Documentation ¶
Index ¶
- Constants
- Variables
- func AdjustToClockSkew(t time.Time) time.Time
- func ControlPlaneSecretDataKeyCertificatePEM(name string) string
- func ControlPlaneSecretDataKeyPrivateKey(name string) string
- func SelfGenerateTLSServerCertificate(name string, dnsNames []string, ips []net.IP) (cert *Certificate, ca *Certificate, dir string, rErr error)
- type BasicAuth
- type BasicAuthSecretConfig
- type Bundle
- type CertType
- type Certificate
- type CertificateBundleSecretConfig
- type CertificateSecretConfig
- type ConfigInterface
- type ControlPlane
- type ControlPlaneSecretConfig
- type DataInterface
- type ETCDEncryptionKey
- type ETCDEncryptionKeySecretConfig
- type KubeConfigRequest
- type Kubeconfig
- type KubeconfigSecretConfig
- type RSAKeys
- type RSAPrivateKeyBundleSecretConfig
- type RSASecretConfig
- type StaticToken
- type StaticTokenSecretConfig
- type Token
- type TokenConfig
- type VPNTLSAuth
- type VPNTLSAuthConfig
Constants ¶
const (
	// BasicAuthFormatNormal indicates that the data map should be rendered the normal way (dedicated keys for
	// username and password). It is the only format this package supports.
	BasicAuthFormatNormal formatType = "normal"
	// DataKeyUserName is the key in a secret data holding the username.
	DataKeyUserName = "username"
	// DataKeyPassword is the key in a secret data holding the (plaintext) password.
	DataKeyPassword = "password"
	// DataKeyAuth is the key in a secret data holding the basic authentication schemed credentials pair as string.
	// The exact encoding of that pair is produced by BasicAuth.SecretData and is not visible here — confirm it
	// against that method before parsing the value elsewhere.
	DataKeyAuth = "auth"
)
const (
	// DataKeyCertificateBundle is the key in the data map for the certificate bundle (see Bundle.SecretData).
	DataKeyCertificateBundle = "bundle.crt"
	// DataKeyPrivateKeyBundle is the key in the data map for the private key bundle. The value is key material
	// and must be handled with the same care as DataKeyPrivateKey.
	DataKeyPrivateKeyBundle = "bundle.key"
)
const (
	// CACert indicates that the certificate should be a certificate authority.
	CACert CertType = "ca"
	// ServerCert indicates that the certificate should have the ExtKeyUsageServerAuth usage.
	ServerCert CertType = "server"
	// ClientCert indicates that the certificate should have the ExtKeyUsageClientAuth usage.
	ClientCert CertType = "client"
	// ServerClientCert indicates that the certificate should have both the ExtKeyUsageServerAuth and
	// ExtKeyUsageClientAuth usage. Prefer ServerCert or ClientCert when only one role is needed, so that a
	// leaked key cannot be reused for the other role.
	ServerClientCert CertType = "both"

