tls

package
v0.1.0 Latest Latest
Published: Oct 2, 2018 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package tls defines the installer's TLS assets — the root CA; the kube, etcd, aggregator and service-serving CAs; the leaf key/cert pairs for the API servers, API server proxy, kubelet, ingress, machine-config server, etcd client and admin user; and the service-account key pair — and generates each asset from its declared dependencies (see the Stock interface for the full list).

Index

Constants

const (
	// KeyIndex is the index into a CertKey asset's contents at which the
	// (private) key can be found. The entry at this index is secret
	// material; the entry at CertIndex is public.
	KeyIndex = iota

	// CertIndex is the index into a CertKey asset's contents at which the
	// certificate can be found.
	CertIndex
)
const (
	// Asset file names. Every *KeyName constant (and
	// ServiceAccountPrivateKeyName) names a file holding a private key and
	// must be handled as secret material; the matching *CertName constant
	// (and ServiceAccountPublicKeyName) names the public half.

	// RootCAKeyName is the filename of the RootCAKey.
	RootCAKeyName = "root-ca.key"
	// RootCACertName is the filename of the RootCACert.
	RootCACertName = "root-ca.crt"
	// KubeCAKeyName is the filename of the KubeCAKey.
	KubeCAKeyName = "kube-ca.key"
	// KubeCACertName is the filename of the KubeCACert.
	KubeCACertName = "kube-ca.crt"
	// EtcdCAKeyName is the filename of the EtcdCAKey. Note the on-disk name
	// is "etcd-client-ca", while Stock.EtcdCA describes the asset as the
	// "etcd-ca" pair.
	EtcdCAKeyName = "etcd-client-ca.key"
	// EtcdCACertName is the filename of the EtcdCACert.
	EtcdCACertName = "etcd-client-ca.crt"
	// AggregatorCAKeyName is the filename of the AggregatorCAKey.
	AggregatorCAKeyName = "aggregator-ca.key"
	// AggregatorCACertName is the filename of the AggregatorCACert.
	AggregatorCACertName = "aggregator-ca.crt"
	// ServiceServingCAKeyName is the filename of the ServiceServingCAKey.
	ServiceServingCAKeyName = "service-serving-ca.key"
	// ServiceServingCACertName is the filename of the ServiceServingCACert.
	ServiceServingCACertName = "service-serving-ca.crt"
	// EtcdClientKeyName is the filename of the EtcdClientKey.
	EtcdClientKeyName = "etcd-client.key"
	// EtcdClientCertName is the filename of the EtcdClientCert.
	EtcdClientCertName = "etcd-client.crt"
	// AdminKeyName is the filename of the AdminKey.
	AdminKeyName = "admin.key"
	// AdminCertName is the filename of the AdminCert.
	AdminCertName = "admin.crt"
	// IngressKeyName is the filename of the IngressKey.
	IngressKeyName = "ingress.key"
	// IngressCertName is the filename of the IngressCert.
	IngressCertName = "ingress.crt"
	// APIServerKeyName is the filename of the APIServerKey.
	APIServerKeyName = "apiserver.key"
	// APIServerCertName is the filename of the APIServerCert.
	APIServerCertName = "apiserver.crt"
	// OpenshiftAPIServerKeyName is the filename of the OpenshiftAPIServerKey.
	OpenshiftAPIServerKeyName = "openshift-apiserver.key"
	// OpenshiftAPIServerCertName is the filename of the OpenshiftAPIServerCert.
	OpenshiftAPIServerCertName = "openshift-apiserver.crt"
	// APIServerProxyKeyName is the filename of the APIServerProxyKey.
	APIServerProxyKeyName = "apiserver-proxy.key"
	// APIServerProxyCertName is the filename of the APIServerProxyCert.
	APIServerProxyCertName = "apiserver-proxy.crt"
	// KubeletKeyName is the filename of the KubeletKey.
	KubeletKeyName = "kubelet.key"
	// KubeletCertName is the filename of the KubeletCert.
	KubeletCertName = "kubelet.crt"
	// MCSKeyName is the filename of the MCSKey (machine-config server).
	MCSKeyName = "machine-config-server.key"
	// MCSCertName is the filename of the MCSCert (machine-config server).
	MCSCertName = "machine-config-server.crt"
	// ClusterAPIServerCAKeyName is the filename of the ClusterAPIServerCAKey.
	// The "-ca" suffix suggests a CA, but the Stock interface only exposes
	// ClusterAPIServerCertKey for this pair — confirm whether it is issued
	// with IsCA set.
	ClusterAPIServerCAKeyName = "cluster-apiserver-ca.key"
	// ClusterAPIServerCACertName is the filename of the ClusterAPIServerCACert.
	ClusterAPIServerCACertName = "cluster-apiserver-ca.crt"
	// ServiceAccountPrivateKeyName is the filename of the ServiceAccountPrivateKey.
	ServiceAccountPrivateKeyName = "service-account.key"
	// ServiceAccountPublicKeyName is the filename of the ServiceAccountPublicKey.
	ServiceAccountPublicKeyName = "service-account.pub"
)
const (
	// ValidityTenYears sets the validity of a cert to 10 years, counted as
	// 10 × 365 days (leap days are not accounted for). No rotation helper
	// is exported by this package, so an asset issued with this validity
	// stays valid until it is regenerated.
	ValidityTenYears = 10 * 365 * 24 * time.Hour

