Documentation
¶
Index ¶
Constants ¶
View Source
const ( BootstrapSAName = "metalman-bootstrap" BootstrapSANamespace = "unbounded-kube" )
Variables ¶
This section is empty.
Functions ¶
func ClusterCAFromConfig ¶
ClusterCAFromConfig extracts the cluster CA certificate from a rest.Config.
Types ¶
type AttestRequest ¶
type AttestResponse ¶
type AttestResponse struct {
CredentialBlob []byte `json:"credentialBlob"` // MakeCredential output: HMAC + encrypted credential
EncryptedSecret []byte `json:"encryptedSecret"` // RSA-OAEP encrypted seed
EncryptedToken []byte `json:"encryptedToken"` // AES-256-GCM encrypted bootstrap token
GCMNonce []byte `json:"gcmNonce"` // AES-GCM nonce
ClusterCA string `json:"clusterCA,omitempty"` // PEM-encoded CA certificate
}
type Handler ¶
type Handler struct {
Clientset kubernetes.Interface
ClusterCA []byte // PEM-encoded cluster CA certificate
LookupNodeByIP func(ctx context.Context, ip string) (*v1alpha3.Machine, error)
StatusUpdater StatusUpdater
}
func (*Handler) Attest ¶
func (h *Handler) Attest(w http.ResponseWriter, r *http.Request)
Attest handles the single-round-trip TPM attestation flow. The node sends its EK and SRK public keys. The server wraps a random AES-256 key via CreateCredential (bound to the EK and SRK), encrypts a bootstrap token with that key, and returns both. Only the node with the matching TPM can recover the AES key and decrypt the token.
Click to show internal directories.
Click to hide internal directories.