Documentation
Index
- func ApplyAttestation(log *slog.Logger, attest *provision.AgentAttestConfig, machineName string, ...) phases.Task
- func CleanupAttestArtifacts()
- func ConfigureNFTables(log *slog.Logger) phases.Task
- func ConfigureOS(log *slog.Logger) phases.Task
- func DisableDocker(log *slog.Logger) phases.Task
- func DisableSwap(log *slog.Logger) phases.Task
- func EnableDaemon(log *slog.Logger) phases.Task
- func InstallPackages(log *slog.Logger) phases.Task
- func TPMAttest(log *slog.Logger, attestURL, machineName string, result *AttestResult) phases.Task
- type AttestResult
Constants
This section is empty.
Variables
This section is empty.
Functions
func ApplyAttestation
func ApplyAttestation(log *slog.Logger, attest *provision.AgentAttestConfig, machineName string, goalState *goalstates.NodeStart) phases.Task
ApplyAttestation returns a task that performs TPM attestation when the provided config enables it. If attest is nil or its URL is empty, the task succeeds immediately without contacting the TPM or any server.
On successful attestation, the bootstrap token in goalState.Kubelet (and, if the server returned one, the cluster CA certificate) is replaced with the values obtained from the attestation server.
func CleanupAttestArtifacts
func CleanupAttestArtifacts()
CleanupAttestArtifacts is a no-op now that the attestation is performed entirely in Go. The TPM handles are cleaned up when the device file descriptor is closed, and no scripts or config files are written to disk.
func ConfigureNFTables
ConfigureNFTables returns a task that installs a oneshot systemd unit which flushes all nftables rules to a clean state before kubelet starts. This ensures stale rules (e.g. left behind by Docker) do not interfere with Kubernetes networking.
func ConfigureOS
ConfigureOS returns a task that writes host-level OS configuration (e.g. sysctl tunables) that must be in place before any nspawn machine starts so that kubelet inside the container sees the correct kernel parameter values.
func DisableDocker
DisableDocker returns a task that disables the Docker service and configures the Docker daemon with "iptables": false. This prevents Docker from manipulating iptables rules, which would conflict with Kubernetes networking.
func DisableSwap
DisableSwap returns a task that disables swap on the host. Kubernetes requires swap to be off so that the kubelet's memory management and pod QoS guarantees work correctly. The task runs swapoff -a and comments out any swap entries in /etc/fstab so swap stays disabled across reboots.
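As an added example (not code from the unbounded-agent project), the fstab step described above in Go: the third whitespace-separated field of an fstab line is the filesystem type, so only lines whose type is swap are commented out, while comments, blank lines and other mounts are left untouched; the host wrapper runs swapoff -a and then rewrites the file via a temp file and rename. The function names are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"os/exec"
	"strings"
)

// commentOutSwapEntries comments out active swap entries in fstab content; returns new content and count disabled.
func commentOutSwapEntries(fstab string) (string, int) {
	lines := strings.Split(fstab, "\n")
	disabled := 0
	for i, line := range lines {
		f := strings.Fields(line)
		// Skip blanks, comments and non-swap mounts; the third field is the fs type.
		if len(f) < 3 || f[2] != "swap" || strings.HasPrefix(f[0], "#") {
			continue
		}
		lines[i] = "# " + line // keep the original recoverable for the operator
		disabled++
	}
	return strings.Join(lines, "\n"), disabled
}

// disableSwapOnHost mirrors DisableSwap: swapoff -a now, then persist via temp file + rename (crash-safe).
func disableSwapOnHost(fstabPath string) error {
	if out, err := exec.Command("swapoff", "-a").CombinedOutput(); err != nil {
		return fmt.Errorf("swapoff -a: %w: %s", err, out)
	}
	data, err := os.ReadFile(fstabPath)
	if err != nil {
		return err
	}
	updated, n := commentOutSwapEntries(string(data))
	if n == 0 {
		return nil // nothing to persist; avoid rewriting fstab needlessly
	}
	if err := os.WriteFile(fstabPath+".tmp", []byte(updated), 0o644); err != nil {
		return err
	}
	return os.Rename(fstabPath+".tmp", fstabPath)
}

func main() {
	if err := disableSwapOnHost("/etc/fstab"); err != nil {
		log.Fatal(err)
	}
}
```

A second run over an already-rewritten fstab disables nothing, so the task can be re-applied safely on every boot.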
func EnableDaemon
EnableDaemon returns a task that installs, enables, and starts the unbounded-agent-daemon systemd unit on the host. The unit runs "unbounded-agent daemon" which watches the Machine CR for this node and reconciles the local state to match.
func InstallPackages
InstallPackages returns a task that installs the required OS packages on the host.
TODO: support package managers beyond apt (e.g. dnf, zypper) for non-Debian distros.
func TPMAttest
TPMAttest returns a task that performs TPM attestation against a metalman serve-pxe instance to obtain a bootstrap token. The attestation uses the google/go-tpm library to interact with the TPM device directly via /dev/tpmrm0, eliminating the need for tpm2-tools or Python.
The result pointer is populated on success so that subsequent phases can use the retrieved token.
Types
type AttestResult
type AttestResult struct {
	// Token is the bootstrap token obtained from the attestation server.
	Token string
	// CACert is the PEM-encoded cluster CA certificate returned by the
	// server. May be empty if the server did not include it.
	CACert string
}
AttestResult holds the output of a successful TPM attestation.