Index ¶
- Constants
- Variables
- func AddKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, ...) error
- func CertificatesToSecretData(certificates *certificate.Resource) map[string][]byte
- func DecodeCertificate(tlsCrt []byte) (*x509.Certificate, error)
- func DecodeCertificateFromSecretData(data map[string][]byte) (*x509.Certificate, error)
- func ExtractOrGeneratePrivateKey(secretData map[string][]byte) (crypto.PrivateKey, error)
- func FromKeyType(keyType certcrypto.KeyType) *api.CertificatePrivateKey
- func IsCertCA(crt x509.Certificate) bool
- func IsCertExpired(crt x509.Certificate) bool
- func PublicKeyFromPrivateKey(key interface{}) (crypto.PublicKey, error)
- func PublicKeysEqual(a, b crypto.PublicKey) (bool, error)
- func RemoveKeystoresFromSecret(secret *corev1.Secret)
- func RevokeCertificate(user *RegistrationUser, cert []byte) error
- func SecretDataToCertificates(data map[string][]byte) *certificate.Resource
- func UpdateKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, ...) (modified bool, err error)
- func ValidatePublicKeyWithPrivateKey(checkPubKey crypto.PublicKey, privKey crypto.PrivateKey) (bool, error)
- type CertificatePrivateKeyDefaults
- type ConcurrentObtainError
- type DNSControllerSettings
- type DNSRecordSettings
- type ObtainInput
- type ObtainOutput
- type Obtainer
- type ObtainerCallback
- type PendingCertificateRequests
- type PendingResults
- type ProviderWithCount
- type RegistrationUser
- func NewRegistrationUserFromEmail(issuerKey utils.IssuerKeyItf, email string, caDirURL string, ...) (*RegistrationUser, error)
- func NewRegistrationUserFromEmailAndPrivateKey(issuerKey utils.IssuerKeyItf, email string, caDirURL string, ...) (*RegistrationUser, error)
- func RegistrationUserFromSecretData(issuerKey utils.IssuerKeyItf, email, caDirURL string, registrationRaw []byte, ...) (*RegistrationUser, error)
- func (u *RegistrationUser) CADirURL() string
- func (u *RegistrationUser) EabHmacKey() string
- func (u *RegistrationUser) EabKeyID() string
- func (u *RegistrationUser) GetEmail() string
- func (u *RegistrationUser) GetPrivateKey() crypto.PrivateKey
- func (u *RegistrationUser) GetRegistration() *registration.Resource
- func (u *RegistrationUser) NewConfig(caDirURL string) *lego.Config
- func (u *RegistrationUser) RawRegistration() ([]byte, error)
- func (u *RegistrationUser) ToSecretData() (map[string][]byte, error)
- type TLSKeyPair
Constants ¶
const (
	// PKCS12SecretKey is the name of the data entry in the Secret resource used to store the p12 file.
	PKCS12SecretKey = "keystore.p12"
	// PKCS12TruststoreKey is the name of the data entry in the Secret resource for the PKCS12 truststore containing the Certificate Authority.
	PKCS12TruststoreKey = "truststore.p12"
	// JKSSecretKey is the name of the data entry in the Secret resource used to store the jks file.
	// The value is a data-entry name, not secret material, hence the gosec G101 suppression on the line.
	JKSSecretKey = "keystore.jks" // #nosec G101 -- this is no credential
	// JKSTruststoreKey is the name of the data entry in the Secret resource for the JKS truststore containing the Certificate Authority.
	JKSTruststoreKey = "truststore.jks"
)
const (
	// DefaultPubKeyAlgo is the default Public Key Algorithm (letsencrypt default).
	DefaultPubKeyAlgo x509.PublicKeyAlgorithm = x509.RSA
	// DefaultCertKeyUsage is the default Key Usage (letsencrypt default).
