Documentation ¶
Overview ¶
Package trustee handles Trustee KBS deployment and management.
Index ¶
- func ConvertDockercfgToDockerConfigJSON(dockercfgData []byte) ([]byte, error)
- func DefaultAuthDir(override string) (string, error)
- func Deploy(ctx context.Context, clientset kubernetes.Interface, cfg *Config) error
- func GetKBSKeyName(secretKey string) string
- func GetKBSPodName(ctx context.Context, clientset kubernetes.Interface, namespace string) (string, error)
- func GetServiceURL(namespace, serviceName string) string
- func IsDeployed(ctx context.Context, clientset kubernetes.Interface, namespace string) (bool, error)
- func NewClientWithPortForward(ctx context.Context, restConfig *rest.Config, clientset kubernetes.Interface, ...) (*kbsclient.Client, func(), error)
- func NewClientWithPortForwardFromPEM(ctx context.Context, restConfig *rest.Config, clientset kubernetes.Interface, ...) (*kbsclient.Client, func(), error)
- func UploadResource(ctx context.Context, client *kbsclient.Client, resourcePath string, ...) error
- func UploadResources(ctx context.Context, client *kbsclient.Client, resources map[string][]byte) error
- func WaitForKBSReady(ctx context.Context, clientset kubernetes.Interface, namespace string) error
- type Config
- type DockerAuthEntry
- type DockerConfig
- type SecretResource
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConvertDockercfgToDockerConfigJSON ¶ added in v0.8.0
func ConvertDockercfgToDockerConfigJSON(dockercfgData []byte) ([]byte, error)
ConvertDockercfgToDockerConfigJSON converts the old .dockercfg format to the .dockerconfigjson format.
The .dockercfg format is:
{ "registry": { "auth": "...", "email": "..." } }
The .dockerconfigjson format is:
{ "auths": { "registry": { "auth": "...", "email": "..." } } }
func DefaultAuthDir ¶ added in v0.13.0
func DefaultAuthDir(override string) (string, error)
DefaultAuthDir returns the resolved, cleaned KBS auth directory. If override is empty it defaults to ~/.kube/coco-kbs-auth. A leading ~ in override is expanded to the user's home directory.
func Deploy ¶
func Deploy(ctx context.Context, clientset kubernetes.Interface, cfg *Config) error
Deploy deploys the Trustee all-in-one KBS to the specified namespace. cfg.RESTConfig must be set; it is used to port-forward to the KBS pod so that the admin HTTP API can be called without requiring an externally reachable service URL.
func GetKBSKeyName ¶ added in v0.8.0
func GetKBSKeyName(secretKey string) string
GetKBSKeyName returns the KBS key name for a given secret key. This centralizes the logic for determining what key name will be used in KBS, handling both format conversion (.dockercfg -> .dockerconfigjson) and key name normalization (stripping leading dots).
This function should be used consistently when:
- Building KBS URIs for initdata
- Uploading secrets to KBS
Returns the final key name that will be used in the KBS repository.
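The two rules above (convert .dockercfg to .dockerconfigjson, then strip leading dots) interact when a whole Secret's data map is pushed to KBS: two keys can normalize to the same name, and an already-converted file must not be wrapped a second time. The following is an added example that reimplements the documented behaviour of ConvertDockercfgToDockerConfigJSON and GetKBSKeyName for illustration; it is not the package's own code, and its handling of inputs the page does not mention (empty registry names, missing auth, name collisions) is an assumption. The sample credentials are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// dockerAuthEntry is one registry entry; the shape is the same in both
// Docker config formats.
type dockerAuthEntry struct {
	Auth  string `json:"auth,omitempty"`
	Email string `json:"email,omitempty"`
}

// dockerConfigJSON is the .dockerconfigjson layout: entries nested under "auths".
type dockerConfigJSON struct {
	Auths map[string]dockerAuthEntry `json:"auths"`
}

// convertDockercfg converts legacy .dockercfg bytes (a bare registry -> entry
// map) into .dockerconfigjson bytes. It refuses input that already carries an
// "auths" key, so a second pass cannot wrap the file again and produce a
// registry literally named "auths". (Illustrative reimplementation.)
func convertDockercfg(dockercfg []byte) ([]byte, error) {
	var legacy map[string]dockerAuthEntry
	if err := json.Unmarshal(dockercfg, &legacy); err != nil {
		return nil, fmt.Errorf("parse .dockercfg: %w", err)
	}
	if _, wrapped := legacy["auths"]; wrapped {
		return nil, fmt.Errorf("input already looks like .dockerconfigjson")
	}
	for registry, entry := range legacy {
		if strings.TrimSpace(registry) == "" || entry.Auth == "" {
			return nil, fmt.Errorf("registry %q: missing auth", registry)
		}
	}
	return json.Marshal(dockerConfigJSON{Auths: legacy})
}

// kbsKeyName applies the two rules this page documents for GetKBSKeyName:
// ".dockercfg" is renamed to its converted form ".dockerconfigjson", and any
// leading dots are stripped. Behaviour for other inputs is assumed.
func kbsKeyName(secretKey string) string {
	if secretKey == ".dockercfg" {
		secretKey = ".dockerconfigjson"
	}
	return strings.TrimLeft(secretKey, ".")
}

// prepareSecretData maps a Kubernetes Secret's data (key -> bytes) to the key
// names and contents that would be pushed to KBS, converting .dockercfg on
// the way. Two keys that normalize to the same KBS name are an error rather
// than a silent overwrite.
func prepareSecretData(data map[string][]byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	for key, value := range data {
		name := kbsKeyName(key)
		if name == "" {
			return nil, fmt.Errorf("secret key %q normalizes to an empty KBS key name", key)
		}
		if _, dup := out[name]; dup {
			return nil, fmt.Errorf("secret keys collide on KBS key name %q", name)
		}
		if key == ".dockercfg" {
			converted, err := convertDockercfg(value)
			if err != nil {
				return nil, err
			}
			value = converted
		}
		out[name] = value
	}
	return out, nil
}

func main() {
	// Constructed sample: a legacy .dockercfg with one registry (fake credentials).
	legacy := []byte(`{"quay.io":{"auth":"dXNlcjpwYXNz","email":"ci@example.com"}}`)
	out, err := prepareSecretData(map[string][]byte{".dockercfg": legacy, "tls.crt": []byte("PEM")})
	if err != nil {
		panic(err)
	}
	for name, value := range out {
		fmt.Printf("%s => %s\n", name, value)
	}
}
```

The collision check matters because the same normalized name is what GetKBSKeyName also produces when building the initdata URI; if two Secret keys collapse to one KBS name, the guest would fetch whichever was uploaded last.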
func GetKBSPodName ¶ added in v0.6.0
func GetKBSPodName(ctx context.Context, clientset kubernetes.Interface, namespace string) (string, error)
GetKBSPodName retrieves the name of the KBS pod in the specified namespace.
func GetServiceURL ¶
func GetServiceURL(namespace, serviceName string) string
GetServiceURL returns the URL of the deployed Trustee KBS service.
func IsDeployed ¶
func IsDeployed(ctx context.Context, clientset kubernetes.Interface, namespace string) (bool, error)
IsDeployed checks whether Trustee is already running in the namespace.
func NewClientWithPortForward ¶ added in v0.13.0
func NewClientWithPortForward(ctx context.Context, restConfig *rest.Config, clientset kubernetes.Interface, namespace, authDir string) (*kbsclient.Client, func(), error)
NewClientWithPortForward creates a kbsclient.Client connected to the KBS pod via a temporary port-forward. The caller must invoke the returned stop function when done to release the port-forward. ctx bounds only the port-forward handshake; subsequent HTTP calls use the kbsclient's own per-request timeout.
authDir is the directory containing private.key (the Ed25519 key written during init). If empty, DefaultAuthDir is used.
func NewClientWithPortForwardFromPEM ¶ added in v0.13.0
func NewClientWithPortForwardFromPEM(ctx context.Context, restConfig *rest.Config, clientset kubernetes.Interface, namespace string, privateKeyPEM []byte) (*kbsclient.Client, func(), error)
NewClientWithPortForwardFromPEM creates a kbsclient.Client connected to the KBS pod via a temporary port-forward, using a caller-supplied PEM-encoded Ed25519 private key instead of reading it from an auth directory. Use this when the key has already been loaded from an explicit path (e.g. via --auth-key). The caller must invoke the returned stop function when done. ctx bounds only the port-forward handshake.
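Both constructors above hand back a stop function and bound only the handshake with ctx, which leaves two easy mistakes to the caller: forgetting stop on an error path (leaking the port-forward) and reusing a short handshake deadline for the uploads that follow. The wrapper below is an added example, not part of this package, that enforces both rules for any constructor with the (client, stop, error) shape. The generic parameter C stands in for *kbsclient.Client, and fakeForward is a constructed stand-in for the real port-forward so the code runs without a cluster.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// withKBSClient opens a port-forwarded client through open, runs use, and
// guarantees stop is called exactly once whenever the forward was established,
// including when use returns an error. handshakeTimeout bounds only the
// handshake, matching the documented contract; use receives the parent
// context so per-request deadlines stay with the client itself.
func withKBSClient[C any](
	parent context.Context,
	handshakeTimeout time.Duration,
	open func(ctx context.Context) (C, func(), error),
	use func(ctx context.Context, client C) error,
) error {
	hsCtx, cancel := context.WithTimeout(parent, handshakeTimeout)
	// Deferred first, so it runs after stop(): the handshake context is kept
	// alive for the whole session in case an implementation ties the
	// forwarder's lifetime to it (an assumption made to be safe either way).
	defer cancel()

	client, stop, err := open(hsCtx)
	if err != nil {
		return fmt.Errorf("port-forward to KBS: %w", err)
	}
	defer stop()

	return use(parent, client)
}

// fakeForward is a constructed stand-in for the real port-forward. It sleeps
// for the configured handshake time, honours ctx cancellation, and counts
// how often its stop function was invoked.
type fakeForward struct {
	handshake time.Duration
	stopCalls int
}

func (f *fakeForward) open(ctx context.Context) (string, func(), error) {
	select {
	case <-time.After(f.handshake):
		return "kbs-client", func() { f.stopCalls++ }, nil
	case <-ctx.Done():
		return "", nil, ctx.Err()
	}
}

func main() {
	fw := &fakeForward{handshake: 5 * time.Millisecond}
	err := withKBSClient[string](context.Background(), time.Second, fw.open,
		func(ctx context.Context, c string) error {
			return errors.New("upload rejected")
		})
	fmt.Printf("err=%v stopCalls=%d\n", err, fw.stopCalls)

	slow := &fakeForward{handshake: time.Second}
	err = withKBSClient[string](context.Background(), 10*time.Millisecond, slow.open,
		func(ctx context.Context, c string) error { return nil })
	fmt.Printf("timeout err=%v stopCalls=%d\n", err, slow.stopCalls)
}
```

With the real package, open would be a closure around NewClientWithPortForward or NewClientWithPortForwardFromPEM and use would perform the UploadResources calls.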
func UploadResource ¶ added in v0.6.0
func UploadResource(ctx context.Context, client *kbsclient.Client, resourcePath string, data []byte) error
UploadResource uploads a single resource to Trustee KBS via the KBS admin HTTP API. The resourcePath should be relative (e.g., "default/sidecar-tls/server-cert"). The data is the raw bytes to upload.
func UploadResources ¶ added in v0.6.0
func UploadResources(ctx context.Context, client *kbsclient.Client, resources map[string][]byte) error
UploadResources uploads multiple resources to Trustee KBS via the KBS admin HTTP API. Each resource is specified as a map entry where key is the resource path (e.g., "default/sidecar-tls/server-cert") and value is the data bytes.
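The resource path is the one piece of caller-controlled input that both upload functions pass straight to the admin API, so it is worth checking client-side before anything is written. The following is an added example, not the package's own code: it parses a path into the three segments the page's example ("default/sidecar-tls/server-cert") shows, rejects absolute paths and "." / ".." segments, and validates a whole UploadResources-style batch before any upload so one bad entry cannot leave the batch half-applied. The segment alphabet is an assumption that may be stricter than the server accepts, and the kbs:/// URI form is Trustee's resource-reference convention, not something stated on this page. The sample payloads are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// kbsResourcePath is a resource path split into the three segments Trustee
// uses: repository/type/tag, e.g. "default/sidecar-tls/server-cert".
type kbsResourcePath struct {
	Repository, Type, Tag string
}

// segmentRe is this example's allowed segment alphabet. It is deliberately
// conservative (assumption) and may be stricter than the KBS server accepts.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// parseResourcePath accepts only the relative three-segment form. Absolute
// paths, empty segments and "." / ".." segments are rejected before anything
// reaches the admin API, so a malformed path cannot land in an unexpected
// repository or be silently normalized server-side.
func parseResourcePath(p string) (kbsResourcePath, error) {
	if strings.HasPrefix(p, "/") {
		return kbsResourcePath{}, fmt.Errorf("resource path %q must be relative", p)
	}
	parts := strings.Split(p, "/")
	if len(parts) != 3 {
		return kbsResourcePath{}, fmt.Errorf("resource path %q must have exactly three segments (repository/type/tag)", p)
	}
	for _, seg := range parts {
		if seg == "." || seg == ".." || !segmentRe.MatchString(seg) {
			return kbsResourcePath{}, fmt.Errorf("resource path %q: invalid segment %q", p, seg)
		}
	}
	return kbsResourcePath{Repository: parts[0], Type: parts[1], Tag: parts[2]}, nil
}

func (r kbsResourcePath) String() string {
	return r.Repository + "/" + r.Type + "/" + r.Tag
}

// InitdataURI renders the path in the kbs:/// form used to reference a
// resource from guest initdata (assumed Trustee convention).
func (r kbsResourcePath) InitdataURI() string {
	return "kbs:///" + r.String()
}

// validateResources checks every entry of an UploadResources-style map before
// any upload. Empty payloads are refused because an empty secret is almost
// always a packaging mistake rather than an intended value.
func validateResources(resources map[string][]byte) error {
	for path, data := range resources {
		if _, err := parseResourcePath(path); err != nil {
			return err
		}
		if len(data) == 0 {
			return fmt.Errorf("resource %q: empty payload", path)
		}
	}
	return nil
}

func main() {
	// Constructed batch; the values stand in for real key material.
	batch := map[string][]byte{
		"default/sidecar-tls/server-cert": []byte("-----BEGIN CERTIFICATE-----..."),
		"default/sidecar-tls/server-key":  []byte("-----BEGIN PRIVATE KEY-----..."),
	}
	if err := validateResources(batch); err != nil {
		panic(err)
	}
	for p := range batch {
		r, _ := parseResourcePath(p)
		fmt.Println(r.InitdataURI())
	}
}
```

Call validateResources on the map before handing it to UploadResources; the parsed repository/type/tag can then be reused to build the matching initdata reference so the guest looks up exactly the path that was uploaded.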
func WaitForKBSReady ¶ added in v0.6.0
func WaitForKBSReady(ctx context.Context, clientset kubernetes.Interface, namespace string) error
WaitForKBSReady waits for a KBS pod to reach the Ready condition using the Kubernetes watch API. It re-lists and re-watches if the API server closes the watch channel normally. The caller is responsible for setting a deadline on ctx if a hard timeout is required.
Types ¶
type Config ¶
type Config struct {
Namespace string
ServiceName string
KBSImage string
PCCSURL string
Secrets []SecretResource
// RESTConfig is required for port-forwarding to the KBS pod during Deploy.
RESTConfig *rest.Config
// AuthDir is the directory where the generated KBS admin private key is
// persisted for later use by 'kbs populate'. If empty, defaults to
// ~/.kube/coco-kbs-auth (resolved via DefaultAuthDir).
AuthDir string
}
Config holds Trustee deployment configuration.
type DockerAuthEntry ¶ added in v0.8.0
type DockerAuthEntry struct {
Auth string `json:"auth,omitempty"`
Email string `json:"email,omitempty"`
}
DockerAuthEntry represents an auth entry in the Docker config.
type DockerConfig ¶ added in v0.8.0
type DockerConfig struct {
Auths map[string]DockerAuthEntry `json:"auths"`
}
DockerConfig represents the new .dockerconfigjson format.
type SecretResource ¶
SecretResource represents a secret to be stored in KBS.
func ParseSecretSpec ¶
func ParseSecretSpec(spec string) (*SecretResource, error)
ParseSecretSpec parses a secret specification and reads the file it refers to.