Documentation ¶
Index ¶
- Constants
- Variables
- func AuthorizeForwardedRoleAndOrg(ctx context.Context, authorizedRoles, forwarderRoles []string, org string, ...) (string, error)
- func AuthorizeOrgAndRole(ctx context.Context, org string, ...) (string, error)
- func DefaultCAConfig() api.CAConfig
- func EncryptECPrivateKey(key []byte, passphraseStr string) ([]byte, error)
- func FormatRole(role string) (api.NodeRole, error)
- func GenerateJoinToken(rootCA *RootCA) string
- func GenerateNewCSR() (csr, key []byte, err error)
- func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error)
- func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x509.CertPool, ...) ([]byte, error)
- func LogTLSState(ctx context.Context, tlsState *tls.ConnectionState)
- func NewClientTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool, serverName string) (*tls.Config, error)
- func NewServerTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool) (*tls.Config, error)
- func ParseRole(apiRole api.NodeRole) (string, error)
- func PrepareCSR(csrBytes []byte, cn, ou, org string) cfsigner.SignRequest
- func RenewTLSConfig(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker, ...) <-chan CertificateUpdate
- func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker) error
- func SigningPolicy(certExpiry time.Duration) *cfconfig.Signing
- func WithMetadataForwardTLSInfo(ctx context.Context) (context.Context, error)
- type CertPaths
- type CertificateRequestConfig
- type CertificateUpdate
- type ErrInvalidKEK
- type ExternalCA
- type KEKData
- type KeyReadWriter
- func (k *KeyReadWriter) GetCurrentState() (PEMKeyHeaders, KEKData)
- func (k *KeyReadWriter) Migrate() error
- func (k *KeyReadWriter) Read() ([]byte, []byte, error)
- func (k *KeyReadWriter) Target() string
- func (k *KeyReadWriter) ViewAndRotateKEK(cb func(KEKData, PEMKeyHeaders) (KEKData, PEMKeyHeaders, error)) error
- func (k *KeyReadWriter) ViewAndUpdateHeaders(cb func(PEMKeyHeaders) (PEMKeyHeaders, error)) error
- func (k *KeyReadWriter) Write(certBytes, plaintextKeyBytes []byte, kekData *KEKData) error
- type KeyReader
- type KeyWriter
- type MutableTLSCreds
- func (c *MutableTLSCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- func (c *MutableTLSCreds) Clone() credentials.TransportCredentials
- func (c *MutableTLSCreds) Config() *tls.Config
- func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
- func (c *MutableTLSCreds) Info() credentials.ProtocolInfo
- func (c *MutableTLSCreds) LoadNewTLSConfig(newConfig *tls.Config) error
- func (c *MutableTLSCreds) NodeID() string
- func (c *MutableTLSCreds) Organization() string
- func (c *MutableTLSCreds) OverrideServerName(name string) error
- func (c *MutableTLSCreds) RequireTransportSecurity() bool
- func (c *MutableTLSCreds) Role() string
- func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
- type PEMKeyHeaders
- type RemoteNodeInfo
- type RootCA
- func CreateRootCA(rootCN string, paths CertPaths) (RootCA, error)
- func DownloadRootCA(ctx context.Context, paths CertPaths, token string, ...) (RootCA, error)
- func GetLocalRootCA(paths CertPaths) (RootCA, error)
- func GetRemoteCA(ctx context.Context, d digest.Digest, connBroker *connectionbroker.Broker) (RootCA, error)
- func NewRootCA(certBytes, keyBytes []byte, certExpiry time.Duration) (RootCA, error)
- func (rca *RootCA) CanSign() bool
- func (rootCA RootCA) CreateSecurityConfig(ctx context.Context, krw *KeyReadWriter, config CertificateRequestConfig) (*SecurityConfig, error)
- func (rca *RootCA) IssueAndSaveNewCertificates(kw KeyWriter, cn, ou, org string) (*tls.Certificate, error)
- func (rootCA *RootCA) NewClientTLSCredentials(cert *tls.Certificate, serverName string) (*MutableTLSCreds, error)
- func (rootCA *RootCA) NewServerTLSCredentials(cert *tls.Certificate) (*MutableTLSCreds, error)
- func (rca *RootCA) ParseValidateAndSignCSR(csrBytes []byte, cn, ou, org string) ([]byte, error)
- func (rca *RootCA) RequestAndSaveNewCertificates(ctx context.Context, kw KeyWriter, config CertificateRequestConfig) (*tls.Certificate, error)
- type SecurityConfig
- type SecurityConfigPaths
- type Server
- func (s *Server) GetRootCACertificate(ctx context.Context, request *api.GetRootCACertificateRequest) (*api.GetRootCACertificateResponse, error)