	// DataKeyCertificate is the key in a secret data holding the certificate.
	DataKeyCertificate = "tls.crt"
	// DataKeyPrivateKey is the key in a secret data holding the private key.
	DataKeyPrivateKey = "tls.key"
	// DataKeyCertificateCA is the key in a secret data or config map data holding the CA certificate.
	// The CA certificate is public and may be distributed through a ConfigMap.
	DataKeyCertificateCA = "ca.crt"
	// DataKeyPrivateKeyCA is the key in a secret data holding the CA private key. Unlike DataKeyCertificateCA
	// this entry belongs in a Secret only, never in a ConfigMap.
	DataKeyPrivateKeyCA = "ca.key"
)
// Values for CertificateSecretConfig.PKCS selecting the encoding of the generated RSA private key.
// These are private key encodings, not certificate formats.
const (
	// PKCS1 selects the PKCS #1 private key encoding. Because it is the iota zero value, a
	// CertificateSecretConfig that leaves PKCS unset gets this encoding.
	PKCS1 = iota
	// PKCS8 selects the PKCS #8 private key encoding.
	PKCS8
)
const (
	// DataKeyEncryptionKeyName is the key in a secret data holding the name of the encryption key.
	DataKeyEncryptionKeyName = "key"
	// DataKeyEncryptionSecret is the key in a secret data holding the secret, i.e. the encryption key material
	// itself (see ETCDEncryptionKey.SecretData).
	DataKeyEncryptionSecret = "secret"
)
const (
	// DataKeyRSAPrivateKey is the key in a secret data holding the RSA private key.
	DataKeyRSAPrivateKey = "id_rsa"
	// DataKeySSHAuthorizedKeys is the key in a secret data holding the OpenSSH authorized keys
	// (the public half; see RSAKeys.OpenSSHAuthorizedKey).
	DataKeySSHAuthorizedKeys = "id_rsa.pub"
)
const (
	// DataKeyStaticTokenCSV is the key in a secret data holding the CSV format of a secret.
	// The gosec suppression below is for the file-name-like literal, which only names a data key.
	DataKeyStaticTokenCSV = "static_tokens.csv" // #nosec G101 -- No credential.
	// DataKeyToken is the key in a secret data holding the token.
	DataKeyToken = "token"
)
// DataKeyKubeconfig is the key in a secret data holding the kubeconfig. A kubeconfig typically embeds
// client credentials (see KubeconfigSecretConfig.AuthInfo), so this entry is as sensitive as a private key.
const DataKeyKubeconfig = "kubeconfig"
DataKeyKubeconfig is the key in a secret data holding the kubeconfig.
// DataKeyVPNTLSAuth is the key in a secret data holding the vpn tlsauth key (see VPNTLSAuth.SecretData).
const DataKeyVPNTLSAuth = "vpn.tlsauth"
DataKeyVPNTLSAuth is the key in a secret data holding the vpn tlsauth key.
// TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is a constant for the pattern used when creating
// a temporary directory for self-generated certificates (see SelfGenerateTLSServerCertificate, which returns
// the created directory to its caller).
const TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern = "self-generated-server-certificates-"
TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is a constant for the pattern used when creating a temporary directory for self-generated certificates.
Variables ¶
// Test seams. All of these are exported, mutable package-level variables: any importer can reassign them.
// The Fake* values produce fixed, publicly known outputs and exist only to make tests deterministic; they
// must never be wired into a non-test code path, because every secret derived from them is worthless.
var (
	// GenerateRandomString is an alias for utils.GenerateRandomString. Exposed for testing.
	GenerateRandomString = utils.GenerateRandomString
	// FakeGenerateRandomString is a fake for GenerateRandomString. It returns n underscores, i.e. a
	// completely predictable "random" string.
	FakeGenerateRandomString = func(n int) (string, error) {
		return strings.Repeat("_", n), nil
	}

