Overview ¶
Package certs handles the PKI infrastructure of the operator.
Index ¶
- Constants
- func DumpSecretToDir(secret *v1.Secret, certDir string, basename string) error
- func EnsureRootCACertificate(ctx context.Context, client kubernetes.Interface, ...) (*v1.Secret, error)
- func RenewLeafCertificate(caSecret *v1.Secret, secret *v1.Secret) (bool, error)
- type CertType
- type KeyPair
- func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
- func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
- func (pair KeyPair) GenerateCASecret(namespace, name string) *v1.Secret
- func (pair KeyPair) GenerateCertificateSecret(namespace, name string) *v1.Secret
- func (pair *KeyPair) IsExpiring() (bool, *time.Time, error)
- func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
- func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
- func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
- func (pair *KeyPair) RenewCertificate(caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate) error
- type PublicKeyInfrastructure
- func (pki PublicKeyInfrastructure) Cleanup(ctx context.Context, client *kubernetes.Clientset) error
- func (pki PublicKeyInfrastructure) EnsureCertificate(ctx context.Context, client kubernetes.Interface, caSecret *v1.Secret) (*v1.Secret, error)
- func (pki PublicKeyInfrastructure) InjectPublicKeyIntoCRD(ctx context.Context, apiClient apiextensionsclientset.Interface, name string, ...) error
- func (pki PublicKeyInfrastructure) InjectPublicKeyIntoMutatingWebhook(ctx context.Context, client kubernetes.Interface, tlsSecret *v1.Secret) error
- func (pki PublicKeyInfrastructure) InjectPublicKeyIntoValidatingWebhook(ctx context.Context, client kubernetes.Interface, tlsSecret *v1.Secret) error
- func (pki PublicKeyInfrastructure) SchedulePeriodicMaintenance(ctx context.Context, client kubernetes.Interface, ...) error
- func (pki PublicKeyInfrastructure) Setup(ctx context.Context, client kubernetes.Interface, ...) error
Constants ¶
const (
	// CACertKey is the key for the certificate field in a CA secret
	CACertKey = "ca.crt"
	// CAPrivateKeyKey is the key for the private key field in a CA secret
	CAPrivateKeyKey = "ca.key"
	// TLSCertKey is the key for the certificate field in a server (TLS)
	// secret, as produced by GenerateCertificateSecret
	TLSCertKey = "tls.crt"
	// TLSPrivateKeyKey is the key for the private key field in a server (TLS)
	// secret, as produced by GenerateCertificateSecret
	TLSPrivateKeyKey = "tls.key"
)
const (
	// CertTypeClient means a certificate for a client; used, e.g., as the
	// usage argument of CreateAndSignPair
	CertTypeClient = "client"
	// CertTypeServer means a certificate for a server; used, e.g., as the
	// usage argument of CreateAndSignPair
	CertTypeServer = "server"
)
Variables ¶
This section is empty.
Functions ¶
func DumpSecretToDir ¶
DumpSecretToDir dumps the contents of a secret into a directory, creating one file for every key/value pair in the given Secret.
The files written to the directory are named according to the basename; for example, given a secret with the following data:
data:
  test.crt: <test.crt.contents>
  test.key: <test.key.contents>
The following files will be written:
<certdir>/<basename>.crt
<certdir>/<basename>.key
func EnsureRootCACertificate ¶
func EnsureRootCACertificate( ctx context.Context, client kubernetes.Interface, namespace, name, operatorLabelSelector string, ) (*v1.Secret, error)
EnsureRootCACertificate ensures that a root CA certificate exists in the cluster.
Types ¶
type KeyPair ¶
type KeyPair struct {
	// The private key PEM block (an ECDSA key; see ParseECPrivateKey)
	Private []byte
	// The certificate PEM block (see ParseCertificate)
	Certificate []byte
}
KeyPair represents a pair of keys to be used for asymmetric cryptography, together with a certificate declaring the intended usage of those keys.
func CreateRootCA ¶
CreateRootCA generates a root CA and returns its key pair.
func ParseCASecret ¶
ParseCASecret parses a CA secret into a key pair.
func ParseServerSecret ¶
ParseServerSecret parses a server secret into a key pair.
func (KeyPair) CreateAndSignPair ¶
func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
CreateAndSignPair, given a CA key pair, generates and signs a leaf key pair for the given host, usage and alternative DNS names.
func (*KeyPair) CreateDerivedCA ¶
func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
CreateDerivedCA creates a new CA derived from the certificate in the key pair.
