pkibootstrap

package
v1.30.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source
const AudienceNodeAuthentication = "kops.k8s.io/node-bootstrap"

AudienceNodeAuthentication is used in case we have multiple audiences using the TPM in future

View Source
const AuthenticationTokenPrefix = "x-pki-tpm "

AuthenticationTokenPrefix is the prefix used for authentication using PKI

Variables

This section is empty.

Functions

func NewAuthenticator

func NewAuthenticator(hostname string, signer crypto.Signer) (bootstrap.Authenticator, error)

func NewAuthenticatorFromFile

func NewAuthenticatorFromFile(p string) (bootstrap.Authenticator, error)

func NewVerifier

func NewVerifier(options *Options, client client.Client) (bootstrap.Verifier, error)

NewVerifier constructs a new verifier.

Types

type AuthToken

type AuthToken struct {
	// Signature is the TPM or PKI signature for data
	Signature []byte `json:"signature,omitempty"`

	// Data is the data we are signing.
	// It is a JSON encoded form of AuthTokenData.
	Data []byte `json:"data,omitempty"`
}

AuthToken describes the authentication header data when using GCE TPM authentication.

type AuthTokenData

type AuthTokenData struct {
	// Instance is the name/id of the instance we are claiming
	Instance string `json:"instance,omitempty"`

	// KeyID is the identifier of the public key we are signing with, if we're using a fixed key.
	KeyID string `json:"keyID,omitempty"`

	// RequestHash is the hash of the request
	RequestHash []byte `json:"requestHash,omitempty"`

	// Timestamp is the time of this request (to help prevent replay attacks)
	Timestamp int64 `json:"timestamp,omitempty"`

	// Audience is the audience for this request (to help prevent replay attacks)
	Audience string `json:"audience,omitempty"`
}

AuthTokenData is the code data that is signed as part of the header.

type Options

type Options struct {
	// MaxTimeSkew is the maximum time skew to allow (in seconds)
	MaxTimeSkew int64 `json:"MaxTimeSkew,omitempty"`
}

Options describes how we authenticate instances with known-public-key authentication.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL