ca

package
v0.0.0-...-120fae7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 16, 2017 License: Apache-2.0 Imports: 52 Imported by: 0

Documentation

Index

Constants

View Source 
const (

	// RootKeySize is the default size of the root CA key
	// It would be ideal for the root key to use P-384, but in P-384 is not optimized in go yet :(
	RootKeySize = 256
	// RootKeyAlgo defines the default algorithm for the root CA Key
	RootKeyAlgo = "ecdsa"
	// PassphraseENVVar defines the environment variable to look for the
	// root CA private key material encryption key
	PassphraseENVVar = "SWARM_ROOT_CA_PASSPHRASE"
	// PassphraseENVVarPrev defines the alternate environment variable to look for the
	// root CA private key material encryption key. It can be used for seamless
	// KEK rotations.
	PassphraseENVVarPrev = "SWARM_ROOT_CA_PASSPHRASE_PREV"
	// RootCAExpiration represents the default expiration for the root CA in seconds (20 years)
	RootCAExpiration = "630720000s"
	// DefaultNodeCertExpiration represents the default expiration for node certificates (3 months)
	DefaultNodeCertExpiration = 2160 * time.Hour
	// CertBackdate represents the amount of time each certificate is backdated to try to avoid
	// clock drift issues.
	CertBackdate = 1 * time.Hour
	// CertLowerRotationRange represents the minimum fraction of time that we will wait when randomly
	// choosing our next certificate rotation
	CertLowerRotationRange = 0.5
	// CertUpperRotationRange represents the maximum fraction of time that we will wait when randomly
	// choosing our next certificate rotation
	CertUpperRotationRange = 0.8
	// MinNodeCertExpiration represents the minimum expiration for node certificates
	MinNodeCertExpiration = 1 * time.Hour
)
View Source 
const (

	// DefaultRootCN represents the root CN that we should create roots CAs with by default
	DefaultRootCN = "swarm-ca"
	// ManagerRole represents the Manager node type, and is used for authorization to endpoints
	ManagerRole = "swarm-manager"
	// WorkerRole represents the Worker node type, and is used for authorization to endpoints
	WorkerRole = "swarm-worker"
	// CARole represents the CA node type, and is used for clients attempting to get new certificates issued
	CARole = "swarm-ca"
)

Variables

View Source 
var ErrNoExternalCAURLs = errors.New("no external CA URLs")

ErrNoExternalCAURLs is an error used it indicate that an ExternalCA is configured with no URLs to which it can proxy certificate signing requests.

View Source 
var ErrNoLocalRootCA = errors.New("local root CA certificate does not exist")

ErrNoLocalRootCA is an error type used to indicate that the local root CA certificate file does not exist.

View Source 
var ErrNoValidSigner = recoverableErr{/* contains filtered or unexported fields */}

ErrNoValidSigner is an error type used to indicate that our RootCA doesn't have the ability to sign certificates.

View Source 
var LocalRequestKey = localRequestKeyType{}

LocalRequestKey is a context key to mark a request that originating on the local node. The associated value is a RemoteNodeInfo structure describing the local node.

View Source 
var RenewTLSExponentialBackoff = events.ExponentialBackoffConfig{
	Base:   time.Second * 5,
	Factor: time.Minute,
	Max:    1 * time.Hour,
}

RenewTLSExponentialBackoff sets the exponential backoff when trying to renew TLS certificates that have expired

Functions

func AuthorizeForwardedRoleAndOrg 

func AuthorizeForwardedRoleAndOrg(ctx context.Context, authorizedRoles, forwarderRoles []string, org string, blacklistedCerts map[string]*api.BlacklistedCertificate) (string, error)

AuthorizeForwardedRoleAndOrg checks for proper roles and organization of caller. The RPC may have been proxied by a manager, in which case the manager is authenticated and so is the certificate information that it forwarded. It returns the node ID of the original client.

func AuthorizeOrgAndRole 

func AuthorizeOrgAndRole(ctx context.Context, org string, blacklistedCerts map[string]*api.BlacklistedCertificate, ou ...string) (string, error)

AuthorizeOrgAndRole takes in a context and a list of roles, and returns the Node ID of the node.

func DefaultCAConfig 

func DefaultCAConfig() api.CAConfig

DefaultCAConfig returns the default CA Config, with a default expiration.