	DefaultCertKeyUsage x509.KeyUsage = x509.KeyUsageDigitalSignature
	// RSAKeyUsage is a specific KeyUsage for RSA keys. In the context of TLS,
	// this KeyUsage is particular to RSA key exchange and authentication.
	RSAKeyUsage x509.KeyUsage = x509.KeyUsageKeyEncipherment
	// CAKeyUsage is the KeyUsage required for a Certificate Authority.
	CAKeyUsage x509.KeyUsage = x509.KeyUsageCertSign
	// DefaultCertDuration is the default Certificate validity period (90 days, the letsencrypt default).
	DefaultCertDuration time.Duration = 24 * time.Hour * 90
	// RSAMinSize is the minimum size (in bits) for an RSA key.
	RSAMinSize int = 2048
	// RSAMaxSize is the maximum size (in bits) for an RSA key.
	RSAMaxSize int = 8192
	// ECCurve256 represents a 256-bit ECDSA key.
	ECCurve256 int = 256
	// ECCurve384 represents a 384-bit ECDSA key.
	ECCurve384 int = 384
	// ECCurve521 represents a 521-bit ECDSA key.
	ECCurve521 int = 521
)
const (
	// KeyPrivateKey is the secret data key for the private key.
	KeyPrivateKey = "privateKey"
	// KeyHmacKey is the secret data key for the MAC key for external account binding.
	// Both entries name sensitive key material stored in the Secret.
	KeyHmacKey = "hmacKey"
)
const TLSCAKey = "ca.crt"
TLSCAKey is the secret data key under which the CA certificate is stored.
Variables ¶
var (
	// DefaultCertExtKeyUsage are the default Extended KeyUsage (letsencrypt default).
	// Being a package-level slice, it can be mutated by callers; copy it before modifying.
	DefaultCertExtKeyUsage []x509.ExtKeyUsage = []x509.ExtKeyUsage{
		x509.ExtKeyUsageClientAuth,
		x509.ExtKeyUsageServerAuth,
	}
)
Functions ¶
func AddKeystoresToSecret ¶ added in v0.12.0
func AddKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) error
AddKeystoresToSecret adds keystore data entries in the secret if requested.
func CertificatesToSecretData ¶
func CertificatesToSecretData(certificates *certificate.Resource) map[string][]byte
CertificatesToSecretData converts a certificate resource to secret data.
func DecodeCertificate ¶
func DecodeCertificate(tlsCrt []byte) (*x509.Certificate, error)
DecodeCertificate decodes the crt byte array.
func DecodeCertificateFromSecretData ¶
func DecodeCertificateFromSecretData(data map[string][]byte) (*x509.Certificate, error)
DecodeCertificateFromSecretData decodes the cert key from secret data to an x509 certificate.
func ExtractOrGeneratePrivateKey ¶ added in v0.12.0
func ExtractOrGeneratePrivateKey(secretData map[string][]byte) (crypto.PrivateKey, error)
ExtractOrGeneratePrivateKey extracts the private key from the secret or generates a new one.
func FromKeyType ¶ added in v0.13.0
func FromKeyType(keyType certcrypto.KeyType) *api.CertificatePrivateKey
FromKeyType converts key type back to a private key spec.
func IsCertCA ¶ added in v0.12.0
func IsCertCA(crt x509.Certificate) bool
IsCertCA returns true if a certificate is a CA.
func IsCertExpired ¶ added in v0.12.0
func IsCertExpired(crt x509.Certificate) bool
IsCertExpired returns true if a certificate is expired.
func PublicKeyFromPrivateKey ¶ added in v0.12.0
PublicKeyFromPrivateKey returns the crypto.PublicKey for a crypto.PrivateKey or a crypto.Signer.
func PublicKeysEqual ¶ added in v0.12.0
PublicKeysEqual returns true if two crypto.PublicKey values are equal.
func RemoveKeystoresFromSecret ¶ added in v0.12.0
RemoveKeystoresFromSecret removes all keystore data entries.
