Documentation
Constants
This section is empty.
Variables
var ErrAlreadyExists = errors.New("node already exists")
var ErrNotThisVerifier = errors.New("token not valid for this verifier")
ErrNotThisVerifier is returned when a verifier receives a token that is not intended for it.
Functions
func BuildChallengeServerCertificate added in v1.27.0
func BuildChallengeServerCertificate(clusterName string) (*tls.Certificate, error)
Types
type Authenticator
Authenticator generates authentication credentials for requests.
type ChainVerifier added in v1.29.0
type ChainVerifier struct {
	// contains filtered or unexported fields
}
ChainVerifier wraps multiple Verifiers; the first positive verification from any Verifier will be returned.
func (*ChainVerifier) VerifyToken added in v1.29.0
func (v *ChainVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
VerifyToken will return the first positive verification from any Verifier in the chain.
type ChallengeClient added in v1.27.0
type ChallengeClient struct {
	// contains filtered or unexported fields
}
func NewChallengeClient added in v1.27.0
func NewChallengeClient(keystore pki.Keystore) (*ChallengeClient, error)
func (*ChallengeClient) DoCallbackChallenge added in v1.27.0
func (c *ChallengeClient) DoCallbackChallenge(ctx context.Context, clusterName string, targetEndpoint string, bootstrapRequest *nodeup.BootstrapRequest) error
type ChallengeListener added in v1.27.0
type ChallengeListener struct {
	// contains filtered or unexported fields
}
func (*ChallengeListener) CreateChallenge added in v1.27.0
func (s *ChallengeListener) CreateChallenge() *nodeup.ChallengeRequest
func (*ChallengeListener) Endpoint added in v1.27.0
func (s *ChallengeListener) Endpoint() string
func (*ChallengeListener) Stop added in v1.27.0
func (s *ChallengeListener) Stop()
type ChallengeServer added in v1.27.0
type ChallengeServer struct {
	RequiredSubject pkix.Name
	pb.UnimplementedCallbackServiceServer
	// contains filtered or unexported fields
}
func NewChallengeServer added in v1.27.0
func NewChallengeServer(clusterName string, caBundle []byte) (*ChallengeServer, error)
func (*ChallengeServer) Challenge added in v1.27.0
func (s *ChallengeServer) Challenge(ctx context.Context, req *pb.ChallengeRequest) (*pb.ChallengeResponse, error)
Challenge answers challenges to cross-check bootstrap requests.
func (*ChallengeServer) NewListener added in v1.27.0
func (s *ChallengeServer) NewListener(ctx context.Context, listen string) (*ChallengeListener, error)
type Verifier
type Verifier interface {
	// VerifyToken performs full validation of the provided token, often making cloud API calls to verify the caller.
	// It should return either an error or a validated VerifyResult.
	// If the token looks like it is intended for a different verifier
	// (for example it has the wrong prefix), it should return ErrNotThisVerifier.
	VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}
Verifier verifies authentication credentials for requests.
func NewChainVerifier added in v1.29.0
NewChainVerifier creates a new Verifier that will return the first positive verification from the provided Verifiers.
type VerifyResult
type VerifyResult struct {
	// NodeName is the name that this node is authorized to use.
	NodeName string
	// InstanceGroupName is the name of the kops InstanceGroup this node is a member of.
	InstanceGroupName string
	// CertificateNames are the alternate names the node is authorized to use for certificates.
	CertificateNames []string
	// ChallengeEndpoint is a valid endpoint to which we should issue a challenge request,
	// corresponding to the node the request identified as.
	// This should be sourced from e.g. the cloud, and acts as a cross-check
	// that this is the correct instance.
	ChallengeEndpoint string
}
VerifyResult is the result of a successfully verified request.
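The Verifier contract above (return ErrNotThisVerifier when the token carries the wrong prefix, otherwise a VerifyResult or a definitive error) and the ChainVerifier rule (first positive verification wins) are shown together in the following added example. It is not kops code: the Verifier interface, VerifyResult and ErrNotThisVerifier are redeclared locally with the signatures documented on this page so the program builds without the kops module, and the prefixVerifier type, the "cloud-a "/"cloud-b " token prefixes, the node tables and the challenge endpoints are constructed sample data. One design choice is stated as an assumption: a verifier that does claim a token but rejects it stops the chain, so a rejected token never falls through to a later verifier.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNotThisVerifier mirrors the sentinel documented for the bootstrap package.
var ErrNotThisVerifier = errors.New("token not valid for this verifier")

// VerifyResult is a reduced local copy of the documented struct (assumption: only
// the fields this example needs are kept).
type VerifyResult struct {
	NodeName          string
	InstanceGroupName string
	ChallengeEndpoint string
}

// Verifier is redeclared with the documented method signature.
type Verifier interface {
	VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}

// prefixVerifier is a hypothetical Verifier that only handles tokens carrying its
// prefix; the nodes map stands in for the cloud API lookup a real verifier would make.
type prefixVerifier struct {
	prefix string
	nodes  map[string]VerifyResult // constructed sample data
}

func (p *prefixVerifier) VerifyToken(_ context.Context, _ *http.Request, token string, _ []byte) (*VerifyResult, error) {
	if !strings.HasPrefix(token, p.prefix) {
		// Wrong prefix: not our token, let the chain try the next verifier.
		return nil, ErrNotThisVerifier
	}
	id := strings.TrimPrefix(token, p.prefix)
	r, ok := p.nodes[id]
	if !ok {
		// Our token format, but no such instance: a definitive rejection.
		return nil, fmt.Errorf("%sverifier: unknown instance %q", p.prefix, id)
	}
	return &r, nil
}

// ChainVerifier returns the first positive verification. Only ErrNotThisVerifier
// advances the chain; any other error is returned as-is (assumption, see lead-in).
type ChainVerifier struct{ verifiers []Verifier }

func NewChainVerifier(verifiers ...Verifier) *ChainVerifier {
	return &ChainVerifier{verifiers: verifiers}
}

func (c *ChainVerifier) VerifyToken(ctx context.Context, req *http.Request, token string, body []byte) (*VerifyResult, error) {
	for _, v := range c.verifiers {
		res, err := v.VerifyToken(ctx, req, token, body)
		if errors.Is(err, ErrNotThisVerifier) {
			continue
		}
		if err != nil {
			return nil, err
		}
		return res, nil
	}
	// No verifier recognised the token format at all.
	return nil, ErrNotThisVerifier
}

// demoChain builds a chain over two constructed verifiers.
func demoChain() *ChainVerifier {
	a := &prefixVerifier{prefix: "cloud-a ", nodes: map[string]VerifyResult{
		"i-1": {NodeName: "node-a-1", InstanceGroupName: "nodes-a", ChallengeEndpoint: "10.0.1.10:3988"},
	}}
	b := &prefixVerifier{prefix: "cloud-b ", nodes: map[string]VerifyResult{
		"vm-7": {NodeName: "node-b-7", InstanceGroupName: "nodes-b", ChallengeEndpoint: "10.0.2.7:3988"},
	}}
	return NewChainVerifier(a, b)
}

func main() {
	chain := demoChain()
	for _, tok := range []string{"cloud-a i-1", "cloud-b vm-7", "cloud-a i-unknown", "bogus"} {
		res, err := chain.VerifyToken(context.Background(), nil, tok, nil)
		if err != nil {
			fmt.Printf("%-18s rejected: %v\n", tok, err)
			continue
		}
		fmt.Printf("%-18s -> node %s (ig %s, challenge %s)\n", tok, res.NodeName, res.InstanceGroupName, res.ChallengeEndpoint)
	}
}
```

Running the program verifies the two well-formed tokens, rejects "cloud-a i-unknown" with the first verifier's own error (the second verifier is never consulted), and reports "bogus" as ErrNotThisVerifier because no verifier claimed it. The returned ChallengeEndpoint is what a caller would then hand to ChallengeClient.DoCallbackChallenge as the cross-check that the request really came from that instance.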