func EncryptECPrivateKey 

func EncryptECPrivateKey(key []byte, passphraseStr string) ([]byte, error)

EncryptECPrivateKey receives a PEM encoded private key and returns an encrypted AES256 version using a passphrase TODO: Make this method generic to handle RSA keys

func FormatRole 

func FormatRole(role string) (api.NodeRole, error)

FormatRole parses an internal role string into an apiRole

func GenerateJoinToken 

func GenerateJoinToken(rootCA *RootCA) string

GenerateJoinToken creates a new join token.

func GenerateNewCSR 

func GenerateNewCSR() (csr, key []byte, err error)

GenerateNewCSR returns a newly generated key and CSR signed with said key

func GetAndValidateCertificateSubject 

func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error)

GetAndValidateCertificateSubject is a helper method to retrieve and validate the subject from the x509 certificate underlying a tls.Certificate

func GetRemoteSignedCertificate 

func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x509.CertPool, config CertificateRequestConfig) ([]byte, error)

GetRemoteSignedCertificate submits a CSR to a remote CA server address, and that is part of a CA identified by a specific certificate pool.

func LogTLSState 

func LogTLSState(ctx context.Context, tlsState *tls.ConnectionState)

LogTLSState logs information about the TLS connection and remote peers

func NewClientTLSConfig 

func NewClientTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool, serverName string) (*tls.Config, error)

NewClientTLSConfig returns a tls.Config configured for a TLS Client, given a tls.Certificate the PEM-encoded root CA Certificate, and the name of the remote server the client wants to connect to.

func NewServerTLSConfig 

func NewServerTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool) (*tls.Config, error)

NewServerTLSConfig returns a tls.Config configured for a TLS Server, given a tls.Certificate and the PEM-encoded root CA Certificate

func ParseRole 

func ParseRole(apiRole api.NodeRole) (string, error)

ParseRole parses an apiRole into an internal role string

func PrepareCSR 

func PrepareCSR(csrBytes []byte, cn, ou, org string) cfsigner.SignRequest

PrepareCSR creates a CFSSL Sign Request based on the given raw CSR and overrides the Subject and Hosts with the given extra args.

func RenewTLSConfig 

func RenewTLSConfig(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker, renew <-chan struct{}) <-chan CertificateUpdate

RenewTLSConfig will continuously monitor for the necessity of renewing the local certificates, either by issuing them locally if key-material is available, or requesting them from a remote CA.

func RenewTLSConfigNow 

func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker) error

RenewTLSConfigNow gets a new TLS cert and key, and updates the security config if provided. This is similar to RenewTLSConfig, except while that monitors for expiry, and periodically renews, this renews once and is blocking

func SigningPolicy 

func SigningPolicy(certExpiry time.Duration) *cfconfig.Signing

SigningPolicy creates a policy used by the signer to ensure that the only fields from the remote CSRs we trust are: PublicKey, PublicKeyAlgorithm and SignatureAlgorithm. It receives the duration a certificate will be valid for

func WithMetadataForwardTLSInfo 

func WithMetadataForwardTLSInfo(ctx context.Context) (context.Context, error)

WithMetadataForwardTLSInfo reads certificate from context and returns context where ForwardCert is set based on original certificate.

Types

type CertPaths 

type CertPaths struct {
	Cert, Key string
}

CertPaths is a helper struct that keeps track of the paths of a Cert and corresponding Key

type CertificateRequestConfig 

type CertificateRequestConfig struct {
	// Token is the join token that authenticates us with the CA.
	Token string
	// Availability allows a user to control the current scheduling status of a node
	Availability api.NodeSpec_Availability
	// ConnBroker provides connections to CAs.
	ConnBroker *connectionbroker.Broker
	// Credentials provides transport credentials for communicating with the
	// remote server.
	Credentials credentials.TransportCredentials
	// ForceRemote specifies that only a remote (TCP) connection should
	// be used to request the certificate. This may be necessary in cases
	// where the local node is running a manager, but is in the process of
	// being demoted.
	ForceRemote bool
}

CertificateRequestConfig contains the information needed to request a certificate from a remote CA.

type CertificateUpdate 

type CertificateUpdate struct {
	Role string
	Err  error
}

CertificateUpdate represents a change in the underlying TLS configuration being returned by a certificate renewal event.

