Index ¶
- Constants
- Variables
- func PublicKeyFromPEM(pemData string) (crypto.PublicKey, error)
- func VerifySignature(publicKey ed25519.PublicKey, message []byte, signatureBase64 string) bool
- type AuthClient
- type BeginAuthRequest
- type BeginAuthResponse
- type CompleteAuthRequest
- type CompleteAuthResponse
- type Config
- type KeyPair
- type NetcheckPort
- type NetcheckRequest
- type NetcheckResponse
- type NetcheckResult
- type PolicyFetcher
- func (pf *PolicyFetcher) Fetch(ctx context.Context) error
- func (pf *PolicyFetcher) GetPolicy() *rbac.Policy
- func (pf *PolicyFetcher) RefreshIfNeeded(ctx context.Context)
- func (pf *PolicyFetcher) SetEvaluator(evaluator *rbac.Evaluator)
- func (pf *PolicyFetcher) Start(ctx context.Context) error
- func (pf *PolicyFetcher) Stop()
- type PolicyFetcherOption
- type PolicyFetcherOptions
- type RPCAuthenticator
- func (a *RPCAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*rpc.Identity, error)
- func (a *RPCAuthenticator) Authorize(ctx context.Context, identity *rpc.Identity, resource, action string) error
- func (a *RPCAuthenticator) GetEvaluator() *rbac.Evaluator
- func (a *RPCAuthenticator) GetPolicyFetcher() *PolicyFetcher
- func (a *RPCAuthenticator) Stop()
- type ResourceUsage
- type StatusReport
Constants ¶
// DefaultCloudURL is the default URL for miren.cloud. It is an HTTPS
// endpoint; any override supplied via Config.CloudURL or NewPolicyFetcher
// should keep the https scheme so tokens are never sent in the clear.
const DefaultCloudURL = "https://api.miren.cloud"
DefaultCloudURL is the default URL for miren.cloud
// DefaultRefreshInterval is the default interval for refreshing policies;
// override it per fetcher with WithRefreshInterval.
const DefaultRefreshInterval = 60 * time.Second
DefaultRefreshInterval is the default interval for refreshing policies
Variables ¶
// ErrPrivateAddress is returned when the cloud rejects the request because the
// cluster's IP is private, loopback or link-local. Compare with errors.Is so a
// wrapped error still matches.
var ErrPrivateAddress = errors.New("client IP is not a public address")
ErrPrivateAddress is returned when the cloud rejects the request because the cluster's IP is private/loopback/link-local.
Functions ¶
func PublicKeyFromPEM ¶
PublicKeyFromPEM parses a public key from PEM format
Types ¶
type AuthClient ¶
// AuthClient handles service account authentication with miren.cloud.
// Authenticate runs the public-key authentication flow and returns a JWT;
// GetToken serves the cached token, refreshing when necessary, and
// InvalidateToken drops the cache.
type AuthClient struct {
	// contains filtered or unexported fields
}
AuthClient handles service account authentication with miren.cloud
func NewAuthClient ¶
func NewAuthClient(serverURL string, keyPair *KeyPair) (*AuthClient, error)
NewAuthClient creates a new authentication client
func (*AuthClient) Authenticate ¶
func (a *AuthClient) Authenticate(ctx context.Context) (string, error)
Authenticate performs the public key authentication flow and returns a JWT
func (*AuthClient) GetToken ¶
func (a *AuthClient) GetToken(ctx context.Context) (string, error)
GetToken returns a valid JWT, refreshing if necessary
func (*AuthClient) InvalidateToken ¶
func (a *AuthClient) InvalidateToken()
InvalidateToken clears the cached token
func (*AuthClient) ReportClusterStatus ¶
func (a *AuthClient) ReportClusterStatus(ctx context.Context, status *StatusReport) error
ReportClusterStatus sends a status report for the specified cluster
type BeginAuthRequest ¶
// BeginAuthRequest is the request to begin authentication.
type BeginAuthRequest struct {
	// Fingerprint identifies the cluster's public key; KeyPair.Fingerprint
	// produces the "SHA256:base64encoded" form the server expects.
