coordinate

package
v0.10.0 Latest
Published: Jun 10, 2026 License: Apache-2.0 Imports: 80 Imported by: 0

Documentation


Constants

const (
	DefaultProjectOwner = "miren.system@miren.dev"
	DefaultCloudURL     = "https://api.miren.cloud"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AdvertiseCandidate added in v0.8.0

type AdvertiseCandidate struct {
	Source         string // "listen", "explicit", "discovered", "netcheck"
	HostPort       string
	IP             net.IP
	Classification string // loopback / link-local / private / global-unicast / other
	Included       bool
	Reason         string
}

AdvertiseCandidate describes one candidate address the advertise logic considered, and whether it ended up in the final advertised set. Used by both production (building the final list) and debug tooling (explaining the decision for every IP).

func ComputeAdvertise added in v0.8.0

func ComputeAdvertise(in AdvertiseInput) ([]AdvertiseCandidate, []string)

ComputeAdvertise is the single source of truth for computing the addresses the server advertises. It returns the ordered list of candidates (including rejected ones, so callers can explain why) and the final list of advertised host:port strings.

The returned list is intended for StatusReport.APIAddresses, i.e. the addresses miren.cloud hands out to clients that want to reach this cluster. Loopback and unspecified (0.0.0.0, ::) addresses are never included — a client coming in through miren.cloud is by definition not running on the same host, so those entries would only produce failed connection attempts.

Filtering rules:

  1. Listen address: included if it parses as host:port with a literal, non-loopback, non-unspecified IP.

  2. Explicit IPs (user-configured): always included, except loopback and unspecified which are dropped with a reason.

  3. Discovered IPs (auto-scanned from interfaces):
     a. Loopback and unspecified are dropped.
     b. CGNAT addresses (100.64.0.0/10) are dropped.
     c. Public (global-unicast, non-private) IPs are dropped if netcheck ran for that address family, whether it proved the family unreachable or found reachable addresses (in the latter case the netcheck-confirmed addresses from rule 4 replace the discovered ones).
     d. Otherwise kept as a fallback.

  4. Netcheck public addresses: included when reachable on at least one port.
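The following is an added example, not the package's own ComputeAdvertise, that replays rules 1 through 4 over a constructed set of candidates so the verdict for each address is visible; it also stands in for the filtering PublicIPs reuses. The netcheck input is modelled by a hypothetical familyCheck/netcheck pair rather than the real *cloudauth.NetcheckDualStackResult, and all addresses below are constructed. One point worth noting: Go's net.IP.IsGlobalUnicast returns true for RFC 1918 and CGNAT space, so "public" has to be derived with an explicit IsPrivate check and the 100.64.0.0/10 test, exactly as the rules require.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// SourcedIP mirrors the page's type: an IP tagged with how it was obtained.
type SourcedIP struct {
	IP       net.IP
	Explicit bool
}

// familyCheck is a hypothetical stand-in for one address family's netcheck result (the real
// input is *cloudauth.NetcheckDualStackResult). nil means netcheck never ran for that family.
type familyCheck struct{ Reachable []net.IP }

type netcheck struct{ V4, V6 *familyCheck }

type candidate struct { // mirrors AdvertiseCandidate, minus Classification
	Source, HostPort, Reason string
	Included                 bool
}

var cgnat = &net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}

// computeAdvertise applies rules 1-4 as the page states them and returns every
// candidate with its verdict plus the final host:port list.
func computeAdvertise(listen string, ips []SourcedIP, nc netcheck, port int) ([]candidate, []string) {
	cands, final := []candidate{}, []string{}
	add := func(c candidate) {
		cands = append(cands, c)
		if c.Included {
			final = append(final, c.HostPort)
		}
	}
	hp := func(ip net.IP) string { return net.JoinHostPort(ip.String(), strconv.Itoa(port)) }
	if h, p, err := net.SplitHostPort(listen); err == nil { // rule 1
		ip := net.ParseIP(h)
		ok := ip != nil && !ip.IsLoopback() && !ip.IsUnspecified()
		add(candidate{Source: "listen", HostPort: net.JoinHostPort(h, p), Included: ok,
			Reason: "listen address: advertised only with a literal, non-loopback, non-unspecified IP"})
	}
	for _, s := range ips {
		ip := s.IP
		c := candidate{Source: "discovered", HostPort: hp(ip)}
		if s.Explicit {
			c.Source = "explicit"
		}
		fam := nc.V6 // netcheck state for this IP's family; nil if it never ran
		if ip.To4() != nil {
			fam = nc.V4
		}
		// IsGlobalUnicast alone is not "public": Go counts RFC 1918 and CGNAT space as global unicast.
		public := ip.IsGlobalUnicast() && !ip.IsPrivate()
		switch {
		case ip.IsLoopback() || ip.IsUnspecified(): // rules 2 and 3a
			c.Reason = "loopback/unspecified: a client arriving via miren.cloud is never on this host"
		case s.Explicit: // rule 2: user-configured, no further pruning
			c.Included = true
		case cgnat.Contains(ip): // rule 3b
			c.Reason = "CGNAT 100.64.0.0/10 (e.g. a tailnet address), not publicly routable"
		case public && fam != nil: // rule 3c
			c.Reason = "netcheck ran for this family; its verdict replaces the interface scan"
		default: // rule 3d
			c.Included = true
		}
		add(c)
	}
	for _, f := range []*familyCheck{nc.V4, nc.V6} { // rule 4
		if f == nil {
			continue
		}
		for _, ip := range f.Reachable {
			add(candidate{Source: "netcheck", HostPort: hp(ip), Included: true, Reason: "reachable on at least one port"})
		}
	}
	return cands, final
}

// exampleScenario is constructed input: a wildcard listener, explicit loopback and private IPs,
// a discovered CGNAT address, a public IPv4 superseded by netcheck, and an IPv6 kept as fallback.
func exampleScenario() ([]candidate, []string) {
	ips := []SourcedIP{
		{IP: net.ParseIP("127.0.0.1"), Explicit: true},
		{IP: net.ParseIP("10.0.0.5"), Explicit: true},
		{IP: net.ParseIP("100.64.1.2")},
		{IP: net.ParseIP("203.0.113.7")},
		{IP: net.ParseIP("2001:db8::1")},
	}
	nc := netcheck{V4: &familyCheck{Reachable: []net.IP{net.ParseIP("198.51.100.9")}}}
	return computeAdvertise("0.0.0.0:8443", ips, nc, 8443)
}

func main() {
	cands, final := exampleScenario()
	fmt.Printf("%d candidates considered; advertised: %v\n", len(cands), final)
}
```

With this input the advertised list is 10.0.0.5:8443, [2001:db8::1]:8443 and 198.51.100.9:8443: the wildcard listener, the explicit loopback, the CGNAT address and the scanned 203.0.113.7 all appear in the candidate list with a reason but never reach the final set. Note that the IPv6 address survives only because netcheck never ran for that family; had netcheck run and found no reachable IPv6 port, rule 3c would have dropped it too.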

type AdvertiseInput added in v0.8.0

type AdvertiseInput struct {
	// ListenAddr is the server's own listen address (e.g. "0.0.0.0:8443").
	// Included in the advertised list only if it has a literal,
	// non-loopback, non-unspecified IP.
	ListenAddr string

	// IPs is the unified list of all candidate IP addresses, each
	// tagged as explicit (user-configured) or discovered (interface scan).
	// Explicit IPs bypass all filtering except loopback / unspecified.
	// Discovered IPs are subject to CGNAT, netcheck, and other pruning.
	IPs []SourcedIP

	// Netcheck is the result of the dual-stack netcheck, if one has run.
	// A nil pointer means netcheck never ran / failed entirely.
	Netcheck *cloudauth.NetcheckDualStackResult

	// Port is the port to append to bare IPs (defaults to 8443).
	Port int
}

AdvertiseInput is the raw input for computing the set of API addresses the server should advertise to clients and to miren.cloud.

type CloudAuthConfig

type CloudAuthConfig struct {
	Enabled     bool              `json:"enabled" yaml:"enabled"`
	CloudURL    string            `json:"cloud_url" yaml:"cloud_url"`       // URL of miren.cloud (default: https://api.miren.cloud)
	PrivateKey  string            `json:"private_key" yaml:"private_key"`   // Required: Path to service account private key when enabled
	Tags        map[string]string `json:"tags" yaml:"tags"`                 // Tags from registration for RBAC evaluation
	ClusterID   string            `json:"cluster_id" yaml:"cluster_id"`     // Cluster ID for status reporting
	DNSHostname string            `json:"dns_hostname" yaml:"dns_hostname"` // Cloud-provisioned DNS hostname for the cluster
}

CloudAuthConfig contains the cloud authentication settings.

type Coordinator

type Coordinator struct {
	CoordinatorConfig

	Log *slog.Logger
	// contains filtered or unexported fields
}

func NewCoordinator

func NewCoordinator(log *slog.Logger, cfg CoordinatorConfig) *Coordinator

func (*Coordinator) Activator

func (c *Coordinator) Activator() activator.AppActivator

func (*Coordinator) AutocertReadySignal added in v0.6.0

func (c *Coordinator) AutocertReadySignal() func()

AutocertReadySignal returns a function that signals the autocert controller that the port-80 ACME challenge server is ready. Returns nil when the DNS-01 path is used (which doesn't need port 80).

func (*Coordinator) CertificateProvider

func (c *Coordinator) CertificateProvider() autotls.CertificateProvider

CertificateProvider returns the certificate provider for use by autotls.

func (*Coordinator) HttpIngress added in v0.3.1

func (c *Coordinator) HttpIngress() *httpingress.Server

func (*Coordinator) IssueCertificate

func (c *Coordinator) IssueCertificate(name string) (*caauth.ClientCertificate, error)

func (*Coordinator) ListenAddress

func (c *Coordinator) ListenAddress() string

func (*Coordinator) LoadAPICert

func (c *Coordinator) LoadAPICert(ctx context.Context) error

func (*Coordinator) LoadCA

func (c *Coordinator) LoadCA(ctx context.Context) error

func (*Coordinator) LocalConfig

func (c *Coordinator) LocalConfig() (*clientconfig.Config, error)

func (*Coordinator) NamedConfig

func (c *Coordinator) NamedConfig(name string) (*clientconfig.Config, error)

func (*Coordinator) PublicIPs added in v0.7.0

func (c *Coordinator) PublicIPs() []net.IP

PublicIPs returns the cluster's known public IP addresses, applying the same filtering rules as the advertised API addresses. Routes through ComputeAdvertise so the AutocertController's DNS sanity check honors per-family netcheck state (no leaking the source IP when its family has zero reachable ports) and the CGNAT filter (no advertising tailnet addresses as "public").

func (*Coordinator) ReportStartupStatus

func (c *Coordinator) ReportStartupStatus(ctx context.Context) error

ReportStartupStatus reports the current cluster status to miren.cloud at startup.

func (*Coordinator) ReportStatus

func (c *Coordinator) ReportStatus(ctx context.Context) error

ReportStatus reports the current cluster status to miren.cloud

func (*Coordinator) RunnerConfig added in v0.2.0

func (c *Coordinator) RunnerConfig(listenAddress string) (*clientconfig.Config, error)

RunnerConfig returns a client config for a runner service with proper TLS certificate SANs. The certificate will be valid for localhost and the runner's listen address.

func (*Coordinator) SandboxPoolManager

func (c *Coordinator) SandboxPoolManager() *sandboxpool.Manager

func (*Coordinator) Server

func (c *Coordinator) Server() *rpc.Server

func (*Coordinator) ServiceConfig

func (c *Coordinator) ServiceConfig() (*clientconfig.Config, error)

func (*Coordinator) Start

func (c *Coordinator) Start(ctx context.Context) error

func (*Coordinator) Stop

func (c *Coordinator) Stop()

Stop stops the coordinator and all managed controllers.

type CoordinatorConfig

type CoordinatorConfig struct {
	Address         string              `json:"address" yaml:"address"`
	EtcdEndpoints   []string            `json:"etcd_endpoints" yaml:"etcd_endpoints"`
	Prefix          string              `json:"prefix" yaml:"prefix"`
	NetworkBackend  string              `json:"network_backend" yaml:"network_backend"`
	Resolver        netresolve.Resolver `json:"resolver" yaml:"resolver"`
	TempDir         string              `json:"temp_dir" yaml:"temp_dir"`
	DataPath        string              `json:"data_path" yaml:"data_path"`
	AdditionalNames []string            `json:"additional_names" yaml:"additional_names"`
	IPs             *IPSet              `json:"ips" yaml:"ips"`

	// ACME certificate configuration
	AcmeEmail       string `json:"acme_email" yaml:"acme_email"`
	AcmeDNSProvider string `json:"acme_dns_provider" yaml:"acme_dns_provider"`

	// Cloud authentication configuration
	CloudAuth CloudAuthConfig `json:"cloud_auth" yaml:"cloud_auth"`

	// NoAuth disables authentication entirely (for testing only)
	NoAuth bool `json:"no_auth" yaml:"no_auth"`

	// EtcdTLS holds mTLS configuration for etcd connections (optional).
	// When set, the coordinator will use mTLS to connect to etcd.
	EtcdTLS *EtcdTLSConfig `json:"etcd_tls" yaml:"etcd_tls"`

	Mem       *metrics.MemoryUsage
	Cpu       *metrics.CPUUsage
	HTTP      *metrics.HTTPMetrics
	Logs      *observability.LogReader
	LogWriter observability.LogWriter

	// Observability addresses for distributed runners
	VictoriametricsAddress string
	VictorialogsAddress    string

	// BuildKit is the persistent BuildKit component for container image builds
	BuildKit *buildkit.Component

	// HTTPRequestTimeout is the timeout for HTTP requests to app sandboxes
	HTTPRequestTimeout time.Duration

	// WorkloadIssuer signs workload identity tokens for sandbox containers
	WorkloadIssuer *workloadidentity.Issuer
}

type EtcdTLSConfig added in v0.4.0

type EtcdTLSConfig struct {
	CertPEM []byte // Client certificate PEM
	KeyPEM  []byte // Client private key PEM
	CACert  []byte // CA certificate PEM for verifying server
}

EtcdTLSConfig holds TLS configuration for connecting to etcd with mTLS.

type EtcdTLSSetupResult added in v0.4.0

type EtcdTLSSetupResult struct {
	// CertsDir is the directory containing etcd server certs (ca.crt, server.crt, server.key)
	CertsDir string
	// ClientTLS is the TLS config for clients connecting to etcd
	ClientTLS *EtcdTLSConfig
	// ClientCertFile is the path to the client certificate on disk
	ClientCertFile string
	// ClientKeyFile is the path to the client private key on disk
	ClientKeyFile string
	// CAFile is the path to the CA certificate on disk
	CAFile string
}

EtcdTLSSetupResult contains the results of setting up etcd TLS.

func SetupEtcdTLS added in v0.4.0

func SetupEtcdTLS(log *slog.Logger, dataPath string, extraDNSNames []string, extraIPs []net.IP) (*EtcdTLSSetupResult, error)

SetupEtcdTLS loads the existing CA and ensures valid etcd mTLS certificates. Existing certificates are reused if their SANs match and they aren't near expiry; otherwise they are regenerated. The dataPath should be the same path used for CoordinatorConfig.DataPath. The CA must already exist (created by the coordinator's LoadCA). Additional DNS names and IPs are included in the server certificate SANs so that distributed runners can connect to etcd over the network.
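The reuse decision described above (keep the existing certificate only if its SANs match and it is not near expiry) is the part of this flow most worth getting right: a stale SAN set breaks a newly added distributed runner, while an over-eager check churns certificates on every start. The example below is added here and is not SetupEtcdTLS itself; it implements that decision over an in-memory PEM certificate, mints a throwaway self-signed certificate so it runs offline (the real code signs with the coordinator's CA and reads from dataPath), and treats the renewal window renewBefore as an assumed parameter, since the page does not state the threshold it uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// needsRegeneration decides whether an existing etcd server certificate can be
// reused, following the rule the page gives for SetupEtcdTLS: the DNS and IP SANs
// must match the wanted set exactly (as sets, so order does not matter) and the
// certificate must not expire within renewBefore of now. Any parse failure also
// forces regeneration. The returned string explains the decision.
func needsRegeneration(certPEM []byte, wantDNS []string, wantIPs []net.IP, renewBefore time.Duration, now time.Time) (bool, string) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return true, "no PEM certificate"
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return true, "unparseable certificate: " + err.Error()
	}
	if !sameSet(cert.DNSNames, wantDNS) {
		return true, "DNS SANs differ"
	}
	// Compare IPs by canonical text: a parsed IPv4 SAN is 4 bytes while net.ParseIP
	// yields 16 bytes, so a byte comparison would report a spurious mismatch.
	if !sameSet(ipStrings(cert.IPAddresses), ipStrings(wantIPs)) {
		return true, "IP SANs differ"
	}
	if now.Add(renewBefore).After(cert.NotAfter) {
		return true, "expires within " + renewBefore.String()
	}
	return false, "reusable"
}

func ipStrings(ips []net.IP) []string {
	out := make([]string, 0, len(ips))
	for _, ip := range ips {
		out = append(out, ip.String())
	}
	return out
}

// sameSet reports whether a and b hold the same strings, ignoring order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	a, b = append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(a)
	sort.Strings(b)
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// selfSignedServerCert mints a throwaway ECDSA P-256 certificate with the given
// SANs and lifetime. It exists only so the example runs offline; the real setup
// signs etcd certificates with the coordinator's CA.
func selfSignedServerCert(dns []string, ips []net.IP, lifetime time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ips := []net.IP{net.ParseIP("10.0.0.5")} // constructed SAN set
	cert := selfSignedServerCert([]string{"localhost", "etcd.internal"}, ips, 90*24*time.Hour)
	now := time.Now()
	// Same SANs in a different order, 30-day renewal window: reusable.
	fmt.Println(needsRegeneration(cert, []string{"etcd.internal", "localhost"}, ips, 30*24*time.Hour, now))
	// A new runner's DNS name joins the wanted set: regenerate.
	fmt.Println(needsRegeneration(cert, []string{"localhost", "etcd.internal", "runner-2.internal"}, ips, 30*24*time.Hour, now))
}
```

The comparison is deliberately exact in both directions: a certificate carrying SANs that are no longer wanted is also regenerated, since a name left over from a decommissioned runner is a name the certificate should no longer answer for.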

type IPSet added in v0.8.0

type IPSet struct {
	// contains filtered or unexported fields
}

IPSet is an ordered, de-duplicated collection of SourcedIP entries. When a duplicate IP is added, the Explicit flag is sticky: adding an IP as explicit promotes a previously-discovered entry, but adding it as discovered never demotes an explicit one. Iteration order matches first-insertion order.
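An added re-implementation of these semantics (not the package's IPSet) follows, to make the sticky-flag rule and the de-duplication concrete. The one detail a caller can trip over is the key: net.ParseIP returns a 16-byte slice for an IPv4 address while To4 returns 4 bytes, so a set keyed on the raw bytes would store the same address twice; the example keys on the canonical string form instead. The addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// SourcedIP mirrors the page's type.
type SourcedIP struct {
	IP       net.IP
	Explicit bool
}

// ipSet re-implements the behaviour the page describes for IPSet: insertion-ordered,
// de-duplicated, with a sticky Explicit flag. Entries are keyed by ip.String() so that
// the 4-byte (To4) and 16-byte (ParseIP) forms of one IPv4 address collide.
type ipSet struct {
	order []string
	entry map[string]SourcedIP
}

func newIPSet() *ipSet { return &ipSet{entry: map[string]SourcedIP{}} }

// add inserts sip. A duplicate is ignored unless it is explicit, in which case it
// promotes the stored entry; a discovered duplicate never demotes an explicit one.
func (s *ipSet) add(sip SourcedIP) {
	key := sip.IP.String()
	if cur, ok := s.entry[key]; ok {
		if sip.Explicit && !cur.Explicit {
			cur.Explicit = true
			s.entry[key] = cur
		}
		return
	}
	s.order = append(s.order, key)
	s.entry[key] = sip
}

// all returns a copy of the entries in first-insertion order. Safe on a nil receiver.
func (s *ipSet) all() []SourcedIP {
	if s == nil {
		return nil
	}
	out := make([]SourcedIP, 0, len(s.order))
	for _, k := range s.order {
		out = append(out, s.entry[k])
	}
	return out
}

// exampleSet is constructed input exercising both directions of the sticky rule.
func exampleSet() []SourcedIP {
	s := newIPSet()
	s.add(SourcedIP{IP: net.ParseIP("10.0.0.5")})                       // discovered first
	s.add(SourcedIP{IP: net.ParseIP("192.0.2.10"), Explicit: true})     // explicit
	s.add(SourcedIP{IP: net.ParseIP("10.0.0.5").To4(), Explicit: true}) // same IP, 4-byte form: promotes
	s.add(SourcedIP{IP: net.ParseIP("192.0.2.10")})                     // discovered duplicate: no demotion
	return s.all()
}

func main() {
	for _, e := range exampleSet() {
		fmt.Printf("%-12s explicit=%v\n", e.IP, e.Explicit)
	}
}
```

The result is two entries, 10.0.0.5 then 192.0.2.10, both explicit: the discovered 10.0.0.5 was promoted by the later explicit add despite arriving in a different byte representation, and the later discovered 192.0.2.10 left the explicit entry untouched.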

func NewIPSet added in v0.8.0

func NewIPSet() *IPSet

NewIPSet creates an empty IPSet.

func (*IPSet) Add added in v0.8.0

func (s *IPSet) Add(sip SourcedIP)

Add inserts an IP. If the IP already exists and the new entry is explicit, it promotes the existing entry. Discovered duplicates are silently ignored.

func (*IPSet) AddDiscovered added in v0.8.0

func (s *IPSet) AddDiscovered(ip net.IP)

AddDiscovered is a convenience for Add(SourcedIP{IP: ip, Explicit: false}).

func (*IPSet) AddExplicit added in v0.8.0

func (s *IPSet) AddExplicit(ip net.IP)

AddExplicit is a convenience for Add(SourcedIP{IP: ip, Explicit: true}).

func (*IPSet) All added in v0.8.0

func (s *IPSet) All() []SourcedIP

All returns the entries in insertion order. The returned slice is a copy, so modifying it does not affect the set. Safe to call on a nil receiver.

func (*IPSet) Len added in v0.8.0

func (s *IPSet) Len() int

Len returns the number of unique IPs in the set. Safe to call on a nil receiver.

func (*IPSet) RawIPs added in v0.8.0

func (s *IPSet) RawIPs() []net.IP

RawIPs extracts just the net.IP values in insertion order. Safe to call on a nil receiver.

type SourcedIP added in v0.8.0

type SourcedIP struct {
	IP       net.IP
	Explicit bool // true = user-configured, false = auto-discovered
}

SourcedIP is an IP address tagged with how it was obtained. Explicit IPs (user-configured via AdditionalIPs or the server config) always pass through to the advertised list. Discovered IPs (auto-scanned from local interfaces) are subject to netcheck pruning, CGNAT filtering, etc.