	// ValidityThirtyMinutes sets the validity of a cert to 30 minutes.
	// This is for the kubelet bootstrap, whose credential is meant to be
	// short-lived.
	ValidityThirtyMinutes = 30 * time.Minute
)

Variables

This section is empty.

Functions

func CSRToPem

func CSRToPem(cert *x509.CertificateRequest) string

CSRToPem converts an x509.CertificateRequest to a pem string

func CertToPem

func CertToPem(cert *x509.Certificate) string

CertToPem converts an x509.Certificate object to a pem string

func GenerateCert

func GenerateCert(caKey *rsa.PrivateKey,
	caCert *x509.Certificate,
	cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateCert creates a private key, a CSR and a certificate signed by caKey/caCert according to cfg. This is useful for the apiserver and openshift-apiserver certificates, which the kubeconfig verifies against the root CA.

func GenerateRootCA

func GenerateRootCA(key *rsa.PrivateKey, cfg *CertCfg) (*x509.Certificate, error)

GenerateRootCA creates and returns the self-signed root CA certificate for key, configured by cfg.

func GenerateRootCertKey

func GenerateRootCertKey(cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateRootCertKey generates a root key/cert pair.

func GenerateSignedCert

func GenerateSignedCert(cfg *CertCfg,
	csr *x509.CertificateRequest,
	key *rsa.PrivateKey,
	caKey *rsa.PrivateKey,
	caCert *x509.Certificate) (*x509.Certificate, error)

GenerateSignedCert generates a certificate for csr and key, signed by caKey/caCert and configured by cfg.

func PemToCertificate

func PemToCertificate(data []byte) (*x509.Certificate, error)

PemToCertificate converts a data block to x509.Certificate.

func PemToPrivateKey

func PemToPrivateKey(data []byte) (*rsa.PrivateKey, error)

PemToPrivateKey parses a PEM-encoded data block into an rsa.PrivateKey. Only RSA keys are supported, as the return type shows.

func PrivateKey

func PrivateKey() (*rsa.PrivateKey, error)

PrivateKey generates a new RSA private key and returns it. The key size is fixed inside the function and not visible here; confirm it is at least 2048 bits before relying on keys from this package.

func PrivateKeyToPem

func PrivateKeyToPem(key *rsa.PrivateKey) string

PrivateKeyToPem converts an rsa.PrivateKey object to pem string

func PublicKeyToPem

func PublicKeyToPem(key *rsa.PublicKey) (string, error)

PublicKeyToPem converts an rsa.PublicKey object to pem string

func SelfSignedCACert

func SelfSignedCACert(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error)

SelfSignedCACert creates a self-signed CA certificate for key, configured by cfg.

func SignedCertificate

func SignedCertificate(
	cfg *CertCfg,
	csr *x509.CertificateRequest,
	key *rsa.PrivateKey,
	caCert *x509.Certificate,
	caKey *rsa.PrivateKey,
) (*x509.Certificate, error)

SignedCertificate creates a new X.509 certificate for csr and key from a template (presumably built from cfg), signed by caCert/caKey. Note that the CA arguments are ordered (caCert, caKey) here but (caKey, caCert) in GenerateSignedCert; the types differ, so a swap fails to compile, but read call sites carefully.

