legobridge

package
v0.16.0
Warning

This package is not in the latest version of its module.

Published: Oct 21, 2024 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Index

Constants

const (
	// Names of the keystore data entries that AddKeystoresToSecret / UpdateKeystoresToSecret
	// write into the certificate Secret and RemoveKeystoresFromSecret deletes again.
	// They are map keys, not secret values.

	// PKCS12SecretKey is the name of the data entry in the Secret resource used to store the p12 file.
	PKCS12SecretKey = "keystore.p12"
	// PKCS12TruststoreKey is the name of the data entry in the Secret resource for PKCS12 containing the Certificate Authority.
	PKCS12TruststoreKey = "truststore.p12"

	// JKSSecretKey is the name of the data entry in the Secret resource used to store the jks file.
	// The gosec G101 (hardcoded credential) finding is suppressed below because this is an entry name, not a credential.
	JKSSecretKey = "keystore.jks" // #nosec G101 -- this is no credential
	// JKSTruststoreKey is the name of the data entry in the Secret resource for JKS containing the Certificate Authority.
	JKSTruststoreKey = "truststore.jks"
)
const (
	// DefaultPubKeyAlgo is the default Public Key Algorithm (letsencrypt default).
	DefaultPubKeyAlgo x509.PublicKeyAlgorithm = x509.RSA
	// DefaultCertKeyUsage is the default Key Usage (letsencrypt default).
	// x509.KeyUsage is a bit mask, so the KeyUsage constants below can be OR-ed together.
	DefaultCertKeyUsage x509.KeyUsage = x509.KeyUsageDigitalSignature

	// RSAKeyUsage is a specific KeyUsage for RSA keys. In the context of TLS,
	// this KeyUsage is particular to RSA key exchange and authentication.
	RSAKeyUsage x509.KeyUsage = x509.KeyUsageKeyEncipherment
	// CAKeyUsage is the KeyUsage required for a Certificate Authority.
	CAKeyUsage x509.KeyUsage = x509.KeyUsageCertSign

	// DefaultCertDuration is the default Certificate validity period (letsencrypt default): 90 days.
	DefaultCertDuration time.Duration = 24 * time.Hour * 90

	// RSAMinSize is the minimum size (in bits) for an RSA key.
	RSAMinSize int = 2048
	// RSAMaxSize is the maximum size (in bits) for an RSA key.
	RSAMaxSize int = 8192

	// ECCurve256 represents a 256bit ECDSA key.
	ECCurve256 int = 256
	// ECCurve384 represents a 384bit ECDSA key.
	ECCurve384 int = 384
	// ECCurve521 represents a 521bit ECDSA key.
	ECCurve521 int = 521
)
const (
	// KeyPrivateKey is the secret data key for the private key.
	// The value stored under it is private key material (presumably the registration
	// user's ACME account key, see RegistrationUserFromSecretData / ToSecretData); treat it as sensitive.
	KeyPrivateKey = "privateKey"
	// KeyHmacKey is the secret data key for the MAC key for external account binding.
	// The EAB MAC key is a credential, not a public identifier like the key ID; treat it as sensitive.
	KeyHmacKey = "hmacKey"
)
// TLSCAKey is the secret data key for the CA key.
// NOTE(review): the entry name "ca.crt" suggests the value is the CA certificate rather
// than a private key — confirm against CAKeyPairFromSecretData before relying on it.
const TLSCAKey = "ca.crt"

TLSCAKey is the secret data key for the CA key.

Variables

var (
	// DefaultCertExtKeyUsage are the default Extended KeyUsage (letsencrypt default):
	// the issued certificate is usable for both TLS client and TLS server authentication.
	// This is a package-level slice; callers must not modify it in place.
	DefaultCertExtKeyUsage []x509.ExtKeyUsage = []x509.ExtKeyUsage{
		x509.ExtKeyUsageClientAuth,
		x509.ExtKeyUsageServerAuth,
	}
)

Functions

func AddKeystoresToSecret added in v0.12.0

func AddKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) error

AddKeystoresToSecret adds keystore data entries in the secret if requested.

func CertificatesToSecretData

func CertificatesToSecretData(certificates *certificate.Resource) map[string][]byte

CertificatesToSecretData converts a certificate resource to secret data.

func DecodeCertificate

func DecodeCertificate(tlsCrt []byte) (*x509.Certificate, error)

DecodeCertificate decodes the crt byte array.

func DecodeCertificateFromSecretData

func DecodeCertificateFromSecretData(data map[string][]byte) (*x509.Certificate, error)

DecodeCertificateFromSecretData decodes the cert key from secret data to a x509 certificate.

func ExtractOrGeneratePrivateKey added in v0.12.0

func ExtractOrGeneratePrivateKey(secretData map[string][]byte) (crypto.PrivateKey, error)