	Fingerprint string `json:"fingerprint"`
}
BeginAuthRequest is the request to begin authentication
type BeginAuthResponse ¶
// BeginAuthResponse is the response from begin authentication.
type BeginAuthResponse struct {
	// Envelope is carried back to the server in CompleteAuthRequest.Envelope;
	// presumably opaque to the client — TODO confirm.
	Envelope string `json:"envelope"`
	// Challenge is the server-issued value the client is expected to sign
	// with its private key — NOTE(review): confirm against AuthClient.Authenticate.
	Challenge string `json:"challenge"`
}
BeginAuthResponse is the response from begin authentication
type CompleteAuthRequest ¶
// CompleteAuthRequest is the request to complete authentication.
type CompleteAuthRequest struct {
	// Envelope is the value received in BeginAuthResponse.Envelope.
	Envelope string `json:"envelope"`
	// Signature is the client's signature over the challenge; by analogy with
	// VerifySignature it is presumably base64-encoded — confirm against the caller.
	Signature string `json:"signature"`
}
CompleteAuthRequest is the request to complete authentication
type CompleteAuthResponse ¶
// CompleteAuthResponse is the response from complete authentication.
type CompleteAuthResponse struct {
	// ServiceAccount identifies the authenticated service account.
	ServiceAccount struct {
		ID string `json:"id"`
		Name string `json:"name"`
	} `json:"service_account"`
	// Token is the JWT that AuthClient.Authenticate returns; it is a bearer
	// credential and must not be logged.
	Token string `json:"token"`
	// A zero ExpiresIn means the server did not report an expiry, not that the
	// token is already expired.
	ExpiresIn int `json:"expires_in,omitempty"` // Optional: seconds until expiry
}
CompleteAuthResponse is the response from complete authentication
type Config ¶
// Config for RPCAuthenticator.
type Config struct {
	// CloudURL is the miren.cloud base URL (see DefaultCloudURL).
	CloudURL string
	// AuthClient supplies the cloud credentials; presumably handed to the
	// PolicyFetcher (see NewPolicyFetcher) — confirm in NewRPCAuthenticator.
	AuthClient *AuthClient
	Logger *slog.Logger
	Tags map[string]any // Tags for this runtime/cluster
}
Config for RPCAuthenticator
type KeyPair ¶
// KeyPair represents an ED25519 key pair for cluster authentication.
type KeyPair struct {
	// PrivateKey is secret material: PrivateKeyPEM emits it unencrypted, so it
	// must never be logged or included in a StatusReport.
	PrivateKey ed25519.PrivateKey
	// PublicKey is what the server identifies the cluster by; Fingerprint
	// derives the "SHA256:..." identifier from it.
	PublicKey ed25519.PublicKey
}
KeyPair represents an ED25519 key pair for cluster authentication
func GenerateKeyPair ¶
GenerateKeyPair generates a new ED25519 key pair
func LoadKeyPairFromPEM ¶
LoadKeyPairFromPEM loads a key pair from PEM encoded strings
func (*KeyPair) Fingerprint ¶
Fingerprint returns the SHA256 fingerprint of the public key in the format "SHA256:base64encoded", matching the server's representation.
func (*KeyPair) PrivateKeyPEM ¶
PrivateKeyPEM returns the private key in PEM format
func (*KeyPair) PublicKeyPEM ¶
PublicKeyPEM returns the public key in PEM format
type NetcheckPort ¶ added in v0.6.1
// NetcheckPort describes a port and protocol to check for reachability.
type NetcheckPort struct {
	Port int `json:"port"`
	Protocol string `json:"protocol"` // "http", "https", "http3"
}
NetcheckPort describes a port and protocol to check for reachability.
type NetcheckRequest ¶ added in v0.6.1
// NetcheckRequest is the request body for the netcheck endpoint.
type NetcheckRequest struct {
	// Ports lists the port/protocol pairs the cloud should probe.
