credential

package
v0.15.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 2, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const CacheFileExtension = "enc"
View Source 
const FingerprintFileExtension = "fingerprint"

Variables

This section is empty.

Functions

func EncryptionConfig 

func EncryptionConfig() (string, error)

func RandomTokenString 

func RandomTokenString() (string, error)

Types

type CompactAssets 

type CompactAssets struct {
	// PEM -> encrypted -> gzip -> base64 encoded TLS assets.
	CACert                    string
	CAKey                     string
	WorkerCACert              string
	WorkerCAKey               string
	APIServerCert             string
	APIServerKey              string
	APIServerAggregatorCert   string
	APIServerAggregatorKey    string
	KubeControllerManagerCert string
	KubeControllerManagerKey  string
	KubeSchedulerCert         string
	KubeSchedulerKey          string
	WorkerCert                string
	WorkerKey                 string
	AdminCert                 string
	AdminKey                  string
	EtcdCert                  string
	EtcdClientCert            string
	EtcdClientKey             string
	EtcdKey                   string
	EtcdTrustedCA             string
	ServiceAccountKey         string

	// Encrypted -> gzip -> base64 encoded assets.
	AuthTokens        string
	TLSBootstrapToken string

	// Encrypted -> base64 encoded EncryptionConfig.
	EncryptionConfig string
}

func ReadOrCreateCompactAssets 

func ReadOrCreateCompactAssets(assetsDir string, manageCertificates bool, caKeyRequiredOnController bool, kmsConfig KMSConfig) (*CompactAssets, error)

func ReadOrCreateUnencryptedCompactAssets 

func ReadOrCreateUnencryptedCompactAssets(assetsDir string, manageCertificates bool, caKeyRequiredOnController bool) (*CompactAssets, error)

func (*CompactAssets) HasAuthTokens 

func (a *CompactAssets) HasAuthTokens() bool

func (*CompactAssets) HasTLSBootstrapToken 

func (a *CompactAssets) HasTLSBootstrapToken() bool

type EncryptedAssetsOnDisk 

type EncryptedAssetsOnDisk struct {
	// Encrypted PEM encoded TLS assets.
	CACert                    EncryptedFile
	CAKey                     EncryptedFile
	WorkerCACert              EncryptedFile
	WorkerCAKey               EncryptedFile
	APIServerCert             EncryptedFile
	APIServerKey              EncryptedFile
	APIServerAggregatorCert   EncryptedFile
	APIServerAggregatorKey    EncryptedFile
	KubeControllerManagerCert EncryptedFile
	KubeControllerManagerKey  EncryptedFile
	KubeSchedulerCert         EncryptedFile
	KubeSchedulerKey          EncryptedFile
	WorkerCert                EncryptedFile
	WorkerKey                 EncryptedFile
	AdminCert                 EncryptedFile
	AdminKey                  EncryptedFile
	EtcdCert                  EncryptedFile
	EtcdClientCert            EncryptedFile
	EtcdKey                   EncryptedFile
	EtcdClientKey             EncryptedFile
	EtcdTrustedCA             EncryptedFile
	ServiceAccountKey         EncryptedFile

	// Other encrypted assets.
	AuthTokens        EncryptedFile
	TLSBootstrapToken EncryptedFile
	EncryptionConfig  EncryptedFile
}

func ReadOrCreateEncryptedAssets 

func ReadOrCreateEncryptedAssets(tlsAssetsDir string, manageCertificates bool, caKeyRequiredOnController bool, kmsConfig KMSConfig) (*EncryptedAssetsOnDisk, error)

func ReadOrEncryptAssets 

func ReadOrEncryptAssets(dirname string, manageCertificates bool, caKeyRequiredOnController bool, store Store) (*EncryptedAssetsOnDisk, error)

func (*EncryptedAssetsOnDisk) Compact 

func (r *EncryptedAssetsOnDisk) Compact() (*CompactAssets, error)

func (*EncryptedAssetsOnDisk) WriteToDir 

func (r *EncryptedAssetsOnDisk) WriteToDir(dirname string) error

type EncryptedFile 

type EncryptedFile struct {
	// contains filtered or unexported fields
}

The fact KMS encryption produces different ciphertexts for the same plaintext had been causing unnecessary node replacements(https://github.com/kubernetes-incubator/kube-aws/issues/107) Persist encrypted assets for caching purpose so that we can avoid that.