ExtractOrGeneratePrivateKey extracts the private key from the secret or generates a new one.

func FromKeyType added in v0.13.0

func FromKeyType(keyType certcrypto.KeyType) *api.CertificatePrivateKey

FromKeyType converts key type back to a private key spec.

func IsCertCA added in v0.12.0

func IsCertCA(crt x509.Certificate) bool

IsCertCA returns true if a certificate is a CA.

func IsCertExpired added in v0.12.0

func IsCertExpired(crt x509.Certificate) bool

IsCertExpired returns true if a certificate is expired.

func PublicKeyFromPrivateKey added in v0.12.0

func PublicKeyFromPrivateKey(key interface{}) (crypto.PublicKey, error)

PublicKeyFromPrivateKey returns the crypto.PublicKey for a crypto.PrivateKey or a crypto.Signer.

func PublicKeysEqual added in v0.12.0

func PublicKeysEqual(a, b crypto.PublicKey) (bool, error)

PublicKeysEqual returns true if two crypto.PublicKey values are equal.

func RemoveKeystoresFromSecret added in v0.12.0

func RemoveKeystoresFromSecret(secret *corev1.Secret)

RemoveKeystoresFromSecret removes all keystore data entries.

func RevokeCertificate added in v0.12.0

func RevokeCertificate(user *RegistrationUser, cert []byte) error

RevokeCertificate revokes a certificate.

func SecretDataToCertificates

func SecretDataToCertificates(data map[string][]byte) *certificate.Resource

SecretDataToCertificates converts secret data to a certificate resource.

func UpdateKeystoresToSecret added in v0.12.0

func UpdateKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) (modified bool, err error)

UpdateKeystoresToSecret adds, updates, or deletes keystore data entries in the secret. Return value `modified` is true if the secret was changed.

func ValidatePublicKeyWithPrivateKey added in v0.12.0

func ValidatePublicKeyWithPrivateKey(checkPubKey crypto.PublicKey, privKey crypto.PrivateKey) (bool, error)

ValidatePublicKeyWithPrivateKey returns true if a crypto.PublicKey matches the crypto.PublicKey contained in a crypto.PrivateKey.

Types

type CertificatePrivateKeyDefaults added in v0.14.0

// CertificatePrivateKeyDefaults contains default algorithms and sizes for new private keys.
// These defaults are only used for new certificates or on renewal.
// All fields are unexported; construct it with NewCertificatePrivateKeyDefaults.
type CertificatePrivateKeyDefaults struct {
	// contains filtered or unexported fields
}

CertificatePrivateKeyDefaults contains default algorithms and sizes for new private keys. These defaults are only used for new certificates or on renewal.

func NewCertificatePrivateKeyDefaults added in v0.14.0

func NewCertificatePrivateKeyDefaults(algorithm api.PrivateKeyAlgorithm, rsaKeySize, ecdsaKeySize api.PrivateKeySize) (*CertificatePrivateKeyDefaults, error)

NewCertificatePrivateKeyDefaults creates the defaults for certificate private key generation.

func (CertificatePrivateKeyDefaults) IsDefaultKeyType added in v0.14.0

func (d CertificatePrivateKeyDefaults) IsDefaultKeyType(keyType certcrypto.KeyType) bool

IsDefaultKeyType returns true if the keyType matches the default one.

func (CertificatePrivateKeyDefaults) String added in v0.14.0

func (CertificatePrivateKeyDefaults) ToKeyType added in v0.14.0

ToKeyType extracts the key type from the private key spec.

type ConcurrentObtainError added in v0.2.10

// ConcurrentObtainError is returned if Obtain should be postponed because of a concurrent
// obtain request for at least one domain name. It implements the error interface.
type ConcurrentObtainError struct {
	// DomainName is the domain name that is concurrently requested.
	DomainName string
}

ConcurrentObtainError is returned if Obtain should be postponed because of concurrent obtain request for at least one domain name.

func (*ConcurrentObtainError) Error added in v0.2.10

func (d *ConcurrentObtainError) Error() string

type DNSControllerSettings

// DNSControllerSettings are the settings for the DNSController used to solve DNS01 challenges.
type DNSControllerSettings struct {
	// Cluster is the cluster where the DNSEntries will be created.
	Cluster resources.Cluster
	// Namespace to set for the challenge DNSEntry.
	Namespace string
	// OwnerID to set for the challenge DNSEntry.
	// +optional
	OwnerID *string
	// PrecheckNameservers are the nameservers queried to check DNS propagation of the DNS challenge TXT record.
	PrecheckNameservers []string
	// AdditionalWait is the additional wait time after DNS propagation
	// to wait for "last mile" propagation to the DNS server used by the ACME server.
	AdditionalWait time.Duration
	// PropagationTimeout is the propagation timeout for the DNS challenge.
	PropagationTimeout time.Duration
	// FollowCNAME if true checks and follows CNAME records for DNS01 challenge domains.
	FollowCNAME bool
	// DNSRecordSettings are additional fields needed to create a DNSRecord. If set, DNSChallenge will use DNSRecords instead of DNSEntries.
	DNSRecordSettings *DNSRecordSettings
}