	// GenerateKey is an alias for rsa.GenerateKey. Exposed for testing.
	GenerateKey = rsa.GenerateKey
	// FakeGenerateKey is a fake for GenerateKey. It ignores the requested bit size and the entropy source
	// and always returns the RSA private key committed below. That key is public by construction; any
	// certificate or SSH key produced while GenerateKey points here offers no confidentiality or authenticity.
	FakeGenerateKey = func(_ io.Reader, _ int) (*rsa.PrivateKey, error) {
		return utils.DecodePrivateKey([]byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAyV6ZuR4gSzCF/zO06xEv6RGmDUnXOHAZVck4pVhY/Id8j2zj
rVlBZp1klARK/Mt1BPOmRKQtg753UCewYjpRdThyzsicKz4Flg4m72p57bWs/wi+
j2N5Rc0eF98Ry//FY6Gbs5VJViz7WSfEoXaSFEYIkv+CKKAQ9J0kkiYztiyz+p/u
SD7sIOAVksj4M5/D+4GVtqJV+4aSdUotoueehJ1fwmc/ZTsczMXAnLcV6BP9N0GX
5bUBW+s/HSMLndEy+GSye1KdgLZilzAodmtetQdLYCOXZsivfdCeF8lsLjLV/ouA
M+FwwM5QbU1i+iYRqVk8Apyzs9WMvuAp8mq5UQIDAQABAoH/O8fZ2xsWezvsi9bN
3vs7PfX/VfKV8itVWiJirrOLt2yBjhLFhLD6uXwAX/DmUiYUl2O9+KLE4FerFCC0
PHUTubkIXFsyAaRoBCQvauQxTmCg+xWdfPQLDK3YQT34CpfkAa/4iVfIbczs0Yr8
1PJea6Ze5UT1Xxol7ni4Yqr0ryAPbJBn+18OifcSxh2H+d7+AEFo/Vg2LVFTiuhW
kpg2xvkmSFjOcIWGUYOlwwnaOjlhiAmCntCAXbz2Ly44rfJlBLzfAAB5CqGzDs2B
Z0YGZoFPQurxkzNGh2d9sV0aHcyf4ZwSbvcsd4gvBhpSp2/Q/mvfdl4av5cKnsli
WJWxAoGBAOqdWcE42I/botGEIfqxssHKyxqQld8RiXjAypPlhx8uRH949sToevZs
BVCgLId8mPJxuTSvbgbdHyZ14dzc+cIcDSNnW8anUTW98lmwTWIJN/awOTSlgpV2
4wBdVCLxlutsE6fEQTIJRkQ+XeVV0n8hOiz4GJQWLV1pp1rzYy73AoGBANu5fKR7
8FXWAfC5zmJAkisK02l7FeRQoHUfgACLE74Vt3BEZhLJHpYTJZrYi9r/buMsi52g
+Rgz4pItgy85ibe21+5G6yQtQP68mjnecMEjSZIa8G6RoY13Ki4+UOysGWul48rR
Lwq75Cv+0AHUS0A9NxYrY+X2Q9cLsg6Mm5/3AoGBAOe38WX9lya+btkv/79ysnLk
sCTUmLFwyK4S/AGGuSX6tHySJGfmlUu89KLlEBXg4c7Ss3FtsuXkj1eVJjbVqXgl
7HQDKYnSx0qlCC+9CTDCmhtzgYyVy5uDiEBb7TV2FvD+FYulMh8ROe09C8/uK7CU
SLkRcHUSUkvohfo2WMeRAoGAa0hK2okFVPPUKLSgV4rNk6SKiyMlEkBnyCgkOJ+v
eQ1jbraG3D9E5uPcZZm716cGfndeiA1z8mRLCTKdre47Fu94yQfpgdVyua5e40h/
512Sa3spz+LdbZQ0jTWyD40MMGpkKcAvZt9MzkpxR6NfRrNc9T8kXMD8aMB2JPJ0
fgsCgYEAzBjM5L4kKcyF5mC1v6NyEaQB8Cve3gfFatLfFrjNwHbvdY5PEa/x0NqS
4qJs/0Ieluo9jRo5pPd0O1u9hDVeSh2sSs9fzOtjHzbnZ7o8pTY3dzMBhO7fxPBU
i/WyG5dokMowEJSvpCBwHbAYMLlNK7oMUpXlqcRoYo24U6Mwj68=
-----END RSA PRIVATE KEY-----`))
	}

	// GenerateVPNKey is an alias for generateVPNKey. Exposed for testing.
	GenerateVPNKey = generateVPNKey
	// FakeGenerateVPNKey is a fake for GenerateVPNKey. It returns the literal bytes "key".
	FakeGenerateVPNKey = func() ([]byte, error) {
		return []byte("key"), nil
	}

