- Constants
- Variables
- func DecodeCertificate(bytes []byte) (*x509.Certificate, error)
- func DecodePrivateKey(bytes []byte) (*rsa.PrivateKey, error)
- func DecodeRSAPrivateKeyFromPKCS8(bytes []byte) (*rsa.PrivateKey, error)
- func EncodeCertificate(certificate []byte) []byte
- func EncodePrivateKey(key *rsa.PrivateKey) []byte
- func EncodePrivateKeyInPKCS8(key *rsa.PrivateKey) ([]byte, error)
- func GenerateCertificateAuthorities(k8sClusterClient client.Client, existingSecretsMap map[string]*corev1.Secret, ...) (map[string]*corev1.Secret, map[string]*Certificate, error)
- func GenerateClusterSecrets(ctx context.Context, k8sClusterClient client.Client, ...) (map[string]*corev1.Secret, error)
- func GenerateClusterSecretsWithFunc(ctx context.Context, k8sClusterClient client.Client, ...) (map[string]*corev1.Secret, error)
- type Certificate
- func LoadCAFromSecret(k8sClient client.Client, namespace, name string, pkcs int) (*corev1.Secret, *Certificate, error)
- func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte, pkcs int) (*Certificate, error)
- func SelfGenerateTLSServerCertificate(name string, dnsNames []string) (*Certificate, string, error)
- type CertificateInfoData
- type CertificateJSONData
- type CertificateSecretConfig
- func (s *CertificateSecretConfig) Generate() (DataInterface, error)
- func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)
- func (s *CertificateSecretConfig) GenerateFromInfoData(infoData InfoData) (DataInterface, error)
- func (s *CertificateSecretConfig) GenerateInfoData() (InfoData, error)
- func (s *CertificateSecretConfig) GetName() string
- func (s *CertificateSecretConfig) LoadFromSecretData(secretData map[string][]byte) (InfoData, error)
- type ConfigInterface
- type DataInterface
- type InfoData
- type Interface
- type PrivateKeyInfoData
- type PrivateKeyJSONData
- type RSAKeys
- type RSASecretConfig
- func (s *RSASecretConfig) Generate() (DataInterface, error)
- func (s *RSASecretConfig) GenerateFromInfoData(infoData InfoData) (DataInterface, error)
- func (s *RSASecretConfig) GenerateInfoData() (InfoData, error)
- func (s *RSASecretConfig) GenerateRSAKeys() (*RSAKeys, error)
- func (s *RSASecretConfig) GetName() string
- func (s *RSASecretConfig) LoadFromSecretData(secretData map[string][]byte) (InfoData, error)
- type Secrets
- type TypeVersion
- type Unmarshaller
Constants ¶
const (
	// CACert indicates that the certificate should be a certificate authority.
	CACert certType = "ca"
	// ServerCert indicates that the certificate should have the ExtKeyUsageServerAuth usage.
	ServerCert certType = "server"
	// ClientCert indicates that the certificate should have the ExtKeyUsageClientAuth usage.
	ClientCert certType = "client"
	// ServerClientCert indicates that the certificate should have both the ExtKeyUsageServerAuth and ExtKeyUsageClientAuth usage.
	ServerClientCert certType = "both"

	// DataKeyCertificate is the key in a secret data holding the certificate.
	DataKeyCertificate = "tls.crt"
	// DataKeyPrivateKey is the key in a secret data holding the private key.
	DataKeyPrivateKey = "tls.key"
	// DataKeyCertificateCA is the key in a secret data holding the CA certificate.
	DataKeyCertificateCA = "ca.crt"
	// DataKeyPrivateKeyCA is the key in a secret data holding the CA private key.
	DataKeyPrivateKeyCA = "ca.key"

	// PKCS1 selects the PKCS#1 encoding of the RSA private key (the pkcs argument of
	// LoadCertificate / LoadCAFromSecret and the PKCS field of CertificateSecretConfig).
	// Note that PKCS#1/PKCS#8 describe the private key encoding, not the certificate format.
	PKCS1 = 1
	// PKCS8 selects the PKCS#8 encoding of the RSA private key (see
	// EncodePrivateKeyInPKCS8 / DecodeRSAPrivateKeyFromPKCS8).
	PKCS8 = 8
)
// Secret data keys used for RSA key pairs.
const (
	// DataKeyRSAPrivateKey is the key in a secret data holding the RSA private key.
	DataKeyRSAPrivateKey = "id_rsa"
	// DataKeySSHAuthorizedKeys is the key in a secret data holding the OpenSSH authorized keys.
	DataKeySSHAuthorizedKeys = "id_rsa.pub"
)
// CertificateDataType is the TypeVersion used to denote a CertificateJSONData structure in the ShootState.
const CertificateDataType = TypeVersion("certificate")
CertificateDataType is the type used to denote a CertificateJSONData structure in the ShootState.
// PrivateKeyDataType is the TypeVersion used to denote a PrivateKeyJSONData structure in the ShootState.
const PrivateKeyDataType = TypeVersion("privateKey")
PrivateKeyDataType is the type used to denote a PrivateKeyJSONData structure in the ShootState.
// TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is the name pattern used when
// SelfGenerateTLSServerCertificate creates the temporary directory for self-generated certificates.
const TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern = "self-generated-server-certificates-"
TemporaryDirectoryForSelfGeneratedTLSCertificatesPattern is a constant for the pattern used when creating a temporary directory for self-generated certificates.
Variables ¶
// EmptyInfoData is an InfoData which does not contain any information.
var EmptyInfoData = &emptyInfoData{}
EmptyInfoData is an infodata which does not contain any information.
Functions ¶
func DecodeCertificate ¶
func DecodeCertificate(bytes []byte) (*x509.Certificate, error)
DecodeCertificate takes a byte slice, decodes it from the PEM format, converts it to an x509.Certificate object, and returns it. In case an error occurs, it returns the error.
func DecodePrivateKey ¶
func DecodePrivateKey(bytes []byte) (*rsa.PrivateKey, error)
DecodePrivateKey takes a byte slice, decodes it from the PEM format, converts it to an rsa.PrivateKey object, and returns it. In case an error occurs, it returns the error.
func DecodeRSAPrivateKeyFromPKCS8 ¶
func DecodeRSAPrivateKeyFromPKCS8(bytes []byte) (*rsa.PrivateKey, error)
DecodeRSAPrivateKeyFromPKCS8 takes a byte slice, decodes it from the PKCS8 format, tries to convert it to an rsa.PrivateKey object, and returns it. In case an error occurs, it returns the error.
func EncodeCertificate ¶
EncodeCertificate takes a certificate as a byte slice, encodes it to the PEM format, and returns it as byte slice.
func EncodePrivateKey ¶
func EncodePrivateKey(key *rsa.PrivateKey) []byte
EncodePrivateKey takes an RSA private key object, encodes it to the PEM format, and returns it as a byte slice.
func EncodePrivateKeyInPKCS8 ¶
func EncodePrivateKeyInPKCS8(key *rsa.PrivateKey) ([]byte, error)
EncodePrivateKeyInPKCS8 takes an RSA private key object, encodes it to the PKCS8 format, and returns it as a byte slice.
func GenerateCertificateAuthorities ¶
func GenerateCertificateAuthorities(k8sClusterClient client.Client, existingSecretsMap map[string]*corev1.Secret, wantedCertificateAuthorities map[string]*CertificateSecretConfig, namespace string, pkcs int) (map[string]*corev1.Secret, map[string]*Certificate, error)
GenerateCertificateAuthorities takes a map of wanted certificate authorities and checks whether they exist in existingSecretsMap, based on the keys of the map. If a secret exists, it only loads the certificate from the corresponding existing secret and builds a certificate DataInterface from it. If there is no existing secret containing the wanted certificate, it generates the certificate, deploys a secret containing it into the Kubernetes cluster, and returns the newly created secret. The function returns a map of secrets containing the wanted CAs, a map of the wanted CA certificates, and an error.