type ErrInvalidKEK 

type ErrInvalidKEK struct {
	Wrapped error
}

ErrInvalidKEK means that we cannot decrypt the TLS key for some reason

func (ErrInvalidKEK) Error 

func (e ErrInvalidKEK) Error() string

type ExternalCA 

type ExternalCA struct {
	// contains filtered or unexported fields
}

ExternalCA is able to make certificate signing requests to one of a list remote CFSSL API endpoints.

func NewExternalCA 

func NewExternalCA(rootCA *RootCA, tlsConfig *tls.Config, urls ...string) *ExternalCA

NewExternalCA creates a new ExternalCA which uses the given tlsConfig to authenticate to any of the given URLS of CFSSL API endpoints.

func (*ExternalCA) Sign 

func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert []byte, err error)

Sign signs a new certificate by proxying the given certificate signing request to an external CFSSL API server.

func (*ExternalCA) UpdateTLSConfig 

func (eca *ExternalCA) UpdateTLSConfig(tlsConfig *tls.Config)

UpdateTLSConfig updates the HTTP Client for this ExternalCA by creating a new client which uses the given tlsConfig.

func (*ExternalCA) UpdateURLs 

func (eca *ExternalCA) UpdateURLs(urls ...string)

UpdateURLs updates the list of CSR API endpoints by setting it to the given urls.

type KEKData 

type KEKData struct {
	KEK     []byte
	Version uint64
}

KEKData provides an optional update to the kek when writing. The structure is needed so that we can tell the difference between "do not encrypt anymore" and there is "no update".

type KeyReadWriter 

type KeyReadWriter struct {
	// contains filtered or unexported fields
}

KeyReadWriter is an object that knows how to read and write TLS keys and certs to disk, optionally encrypted and optionally updating PEM headers.

func NewKeyReadWriter 

func NewKeyReadWriter(paths CertPaths, kek []byte, headersObj PEMKeyHeaders) *KeyReadWriter

NewKeyReadWriter creates a new KeyReadWriter

func (*KeyReadWriter) GetCurrentState 

func (k *KeyReadWriter) GetCurrentState() (PEMKeyHeaders, KEKData)

GetCurrentState returns the current KEK data, including version

func (*KeyReadWriter) Migrate 

func (k *KeyReadWriter) Migrate() error

Migrate checks to see if a temporary key file exists. Older versions of swarmkit wrote temporary keys instead of temporary certificates, so migrate that temporary key if it exists. We want to write temporary certificates, instead of temporary keys, because we may need to periodically re-encrypt the keys and modify the headers, and it's easier to have a single canonical key location than two possible key locations.

func (*KeyReadWriter) Read 

func (k *KeyReadWriter) Read() ([]byte, []byte, error)

Read will read a TLS cert and key from the given paths

func (*KeyReadWriter) Target 

func (k *KeyReadWriter) Target() string

Target returns a string representation of this KeyReadWriter, namely where it is writing to

func (*KeyReadWriter) ViewAndRotateKEK 

func (k *KeyReadWriter) ViewAndRotateKEK(cb func(KEKData, PEMKeyHeaders) (KEKData, PEMKeyHeaders, error)) error

ViewAndRotateKEK re-encrypts the key with a new KEK

func (*KeyReadWriter) ViewAndUpdateHeaders 

func (k *KeyReadWriter) ViewAndUpdateHeaders(cb func(PEMKeyHeaders) (PEMKeyHeaders, error)) error

ViewAndUpdateHeaders updates the header manager, and updates any headers on the existing key

func (*KeyReadWriter) Write 

func (k *KeyReadWriter) Write(certBytes, plaintextKeyBytes []byte, kekData *KEKData) error

Write attempts write a cert and key to text. This can also optionally update the KEK while writing, if an updated KEK is provided. If the pointer to the update KEK is nil, then we don't update. If the updated KEK itself is nil, then we update the KEK to be nil (data should be unencrypted).

type KeyReader 

type KeyReader interface {
	Read() ([]byte, []byte, error)
	Target() string
}

KeyReader reads a TLS cert and key from disk

type KeyWriter 

type KeyWriter interface {
	Write([]byte, []byte, *KEKData) error
	ViewAndUpdateHeaders(func(PEMKeyHeaders) (PEMKeyHeaders, error)) error
	ViewAndRotateKEK(func(KEKData, PEMKeyHeaders) (KEKData, PEMKeyHeaders, error)) error
	GetCurrentState() (PEMKeyHeaders, KEKData)
	Target() string
}

