Documentation
Index
Constants
This section is empty.
Variables
var ErrAlreadyExists = errors.New("node already exists")
var ErrNotThisVerifier = errors.New("token not valid for this verifier")
ErrNotThisVerifier is returned when a verifier receives a token that is not intended for it.
Functions
func BuildChallengeServerCertificate added in v1.27.0
func BuildChallengeServerCertificate(clusterName string) (*tls.Certificate, error)
Types
type Authenticator
Authenticator generates authentication credentials for requests.
type ChainVerifier added in v1.29.0
type ChainVerifier struct {
// contains filtered or unexported fields
}
ChainVerifier wraps multiple Verifiers; the first positive verification from any Verifier will be returned.
func (*ChainVerifier) VerifyToken added in v1.29.0
func (v *ChainVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
VerifyToken will return the first positive verification from any Verifier in the chain.
type ChallengeClient added in v1.27.0
type ChallengeClient struct {
// contains filtered or unexported fields
}
func NewChallengeClient added in v1.27.0
func NewChallengeClient(keystore pki.Keystore) (*ChallengeClient, error)
func (*ChallengeClient) DoCallbackChallenge added in v1.27.0
func (c *ChallengeClient) DoCallbackChallenge(ctx context.Context, clusterName string, targetEndpoint string, bootstrapRequest *nodeup.BootstrapRequest) error
type ChallengeListener added in v1.27.0
type ChallengeListener struct {
// contains filtered or unexported fields
}
func (*ChallengeListener) CreateChallenge added in v1.27.0
func (s *ChallengeListener) CreateChallenge() *nodeup.ChallengeRequest
func (*ChallengeListener) Endpoint added in v1.27.0
func (s *ChallengeListener) Endpoint() string
func (*ChallengeListener) Stop added in v1.27.0
func (s *ChallengeListener) Stop()
type ChallengeServer added in v1.27.0
type ChallengeServer struct {
RequiredSubject pkix.Name
pb.UnimplementedCallbackServiceServer
// contains filtered or unexported fields
}
func NewChallengeServer added in v1.27.0
func NewChallengeServer(clusterName string, caBundle []byte) (*ChallengeServer, error)
func (*ChallengeServer) Challenge added in v1.27.0
func (s *ChallengeServer) Challenge(ctx context.Context, req *pb.ChallengeRequest) (*pb.ChallengeResponse, error)
Answers challenges to cross-check bootstrap requests.
func (*ChallengeServer) NewListener added in v1.27.0
func (s *ChallengeServer) NewListener(ctx context.Context, listen string) (*ChallengeListener, error)
type Verifier
type Verifier interface {
// VerifyToken performs full validation of the provided token, often making cloud API calls to verify the caller.
// It should return either an error or a validated VerifyResult.
// If the token looks like it is intended for a different verifier
// (for example, it has the wrong prefix), the implementation should return ErrNotThisVerifier.
VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}
Verifier verifies authentication credentials for requests.
func NewChainVerifier added in v1.29.0
NewChainVerifier creates a new Verifier that will return the first positive verification from the provided Verifiers.
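The two contracts documented above, the Verifier's use of ErrNotThisVerifier and the ChainVerifier's "first positive verification wins", are easiest to see together. The following is an added example, not code from kops: it mirrors the VerifyToken signature and VerifyResult fields from this page, but the prefix-based stand-in verifiers, the "cloudA:"/"cloudB:" token formats, the allow-list, the endpoint values and the exact chaining semantics (skip on ErrNotThisVerifier, stop on any other error, return ErrNotThisVerifier when nobody claims the token) are assumptions made for the illustration. The point it demonstrates is that once a verifier recognises a token as its own, a failed check must be a hard rejection rather than ErrNotThisVerifier, otherwise the chain would fall through to the next verifier.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNotThisVerifier mirrors the sentinel documented on this page: a verifier
// returns it only when the token is addressed to some other verifier.
var ErrNotThisVerifier = errors.New("token not valid for this verifier")

// VerifyResult mirrors the fields documented on this page.
type VerifyResult struct {
	NodeName          string
	InstanceGroupName string
	CertificateNames  []string
	ChallengeEndpoint string
}

// Verifier has the same method signature as the interface documented on this page.
type Verifier interface {
	VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error)
}

// prefixVerifier is a constructed stand-in for a cloud-specific verifier. It
// owns every token carrying its prefix and checks the remainder against a
// constructed allow-list instead of calling a cloud API.
type prefixVerifier struct {
	prefix string
	nodes  map[string]VerifyResult // constructed: token remainder -> node identity
}

func (p *prefixVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error) {
	if !strings.HasPrefix(token, p.prefix) {
		// Wrong prefix: the token belongs to another verifier, let the chain move on.
		return nil, ErrNotThisVerifier
	}
	// The token is ours. Any failure from here on is a hard rejection, never
	// ErrNotThisVerifier, so the chain cannot fall through to a more permissive verifier.
	res, ok := p.nodes[strings.TrimPrefix(token, p.prefix)]
	if !ok {
		return nil, fmt.Errorf("verifier %q: token rejected", p.prefix)
	}
	r := res // copy so callers cannot mutate the allow-list entry
	return &r, nil
}

// ChainVerifier chains Verifiers with assumed semantics (not kops's own code):
// the first positive verification wins, ErrNotThisVerifier moves to the next
// verifier, and any other error stops the chain immediately.
type ChainVerifier struct {
	verifiers []Verifier
}

func NewChainVerifier(verifiers ...Verifier) *ChainVerifier {
	return &ChainVerifier{verifiers: verifiers}
}

func (c *ChainVerifier) VerifyToken(ctx context.Context, rawRequest *http.Request, token string, body []byte) (*VerifyResult, error) {
	for _, v := range c.verifiers {
		result, err := v.VerifyToken(ctx, rawRequest, token, body)
		if errors.Is(err, ErrNotThisVerifier) {
			continue
		}
		if err != nil {
			return nil, err
		}
		return result, nil
	}
	// No verifier claimed the token: surface the sentinel so the caller can tell
	// "unrecognised token format" apart from "token recognised but rejected".
	return nil, ErrNotThisVerifier
}

// newDemoChain builds a chain of two constructed verifiers with hypothetical
// prefixes "cloudA:" and "cloudB:" (neither is a real kops token format).
func newDemoChain() *ChainVerifier {
	a := &prefixVerifier{prefix: "cloudA:", nodes: map[string]VerifyResult{
		"i-0a1b2c": {NodeName: "node-a1", InstanceGroupName: "nodes-a", ChallengeEndpoint: "10.0.1.10:8443"}, // constructed
	}}
	b := &prefixVerifier{prefix: "cloudB:", nodes: map[string]VerifyResult{
		"vm-77": {NodeName: "node-b1", InstanceGroupName: "nodes-b", ChallengeEndpoint: "10.0.2.20:8443"}, // constructed
	}}
	return NewChainVerifier(a, b)
}

func main() {
	chain := newDemoChain()
	for _, tok := range []string{"cloudA:i-0a1b2c", "cloudB:vm-77", "cloudA:i-unknown", "cloudC:anything"} {
		res, err := chain.VerifyToken(context.Background(), &http.Request{}, tok, nil)
		if err != nil {
			fmt.Printf("%-18s -> rejected: %v\n", tok, err)
			continue
		}
		fmt.Printf("%-18s -> node %s (group %s, challenge %s)\n", tok, res.NodeName, res.InstanceGroupName, res.ChallengeEndpoint)
	}
}
```

Running it shows the four outcomes a caller has to distinguish: a token accepted by the first verifier, one accepted by the second, one recognised by the first verifier but rejected (the chain stops, the second verifier is never consulted), and one with a prefix no verifier owns, which comes back as ErrNotThisVerifier. Ordering verifiers from most to least specific prefix keeps the "wrong prefix" checks cheap and avoids one verifier accidentally claiming another's token format.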
type VerifyResult
type VerifyResult struct {
// NodeName is the name that this node is authorized to use.
NodeName string
// InstanceGroupName is the name of the kops InstanceGroup this node is a member of.
InstanceGroupName string
// CertificateNames lists the alternate names the node is authorized to use for certificates.
CertificateNames []string
// ChallengeEndpoint is a valid endpoint to which we should issue a challenge request,
// corresponding to the node the request identified as.
// This should be sourced from e.g. the cloud, and acts as a cross-check
// that this is the correct instance.
ChallengeEndpoint string
}
VerifyResult is the result of a successfully verified request.
Source Files