edgeonboarding

package
v1.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 20, 2026 License: Apache-2.0 Imports: 26 Imported by: 0

README

Edge Onboarding Library

This package provides a common onboarding library for ServiceRadar edge services (gateways, agents, checkers) to automatically bootstrap themselves using an onboarding token.

Overview

The edge onboarding library eliminates the need for manual shell scripts and configuration by providing a single, simple Bootstrap() call that handles the entire onboarding process.

Design Philosophy
  • KV (datasvc) is the source of truth - All dynamic configuration comes from KV, not ConfigMaps
  • Sticky bootstrap configs - Only KV/Core addresses are in static config (chicken/egg problem)
  • Deployment-aware - Automatically detects Docker, Kubernetes, or bare-metal and uses appropriate addresses
  • Component-specific - Gateways get nested SPIRE server, agents/checkers use workload API
  • Self-contained - Services only need an onboarding token to start

Usage

Basic Example
package main

import (
	"context"
	"log"

	"github.com/carverauto/serviceradar/pkg/edgeonboarding"
	"github.com/carverauto/serviceradar/pkg/models"
)

func main() {
	// Create bootstrapper with minimal config
	b, err := edgeonboarding.NewBootstrapper(&edgeonboarding.Config{
		Token:      "your-onboarding-token-here",
		KVEndpoint: "23.138.124.23:50057", // Bootstrap config
		ServiceType: models.EdgeOnboardingComponentTypeGateway,
	})
	if err != nil {
		log.Fatal(err)
	}

	// Run onboarding
	ctx := context.Background()
	if err := b.Bootstrap(ctx); err != nil {
		log.Fatal(err)
	}

	// Get generated configs
	gatewayConfig, _ := b.GetConfig("gateway.json")
	spireConfig, _ := b.GetConfig("spire-server.conf")

	log.Printf("SPIFFE ID: %s", b.GetSPIFFEID())
	log.Printf("Onboarding complete!")
}
Docker Deployment Example
# Just set the onboarding token - everything else is automatic
docker run \
  -e ONBOARDING_TOKEN=abc123xyz456 \
  -e KV_ENDPOINT=23.138.124.23:50057 \
  ghcr.io/carverauto/serviceradar-agent-gateway:latest

Architecture

Onboarding Flow

  1. Deployment Detection

    • Auto-detects: Docker, Kubernetes, or bare-metal
    • Determines appropriate addresses (LoadBalancer IPs for Docker, DNS for k8s)

  2. Package Download

    • Downloads onboarding package from Core using token
    • Validates package contents and status
    • Extracts decrypted SPIRE credentials

  3. SPIRE Configuration

    • Gateways: Set up nested SPIRE server with upstream attestation
    • Agents: Configure workload API access to gateway's SPIRE
    • Checkers: Configure workload API access

  4. Service Configuration

    • Generates component-specific config based on deployment type
    • Merges metadata from package (contains KV-sourced config)
    • Creates all required configuration files

  5. Registration

    • Service automatically registers when it first connects
    • Core detects activation via SPIFFE ID in status reports
Component Types
Gateway
  • Runs nested SPIRE server that attests to upstream (k8s) SPIRE
  • Provides workload API for co-located agent
  • Connects to Core and reports status
  • Configuration includes: Core address, KV address, agent address, SPIRE config
Agent
  • Uses workload API from parent gateway's nested SPIRE
  • Shares network namespace with gateway (in Docker)
  • Connects to KV to fetch checker configs
  • Configuration includes: KV address, parent gateway ID, workload API socket
Checker
  • Uses workload API from parent agent
  • Minimal configuration
  • Configuration includes: Checker kind, parent agent ID, checker-specific config
Deployment Types
Docker
  • Detection: Checks for /.dockerenv or docker in cgroups
  • Addresses: Uses LoadBalancer IPs (can't resolve k8s DNS)
  • SPIRE: Nested server for gateways, shared workload API for agents
  • Network: Agent shares network namespace with gateway (network_mode: "service:agent-gateway")
Kubernetes
  • Detection: Checks for KUBERNETES_SERVICE_HOST or service account token
  • Addresses: Uses service DNS names
  • SPIRE: Uses k8s SPIRE controller and CRDs (automatic enrollment)
  • Note: k8s deployments typically don't use this library - SPIFFE controller handles it
Bare Metal
  • Detection: Default when not Docker or k8s
  • Addresses: Uses configured addresses from package
  • SPIRE: Same as Docker (nested server for gateways)
  • Network: Standard networking