func RevokeCertificate ¶ added in v0.12.0
func RevokeCertificate(user *RegistrationUser, cert []byte) error
RevokeCertificate revokes a certificate.
func SecretDataToCertificates ¶
func SecretDataToCertificates(data map[string][]byte) *certificate.Resource
SecretDataToCertificates converts secret data to a certificate resource.
func UpdateKeystoresToSecret ¶ added in v0.12.0
func UpdateKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) (modified bool, err error)
UpdateKeystoresToSecret adds, updates, or deletes keystore data entries in the secret. Return value `modified` is true if the secret was changed.
func ValidatePublicKeyWithPrivateKey ¶ added in v0.12.0
func ValidatePublicKeyWithPrivateKey(checkPubKey crypto.PublicKey, privKey crypto.PrivateKey) (bool, error)
ValidatePublicKeyWithPrivateKey returns true if a crypto.PublicKey matches the crypto.PublicKey contained in a crypto.PrivateKey.
Types ¶
type CertificatePrivateKeyDefaults ¶ added in v0.14.0
type CertificatePrivateKeyDefaults struct {
// contains filtered or unexported fields
}
CertificatePrivateKeyDefaults contains default algorithms and sizes for new private keys. These defaults are only used for new certificates or on renewal.
func NewCertificatePrivateKeyDefaults ¶ added in v0.14.0
func NewCertificatePrivateKeyDefaults(algorithm api.PrivateKeyAlgorithm, rsaKeySize, ecdsaKeySize api.PrivateKeySize) (*CertificatePrivateKeyDefaults, error)
NewCertificatePrivateKeyDefaults creates the defaults for certificate private key generation.
func (CertificatePrivateKeyDefaults) IsDefaultKeyType ¶ added in v0.14.0
func (d CertificatePrivateKeyDefaults) IsDefaultKeyType(keyType certcrypto.KeyType) bool
IsDefaultKeyType returns true if the keyType matches the default one.
func (CertificatePrivateKeyDefaults) String ¶ added in v0.14.0
func (d CertificatePrivateKeyDefaults) String() string
func (CertificatePrivateKeyDefaults) ToKeyType ¶ added in v0.14.0
func (d CertificatePrivateKeyDefaults) ToKeyType(privateKeySpec *api.CertificatePrivateKey) (certcrypto.KeyType, error)
ToKeyType extracts the key type from the private key spec.
type ConcurrentObtainError ¶ added in v0.2.10
type ConcurrentObtainError struct {
	// DomainName is the domain name concurrently requested.
	DomainName string
}
ConcurrentObtainError is returned if Obtain should be postponed because of a concurrent obtain request for at least one domain name.
func (*ConcurrentObtainError) Error ¶ added in v0.2.10
func (d *ConcurrentObtainError) Error() string
type DNSControllerSettings ¶
type DNSControllerSettings struct {
	// Cluster is the cluster where the DNSEntries will be created.
	Cluster resources.Cluster
	// Namespace to set for the challenge DNSEntry.
	Namespace string
	// OwnerID to set for the challenge DNSEntry.
	// +optional
	OwnerID *string
	// PrecheckNameservers are the nameservers used for checking DNS propagation of the DNS challenge TXT record.
	PrecheckNameservers []string
	// AdditionalWait is the additional wait time after DNS propagation
	// to wait for "last mile" propagation to the DNS server used by the ACME server.
	AdditionalWait time.Duration
	// PropagationTimeout is the propagation timeout for the DNS challenge.
	PropagationTimeout time.Duration
	// FollowCNAME if true checks and follows CNAME records for DNS01 challenge domains.
	FollowCNAME bool
	// DNSRecordSettings are additional fields needed to create a DNSRecord. If set, DNSChallenge will use DNSRecords instead of DNSEntries.
	DNSRecordSettings *DNSRecordSettings
}
DNSControllerSettings are the settings for the DNSController.
type DNSRecordSettings ¶ added in v0.15.0
type DNSRecordSettings struct {
	// Type is the provider type.