	Ports []NetcheckPort `json:"ports"`
}
NetcheckRequest is the request body for the netcheck endpoint.
type NetcheckResponse ¶ added in v0.6.1
// NetcheckResponse is the response from the netcheck endpoint.
type NetcheckResponse struct {
	// SourceAddress is the address the cloud observed as the request's source
	// and probed (see Netcheck); behind NAT or a proxy it may not be the
	// cluster's own address.
	SourceAddress string `json:"source_address"`
	// Results holds one entry per requested port.
	Results []NetcheckResult `json:"results"`
	DurationMs int `json:"duration_ms"`
}
NetcheckResponse is the response from the netcheck endpoint.
func Netcheck ¶ added in v0.6.1
func Netcheck(ctx context.Context, cloudURL string, ports []NetcheckPort) (*NetcheckResponse, error)
Netcheck calls the cloud's netcheck endpoint to determine whether the cluster is publicly reachable on the given ports. The endpoint requires no authentication — it uses the request's source IP for probing.
type NetcheckResult ¶ added in v0.6.1
// NetcheckResult is the result of a single port check.
type NetcheckResult struct {
	Port int `json:"port"`
	Protocol string `json:"protocol"`
	// Reachable reports whether the probe succeeded; Error, when non-empty,
	// carries the cloud's description of a failed probe.
	Reachable bool `json:"reachable"`
	LatencyMs int `json:"latency_ms"`
	Error string `json:"error,omitempty"`
}
NetcheckResult is the result of a single port check.
type PolicyFetcher ¶
// PolicyFetcher fetches RBAC policies from miren.cloud. Construct it with
// NewPolicyFetcher; Start runs periodic refreshes and Stop ends them, while
// Fetch performs a one-off synchronous fetch.
type PolicyFetcher struct {
	// contains filtered or unexported fields
}
PolicyFetcher fetches RBAC policies from miren.cloud
func NewPolicyFetcher ¶
func NewPolicyFetcher(cloudURL string, authClient *AuthClient, opts ...PolicyFetcherOption) *PolicyFetcher
NewPolicyFetcher creates a new policy fetcher
func (*PolicyFetcher) Fetch ¶
func (pf *PolicyFetcher) Fetch(ctx context.Context) error
Fetch performs an immediate, synchronous fetch of the policy. This is useful for one-time operations such as debugging.
func (*PolicyFetcher) GetPolicy ¶
func (pf *PolicyFetcher) GetPolicy() *rbac.Policy
GetPolicy returns the current policy
func (*PolicyFetcher) RefreshIfNeeded ¶
func (pf *PolicyFetcher) RefreshIfNeeded(ctx context.Context)
RefreshIfNeeded performs an immediate refresh if more than 30 seconds have passed since the last refresh.
func (*PolicyFetcher) SetEvaluator ¶
func (pf *PolicyFetcher) SetEvaluator(evaluator *rbac.Evaluator)
SetEvaluator sets the RBAC evaluator so that its cache can be cleared when the policy is refreshed.
type PolicyFetcherOption ¶
// PolicyFetcherOption is a functional option for PolicyFetcher; see
// WithHTTPTimeout, WithLogger and WithRefreshInterval.
type PolicyFetcherOption func(*PolicyFetcherOptions)
PolicyFetcherOption is a functional option for PolicyFetcher
func WithHTTPTimeout ¶
func WithHTTPTimeout(timeout time.Duration) PolicyFetcherOption
WithHTTPTimeout sets the HTTP client timeout
func WithLogger ¶
func WithLogger(logger *slog.Logger) PolicyFetcherOption
WithLogger sets the logger
func WithRefreshInterval ¶
func WithRefreshInterval(interval time.Duration) PolicyFetcherOption
WithRefreshInterval sets the refresh interval for policy fetching
type PolicyFetcherOptions ¶
// PolicyFetcherOptions configures a PolicyFetcher. Callers normally set these
// through NewPolicyFetcher and the With* options rather than directly.
type PolicyFetcherOptions struct {
	CloudURL string
	AuthClient *AuthClient
	Logger *slog.Logger
	// RefreshInterval is the period between policy refreshes; the package
	// default is DefaultRefreshInterval.