DNSControllerSettings are the settings for the DNSController.

type DNSRecordSettings added in v0.15.0

// DNSRecordSettings are additional fields needed to create a DNSRecord
// (used instead of a DNSEntry when set on DNSControllerSettings.DNSRecordSettings).
type DNSRecordSettings struct {
	// Type is the provider type.
	Type string
	// SecretRef is a reference to a secret that contains the cloud provider specific credentials.
	// Only the reference is held here; the credential values themselves are never copied into this struct.
	SecretRef corev1.SecretReference
}

DNSRecordSettings are additional fields needed to create a DNSRecord.

type ObtainInput

// ObtainInput contains all data needed to obtain a certificate.
// The result is not returned synchronously; it is delivered to Callback as an ObtainOutput.
type ObtainInput struct {
	// User is the registration user.
	User *RegistrationUser
	// CAKeyPair are the private key and the public key cert of the CA.
	CAKeyPair *TLSKeyPair
	// DNSSettings are the settings for the DNSController.
	DNSSettings *DNSControllerSettings
	// IssuerKey is a cluster-aware key of the issuer to use.
	IssuerKey utils.IssuerKeyItf
	// CommonName is the CN.
	CommonName *string
	// DNSNames are optional domain names.
	DNSNames []string
	// CSR is the optional Certificate Signing Request. When set, KeyType is not used.
	CSR []byte
	// RequestName is the request object name.
	RequestName resources.ObjectName
	// TargetClass is the target class of the DNSEntry.
	TargetClass string
	// Callback is the callback function to return the ObtainOutput.
	Callback ObtainerCallback
	// Renew is a flag indicating a renew request.
	Renew bool
	// AlwaysDeactivateAuthorizations deactivates authorizations to avoid their caching.
	AlwaysDeactivateAuthorizations bool
	// PreferredChain — presumably selects the preferred certificate chain offered by the ACME server; confirm against the obtain code.
	PreferredChain string
	// KeyType represents the algo and size to use for the private key (only used if CSR is not set).
	KeyType certcrypto.KeyType
}

ObtainInput contains all data needed to obtain a certificate.

type ObtainOutput

// ObtainOutput is the result of the certificate obtain request, delivered to the ObtainerCallback.
type ObtainOutput struct {
	// Certificates contains the certificates.
	Certificates *certificate.Resource
	// IssuerInfo is the name and type of the issuer.
	IssuerInfo utils.IssuerInfo
	// CommonName is the copy from the input.
	CommonName *string
	// DNSNames are the copies from the input.
	DNSNames []string
	// CSR is the copy from the input.
	CSR []byte
	// KeyType is the copy from the input.
	KeyType certcrypto.KeyType
	// Err contains the obtain request error. Callers should check it before using Certificates
	// (whether Certificates is nil on error is not visible here — confirm against the obtainer).
	Err error
}

ObtainOutput is the result of the certificate obtain request.

type Obtainer added in v0.2.10

// Obtainer provides an Obtain method to start a certificate request.
type Obtainer interface {
	// Obtain starts the async obtain request. The returned error only covers starting the
	// request; the outcome is reported via input.Callback as an ObtainOutput.
	Obtain(input ObtainInput) error
}

Obtainer provides an Obtain method to start a certificate request.

func NewObtainer added in v0.2.10

func NewObtainer() Obtainer

NewObtainer creates a new Obtainer.

type ObtainerCallback

// ObtainerCallback is the callback function type invoked with the result of an obtain request.
type ObtainerCallback func(output *ObtainOutput)

ObtainerCallback is the callback function type.

type PendingCertificateRequests

// PendingCertificateRequests contains the pending certificate requests, keyed by certificate object name.
// Create it with NewPendingRequests; the fields are unexported.
type PendingCertificateRequests struct {
	// contains filtered or unexported fields
}

PendingCertificateRequests contains the pending certificate requests.

func NewPendingRequests

func NewPendingRequests() *PendingCertificateRequests

NewPendingRequests creates a new PendingCertificateRequests.

func (*PendingCertificateRequests) Add

Add adds a certificate object name.

func (*PendingCertificateRequests) Contains

Contains checks whether a certificate object name is pending.

func (*PendingCertificateRequests) Remove

Remove removes a certificate object name from the pending list.

type PendingResults

// PendingResults caches the ObtainOutput results by object name.
// Create it with NewPendingResults; the fields are unexported.
type PendingResults struct {
	// contains filtered or unexported fields
}

