Documentation ¶
Index ¶
- Constants
- func GenerateCertificateAuthorities(k8sClusterClient kubernetes.Interface, ...) (map[string]*corev1.Secret, map[string]*Certificate, error)
- func GenerateClusterSecrets(ctx context.Context, k8sClusterClient kubernetes.Interface, ...) (map[string]*corev1.Secret, error)
- type BasicAuth
- type BasicAuthSecretConfig
- type Certificate
- type CertificateSecretConfig
- type ConfigInterface
- type ControlPlane
- type ControlPlaneSecretConfig
- type Interface
- type KubeConfigRequest
- type RSAKeys
- type RSASecretConfig
- type Secrets
- type StaticToken
- type StaticTokenSecretConfig
- type Token
- type TokenConfig
Constants ¶
const ( // BasicAuthFormatNormal indicates that the data map should be rendered the normal way (dedicated keys for // username and password. BasicAuthFormatNormal formatType = "normal" // BasicAuthFormatCSV indicates that the data map should be rendered in the CSV-format. BasicAuthFormatCSV formatType = "csv" // DataKeyCSV is the key in a secret data holding the CSV format of a secret. DataKeyCSV = "basic_auth.csv" // DataKeyUserName is the key in a secret data holding the username. DataKeyUserName = "username" // DataKeyPassword is the key in a secret data holding the password. DataKeyPassword = "password" // DataKeyPasswordBcryptHash is the key in a secret data holding the bcrypt hash of the password. DataKeyPasswordBcryptHash = "bcryptPasswordHash" )
const ( // CACert indicates that the certificate should be a certificate authority. CACert certType = "ca" // ServerCert indicates that the certificate should have the ExtKeyUsageServerAuth usage. ServerCert certType = "server" // ClientCert indicates that the certificate should have the ExtKeyUsageClientAuth usage. ClientCert certType = "client" // ServerClientCert indicates that the certificate should have both the ExtKeyUsageServerAuth and ExtKeyUsageClientAuth usage. ServerClientCert certType = "both" // DataKeyCertificate is the key in a secret data holding the certificate. DataKeyCertificate = "tls.crt" // DataKeyPrivateKey is the key in a secret data holding the private key. DataKeyPrivateKey = "tls.key" // DataKeyCertificateCA is the key in a secret data holding the CA certificate. DataKeyCertificateCA = "ca.crt" // DataKeyPrivateKeyCA is the key in a secret data holding the CA private key. DataKeyPrivateKeyCA = "ca.key" )
const ( // PKCS1 certificate format PKCS1 = iota // PKCS8 certificate format PKCS8 )
const ( // DataKeyRSAPrivateKey is the key in a secret data holding the RSA private key. DataKeyRSAPrivateKey = "id_rsa" // DataKeySSHAuthorizedKeys is the key in a secret data holding the OpenSSH authorized keys. DataKeySSHAuthorizedKeys = "id_rsa.pub" )
const ( // DataKeyStaticTokenCSV is the key in a secret data holding the CSV format of a secret. DataKeyStaticTokenCSV = "static_tokens.csv" // DataKeyUserID is the key in a secret data holding the userID. DataKeyUserID = "userID" // DataKeyGroups is the key in a secret data holding the groups. DataKeyGroups = "groups" // DataKeyToken is the key in a secret data holding the token. DataKeyToken = "token" )
const (
// DataKeyKubeconfig is the key in a secret data holding the kubeconfig.
DataKeyKubeconfig = "kubeconfig"
)
Variables ¶
This section is empty.
