secrets

Constants

const (
	// BasicAuthFormatNormal indicates that the data map should be rendered the normal way (dedicated keys for
	// username and password). It is the only supported format; see BasicAuthSecretConfig.Format.
	BasicAuthFormatNormal formatType = "normal"

	// DataKeyUserName is the key in a secret data holding the username.
	DataKeyUserName = "username"
	// DataKeyPassword is the key in a secret data holding the password.
	DataKeyPassword = "password"
	// DataKeyAuth is the key in a secret data holding the basic authentication schemed credentials pair as string.
	// NOTE(review): the exact encoding of the pair is not visible here (presumably "username:password" or a
	// hashed variant — confirm against BasicAuth.SecretData); either way the value is as sensitive as the password.
	DataKeyAuth = "auth"
)
const (
	// DataKeyCertificateBundle is the key in the data map for the certificate bundle
	// (a concatenation of certificate PEMs, see CertificateBundleSecretConfig).
	DataKeyCertificateBundle = "bundle.crt"
	// DataKeyPrivateKeyBundle is the key in the data map for the private key bundle
	// (see RSAPrivateKeyBundleSecretConfig). Unlike bundle.crt this holds secret material.
	DataKeyPrivateKeyBundle = "bundle.key"
)
const (
	// CACert indicates that the certificate should be a certificate authority.
	CACert CertType = "ca"
	// ServerCert indicates that the certificate should have the ExtKeyUsageServerAuth usage.
	ServerCert CertType = "server"
	// ClientCert indicates that the certificate should have the ExtKeyUsageClientAuth usage.
	ClientCert CertType = "client"
	// ServerClientCert indicates that the certificate should have both the ExtKeyUsageServerAuth and ExtKeyUsageClientAuth usage.
	// Prefer the narrower ServerCert/ClientCert where a single role suffices.
	ServerClientCert CertType = "both"

	// DataKeyCertificate is the key in a secret data holding the certificate.
	DataKeyCertificate = "tls.crt"
	// DataKeyPrivateKey is the key in a secret data holding the private key.
	DataKeyPrivateKey = "tls.key"
	// DataKeyCertificateCA is the key in a secret data or config map data holding the CA certificate
	// (public material; the only one of these keys that is safe to place in a ConfigMap).
	DataKeyCertificateCA = "ca.crt"
	// DataKeyPrivateKeyCA is the key in a secret data holding the CA private key.
	// Whoever can read this value can mint certificates trusted under the CA; restrict access accordingly.
	DataKeyPrivateKeyCA = "ca.key"
)
const (
	// PKCS1 selects the PKCS #1 encoding ("RSA PRIVATE KEY") for the generated private key.
	// NOTE(review): PKCS #1 and PKCS #8 are private-key encodings, not certificate formats as the
	// original comment said; the selector is CertificateSecretConfig.PKCS.
	PKCS1 = iota
	// PKCS8 selects the PKCS #8 encoding ("PRIVATE KEY") for the generated private key.
	PKCS8
)
const (
	// DataKeyEncryptionKeyName is the key in a secret data holding the (etcd encryption) key name.
	DataKeyEncryptionKeyName = "key"
	// DataKeyEncryptionSecret is the key in a secret data holding the secret, i.e. the key material
	// itself (see ETCDEncryptionKey).
	DataKeyEncryptionSecret = "secret"
)
const (
	// DataKeyRSAPrivateKey is the key in a secret data holding the RSA private key.
	DataKeyRSAPrivateKey = "id_rsa"
	// DataKeySSHAuthorizedKeys is the key in a secret data holding the OpenSSH authorized keys
	// (the public half, see RSAKeys.OpenSSHAuthorizedKey).
	DataKeySSHAuthorizedKeys = "id_rsa.pub"
)
const (
	// DataKeyStaticTokenCSV is the key in a secret data holding the CSV format of a static token secret
	// (the value is parsed back by LoadStaticTokenFromCSV). The nosec annotation only silences the
	// "hardcoded credential" heuristic for this key name; the value stored under it is a credential.
	DataKeyStaticTokenCSV = "static_tokens.csv" // #nosec G101 -- No credential.
	// DataKeyToken is the key in a secret data holding the token.
	DataKeyToken = "token"
)
// DataKeyKubeconfig is the key in a secret data holding the kubeconfig. A kubeconfig carries
// its AuthInfo (see KubeconfigSecretConfig), so the value is as sensitive as those credentials.
const DataKeyKubeconfig = "kubeconfig"

DataKeyKubeconfig is the key in a secret data holding the kubeconfig.