KeyWriter writes a TLS key and cert to disk

type MutableTLSCreds 

type MutableTLSCreds struct {
	// Mutex for the tls config
	sync.Mutex
	// contains filtered or unexported fields
}

MutableTLSCreds is the credentials required for authenticating a connection using TLS.

func NewMutableTLS 

func NewMutableTLS(c *tls.Config) (*MutableTLSCreds, error)

NewMutableTLS uses c to construct a mutable TransportCredentials based on TLS.

func (*MutableTLSCreds) ClientHandshake 

func (c *MutableTLSCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)

ClientHandshake implements the credentials.TransportCredentials interface

func (*MutableTLSCreds) Clone 

func (c *MutableTLSCreds) Clone() credentials.TransportCredentials

Clone returns new MutableTLSCreds created from underlying *tls.Config. It panics if validation of underlying config fails.

func (*MutableTLSCreds) Config 

func (c *MutableTLSCreds) Config() *tls.Config

Config returns the current underlying TLS config.

func (*MutableTLSCreds) GetRequestMetadata 

func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata implements the credentials.TransportCredentials interface

func (*MutableTLSCreds) Info 

func (c *MutableTLSCreds) Info() credentials.ProtocolInfo

Info implements the credentials.TransportCredentials interface

func (*MutableTLSCreds) LoadNewTLSConfig 

func (c *MutableTLSCreds) LoadNewTLSConfig(newConfig *tls.Config) error

LoadNewTLSConfig replaces the currently loaded TLS config with a new one

func (*MutableTLSCreds) NodeID 

func (c *MutableTLSCreds) NodeID() string

NodeID returns the CN for the certificate encapsulated in this TransportCredentials

func (*MutableTLSCreds) Organization 

func (c *MutableTLSCreds) Organization() string

Organization returns the O for the certificate encapsulated in this TransportCredentials

func (*MutableTLSCreds) OverrideServerName 

func (c *MutableTLSCreds) OverrideServerName(name string) error

OverrideServerName overrides *tls.Config.ServerName.

func (*MutableTLSCreds) RequireTransportSecurity 

func (c *MutableTLSCreds) RequireTransportSecurity() bool

RequireTransportSecurity implements the credentials.TransportCredentials interface

func (*MutableTLSCreds) Role 

func (c *MutableTLSCreds) Role() string

Role returns the OU for the certificate encapsulated in this TransportCredentials

func (*MutableTLSCreds) ServerHandshake 

func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)

ServerHandshake implements the credentials.TransportCredentials interface

type PEMKeyHeaders 

type PEMKeyHeaders interface {
	// UnmarshalHeaders loads the headers map given the current KEK
	UnmarshalHeaders(map[string]string, KEKData) (PEMKeyHeaders, error)
	// MarshalHeaders returns a header map given the current KEK
	MarshalHeaders(KEKData) (map[string]string, error)
	// UpdateKEK may get a new PEMKeyHeaders if the KEK changes
	UpdateKEK(KEKData, KEKData) PEMKeyHeaders
}

PEMKeyHeaders is something that needs to know about PEM headers when reading or writing TLS keys.

type RemoteNodeInfo 

type RemoteNodeInfo struct {
	// Roles is a list of roles contained in the node's certificate
	// (or forwarded by a trusted node).
	Roles []string

	// Organization is the organization contained in the node's certificate
	// (or forwarded by a trusted node).
	Organization string

	// NodeID is the node's ID, from the CN field in its certificate
	// (or forwarded by a trusted node).
	NodeID string

	// ForwardedBy contains information for the node that forwarded this
	// request. It is set to nil if the request was received directly.
	ForwardedBy *RemoteNodeInfo

	// RemoteAddr is the address that this node is connecting to the cluster
	// from.
	RemoteAddr string
}

RemoteNodeInfo describes a node sending an RPC request.

func RemoteNode 

func RemoteNode(ctx context.Context) (RemoteNodeInfo, error)

RemoteNode returns the node ID and role from the client's TLS certificate. If the RPC was forwarded, the original client's ID and role is returned, as well as the forwarder's ID. This function does not do authorization checks - it only looks up the node ID.

