In order to prevent arbitrary clients from using the provisioner to retrieve WireGuard keys and Kubernetes bootstrap tokens, access to those resources *must* be restricted to the EC2 machines created by the Kubernetes Cloud Autoscaler. The key to the authentication process will be SNS notifications from AWS indicating when new EC2 instances are created; everything the provisioner does will be associated with an instance it discovered through an SNS notification. SNS messages are signed using PKCS#1 v1.5 RSA-SHA1, with the public key distributed in an X.509 certificate. To ensure that received messages are indeed from AWS, the provisioner will need to verify those signatures. Messages with missing or invalid signatures will be considered unsafe and ignored. The `model::sns` module includes the data structures that represent SNS messages. The `sns::sig` module includes the primitive operations for implementing signature verification.

Repository contents:

- `src`
- `.editorconfig`
- `.gitattributes`
- `.gitignore`
- `Cargo.lock`
- `Cargo.toml`
- `rustfmt.toml`
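As an added example (not code from this page or from the provisioner project, and written in Python rather than the project's Rust so that it runs with only the standard library), the following shows the verification flow the paragraph above describes: build the SNS string-to-sign, check that the signing certificate URL points at an SNS endpoint, and verify the PKCS#1 v1.5 signature so that a message with a missing or invalid signature is rejected. It assumes the RSA public key `(n, e)` has already been extracted from the X.509 certificate (certificate parsing is out of scope here), signs a constructed sample message with a constructed throw-away key purely so the file can run offline, and goes slightly beyond the page by also accepting `SignatureVersion` 2 (SHA-256) alongside the SHA-1 case the page names.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1),
# keyed by SNS SignatureVersion: "1" is SHA-1 (as described above), "2" is SHA-256.
DIGEST_INFO = {
    "1": (bytes.fromhex("3021300906052b0e03021a05000414"), hashlib.sha1),
    "2": (bytes.fromhex("3031300d060960864801650304020105000420"), hashlib.sha256),
}

# Fields that make up the SNS string-to-sign, in this exact order, per message Type.
SIGNED_FIELDS = {
    "Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
    "SubscriptionConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"),
    "UnsubscribeConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"),
}

# Only an HTTPS URL on an SNS endpoint may supply the signing certificate; otherwise a
# message could point the verifier at a key that is not AWS's.
CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def signing_cert_url_ok(url: str) -> bool:
    u = urlparse(url)
    return (u.scheme == "https" and u.hostname is not None
            and CERT_HOST.match(u.hostname) is not None and u.path.endswith(".pem"))


def string_to_sign(msg: dict) -> bytes:
    """Concatenate 'Name\\nValue\\n' for each signed field; Subject is optional."""
    parts = []
    for name in SIGNED_FIELDS[msg["Type"]]:
        if name == "Subject" and name not in msg:
            continue
        parts.append(f"{name}\n{msg[name]}\n")
    return "".join(parts).encode("utf-8")


def pkcs1_v15_encode(digest_info: bytes, digest: bytes, k: int) -> bytes:
    t = digest_info + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_pkcs1_v15_verify(n: int, e: int, version: str, data: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    prefix, hasher = DIGEST_INFO[version]
    # Rebuild the whole expected encoding and compare it in constant time instead of
    # parsing the decrypted block, so lenient-padding bugs cannot creep in.
    expected = pkcs1_v15_encode(prefix, hasher(data).digest(), k)
    return hmac.compare_digest(em, expected)


def verify_sns_message(msg: dict, n: int, e: int) -> bool:
    """True only for a well-formed message whose signature verifies; anything else is unsafe."""
    try:
        version = msg["SignatureVersion"]
        if version not in DIGEST_INFO or not signing_cert_url_ok(msg["SigningCertURL"]):
            return False
        signature = base64.b64decode(msg["Signature"], validate=True)
        return rsa_pkcs1_v15_verify(n, e, version, string_to_sign(msg), signature)
    except (KeyError, ValueError):  # missing field, bad base64, short modulus, unknown Type
        return False


# CONSTRUCTED throw-away key: two Mersenne primes, chosen only so this file runs offline.
# A real verifier takes (n, e) from the certificate at SigningCertURL and never holds d.
DEMO_P = 2**127 - 1
DEMO_Q = 2**521 - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))


def demo_sign(msg: dict, d: int = DEMO_D, n: int = DEMO_N) -> str:
    """Stand-in for AWS's signing step (demo only), returning the base64 Signature field."""
    k = (n.bit_length() + 7) // 8
    prefix, hasher = DIGEST_INFO[msg["SignatureVersion"]]
    em = pkcs1_v15_encode(prefix, hasher(string_to_sign(msg)).digest(), k)
    return base64.b64encode(pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")).decode("ascii")


# CONSTRUCTED sample notification; the values are placeholders, not real AWS identifiers.
DEMO_MESSAGE = {
    "Type": "Notification",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:autoscaling-events",
    "Message": "{\"EC2InstanceId\":\"i-0123456789abcdef0\"}",
    "Timestamp": "2024-01-01T00:00:00.000Z",
    "SignatureVersion": "1",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-EXAMPLE.pem",
}
DEMO_MESSAGE["Signature"] = demo_sign(DEMO_MESSAGE)

if __name__ == "__main__":
    print("genuine:", verify_sns_message(DEMO_MESSAGE, DEMO_N, DEMO_E))
    print("tampered:", verify_sns_message(dict(DEMO_MESSAGE, Message="changed"), DEMO_N, DEMO_E))
```

The verifier deliberately returns a plain `False` for every failure mode (absent `Signature`, undecodable base64, wrong `SignatureVersion`, unknown `Type`, non-SNS certificate URL, or a signature that does not verify) rather than distinguishing them, which matches the policy of treating any message without a valid signature as unsafe and ignoring it. In the Rust provisioner the same split would sit between `model::sns` (the message fields) and `sns::sig` (the hashing and RSA primitives).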