Documentation
Index
- Constants
- func ApplyCertificateSecretFilter(obj *unstructured.Unstructured) (go_hook.FilterResult, error)
- func ClusterDomainSAN(san string) string
- func PublicDomainSAN(s string) string
- func RegisterInternalTLSHook(conf GenSelfSignedTLSHookConf) bool
- func RegisterOrderCertificateHook(requests []OrderCertificateRequest) bool
- type CertificateInfo
- type CertificateSecret
- type GenSelfSignedTLSHookConf
- type OrderCertificateRequest
- type SANsGenerator
Constants
const (
SnapshotKey = "secret"
)
Variables
This section is empty.
Functions
func ApplyCertificateSecretFilter
func ApplyCertificateSecretFilter(obj *unstructured.Unstructured) (go_hook.FilterResult, error)
func ClusterDomainSAN
func ClusterDomainSAN(san string) string
ClusterDomainSAN creates a template that enriches the specified SAN with the cluster domain.
func PublicDomainSAN
func PublicDomainSAN(s string) string
PublicDomainSAN creates a template that enriches the specified SAN with the public domain.
func RegisterInternalTLSHook
func RegisterInternalTLSHook(conf GenSelfSignedTLSHookConf) bool
RegisterInternalTLSHook registers a hook which saves the TLS cert into values from a secret. If the secret does not exist, the hook generates a CA with a long expiry and a TLS cert for the passed domains signed with that CA. The CA cert, the TLS cert and the private key MUST be saved in a secret with helm; otherwise every d8 restart will generate a new TLS cert. The TLS cert also has a long expiry, the same as the CA: 87600h == 10 years. These TLS certs are often used for in-cluster HTTPS communication with the service that orders them; clients need to use the CA cert to verify the connection.
func RegisterOrderCertificateHook
func RegisterOrderCertificateHook(requests []OrderCertificateRequest) bool
Types
type CertificateInfo
type CertificateInfo struct {
    Certificate        string `json:"certificate,omitempty"`
    Key                string `json:"key,omitempty"`
    CertificateUpdated bool   `json:"certificate_updated,omitempty"`
}
func IssueCertificate
func IssueCertificate(input *go_hook.HookInput, dc dependency.Container, request OrderCertificateRequest) (*CertificateInfo, error)
type CertificateSecret
func ParseSecret
func ParseSecret(secret *v1.Secret) *CertificateSecret
type GenSelfSignedTLSHookConf
type GenSelfSignedTLSHookConf struct {
    // SANs is a function which returns the list of domains to include into the cert. Use the DefaultSANs helper
    SANs SANsGenerator
    // CN - certificate Common Name
    // often it is the module name
    CN string
    // Namespace - namespace for the TLS secret
    Namespace string
    // TLSSecretName - TLS secret name
    // the secret must be of the TLS secret type https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
    // the CA certificate MUST be set in the ca.crt key
    TLSSecretName string
    // Usages specifies valid usage contexts for keys.
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
    // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
    Usages []certificatesv1.KeyUsage
    // FullValuesPathPrefix - prefix of the full path under which the CA certificate, TLS certificate and TLS private key are stored
    // full paths will be
    // FullValuesPathPrefix + .ca - CA certificate
    // FullValuesPathPrefix + .crt - TLS certificate
    // FullValuesPathPrefix + .key - TLS private key
    // Example: FullValuesPathPrefix = 'prometheusMetricsAdapter.internal.adapter'
    // Values to store:
    // prometheusMetricsAdapter.internal.adapter.ca
    // prometheusMetricsAdapter.internal.adapter.crt
    // prometheusMetricsAdapter.internal.adapter.key
    // Data in values is stored as plain text
    // In helm templates you need to use the `b64enc` function to encode it
    FullValuesPathPrefix string
    // BeforeHookCheck runs a check function before hook execution. The function should return a boolean 'continue' value
    // if the return value is false - the hook will stop its execution
    // if the return value is true - the hook will continue
    BeforeHookCheck func(input *go_hook.HookInput) bool
}
type OrderCertificateRequest
type OrderCertificateRequest struct {
    Namespace         string
    SecretName        string
    CommonName        string
    SANs              []string
    Groups            []string
    Usages            []certificatesv1.KeyUsage
    SignerName        string
    ValueName         string
    ModuleName        string
    WaitTimeout       time.Duration
    ExpirationSeconds *int32
}
func (*OrderCertificateRequest) DeepCopy
func (r *OrderCertificateRequest) DeepCopy() OrderCertificateRequest
type SANsGenerator
SANsGenerator is a function for generating SANs.
func DefaultSANs
func DefaultSANs(sans []string) SANsGenerator
DefaultSANs is a helper that generates the list of SANs for a certificate. You can also use the helpers:
ClusterDomainSAN(value) to generate SANs with respect to the cluster domain (e.g. "app.default.svc" with the "cluster.local" value gives app.default.svc.cluster.local); PublicDomainSAN(value)
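The following is an added example, not code from this package or its project, showing with the Go standard library what RegisterInternalTLSHook produces when the secret is missing: a CA and a TLS certificate that both carry the 87600h (10 year) validity, the certificate issued for cluster-domain SANs of the kind the ClusterDomainSAN/DefaultSANs helpers build, and the client-side verification against ca.crt that the doc comment asks for. The names Bundle, WithClusterDomain, newTemplate, GenerateSelfSignedTLS and VerifyWithCA are this example's own; WithClusterDomain only joins the two strings, whereas the real ClusterDomainSAN returns a template.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Bundle is the PEM material the hook persists in the TLS secret (ca.crt, tls.crt, tls.key); example-only type.
type Bundle struct {
	CA, Cert, Key []byte
}

// WithClusterDomain joins a service SAN with the cluster domain ("app.default.svc" + "cluster.local"); hypothetical helper.
func WithClusterDomain(san, clusterDomain string) string {
	return san + "." + clusterDomain
}

// newTemplate returns a fresh P-256 key and a template for cn with a random 128-bit serial and the hook's 87600h validity.
func newTemplate(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(87600 * time.Hour)}, key, nil
}

// GenerateSelfSignedTLS creates a long-lived CA and a leaf certificate for cn/sans signed by it (caTmpl doubles as parent).
func GenerateSelfSignedTLS(cn string, sans []string) (*Bundle, error) {
	caTmpl, caKey, err := newTemplate(cn + "-ca")
	if err != nil {
		return nil, err
	}
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl, leafKey, err := newTemplate(cn)
	if err != nil {
		return nil, err
	}
	leafTmpl.DNSNames = sans // clients match the server name against SANs, not the CN
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{
		CA:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyWithCA is the client-side check: trust only ca.crt and require serverName to match one of the leaf's SANs.
func VerifyWithCA(b *Bundle, serverName string) error {
	pair, err := tls.X509KeyPair(b.Cert, b.Key) // also proves tls.key belongs to tls.crt
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(b.CA) // an empty pool simply makes Verify fail below
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

func main() {
	san := WithClusterDomain("app.default.svc", "cluster.local")
	b, err := GenerateSelfSignedTLS("my-module", []string{san})
	if err != nil {
		panic(err)
	}
	fmt.Println("verify", san, "->", VerifyWithCA(b, san), "| other.example ->", VerifyWithCA(b, "other.example"))
}
```

The three PEM fields map directly onto the secret keys the hook expects (ca.crt, tls.crt, tls.key); if they were not written back to the secret, a restart would run GenerateSelfSignedTLS again and every client pinned to the old ca.crt would stop verifying, which is exactly the failure the doc comment warns about.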