discovery.
	PeerDiscoveryAddresses []string `json:"peer-discovery-addresses,omitempty" yaml:"peer-discovery-addresses,omitempty" toml:"peer-discovery-addresses,omitempty"`
	// MaxJoinRetries is the maximum number of join retries.
	MaxJoinRetries int `json:"max-join-retries,omitempty" yaml:"max-join-retries,omitempty" toml:"max-join-retries,omitempty"`
	// JoinAsVoter is true if the node should join as a raft voter. The config
	// key is "voter".
	JoinAsVoter bool `json:"voter,omitempty" yaml:"voter,omitempty" toml:"voter,omitempty"`
	// PrimaryEndpoint is the primary endpoint to advertise when joining.
	PrimaryEndpoint string `json:"primary-endpoint,omitempty" yaml:"primary-endpoint,omitempty" toml:"primary-endpoint,omitempty"`
	// Routes are additional routes to advertise to the mesh. These routes are advertised to all peers.
	// If the node is not allowed to put routes in the mesh, the node will be unable to join.
	Routes []string `json:"routes,omitempty" yaml:"routes,omitempty" toml:"routes,omitempty"`
	// DirectPeers are peers to request direct edges to. If the node is not allowed to create edges
	// and data channels, the node will be unable to join.
	DirectPeers []string `json:"direct-peers,omitempty" yaml:"direct-peers,omitempty" toml:"direct-peers,omitempty"`
	// GRPCPort is the port to advertise for gRPC.
	GRPCPort int `json:"grpc-port,omitempty" yaml:"grpc-port,omitempty" toml:"grpc-port,omitempty"`
	// MeshDNSPort is the port to advertise for DNS.
	MeshDNSPort int `json:"meshdns-port,omitempty" yaml:"meshdns-port,omitempty" toml:"meshdns-port,omitempty"`
	// UseMeshDNS indicates whether to set mesh DNS servers in the system configuration.
	// This changes host-wide resolver settings, not just this process.
	UseMeshDNS bool `json:"use-meshdns,omitempty" yaml:"use-meshdns,omitempty" toml:"use-meshdns,omitempty"`
	// NoIPv4 disables IPv4 usage.
	NoIPv4 bool `json:"no-ipv4,omitempty" yaml:"no-ipv4,omitempty" toml:"no-ipv4,omitempty"`
	// NoIPv6 disables IPv6 usage.
	NoIPv6 bool `json:"no-ipv6,omitempty" yaml:"no-ipv6,omitempty" toml:"no-ipv6,omitempty"`
}
MeshOptions are the options for participating in a mesh.
func NewMeshOptions ¶
func NewMeshOptions() *MeshOptions
NewMeshOptions creates a new MeshOptions with default values.
func (*MeshOptions) BindFlags ¶
func (o *MeshOptions) BindFlags(fl *flag.FlagSet)
BindFlags binds the MeshOptions to a flag set.
func (*MeshOptions) Validate ¶
func (o *MeshOptions) Validate() error
Validate validates the MeshOptions.
type NetworkPolicy ¶
// NetworkPolicy is a type of network policy. The valid values are the
// NetworkPolicyAccept and NetworkPolicyDeny constants; use IsValid to check
// a value that came from configuration.
type NetworkPolicy string
NetworkPolicy is a type of network policy.
// The known NetworkPolicy values.
const (
	// NetworkPolicyAccept is the accept network policy: traffic is allowed
	// unless something denies it.
	NetworkPolicyAccept NetworkPolicy = "accept"
	// NetworkPolicyDeny is the deny network policy: traffic is blocked unless
	// something allows it. This is the package default (DefaultNetworkPolicy).
	NetworkPolicyDeny NetworkPolicy = "deny"
)
func (NetworkPolicy) IsValid ¶
func (n NetworkPolicy) IsValid() bool
IsValid reports whether the network policy is one of the known values.
type Options ¶
// Options are the options for the store. It aggregates one options struct per
// subsystem; every member is a pointer so an absent section is omitted from
// serialized config.
type Options struct {
	// Auth are options for authentication to the mesh.
	Auth *AuthOptions `json:"auth,omitempty" yaml:"auth,omitempty" toml:"auth,omitempty"`
	// Mesh are options for participating in an existing mesh.
	Mesh *MeshOptions `json:"mesh,omitempty" yaml:"mesh,omitempty" toml:"mesh,omitempty"`
	// Bootstrap are options for bootstrapping the store.
	Bootstrap *BootstrapOptions `json:"bootstrap,omitempty" yaml:"bootstrap,omitempty" toml:"bootstrap,omitempty"`
	// Raft are options for the raft store.
	Raft *raft.Options `json:"raft,omitempty" yaml:"raft,omitempty" toml:"raft,omitempty"`
	// TLS are options for TLS.
	TLS *TLSOptions `json:"tls,omitempty" yaml:"tls,omitempty" toml:"tls,omitempty"`
	// WireGuard are options for WireGuard.
	WireGuard *WireGuardOptions `json:"wireguard,omitempty" yaml:"wireguard,omitempty" toml:"wireguard,omitempty"`
	// Plugins are options for plugins.
	Plugins *plugins.Options `yaml:"plugins,omitempty" json:"plugins,omitempty" toml:"plugins,omitempty"`
}
Options are the options for the store.
type TLSOptions ¶
// TLSOptions are options for TLS communication when joining a mesh. The last
// three fields each reduce the protection TLS gives; the safe configuration is
// all three false with a CA that the mesh's certificates chain to.
type TLSOptions struct {
	// CAFile is the path to a TLS CA file for verification. If this and CAData are empty, the system CA pool is used.