Configuration

Config Struct
type Config struct {
	// Required
	Token      string                              // Onboarding token
	KVEndpoint string                              // KV (datasvc) address

	// Optional
	ServiceType     models.EdgeOnboardingComponentType // Auto-detected from package if not set
	ServiceID       string                              // Readable name override
	StoragePath     string                              // Default: /var/lib/serviceradar
	DeploymentType  DeploymentType                      // Auto-detected if not set
	CoreEndpoint    string                              // Auto-discovered from package
	Logger          logger.Logger                       // Default logger created if nil
}
Sticky vs Dynamic Config

Sticky (Bootstrap Config - Static File):

  • KV endpoint address
  • Core endpoint address (if not in package metadata)
  • Storage path

Dynamic (From KV - Fetched at Runtime):

  • Checker configurations
  • Known gateways list
  • Service-specific settings
  • Feature flags
Environment Variables

Services can use these environment variables:

# Required
ONBOARDING_TOKEN=<token>      # From edge package
KV_ENDPOINT=<host:port>        # Bootstrap config

# Optional
STORAGE_PATH=/var/lib/serviceradar
DEPLOYMENT_TYPE=docker         # docker, kubernetes, bare-metal
SERVICE_ID=my-gateway-1         # Override component ID

Generated Configurations

The bootstrapper generates these configuration files/data:

All Components
  • spire-workload-api-socket - Path to workload API socket
Gateways
  • gateway.json - Gateway service configuration
  • spire-server.conf - Nested SPIRE server config
  • spire-agent.conf - Nested SPIRE agent config
  • SPIRE trust bundle (upstream-bundle.pem)
  • SPIRE join token (upstream-join-token)
Agents
  • agent.json - Agent service configuration
  • Workload API socket path
Checkers
  • checker.json - Checker service configuration
  • Checker-specific config from package

API Reference

NewBootstrapper
func NewBootstrapper(cfg *Config) (*Bootstrapper, error)

Creates a new bootstrapper instance. Validates configuration and sets defaults.

Bootstrap
func (b *Bootstrapper) Bootstrap(ctx context.Context) error

Executes the complete onboarding process. Returns error if any step fails.

GetConfig
func (b *Bootstrapper) GetConfig(key string) ([]byte, bool)

Retrieves a specific generated configuration file by key.

GetAllConfigs
func (b *Bootstrapper) GetAllConfigs() map[string][]byte

Returns all generated configuration files.

GetSPIFFEID
func (b *Bootstrapper) GetSPIFFEID() string

Returns the assigned SPIFFE ID for this service.

Rotate
func Rotate(ctx context.Context, storagePath string, log logger.Logger) error

Handles SPIRE credential rotation. Should be called periodically (e.g., via cron).

Implementation Status

Completed ✅
  • Package structure and interfaces
  • Deployment type detection
  • SPIRE configuration (structure)
  • Service config generation
  • Component-specific logic (gateway, agent, checker)
TODO 🔴
  • Actual API calls to Core for package download
  • Complete SPIRE HCL config generation
  • Credential rotation implementation
  • Integration tests
  • Service integration (gateway, agent, checker binaries)

Example Integration

In Gateway Service
package main

import (
	"context"
	"os"

	"github.com/carverauto/serviceradar/pkg/edgeonboarding"
	"github.com/carverauto/serviceradar/pkg/models"
)

func main() {
	token := os.Getenv("ONBOARDING_TOKEN")
	kvEndpoint := os.Getenv("KV_ENDPOINT")

	if token != "" {
		// Edge deployment - use onboarding
		b, err := edgeonboarding.NewBootstrapper(&edgeonboarding.Config{
			Token:       token,
			KVEndpoint:  kvEndpoint,
			ServiceType: models.EdgeOnboardingComponentTypeGateway,
		})
		if err != nil {
			log.Fatal(err)
		}

		if err := b.Bootstrap(context.Background()); err != nil {
			log.Fatal(err)
		}

		// Use generated configs to start gateway
		startGatewayWithConfig(b.GetAllConfigs())
	} else {
		// k8s deployment - use traditional config
		startGatewayWithStaticConfig()
	}
}