// DataKeyVPNTLSAuth is the key in a secret data holding the vpn tlsauth key (a shared secret; see VPNTLSAuth).
const DataKeyVPNTLSAuth = "vpn.tlsauth"

DataKeyVPNTLSAuth is the key in a secret data holding the vpn tlsauth key.

// TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is a constant for the pattern used when creating a
// temporary directory for self-generated certificates (see SelfGenerateTLSServerCertificate). The directory
// may hold private keys, so it is the caller's job to remove it once no longer needed.
const TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern = "self-generated-server-certificates-"

TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is a constant for the pattern used when creating a temporary directory for self-generated certificates.

Variables

var (
	// GenerateRandomString is an alias for utils.GenerateRandomString. Exposed for testing.
	// NOTE(review): this is mutable package-level state — anything that reassigns it (not only
	// tests) changes the entropy of every secret generated afterwards, process-wide.
	GenerateRandomString = utils.GenerateRandomString
	// FakeGenerateRandomString is a fake for GenerateRandomString that returns n underscores.
	// It has no randomness at all and must only ever be installed in tests.
	FakeGenerateRandomString = func(n int) (string, error) {
		return strings.Repeat("_", n), nil
	}

	// GenerateKey is an alias for rsa.GenerateKey. Exposed for testing (same caveat as above).
	GenerateKey = rsa.GenerateKey
	// FakeGenerateKey is a fake for GenerateKey. It ignores both arguments (including the requested
	// bit size) and returns the same fixed RSA private key on every call. That key is embedded in
	// this source file and is therefore public: any certificate or SSH key produced while this
	// fake is installed provides no security whatsoever.
	FakeGenerateKey = func(_ io.Reader, _ int) (*rsa.PrivateKey, error) {
		return utils.DecodePrivateKey([]byte(`-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`))
	}

	// GenerateVPNKey is an alias for generateVPNKey. Exposed for testing.
	GenerateVPNKey = generateVPNKey
	// FakeGenerateVPNKey is a fake for GenerateVPNKey that returns the constant bytes "key".
	FakeGenerateVPNKey = func() ([]byte, error) {
		return []byte("key"), nil
	}

	// Clock is the time source used by the package (e.g. for certificate validity); it is an alias
	// for clock.RealClock and is exposed so tests can substitute a fake clock.
	Clock clock.Clock = clock.RealClock{}
)

Functions

func AdjustToClockSkew added in v1.106.0

func AdjustToClockSkew(t time.Time) time.Time

AdjustToClockSkew shifts the given time by the maximum clock skew the package tolerates. Validity boundaries such as certificate NotBefore/NotAfter are evaluated on hosts whose clocks may differ slightly, so comparing them without such a margin produces spurious failures; the size and direction of the shift are not shown on this page.

func ControlPlaneSecretDataKeyCertificatePEM added in v1.10.0

func ControlPlaneSecretDataKeyCertificatePEM(name string) string

ControlPlaneSecretDataKeyCertificatePEM returns the data key inside a Secret of type ControlPlane whose value contains the certificate PEM.

func ControlPlaneSecretDataKeyPrivateKey added in v1.10.0

func ControlPlaneSecretDataKeyPrivateKey(name string) string

ControlPlaneSecretDataKeyPrivateKey returns the data key inside a Secret of type ControlPlane whose value contains the private key PEM.

func SelfGenerateTLSServerCertificate added in v1.5.0

func SelfGenerateTLSServerCertificate(name string, dnsNames []string, ips []net.IP) (cert *Certificate, ca *Certificate, dir string, rErr error)

SelfGenerateTLSServerCertificate generates a new CA certificate and signs a server certificate with it for the given DNS names and IPs. It stores the generated CA and server certificate bytes in a temporary directory under the default filenames, e.g. `DataKeyCertificateCA`, and returns both *Certificate objects together with the path of that directory. Both returned Certificate values carry private keys, so treat the directory as sensitive (which key files, if any, are written to it is not visible here), keep it local to the process, and remove it once it is no longer needed.

