legobridge

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 6, 2024 License: Apache-2.0 Imports: 37 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// PKCS12SecretKey is the name of the data entry in the Secret resource used to store the p12 file.
	PKCS12SecretKey = "keystore.p12"
	// PKCS12TruststoreKey is the name of the data entry in the Secret resource for PKCS12 containing Certificate Authority
	PKCS12TruststoreKey = "truststore.p12"

	// JKSSecretKey is the name of the data entry in the Secret resource used to store the jks file.
	JKSSecretKey = "keystore.jks"
	// JKSTruststoreKey is the name of the data entry in the Secret resource for JKS containing Certificate Authority
	JKSTruststoreKey = "truststore.jks"
)
View Source
const (
	// DefaultPubKeyAlgo is the default Public Key Algorithm (letsencrypt default).
	DefaultPubKeyAlgo x509.PublicKeyAlgorithm = x509.RSA
	// DefaultCertKeyUsage is the default Key Usage (letsencrypt default).
	DefaultCertKeyUsage x509.KeyUsage = x509.KeyUsageDigitalSignature

	// RSAKeyUsage is a specific KeyUsage for RSA keys. In the context of TLS,
	// this KeyUsage is particular to RSA key exchange and authentication.
	RSAKeyUsage x509.KeyUsage = x509.KeyUsageKeyEncipherment
	// CAKeyUsage is the KeyUsage required for a Certificate Authority.
	CAKeyUsage x509.KeyUsage = x509.KeyUsageCertSign

	// DefaultCertDuration is the default Certificate validity period (letsencrypt default).
	DefaultCertDuration time.Duration = 24 * time.Hour * 90

	// RSAMinSize is the minimum size for an RSA key
	RSAMinSize int = 2048
	// RSAMaxSize is the maximum size for an RSA key
	RSAMaxSize int = 8192

	// ECCurve256 represents a 256bit ECDSA key.
	ECCurve256 int = 256
	// ECCurve384 represents a 384bit ECDSA key.
	ECCurve384 int = 384
	// ECCurve521 represents a 521bit ECDSA key.
	ECCurve521 int = 521
)
View Source
const (
	// KeyPrivateKey is the secret data key for the private key.
	KeyPrivateKey = "privateKey"
	// KeyHmacKey is the secret data key for the MAC key for external account binding.
	KeyHmacKey = "hmacKey"
)
View Source
const TLSCAKey = "ca.crt"

TLSCAKey is the secret data key for the CA key.

Variables

View Source
var (
	// DefaultCertExtKeyUsage are the default Extended KeyUsage (letsencrypt default).
	DefaultCertExtKeyUsage []x509.ExtKeyUsage = []x509.ExtKeyUsage{
		x509.ExtKeyUsageClientAuth,
		x509.ExtKeyUsageServerAuth,
	}
)

Functions

func AddKeystoresToSecret added in v0.12.0

func AddKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) error

AddKeystoresToSecret adds keystore data entries in the secret if requested.

func CertificatesToSecretData

func CertificatesToSecretData(certificates *certificate.Resource) map[string][]byte

CertificatesToSecretData converts a certificate resource to secret data.

func DecodeCertificate

func DecodeCertificate(tlsCrt []byte) (*x509.Certificate, error)

DecodeCertificate decodes the crt byte array.

func DecodeCertificateFromSecretData

func DecodeCertificateFromSecretData(data map[string][]byte) (*x509.Certificate, error)

DecodeCertificateFromSecretData decodes the cert key from secret data to a x509 certificate.

func ExtractOrGeneratePrivateKey added in v0.12.0

func ExtractOrGeneratePrivateKey(secretData map[string][]byte) (crypto.PrivateKey, error)

ExtractOrGeneratePrivateKey extracts the private key from the secret or generates a new one.

func IsCertCA added in v0.12.0

func IsCertCA(crt x509.Certificate) bool

IsCertCA returns true if a certificate is a CA.

func IsCertExpired added in v0.12.0

func IsCertExpired(crt x509.Certificate) bool

IsCertExpired returns true if a certificate is expired.

func PublicKeyFromPrivateKey added in v0.12.0

func PublicKeyFromPrivateKey(key interface{}) (crypto.PublicKey, error)

PublicKeyFromPrivateKey returns the crypto.PublicKey for a crypto.PrivateKey or a crypto.Signer.

func PublicKeysEqual added in v0.12.0

func PublicKeysEqual(a, b crypto.PublicKey) (bool, error)

PublicKeysEqual returns true if two crypto.PublicKey are equal

func RemoveKeystoresFromSecret added in v0.12.0

func RemoveKeystoresFromSecret(secret *corev1.Secret)