	CAFile string `yaml:"tls-ca-file,omitempty" json:"tls-ca-file,omitempty" toml:"tls-ca-file,omitempty"`
	// CAData is the base64 encoded TLS CA data for verification. If this and CAFile are empty, the system CA pool is used.
	CAData string `yaml:"tls-ca-data,omitempty" json:"tls-ca-data,omitempty" toml:"tls-ca-data,omitempty"`
	// VerifyChainOnly is true if only the certificate chain should be verified.
	// Presumably this means the server name is not checked against the certificate,
	// so any certificate issued by the CA is accepted for any host — confirm against
	// the code that builds the tls.Config.
	VerifyChainOnly bool `yaml:"verify-chain-only,omitempty" json:"verify-chain-only,omitempty" toml:"verify-chain-only,omitempty"`
	// InsecureSkipVerify is true if the server TLS cert should not be verified.
	// With this set an on-path party can present any certificate and be accepted;
	// it belongs in test setups only.
	InsecureSkipVerify bool `yaml:"insecure-skip-verify,omitempty" json:"insecure-skip-verify,omitempty" toml:"insecure-skip-verify,omitempty"`
	// Insecure is true if the gRPC connection should be insecure, i.e. presumably
	// without transport credentials at all — confirm. Credentials from AuthOptions
	// would then travel unencrypted.
	Insecure bool `yaml:"insecure,omitempty" json:"insecure,omitempty" toml:"insecure,omitempty"`
}
TLSOptions are options for TLS communication when joining a mesh.
func NewTLSOptions ¶
func NewTLSOptions() *TLSOptions
NewTLSOptions creates a new TLSOptions with default values.
func (*TLSOptions) BindFlags ¶
func (o *TLSOptions) BindFlags(fl *flag.FlagSet)
BindFlags binds the TLS options to the flag set.
type WireGuardOptions ¶
// WireGuardOptions are options for configuring the WireGuard interface.
type WireGuardOptions struct {
	// ListenPort is the port to listen on.
	ListenPort int `yaml:"listen-port,omitempty" json:"listen-port,omitempty" toml:"listen-port,omitempty"`
	// InterfaceName is the name of the interface.
	InterfaceName string `yaml:"interface-name,omitempty" json:"interface-name,omitempty" toml:"interface-name,omitempty"`
	// ForceInterfaceName forces the use of the given name by deleting
	// any pre-existing interface with the same name. That interface may belong
	// to something else on the host, so this is disruptive by design.
	ForceInterfaceName bool `yaml:"force-interface-name,omitempty" json:"force-interface-name,omitempty" toml:"force-interface-name,omitempty"`
	// ForceTUN forces the use of a TUN interface.
	ForceTUN bool `yaml:"force-tun,omitempty" json:"force-tun,omitempty" toml:"force-tun,omitempty"`
	// Modprobe attempts to probe the wireguard module.
	Modprobe bool `yaml:"modprobe,omitempty" json:"modprobe,omitempty" toml:"modprobe,omitempty"`
	// Masquerade enables masquerading of traffic from the wireguard interface.
	Masquerade bool `yaml:"masquerade,omitempty" json:"masquerade,omitempty" toml:"masquerade,omitempty"`
	// PersistentKeepAlive is the interval at which to send keepalive packets
	// to peers. If unset, keepalive packets will automatically be sent to publicly
	// accessible peers when this instance is behind a NAT. Otherwise, no keep-alive
	// packets are sent.
	PersistentKeepAlive time.Duration `yaml:"persistent-keepalive,omitempty" json:"persistent-keepalive,omitempty" toml:"persistent-keepalive,omitempty"`
	// MTU is the MTU to use for the interface.
	MTU int `yaml:"mtu,omitempty" json:"mtu,omitempty" toml:"mtu,omitempty"`
	// Endpoints are additional WireGuard endpoints to broadcast when joining.
	Endpoints []string `json:"endpoints,omitempty" yaml:"endpoints,omitempty" toml:"endpoints,omitempty"`
	// KeyFile is the path to the WireGuard private key. If it does not exist it will be created.
	// The file holds the node's long-term identity; the permissions it is created
	// with are not visible on this page — confirm they are owner-only.
	KeyFile string `json:"key-file,omitempty" yaml:"key-file,omitempty" toml:"key-file,omitempty"`
	// KeyRotationInterval is the interval to rotate wireguard keys.
	// Set this to 0 to disable key rotation.
	KeyRotationInterval time.Duration `json:"key-rotation-interval,omitempty" yaml:"key-rotation-interval,omitempty" toml:"key-rotation-interval,omitempty"`
	// RecordMetrics enables recording of WireGuard metrics. These are only exposed if the
	// metrics server is enabled.
	RecordMetrics bool `json:"record-metrics,omitempty" yaml:"record-metrics,omitempty" toml:"record-metrics,omitempty"`
	// RecordMetricsInterval is the interval at which to update WireGuard metrics.
	RecordMetricsInterval time.Duration `json:"record-metrics-interval,omitempty" yaml:"record-metrics-interval,omitempty" toml:"record-metrics-interval,omitempty"`
}
WireGuardOptions are options for configuring the WireGuard interface.
func NewWireGuardOptions ¶
func NewWireGuardOptions() *WireGuardOptions
NewWireGuardOptions returns a new WireGuardOptions with sensible defaults.
func (*WireGuardOptions) BindFlags ¶
func (o *WireGuardOptions) BindFlags(fl *flag.FlagSet)
BindFlags binds the options to the given flag set.
func (*WireGuardOptions) Validate ¶
func (o *WireGuardOptions) Validate() error
Validate validates the options.