Testing

Unit Tests
go test ./pkg/edgeonboarding/...
E2E Tests
# Create test package
./scripts/create-test-package.sh

# Run onboarding
go run ./cmd/test-onboarding/ --token <token>
  • Server-side: pkg/core/edge_onboarding.go - Core service that creates packages
  • Models: pkg/models/edge_onboarding.go - Shared data models
  • Database: pkg/db/edge_onboarding.go - Database operations
  • Issues: GitHub #1915, bd serviceradar-57

Migration

For existing edge deployments using shell scripts:

  1. Update to latest serviceradar version with onboarding library
  2. Create onboarding package via UI or CLI
  3. Set ONBOARDING_TOKEN and KV_ENDPOINT environment variables
  4. Remove all shell scripts (setup-edge-e2e.sh, etc.)
  5. Start service - onboarding happens automatically

Support

For issues or questions:

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrBundleDownloadFailed = errors.New("bundle download failed")
	ErrConfigAlreadyExists  = errors.New("config already exists")
	ErrCertsAlreadyExist    = errors.New("certs already exist")
	ErrBundleMissingConfig  = errors.New("bundle missing config.json")
	ErrBundleMissingCerts   = errors.New("bundle missing certificate files")
	ErrCoreAPIHostRequired  = errors.New("core API host is required")
)
View Source 
var (
	// ErrConfigRequired is returned when no config is provided.
	ErrConfigRequired = errors.New("config is required")
	// ErrTokenRequired is returned when no onboarding token is provided.
	ErrTokenRequired = errors.New("onboarding token is required")
	// ErrTokenOrPackageRequired is returned when neither token nor package path are provided.
	ErrTokenOrPackageRequired = errors.New("onboarding token or package archive is required")
	// ErrCredentialRotationNotImplemented is returned when credential rotation is attempted.
	ErrCredentialRotationNotImplemented = errors.New("not implemented: credential rotation")
	// ErrRotationInfoNotImplemented is returned when rotation info is requested.
	ErrRotationInfoNotImplemented = errors.New("not implemented: rotation info")
)
View Source 
var (
	ErrCollectorTokenInvalid         = errors.New("collector token is invalid")
	ErrCollectorTokenExpired         = errors.New("collector token is expired")
	ErrCollectorBundleDownloadFailed = errors.New("collector bundle download failed")
	ErrCollectorBundleIncomplete     = errors.New("collector bundle is incomplete")
	ErrCollectorConfigExists         = errors.New("collector config already exists")
	ErrCollectorCertsExist           = errors.New("collector certs already exist")
	ErrCollectorCredsExist           = errors.New("collector creds already exist")
)
View Source 
var (
	// ErrUnsupportedComponentType is returned when an unknown component type is encountered.
	ErrUnsupportedComponentType = errors.New("unsupported component type")
	// ErrCoreAddressNotFound is returned when core_address is missing from metadata.
	ErrCoreAddressNotFound = errors.New("core_address not found in metadata")
	// ErrCoreSPIFFEIDNotFound is returned when core_spiffe_id is missing from metadata.
	ErrCoreSPIFFEIDNotFound = errors.New("core_spiffe_id not found in metadata")
	// ErrSPIREUpstreamAddressNotFound is returned when spire_upstream_address is missing from metadata.
	ErrSPIREUpstreamAddressNotFound = errors.New("spire_upstream_address not found in metadata")
	// ErrSPIREParentIDNotFound is returned when spire_parent_id is missing from metadata.
	ErrSPIREParentIDNotFound = errors.New("spire_parent_id not found in metadata")
	// ErrAgentSPIFFEIDNotFound is returned when agent_spiffe_id is missing from metadata.
	ErrAgentSPIFFEIDNotFound = errors.New("agent_spiffe_id not found in metadata")
	// ErrSPIREUpstreamPortNotFound is returned when spire_upstream_port is missing from metadata.
	ErrSPIREUpstreamPortNotFound = errors.New("spire_upstream_port not found in metadata")
	// ErrGatewayIDNotFound is returned when gateway_id is missing from metadata.
	ErrGatewayIDNotFound = errors.New("gateway_id not found in metadata")
	// ErrKVAddressNotFound is returned when kv_address is missing from metadata.