	Type string
	// SecretRef is a reference to a secret that contains the cloud provider specific credentials.
	SecretRef corev1.SecretReference
}
DNSRecordSettings are additional fields needed to create a DNSRecord.
type ObtainInput ¶
type ObtainInput struct {
	// User is the registration user.
	User *RegistrationUser
	// CAKeyPair are the private key and the public key cert of the CA.
	CAKeyPair *TLSKeyPair
	// DNSSettings are the settings for the DNSController.
	DNSSettings *DNSControllerSettings
	// IssuerKey is a cluster-aware key of the issuer to use.
	IssuerKey utils.IssuerKeyItf
	// CommonName is the CN.
	CommonName *string
	// DNSNames are optional domain names.
	DNSNames []string
	// CSR is the optional Certificate Signing Request.
	CSR []byte
	// RequestName is the request object name.
	RequestName resources.ObjectName
	// TargetClass is the target class of the DNSEntry.
	TargetClass string
	// Callback is the callback function to return the ObtainOutput.
	Callback ObtainerCallback
	// Renew is the flag indicating whether it is a renew request.
	Renew bool
	// AlwaysDeactivateAuthorizations deactivates authorizations to avoid their caching.
	AlwaysDeactivateAuthorizations bool
	// PreferredChain is the preferred certificate chain.
	PreferredChain string
	// KeyType represents the algo and size to use for the private key (only used if CSR is not set).
	KeyType certcrypto.KeyType
}
ObtainInput contains all data needed to obtain a certificate.
type ObtainOutput ¶
type ObtainOutput struct {
	// Certificates contains the certificates.
	Certificates *certificate.Resource
	// IssuerInfo is the name and type of the issuer.
	IssuerInfo utils.IssuerInfo
	// CommonName is the copy from the input.
	CommonName *string
	// DNSNames are the copies from the input.
	DNSNames []string
	// CSR is the copy from the input.
	CSR []byte
	// KeyType is the copy from the input.
	KeyType certcrypto.KeyType
	// Err contains the obtain request error.
	Err error
}
ObtainOutput is the result of the certificate obtain request.
type Obtainer ¶ added in v0.2.10
type Obtainer interface {
	// Obtain starts the async obtain request.
	Obtain(input ObtainInput) error
}
Obtainer provides an Obtain method to start a certificate request.
type ObtainerCallback ¶
type ObtainerCallback func(output *ObtainOutput)
ObtainerCallback is the callback function type.
type PendingCertificateRequests ¶
type PendingCertificateRequests struct {
// contains filtered or unexported fields
}
PendingCertificateRequests contains the pending certificate requests.
func NewPendingRequests ¶
func NewPendingRequests() *PendingCertificateRequests
NewPendingRequests creates a new PendingCertificateRequests.
func (*PendingCertificateRequests) Add ¶
func (pr *PendingCertificateRequests) Add(name resources.ObjectName)
Add adds a certificate object name.
func (*PendingCertificateRequests) Contains ¶
func (pr *PendingCertificateRequests) Contains(name resources.ObjectName) bool
Contains checks whether a certificate object name is pending.
func (*PendingCertificateRequests) Remove ¶
func (pr *PendingCertificateRequests) Remove(name resources.ObjectName)
Remove removes a certificate object name from the pending list.
type PendingResults ¶
type PendingResults struct {
// contains filtered or unexported fields
}
PendingResults caches the ObtainOutput results.
func NewPendingResults ¶
func NewPendingResults() *PendingResults
NewPendingResults creates a new PendingResults.
func (*PendingResults) Add ¶
func (pr *PendingResults) Add(name resources.ObjectName, result *ObtainOutput)
Add adds an object name / ObtainOutput pair.
func (*PendingResults) Peek ¶ added in v0.2.16
func (pr *PendingResults) Peek(name resources.ObjectName) *ObtainOutput
Peek fetches a pending result by object name.
func (*PendingResults) Remove ¶
func (pr *PendingResults) Remove(name resources.ObjectName)
Remove removes a pending result by object name.
type ProviderWithCount ¶
type ProviderWithCount interface {
	challenge.Provider
	// GetChallengesCount returns the number of challenges; the exact counting semantics are not documented here.