PendingResults caches the ObtainOutput results.

func NewPendingResults

func NewPendingResults() *PendingResults

NewPendingResults creates a new PendingResults.

func (*PendingResults) Add

func (pr *PendingResults) Add(name resources.ObjectName, result *ObtainOutput)

Add adds an object name / ObtainOutput pair.

func (*PendingResults) Peek added in v0.2.16

Peek fetches a pending result by object name.

func (*PendingResults) Remove

func (pr *PendingResults) Remove(name resources.ObjectName)

Remove removes a pending result by object name.

type ProviderWithCount

// ProviderWithCount is an extended challenge.Provider interface that also exposes
// the number of challenges and the readiness of the DNS challenge TXT record.
type ProviderWithCount interface {
	challenge.Provider
	// GetChallengesCount returns the number of challenges (presumably those handled by this provider — confirm with the implementation).
	GetChallengesCount() int
	// GetPendingTXTRecordError returns error with details if a TXT record for DNS challenge is not ready.
	GetPendingTXTRecordError() error
}

ProviderWithCount is an extended Provider interface.

type RegistrationUser

// RegistrationUser contains the data of a registration user: email, ACME directory URL,
// private key, registration resource and optional external account binding (key ID and MAC key).
// It holds secret material (private key, EAB MAC key), so instances should not be logged or serialized
// except via ToSecretData.
type RegistrationUser struct {
	// contains filtered or unexported fields
}

RegistrationUser contains the data of a registration user.

func NewRegistrationUserFromEmail

func NewRegistrationUserFromEmail(issuerKey utils.IssuerKeyItf,
	email string, caDirURL string, secretData map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)

NewRegistrationUserFromEmail generates a private key and requests a new registration for the user.

func NewRegistrationUserFromEmailAndPrivateKey

func NewRegistrationUserFromEmailAndPrivateKey(issuerKey utils.IssuerKeyItf,
	email string, caDirURL string, privateKey crypto.PrivateKey, eabKid, eabHmacKey string) (*RegistrationUser, error)

NewRegistrationUserFromEmailAndPrivateKey requests a user registration.

func RegistrationUserFromSecretData

func RegistrationUserFromSecretData(issuerKey utils.IssuerKeyItf,
	email, caDirURL string, registrationRaw []byte, data map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)

RegistrationUserFromSecretData restores a RegistrationUser from a secret data map.

func (*RegistrationUser) CADirURL added in v0.12.0

func (u *RegistrationUser) CADirURL() string

CADirURL returns the URL of the ACME directory server.

func (*RegistrationUser) EabHmacKey added in v0.12.0

func (u *RegistrationUser) EabHmacKey() string

EabHmacKey returns the MAC key if the account uses external account binding.

func (*RegistrationUser) EabKeyID added in v0.12.0

func (u *RegistrationUser) EabKeyID() string

EabKeyID returns the key ID if the account uses external account binding.

func (*RegistrationUser) GetEmail

func (u *RegistrationUser) GetEmail() string

GetEmail returns the email of the registration user.

func (*RegistrationUser) GetPrivateKey

func (u *RegistrationUser) GetPrivateKey() crypto.PrivateKey

GetPrivateKey returns the private key of the registration user.

func (*RegistrationUser) GetRegistration

func (u *RegistrationUser) GetRegistration() *registration.Resource

GetRegistration returns the registration resource.

func (*RegistrationUser) NewConfig

func (u *RegistrationUser) NewConfig(caDirURL string) *lego.Config

NewConfig creates a new lego config.

func (*RegistrationUser) RawRegistration

func (u *RegistrationUser) RawRegistration() ([]byte, error)

RawRegistration returns the registration as a byte array.

func (*RegistrationUser) ToSecretData

func (u *RegistrationUser) ToSecretData() (map[string][]byte, error)

ToSecretData returns the registration user as a secret data map.

type TLSKeyPair added in v0.12.0

// TLSKeyPair contains a certificate and a private key.
// When used as ObtainInput.CAKeyPair, Key is the CA's private key and must be protected accordingly.
type TLSKeyPair struct {
	// Cert is the certificate (stored by value, not as a pointer).
	Cert x509.Certificate
	// Key is the private key matching Cert's public key.
	Key  crypto.PrivateKey
}

TLSKeyPair contains a certificate and a private key.

func CAKeyPairFromSecretData added in v0.12.0

func CAKeyPairFromSecretData(data map[string][]byte) (*TLSKeyPair, error)

CAKeyPairFromSecretData restores a TLSKeyPair from a secret data map.

func (*TLSKeyPair) RawCertInfo added in v0.12.0

func (c *TLSKeyPair) RawCertInfo() ([]byte, error)

RawCertInfo returns some info from the CA Certificate.