	ErrKVAddressNotFound = errors.New("kv_address not found in metadata")
	// ErrKVSPIFFEIDNotFound is returned when kv_spiffe_id is missing from metadata.
	ErrKVSPIFFEIDNotFound = errors.New("kv_spiffe_id not found in metadata")
	// ErrAgentIDNotFound is returned when agent_id is missing from metadata.
	ErrAgentIDNotFound = errors.New("agent_id not found in metadata")
	// ErrGatewayAddrRequired is returned when gateway_addr is missing for agent/sync bootstrap config.
	ErrGatewayAddrRequired = errors.New("gateway_addr is required to generate bootstrap config")
)
View Source 
var (
	// ErrPackageNotDownloaded is returned when package validation is attempted before download.
	ErrPackageNotDownloaded = errors.New("package not downloaded")
	// ErrDownloadResultNotAvailable is returned when download result is missing.
	ErrDownloadResultNotAvailable = errors.New("download result not available")
	// ErrPackageIDEmpty is returned when package_id is empty.
	ErrPackageIDEmpty = errors.New("package_id is empty")
	// ErrComponentIDEmpty is returned when component_id is empty.
	ErrComponentIDEmpty = errors.New("component_id is empty")
	// ErrComponentTypeNotSet is returned when component_type is not set.
	ErrComponentTypeNotSet = errors.New("component_type is not set")
	// ErrDownstreamSPIFFEIDEmpty is returned when downstream_spiffe_id is empty.
	ErrDownstreamSPIFFEIDEmpty = errors.New("downstream_spiffe_id is empty")
	// ErrJoinTokenEmpty is returned when join token is empty.
	ErrJoinTokenEmpty = errors.New("join token is empty")
	// ErrBundlePEMEmpty is returned when bundle PEM is empty.
	ErrBundlePEMEmpty = errors.New("bundle PEM is empty")
	// ErrDownloadTokenEmpty is returned when the download token segment is missing.
	ErrDownloadTokenEmpty = errors.New("download token is empty")
	// ErrCoreAPIURLRequired is returned when the Core API URL cannot be determined.
	ErrCoreAPIURLRequired = errors.New("core API URL is required")
	// ErrPackageRevoked is returned when package has been revoked.
	ErrPackageRevoked = errors.New("package has been revoked")
	// ErrPackageExpired is returned when package has expired.
	ErrPackageExpired = errors.New("package has expired")
	// ErrPackageDeleted is returned when package has been deleted.
	ErrPackageDeleted = errors.New("package has been deleted")
	// ErrPackageNotDelivered is returned when package is still in issued state.
	ErrPackageNotDelivered = errors.New("package has not been delivered yet")
	// ErrPackageArchiveMissingMetadata is returned when metadata.json is missing from archived package.
	ErrPackageArchiveMissingMetadata = errors.New("package archive missing metadata.json")
	// ErrPackageArchiveMissingJoinToken is returned when the archive is missing the join token.
	ErrPackageArchiveMissingJoinToken = errors.New("package archive missing SPIRE join token")
	// ErrPackageArchiveMissingBundle is returned when the archive is missing the SPIRE trust bundle.
	ErrPackageArchiveMissingBundle = errors.New("package archive missing SPIRE trust bundle")
	// ErrPackageArchiveInvalid is returned when the archive is malformed.
	ErrPackageArchiveInvalid = errors.New("package archive invalid")
	// ErrCoreDeliverEndpoint indicates the Core deliver endpoint returned an error.
	ErrCoreDeliverEndpoint = errors.New("core deliver endpoint error")
	// ErrCoreAPIURLMissingHost indicates the base URL lacks a host.
	ErrCoreAPIURLMissingHost = errors.New("core api url missing host")
)
View Source 
var (
	// ErrOperatorJWTRequired is returned when no operator JWT is provided for config generation.
	ErrOperatorJWTRequired = errors.New("operator JWT is required")
	// ErrSystemAccountPublicKeyRequired is returned when no system account public key is provided.
	ErrSystemAccountPublicKeyRequired = errors.New("system account public key is required")
)
View Source 
var (
	// ErrSPIREAddressResolutionNotImplemented is returned when SPIRE address resolution is attempted.
	ErrSPIREAddressResolutionNotImplemented = errors.New("not implemented: SPIRE address resolution")
)