- func (s *Server) GetUnlockKey(ctx context.Context, request *api.GetUnlockKeyRequest) (*api.GetUnlockKeyResponse, error)
- func (s *Server) IssueNodeCertificate(ctx context.Context, request *api.IssueNodeCertificateRequest) (*api.IssueNodeCertificateResponse, error)
- func (s *Server) NodeCertificateStatus(ctx context.Context, request *api.NodeCertificateStatusRequest) (*api.NodeCertificateStatusResponse, error)
- func (s *Server) Ready() <-chan struct{}
- func (s *Server) Run(ctx context.Context) error
- func (s *Server) SetReconciliationRetryInterval(reconciliationRetryInterval time.Duration)
- func (s *Server) Stop() error
Constants ¶
const ( // RootKeySize is the default size of the root CA key // It would be ideal for the root key to use P-384, but in P-384 is not optimized in go yet :( RootKeySize = 256 // RootKeyAlgo defines the default algorithm for the root CA Key RootKeyAlgo = "ecdsa" // PassphraseENVVar defines the environment variable to look for the // root CA private key material encryption key PassphraseENVVar = "SWARM_ROOT_CA_PASSPHRASE" // PassphraseENVVarPrev defines the alternate environment variable to look for the // root CA private key material encryption key. It can be used for seamless // KEK rotations. PassphraseENVVarPrev = "SWARM_ROOT_CA_PASSPHRASE_PREV" // RootCAExpiration represents the default expiration for the root CA in seconds (20 years) RootCAExpiration = "630720000s" // DefaultNodeCertExpiration represents the default expiration for node certificates (3 months) DefaultNodeCertExpiration = 2160 * time.Hour // CertBackdate represents the amount of time each certificate is backdated to try to avoid // clock drift issues. CertBackdate = 1 * time.Hour // CertLowerRotationRange represents the minimum fraction of time that we will wait when randomly // choosing our next certificate rotation CertLowerRotationRange = 0.5 // CertUpperRotationRange represents the maximum fraction of time that we will wait when randomly // choosing our next certificate rotation CertUpperRotationRange = 0.8 // MinNodeCertExpiration represents the minimum expiration for node certificates MinNodeCertExpiration = 1 * time.Hour )
const ( // DefaultRootCN represents the root CN that we should create roots CAs with by default DefaultRootCN = "swarm-ca" // ManagerRole represents the Manager node type, and is used for authorization to endpoints ManagerRole = "swarm-manager" // WorkerRole represents the Worker node type, and is used for authorization to endpoints WorkerRole = "swarm-worker" // CARole represents the CA node type, and is used for clients attempting to get new certificates issued CARole = "swarm-ca" )
Variables ¶
var ErrNoExternalCAURLs = errors.New("no external CA URLs")
ErrNoExternalCAURLs is an error used it indicate that an ExternalCA is configured with no URLs to which it can proxy certificate signing requests.
var ErrNoLocalRootCA = errors.New("local root CA certificate does not exist")
ErrNoLocalRootCA is an error type used to indicate that the local root CA certificate file does not exist.
var ErrNoValidSigner = recoverableErr{/* contains filtered or unexported fields */}
ErrNoValidSigner is an error type used to indicate that our RootCA doesn't have the ability to sign certificates.
var LocalRequestKey = localRequestKeyType{}
LocalRequestKey is a context key to mark a request that originating on the local node. The associated value is a RemoteNodeInfo structure describing the local node.
var RenewTLSExponentialBackoff = events.ExponentialBackoffConfig{ Base: time.Second * 5, Factor: time.Second * 5, Max: 1 * time.Hour, }
RenewTLSExponentialBackoff sets the exponential backoff when trying to renew TLS certificates that have expired
Functions ¶
func AuthorizeForwardedRoleAndOrg ¶
func AuthorizeForwardedRoleAndOrg(ctx context.Context, authorizedRoles, forwarderRoles []string, org string, blacklistedCerts map[string]*api.BlacklistedCertificate) (string, error)
AuthorizeForwardedRoleAndOrg checks for proper roles and organization of caller. The RPC may have been proxied by a manager, in which case the manager is authenticated and so is the certificate information that it forwarded. It returns the node ID of the original client.
