controller

package
v1.6.2 Latest Latest
Published: Jan 26, 2026 License: Apache-2.0 Imports: 36 Imported by: 0

Constants

// MaxNetworks is the upper bound on the number of networks the controller
// handles (presumably sized to a BPF map; confirm against the loader).
const MaxNetworks = 1024

// Cluster-wide names: the channels the controller publishes on and the
// distributed maps it reads and writes (DMAP_RESOLVED_HOSTS backs the map
// returned by GetResolvedHosts). Peers presumably address the same channels
// and maps by these strings, so changing one is a cross-version
// compatibility change — confirm before touching them.
const (
	CHANNEL_OBSERVE_DNS = "observe-dns"
	CHANNEL_GC_PKT_MAP  = "gc-pktmap"
	DMAP_RESOLVED_HOSTS = "resolved-hosts"
	DMAP_PKT_TRACK      = "pkt-track"
)

// Timing configuration.
const (
	// ReconcileInterval controls how often network rules are synced to BPF
	// maps; TriggerReconcile forces a sync without waiting for it.
	ReconcileInterval = 10 * time.Second
	// ShutdownTimeout is the maximum time to wait for graceful shutdown.
	ShutdownTimeout = 10 * time.Second
)
// GCPushInterval controls how often last-seen packet timestamps are pushed
// to Olric.
const GCPushInterval = 1 * time.Minute

// GCCheckInterval controls how often stale connections are cleaned up.
const GCCheckInterval = 1 * time.Minute

// KeepaliveWindow is the duration after which a connection with no observed
// packets is considered stale and eligible for cleanup.
//
// NOTE(review): the original comment states this 3m value was chosen for
// testing against a ~2h default TCP keepalive time. In production an idle
// but still-open TCP session would presumably be dropped from tracking after
// 3m and have to be re-admitted on its next packet — confirm this is the
// intended behaviour, or make the window configurable.
const KeepaliveWindow = 3 * time.Minute

Variables

// InnerPolicyMap is the spec of the per-network policy map: a BPF hash map
// with 8-byte keys, 4-byte values and room for 65535 entries. The "Inner"
// prefix suggests it is the template for a map-in-map whose outer map holds
// one of these per network — confirm against the BPF loader.
//
// NOTE(review): MaxEntries is a hard cap; the kernel rejects inserts beyond
// it, so the reconciler should surface that error rather than silently
// leaving rules out of the data plane. This is an exported, mutable
// package-level pointer, so any package can alter the spec before load.
var InnerPolicyMap = &ebpf.MapSpec{
	Name:       "network_policy",
	Type:       ebpf.Hash,
	// Key and value layouts are defined on the BPF side and are not visible
	// here — keep KeySize/ValueSize in sync with the ELF.
	KeySize:    8,
	ValueSize:  4,
	MaxEntries: 65535,
}

Functions

This section is empty.

Types

type CertificateInfo

// CertificateInfo contains certificate metadata for health checks. It is the
// value type of the map returned by Controller.GetCertificateStatus, keyed by
// CA domain. CertType names the certificate this entry describes; NotBefore
// and NotAfter bound its validity period, so a health check can compare
// NotAfter against the current time to warn before expiry; Serial is the
// certificate serial number as a string (decimal or hex is not visible here
// — confirm with the producer before parsing it).
type CertificateInfo struct {
	CertType  string    `json:"certType"`
	NotBefore time.Time `json:"notBefore"`
	NotAfter  time.Time `json:"notAfter"`
	Serial    string    `json:"serial"`
}

CertificateInfo contains certificate metadata for health checks

type Controller

// Controller is the node-local runtime that New constructs and Close tears
// down. Through its accessors it hands out the BPF collection, the CRL
// manager, verifier and broadcaster set up by the bootstrap ceremony, the
// NATS connection and JetStream handle, cluster membership, the rule provider
// and the diagnostics (sysdump) manager. The accessors that depend on
// bootstrap or on a NATS-backed store return nil when that subsystem is not
// initialized, so callers must nil-check their results.
type Controller struct {
	// contains filtered or unexported fields
}

func New

func New(ctx context.Context, opts *ControllerConfig) (*Controller, error)

func (*Controller) Close

func (c *Controller) Close()

func (*Controller) GenerateDiagnosticBundle

func (c *Controller) GenerateDiagnosticBundle(ctx context.Context) (*sysdump.BundleResult, error)