Functions

func BuildHTTPClient added in v1.0.85 

func BuildHTTPClient(caFile string, insecure bool) (*http.Client, error)

BuildHTTPClient returns a client configured for optional TLS overrides.

func EncodeToken 

func EncodeToken(packageID, downloadToken, coreAPIURL string) (string, error)

EncodeToken builds an edgepkg-v1 token that embeds the package id, download token, and optional Core API base URL so bootstrap clients only need ONBOARDING_TOKEN.

func EnrollAgentFromToken added in v1.0.85 

func EnrollAgentFromToken(ctx context.Context, opts EnrollOptions) error

EnrollAgentFromToken downloads an edge onboarding bundle and writes agent config + certs.

func EnrollCollectorFromToken added in v1.0.85 

func EnrollCollectorFromToken(ctx context.Context, opts CollectorEnrollOptions) error

EnrollCollectorFromToken downloads a collector bundle and installs config/creds/certs.

func GenerateCollectorPermissions added in v1.0.79 

func GenerateCollectorPermissions(namespace, collectorType string) (publishAllow, subscribeAllow []string)

GenerateCollectorPermissions returns NATS permissions for a specific collector type.

func GenerateNATSConfig added in v1.0.79 

func GenerateNATSConfig(cfg *NATSServerConfig) ([]byte, error)

GenerateNATSConfig generates a nats-server configuration file.

func Rotate 

func Rotate(ctx context.Context, storagePath string, log logger.Logger) error

Rotate handles SPIRE credential rotation. This should be called periodically (e.g., via cron or goroutine).

Types

type Bootstrapper 

type Bootstrapper struct {
	// contains filtered or unexported fields
}

Bootstrapper handles the complete onboarding flow for edge services.

func NewBootstrapper 

func NewBootstrapper(cfg *Config) (*Bootstrapper, error)

NewBootstrapper creates a new bootstrapper instance.

For SaaS mode, only GatewayEndpoint is required - agents receive all configuration dynamically via GetConfig after connecting. For legacy/on-prem mode, KVEndpoint may still be used.

func (*Bootstrapper) Bootstrap 

func (b *Bootstrapper) Bootstrap(ctx context.Context) error

Bootstrap executes the complete onboarding process. Steps: 1. Download package from Core using token 2. Validate and extract package contents 3. Configure SPIRE (nested server for gateway, workload API for others) 4. Auto-register with Core via database (update edge_packages table) 5. Generate service config based on deployment type 6. Set up credential rotation 7. Return ready-to-use config

func (*Bootstrapper) GetAllConfigs 

func (b *Bootstrapper) GetAllConfigs() map[string][]byte

GetAllConfigs returns all generated configuration files.

func (*Bootstrapper) GetConfig 

func (b *Bootstrapper) GetConfig(key string) ([]byte, bool)

GetConfig returns the generated configuration for a specific file/key.

func (*Bootstrapper) GetCoreEndpoint 

func (b *Bootstrapper) GetCoreEndpoint() string

GetCoreEndpoint returns the Core service endpoint (legacy/on-prem use).

func (*Bootstrapper) GetGatewayEndpoint added in v1.0.79 

func (b *Bootstrapper) GetGatewayEndpoint() string

GetGatewayEndpoint returns the Gateway service endpoint (primary for SaaS mode).

func (*Bootstrapper) GetJoinToken 

func (b *Bootstrapper) GetJoinToken() string

GetJoinToken returns the SPIRE join token (only available before SPIRE is configured).

func (*Bootstrapper) GetKVEndpoint 

func (b *Bootstrapper) GetKVEndpoint() string

GetKVEndpoint returns the KV service endpoint (legacy/on-prem use). In SaaS mode, agents receive config from gateway via GetConfig instead.

func (*Bootstrapper) GetPackage 

func (b *Bootstrapper) GetPackage() *models.EdgeOnboardingPackage

GetPackage returns the downloaded package information.

func (*Bootstrapper) GetSPIFFEID 

func (b *Bootstrapper) GetSPIFFEID() string

GetSPIFFEID returns the assigned SPIFFE ID for this service.