RemoveKeystoresFromSecret removes all keystore data entries.

func RevokeCertificate added in v0.12.0

func RevokeCertificate(user *RegistrationUser, cert []byte) error

RevokeCertificate revokes a certificate

func SecretDataToCertificates

func SecretDataToCertificates(data map[string][]byte) *certificate.Resource

SecretDataToCertificates converts secret data to a certicate resource.

func UpdateKeystoresToSecret added in v0.12.0

func UpdateKeystoresToSecret(secretResources resources.Interface, secret *corev1.Secret, keystores *certv1alpha1.CertificateKeystores) (modified bool, err error)

UpdateKeystoresToSecret adds, updates, or deletes keystore data entries in the secret. Return value `modified` is true if the secret was changed.

func ValidatePublicKeyWithPrivateKey added in v0.12.0

func ValidatePublicKeyWithPrivateKey(checkPubKey crypto.PublicKey, privKey crypto.PrivateKey) (bool, error)

ValidatePublicKeyWithPrivateKey returns true if a crypto.PublicKey matches the crypto.PublicKey contained in a crypto.PrivateKey

Types

type ConcurrentObtainError added in v0.2.10

type ConcurrentObtainError struct {
	// DomainName is the domain name concurrently requested
	DomainName string
}

ConcurrentObtainError is returned if Obtain should be postponed because of concurrent obtain request for at least one domain name.

func (*ConcurrentObtainError) Error added in v0.2.10

func (d *ConcurrentObtainError) Error() string

type DNSControllerSettings

type DNSControllerSettings struct {
	// Cluster is the cluster where the DNSEntries will be created
	Cluster resources.Cluster
	// Namespace to set for challenge DNSEntry
	Namespace string
	// OwnerID to set for challenge DNSEntry
	// +optional
	OwnerID *string
	// PrecheckNameservers for checking DNS propagation of DNS challenge TXT record
	PrecheckNameservers []string
	// AdditionalWait is the additional wait time after DNS propagation
	// to wait for "last mile" propagation to DNS server used by the ACME server
	AdditionalWait time.Duration
	// PropagationTimeout is the propagation timeout for the DNS challenge.
	PropagationTimeout time.Duration
	// FollowCNAME if true checks and follows CNAME records for DNS01 challenge domains.
	FollowCNAME bool
}

DNSControllerSettings are the settings for the DNSController.

type ObtainInput

type ObtainInput struct {
	// User is the registration user.
	User *RegistrationUser
	// CAKeyPair are the private key and the public key cert of the CA.
	CAKeyPair *TLSKeyPair
	// DNSSettings are the settings for the DNSController.
	DNSSettings *DNSControllerSettings
	// IssuerKey is a cluster-aware key of the issuer to use.
	IssuerKey utils.IssuerKey
	// CommonName is the CN.
	CommonName *string
	// DNSNames are optional domain names.
	DNSNames []string
	// CSR is the optional Certificate Signing Request.
	CSR []byte
	// Request name is the request object name.
	RequestName resources.ObjectName
	// TargetClass is the target class of the DNSEntry.
	TargetClass string
	// Callback is the callback function to return the ObtainOutput.
	Callback ObtainerCallback
	// RenewCert is the certificate to renew.
	RenewCert *certificate.Resource
	// AlwaysDeactivateAuthorizations deactivates authorizations to avoid their caching
	AlwaysDeactivateAuthorizations bool
	// PreferredChain
	PreferredChain string
}

ObtainInput contains all data needed to obtain a certificate.

type ObtainOutput

type ObtainOutput struct {
	// Certificates contains the certificates.
	Certificates *certificate.Resource
	// IssuerInfo is the name and type of the issuer.
	IssuerInfo utils.IssuerInfo
	// CommonName is the copy from the input.
	CommonName *string
	// DNSNames are the copies from the input.
	DNSNames []string
	// CSR is the copy from the input.
	CSR []byte
	// Renew is the flag if this was a renew request.
	Renew bool
	// Err contains the obtain request error.
	Err error
}

ObtainOutput is the result of the certificate obtain request.

type Obtainer added in v0.2.10

type Obtainer interface {
	// Obtain starts the async obtain request.
	Obtain(input ObtainInput) error
}

Obtainer provides a Obtain method to start a certificate request

func NewObtainer added in v0.2.10

func NewObtainer() Obtainer

NewObtainer creates a new Obtainer

type ObtainerCallback

type ObtainerCallback func(output *ObtainOutput)

ObtainerCallback is callback function type

type PendingCertificateRequests

type PendingCertificateRequests struct {
	// contains filtered or unexported fields
}