GenerateDiagnosticBundle collects diagnostics from all registered collectors

func (*Controller) GetAPIServerCRLVerifier

func (c *Controller) GetAPIServerCRLVerifier() *crl.Verifier

GetAPIServerCRLVerifier returns the API server CRL verifier for TLS revocation checking. Returns nil if the bootstrap ceremony was not completed or the verifier is not initialized.

func (*Controller) GetBPFCollection

func (c *Controller) GetBPFCollection() *bpf.Collection

GetBPFCollection returns the BPF collection for accessing BPF maps and settings

func (*Controller) GetBroadcaster

func (c *Controller) GetBroadcaster() *crl.Broadcaster

GetBroadcaster returns the CRL broadcaster for atomic revocation operations. Returns nil if the bootstrap ceremony was not completed or the broadcaster is not initialized.

func (*Controller) GetCRLManager

func (c *Controller) GetCRLManager() *crl.Manager

GetCRLManager returns the CRL manager for certificate revocation operations. Returns nil if the bootstrap ceremony was not completed or the CRL manager is not initialized.

func (*Controller) GetCertificateStatus

func (c *Controller) GetCertificateStatus() map[string]CertificateInfo

GetCertificateStatus returns certificate information for all three CA domains. Returns empty map if bootstrap has not completed or certificates not yet loaded.

func (*Controller) GetDiscoveryResult

func (c *Controller) GetDiscoveryResult() *discovery.DiscoveryResult

GetDiscoveryResult returns the peer discovery result from startup. No mutex is needed: the field is written once during startup and is read-only afterward.

func (*Controller) GetIngressAddress

func (c *Controller) GetIngressAddress() string

GetIngressAddress returns the ingress address for diagnostic purposes

func (*Controller) GetJetStream

func (c *Controller) GetJetStream() jetstream.JetStream

GetJetStream returns the JetStream instance for authentication storage (Phase 28-29). Returns nil if the NATS store is not initialized or the store is not NATS-based.

func (*Controller) GetManagementAddress

func (c *Controller) GetManagementAddress() string

GetManagementAddress returns the management address for diagnostic purposes

func (*Controller) GetMembership

func (c *Controller) GetMembership() cluster.Membership

GetMembership returns the cluster membership interface. It is used to determine the node list during broadcast operations.

func (*Controller) GetNATSConn

func (c *Controller) GetNATSConn() *nats.Conn

GetNATSConn returns the NATS connection for cluster-wide operations (Phase 35). Returns nil if the store is not NATS-backed or not initialized.

func (*Controller) GetReadinessStatus

func (c *Controller) GetReadinessStatus() ReadinessStatus

GetReadinessStatus returns the current readiness state of the controller

func (*Controller) GetResolvedHosts

func (c *Controller) GetResolvedHosts() cluster.DMap

GetResolvedHosts returns the distributed map for resolved DNS hostnames

func (*Controller) GetRuleProvider

func (c *Controller) GetRuleProvider() ruleset.RuleProvider

GetRuleProvider returns the rule provider for diagnostic access

func (*Controller) GetSysdumpManager

func (c *Controller) GetSysdumpManager() *sysdump.Manager

GetSysdumpManager returns the sysdump manager for diagnostic collection (Phase 35)

func (*Controller) GetWatcherManager added in v1.6.1

func (c *Controller) GetWatcherManager() *k8s.WatcherManager

GetWatcherManager returns the Kubernetes watcher manager (Phase 48)

func (*Controller) IsBootstrapMode

func (c *Controller) IsBootstrapMode() bool

IsBootstrapMode returns true if the bootstrap manager is active.

func (*Controller) RotateCertificate

func (c *Controller) RotateCertificate(ctx context.Context, certType rotation.CertificateType) error

RotateCertificate triggers manual certificate rotation for a specific certificate type. Returns error if rotation scheduler is not initialized or rotation fails.