	// Clock is an alias for clock.RealClock. Exposed for testing. Replacing it affects every time-based
	// decision in this package (presumably certificate validity windows — confirm against the generators).
	Clock clock.Clock = clock.RealClock{}
)
Functions ¶
func AdjustToClockSkew ¶ added in v1.106.0
AdjustToClockSkew adjusts the given time by the maximum allowed clock skew, because skew between the machine that issues a credential and the one that validates it can otherwise cause non-trivial errors (for example a freshly issued certificate being rejected as not yet valid). The size and direction of the adjustment are fixed by the implementation and are not visible on this page.
func ControlPlaneSecretDataKeyCertificatePEM ¶ added in v1.10.0
ControlPlaneSecretDataKeyCertificatePEM returns the data key inside a Secret of type ControlPlane whose value contains the certificate PEM.
func ControlPlaneSecretDataKeyPrivateKey ¶ added in v1.10.0
ControlPlaneSecretDataKeyPrivateKey returns the data key inside a Secret of type ControlPlane whose value contains the private key PEM.
func SelfGenerateTLSServerCertificate ¶ added in v1.5.0
func SelfGenerateTLSServerCertificate(name string, dnsNames []string, ips []net.IP) (cert *Certificate, ca *Certificate, dir string, rErr error)
SelfGenerateTLSServerCertificate generates a new CA certificate and signs a server certificate with it. It stores the generated CA and server certificate bytes in a temporary directory (created using TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern) under the default file names, e.g. `DataKeyCertificateCA`. The function returns the server and CA *Certificate objects as well as the path of that temporary directory. It does not remove the directory: the caller owns it and should delete it once the files are no longer needed. Note that the returned *Certificate values carry the private keys, and the directory may hold them as well — check which files are written before treating the directory as non-sensitive.
Types ¶
type BasicAuth ¶
// BasicAuth contains the username, the password and optionally a hash of the password.
type BasicAuth struct {
	// Name is the name of the secret.
	Name string
	// Username is the basic auth username.
	Username string
	// Password is the plaintext password; sensitive.
	Password string
	// contains filtered or unexported fields
}
BasicAuth contains the username, the password and optionally a hash of the password.
func (*BasicAuth) SecretData ¶
SecretData computes the data map which can be used in a Kubernetes secret.
type BasicAuthSecretConfig ¶
// BasicAuthSecretConfig contains the specification for a to-be-generated basic authentication secret.
type BasicAuthSecretConfig struct {
	// Name is the name of the secret.
	Name string

	// Format is the format type.
	//
	// Do not remove this field, even though the field is not used and there is only one supported format ("normal").
	// The secret manager computes the Secret hash based on the config object (BasicAuthSecretConfig). A field removal in the
	// BasicAuthSecretConfig object would compute a new Secret hash and this would lead the existing Secrets to be regenerated.
	// Hence, usages of the BasicAuthSecretConfig should continue to pass the Format field with value "normal".
	Format formatType

	// Username is the username to put into the secret.
	Username string
	// PasswordLength is the length of the password to generate. Longer is stronger; choose it according
	// to the consumer of the credential.
	PasswordLength int
}
BasicAuthSecretConfig contains the specification for a to-be-generated basic authentication secret.
func (*BasicAuthSecretConfig) Generate ¶
func (s *BasicAuthSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*BasicAuthSecretConfig) GetName ¶
func (s *BasicAuthSecretConfig) GetName() string
GetName returns the name of the secret.
type Bundle ¶ added in v1.48.0
Bundle contains the name and the generated certificate bundle.
func (*Bundle) SecretData ¶ added in v1.48.0
SecretData computes the data map which can be used in a Kubernetes secret.
type CertType ¶ added in v1.32.0
// CertType is a string alias for certificate types. See CACert, ServerCert, ClientCert and ServerClientCert.
type CertType string
CertType is a string alias for certificate types.
type Certificate ¶
// Certificate contains the private key and the certificate. For a non-CA certificate it also holds the
// signing CA in the CA field; for a CA certificate that field is nil.
type Certificate struct {
	// Name is the name of the secret.
	Name string

	// CA is the certificate authority this certificate was signed with; nil for a CA certificate.
	CA *Certificate
	// CertType is the type of this certificate (CACert, ServerCert, ClientCert or ServerClientCert).
	CertType CertType

	// SkipPublishingCACertificate controls whether the CA certificate is published alongside this
	// certificate; the exact effect is decided by SecretData.
	SkipPublishingCACertificate bool
	// IncludeCACertificateInServerChain controls whether the CA certificate is appended to the server
	// certificate chain; the exact effect is decided by SecretData.
	IncludeCACertificateInServerChain bool

