Documentation
Overview
Package bootstrap orchestrates the TLS bootstrap ceremony with Raft-based leader election. This package coordinates single-node vs multi-node detection, Raft election, and leadership stability checking before CA generation.
Index
- type BootstrapManager
- func (b *BootstrapManager) DistributeJWTKey(ctx context.Context, js jetstream.JetStream) error
- func (b *BootstrapManager) GetCAManager() *ca.Manager
- func (b *BootstrapManager) IsLeader() bool
- func (b *BootstrapManager) RetrieveJWTKey(ctx context.Context, js jetstream.JetStream) error
- func (b *BootstrapManager) Run(ctx context.Context) error
- func (b *BootstrapManager) Shutdown() error
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type BootstrapManager
type BootstrapManager struct {
// contains filtered or unexported fields
}
BootstrapManager orchestrates the TLS bootstrap ceremony. It handles both single-node and multi-node deployment scenarios, running Raft leader election for multi-node to prevent split-brain CA generation.
func NewBootstrapManager
func NewBootstrapManager(nodeID string, bindAddr string, bootstrapToken token.SecureToken, discoveryResult *discovery.DiscoveryResult, customSANs []string, certDir string, logger logr.Logger) (*BootstrapManager, error)
NewBootstrapManager creates a new bootstrap ceremony manager. Parameters:
- nodeID: Unique identifier for this node (hostname or configured ID)
- bindAddr: Raft listener address (e.g., "0.0.0.0:7000")
- bootstrapToken: Pre-shared key for Raft encryption
- discoveryResult: Result from Phase 14 peer discovery
- customSANs: Additional Subject Alternative Names for certificates
- certDir: Certificate storage directory (e.g., "/var/lib/neuwerk/certs")
- logger: Structured logger for bootstrap events
func (*BootstrapManager) DistributeJWTKey
func (b *BootstrapManager) DistributeJWTKey(ctx context.Context, js jetstream.JetStream) error
DistributeJWTKey distributes the JWT signing key via NATS KV after NATS initialization. Called by the controller after the NATS store is created (leader only).
func (*BootstrapManager) GetCAManager
func (b *BootstrapManager) GetCAManager() *ca.Manager
GetCAManager returns the CA manager instance (may be nil if not yet created). Used by the controller to access the generated CAs for certificate issuance.
func (*BootstrapManager) IsLeader
func (b *BootstrapManager) IsLeader() bool
IsLeader returns true if this node is the bootstrap leader. Phase 16 CA manager checks this to decide whether to generate or wait for CA.
func (*BootstrapManager) RetrieveJWTKey
func (b *BootstrapManager) RetrieveJWTKey(ctx context.Context, js jetstream.JetStream) error
RetrieveJWTKey retrieves the JWT signing key from NATS KV after NATS initialization. Called by the controller after the NATS store is created (follower only).
func (*BootstrapManager) Run
func (b *BootstrapManager) Run(ctx context.Context) error
Run executes the bootstrap ceremony and determines leadership. Flow:
- Check if CA already exists (skip bootstrap if yes)
- Single-node: Skip Raft, self-elect as leader
- Multi-node: Run Raft election, wait for stability if leader
Returns nil on success, or an error if bootstrap fails. The context should carry a sufficient timeout (60+ seconds for the full ceremony).
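The flow above is what prevents split-brain CA generation: only the node that wins the election and holds stable leadership generates the CA and distributes the JWT key, while every other node waits and retrieves it. The following is an added example, not code from this package: it models that decision flow for a set of nodes so the invariant (exactly one CA generation per cluster) can be checked. The `Cluster`, `Node`, `Bootstrap` and `RunCluster` names are constructed for the example; a compare-and-swap stands in for the Raft election, a mutex-guarded map stands in for the NATS KV bucket, and the follower polls that map where the real manager would call RetrieveJWTKey.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Role is the outcome of the bootstrap ceremony for one node.
type Role int

const (
	RoleSkipped  Role = iota // a CA already exists on disk, ceremony skipped
	RoleLeader               // this node generates the CA and publishes the JWT key
	RoleFollower             // this node waits for the leader and retrieves the key
)

// Cluster is a constructed stand-in for the shared infrastructure: the
// compare-and-swap on leader plays the Raft election (exactly one winner),
// and the mutex-guarded map plays the NATS KV bucket.
type Cluster struct {
	leader      int32 // 1 once a node has won the election
	caGenerated int32 // number of CA generations; the invariant is that this ends at 1
	mu          sync.Mutex
	kv          map[string][]byte
}

// NewCluster returns a cluster with no leader and an empty KV store.
func NewCluster() *Cluster { return &Cluster{kv: map[string][]byte{}} }

func (c *Cluster) put(key string, val []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.kv[key] = val
}

func (c *Cluster) get(key string) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	v, ok := c.kv[key]
	return v, ok
}

// Node carries the two inputs that decide which path the ceremony takes.
type Node struct {
	ID       string
	CAExists bool // a CA is already present in the cert directory
	Peers    int  // peers found by discovery; 0 means single-node
}

// Bootstrap follows the flow described for Run: skip if a CA exists, self-elect
// when single-node, otherwise run the election, wait for leadership stability,
// and only then generate the CA and publish the JWT key. Followers block until
// the key is published or the context expires.
func Bootstrap(ctx context.Context, n Node, c *Cluster, stability time.Duration) (Role, error) {
	if n.CAExists {
		return RoleSkipped, nil
	}
	if n.Peers == 0 {
		generateCAAndPublish(c, n) // single-node: leader by definition, no Raft
		return RoleLeader, nil
	}
	if atomic.CompareAndSwapInt32(&c.leader, 0, 1) {
		select { // stability wait: stand-in for confirming leadership does not flap
		case <-ctx.Done():
			return 0, fmt.Errorf("%s: leadership not stable: %w", n.ID, ctx.Err())
		case <-time.After(stability):
		}
		generateCAAndPublish(c, n)
		return RoleLeader, nil
	}
	for { // follower: poll the KV bucket for the key the leader publishes
		if _, ok := c.get("jwt-signing-key"); ok {
			return RoleFollower, nil
		}
		select {
		case <-ctx.Done():
			return 0, fmt.Errorf("%s: waiting for leader: %w", n.ID, ctx.Err())
		case <-time.After(5 * time.Millisecond):
		}
	}
}

// generateCAAndPublish is the leader-only step: CA generation is counted here
// instead of producing key material, then the (constructed) JWT key is distributed.
func generateCAAndPublish(c *Cluster, n Node) {
	atomic.AddInt32(&c.caGenerated, 1)
	c.put("jwt-signing-key", []byte("constructed-key-from-"+n.ID))
}

// RunCluster bootstraps every node concurrently, as a multi-node deployment
// would, and returns each node's role plus how many CAs were generated.
func RunCluster(ctx context.Context, nodes []Node, stability time.Duration) (map[string]Role, int32, error) {
	c := NewCluster()
	roles := make(map[string]Role, len(nodes))
	var mu sync.Mutex
	var wg sync.WaitGroup
	var firstErr error
	for _, n := range nodes {
		wg.Add(1)
		go func(n Node) {
			defer wg.Done()
			role, err := Bootstrap(ctx, n, c, stability)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			roles[n.ID] = role
		}(n)
	}
	wg.Wait()
	return roles, atomic.LoadInt32(&c.caGenerated), firstErr
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) // the 60+ s budget Run asks for
	defer cancel()
	nodes := []Node{{ID: "node-a", Peers: 2}, {ID: "node-b", Peers: 2}, {ID: "node-c", Peers: 2}}
	roles, generated, err := RunCluster(ctx, nodes, 50*time.Millisecond)
	fmt.Printf("roles=%v CAs generated=%d err=%v\n", roles, generated, err)
}
```

The timeout handling is the part worth watching in a real deployment: a follower whose leader never publishes the key returns the context error rather than falling back to generating its own CA, because a second CA is exactly the split-brain outcome the election exists to prevent.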
func (*BootstrapManager) Shutdown
func (b *BootstrapManager) Shutdown() error
Shutdown gracefully stops the bootstrap manager. If Raft was started, it is shut down without leaving the cluster.