PendingCertificateRequests contains the pending certificate requests.

func NewPendingRequests

func NewPendingRequests() *PendingCertificateRequests

NewPendingRequests creates a new PendingCertificateRequests

func (*PendingCertificateRequests) Add

Add adds a certificate object name.

func (*PendingCertificateRequests) Contains

Contains check if a certificate object name is pending.

func (*PendingCertificateRequests) Remove

Remove removes a certificate object name from the pending list.

type PendingResults

type PendingResults struct {
	// contains filtered or unexported fields
}

PendingResults caches the ObtainOutput results.

func NewPendingResults

func NewPendingResults() *PendingResults

NewPendingResults creates a new PendingResults.

func (*PendingResults) Add

func (pr *PendingResults) Add(name resources.ObjectName, result *ObtainOutput)

Add adds a object name / ObtainOutput pair.

func (*PendingResults) Peek added in v0.2.16

Peek fetches a pending result by object name.

func (*PendingResults) Remove

func (pr *PendingResults) Remove(name resources.ObjectName)

Remove removes a pending result by object name.

type ProviderWithCount

type ProviderWithCount interface {
	challenge.Provider
	GetChallengesCount() int
	// GetPendingTXTRecordError returns error with details if a TXT record for DNS challenge is not ready.
	GetPendingTXTRecordError() error
}

ProviderWithCount is an extended Provider interface.

type RegistrationUser

type RegistrationUser struct {
	// contains filtered or unexported fields
}

RegistrationUser contains the data of a registration user.

func NewRegistrationUserFromEmail

func NewRegistrationUserFromEmail(issuerKey utils.IssuerKey,
	email string, caDirURL string, secretData map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)

NewRegistrationUserFromEmail generates a private key and requests a new registration for the user.

func NewRegistrationUserFromEmailAndPrivateKey

func NewRegistrationUserFromEmailAndPrivateKey(issuerKey utils.IssuerKey,
	email string, caDirURL string, privateKey crypto.PrivateKey, eabKid, eabHmacKey string) (*RegistrationUser, error)

NewRegistrationUserFromEmailAndPrivateKey requests a user registration.

func RegistrationUserFromSecretData

func RegistrationUserFromSecretData(issuerKey utils.IssuerKey,
	email, caDirURL string, registrationRaw []byte, data map[string][]byte, eabKeyID, eabHmacKey string) (*RegistrationUser, error)

RegistrationUserFromSecretData restores a RegistrationUser from a secret data map.

func (*RegistrationUser) CADirURL added in v0.12.0

func (u *RegistrationUser) CADirURL() string

CADirURL returns the URL of the ACME directory server

func (*RegistrationUser) EabHmacKey added in v0.12.0

func (u *RegistrationUser) EabHmacKey() string

EabHmacKey returns the MAC key if it is an external account binding

func (*RegistrationUser) EabKeyID added in v0.12.0

func (u *RegistrationUser) EabKeyID() string

EabKeyID returns the key ID if it is an external account binding

func (*RegistrationUser) GetEmail

func (u *RegistrationUser) GetEmail() string

GetEmail returns the email of the registration user.

func (*RegistrationUser) GetPrivateKey

func (u *RegistrationUser) GetPrivateKey() crypto.PrivateKey

GetPrivateKey returns the private key of the registration user.

func (*RegistrationUser) GetRegistration

func (u *RegistrationUser) GetRegistration() *registration.Resource

GetRegistration returns the registration resource.

func (*RegistrationUser) NewConfig

func (u *RegistrationUser) NewConfig(caDirURL string) *lego.Config

NewConfig creates a new lego config.

func (*RegistrationUser) RawRegistration

func (u *RegistrationUser) RawRegistration() ([]byte, error)

RawRegistration returns the registration as a byte array.

func (*RegistrationUser) ToSecretData

func (u *RegistrationUser) ToSecretData() (map[string][]byte, error)

ToSecretData returns the registration user as a secret data map.

type TLSKeyPair added in v0.12.0

type TLSKeyPair struct {
	Cert x509.Certificate
	Key  crypto.PrivateKey
}

TLSKeyPair contains a certificate and a private key.

func CAKeyPairFromSecretData added in v0.12.0

func CAKeyPairFromSecretData(data map[string][]byte) (*TLSKeyPair, error)

CAKeyPairFromSecretData restores a TLSKeyPair from a secret data map.

func (*TLSKeyPair) RawCertInfo added in v0.12.0

func (c *TLSKeyPair) RawCertInfo() ([]byte, error)

RawCertInfo returns some info from the CA Certificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL