Documentation ¶
Overview ¶
Package certs handle the PKI infrastructure of the operator
Index ¶
- Constants
- func RenewLeafCertificate(caSecret *v1.Secret, secret *v1.Secret) (bool, error)
- type CertType
- type KeyPair
- func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
- func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
- func (pair KeyPair) GenerateCASecret(namespace, name string) *v1.Secret
- func (pair KeyPair) GenerateCertificateSecret(namespace, name string) *v1.Secret
- func (pair *KeyPair) IsExpiring() (bool, *time.Time, error)
- func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
- func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
- func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
- func (pair *KeyPair) RenewCertificate(caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate) error
- type PublicKeyInfrastructure
Constants ¶
const ( // CACertKey is the key for certificates in a CA secret CACertKey = "ca.crt" // CAPrivateKeyKey is the key for the private key field in a CA secret CAPrivateKeyKey = "ca.key" // TLSCertKey is the key for certificates in a CA secret TLSCertKey = "tls.crt" // TLSPrivateKeyKey is the key for the private key field in a CA secret TLSPrivateKeyKey = "tls.key" )
const ( // CertTypeClient means a certificate for a client CertTypeClient = "client" // CertTypeServer means a certificate for a server CertTypeServer = "server" )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type KeyPair ¶
type KeyPair struct { // The private key PEM block Private []byte // The certificate PEM block Certificate []byte }
KeyPair represent a pair of keys to be used for asymmetric encryption and a certificate declaring the intended usage of those keys
func CreateRootCA ¶
CreateRootCA generates a CA returning its keys
func ParseCASecret ¶
ParseCASecret parse a CA secret to a key pair
func ParseServerSecret ¶
ParseServerSecret parse a secret for a server to a key pair
func (KeyPair) CreateAndSignPair ¶
func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
CreateAndSignPair given a CA keypair, generate and sign a leaf keypair
func (*KeyPair) CreateDerivedCA ¶
func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
CreateDerivedCA create a new CA derived from the certificate in the keypair
func (KeyPair) GenerateCASecret ¶
GenerateCASecret create a k8s CA secret from a key pair
func (KeyPair) GenerateCertificateSecret ¶
GenerateCertificateSecret creates a k8s server secret from a key pair
func (*KeyPair) IsExpiring ¶
IsExpiring check if the certificate will expire in the configured duration
func (KeyPair) IsValid ¶
func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
IsValid checks if given CA and verify options match the server
func (KeyPair) ParseCertificate ¶
func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
ParseCertificate parse certificate stored in the pair
func (KeyPair) ParseECPrivateKey ¶
func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
ParseECPrivateKey parse the ECDSA private key stored in the pair
func (*KeyPair) RenewCertificate ¶
func (pair *KeyPair) RenewCertificate(caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate) error
RenewCertificate create a new certificate for the embedded private key, replacing the existing one. The certificate will be signed with the passed private key and will have as parent the specified parent certificate. If the parent certificate is nil the certificate will be self-signed
type PublicKeyInfrastructure ¶
type PublicKeyInfrastructure struct { // Where to store the certificates CertDir string // The name of the secret where the CA certificate will be stored CaSecretName string // The name of the secret where the certificates will be stored SecretName string // The name of the service where the webhook server will be reachable ServiceName string // The name of the namespace where the operator is set up OperatorNamespace string // The name of the mutating webhook configuration in k8s, used to // inject the caBundle MutatingWebhookConfigurationName string // The name of the validating webhook configuration in k8s, used // to inject the caBundle ValidatingWebhookConfigurationName string // The name of every CRD that has a reference to a conversion webhook // on which we need to inject our public key CustomResourceDefinitionsName []string // The labelSelector to be used to get the operators deployment, // e.g. "app.kubernetes.io/name=cloudnative-pg" OperatorDeploymentLabelSelector string }
PublicKeyInfrastructure represent the PKI under which the operator and the WebHook server will work
func (*PublicKeyInfrastructure) Setup ¶
func (pki *PublicKeyInfrastructure) Setup( ctx context.Context, clientSet *kubernetes.Clientset, apiClientSet *apiextensionsclientset.Clientset, ) error
Setup ensures that we have the required PKI infrastructure to make the operator and the clusters working