Functions ¶
func GenerateCertificateAuthorities ¶
func GenerateCertificateAuthorities(k8sClusterClient kubernetes.Interface, existingSecretsMap map[string]*corev1.Secret, wantedCertificateAuthorities map[string]*CertificateSecretConfig, namespace string) (map[string]*corev1.Secret, map[string]*Certificate, error)
GenerateCertificateAuthorities get a map of wanted certificates and check If they exist in the existingSecretsMap based on the keys in the map. If they exist it get only the certificate from the corresponding existing secret and makes a certificate Interface from the existing secret. If there is no existing secret contaning the wanted certificate, we make one certificate and with it we deploy in K8s cluster a secret with that certificate and then return the newly existing secret. The function returns a map of secrets contaning the wanted CA, a map with the wanted CA certificate and an error.
func GenerateClusterSecrets ¶
func GenerateClusterSecrets(ctx context.Context, k8sClusterClient kubernetes.Interface, existingSecretsMap map[string]*corev1.Secret, wantedSecretsList []ConfigInterface, namespace string) (map[string]*corev1.Secret, error)
GenerateClusterSecrets try to deploy in the k8s cluster each secret in the wantedSecretsList. If the secret already exist it jumps to the next one. The function returns a map with all of the successfully deployed wanted secrets plus those already deployed (only from the wantedSecretsList).
Types ¶
type BasicAuth ¶
type BasicAuth struct { Name string Format formatType Username string Password string BcryptPasswordHash string }
BasicAuth contains the username, the password, optionally hash of the password and the format for serializing the basic authentication
func LoadBasicAuthFromCSV ¶
LoadBasicAuthFromCSV loads the basic auth. username and the password from the given CSV-formatted <data>.
func (*BasicAuth) SecretData ¶
SecretData computes the data map which can be used in a Kubernetes secret.
type BasicAuthSecretConfig ¶
type BasicAuthSecretConfig struct { Name string Format formatType Username string PasswordLength int BcryptPasswordHashRequest bool }
BasicAuthSecretConfig contains the specification a to-be-generated basic authentication secret.
func (*BasicAuthSecretConfig) Generate ¶
func (s *BasicAuthSecretConfig) Generate() (Interface, error)
Generate implements ConfigInterface.
func (*BasicAuthSecretConfig) GenerateBasicAuth ¶
func (s *BasicAuthSecretConfig) GenerateBasicAuth() (*BasicAuth, error)
GenerateBasicAuth computes a username,password and the hash of the password keypair. It uses "admin" as username and generates a random password of length 32.
func (*BasicAuthSecretConfig) GetName ¶
func (s *BasicAuthSecretConfig) GetName() string
GetName returns the name of the secret.
type Certificate ¶
type Certificate struct { Name string CA *Certificate PrivateKey *rsa.PrivateKey PrivateKeyPEM []byte Certificate *x509.Certificate CertificatePEM []byte }
Certificate contains the private key, and the certificate. It does also contain the CA certificate in case it is no CA. Otherwise, the <CA> field is nil.
func LoadCAFromSecret ¶
func LoadCAFromSecret(k8sClient client.Client, namespace, name string) (*corev1.Secret, *Certificate, error)
LoadCAFromSecret loads a CA certificate from an existing Kubernetes secret object. It returns the secret, the Certificate and an error.
func LoadCertificate ¶
func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte) (*Certificate, error)
LoadCertificate takes a byte slice representation of a certificate and the corresponding private key, and returns its de-serialized private key, certificate template and PEM certificate which can be used to sign other x509 certificates.
func (*Certificate) SecretData ¶
func (c *Certificate) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type CertificateSecretConfig ¶
type CertificateSecretConfig struct { Name string CommonName string Organization []string DNSNames []string IPAddresses []net.IP CertType certType SigningCA *Certificate PKCS int Validity *time.Duration }
CertificateSecretConfig contains the specification a to-be-generated CA, server, or client certificate. It always contains a 2048-bit RSA private key.
func (*CertificateSecretConfig) Generate ¶
func (s *CertificateSecretConfig) Generate() (Interface, error)
Generate implements ConfigInterface.
func (*CertificateSecretConfig) GenerateCertificate ¶
func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)
GenerateCertificate computes a CA, server, or client certificate based on the configuration.
func (*CertificateSecretConfig) GetName ¶
func (s *CertificateSecretConfig) GetName() string
GetName returns the name of the secret.
type ConfigInterface ¶
ConfigInterface define functions needed for generating a specific secret.