Types

type BasicAuth

type BasicAuth struct {
	// Name is the name of the secret.
	Name string

	// Username is the basic-auth user name (see DataKeyUserName).
	Username string
	// Password is the password itself (see DataKeyPassword); secret material.
	Password string
	// contains filtered or unexported fields
}

BasicAuth contains the username, the password and optionally a hash of the password (the hash is not among the exported fields).

func (*BasicAuth) SecretData

func (b *BasicAuth) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type BasicAuthSecretConfig

type BasicAuthSecretConfig struct {
	// Name is the name of the secret to generate.
	Name string
	// Format is the format type.
	//
	// Do not remove this field, even though the field is not used and there is only one supported format ("normal").
	// The secret manager computes the Secret hash based on the config object (BasicAuthSecretConfig). Removing a field
	// from BasicAuthSecretConfig would change that hash and cause every existing Secret to be regenerated.
	// Hence, usages of the BasicAuthSecretConfig should continue to pass the Format field with value "normal".
	Format formatType

	// Username is the user name to put into the generated secret.
	Username       string
	// PasswordLength is the length of the password to generate (presumably via GenerateRandomString — confirm).
	PasswordLength int
}

BasicAuthSecretConfig contains the specification for a to-be-generated basic authentication secret.

func (*BasicAuthSecretConfig) Generate

func (s *BasicAuthSecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*BasicAuthSecretConfig) GetName

func (s *BasicAuthSecretConfig) GetName() string

GetName returns the name of the secret.

type Bundle added in v1.48.0

type Bundle struct {
	// Name is the name of the secret.
	Name        string
	// Bundle is the concatenated PEM material.
	Bundle      []byte
	// DataKeyName is the data-map key the bundle is stored under (presumably DataKeyCertificateBundle
	// or DataKeyPrivateKeyBundle — confirm); a private-key bundle is secret material.
	DataKeyName string
}

Bundle contains the name and the generated certificate bundle.

func (*Bundle) SecretData added in v1.48.0

func (b *Bundle) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type CertType added in v1.32.0

// CertType names the kind of certificate to generate; see CACert, ServerCert, ClientCert and ServerClientCert.
type CertType string

CertType is a string-based type naming the kind of certificate to generate; see the CACert, ServerCert, ClientCert and ServerClientCert constants.

type Certificate

type Certificate struct {
	// Name is the name of the secret.
	Name string

	// CA is the issuing CA's Certificate; it is nil when this certificate is itself a CA.
	CA                                *Certificate
	// CertType records which kind of certificate this is (see the CertType constants).
	CertType                          CertType
	// SkipPublishingCACertificate — presumably suppresses the ca.crt entry in SecretData; confirm.
	SkipPublishingCACertificate       bool
	// IncludeCACertificateInServerChain — presumably appends the CA certificate to tls.crt; confirm.
	IncludeCACertificateInServerChain bool

	// PrivateKey is the parsed private key and PrivateKeyPEM its PEM encoding. Both are secret material;
	// for a CA this key signs every leaf issued under it.
	PrivateKey    *rsa.PrivateKey
	PrivateKeyPEM []byte

	// Certificate is the parsed certificate and CertificatePEM its PEM encoding.
	Certificate    *x509.Certificate
	CertificatePEM []byte
}

Certificate holds a private key and its certificate. For a non-CA certificate the CA field points to the issuing CA's Certificate; for a CA certificate the CA field is nil.

func LoadCertificate

func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte) (*Certificate, error)

LoadCertificate parses the PEM-encoded private key and certificate into a *Certificate whose PrivateKey and Certificate fields can then be used (e.g. as a SigningCA) to sign other x509 certificates. Whether the function checks that the private key actually belongs to the certificate is not visible here; callers loading material from outside their trust boundary should verify that themselves.

func (*Certificate) SecretData

func (c *Certificate) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type CertificateBundleSecretConfig added in v1.43.0

type CertificateBundleSecretConfig struct {
	// Name is the name of the secret to generate.
	Name            string
	// CertificatePEMs are the PEM-encoded certificates to combine into the bundle (stored under DataKeyCertificateBundle).
	CertificatePEMs [][]byte
}

CertificateBundleSecretConfig is configuration for certificate bundles.

func (*CertificateBundleSecretConfig) Generate added in v1.43.0

Generate implements ConfigInterface.

func (*CertificateBundleSecretConfig) GetName added in v1.43.0

GetName returns the name of the secret.

type CertificateSecretConfig

type CertificateSecretConfig struct {
	// Name is the name of the secret to generate.
	Name string

	// CommonName and Organization go into the subject; DNSNames and IPAddresses into the SANs.
	CommonName   string
	Organization []string
	DNSNames     []string
	IPAddresses  []net.IP

	// CertType selects CA, server, client or server+client usage (see the CertType constants).
	CertType  CertType
	// SigningCA is the CA that signs the certificate. NOTE(review): behaviour for a nil SigningCA
	// (self-signed? CACert only?) is not visible on this page — confirm before relying on it.
	SigningCA *Certificate
	// PKCS selects the private key encoding: PKCS1 or PKCS8.
	PKCS      int

	// Validity is the requested lifetime; a nil value presumably selects a package default — confirm.
	Validity                          *time.Duration
	// SkipPublishingCACertificate and IncludeCACertificateInServerChain are presumably propagated to the
	// generated Certificate (same field names there) — confirm.
	SkipPublishingCACertificate       bool
	IncludeCACertificateInServerChain bool
}

CertificateSecretConfig contains the specification of a to-be-generated CA, server, or client certificate. The generated certificate always uses a 3072-bit RSA private key; the key size is not configurable through this struct.

func (*CertificateSecretConfig) Generate

func (s *CertificateSecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*CertificateSecretConfig) GenerateCertificate

func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)

GenerateCertificate is the same as Generate but returns a *Certificate instead of the DataInterface.

func (*CertificateSecretConfig) GetName

func (s *CertificateSecretConfig) GetName() string

GetName returns the name of the secret.

type ConfigInterface

type ConfigInterface interface {
	// GetName returns the name of the configuration (and of the secret it produces).
	GetName() string
	// Generate generates the secret data described by the configuration; the returned
	// DataInterface yields the data map via SecretData.
	Generate() (DataInterface, error)
}

ConfigInterface defines the functions needed for generating a specific secret.

type ControlPlane

type ControlPlane struct {
	// Name is the name of the secret.
	Name string

	// Certificate is the server/client certificate (always present per the type doc).
	Certificate *Certificate
	// BasicAuth and Token are optional additional credentials.
	BasicAuth   *BasicAuth
	// Token is an optional static token.
	Token       *Token
	// Kubeconfig is the optional serialized kubeconfig (stored under DataKeyKubeconfig).
	Kubeconfig  []byte
}

ControlPlane contains the certificate and, optionally, basic-auth information, a token and a kubeconfig.

func (*ControlPlane) SecretData

func (c *ControlPlane) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type ControlPlaneSecretConfig

type ControlPlaneSecretConfig struct {
	// Name is the name of the secret to generate.
	Name string

	// CertificateSecretConfig describes the server/client certificate that every control plane secret contains.
	CertificateSecretConfig *CertificateSecretConfig

	// BasicAuth and Token are optional credentials to embed alongside the certificate.
	BasicAuth *BasicAuth
	Token     *Token

	// KubeConfigRequests describe the kubeconfig(s) to generate, if any.
	KubeConfigRequests []KubeConfigRequest
}

ControlPlaneSecretConfig wraps a CertificateSecretConfig (held as a pointer field — Go has no inheritance) and extends it with a couple of additional properties. A control plane secret will always contain a server/client certificate and optionally a kubeconfig.

func (*ControlPlaneSecretConfig) Generate

func (s *ControlPlaneSecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*ControlPlaneSecretConfig) GetName

func (s *ControlPlaneSecretConfig) GetName() string

GetName returns the name of the secret.

type DataInterface added in v1.8.0

type DataInterface interface {
	// SecretData computes the data map which can be used in a Kubernetes secret.
	// Values are raw bytes (the Secret's base64 encoding is applied by the API machinery, not here).
	SecretData() map[string][]byte
}

DataInterface defines functions needed for defining the data map of a Kubernetes secret.

