Documentation
Constants
const (
	// JWTKeyBucketName is the NATS KV bucket for JWT signing key distribution
	JWTKeyBucketName = "neuwerk-jwt-key"
	// JWTKeyName is the key name for the JWT signing key in the KV bucket
	JWTKeyName = "signing-key"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Manager
type Manager struct {
// contains filtered or unexported fields
}
Manager handles JWT signing key generation and distribution for multi-node clusters. It follows the same encryption pattern as CA key distribution:
- Leader generates JWT signing key during bootstrap
- Key is encrypted with bootstrap token (using HKDF + AES-GCM like CA keys)
- Encrypted key is stored in NATS KV bucket
- Followers retrieve and decrypt the key from NATS KV
- All nodes save the key to local disk for persistence across restarts
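The encrypt-then-store step described in the list above, as an added example that is not the neuwerk package's own code: HKDF-SHA256 derives an AES-256 key from the bootstrap token, the PKCS#8-encoded RSA signing key is sealed with AES-GCM (the blob the leader would write to the KV bucket), and the follower side refuses any blob that fails authentication. The HKDF info label, the function names and the inline HKDF helper are assumptions; the package's real derivation parameters are not shown on this page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)
// hkdfInfo is an assumed context label; the real package's HKDF salt/info values are not on the page.
const hkdfInfo = "neuwerk-jwt-signing-key"
// hkdfSHA256 is HKDF-SHA256 (RFC 5869) with an empty salt and one Expand block (= one 32-byte AES-256 key), inlined so only the stdlib is needed.
func hkdfSHA256(secret, info []byte) []byte {
	extract := hmac.New(sha256.New, nil) // empty salt is equivalent to HashLen zero bytes
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with PRK
	expand.Write(info)
	expand.Write([]byte{1}) // T(1) = HMAC(PRK, info || 0x01)
	return expand.Sum(nil)
}
func gcmFor(token []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(hkdfSHA256(token, []byte(hkdfInfo))) // AES-256-GCM under the token-derived key
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// sealPKCS8 is the leader side: PKCS#8-encode the key and seal it; output is nonce || ciphertext || tag.
func sealPKCS8(token []byte, key *rsa.PrivateKey) ([]byte, error) {
	gcm, err := gcmFor(token)
	if err != nil { return nil, err }
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal; never reuse one under the same key
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, der, nil), nil
}
// openPKCS8 is the follower side: a wrong token or a modified blob fails GCM authentication, so no key is returned.
func openPKCS8(token, blob []byte) (*rsa.PrivateKey, error) {
	gcm, err := gcmFor(token)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("encrypted blob too short") }
	der, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil { return nil, err } // authentication failed
	k, err := x509.ParsePKCS8PrivateKey(der)
	rk, ok := k.(*rsa.PrivateKey)
	if err != nil || !ok { return nil, errors.New("decrypted payload is not an RSA PKCS#8 key") }
	return rk, nil
}
```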
func NewManager
func NewManager(bootstrapToken token.SecureToken, jwtKeyPath string, logger logr.Logger) (*Manager, error)
NewManager creates a new JWT key distribution manager.
func (*Manager) GenerateAndDistribute
GenerateAndDistribute generates a JWT signing key and stores it in NATS KV. Called by the bootstrap leader before CA generation. The key is encrypted using the same pattern as CA keys (PKCS#8 with AES-256-GCM).
func (*Manager) LoadOrRetrieve
func (m *Manager) LoadOrRetrieve(ctx context.Context, js jetstream.JetStream) (*rsa.PrivateKey, error)
LoadOrRetrieve loads the JWT signing key from local disk if it exists, otherwise retrieves it from NATS KV (for restart scenarios). Returns the private key or error if neither disk nor KV contains the key.
func (*Manager) RetrieveAndSave
RetrieveAndSave retrieves the JWT signing key from NATS KV and saves it to local disk. Called by bootstrap followers after CAs are received. Polls with backoff for up to 30 seconds (matches CA distribution timeout).