cli

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 13, 2026 License: MIT Imports: 34 Imported by: 0

Documentation

Index

Constants

View Source 
const DefaultAdminUsername = "admin"

DefaultAdminUsername is the username assigned to the auto-seeded admin operator.

Variables

This section is empty.

Functions

func APIKeyCreate 

func APIKeyCreate(serverURL, apiKey, operatorID, name string) error

APIKeyCreate creates a new per-operator API key. The plaintext key is printed once.

func APIKeyRevoke 

func APIKeyRevoke(serverURL, apiKey, operatorID, keyID string) error

APIKeyRevoke revokes an existing per-operator API key.

func CACreate 

func CACreate(serverURL, apiKey, name, duration string) error

CACreate creates a new CA via the API.

func CADelete 

func CADelete(serverURL, apiKey, id string) error

CADelete deletes a CA by id. Fails if any network still references it.

func CAList 

func CAList(serverURL, apiKey string) error

CAList prints the CAs visible to the caller.

func CARotate 

func CARotate(serverURL, apiKey, id string) error

CARotate rotates a CA via the API.

func HashAPIKey 

func HashAPIKey(key string) string

HashAPIKey hashes an API key for storage. Used by both bootstrap and the API auth middleware so the same algorithm is applied on insert and lookup.

func HostBlock 

func HostBlock(serverURL, apiKey, hostID string) error

HostBlock blocks a host via the API.

func HostCreate 

func HostCreate(serverURL, apiKey, networkID, name, nebulaIP, role string, groups []string, publicIP string, listenPort int) error

HostCreate creates a host via the API.

func HostDelete 

func HostDelete(serverURL, apiKey, hostID string) error

HostDelete deletes a host via the API.

func HostList 

func HostList(serverURL, apiKey, networkID string) error

HostList lists hosts via the API.

func HostUnblock 

func HostUnblock(serverURL, apiKey, hostID string) error

HostUnblock unblocks a host via the API. The host is moved back to pending and must re-enroll to obtain a new certificate.

func Init 

func Init(configPath string) error

Init initializes the management server: creates CA, generates API key, and initializes the database. configPath is required — the generated API key is written back to this file.

func NetworkCreate 

func NetworkCreate(serverURL, apiKey, name, cidr string) error

NetworkCreate creates a network via the API.

func NetworkList 

func NetworkList(serverURL, apiKey string) error

NetworkList lists networks via the API.

func OpsBackup added in v0.5.0 

func OpsBackup(configPath, outputPath, passphrase, appVersion string) error

OpsBackup writes a consistent snapshot of the control-plane database referenced by configPath to outputPath. When passphrase is non-empty the archive is encrypted. appVersion is recorded in the manifest. The master key is intentionally not included — restore requires the operator to supply it.

func OpsMintAdminKey 

func OpsMintAdminKey(configPath string) error

OpsMintAdminKey opens the SQLite store referenced by configPath, looks up the admin operator by DefaultAdminUsername, mints a fresh operator_api_keys row with a SHA-256 hashed plaintext, records an audit entry, and prints the plaintext to stdout once. Used for break-glass recovery when the initial admin key is lost.

func OpsRestore added in v0.5.0 

func OpsRestore(configPath, inputPath, passphrase string, force bool) error

OpsRestore restores a backup archive into the data dir referenced by configPath. It refuses to overwrite an existing live database unless force is set (in which case the current DB is moved aside). After restoring it runs migrations forward and verifies the master key can decrypt every restored CA, failing loudly on mismatch rather than at first signing.

func SeedAdminOperator 

func SeedAdminOperator(ctx context.Context, s store.Store, uiPassword, apiKey string) (bool, error)

SeedAdminOperator creates the initial admin operator from the configured password and API key when no operators exist yet. It is safe to call on every startup: it is idempotent and a no-op if the operators table is already populated. Either uiPassword or apiKey may be empty.

When apiKey is non-empty it is hashed and stored as the admin's first operator API key. The apiKey value comes from the caller (Init generates it inline; Serve passes ""), not from a persisted config field. Runtime auth via bearerAuth middleware authenticates exclusively through operator_api_keys.

The empty-table check and the inserts are delegated to the store as a single atomic operation (SeedInitialAdminOperator). Two concurrent first-boot invocations therefore cannot both seed an admin row: the race-loser's conditional INSERT sees a non-empty operators table and returns (false, nil) without writing.

It returns true if this call performed the seed so the caller can log it.

func Serve 

func Serve(configPath string, insecureHTTP bool) error

Serve starts the management server.

func UserCreate 

func UserCreate(serverURL, apiKey, username, password, displayName, role string) error

UserCreate creates a new operator via the API.

func UserDisable 

func UserDisable(serverURL, apiKey, id string) error

UserDisable disables an operator via the API. Their sessions are invalidated and API keys revoked atomically.

func UserEnable 

func UserEnable(serverURL, apiKey, id string) error

UserEnable re-enables a disabled operator.

func UserList 

func UserList(serverURL, apiKey string) error

UserList lists operators via the API.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.