Index ¶
- Constants
- func CertificateToPem(certificateDER []byte) []byte
- func GenerateCACert(certValidityDuration time.Duration) (*KeyPair, *PemPair, error)
- func GenerateInClusterServiceName(props CertificateProps) string
- func GenerateRootCASecretName(props CertificateProps) string
- func GenerateTLSPairSecretName(props CertificateProps) string
- func IsVarmorManagerInRollingUpdate(deploy *appsv1.Deployment) bool
- func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte
- func ReadRootCASecret(secretInterface corev1.SecretInterface, secretName string) (result []byte, err error)
- type CertRenewer
- func (c *CertRenewer) InitTLSPemPair() (*PemPair, error)
- func (c *CertRenewer) RollingUpdateVarmorManager() error
- func (c *CertRenewer) ValidCert(certProps CertificateProps) (bool, error)
- func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair, secretName string) error
- func (c *CertRenewer) WriteTLSPairToSecret(pemPair *PemPair, secretName string) error
- type CertificateProps
- type KeyPair
- type PemPair
Constants ¶
const (
	// SelfSignedAnnotation is the annotation string used to flag self-signed
	// certificate material. NOTE(review): which object carries it (the Secret,
	// the webhook configuration) is not visible in this package's API — confirm.
	SelfSignedAnnotation string = "self-signed-cert"
	// RootCAKey is the data key under which the root CA certificate is stored;
	// presumably the key ReadRootCASecret looks up in the root CA Secret — confirm.
	RootCAKey string = "rootCA.crt"
)
// ErrorsNotFound is the message used when no root CA certificate can be found;
// presumably produced by ReadRootCASecret — confirm. It is a plain string
// constant rather than an error value, so callers cannot match it with
// errors.Is and must compare message text instead.
const ErrorsNotFound = "root CA certificate not found"
Variables ¶
This section is empty.
Functions ¶
func GenerateCACert ¶
GenerateCACert creates the self-signed CA certificate and private key. The CA is used to sign the webhook server certificate.
func GenerateInClusterServiceName ¶
func GenerateInClusterServiceName(props CertificateProps) string
GenerateInClusterServiceName returns the in-cluster service name; the generated name should be used as the common name of the TLS certificate.
func GenerateRootCASecretName ¶
func GenerateRootCASecretName(props CertificateProps) string
func GenerateTLSPairSecretName ¶
func GenerateTLSPairSecretName(props CertificateProps) string
func IsVarmorManagerInRollingUpdate ¶
func IsVarmorManagerInRollingUpdate(deploy *appsv1.Deployment) bool
func PrivateKeyToPem ¶
func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte
PrivateKeyToPem creates a PEM block from the private key object.
func ReadRootCASecret ¶
func ReadRootCASecret(secretInterface corev1.SecretInterface, secretName string) (result []byte, err error)
ReadRootCASecret returns the RootCA from the pre-defined secret.
Types ¶
type CertRenewer ¶
// CertRenewer creates the root CA and the PEM pair used to register the webhook
// configurations and the webhook server, and renews the root CA at the given
// interval. Its dependencies (client config, Secret and Deployment interfaces,
// renewal interval, validity duration, manager IP, logger) are supplied through
// NewCertRenewer.
type CertRenewer struct {
	// contains filtered or unexported fields
}
CertRenewer creates the root CA and the PEM pair used to register the webhook configurations and the webhook server; it renews the root CA at the given interval.
func NewCertRenewer ¶
func NewCertRenewer( clientConfig *rest.Config, secretInterface corev1.SecretInterface, deploymentInterface appsv1.DeploymentInterface, certRenewalInterval, certValidityDuration time.Duration, managerIP string, inContainer bool, log logr.Logger) *CertRenewer
NewCertRenewer returns an instance of CertRenewer.
func (*CertRenewer) InitTLSPemPair ¶
func (c *CertRenewer) InitTLSPemPair() (*PemPair, error)
InitTLSPemPair loads or creates the PEM private key and TLS certificate for the webhook server. A newly created pair is stored in a cluster Secret. It returns a struct holding the key/certificate pair.
func (*CertRenewer) RollingUpdateVarmorManager ¶
func (c *CertRenewer) RollingUpdateVarmorManager() error
RollingUpdateVarmorManager triggers a rolling update of the varmor-manager pod. It is used when the root CA is renewed: restarting the varmor-manager pod re-registers the webhook server with the new certificate.
func (*CertRenewer) ValidCert ¶
func (c *CertRenewer) ValidCert(certProps CertificateProps) (bool, error)
ValidCert validates the CA Cert.
func (*CertRenewer) WriteCACertToSecret ¶
func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair, secretName string) error
WriteCACertToSecret stores the CA cert in secret.
func (*CertRenewer) WriteTLSPairToSecret ¶
func (c *CertRenewer) WriteTLSPairToSecret(pemPair *PemPair, secretName string) error
WriteTLSPairToSecret writes the pair of TLS certificate and key to the specified secret.
type CertificateProps ¶
// CertificateProps describes the TLS certificate that should be issued for the
// webhook server.
type CertificateProps struct {
	// Service is the service the certificate is issued for; its in-cluster
	// name is the certificate's common name (see GenerateInClusterServiceName).
	Service string
	// Namespace is the namespace of that service.
	Namespace string
	// APIServerHost is the API server host. NOTE(review): how it is used when
	// issuing the certificate is not visible here — confirm.
	APIServerHost string
	// ServerIP is the server's IP address; presumably included in the
	// certificate as an IP subject alternative name — confirm.
	ServerIP string
}
CertificateProps holds the properties of the TLS certificate that should be issued for the webhook server.
func GetTLSCertProps ¶
func GetTLSCertProps(configuration *rest.Config) (certProps CertificateProps, err error)
GetTLSCertProps returns the TLS certificate properties for the given client configuration.
type PemPair ¶
PemPair holds a TLS certificate and its corresponding private key, both in PEM format.
func GenerateCertPem ¶
func GenerateCertPem(caCert *KeyPair, props CertificateProps, certValidityDuration time.Duration, managerIP string, inContainer bool) (*PemPair, error)
GenerateCertPem takes the result of GenerateCACert and uses it to create the PEM-encoded public certificate and private key.
func ReadTLSPair ¶
func ReadTLSPair(secretInterface corev1.SecretInterface, secretName string) (*PemPair, error)
ReadTLSPair returns the pem pair from the pre-defined secret.