type RootCA 

type RootCA struct {
	// Key will only be used by the original manager to put the private
	// key-material in raft, no signing operations depend on it.
	Key []byte
	// Cert includes the PEM encoded Certificate for the Root CA
	Cert []byte
	Pool *x509.CertPool
	// Digest of the serialized bytes of the certificate
	Digest digest.Digest
	// This signer will be nil if the node doesn't have the appropriate key material
	Signer cfsigner.Signer
}

RootCA is the representation of everything we need to sign certificates

func CreateRootCA 

func CreateRootCA(rootCN string, paths CertPaths) (RootCA, error)

CreateRootCA creates a Certificate authority for a new Swarm Cluster, potentially overwriting any existing CAs.

func DownloadRootCA 

func DownloadRootCA(ctx context.Context, paths CertPaths, token string, connBroker *connectionbroker.Broker) (RootCA, error)

DownloadRootCA tries to retrieve a remote root CA and matches the digest against the provided token.

func GetLocalRootCA 

func GetLocalRootCA(paths CertPaths) (RootCA, error)

GetLocalRootCA validates if the contents of the file are a valid self-signed CA certificate, and returns the PEM-encoded Certificate if so

func GetRemoteCA 

func GetRemoteCA(ctx context.Context, d digest.Digest, connBroker *connectionbroker.Broker) (RootCA, error)

GetRemoteCA returns the remote endpoint's CA certificate bundle

func NewRootCA 

func NewRootCA(certBytes, keyBytes []byte, certExpiry time.Duration) (RootCA, error)

NewRootCA creates a new RootCA object from unparsed PEM cert bundle and key byte slices. key may be nil, and in this case NewRootCA will return a RootCA without a signer.

func (*RootCA) CanSign 

func (rca *RootCA) CanSign() bool

CanSign ensures that the signer has all three necessary elements needed to operate

func (RootCA) CreateSecurityConfig 

func (rootCA RootCA) CreateSecurityConfig(ctx context.Context, krw *KeyReadWriter, config CertificateRequestConfig) (*SecurityConfig, error)

CreateSecurityConfig creates a new key and cert for this node, either locally or via a remote CA.

func (*RootCA) IssueAndSaveNewCertificates 

func (rca *RootCA) IssueAndSaveNewCertificates(kw KeyWriter, cn, ou, org string) (*tls.Certificate, error)

IssueAndSaveNewCertificates generates a new key-pair, signs it with the local root-ca, and returns a tls certificate

func (*RootCA) NewClientTLSCredentials 

func (rootCA *RootCA) NewClientTLSCredentials(cert *tls.Certificate, serverName string) (*MutableTLSCreds, error)

NewClientTLSCredentials returns GRPC credentials for a TLS GRPC client, given a tls.Certificate a PEM-Encoded root CA Certificate, and the name of the remote server the client wants to connect to.

func (*RootCA) NewServerTLSCredentials 

func (rootCA *RootCA) NewServerTLSCredentials(cert *tls.Certificate) (*MutableTLSCreds, error)

NewServerTLSCredentials returns GRPC credentials for a TLS GRPC client, given a tls.Certificate a PEM-Encoded root CA Certificate, and the name of the remote server the client wants to connect to.

func (*RootCA) ParseValidateAndSignCSR 

func (rca *RootCA) ParseValidateAndSignCSR(csrBytes []byte, cn, ou, org string) ([]byte, error)

ParseValidateAndSignCSR returns a signed certificate from a particular rootCA and a CSR.

func (*RootCA) RequestAndSaveNewCertificates 

func (rca *RootCA) RequestAndSaveNewCertificates(ctx context.Context, kw KeyWriter, config CertificateRequestConfig) (*tls.Certificate, error)

RequestAndSaveNewCertificates gets new certificates issued, either by signing them locally if a signer is available, or by requesting them from the remote server at remoteAddr.

type SecurityConfig 

type SecurityConfig struct {
	ServerTLSCreds *MutableTLSCreds
	ClientTLSCreds *MutableTLSCreds
	// contains filtered or unexported fields
}

SecurityConfig is used to represent a node's security configuration. It includes information about the RootCA and ServerTLSCreds/ClientTLSCreds transport authenticators to be used for MTLS

func LoadSecurityConfig 

func LoadSecurityConfig(ctx context.Context, rootCA RootCA, krw *KeyReadWriter, allowExpired bool) (*SecurityConfig, error)

