server

package
v0.0.52
Published: May 26, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Constants

const (
	// AuthnModeUnauthenticated: sidecar binds all interfaces; every
	// caller is trusted. Acceptable only on validator-only pod
	// networks.
	AuthnModeUnauthenticated = ""

	// AuthnModeTrustedHeader pairs the sidecar with an in-pod
	// kube-rbac-proxy on TLS :8443. The proxy performs TokenReview +
	// SAR against the K8s API and forwards passed requests to
	// 127.0.0.1:7777 with X-Remote-User naming the authenticated
	// identity.
	AuthnModeTrustedHeader = "trusted-header"
)
const (
	BackendTest = keyring.BackendTest
	BackendFile = keyring.BackendFile
	BackendOS   = keyring.BackendOS
)

Values accepted by SEI_KEYRING_BACKEND. Aliased so the env-contract surface lives in one place.

Variables

var AllowedBackends = []string{BackendTest, BackendFile, BackendOS}

AllowedBackends is the narrow set supported today; KMS / Vault are deferred.

Functions

func AuthnMode added in v0.0.50

func AuthnMode() (string, error)

AuthnMode reads SEI_SIDECAR_AUTHN_MODE and returns the canonical value. Strict: an unrecognized non-empty value is an error, so a typo (e.g. "trusted_header" with underscore) cannot silently degrade a hardened deployment to wide-open :7777.

func BindAddress added in v0.0.50

func BindAddress(port, mode string) string

BindAddress returns the listen address for the given mode. The loopback bind in trusted-header mode is load-bearing: it confines the listen socket to the pod's network namespace, so the only path to :7777 from outside the pod is through the in-pod proxy. Every container in the pod shares that namespace, so the trust boundary this establishes is the pod, not the sidecar container alone.
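The two functions above form one startup contract: read the env once, reject anything that is not a canonical value, and only then derive a bind address. The following is an added example written for this page, not the sidecar's own code; parseAuthnMode, bindAddress, resolveListen and the lowercase constants are assumed names that mirror the documented behaviour of AuthnMode and BindAddress.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// Canonical values from the page's env contract (assumed local copies).
const (
	authnModeUnauthenticated = ""
	authnModeTrustedHeader   = "trusted-header"
)

// parseAuthnMode accepts exactly the two canonical values. Anything else,
// including near-misses such as "trusted_header" or "Trusted-Header", is an
// error: a misspelled hardening knob must fail startup rather than fall
// back to the wide-open default.
func parseAuthnMode(raw string) (string, error) {
	switch raw {
	case authnModeUnauthenticated, authnModeTrustedHeader:
		return raw, nil
	}
	return "", fmt.Errorf("SEI_SIDECAR_AUTHN_MODE=%q is not recognized (want %q or unset)",
		raw, authnModeTrustedHeader)
}

// bindAddress mirrors the documented rule: loopback in trusted-header mode,
// all interfaces otherwise. net.JoinHostPort("", port) yields ":7777".
func bindAddress(port, mode string) string {
	if mode == authnModeTrustedHeader {
		return net.JoinHostPort("127.0.0.1", port)
	}
	return net.JoinHostPort("", port)
}

// resolveListen is the startup path: read the env once, validate strictly,
// then derive the listen address. A bad value yields an error and no
// address, so the caller cannot bind before the check has passed.
func resolveListen(port string) (addr, mode string, err error) {
	mode, err = parseAuthnMode(os.Getenv("SEI_SIDECAR_AUTHN_MODE"))
	if err != nil {
		return "", "", err
	}
	return bindAddress(port, mode), mode, nil
}

func main() {
	addr, mode, err := resolveListen("7777")
	if err != nil {
		fmt.Println("refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("mode=%q listen=%s\n", mode, addr)
}
```

Run it with SEI_SIDECAR_AUTHN_MODE=trusted_header (underscore) and the process exits non-zero instead of quietly binding :7777 on all interfaces, which is the failure mode the strict parser exists to prevent.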

func BypassPaths added in v0.0.50

func BypassPaths() []string

BypassPaths returns the set of paths exempt from the X-Remote-User check, sorted, so serve.go can log them at startup and the controller-side PR can keep --allow-paths in sync.
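In trusted-header mode the sidecar's own check reduces to: every request must carry X-Remote-User, except the bypass paths. The following is an added example, not the project's middleware; the bypass list it uses is constructed for illustration (the real BypassPaths() returns its own set), and requireRemoteUser, newHandler and probe are assumed names. It is only sound behind a loopback bind, since any client that can reach the socket directly can set the header itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// bypassPaths is a constructed example list, returned sorted as the page
// says the real BypassPaths does so it can be logged at startup.
func bypassPaths() []string {
	p := []string{"/readyz", "/healthz", "/metrics"}
	sort.Strings(p)
	return p
}

// requireRemoteUser rejects requests that lack X-Remote-User unless the
// exact path is in the bypass set. Matching is exact, not prefix, so
// "/healthz/../v0/tasks" is not exempted. The header is only trustworthy
// because the listener is loopback-bound and the in-pod kube-rbac-proxy is
// the only thing that can reach it.
func requireRemoteUser(next http.Handler) http.Handler {
	bypass := make(map[string]struct{}, len(bypassPaths()))
	for _, p := range bypassPaths() {
		bypass[p] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := bypass[r.URL.Path]; ok {
			next.ServeHTTP(w, r)
			return
		}
		if r.Header.Get("X-Remote-User") == "" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"missing X-Remote-User: request did not arrive via the in-pod proxy"}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newHandler wires a minimal mux behind the middleware (constructed routes).
func newHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux.HandleFunc("/v0/tasks", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "task accepted for %s\n", r.Header.Get("X-Remote-User"))
	})
	return requireRemoteUser(mux)
}

// probe sends one in-memory request and returns the status code.
func probe(h http.Handler, method, path, remoteUser string) int {
	req := httptest.NewRequest(method, path, nil)
	if remoteUser != "" {
		req.Header.Set("X-Remote-User", remoteUser)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newHandler()
	fmt.Println("POST /v0/tasks, no header:  ", probe(h, "POST", "/v0/tasks", ""))
	fmt.Println("POST /v0/tasks, with header:", probe(h, "POST", "/v0/tasks", "system:serviceaccount:sei:controller"))
	fmt.Println("GET  /healthz, no header:   ", probe(h, "GET", "/healthz", ""))
}
```

Keeping the bypass set as exact paths and logging it at startup is what lets an operator diff it against the proxy's --allow-paths; a prefix match or a silently grown list would widen the unauthenticated surface without anyone noticing.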

func OpenKeyring added in v0.0.50

func OpenKeyring(backend, dir, passphrase string) (keyring.Keyring, error)

OpenKeyring constructs a Cosmos SDK keyring for the given backend. For the file backend, the passphrase is supplied twice because the underlying 99designs/keyring prompts for it twice on key-creation paths. The caller is responsible for unsetting SEI_KEYRING_PASSPHRASE after OpenKeyring returns, so the secret does not linger in the process environment where child processes would inherit it.

func SmokeTestKeyring added in v0.0.50

func SmokeTestKeyring(kr keyring.Keyring) error

SmokeTestKeyring verifies the keyring is structurally usable. An empty keyring is permitted; first sign-tx surfaces missing keys. Panic recovery exists so the retry loop runs even if the underlying lib panics on a malformed config.

Types

type ErrorResponse

type ErrorResponse struct {
	Error string `json:"error"`
}

ErrorResponse is a standard JSON error envelope.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the HTTP API for the sidecar.

func NewServer

func NewServer(addr string, eng *engine.Engine, homeDir, authnMode string) *Server

NewServer wires a Server to the engine. authnMode must come from AuthnMode() so the env read and validation happen once at startup.

func (*Server) ListenAndServe

func (s *Server) ListenAndServe(ctx context.Context) error

ListenAndServe starts the HTTP server and blocks until ctx is cancelled.

type TaskRequest

type TaskRequest struct {
	ID     string         `json:"id,omitempty"`
	Type   string         `json:"type"`
	Params map[string]any `json:"params,omitempty"`
}

TaskRequest is the JSON body for POST /v0/tasks. When ID is provided, the engine uses it as the task's canonical identifier; otherwise a random UUID is generated.
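Because a caller-supplied ID becomes the task's canonical identifier, the request body deserves strict decoding: reject unknown fields, trailing data and oversized bodies, require type, and only mint a UUID when id is absent. The following is an added example of that handling, not the sidecar's own handler; decodeTaskRequest, validTaskID, newUUID and the size limits are assumptions, and the UUID generator is a plain crypto/rand version-4 construction.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"unicode"
)

// TaskRequest matches the shape documented on the page.
type TaskRequest struct {
	ID     string         `json:"id,omitempty"`
	Type   string         `json:"type"`
	Params map[string]any `json:"params,omitempty"`
}

// Assumed limits; the page does not state the real ones.
const (
	maxTaskBody  = 1 << 20
	maxTaskIDLen = 128
)

// newUUID returns a random RFC 4122 version-4 UUID from crypto/rand.
func newUUID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// validTaskID bounds the length and refuses control or whitespace runes, so
// a caller-chosen ID cannot smuggle newlines into logs or look like two IDs.
func validTaskID(id string) bool {
	if id == "" || len(id) > maxTaskIDLen {
		return false
	}
	return strings.IndexFunc(id, func(r rune) bool {
		return unicode.IsControl(r) || unicode.IsSpace(r)
	}) < 0
}

// decodeTaskRequest parses exactly one JSON object from body.
func decodeTaskRequest(body io.Reader) (TaskRequest, error) {
	dec := json.NewDecoder(io.LimitReader(body, maxTaskBody))
	dec.DisallowUnknownFields()
	var req TaskRequest
	if err := dec.Decode(&req); err != nil {
		return TaskRequest{}, fmt.Errorf("decode task: %w", err)
	}
	// Anything after the first object (a second object, garbage) is rejected.
	if _, err := dec.Token(); err != io.EOF {
		return TaskRequest{}, errors.New("decode task: trailing data after JSON object")
	}
	if req.Type == "" {
		return TaskRequest{}, errors.New(`decode task: "type" is required`)
	}
	if req.ID == "" {
		req.ID = newUUID()
	} else if !validTaskID(req.ID) {
		return TaskRequest{}, errors.New(`decode task: "id" is malformed`)
	}
	return req, nil
}

func main() {
	// Constructed sample bodies.
	for _, body := range []string{
		`{"type":"sign-tx","params":{"chain":"pacific-1"}}`,
		`{"id":"task-42","type":"noop"}`,
		`{"type":"noop","typo":1}`,
	} {
		req, err := decodeTaskRequest(strings.NewReader(body))
		fmt.Printf("%-55s -> id=%q type=%q err=%v\n", body, req.ID, req.Type, err)
	}
}
```

Wrapping the body in io.LimitReader before the decoder is the cheap half of the defence; the other half is that DisallowUnknownFields turns a misspelled field into a hard error instead of a silently ignored parameter.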