type ETCDEncryptionKey added in v1.44.0

type ETCDEncryptionKey struct {
	// Name is the name of the secret.
	Name   string
	// Key is presumably the key's name (stored under DataKeyEncryptionKeyName) — confirm.
	Key    string
	// Secret is the key material (stored under DataKeyEncryptionSecret); secret material.
	Secret string
}

ETCDEncryptionKey contains the generated etcd encryption key: Key presumably names it and Secret carries the key material (compare DataKeyEncryptionKeyName and DataKeyEncryptionSecret).

func (*ETCDEncryptionKey) SecretData added in v1.44.0

func (b *ETCDEncryptionKey) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type ETCDEncryptionKeySecretConfig added in v1.44.0

type ETCDEncryptionKeySecretConfig struct {
	// Name is the name of the secret to generate.
	Name         string
	// SecretLength is the length of the random secret to generate; no minimum is visible here,
	// so the caller is responsible for choosing an adequate one.
	SecretLength int
}

ETCDEncryptionKeySecretConfig contains the specification for a to-be-generated random key.

func (*ETCDEncryptionKeySecretConfig) Generate added in v1.44.0

Generate implements ConfigInterface.

func (*ETCDEncryptionKeySecretConfig) GetName added in v1.44.0

GetName returns the name of the secret.

type KubeConfigRequest

type KubeConfigRequest struct {
	// ClusterName is the cluster/context name used in the kubeconfig.
	ClusterName   string
	// APIServerHost is the API server address the kubeconfig points to.
	APIServerHost string
	// CAData is the CA certificate used to verify the API server; leaving it empty would
	// presumably yield a kubeconfig without server verification — confirm.
	CAData        []byte
}

KubeConfigRequest is a struct which holds information about a Kubeconfig to be generated.

type Kubeconfig added in v1.43.0

type Kubeconfig struct {
	// Name is the name of the secret.
	Name       string
	// Kubeconfig is the generated client config, including its AuthInfo credentials.
	Kubeconfig *clientcmdv1.Config
	// contains filtered or unexported fields
}

Kubeconfig contains the name and the generated kubeconfig.

func (*Kubeconfig) SecretData added in v1.43.0

func (v *Kubeconfig) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type KubeconfigSecretConfig added in v1.43.0

type KubeconfigSecretConfig struct {
	// Name is the name of the secret to generate.
	Name        string
	// ContextName is the name of the single context written into the kubeconfig.
	ContextName string
	// Cluster describes the target cluster (server URL, CA data, ...).
	Cluster     clientcmdv1.Cluster
	// AuthInfo carries the credentials; it ends up in the secret, so treat the whole config as sensitive.
	AuthInfo    clientcmdv1.AuthInfo
}

KubeconfigSecretConfig is configuration for kubeconfig secrets.

func (*KubeconfigSecretConfig) Generate added in v1.43.0

func (s *KubeconfigSecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*KubeconfigSecretConfig) GetName added in v1.43.0

func (s *KubeconfigSecretConfig) GetName() string

GetName returns the name of the secret.

type RSAKeys

type RSAKeys struct {
	// Name is the name of the secret.
	Name string

	// PrivateKey is the generated RSA private key (secret material, see DataKeyRSAPrivateKey).
	PrivateKey *rsa.PrivateKey
	// PublicKey is the corresponding public key.
	PublicKey  *rsa.PublicKey

	// OpenSSHAuthorizedKey is the optional authorized_keys-formatted public key (see DataKeySSHAuthorizedKeys).
	OpenSSHAuthorizedKey []byte
}

RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.

func (*RSAKeys) SecretData

func (r *RSAKeys) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type RSAPrivateKeyBundleSecretConfig added in v1.48.0

type RSAPrivateKeyBundleSecretConfig struct {
	// Name is the name of the secret to generate.
	Name           string
	// PrivateKeyPEMs are the PEM-encoded private keys to combine (stored under DataKeyPrivateKeyBundle).
	PrivateKeyPEMs [][]byte
}

RSAPrivateKeyBundleSecretConfig is configuration for bundles of RSA private keys (not certificate bundles; see CertificateBundleSecretConfig for those).

func (*RSAPrivateKeyBundleSecretConfig) Generate added in v1.48.0

Generate implements ConfigInterface.