type ControlPlane ¶
type ControlPlane struct { Name string Certificate *Certificate BasicAuth *BasicAuth Token *Token Kubeconfig []byte }
ControlPlane contains the certificate, and optionally the basic auth. information as well as a Kubeconfig.
func (*ControlPlane) SecretData ¶
func (c *ControlPlane) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type ControlPlaneSecretConfig ¶
type ControlPlaneSecretConfig struct { *CertificateSecretConfig BasicAuth *BasicAuth Token *Token KubeConfigRequest *KubeConfigRequest }
ControlPlaneSecretConfig is a struct which inherits from CertificateSecretConfig and is extended with a couple of additional properties. A control plane secret will always contain a server/client certificate and optionally a kubeconfig.
func (*ControlPlaneSecretConfig) Generate ¶
func (s *ControlPlaneSecretConfig) Generate() (Interface, error)
Generate implements ConfigInterface.
func (*ControlPlaneSecretConfig) GenerateControlPlane ¶
func (s *ControlPlaneSecretConfig) GenerateControlPlane() (*ControlPlane, error)
GenerateControlPlane computes a secret for a control plane component of the clusters managed by Gardener. It may include a Kubeconfig.
func (*ControlPlaneSecretConfig) GetName ¶
func (s *ControlPlaneSecretConfig) GetName() string
GetName returns the name of the secret.
type Interface ¶
Interface defines functions needed for defining the data map of a Kubernetes secret.
type KubeConfigRequest ¶
KubeConfigRequest is a struct which holds information about a Kubeconfig to be generated.
type RSAKeys ¶
type RSAKeys struct { Name string PrivateKey *rsa.PrivateKey PublicKey *rsa.PublicKey OpenSSHAuthorizedKey []byte }
RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.
func (*RSAKeys) SecretData ¶
SecretData computes the data map which can be used in a Kubernetes secret.
type RSASecretConfig ¶
RSASecretConfig containing information about the number of bits which should be used for the to-be-created RSA private key.
func (*RSASecretConfig) Generate ¶
func (s *RSASecretConfig) Generate() (Interface, error)
Generate implements ConfigInterface.
func (*RSASecretConfig) GenerateRSAKeys ¶
func (s *RSASecretConfig) GenerateRSAKeys() (*RSAKeys, error)
GenerateRSAKeys computes a RSA private key based on the configured number of bits.
func (*RSASecretConfig) GetName ¶
func (s *RSASecretConfig) GetName() string
GetName returns the name of the secret.
type Secrets ¶
type Secrets struct { CertificateSecretConfigs map[string]*CertificateSecretConfig SecretConfigsFunc func(map[string]*Certificate, string) []ConfigInterface }
Secrets represents a set of secrets that can be deployed and deleted.
type StaticToken ¶
StaticToken contains the username, the password, optionally hash of the password and the format for serializing the static token
func LoadStaticTokenFromCSV ¶
func LoadStaticTokenFromCSV(name string, data []byte) (*StaticToken, error)
LoadStaticTokenFromCSV loads the static token data from the given CSV-formatted <data>.
func (*StaticToken) GetTokenForUsername ¶
func (b *StaticToken) GetTokenForUsername(username string) (*Token, error)
GetTokenForUsername returns the token for the given username.
func (*StaticToken) SecretData ¶
func (b *StaticToken) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type StaticTokenSecretConfig ¶
type StaticTokenSecretConfig struct { Name string Tokens []TokenConfig }
StaticTokenSecretConfig contains the specification a to-be-generated static token secret.
func (*StaticTokenSecretConfig) Generate ¶
func (s *StaticTokenSecretConfig) Generate() (Interface, error)
Generate implements ConfigInterface.
func (*StaticTokenSecretConfig) GenerateStaticToken ¶
func (s *StaticTokenSecretConfig) GenerateStaticToken() (*StaticToken, error)
GenerateStaticToken computes a random token of length 64.
func (*StaticTokenSecretConfig) GetName ¶
func (s *StaticTokenSecretConfig) GetName() string
GetName returns the name of the secret.
type TokenConfig ¶
TokenConfig contains configuration for a token.