type CollectorCredsConfig added in v1.0.79 

type CollectorCredsConfig struct {
	// Namespace is the namespace for subject prefixing
	Namespace string

	// CollectorType is the type of collector (flowgger, trapd, netflow, otel)
	CollectorType string

	// UserName is the NATS user name
	UserName string

	// CredsContent is the .creds file content
	CredsContent string

	// ConfigContent is the collector-specific configuration
	ConfigContent string
}

CollectorCredsConfig contains parameters for generating collector NATS credentials.

type CollectorEnrollOptions added in v1.0.85 

type CollectorEnrollOptions struct {
	Token         string
	BaseURL       string
	ConfigDir     string
	ConfigFile    string
	CertsDir      string
	CredsDir      string
	HTTPClient    *http.Client
	Logf          func(string, ...interface{})
	SkipOverwrite bool
}

CollectorEnrollOptions controls collector enrollment.

type Config 

type Config struct {
	// Token is the onboarding/download token from the package
	Token string

	// GatewayEndpoint is the agent-gateway gRPC endpoint (required for SaaS mode)
	// Format: "host:port" e.g., "agent-gateway:50052"
	// This is the only required endpoint - all config is delivered via GetConfig.
	GatewayEndpoint string

	// CoreEndpoint is the Core service gRPC endpoint (optional: legacy/on-prem use)
	// Format: "host:port" e.g., "23.138.124.18:50052"
	CoreEndpoint string

	// KVEndpoint is the KV service (datasvc) gRPC endpoint (optional: legacy/on-prem use)
	// In SaaS mode, agents get configuration from gateway via GetConfig.
	// Format: "host:port" e.g., "23.138.124.23:50057"
	KVEndpoint string

	// CoreAPIURL is the HTTP(S) endpoint for the Core API (e.g., https://serviceradar.local)
	// If empty, the token payload or environment variables may provide it.
	CoreAPIURL string

	// PackagePath points to a pre-downloaded onboarding archive (tar.gz) for offline installs.
	// When set, Token/CoreAPIURL are optional and the archive is used instead of contacting Core.
	PackagePath string

	// PackageID optionally overrides the package identifier when the token format does not embed it.
	PackageID string

	// ServiceType identifies what type of service is being onboarded
	ServiceType models.EdgeOnboardingComponentType

	// ServiceID is an optional readable name override for the service
	// If not provided, will use the component_id from the package
	ServiceID string

	// StoragePath is where to persist configuration and credentials
	// Default: "/var/lib/serviceradar" or "./data" for non-root
	StoragePath string

	// DeploymentType specifies the deployment environment
	// Values: "docker", "kubernetes", "bare-metal"
	// If empty, will auto-detect
	DeploymentType DeploymentType

	// HTTPClient allows callers to override the HTTP client used for Core API requests.
	HTTPClient *http.Client

	// Logger is optional; if nil, a default logger will be created
	Logger logger.Logger
}

Config contains all parameters needed for edge service onboarding. This is the client-side configuration for edge services (gateway, agent, checker; sync uses agent bootstrap config) to bootstrap themselves from an onboarding token.

## Minimal Bootstrap Configuration

Per the SaaS connectivity spec, the on-disk bootstrap config only needs: - GatewayEndpoint: Where to connect - mTLS credentials: For authentication

All monitoring configuration (checks, schedules, etc.) is delivered dynamically via GetConfig after the agent connects to the gateway.

type DeploymentType 

type DeploymentType string

DeploymentType represents the environment where the service is running. 

const (
	DeploymentTypeDocker     DeploymentType = "docker"
	DeploymentTypeKubernetes DeploymentType = "kubernetes"
	DeploymentTypeBareMetal  DeploymentType = "bare-metal"
)

type EnrollOptions added in v1.0.85 

type EnrollOptions struct {
	Token         string
	CoreHost      string
	HostIP        string
	ConfigPath    string
	CertDir       string
	HTTPClient    *http.Client
	Logf          func(string, ...interface{})
	Errorf        func(string, ...interface{})
	SkipOverwrite bool
}

EnrollOptions controls the agent enrollment workflow.

