Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyAttestation ¶
func ApplyAttestation(log *slog.Logger, attest *provision.AgentAttestConfig, machineName string, goalState *goalstates.NodeStart) phases.Task
ApplyAttestation returns a task that performs TPM attestation when the provided config enables it. If attest is nil or its URL is empty, the task succeeds immediately without contacting the TPM or any server.
On successful attestation the bootstrap token (and, if present, the cluster CA certificate) in goalState.Kubelet are replaced with the values obtained from the attestation server.
func CleanupAttestArtifacts ¶
func CleanupAttestArtifacts()
CleanupAttestArtifacts is a no-op now that the attestation is performed entirely in Go. The TPM handles are cleaned up when the device file descriptor is closed, and no scripts or config files are written to disk.
func TPMAttest ¶
TPMAttest returns a task that performs TPM attestation against a metalman serve-pxe instance to obtain a bootstrap token. The attestation uses the google/go-tpm library to interact with the TPM device directly via /dev/tpmrm0, eliminating the need for tpm2-tools or Python.
The result pointer is populated on success so that subsequent phases can use the retrieved token.
Types ¶
type AttestResult ¶
type AttestResult struct {
// Token is the bootstrap token obtained from the attestation server.
Token string
// CACert is the PEM-encoded cluster CA certificate returned by the
// server. May be empty if the server did not include it.
CACert string
}
AttestResult holds the output of a successful TPM attestation.
Source Files