func (KeyPair) GenerateCASecret ¶
GenerateCASecret creates a k8s CA secret from a key pair.
func (KeyPair) GenerateCertificateSecret ¶
GenerateCertificateSecret creates a k8s server secret from a key pair
func (*KeyPair) IsExpiring ¶
IsExpiring checks whether the certificate will expire within the configured duration.
func (KeyPair) IsValid ¶
func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
IsValid checks whether the pair's certificate is valid for the given CA and verify options.
func (KeyPair) ParseCertificate ¶
func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
ParseCertificate parses the certificate stored in the pair.
func (KeyPair) ParseECPrivateKey ¶
func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
ParseECPrivateKey parses the ECDSA private key stored in the pair.
func (*KeyPair) RenewCertificate ¶
func (pair *KeyPair) RenewCertificate(caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate) error
RenewCertificate creates a new certificate for the embedded private key, replacing the existing one. The certificate will be signed with the passed private key and will have the specified parent certificate as its parent. If the parent certificate is nil, the certificate will be self-signed.
type PublicKeyInfrastructure ¶
type PublicKeyInfrastructure struct {
	// Where to store the certificates
	CertDir string
	// The name of the secret where the CA certificate will be stored
	CaSecretName string
	// The name of the secret where the certificates will be stored
	SecretName string
	// The name of the service where the webhook server will be reachable
	ServiceName string
	// The name of the namespace where the operator is set up
	OperatorNamespace string
	// The name of the mutating webhook configuration in k8s, used to
	// inject the caBundle
	MutatingWebhookConfigurationName string
	// The name of the validating webhook configuration in k8s, used
	// to inject the caBundle
	ValidatingWebhookConfigurationName string
	// The name of every CRD that has a reference to a conversion webhook
	// into which we need to inject our public key
	CustomResourceDefinitionsName []string
	// The label selector to be used to get the operator's deployment,
	// e.g. "app.kubernetes.io/name=cloudnative-pg"
	OperatorDeploymentLabelSelector string
}
PublicKeyInfrastructure represents the PKI under which the operator and the webhook server will work.
func (PublicKeyInfrastructure) Cleanup ¶
func (pki PublicKeyInfrastructure) Cleanup(ctx context.Context, client *kubernetes.Clientset) error
Cleanup will remove the PKI infrastructure from the operator namespace
func (PublicKeyInfrastructure) EnsureCertificate ¶
func (pki PublicKeyInfrastructure) EnsureCertificate( ctx context.Context, client kubernetes.Interface, caSecret *v1.Secret, ) (*v1.Secret, error)
EnsureCertificate will ensure that a webhook certificate exists and is usable
func (PublicKeyInfrastructure) InjectPublicKeyIntoCRD ¶
func (pki PublicKeyInfrastructure) InjectPublicKeyIntoCRD( ctx context.Context, apiClient apiextensionsclientset.Interface, name string, tlsSecret *v1.Secret, ) error
InjectPublicKeyIntoCRD injects the TLS public key into the caBundle of the conversion webhook of the given CRD.
func (PublicKeyInfrastructure) InjectPublicKeyIntoMutatingWebhook ¶
func (pki PublicKeyInfrastructure) InjectPublicKeyIntoMutatingWebhook( ctx context.Context, client kubernetes.Interface, tlsSecret *v1.Secret, ) error
InjectPublicKeyIntoMutatingWebhook injects the TLS public key into the caBundle of the given mutating webhook configuration.
func (PublicKeyInfrastructure) InjectPublicKeyIntoValidatingWebhook ¶
func (pki PublicKeyInfrastructure) InjectPublicKeyIntoValidatingWebhook( ctx context.Context, client kubernetes.Interface, tlsSecret *v1.Secret, ) error
InjectPublicKeyIntoValidatingWebhook injects the TLS public key into the caBundle of the given validating webhook configuration.
func (PublicKeyInfrastructure) SchedulePeriodicMaintenance ¶
func (pki PublicKeyInfrastructure) SchedulePeriodicMaintenance( ctx context.Context, client kubernetes.Interface, apiClient apiextensionsclientset.Interface, ) error
SchedulePeriodicMaintenance schedules a periodic background certificate maintenance that automatically renews TLS certificates.
func (PublicKeyInfrastructure) Setup ¶
func (pki PublicKeyInfrastructure) Setup( ctx context.Context, client kubernetes.Interface, apiClient apiextensionsclientset.Interface, ) error
Setup will set up the PKI infrastructure needed for the operator to work correctly, and copy the certificates required by the webhook server into the right folder.