func GenerateClusterSecrets ¶
func GenerateClusterSecrets(ctx context.Context, k8sClusterClient client.Client, existingSecretsMap map[string]*corev1.Secret, wantedSecretsList []ConfigInterface, namespace string) (map[string]*corev1.Secret, error)
GenerateClusterSecrets tries to deploy each secret in wantedSecretsList into the Kubernetes cluster. If a secret already exists, it skips to the next one. The function returns a map with all successfully deployed wanted secrets plus those already deployed (only those from wantedSecretsList).
func GenerateClusterSecretsWithFunc ¶
func GenerateClusterSecretsWithFunc(ctx context.Context, k8sClusterClient client.Client, existingSecretsMap map[string]*corev1.Secret, wantedSecretsList []ConfigInterface, namespace string, SecretsGeneratorFunc func(s ConfigInterface) (DataInterface, error)) (map[string]*corev1.Secret, error)
GenerateClusterSecretsWithFunc tries to deploy each secret in wantedSecretsList into the Kubernetes cluster. If a secret already exists, it skips to the next one. The function uses SecretsGeneratorFunc to create the secret DataInterface from the wanted secret configs.
Types ¶
type Certificate ¶
type Certificate struct {
	// Name is the name of the certificate.
	Name string
	// CA is the CA certificate that signed this certificate; nil when this
	// certificate is itself a CA.
	CA *Certificate
	// PrivateKey is the parsed RSA private key.
	PrivateKey *rsa.PrivateKey
	// PrivateKeyPEM is the PEM-encoded form of PrivateKey.
	PrivateKeyPEM []byte
	// Certificate is the parsed x509 certificate.
	Certificate *x509.Certificate
	// CertificatePEM is the PEM-encoded form of Certificate.
	CertificatePEM []byte
}
Certificate contains the private key and the certificate. If the certificate is not itself a CA, it also contains the CA certificate; otherwise, the CA field is nil.
func LoadCAFromSecret ¶
func LoadCAFromSecret(k8sClient client.Client, namespace, name string, pkcs int) (*corev1.Secret, *Certificate, error)
LoadCAFromSecret loads a CA certificate from an existing Kubernetes secret object. It returns the secret, the Certificate and an error.
func LoadCertificate ¶
func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte, pkcs int) (*Certificate, error)
LoadCertificate takes a byte slice representation of a certificate and the corresponding private key, and returns its de-serialized private key, certificate template, and PEM certificate, which can be used to sign other x509 certificates.
func SelfGenerateTLSServerCertificate ¶
func SelfGenerateTLSServerCertificate(name string, dnsNames []string) (*Certificate, string, error)
SelfGenerateTLSServerCertificate generates a new CA certificate and signs a server certificate with it. It stores the generated CA and server certificate bytes in a temporary directory using the default file names, e.g. `DataKeyCertificateCA`. The function returns the *Certificate object as well as the path of the temporary directory in which the certificates are stored.
func (*Certificate) SecretData ¶
func (c *Certificate) SecretData() map[string][]byte
SecretData computes the data map which can be used in a Kubernetes secret.
type CertificateInfoData ¶
CertificateInfoData holds a certificate's private key data and certificate data.
func NewCertificateInfoData ¶
func NewCertificateInfoData(privateKey, certificate []byte) *CertificateInfoData
NewCertificateInfoData creates a new CertificateInfoData struct
func (*CertificateInfoData) Marshal ¶
func (c *CertificateInfoData) Marshal() ([]byte, error)
Marshal implements InfoData
func (*CertificateInfoData) TypeVersion ¶
func (c *CertificateInfoData) TypeVersion() TypeVersion
TypeVersion implements InfoData
type CertificateJSONData ¶
// CertificateJSONData is the JSON representation of CertificateInfoData used to
// store certificate metadata in the ShootState.
type CertificateJSONData struct {
	// PrivateKey holds the private key data of the certificate.
	PrivateKey []byte `json:"privateKey"`
	// Certificate holds the certificate data.
	Certificate []byte `json:"certificate"`
}
CertificateJSONData is the json representation of CertificateInfoData used to store Certificate metadata in the ShootState
type CertificateSecretConfig ¶
type CertificateSecretConfig struct {
	// Name is the name of the secret (returned by GetName).