	// PrivateKey is the parsed private key; sensitive.
	PrivateKey *rsa.PrivateKey
	// PrivateKeyPEM is the PEM-encoded private key; sensitive.
	PrivateKeyPEM []byte

	// Certificate is the parsed x509 certificate.
	Certificate *x509.Certificate
	// CertificatePEM is the PEM-encoded certificate.
	CertificatePEM []byte
}
Certificate contains the private key and the certificate. For a non-CA certificate it also contains the signing CA in the CA field; for a CA certificate that field is nil.
func LoadCertificate ¶
func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte) (*Certificate, error)
LoadCertificate takes a byte slice representation of a certificate and the corresponding private key, and returns a *Certificate holding the de-serialized private key, the parsed x509 certificate (usable as a template to sign other x509 certificates) and the PEM-encoded certificate.
func (*Certificate) SecretData ¶
func (c *Certificate) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type CertificateBundleSecretConfig ¶ added in v1.43.0
CertificateBundleSecretConfig is configuration for certificate bundles.
func (*CertificateBundleSecretConfig) Generate ¶ added in v1.43.0
func (s *CertificateBundleSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*CertificateBundleSecretConfig) GetName ¶ added in v1.43.0
func (s *CertificateBundleSecretConfig) GetName() string
GetName returns the name of the secret.
type CertificateSecretConfig ¶
// CertificateSecretConfig contains the specification for a to-be-generated CA, server, or client certificate.
// It always contains a 3072-bit RSA private key.
type CertificateSecretConfig struct {
	// Name is the name of the secret.
	Name string

	// CommonName is the subject common name of the certificate.
	CommonName string
	// Organization is the subject organization list of the certificate.
	Organization []string
	// DNSNames are the DNS subject alternative names of the certificate.
	DNSNames []string
	// IPAddresses are the IP subject alternative names of the certificate.
	IPAddresses []net.IP

	// CertType is the type of the certificate (CACert, ServerCert, ClientCert or ServerClientCert).
	CertType CertType
	// SigningCA is the CA used to sign the certificate. How a nil value is handled (e.g. for CACert)
	// is decided by Generate and not visible here.
	SigningCA *Certificate
	// PKCS selects the private key encoding (PKCS1 or PKCS8). The zero value means PKCS1.
	PKCS int

	// Validity is the certificate validity duration. A nil value presumably selects a built-in default
	// — confirm against Generate.
	Validity *time.Duration

	// SkipPublishingCACertificate and IncludeCACertificateInServerChain are copied into the resulting Certificate.
	SkipPublishingCACertificate       bool
	IncludeCACertificateInServerChain bool
}
CertificateSecretConfig contains the specification for a to-be-generated CA, server, or client certificate. It always contains a 3072-bit RSA private key.
func (*CertificateSecretConfig) Generate ¶
func (s *CertificateSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*CertificateSecretConfig) GenerateCertificate ¶
func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)
GenerateCertificate is the same as Generate but returns a *Certificate instead of the DataInterface.
func (*CertificateSecretConfig) GetName ¶
func (s *CertificateSecretConfig) GetName() string
GetName returns the name of the secret.
type ConfigInterface ¶
// ConfigInterface defines the functions needed for generating a specific secret.
type ConfigInterface interface {
	// GetName returns the name of the configuration.
	GetName() string
	// Generate produces the DataInterface holding the generated secret data.
	Generate() (DataInterface, error)
}
ConfigInterface define functions needed for generating a specific secret.
type ControlPlane ¶
// ControlPlane contains the certificate, and optionally the basic auth information, a token and a kubeconfig.
type ControlPlane struct {
	// Name is the name of the secret.
	Name string