func (*RSAPrivateKeyBundleSecretConfig) GetName added in v1.48.0

GetName returns the name of the secret.

type RSASecretConfig

type RSASecretConfig struct {
	// Name is the name of the secret to generate.
	Name string

	// Bits is the RSA key size. No minimum is visible on this page; callers must pick an adequate size.
	Bits       int
	// UsedForSSH presumably requests the OpenSSH authorized-keys form as well (see RSAKeys.OpenSSHAuthorizedKey) — confirm.
	UsedForSSH bool
}

RSASecretConfig describes the to-be-created RSA private key: the number of bits and whether it is intended for SSH use. No minimum for Bits is visible on this page, so the caller is responsible for choosing an adequate key size (2048 bits or more by current guidance).

func (*RSASecretConfig) Generate

func (s *RSASecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*RSASecretConfig) GetName

func (s *RSASecretConfig) GetName() string

GetName returns the name of the secret.

type StaticToken

type StaticToken struct {
	// Name is the name of the secret.
	Name string

	// Tokens are the generated tokens, one per configured user; each carries its secret value.
	Tokens []Token
}

StaticToken contains the secret name and the list of generated tokens (one Token per configured user).

func LoadStaticTokenFromCSV

func LoadStaticTokenFromCSV(name string, data []byte) (*StaticToken, error)

LoadStaticTokenFromCSV parses the given CSV-formatted data into a StaticToken with the given name.

func (*StaticToken) GetTokenForUsername

func (b *StaticToken) GetTokenForUsername(username string) (*Token, error)

GetTokenForUsername returns the token for the given username.

func (*StaticToken) SecretData

func (b *StaticToken) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type StaticTokenSecretConfig

type StaticTokenSecretConfig struct {
	// Name is the name of the secret to generate.
	Name string

	// Tokens are the per-user token configurations; one Token is generated for each entry.
	Tokens map[string]TokenConfig
}

StaticTokenSecretConfig contains the specification of a to-be-generated static token secret; one token is generated per entry in Tokens.

func (*StaticTokenSecretConfig) Generate

func (s *StaticTokenSecretConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*StaticTokenSecretConfig) GetName

func (s *StaticTokenSecretConfig) GetName() string

GetName returns the name of the secret.

type Token

type Token struct {
	// Username, UserID and Groups identify the principal the token authenticates as.
	Username string
	UserID   string
	Groups   []string
	// Token is the secret token value itself; handle it like a password.
	Token    string
}

Token contains the fields of a generated static token; the Token field holds the secret value itself and must be handled like a password.

type TokenConfig

type TokenConfig struct {
	// Username, UserID and Groups identify the principal the generated token will authenticate as.
	Username string
	UserID   string
	Groups   []string
}

TokenConfig contains configuration for a token.

type VPNTLSAuth added in v1.7.0

type VPNTLSAuth struct {
	// Name is the name of the secret.
	Name       string
	// TLSAuthKey is the generated tls-auth shared secret (stored under DataKeyVPNTLSAuth); secret material.
	TLSAuthKey []byte
}

VPNTLSAuth contains the name and the generated vpn tls authentication key.

func (*VPNTLSAuth) SecretData added in v1.7.0

func (v *VPNTLSAuth) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type VPNTLSAuthConfig added in v1.7.0

type VPNTLSAuthConfig struct {
	// Name is the name of the secret to generate.
	Name                   string
	// VPNTLSAuthKeyGenerator produces the key. When nil, the default runs the external openvpn
	// command, which must then be installed and reachable by the process.
	VPNTLSAuthKeyGenerator func() ([]byte, error)
}

VPNTLSAuthConfig contains the specification for a to-be-generated VPN TLS authentication secret. The key is generated by the provided VPNTLSAuthKeyGenerator; when none is specified, the default runs the openvpn command to generate it, so that binary must be installed and reachable by the process — supply your own generator where executing an external command is undesirable.

func (*VPNTLSAuthConfig) Generate added in v1.7.0

func (s *VPNTLSAuthConfig) Generate() (DataInterface, error)

Generate implements ConfigInterface.

func (*VPNTLSAuthConfig) GetName added in v1.7.0

func (s *VPNTLSAuthConfig) GetName() string

GetName returns the name of the secret.