	Name string
	// CommonName is the common name of the certificate subject.
	CommonName string
	// Organization is the organization of the certificate subject.
	Organization []string
	// DNSNames are the DNS names to include in the certificate.
	DNSNames []string
	// IPAddresses are the IP addresses to include in the certificate.
	IPAddresses []net.IP
	// CertType is one of CACert, ServerCert, ClientCert or ServerClientCert.
	CertType certType
	// SigningCA is the CA used to sign the generated certificate.
	// NOTE(review): behaviour when CertType is CACert (self-signed vs. SigningCA) is not documented here — confirm.
	SigningCA *Certificate
	// PKCS selects the private key encoding, PKCS1 or PKCS8.
	PKCS int
	// Validity is the validity period of the certificate.
	// NOTE(review): presumably a package default applies when nil — confirm.
	Validity *time.Duration
}
CertificateSecretConfig contains the specification of a to-be-generated CA, server, or client certificate. It always contains a 2048-bit RSA private key.
func (*CertificateSecretConfig) Generate ¶
func (s *CertificateSecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*CertificateSecretConfig) GenerateCertificate ¶
func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)
GenerateCertificate computes a CA, server, or client certificate based on the configuration.
func (*CertificateSecretConfig) GenerateFromInfoData ¶
func (s *CertificateSecretConfig) GenerateFromInfoData(infoData InfoData) (DataInterface, error)
GenerateFromInfoData implements ConfigInterface
func (*CertificateSecretConfig) GenerateInfoData ¶
func (s *CertificateSecretConfig) GenerateInfoData() (InfoData, error)
GenerateInfoData implements ConfigInterface
func (*CertificateSecretConfig) GetName ¶
func (s *CertificateSecretConfig) GetName() string
GetName returns the name of the secret.
func (*CertificateSecretConfig) LoadFromSecretData ¶
func (s *CertificateSecretConfig) LoadFromSecretData(secretData map[string][]byte) (InfoData, error)
LoadFromSecretData implements infodata.Loader
type ConfigInterface ¶
// ConfigInterface defines the functions needed for generating a specific secret.
type ConfigInterface interface {
	// GetName returns the name of the configuration.
	GetName() string
	// Generate generates a secret interface.
	Generate() (DataInterface, error)
	// GenerateInfoData generates only the InfoData (metadata) which can later be used to generate a secret.
	GenerateInfoData() (InfoData, error)
	// GenerateFromInfoData combines the configuration and the provided InfoData (metadata) and generates a secret.
	GenerateFromInfoData(infoData InfoData) (DataInterface, error)
}
ConfigInterface defines the functions needed for generating a specific secret.
type DataInterface ¶
// DataInterface defines the functions needed for defining the data map of a Kubernetes secret.
type DataInterface interface {
	// SecretData computes the data map which can be used in a Kubernetes secret.
	SecretData() map[string][]byte
}
DataInterface defines functions needed for defining the data map of a Kubernetes secret.
type InfoData ¶
// InfoData is implemented by secret metadata that reports its TypeVersion and
// can marshal itself (e.g. CertificateInfoData and PrivateKeyInfoData).
type InfoData interface {
	// TypeVersion returns the potentially versioned type name of this representation.
	TypeVersion() TypeVersion
	// Marshal returns the serialized form of the metadata.
	Marshal() ([]byte, error)
}
InfoData is an interface implemented by secret metadata that reports its TypeVersion and can marshal itself.
func UnmarshalCert ¶
UnmarshalCert unmarshals a CertificateJSONData into a CertificateInfoData.
func UnmarshalPrivateKey ¶
UnmarshalPrivateKey unmarshals a PrivateKeyJSONData into a PrivateKeyInfoData.
type Interface ¶
// Interface represents a set of secrets that can be deployed and deleted.
type Interface interface {
	// Deploy generates and deploys the secrets into the given namespace, taking into account existing secrets.
	Deploy(context.Context, client.Client, string) (map[string]*corev1.Secret, error)
	// Delete deletes the secrets from the given namespace.