LoadSecurityConfig loads TLS credentials from disk, or returns an error if these credentials do not exist or are unusable.

func NewSecurityConfig 

func NewSecurityConfig(rootCA *RootCA, krw *KeyReadWriter, clientTLSCreds, serverTLSCreds *MutableTLSCreds) *SecurityConfig

NewSecurityConfig initializes and returns a new SecurityConfig.

func (*SecurityConfig) KeyReader 

func (s *SecurityConfig) KeyReader() KeyReader

KeyReader returns the object that can read keys from disk

func (*SecurityConfig) KeyWriter 

func (s *SecurityConfig) KeyWriter() KeyWriter

KeyWriter returns the object that can write keys to disk

func (*SecurityConfig) RootCA 

func (s *SecurityConfig) RootCA() *RootCA

RootCA returns the root CA.

func (*SecurityConfig) UpdateRootCA 

func (s *SecurityConfig) UpdateRootCA(cert, key []byte, certExpiry time.Duration) error

UpdateRootCA replaces the root CA with a new root CA based on the specified certificate, key, and the number of hours the certificates issue should last.

type SecurityConfigPaths 

type SecurityConfigPaths struct {
	Node, RootCA CertPaths
}

SecurityConfigPaths is used as a helper to hold all the paths of security relevant files

func NewConfigPaths 

func NewConfigPaths(baseCertDir string) *SecurityConfigPaths

NewConfigPaths returns the absolute paths to all of the different types of files

type Server 

type Server struct {
	// contains filtered or unexported fields
}

Server is the CA and NodeCA API gRPC server. TODO(aaronl): At some point we may want to have separate implementations of CA, NodeCA, and other hypothetical future CA services. At the moment, breaking it apart doesn't seem worth it.

func NewServer 

func NewServer(store *store.MemoryStore, securityConfig *SecurityConfig) *Server

NewServer creates a CA API server.

func (*Server) GetRootCACertificate 

func (s *Server) GetRootCACertificate(ctx context.Context, request *api.GetRootCACertificateRequest) (*api.GetRootCACertificateResponse, error)

GetRootCACertificate returns the certificate of the Root CA. It is used as a convenience for distributing the root of trust for the swarm. Clients should be using the CA hash to verify if they weren't target to a MiTM. If they fail to do so, node bootstrap works with TOFU semantics.

func (*Server) GetUnlockKey 

func (s *Server) GetUnlockKey(ctx context.Context, request *api.GetUnlockKeyRequest) (*api.GetUnlockKeyResponse, error)

GetUnlockKey is responsible for returning the current unlock key used for encrypting TLS private keys and other at rest data. Access to this RPC call should only be allowed via mutual TLS from managers.

func (*Server) IssueNodeCertificate 

func (s *Server) IssueNodeCertificate(ctx context.Context, request *api.IssueNodeCertificateRequest) (*api.IssueNodeCertificateResponse, error)

IssueNodeCertificate is responsible for gatekeeping both certificate requests from new nodes in the swarm, and authorizing certificate renewals. If a node presented a valid certificate, the corresponding certificate is set in a RENEW state. If a node failed to present a valid certificate, we check for a valid join token and set the role accordingly. A new random node ID is generated, and the corresponding node entry is created. IssueNodeCertificate is the only place where new node entries to raft should be created.

func (*Server) NodeCertificateStatus 

func (s *Server) NodeCertificateStatus(ctx context.Context, request *api.NodeCertificateStatusRequest) (*api.NodeCertificateStatusResponse, error)

NodeCertificateStatus returns the current issuance status of an issuance request identified by the nodeID

func (*Server) Ready 

func (s *Server) Ready() <-chan struct{}

Ready waits on the ready channel and returns when the server is ready to serve.

func (*Server) Run 

func (s *Server) Run(ctx context.Context) error

Run runs the CA signer main loop. The CA signer can be stopped with cancelling ctx or calling Stop().

func (*Server) SetReconciliationRetryInterval 

func (s *Server) SetReconciliationRetryInterval(reconciliationRetryInterval time.Duration)

SetReconciliationRetryInterval changes the time interval between reconciliation attempts. This function must be called before Run.

func (*Server) Stop 

func (s *Server) Stop() error

Stop stops the CA and closes all grpc streams.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.