type NATSBootstrapFiles added in v1.0.79 

type NATSBootstrapFiles struct {
	// ConfigFile is the nats.conf content
	ConfigFile []byte

	// OperatorJWT is the operator JWT content
	OperatorJWT []byte

	// SystemAccountJWT is the system account JWT content
	SystemAccountJWT []byte

	// OperatorSeed is the operator seed (sensitive - only for initial setup)
	OperatorSeed string

	// SystemAccountSeed is the system account seed (sensitive - only for initial setup)
	SystemAccountSeed string
}

NATSBootstrapFiles represents the files generated during NATS bootstrap.

type NATSBootstrapRequest added in v1.0.79 

type NATSBootstrapRequest struct {
	// OperatorName is the name for the NATS operator
	OperatorName string

	// ExistingOperatorSeed allows importing an existing operator seed
	ExistingOperatorSeed string

	// GenerateSystemAccount indicates whether to generate a system account
	GenerateSystemAccount bool

	// ConfigOverrides allows customizing the generated configuration
	ConfigOverrides *NATSServerConfig
}

NATSBootstrapRequest contains parameters for bootstrapping a NATS server.

type NATSServerConfig added in v1.0.79 

type NATSServerConfig struct {
	// ServerName is the name of the NATS server instance
	ServerName string

	// ListenPort is the main client connection port (default: 4222)
	ListenPort int

	// OperatorJWTPath is the path to the operator JWT file
	OperatorJWTPath string

	// SystemAccountPublicKey is the public key of the system account
	SystemAccountPublicKey string

	// ResolverDir is the directory where the JWT resolver stores account JWTs
	ResolverDir string

	// TLSEnabled enables TLS for client connections
	TLSEnabled bool

	// TLSCertPath is the path to the server certificate
	TLSCertPath string

	// TLSKeyPath is the path to the server private key
	TLSKeyPath string

	// TLSCAPath is the path to the CA certificate for client verification
	TLSCAPath string

	// TLSVerify enables mutual TLS (client certificate verification)
	TLSVerify bool

	// JetStreamEnabled enables JetStream for persistence
	JetStreamEnabled bool

	// JetStreamStoreDir is the directory for JetStream storage
	JetStreamStoreDir string

	// JetStreamMaxMemory is the maximum memory for JetStream (in bytes, 0 = default)
	JetStreamMaxMemory int64

	// JetStreamMaxFile is the maximum file storage for JetStream (in bytes, 0 = default)
	JetStreamMaxFile int64

	// ClusterEnabled enables NATS clustering
	ClusterEnabled bool

	// ClusterName is the name of the NATS cluster
	ClusterName string

	// ClusterPort is the port for cluster communication
	ClusterPort int

	// ClusterRoutes are the routes to other cluster members
	ClusterRoutes []string

	// LeafNodeEnabled enables leaf node connections
	LeafNodeEnabled bool

	// LeafNodePort is the port for leaf node connections
	LeafNodePort int

	// HTTPMonitorPort is the port for the HTTP monitoring endpoint (0 = disabled)
	HTTPMonitorPort int

	// LogFile is the path to the log file (empty = stdout)
	LogFile string

	// Debug enables debug logging
	Debug bool

	// Trace enables trace logging
	Trace bool

	// MaxPayload is the maximum message payload size (default: 1MB)
	MaxPayload int

	// PingInterval is the interval for client pings (in seconds)
	PingInterval int

	// MaxPingsOut is the maximum outstanding pings before disconnect
	MaxPingsOut int
}

NATSServerConfig contains parameters for generating nats-server configuration.

func DefaultNATSServerConfig added in v1.0.79 

func DefaultNATSServerConfig() *NATSServerConfig

DefaultNATSServerConfig returns a NATSServerConfig with sensible defaults.

type RotationInfo 

type RotationInfo struct {
	LastRotation  time.Time
	NextRotation  time.Time
	RotationCount int64
	Healthy       bool
	Error         string
}

RotationInfo contains information about credential rotation status.

func GetRotationInfo 

func GetRotationInfo(storagePath string) (*RotationInfo, error)

GetRotationInfo returns the current rotation status.

Source Files

View all Source files

Directories

Path Synopsis
Package mtls provides mTLS bootstrap functionality for edge services.
 Package mtls provides mTLS bootstrap functionality for edge services.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.