	Delete(context.Context, client.Client, string) error
}
Interface represents a set of secrets that can be deployed and deleted.
type PrivateKeyInfoData ¶
// PrivateKeyInfoData holds the data of a private key.
type PrivateKeyInfoData struct {
	// PrivateKey holds the private key data.
	PrivateKey []byte
}
PrivateKeyInfoData holds the data of a private key.
func NewPrivateKeyInfoData ¶
func NewPrivateKeyInfoData(privateKey []byte) *PrivateKeyInfoData
NewPrivateKeyInfoData creates a new PrivateKeyInfoData struct
func (*PrivateKeyInfoData) Marshal ¶
func (r *PrivateKeyInfoData) Marshal() ([]byte, error)
Marshal implements InfoData
func (*PrivateKeyInfoData) TypeVersion ¶
func (r *PrivateKeyInfoData) TypeVersion() TypeVersion
TypeVersion implements InfoData
type PrivateKeyJSONData ¶
// PrivateKeyJSONData is the JSON representation of PrivateKeyInfoData used to
// store a private key in the ShootState.
type PrivateKeyJSONData struct {
	// PrivateKey holds the private key data.
	PrivateKey []byte `json:"privateKey"`
}
PrivateKeyJSONData is the json representation of PrivateKeyInfoData used to store private key in the ShootState
type RSAKeys ¶
type RSAKeys struct {
	// Name is the name of the key pair.
	Name string
	// PrivateKey is the RSA private key.
	PrivateKey *rsa.PrivateKey
	// PublicKey is the RSA public key.
	PublicKey *rsa.PublicKey
	// OpenSSHAuthorizedKey optionally holds the OpenSSH-formatted authorized keys file data.
	OpenSSHAuthorizedKey []byte
}
RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.
func (*RSAKeys) SecretData ¶
SecretData computes the data map which can be used in a Kubernetes secret.
type RSASecretConfig ¶
RSASecretConfig contains information about the number of bits which should be used for the to-be-created RSA private key.
func (*RSASecretConfig) Generate ¶
func (s *RSASecretConfig) Generate() (DataInterface, error)
Generate implements ConfigInterface.
func (*RSASecretConfig) GenerateFromInfoData ¶
func (s *RSASecretConfig) GenerateFromInfoData(infoData InfoData) (DataInterface, error)
GenerateFromInfoData implements ConfigInterface
func (*RSASecretConfig) GenerateInfoData ¶
func (s *RSASecretConfig) GenerateInfoData() (InfoData, error)
GenerateInfoData implements ConfigInterface.
func (*RSASecretConfig) GenerateRSAKeys ¶
func (s *RSASecretConfig) GenerateRSAKeys() (*RSAKeys, error)
GenerateRSAKeys computes an RSA private key based on the configured number of bits.
func (*RSASecretConfig) GetName ¶
func (s *RSASecretConfig) GetName() string
GetName returns the name of the secret.
func (*RSASecretConfig) LoadFromSecretData ¶
func (s *RSASecretConfig) LoadFromSecretData(secretData map[string][]byte) (InfoData, error)
LoadFromSecretData implements infodata.Loader
type Secrets ¶
// Secrets represents a set of secrets that can be deployed and deleted.
type Secrets struct {
	// CertificateSecretConfigs holds certificate configs keyed by name.
	// NOTE(review): presumably the CAs handed to GenerateCertificateAuthorities — confirm.
	CertificateSecretConfigs map[string]*CertificateSecretConfig
	// SecretConfigsFunc builds the list of secret configs to deploy from the generated
	// certificates and a string argument (presumably the namespace — confirm against Deploy).
	SecretConfigsFunc func(map[string]*Certificate, string) []ConfigInterface
}
Secrets represents a set of secrets that can be deployed and deleted.
type TypeVersion ¶
// TypeVersion is the potentially versioned type name of an InfoData representation.
type TypeVersion string
TypeVersion is the potentially versioned type name of an InfoData representation.
type Unmarshaller ¶
Unmarshaller is a factory to create a dedicated InfoData object from a byte stream.
func GetUnmarshaller ¶
func GetUnmarshaller(typeName TypeVersion) Unmarshaller
GetUnmarshaller returns an Unmarshaller for the given typeName.