bootstrap

package v1.30.3
Published: Dec 3, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrAlreadyExists = errors.New("node already exists")
var ErrNotThisVerifier = errors.New("token not valid for this verifier")

ErrNotThisVerifier is returned when a verifier receives a token that is not intended for it.

Functions

func BuildChallengeServerCertificate added in v1.27.0

func BuildChallengeServerCertificate(clusterName string) (*tls.Certificate, error)

Types

type Authenticator

type Authenticator interface {
	CreateToken(body []byte) (string, error)
}

Authenticator generates authentication credentials for requests.

type ChainVerifier added in v1.29.0

type ChainVerifier struct {
	// contains filtered or unexported fields
}

ChainVerifier wraps multiple Verifiers; the first positive verification from any Verifier will be returned.

func (*ChainVerifier) VerifyToken added in v1.29.0

func (v *ChainVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)

VerifyToken will return the first positive verification from any Verifier in the chain.

type Challenge added in v1.27.0

type Challenge struct {
	ChallengeID     string
	ChallengeSecret []byte
}

type ChallengeClient added in v1.27.0

type ChallengeClient struct {
	// contains filtered or unexported fields
}

func NewChallengeClient added in v1.27.0

func NewChallengeClient(keystore pki.Keystore) (*ChallengeClient, error)

func (*ChallengeClient) DoCallbackChallenge added in v1.27.0

func (c *ChallengeClient) DoCallbackChallenge(ctx context.Context, clusterName string, targetEndpoint string, bootstrapRequest *nodeup.BootstrapRequest) error

type ChallengeListener added in v1.27.0

type ChallengeListener struct {
	// contains filtered or unexported fields
}

func (*ChallengeListener) CreateChallenge added in v1.27.0

func (s *ChallengeListener) CreateChallenge() *nodeup.ChallengeRequest

func (*ChallengeListener) Endpoint added in v1.27.0

func (s *ChallengeListener) Endpoint() string

func (*ChallengeListener) Stop added in v1.27.0

func (s *ChallengeListener) Stop()

type ChallengeServer added in v1.27.0

type ChallengeServer struct {
	RequiredSubject pkix.Name

	pb.UnimplementedCallbackServiceServer
	// contains filtered or unexported fields
}

func NewChallengeServer added in v1.27.0

func NewChallengeServer(clusterName string, caBundle []byte) (*ChallengeServer, error)

func (*ChallengeServer) Challenge added in v1.27.0

Answers challenges to cross-check bootstrap requests.

func (*ChallengeServer) NewListener added in v1.27.0

func (s *ChallengeServer) NewListener(ctx context.Context, listen string) (*ChallengeListener, error)

type Verifier

type Verifier interface {
	// VerifyToken performs full validation of the provided token, often making cloud API calls to verify the caller.
	// It should return either an error or a validated VerifyResult.
	// If the token looks like it is intended for a different verifier
	// (for example, it has the wrong prefix), we should return ErrNotThisVerifier.
	VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}

Verifier verifies authentication credentials for requests.

func NewChainVerifier added in v1.29.0

func NewChainVerifier(chain ...Verifier) Verifier

NewChainVerifier creates a new Verifier that will return the first positive verification from the provided Verifiers.
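The following is an added, self-contained illustration of the Verifier contract and the chain semantics described above; it is not the package's own code. It mirrors the exported names (Verifier, VerifyResult, ErrNotThisVerifier, NewChainVerifier) with local definitions so it compiles on its own, and it assumes, as the documentation implies but does not spell out, that a chain skips a verifier that answers ErrNotThisVerifier, stops at any other error, and rejects a token that no verifier claims. The two prefix-based verifiers, their in-memory node tables, and the request URL are constructed for the example; a real verifier would confirm the caller against the cloud API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNotThisVerifier mirrors the package variable: a Verifier returns it when
// the token is addressed to some other verifier, so a chain can move on.
var ErrNotThisVerifier = errors.New("token not valid for this verifier")

// VerifyResult mirrors the exported struct (only the fields this example uses).
type VerifyResult struct {
	NodeName          string
	InstanceGroupName string
	ChallengeEndpoint string
}

// Verifier mirrors the package interface.
type Verifier interface {
	VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}

// prefixVerifier is a hypothetical verifier that claims only tokens carrying its
// prefix. A real verifier would call a cloud API to confirm the instance; here
// the "cloud" is a constructed in-memory table keyed by the token payload.
type prefixVerifier struct {
	prefix string
	known  map[string]VerifyResult
}

func (p *prefixVerifier) VerifyToken(_ context.Context, _ *http.Request, token string, _ []byte) (*VerifyResult, error) {
	if !strings.HasPrefix(token, p.prefix) {
		return nil, ErrNotThisVerifier // not ours; let the next verifier look
	}
	res, ok := p.known[strings.TrimPrefix(token, p.prefix)]
	if !ok {
		// Addressed to us but not valid: fail closed with a real error,
		// never ErrNotThisVerifier, so the chain does not keep looking.
		return nil, fmt.Errorf("%q: token rejected", strings.TrimSpace(p.prefix))
	}
	return &res, nil
}

// chainVerifier implements the documented ChainVerifier behaviour as this
// example assumes it (the real fields are unexported): the first positive
// verification wins, ErrNotThisVerifier moves on to the next verifier, any
// other error stops the chain, and a token nobody claims is rejected.
type chainVerifier struct{ chain []Verifier }

// NewChainVerifier has the same signature as the package function.
func NewChainVerifier(chain ...Verifier) Verifier { return &chainVerifier{chain: chain} }

func (v *chainVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error) {
	for _, verifier := range v.chain {
		result, err := verifier.VerifyToken(ctx, rawRequest, token, body)
		if errors.Is(err, ErrNotThisVerifier) {
			continue
		}
		if err != nil {
			return nil, err
		}
		return result, nil
	}
	return nil, errors.New("no verifier accepted the token")
}

// SampleChain builds a chain of two hypothetical verifiers over constructed data
// (node names, instance groups and challenge endpoints are all made up).
func SampleChain() Verifier {
	aws := &prefixVerifier{prefix: "aws ", known: map[string]VerifyResult{
		"i-0123": {NodeName: "ip-10-0-0-1", InstanceGroupName: "nodes-a", ChallengeEndpoint: "10.0.0.1:8443"},
	}}
	gce := &prefixVerifier{prefix: "gce ", known: map[string]VerifyResult{
		"node-2": {NodeName: "node-2", InstanceGroupName: "nodes-b", ChallengeEndpoint: "10.0.1.2:8443"},
	}}
	return NewChainVerifier(aws, gce)
}

// Verify runs one bootstrap token through the chain with a constructed request.
func Verify(v Verifier, token string) (*VerifyResult, error) {
	req, err := http.NewRequest(http.MethodPost, "https://kops-controller.invalid/bootstrap", nil)
	if err != nil {
		return nil, err
	}
	return v.VerifyToken(context.Background(), req, token, []byte("{}"))
}

func main() {
	chain := SampleChain()
	for _, tok := range []string{"aws i-0123", "gce node-2", "aws i-9999", "azure vm-1"} {
		res, err := Verify(chain, tok)
		if err != nil {
			fmt.Printf("%-14q rejected: %v\n", tok, err)
			continue
		}
		fmt.Printf("%-14q accepted: node=%s ig=%s challenge=%s\n", tok, res.NodeName, res.InstanceGroupName, res.ChallengeEndpoint)
	}
}
```

The distinction the interface comment draws matters for safety: ErrNotThisVerifier is a routing signal, so a verifier must reserve it for tokens it does not recognise as its own at all, and return an ordinary error for a token that is its own but invalid. If an invalid token were answered with ErrNotThisVerifier, the chain would keep trying later verifiers instead of rejecting the request.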

type VerifyResult

type VerifyResult struct {
	// NodeName is the name that this node is authorized to use.
	NodeName string

	// InstanceGroupName is the name of the kops InstanceGroup this node is a member of.
	InstanceGroupName string

	// CertificateNames is the alternate names the node is authorized to use for certificates.
	CertificateNames []string

	// ChallengeEndpoint is a valid endpoint to which we should issue a challenge request,
	// corresponding to the node the request identified as.
	// This should be sourced from e.g. the cloud, and acts as a cross-check
	// that this is the correct instance.
	ChallengeEndpoint string
}

VerifyResult is the result of a successfully verified request.