Types

type CertCfg

type CertCfg struct {
	// DNSNames and IPAddresses are the names the certificate is issued for
	// (presumably its subject alternative names — the template construction
	// is not visible here).
	DNSNames     []string
	ExtKeyUsages []x509.ExtKeyUsage
	IPAddresses  []net.IP
	KeyUsages    x509.KeyUsage
	Subject      pkix.Name
	// Validity is how long the issued certificate remains valid; see
	// ValidityTenYears and ValidityThirtyMinutes.
	Validity     time.Duration
	// IsCA marks the certificate as a CA. Expected to set the basic-
	// constraints CA flag — confirm in SelfSignedCACert/SignedCertificate.
	IsCA         bool
}

CertCfg contains all needed fields to configure a new certificate

type CertKey

type CertKey struct {

	// Common fields.
	Subject      pkix.Name
	KeyUsages    x509.KeyUsage
	ExtKeyUsages []x509.ExtKeyUsage
	// Validity is the lifetime of the generated certificate, e.g.
	// ValidityTenYears, or ValidityThirtyMinutes for the kubelet bootstrap.
	Validity     time.Duration
	// KeyFileName and CertFileName are the asset file names, e.g.
	// APIServerKeyName / APIServerCertName. The key file is secret material.
	KeyFileName  string
	CertFileName string
	// ParentCA is the asset whose key/cert sign this pair; Dependencies
	// reports it as a dependency.
	ParentCA     asset.Asset

	IsCA         bool
	AppendParent bool // Whether to append the parent CA certificate to the generated cert.

	// Some certs might need to set Subject, DNSNames and IPAddresses.
	// These hooks derive them from the install config; when used, the
	// install config is reported as a dependency too (see Dependencies).
	GenDNSNames    func(*types.InstallConfig) ([]string, error)
	GenIPAddresses func(*types.InstallConfig) ([]net.IP, error)
	GenSubject     func(*types.InstallConfig) (pkix.Name, error)
	// contains filtered or unexported fields
}

CertKey contains the private key and the cert that's signed by the parent CA.

func (*CertKey) Dependencies

func (c *CertKey) Dependencies() []asset.Asset

Dependencies returns the dependencies of the cert/key pair: the parent CA, plus the install config when DNS names, IP addresses or the subject are derived from it.

func (*CertKey) Generate

func (c *CertKey) Generate(parents map[asset.Asset]*asset.State) (*asset.State, error)

Generate generates the cert/key pair based on its dependencies.

func (*CertKey) Name

func (c *CertKey) Name() string

Name returns the human-friendly name of the asset.

type KeyPair

type KeyPair struct {
	// PrivKeyFileName and PubKeyFileName are the asset file names for the
	// private and public key (presumably ServiceAccountPrivateKeyName /
	// ServiceAccountPublicKeyName for the service-account pair). The private
	// key file is secret material.
	PrivKeyFileName string
	PubKeyFileName  string
}

KeyPair implements the Asset interface and generates an RSA public/private key pair.

func (*KeyPair) Dependencies

func (k *KeyPair) Dependencies() []asset.Asset

Dependencies returns the dependency of an rsa private / public key pair.

func (*KeyPair) Generate

func (k *KeyPair) Generate(map[asset.Asset]*asset.State) (*asset.State, error)

Generate generates the rsa private / public key pair.

func (*KeyPair) Name

func (k *KeyPair) Name() string

Name returns the human-friendly name of the asset.

type RootCA

// RootCA takes no configuration; it has no dependencies (see Dependencies)
// and its output is presumably written under RootCAKeyName/RootCACertName.
type RootCA struct{}

RootCA contains the private key and the cert that's self-signed as the root CA.

func (*RootCA) Dependencies

func (c *RootCA) Dependencies() []asset.Asset

Dependencies returns the dependency of the root-ca, which is empty.

func (*RootCA) Generate

func (c *RootCA) Generate(parents map[asset.Asset]*asset.State) (*asset.State, error)

Generate generates the root-ca key and cert pair.

func (*RootCA) Name

func (c *RootCA) Name() string

Name returns the human-friendly name of the asset.

type Stock

type Stock interface {
	// Certificate authorities. RootCA is self-signed; which CA signs each of
	// the other CAs and leaf pairs is wired in EstablishStock and not
	// visible here.

	// RootCA is the asset that generates the root-ca key/cert pair.
	RootCA() asset.Asset
	// KubeCA is the asset that generates the kube-ca key/cert pair.
	KubeCA() asset.Asset
	// EtcdCA is the asset that generates the etcd-ca key/cert pair
	// (stored as etcd-client-ca.key/.crt, see EtcdCAKeyName).
	EtcdCA() asset.Asset
	// AggregatorCA is the asset that generates the aggregator-ca key/cert pair.
	AggregatorCA() asset.Asset
	// ServiceServingCA is the asset that generates the service-serving-ca key/cert pair.
	ServiceServingCA() asset.Asset

	// Leaf key/cert pairs (presumably CertKey assets with a ParentCA).

