type AdminPageData ¶ added in v0.0.3
// AdminPageData holds the data for the admin dashboard template.
type AdminPageData struct {
	// Stats is the aggregate view rendered on the dashboard; presumably
	// produced by Config.AdminTracker — confirm in the handler.
	Stats admin.Stats
	// Certs lists the tracked certificate records shown on the dashboard.
	Certs []admin.CertRecord
	// CurrentTime is the time at which the page was rendered, presumably so
	// the template can show relative ages/expiry — confirm.
	CurrentTime time.Time
	// LoggedIn reports whether the viewer has authenticated to the admin
	// pages (see Config.AdminToken). NOTE(review): the template is expected
	// to hide certificate details when this is false — confirm.
	LoggedIn bool
	// Error is a message for the template to display; empty when there is
	// nothing to report. NOTE(review): if this can carry request-derived
	// text, verify the page is rendered with html/template (auto-escaped)
	// rather than text/template.
	Error string
}
AdminPageData holds the data for the admin dashboard template.
type CertResponse ¶
// CertResponse is the JSON response returned to clients after successful
// token exchange. It carries private key material (Key), so the exchange
// endpoint should only be reachable over TLS (see Config.Insecure) and the
// encoded body must never be written to logs or audit events.
type CertResponse struct {
	// CA is the CA certificate the client should trust for the Talos
	// endpoints; presumably PEM-encoded — confirm against the handler.
	CA string `json:"ca"`
	// Cert is the ephemeral client certificate issued for this exchange.
	Cert string `json:"cert"`
	// Key is the private key matching Cert. This is the sensitive part of
	// the response: it is handed to the client once and, assuming the server
	// does not retain it (confirm), cannot be recovered afterwards.
	Key string `json:"key"`
	// Endpoints are the Talos node endpoints the client should connect to
	// (see Config.Endpoints).
	Endpoints []string `json:"endpoints"`
	// TTL is the certificate lifetime in seconds, per the JSON name
	// "ttl_seconds". Config.CertTTL is a time.Duration; the conversion is
	// presumably done by the handler — confirm.
	TTL int `json:"ttl_seconds"`
}
CertResponse is the JSON response returned to clients after successful token exchange.
type Config ¶
// Config holds the configuration for the cert exchange server.
//
// Several fields are secrets or gate access to secrets (CA, ClientSecret,
// AdminToken, DataDir); keep them out of logs and version control.
type Config struct {
	// ListenAddr is the address to listen on (e.g. ":8443").
	ListenAddr string
	// CA is the parsed Talos CA used to sign ephemeral client certificates.
	// Its private key is the root of trust for every issued certificate.
	CA *certsign.CA
	// CertTTL is the lifetime of issued client certificates.
	CertTTL time.Duration
	// Roles are the Talos roles to assign to issued certificates.
	// Ignored when RBACMapper is non-nil (see below).
	Roles []string
	// IssuerURL is the OIDC provider issuer URL for token validation.
	IssuerURL string
	// ClientID is the expected OIDC client ID (audience).
	ClientID string
	// ClientSecret is the OIDC client secret, required for HS256-signed tokens.
	// HS256 is a shared-secret (HMAC) scheme: anyone holding this value can
	// mint tokens the server will accept, so protect it like the CA key and
	// prefer asymmetric (RS/ES) signing where the provider allows it.
	ClientSecret string
	// Endpoints are the Talos node endpoints to include in the response.
	Endpoints []string
	// TLSCertFile is the path to a TLS certificate file.
	// When set (together with TLSKeyFile), the server serves HTTPS with these certs.
	TLSCertFile string
	// TLSKeyFile is the path to a TLS private key file.
	TLSKeyFile string
	// Insecure, when true, serves plain HTTP without TLS.
	// A warning is logged at startup. Because CertResponse carries the
	// issued private key, plain HTTP exposes that key to anyone on the
	// network path; this is only defensible for local testing.
	Insecure bool
	// DataDir is an optional directory path for persisting the self-signed TLS
	// certificate across restarts. When set and the server is in self-signed mode,
	// the CA and server certificate are saved to this directory on first run and
	// reloaded on subsequent starts. When empty, certificates are generated in
	// memory and lost on restart.
	// NOTE(review): what is persisted presumably includes the self-signed CA's
	// private key; confirm the file/directory modes the server uses when
	// creating them.
	DataDir string
	// AuditLogger is an optional structured audit logger. When non-nil, the
	// server emits audit events for every authentication attempt and certificate
	// issuance.
	AuditLogger *audit.Logger
	// AdminToken, when set, protects the /admin/* endpoints with a bearer token.
	// NOTE(review): confirm the handler's behaviour when this is empty (the
	// endpoints should be disabled rather than open) and that the comparison
	// is constant-time.
	AdminToken string
	// AdminTracker is the in-memory tracker for issued certs and stats.
	// When non-nil, the /admin/certs and /admin/stats endpoints are enabled.
	AdminTracker *admin.Tracker
	// RateLimiter is an optional rate limiter for the /exchange endpoint.
	// When non-nil, requests are rate-limited per IP. NOTE(review): the
	// effectiveness of per-IP limiting depends on how the client IP is
	// derived (RemoteAddr vs. proxy headers) — confirm in the handler.
	RateLimiter *ratelimit.Limiter
	// Allowlist is an optional IP allowlist for the /exchange endpoint.
	// When non-nil, only IPs in the allowlist can access the endpoint.
	// The same client-IP derivation caveat as RateLimiter applies.
	Allowlist *allowlist.Allowlist
	// RBACMapper is an optional RBAC mapper for dynamic role assignment
	// based on OIDC claims. When non-nil, roles are determined dynamically
	// instead of using the static Roles field.
	RBACMapper *rbac.Mapper
	// Blocklist is an optional in-memory certificate revocation blocklist.
	// Certificates whose fingerprints are in the blocklist will not be issued.
	// Being in-memory, its contents do not survive a restart.
	Blocklist *admin.Blocklist
}
Config holds the configuration for the cert exchange server.
type ErrorResponse ¶
// ErrorResponse is the JSON error response.
type ErrorResponse struct {
	// Error is a human-readable description of the failure. It should not
	// echo token contents or other secrets back to the caller — NOTE(review):
	// confirm what the handlers place here.
	Error string `json:"error"`
}
ErrorResponse is the JSON error response.
type Server ¶
// Server is the cert exchange HTTP server. Its state is unexported; it is
// configured through Config.
type Server struct {
	// contains filtered or unexported fields
}
Server is the cert exchange HTTP server.