Documentation
Overview
Package certloader aims to provide a facility that eases dynamic tls.Config handling.
Index
- Variables
- func FutureWatchedServerConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *WatchedServerConfig, error)
- func FutureWatcher(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *Watcher, error)
- type ClientConfigBuilder
- type FileReloader
- func (r *FileReloader) HasCustomCA() bool
- func (r *FileReloader) HasKeypair() bool
- func (r *FileReloader) KeypairAndCACertPool() (*tls.Certificate, *x509.CertPool)
- func (r *FileReloader) Ready() bool
- func (r *FileReloader) Reload() (keypair *tls.Certificate, caCertPool *x509.CertPool, err error)
- func (r *FileReloader) ReloadCA() (*x509.CertPool, error)
- func (r *FileReloader) ReloadKeypair() (*tls.Certificate, error)
- type ServerConfigBuilder
- type WatchedClientConfig
- type WatchedServerConfig
- type Watcher
Constants
This section is empty.
Variables
var (
	// ErrMissingCertFile is returned when the certificate file is missing.
	ErrMissingCertFile = errors.New("certificate file path is required")
	// ErrMissingPrivkeyFile is returned when the private key file is missing.
	ErrMissingPrivkeyFile = errors.New("private key file path is required")
)
var (
	// ErrInvalidKeypair is returned when either the certificate or its
	// corresponding private key is missing.
	ErrInvalidKeypair = errors.New("certificate and private key are both required, but only one was provided")
)
Functions
func FutureWatchedServerConfig
func FutureWatchedServerConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *WatchedServerConfig, error)
FutureWatchedServerConfig returns a channel on which exactly one WatchedServerConfig will be sent once the given files are ready and loaded. This can be useful when the file paths are well known but the files themselves don't exist yet. Both certFile and privkeyFile must be provided. To configure an mTLS-capable ServerConfigBuilder, caFiles must contain at least one file path.
func FutureWatcher
func FutureWatcher(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *Watcher, error)
FutureWatcher returns a channel on which exactly one Watcher will be sent once the given files are ready and loaded. This can be useful when the file paths are well known but the files themselves don't exist yet. Note that the directories containing the files must already exist.
Types
type ClientConfigBuilder
type ClientConfigBuilder interface {
	IsMutualTLS() bool
	ClientConfig(base *tls.Config) *tls.Config
}
ClientConfigBuilder creates a tls.Config to be used as a TLS client.
type FileReloader
type FileReloader struct {
// contains filtered or unexported fields
}
FileReloader is a set of TLS configuration files including custom CAs, and a certificate along with its private key (keypair) that can be reloaded dynamically via the Reload* functions.
func NewFileReloader
func NewFileReloader(caFiles []string, certFile, privkeyFile string) (*FileReloader, error)
NewFileReloader creates and returns a FileReloader using the given files. The files are not loaded when this function returns, and the caller is expected to call the Reload* functions until the returned FileReloader becomes ready.
func NewFileReloaderReady
func NewFileReloaderReady(caFiles []string, certFile, privkeyFile string) (*FileReloader, error)
NewFileReloaderReady creates and returns a FileReloader using the given files. The files are already loaded when this function returns, so the returned FileReloader is readily usable.
func (*FileReloader) HasCustomCA
func (r *FileReloader) HasCustomCA() bool
HasCustomCA returns true when the FileReloader has custom CAs configured, false otherwise.
func (*FileReloader) HasKeypair
func (r *FileReloader) HasKeypair() bool
HasKeypair returns true when the FileReloader contains both a certificate and its private key, false otherwise.
func (*FileReloader) KeypairAndCACertPool
func (r *FileReloader) KeypairAndCACertPool() (*tls.Certificate, *x509.CertPool)
KeypairAndCACertPool returns both the configured keypair and CAs. This function should only be called once the FileReloader is ready, see Ready().
func (*FileReloader) Ready
func (r *FileReloader) Ready() bool
Ready returns true when the FileReloader is ready to be used, false otherwise.
func (*FileReloader) Reload
func (r *FileReloader) Reload() (keypair *tls.Certificate, caCertPool *x509.CertPool, err error)
Reload updates the caCertPool by reading the caFiles, and the keypair by reading certFile and privkeyFile.
func (*FileReloader) ReloadCA
func (r *FileReloader) ReloadCA() (*x509.CertPool, error)
ReloadCA updates the caCertPool by reading the caFiles.
func (*FileReloader) ReloadKeypair
func (r *FileReloader) ReloadKeypair() (*tls.Certificate, error)
ReloadKeypair updates the keypair by reading certFile and privkeyFile.
type ServerConfigBuilder
type ServerConfigBuilder interface {
	IsMutualTLS() bool
	ServerConfig(base *tls.Config) *tls.Config
}
ServerConfigBuilder creates a tls.Config to be used as a TLS server.
type WatchedClientConfig
type WatchedClientConfig struct {
	*Watcher
	// contains filtered or unexported fields
}
WatchedClientConfig is a ClientConfigBuilder backed by files that are watched for changes.
func NewWatchedClientConfig
func NewWatchedClientConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*WatchedClientConfig, error)
NewWatchedClientConfig returns a WatchedClientConfig configured with the provided files. When caFiles is nil or empty, the system CA CertPool is used. To configure an mTLS-capable ClientConfigBuilder, both certFile and privkeyFile must be provided.
func (*WatchedClientConfig) ClientConfig
func (c *WatchedClientConfig) ClientConfig(base *tls.Config) *tls.Config
ClientConfig implements ClientConfigBuilder.
func (*WatchedClientConfig) IsMutualTLS
func (c *WatchedClientConfig) IsMutualTLS() bool
IsMutualTLS implements ClientConfigBuilder.
type WatchedServerConfig
type WatchedServerConfig struct {
	*Watcher
	// contains filtered or unexported fields
}
WatchedServerConfig is a ServerConfigBuilder backed by files that are watched for changes. The tls.Config it creates uses the latest CA and keypair on each TLS handshake, allowing for smooth TLS configuration rotation.
func NewWatchedServerConfig
func NewWatchedServerConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*WatchedServerConfig, error)
NewWatchedServerConfig returns a WatchedServerConfig configured with the provided files. Both certFile and privkeyFile must be provided. To configure an mTLS-capable ServerConfigBuilder, caFiles must contain at least one file path.
func (*WatchedServerConfig) IsMutualTLS
func (c *WatchedServerConfig) IsMutualTLS() bool
IsMutualTLS implements ServerConfigBuilder.
func (*WatchedServerConfig) ServerConfig
func (c *WatchedServerConfig) ServerConfig(base *tls.Config) *tls.Config
ServerConfig implements ServerConfigBuilder.
type Watcher
type Watcher struct {
	*FileReloader
	// contains filtered or unexported fields
}
Watcher is a set of TLS configuration files including CA files, and a certificate along with its private key. The files are watched for changes and reloaded automatically.
func NewWatcher
func NewWatcher(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*Watcher, error)
NewWatcher returns a Watcher that watches over the given file paths. The given files are expected to already exist when this function is called. On success, the returned Watcher is ready to use.