	// Certificate is the generated server/client certificate.
	Certificate *Certificate
	// BasicAuth is the optional basic authentication credential.
	BasicAuth *BasicAuth
	// Token is the optional bearer token.
	Token *Token
	// Kubeconfig is the optional serialized kubeconfig; it embeds credentials and is sensitive.
	Kubeconfig []byte
}
ControlPlane contains the certificate, and optionally the basic auth. information as well as a Kubeconfig.
func (*ControlPlane) SecretData ¶
func (c *ControlPlane) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type ControlPlaneSecretConfig ¶
// ControlPlaneSecretConfig wraps a CertificateSecretConfig and extends it with a couple of additional
// properties. A control plane secret always contains a server/client certificate and optionally a kubeconfig.
type ControlPlaneSecretConfig struct {
	// Name is the name of the secret.
	Name string

	// CertificateSecretConfig describes the certificate to generate.
	CertificateSecretConfig *CertificateSecretConfig

	// BasicAuth is the optional basic authentication credential to embed.
	BasicAuth *BasicAuth
	// Token is the optional bearer token to embed.
	Token *Token

	// KubeConfigRequests describes the kubeconfigs to generate.
	KubeConfigRequests []KubeConfigRequest
}
ControlPlaneSecretConfig wraps a CertificateSecretConfig (through its CertificateSecretConfig field — Go has no inheritance) and extends it with a couple of additional properties. A control plane secret always contains a server/client certificate and optionally a kubeconfig.
func (*ControlPlaneSecretConfig) Generate ¶
func (s *ControlPlaneSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*ControlPlaneSecretConfig) GetName ¶
func (s *ControlPlaneSecretConfig) GetName() string
GetName returns the name of the secret.
type DataInterface ¶ added in v1.8.0
// DataInterface defines the functions needed for defining the data map of a Kubernetes secret.
type DataInterface interface {
	// SecretData computes the data map which can be used in a Kubernetes secret. The values are raw
	// (unencoded) bytes; the map contains key material and must be treated as sensitive.
	SecretData() map[string][]byte
}
DataInterface defines functions needed for defining the data map of a Kubernetes secret.
type ETCDEncryptionKey ¶ added in v1.44.0
ETCDEncryptionKey contains the generated key.
func (*ETCDEncryptionKey) SecretData ¶ added in v1.44.0
func (b *ETCDEncryptionKey) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type ETCDEncryptionKeySecretConfig ¶ added in v1.44.0
ETCDEncryptionKeySecretConfig contains the specification for a to-be-generated random key.
func (*ETCDEncryptionKeySecretConfig) Generate ¶ added in v1.44.0
func (s *ETCDEncryptionKeySecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*ETCDEncryptionKeySecretConfig) GetName ¶ added in v1.44.0
func (s *ETCDEncryptionKeySecretConfig) GetName() string
GetName returns the name of the secret.
type KubeConfigRequest ¶
KubeConfigRequest is a struct which holds information about a Kubeconfig to be generated.
type Kubeconfig ¶ added in v1.43.0
// Kubeconfig contains the name and the generated kubeconfig.
type Kubeconfig struct {
	// Name is the name of the secret.
	Name string

	// Kubeconfig is the generated client configuration. It carries the credentials from
	// KubeconfigSecretConfig.AuthInfo and is therefore sensitive.
	Kubeconfig *clientcmdv1.Config
	// contains filtered or unexported fields
}
Kubeconfig contains the name and the generated kubeconfig.
func (*Kubeconfig) SecretData ¶ added in v1.43.0
func (v *Kubeconfig) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type KubeconfigSecretConfig ¶ added in v1.43.0
// KubeconfigSecretConfig is configuration for kubeconfig secrets.
type KubeconfigSecretConfig struct {
	// Name is the name of the secret.
	Name string
	// ContextName is the name of the context written into the kubeconfig.
	ContextName string

