rotation

package
v0.2.10 Latest
Published: Feb 6, 2024 License: MPL-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RotateNodeCredentials

RotateNodeCredentials accepts a request containing an encrypted fetch node credentials request and expects to be able to decrypt it via the key ID from the contained value. If valid, the credentials contained in the request will be registered to the system as valid credentials.

Note that unlike RotateRootCertificates, where ownership of the roots belongs to this library, this is not a method that does nothing if it is not time to rotate. The node owns its credentials and should track when it's time to rotate and initiate rotation at that time.

Although WithState is not explicitly supported, keep in mind that State will be transferred to the new NodeInformation. This fact can be used to match the new credentials to an external ID corresponding to the current credentials.

Supported options: WithStorageWrapper/WithRandomReader/WithNotBeforeClockSkew/WithNotAfterClockSkew (passed through to AuthorizeNode and others), WithLogger

func RotateRootCertificates

func RotateRootCertificates(ctx context.Context, storage nodeenrollment.Storage, opt ...nodeenrollment.Option) (*types.RootCertificates, error)

RotateRootCertificates generates roots: private keys and self-signed CA root certificates. At the end of this function, there should always be two certificates in existence. How we get there depends on the current state; see the switch statement below.

If things seem off in a way that this function should not allow to occur (for instance, one root is missing, or timing is weird), err on the side of failing secure and redo the roots.

It is safe to call this periodically; if the current root is still valid and no issues are detected with next, nothing will change.

Supported options: WithRandomReader, WithCertificateLifetime, WithStorageWrapper (passed through to LoadRootCertificates and RootCertificates.Store), WithSkipStorage, WithNotBeforeClockSkew, WithNotAfterClockSkew, WithReinitializeRoots, WithLogger

Note that WithNotAfterClockSkew is cumulative with WithCertificateLifetime.
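The current/next root pair and the "do nothing unless it is time, fail secure if the pair looks wrong" behaviour described above, as an added stand-alone model (not the nodeenrollment library's own code or types). It assumes a simple schedule of its own: the next root activates half a lifetime after the current one, and rotation promotes next once it becomes valid; the library's exact timing is not claimed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Roots stands in for the library's pair of CA roots (not the library's own type).
type Roots struct{ Current, Next *x509.Certificate }
// mintRoot creates a self-signed Ed25519 CA root valid from start; notAfterSkew
// is added on top of lifetime, mirroring the cumulative behaviour noted above.
func mintRoot(start time.Time, lifetime, notAfterSkew time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(start.UnixNano()), Subject: pkix.Name{CommonName: "example-root"},
		NotBefore: start, NotAfter: start.Add(lifetime + notAfterSkew),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Rotate is safe to call periodically: a healthy pair is left alone until Next becomes valid,
// then Next is promoted; a missing, expired or out-of-order root fails secure and redoes both.
func Rotate(now time.Time, r Roots, lifetime, skew time.Duration) (Roots, string, error) {
	switch {
	case r.Current == nil || r.Next == nil || now.After(r.Current.NotAfter) ||
		!r.Next.NotAfter.After(r.Current.NotAfter):
		cur, err := mintRoot(now, lifetime, skew) // assumed schedule: Next activates at half life
		if err != nil {
			return r, "", err
		}
		nxt, err := mintRoot(now.Add(lifetime/2), lifetime, skew)
		return Roots{cur, nxt}, "reinitialized", err
	case !now.Before(r.Next.NotBefore):
		nxt, err := mintRoot(r.Next.NotBefore.Add(lifetime/2), lifetime, skew)
		return Roots{r.Next, nxt}, "rotated", err
	}
	return r, "unchanged", nil
}
```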

Types

This section is empty.