	// EtcdClientCertKey is the asset that generates the etcd client key/cert pair.
	EtcdClientCertKey() asset.Asset
	// AdminCertKey is the asset that generates the admin key/cert pair.
	AdminCertKey() asset.Asset
	// IngressCertKey is the asset that generates the ingress key/cert pair.
	IngressCertKey() asset.Asset
	// APIServerCertKey is the asset that generates the API server key/cert pair.
	APIServerCertKey() asset.Asset
	// OpenshiftAPIServerCertKey is the asset that generates the Openshift API server key/cert pair.
	OpenshiftAPIServerCertKey() asset.Asset
	// APIServerProxyCertKey is the asset that generates the API server proxy key/cert pair.
	APIServerProxyCertKey() asset.Asset
	// KubeletCertKey is the asset that generates the kubelet key/cert pair
	// (the bootstrap credential; see ValidityThirtyMinutes).
	KubeletCertKey() asset.Asset
	// MCSCertKey is the asset that generates the MCS (machine-config server) key/cert pair.
	MCSCertKey() asset.Asset
	// ClusterAPIServerCertKey is the asset that generates the cluster API server key/cert pair.
	// Its file names (ClusterAPIServerCAKeyName/ClusterAPIServerCACertName)
	// carry a "-ca" suffix; confirm whether this pair is issued with IsCA set.
	ClusterAPIServerCertKey() asset.Asset

	// Non-certificate key material.

	// ServiceAccountKeyPair is the asset that generates the service-account public/private key pair.
	ServiceAccountKeyPair() asset.Asset
}

Stock is the stock of TLS assets that can be generated.

type StockImpl

type StockImpl struct {
	// The asset instances behind the Stock accessors live in unexported
	// fields, which EstablishStock presumably populates; call it before
	// using any accessor.
	// contains filtered or unexported fields
}

StockImpl implements the Stock interface for tls assets.

func (*StockImpl) APIServerCertKey

func (s *StockImpl) APIServerCertKey() asset.Asset

APIServerCertKey is the asset that generates the API server key/cert pair.

func (*StockImpl) APIServerProxyCertKey

func (s *StockImpl) APIServerProxyCertKey() asset.Asset

APIServerProxyCertKey is the asset that generates the API server proxy key/cert pair.

func (*StockImpl) AdminCertKey

func (s *StockImpl) AdminCertKey() asset.Asset

AdminCertKey is the asset that generates the admin key/cert pair.

func (*StockImpl) AggregatorCA

func (s *StockImpl) AggregatorCA() asset.Asset

AggregatorCA is the asset that generates the aggregator-ca key/cert pair.

func (*StockImpl) ClusterAPIServerCertKey

func (s *StockImpl) ClusterAPIServerCertKey() asset.Asset

ClusterAPIServerCertKey is the asset that generates the cluster API server key/cert pair.

func (*StockImpl) EstablishStock

func (s *StockImpl) EstablishStock(stock installconfig.Stock)

EstablishStock initializes the stock of TLS assets from the given install-config stock, which the assets that need DNS names, IP addresses or subjects depend on.

func (*StockImpl) EtcdCA

func (s *StockImpl) EtcdCA() asset.Asset

EtcdCA is the asset that generates the etcd-ca key/cert pair.

func (*StockImpl) EtcdClientCertKey

func (s *StockImpl) EtcdClientCertKey() asset.Asset

EtcdClientCertKey is the asset that generates the etcd client key/cert pair.

func (*StockImpl) IngressCertKey

func (s *StockImpl) IngressCertKey() asset.Asset

IngressCertKey is the asset that generates the ingress key/cert pair.

func (*StockImpl) KubeCA

func (s *StockImpl) KubeCA() asset.Asset

KubeCA is the asset that generates the kube-ca key/cert pair.

func (*StockImpl) KubeletCertKey

func (s *StockImpl) KubeletCertKey() asset.Asset

KubeletCertKey is the asset that generates the kubelet key/cert pair.

func (*StockImpl) MCSCertKey

func (s *StockImpl) MCSCertKey() asset.Asset

MCSCertKey is the asset that generates the MCS key/cert pair.

func (*StockImpl) OpenshiftAPIServerCertKey

func (s *StockImpl) OpenshiftAPIServerCertKey() asset.Asset

OpenshiftAPIServerCertKey is the asset that generates the Openshift API server key/cert pair.

func (*StockImpl) RootCA

func (s *StockImpl) RootCA() asset.Asset

RootCA is the asset that generates the root-ca key/cert pair.

func (*StockImpl) ServiceAccountKeyPair

func (s *StockImpl) ServiceAccountKeyPair() asset.Asset

ServiceAccountKeyPair is the asset that generates the service-account public/private key pair.

func (*StockImpl) ServiceServingCA

func (s *StockImpl) ServiceServingCA() asset.Asset

ServiceServingCA is the asset that generates the service-serving-ca key/cert pair.