func CreateEncryptedFile 

func CreateEncryptedFile(path string, bytes []byte, svc Encryptor) (*EncryptedFile, error)

func EncryptedCredentialCacheFromPath 

func EncryptedCredentialCacheFromPath(filePath string, doLoadFingerprint bool) (*EncryptedFile, error)

func EncryptedCredentialCacheFromRawCredential 

func EncryptedCredentialCacheFromRawCredential(raw *PlaintextFile, encSvc Encryptor) (*EncryptedFile, error)

func (*EncryptedFile) Bytes 

func (c *EncryptedFile) Bytes() []byte

func (*EncryptedFile) Fingerprint 

func (c *EncryptedFile) Fingerprint() string

func (*EncryptedFile) Persist 

func (c *EncryptedFile) Persist() error

func (*EncryptedFile) SetBytes 

func (c *EncryptedFile) SetBytes(bytes []byte)

func (*EncryptedFile) String 

func (c *EncryptedFile) String() string

type Encryptor 

type Encryptor interface {
	EncryptedBytes(raw []byte) ([]byte, error)
}

type Generator 

type Generator struct {
	TLSCADurationDays                int
	TLSCertDurationDays              int
	TLSBootstrapEnabled              bool
	ManageCertificates               bool
	Region                           string
	APIServerExternalDNSNames        []string
	APIServerAdditionalDNSSans       []string
	APIServerAdditionalIPAddressSans []string
	EtcdNodeDNSNames                 []string
	ServiceCIDR                      string
}

func (Generator) GenerateAssetsOnDisk 

func (c Generator) GenerateAssetsOnDisk(dir string, o GeneratorOptions) (*RawAssetsOnDisk, error)

func (Generator) GenerateAssetsOnMemory 

func (c Generator) GenerateAssetsOnMemory(caKey *rsa.PrivateKey, caCert *x509.Certificate, generatorOptions GeneratorOptions) (*RawAssetsOnMemory, error)

type GeneratorOptions 

type GeneratorOptions struct {
	AwsDebug   bool
	GenerateCA bool
	CaCertPath string
	CommonName string
	// Paths for private certificate keys.
	AdminKeyPath                 string
	ApiServerAggregatorKeyPath   string
	ApiServerKeyPath             string
	CaKeyPath                    string
	EtcdClientKeyPath            string
	EtcdKeyPath                  string
	KubeControllerManagerKeyPath string
	KubeSchedulerKeyPath         string
	ServiceAccountKeyPath        string
	WorkerKeyPath                string
}

type KMSConfig 

type KMSConfig struct {
	KMSSvc    KMSEncryptionService
	KMSKeyARN string
}

func NewKMSConfig 

func NewKMSConfig(kmsKeyARN string, encSvc KMSEncryptionService, session *session.Session) KMSConfig

func (KMSConfig) Encryptor 

func (c KMSConfig) Encryptor() Encryptor

func (KMSConfig) Store 

func (c KMSConfig) Store() Store

type KMSEncryptionService 

type KMSEncryptionService interface {
	Encrypt(*kms.EncryptInput) (*kms.EncryptOutput, error)
}

type KMSEncryptor 

type KMSEncryptor struct {
	KmsKeyARN string
	KmsSvc    KMSEncryptionService
}

func (KMSEncryptor) EncryptedBytes 

func (s KMSEncryptor) EncryptedBytes(data []byte) ([]byte, error)

type PlaintextFile 

type PlaintextFile struct {
	// contains filtered or unexported fields
}

func RawCredentialFileFromPath 

func RawCredentialFileFromPath(filePath string, defaultValue *string) (*PlaintextFile, error)