This method is used by the API endpoint to handle manual rotation requests. The rotation uses the same CertificateRenewer infrastructure as automatic rotation, ensuring consistent behavior between manual and automatic rotation flows.

func (*Controller) TriggerReconcile

func (c *Controller) TriggerReconcile() error

TriggerReconcile triggers an immediate synchronization of network rules to BPF maps. This is useful for tests to avoid waiting for the periodic reconcile interval.

func (*Controller) VerifyHostname

func (c *Controller) VerifyHostname(sourceAddr net.IP, host string) bool

type ControllerConfig

// ControllerConfig carries the options New needs to build a Controller. Only
// the fields that say so have documented defaults; whether the zero value of
// the others is valid is not visible here — confirm in New.
type ControllerConfig struct {
	// Integration selects the platform integration; the accepted values are
	// not visible here — confirm against New.
	Integration string
	// Name of the neuwerk cluster
	ClusterName string
	// Name of the target device where packets should be redirected to
	// this is the egress device.
	//
	// The rest of this group is the data-plane wiring (roles inferred from
	// the names — confirm against New): IngressDeviceName is the device
	// traffic arrives on, BPFFS the bpffs mount path, DNSListenHostPort the
	// host:port the DNS listener binds and DNSUpstreamHostPort the resolver
	// it forwards to, and Peers the static peer list used when Discovery is
	// nil (see below).
	// NOTE(review): a DNSListenHostPort bound to a non-loopback address is
	// reachable from other hosts — confirm the intended exposure.
	EgressDeviceName    string
	IngressDeviceName   string
	BPFFS               string
	DNSListenHostPort   string
	DNSUpstreamHostPort string
	Peers               []string

	// Management plane (roles inferred from the names — confirm against
	// New): ManagementAddress and MgmtPort for the management listener
	// (ManagementAddress is also what GetManagementAddress reports),
	// DBBindPort for the cluster store listener, IngressAddress as reported
	// by GetIngressAddress, and StorageDir for persisted state. StorageDir
	// and CertDir (below) hold material that should be created with
	// restrictive permissions.
	ManagementAddress string
	MgmtPort          int
	DBBindPort        int
	IngressAddress    string
	StorageDir        string

	// RuleProvider is the source of network rules (also exposed through
	// GetRuleProvider). CoordinatorReconcilerFunc is invoked with whether
	// this node is the coordinator; when and how often it is called is not
	// visible here.
	RuleProvider              ruleset.RuleProvider
	CoordinatorReconcilerFunc func(ctx context.Context, isCoordinator bool) error

	// ClusterStore allows injecting a custom cluster store implementation (for testing)
	// If nil, a NATS-backed store will be created automatically
	ClusterStore cluster.Store

	// Bootstrap configuration (Phase 15)
	// NOTE(review): the bootstrap token is a credential. The file should be
	// readable only by the controller's user, and the token value must not
	// end up in logs or diagnostic bundles.
	BootstrapTokenFile string   // Path to bootstrap token file (enables TLS bootstrap)
	RaftBindAddr       string   // Raft listener address for bootstrap election
	CustomSANs         []string // Additional SANs for certificates (Phase 18)
	CertDir            string   // Certificate storage directory (Phase 18)

	// Discovery implementation (Phase 22 - Cloud Peer Discovery)
	// If nil, a static discovery will be created from Peers list
	Discovery discovery.Discovery

	// CLI flags for diagnostic collection (Phase 31)
	// NOTE(review): flag values can carry secrets; confirm they are redacted
	// before GenerateDiagnosticBundle writes them into a bundle.
	CLIFlags map[string]interface{}

	// Tunnel mode for cloud load balancer integration (Phase 37)
	// Valid values: "" (no tunneling), "geneve" (AWS GWLB), "vxlan" (Azure GWLB)
	// Any other value should be rejected by New — confirm that validation exists.
	TunnelMode string

	// Session replication configuration (Phase 42)
	// Whether a zero ReplicationInterval means "disabled" or "use a default"
	// is not visible here — confirm in New.
	EnableSessionReplication bool
	ReplicationInterval      time.Duration

	// BPF map sizes (Phase 48 - memory optimization)
	// Zero values use defaults compiled into the BPF ELF
	MapSizes bpf.MapSizes
}

type ReadinessStatus

// ReadinessStatus represents the current readiness state of the controller,
// as returned by GetReadinessStatus and serialized via its json tags.
// ClusterReady, BPFReady and InitialSyncDone report the individual
// subsystems; Ready is presumably their conjunction and Message carries a
// human-readable reason when the controller is not ready (it is omitted from
// JSON when empty) — confirm against the producer.
type ReadinessStatus struct {
	Ready           bool   `json:"ready"`
	ClusterReady    bool   `json:"clusterReady"`
	BPFReady        bool   `json:"bpfReady"`
	InitialSyncDone bool   `json:"initialSyncDone"`
	Message         string `json:"message,omitempty"`
}

ReadinessStatus represents the current readiness state of the controller