	GetChallengesCount() int
	// GetPendingTXTRecordError returns error with details if a TXT record for DNS challenge is not ready.
	GetPendingTXTRecordError() error
}
ProviderWithCount is an extended Provider interface.
type RegistrationUser ¶
type RegistrationUser struct {
// contains filtered or unexported fields
}
RegistrationUser contains the data of a registration user.
func NewRegistrationUserFromEmail ¶
func NewRegistrationUserFromEmail(issuerKey utils.IssuerKeyItf, email string, caDirURL string, secretData map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)
NewRegistrationUserFromEmail generates a private key and requests a new registration for the user.
func NewRegistrationUserFromEmailAndPrivateKey ¶
func NewRegistrationUserFromEmailAndPrivateKey(issuerKey utils.IssuerKeyItf, email string, caDirURL string, privateKey crypto.PrivateKey, eabKid, eabHmacKey string) (*RegistrationUser, error)
NewRegistrationUserFromEmailAndPrivateKey requests a user registration.
func RegistrationUserFromSecretData ¶
func RegistrationUserFromSecretData(issuerKey utils.IssuerKeyItf, email, caDirURL string, registrationRaw []byte, data map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)
RegistrationUserFromSecretData restores a RegistrationUser from a secret data map.
func (*RegistrationUser) CADirURL ¶ added in v0.12.0
func (u *RegistrationUser) CADirURL() string
CADirURL returns the URL of the ACME directory server.
func (*RegistrationUser) EabHmacKey ¶ added in v0.12.0
func (u *RegistrationUser) EabHmacKey() string
EabHmacKey returns the MAC key if it is an external account binding.
func (*RegistrationUser) EabKeyID ¶ added in v0.12.0
func (u *RegistrationUser) EabKeyID() string
EabKeyID returns the key ID if it is an external account binding.
func (*RegistrationUser) GetEmail ¶
func (u *RegistrationUser) GetEmail() string
GetEmail returns the email of the registration user.
func (*RegistrationUser) GetPrivateKey ¶
func (u *RegistrationUser) GetPrivateKey() crypto.PrivateKey
GetPrivateKey returns the private key of the registration user.
func (*RegistrationUser) GetRegistration ¶
func (u *RegistrationUser) GetRegistration() *registration.Resource
GetRegistration returns the registration resource.
func (*RegistrationUser) NewConfig ¶
func (u *RegistrationUser) NewConfig(caDirURL string) *lego.Config
NewConfig creates a new lego config.
func (*RegistrationUser) RawRegistration ¶
func (u *RegistrationUser) RawRegistration() ([]byte, error)
RawRegistration returns the registration as a byte array.
func (*RegistrationUser) ToSecretData ¶
func (u *RegistrationUser) ToSecretData() (map[string][]byte, error)
ToSecretData returns the registration user as a secret data map.
type TLSKeyPair ¶ added in v0.12.0
type TLSKeyPair struct {
	// Cert is the certificate (held by value).
	Cert x509.Certificate
	// Key is the private key.
	Key crypto.PrivateKey
}
TLSKeyPair contains a certificate and a private key.
func CAKeyPairFromSecretData ¶ added in v0.12.0
func CAKeyPairFromSecretData(data map[string][]byte) (*TLSKeyPair, error)
CAKeyPairFromSecretData restores a TLSKeyPair from a secret data map.
func (*TLSKeyPair) RawCertInfo ¶ added in v0.12.0
func (c *TLSKeyPair) RawCertInfo() ([]byte, error)
RawCertInfo returns some info from the CA Certificate.