func (*PlaintextFile) Bytes 

func (c *PlaintextFile) Bytes() []byte

func (*PlaintextFile) Fingerprint 

func (c *PlaintextFile) Fingerprint() string

func (*PlaintextFile) Persist 

func (c *PlaintextFile) Persist() error

func (*PlaintextFile) String 

func (c *PlaintextFile) String() string

type ProtectedPKI 

type ProtectedPKI struct {
	Encryptor
	*pki.PKI
}

func NewProtectedPKI 

func NewProtectedPKI(enc Encryptor) *ProtectedPKI

func (*ProtectedPKI) CreateKeyaPair 

func (ppki *ProtectedPKI) CreateKeyaPair(spec api.KeyPairSpec) error

func (*ProtectedPKI) EnsureKeyPairsCreated 

func (ppki *ProtectedPKI) EnsureKeyPairsCreated(specs []api.KeyPairSpec) error

type RawAssetsOnDisk 

type RawAssetsOnDisk struct {
	// PEM encoded TLS assets.
	CACert                    PlaintextFile
	CAKey                     PlaintextFile
	WorkerCACert              PlaintextFile
	WorkerCAKey               PlaintextFile
	APIServerCert             PlaintextFile
	APIServerKey              PlaintextFile
	APIServerAggregatorCert   PlaintextFile
	APIServerAggregatorKey    PlaintextFile
	KubeControllerManagerCert PlaintextFile
	KubeControllerManagerKey  PlaintextFile
	KubeSchedulerCert         PlaintextFile
	KubeSchedulerKey          PlaintextFile
	WorkerCert                PlaintextFile
	WorkerKey                 PlaintextFile
	AdminCert                 PlaintextFile
	AdminKey                  PlaintextFile
	EtcdCert                  PlaintextFile
	EtcdClientCert            PlaintextFile
	EtcdKey                   PlaintextFile
	EtcdClientKey             PlaintextFile
	EtcdTrustedCA             PlaintextFile
	ServiceAccountKey         PlaintextFile

	// Other assets.
	AuthTokens        PlaintextFile
	TLSBootstrapToken PlaintextFile
	EncryptionConfig  PlaintextFile
}

func ReadRawAssets 

func ReadRawAssets(dirname string, manageCertificates bool, caKeyRequiredOnController bool) (*RawAssetsOnDisk, error)

func (*RawAssetsOnDisk) Compact 

func (r *RawAssetsOnDisk) Compact() (*CompactAssets, error)

type RawAssetsOnMemory 

type RawAssetsOnMemory struct {
	// PEM encoded TLS assets.
	CACert                    []byte
	CAKey                     []byte
	WorkerCACert              []byte
	WorkerCAKey               []byte
	APIServerCert             []byte
	APIServerKey              []byte
	APIServerAggregatorCert   []byte
	APIServerAggregatorKey    []byte
	KubeControllerManagerCert []byte
	KubeControllerManagerKey  []byte
	KubeSchedulerCert         []byte
	KubeSchedulerKey          []byte
	WorkerCert                []byte
	WorkerKey                 []byte
	AdminCert                 []byte
	AdminKey                  []byte
	EtcdCert                  []byte
	EtcdClientCert            []byte
	EtcdKey                   []byte
	EtcdClientKey             []byte
	EtcdTrustedCA             []byte
	ServiceAccountKey         []byte

	// Other assets.
	AuthTokens        []byte
	TLSBootstrapToken []byte
	EncryptionConfig  []byte
}

func (*RawAssetsOnMemory) WriteToDir 

func (r *RawAssetsOnMemory) WriteToDir(dirname string, includeCAKey bool) error

type Store 

type Store struct {
	Encryptor Encryptor
}

func (Store) EncryptedCredentialFromPath 

func (e Store) EncryptedCredentialFromPath(filePath string, defaultValue *string) (*EncryptedFile, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.