	RefreshInterval time.Duration
	// HTTPTimeout bounds each policy request (set via WithHTTPTimeout) so a
	// stalled cloud connection cannot hang a refresh indefinitely.
	HTTPTimeout time.Duration
}
PolicyFetcherOptions configures a PolicyFetcher
type RPCAuthenticator ¶
// RPCAuthenticator adapts cloud authentication for RPC usage. Authenticate
// establishes identity (JWT first, then TLS client certificate) and Authorize
// applies RBAC to that identity; the two steps are deliberately separate.
type RPCAuthenticator struct {
	// contains filtered or unexported fields
}
RPCAuthenticator adapts cloud authentication for RPC usage
func NewRPCAuthenticator ¶
func NewRPCAuthenticator(ctx context.Context, config Config) (*RPCAuthenticator, error)
NewRPCAuthenticator creates a new RPC authenticator
func (*RPCAuthenticator) Authenticate ¶ added in v0.3.1
func (a *RPCAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*rpc.Identity, error)
Authenticate implements rpc.Authenticator. It tries JWT authentication first, then falls back to TLS client certificate. Authorization (RBAC) is handled separately via the Authorize method.
func (*RPCAuthenticator) Authorize ¶ added in v0.3.1
func (a *RPCAuthenticator) Authorize(ctx context.Context, identity *rpc.Identity, resource, action string) error
Authorize implements rpc.Authorizer. It performs RBAC evaluation to determine if the identity can perform the action.
func (*RPCAuthenticator) GetEvaluator ¶
func (a *RPCAuthenticator) GetEvaluator() *rbac.Evaluator
GetEvaluator returns the RBAC evaluator
func (*RPCAuthenticator) GetPolicyFetcher ¶
func (a *RPCAuthenticator) GetPolicyFetcher() *PolicyFetcher
GetPolicyFetcher returns the policy fetcher
type ResourceUsage ¶
// ResourceUsage represents resource utilization metrics.
//
// Every field carries omitempty, so a genuine zero reading (e.g. 0% CPU) is
// omitted from the JSON and is indistinguishable on the wire from "not
// reported".
type ResourceUsage struct {
	CPUCores float64 `json:"cpu_cores,omitempty"`
	CPUPercent float64 `json:"cpu_percent,omitempty"`
	MemoryBytes int64 `json:"memory_bytes,omitempty"`
	MemoryPercent float64 `json:"memory_percent,omitempty"`
	StorageBytes int64 `json:"storage_bytes,omitempty"`
	StoragePercent float64 `json:"storage_percent,omitempty"`
}
ResourceUsage represents resource utilization metrics
type StatusReport ¶
// StatusReport represents the cluster status to report via
// AuthClient.ReportClusterStatus.
type StatusReport struct {
	ClusterID string `json:"cluster_id"`
	Version string `json:"version,omitempty"`
	State string `json:"state"` // required: active, degraded, inactive, unknown
	NodeCount int `json:"node_count,omitempty"`
	WorkloadCount int `json:"workload_count,omitempty"`
	// NOTE: encoding/json never omits a struct value, so omitempty has no
	// effect here and resource_usage is always emitted (with its own zero
	// fields dropped).
	ResourceUsage ResourceUsage `json:"resource_usage,omitempty"`
	HealthChecks map[string]string `json:"health_checks,omitempty"`
	RBACRulesVersion string `json:"rbac_rules_version,omitempty"`
	// LastRBACSync is a pointer so that an unset value is really omitted.
	LastRBACSync *time.Time `json:"last_rbac_sync,omitempty"`
	// APIAddresses and CACertFingerprint describe how the cloud can reach and
	// verify this cluster's API; only public, non-secret material belongs here.
	APIAddresses []string `json:"api_addresses,omitempty"`
	CACertFingerprint string `json:"ca_cert_fingerprint,omitempty"`
}
StatusReport represents the cluster status to report