certs

package
v0.0.0-...-35c3564 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 23, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckCertificatePeriodValidity 

func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate)

CheckCertificatePeriodValidity takes a certificate and prints a warning if its period is not valid related to the current time. It does so only if the certificate was not validated already by keeping track with a cache.

func CreateCACertAndKeyFiles 

func CreateCACertAndKeyFiles(client kubernetes.Interface, certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error

CreateCACertAndKeyFiles generates and writes out a given certificate authority. The certSpec should be one of the variables from this package.

func CreateCSR 

func CreateCSR(client kubernetes.Interface, certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error

CreateCSR creates a certificate signing request

func CreateCertAndKeyFilesWithCA 

func CreateCertAndKeyFilesWithCA(client kubernetes.Interface, certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error

CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. The certSpec and caCertSpec should both be one of the variables from this package.

func CreateDefaultKeysAndCSRFiles 

func CreateDefaultKeysAndCSRFiles(out io.Writer, client kubernetes.Interface, config *kubeadmapi.InitConfiguration) error

CreateDefaultKeysAndCSRFiles is used in ExternalCA mode to create key files and adjacent CSR files.

func CreatePKIAssets 

func CreatePKIAssets(client kubernetes.Interface, cfg *kubeadmapi.InitConfiguration) error

CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. If the PKI assets already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.

func CreateServiceAccountKeyAndPublicKeyFiles 

func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error

CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. If the sa public/private key files already exist in the target folder, they are used only if evaluated equals; otherwise an error is returned.

func LoadCertificateAuthority 

func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error)

LoadCertificateAuthority tries to load a CA in the given directory with the given name.

func NewCSR 

func NewCSR(client kubernetes.Interface, certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, crypto.Signer, error)

NewCSR will generate a new CSR and accompanying key

func SharedCertificateExists 

func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

SharedCertificateExists verifies if the shared certificates exist and are still valid - the certificates must be equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub, front-proxy-ca.key, front-proxy-ca.crt and etcd/ca.key, etcd/ca.crt if local/stacked etcd Missing private keys of CA are non-fatal and produce warnings.

func UsingExternalCA 

func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case when the CA Cert is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.

func UsingExternalEtcdCA 

func UsingExternalEtcdCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

UsingExternalEtcdCA determines whether the user is relying on an external etcd CA. We currently implicitly determine this is the case when the etcd CA Cert is present but the etcd CA Key is not. In case we are using an external etcd CA, the function validates the certificates signed by etcd CA that should be provided by the user.

func UsingExternalFrontProxyCA 

func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

UsingExternalFrontProxyCA determines whether the user is relying on an external front-proxy CA. We currently implicitly determine this is the case when the front proxy CA Cert is present but the front proxy CA Key is not. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.

Types

type CertificateMap 

type CertificateMap map[string]*KubeadmCert

CertificateMap is a flat map of certificates, keyed by Name.

func (CertificateMap) CertTree 

func (m CertificateMap) CertTree() (CertificateTree, error)

CertTree returns a one-level-deep tree, mapping a CA cert to an array of certificates that should be signed by it.

type CertificateTree 

type CertificateTree map[*KubeadmCert]Certificates

CertificateTree is represents a one-level-deep tree, mapping a CA to the certs that depend on it.

func (CertificateTree) CreateTree 

func (t CertificateTree) CreateTree(client kubernetes.Interface, ic *kubeadmapi.InitConfiguration) error

CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.

type Certificates 

type Certificates []*KubeadmCert

Certificates is a list of Certificates that Kubeadm should create.

func GetCertsWithoutEtcd 

func GetCertsWithoutEtcd() Certificates

GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.

func GetDefaultCertList 

func GetDefaultCertList() Certificates

GetDefaultCertList returns all of the certificates kubeadm requires to function.

func (Certificates) AsMap 

func (c Certificates) AsMap() CertificateMap

AsMap returns the list of certificates as a map, keyed by name.

type KubeadmCert 

type KubeadmCert struct {
	Name     string
	LongName string
	BaseName string
	CAName   string
	// contains filtered or unexported fields
}

KubeadmCert represents a certificate that Kubeadm will create to function properly.

func KubeadmCertAPIServer 

func KubeadmCertAPIServer() *KubeadmCert

KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.

func KubeadmCertEtcdAPIClient 

func KubeadmCertEtcdAPIClient() *KubeadmCert

KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.

func KubeadmCertEtcdCA 

func KubeadmCertEtcdCA() *KubeadmCert

KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.

func KubeadmCertEtcdHealthcheck 

func KubeadmCertEtcdHealthcheck() *KubeadmCert

KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.

func KubeadmCertEtcdPeer 

func KubeadmCertEtcdPeer() *KubeadmCert

KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.

func KubeadmCertEtcdServer 

func KubeadmCertEtcdServer() *KubeadmCert

KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.

func KubeadmCertFrontProxyCA 

func KubeadmCertFrontProxyCA() *KubeadmCert

KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.

func KubeadmCertFrontProxyClient 

func KubeadmCertFrontProxyClient() *KubeadmCert

KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.

func KubeadmCertKubeletClient 

func KubeadmCertKubeletClient() *KubeadmCert

KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.

func KubeadmCertRootCA 

func KubeadmCertRootCA() *KubeadmCert

KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.

func (*KubeadmCert) CreateAsCA 

func (k *KubeadmCert) CreateAsCA(client kubernetes.Interface, ic *kubeadmapi.InitConfiguration) (*x509.Certificate, crypto.Signer, error)

CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.

func (*KubeadmCert) CreateFromCA 

func (k *KubeadmCert) CreateFromCA(client kubernetes.Interface, ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, caKey crypto.Signer) error

CreateFromCA makes and writes a certificate using the given CA cert and key.

func (*KubeadmCert) GetConfig 

func (k *KubeadmCert) GetConfig(client kubernetes.Interface, ic *kubeadmapi.InitConfiguration) (*pkiutil.CertConfig, error)

GetConfig returns the definition for the given cert given the provided InitConfiguration

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.