	// Cluster is the cluster entry (server address, CA data) written into the kubeconfig.
	Cluster clientcmdv1.Cluster
	// AuthInfo is the user entry written into the kubeconfig; it typically contains credentials.
	AuthInfo clientcmdv1.AuthInfo
}
KubeconfigSecretConfig is configuration for kubeconfig secrets.
func (*KubeconfigSecretConfig) Generate ¶ added in v1.43.0
func (s *KubeconfigSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*KubeconfigSecretConfig) GetName ¶ added in v1.43.0
func (s *KubeconfigSecretConfig) GetName() string
GetName returns the name of the secret.
type RSAKeys ¶
// RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.
type RSAKeys struct {
	// Name is the name of the secret.
	Name string

	// PrivateKey is the generated RSA private key; sensitive.
	PrivateKey *rsa.PrivateKey
	// PublicKey is the corresponding public key.
	PublicKey *rsa.PublicKey

	// OpenSSHAuthorizedKey is the public key in OpenSSH authorized_keys format (stored under
	// DataKeySSHAuthorizedKeys), if present.
	OpenSSHAuthorizedKey []byte
}
RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.
func (*RSAKeys) SecretData ¶
SecretData computes the data map which can be used in a Kubernetes secret.
type RSAPrivateKeyBundleSecretConfig ¶ added in v1.48.0
RSAPrivateKeyBundleSecretConfig is configuration for RSA private key bundles (stored under DataKeyPrivateKeyBundle).
func (*RSAPrivateKeyBundleSecretConfig) Generate ¶ added in v1.48.0
func (s *RSAPrivateKeyBundleSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*RSAPrivateKeyBundleSecretConfig) GetName ¶ added in v1.48.0
func (s *RSAPrivateKeyBundleSecretConfig) GetName() string
GetName returns the name of the secret.
type RSASecretConfig ¶
RSASecretConfig contains information about the number of bits to use for the to-be-created RSA private key.
func (*RSASecretConfig) Generate ¶
func (s *RSASecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*RSASecretConfig) GetName ¶
func (s *RSASecretConfig) GetName() string
GetName returns the name of the secret.
type StaticToken ¶
StaticToken contains the name and the generated static tokens. Tokens can be looked up per username via GetTokenForUsername, and SecretData serializes them into the CSV format stored under DataKeyStaticTokenCSV.
func LoadStaticTokenFromCSV ¶
func LoadStaticTokenFromCSV(name string, data []byte) (*StaticToken, error)
LoadStaticTokenFromCSV loads the static token data from the given CSV-formatted <data>.
func (*StaticToken) GetTokenForUsername ¶
func (b *StaticToken) GetTokenForUsername(username string) (*Token, error)
GetTokenForUsername returns the token for the given username.
func (*StaticToken) SecretData ¶
func (b *StaticToken) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type StaticTokenSecretConfig ¶
// StaticTokenSecretConfig contains the specification for a to-be-generated static token secret.
type StaticTokenSecretConfig struct {
	// Name is the name of the secret.
	Name string

	// Tokens maps a username to the configuration of the token to generate for it.
	Tokens map[string]TokenConfig
}
StaticTokenSecretConfig contains the specification for a to-be-generated static token secret.
func (*StaticTokenSecretConfig) Generate ¶
func (s *StaticTokenSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*StaticTokenSecretConfig) GetName ¶
func (s *StaticTokenSecretConfig) GetName() string
GetName returns the name of the secret.
type TokenConfig ¶
TokenConfig contains configuration for a token.
type VPNTLSAuth ¶ added in v1.7.0
VPNTLSAuth contains the name and the generated vpn tls authentication key.
func (*VPNTLSAuth) SecretData ¶ added in v1.7.0
func (v *VPNTLSAuth) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type VPNTLSAuthConfig ¶ added in v1.7.0
VPNTLSAuthConfig contains the specification for a to-be-generated vpn tls authentication secret. The key is generated by the provided VPNTLSAuthKeyGenerator. If no generator function is specified, the openvpn command is used by default to generate the key, so the openvpn binary must then be available to the process.
func (*VPNTLSAuthConfig) Generate ¶ added in v1.7.0
func (s *VPNTLSAuthConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*VPNTLSAuthConfig) GetName ¶ added in v1.7.0
func (s *VPNTLSAuthConfig) GetName() string
GetName returns the name of the secret.