runner

package
v0.10.0
Warning

This package is not in the latest version of its module.

Published: Jun 10, 2026 | License: Apache-2.0 | Imports: 23 | Imported by: 0

Documentation

Constants

const (
	DefaultInviteExpiryHours = 1
	MaxInviteExpiryHours     = 168 // 7 days

)

Variables

This section is empty.

Functions

This section is empty.

Types

type RegistrationServer

type RegistrationServer struct {
	RegistrationServerConfig
}

func (*RegistrationServer) CreateInvite

func (*RegistrationServer) IssueWorkloadToken added in v0.10.0

IssueWorkloadToken mints a workload identity token for a sandbox on behalf of a distributed runner, which does not hold the cluster signing key. The caller is an mTLS-authenticated runner.

func (*RegistrationServer) Join

func (*RegistrationServer) ListInvites

func (*RegistrationServer) ListRunners

func (*RegistrationServer) RefreshCertificate added in v0.10.0

RefreshCertificate re-issues the calling runner's server certificate with SANs derived from its current listen address. A runner needs this when its listen IP changes but its persisted certificate (e.g. on a disk that outlives the VM) still carries the old IP. The method is public at the RPC layer but authorizes the caller here: the presented client certificate must chain to the cluster CA and be a runner certificate, and the re-issued certificate keeps that certificate's CommonName so a runner can only refresh its own identity.

func (*RegistrationServer) RemoveRunner added in v0.7.0

func (*RegistrationServer) RevokeInvite

func (*RegistrationServer) WorkloadIssuerInfo added in v0.10.0

WorkloadIssuerInfo reports whether the coordinator has a workload identity issuer configured and, if so, its issuer URL. Distributed runners call this once at startup to decide whether to mint workload identity tokens via the coordinator.

type RegistrationServerConfig added in v0.7.0

type RegistrationServerConfig struct {
	Log             *slog.Logger
	Authority       *caauth.Authority
	EAC             *entityserver_v1alpha.EntityAccessClient
	CoordinatorAddr string
	EtcdEndpoints   []string
	EtcdPrefix      string
	NetworkBackend  string

	// Observability endpoints provided to runners at join time
	VictoriametricsAddress string
	VictorialogsAddress    string

	// WorkloadIssuer mints workload identity tokens. Distributed runners, which
	// do not hold the cluster signing key, request tokens from the coordinator
	// through this server. May be nil when no issuer is configured.
	WorkloadIssuer *workloadidentity.Issuer
}