func AuthorizeOrgAndRole ¶
func AuthorizeOrgAndRole(ctx context.Context, org string, blacklistedCerts map[string]*api.BlacklistedCertificate, ou ...string) (string, error)
AuthorizeOrgAndRole takes in a context and a list of roles, and returns the Node ID of the node.
func DefaultCAConfig ¶
DefaultCAConfig returns the default CA Config, with a default expiration.
func EncryptECPrivateKey ¶
EncryptECPrivateKey receives a PEM encoded private key and returns an encrypted AES256 version using a passphrase TODO: Make this method generic to handle RSA keys
func FormatRole ¶
FormatRole parses an internal role string into an apiRole
func GenerateJoinToken ¶
GenerateJoinToken creates a new join token.
func GenerateNewCSR ¶
GenerateNewCSR returns a newly generated key and CSR signed with said key
func GetAndValidateCertificateSubject ¶
func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error)
GetAndValidateCertificateSubject is a helper method to retrieve and validate the subject from the x509 certificate underlying a tls.Certificate
func GetRemoteSignedCertificate ¶
func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x509.CertPool, config CertificateRequestConfig) ([]byte, error)
GetRemoteSignedCertificate submits a CSR to a remote CA server address, and that is part of a CA identified by a specific certificate pool.
func LogTLSState ¶
func LogTLSState(ctx context.Context, tlsState *tls.ConnectionState)
LogTLSState logs information about the TLS connection and remote peers
func NewClientTLSConfig ¶
func NewClientTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool, serverName string) (*tls.Config, error)
NewClientTLSConfig returns a tls.Config configured for a TLS Client, given a tls.Certificate the PEM-encoded root CA Certificate, and the name of the remote server the client wants to connect to.
func NewServerTLSConfig ¶
NewServerTLSConfig returns a tls.Config configured for a TLS Server, given a tls.Certificate and the PEM-encoded root CA Certificate
func PrepareCSR ¶
func PrepareCSR(csrBytes []byte, cn, ou, org string) cfsigner.SignRequest
PrepareCSR creates a CFSSL Sign Request based on the given raw CSR and overrides the Subject and Hosts with the given extra args.
func RenewTLSConfig ¶
func RenewTLSConfig(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker, renew <-chan struct{}) <-chan CertificateUpdate
RenewTLSConfig will continuously monitor for the necessity of renewing the local certificates, either by issuing them locally if key-material is available, or requesting them from a remote CA.
func RenewTLSConfigNow ¶
func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker) error
RenewTLSConfigNow gets a new TLS cert and key, and updates the security config if provided. This is similar to RenewTLSConfig, except while that monitors for expiry, and periodically renews, this renews once and is blocking
func SigningPolicy ¶
SigningPolicy creates a policy used by the signer to ensure that the only fields from the remote CSRs we trust are: PublicKey, PublicKeyAlgorithm and SignatureAlgorithm. It receives the duration a certificate will be valid for
Types ¶
type CertPaths ¶
type CertPaths struct {
Cert, Key string
}
CertPaths is a helper struct that keeps track of the paths of a Cert and corresponding Key
type CertificateRequestConfig ¶
type CertificateRequestConfig struct { // Token is the join token that authenticates us with the CA. Token string // Availability allows a user to control the current scheduling status of a node Availability api.NodeSpec_Availability // ConnBroker provides connections to CAs. ConnBroker *connectionbroker.Broker // Credentials provides transport credentials for communicating with the // remote server. Credentials credentials.TransportCredentials // ForceRemote specifies that only a remote (TCP) connection should // be used to request the certificate. This may be necessary in cases // where the local node is running a manager, but is in the process of // being demoted. ForceRemote bool }
CertificateRequestConfig contains the information needed to request a certificate from a remote CA.
type CertificateUpdate ¶
CertificateUpdate represents a change in the underlying TLS configuration being returned by a certificate renewal event.
type ErrInvalidKEK ¶
type ErrInvalidKEK struct {
Wrapped error
}
ErrInvalidKEK means that we cannot decrypt the TLS key for some reason
func (ErrInvalidKEK) Error ¶
func (e ErrInvalidKEK) Error() string
type ExternalCA ¶
type ExternalCA struct {
// contains filtered or unexported fields
}
ExternalCA is able to make certificate signing requests to one of a list remote CFSSL API endpoints.
func NewExternalCA ¶
func NewExternalCA(rootCA *RootCA, tlsConfig *tls.Config, urls ...string) *ExternalCA
NewExternalCA creates a new ExternalCA which uses the given tlsConfig to authenticate to any of the given URLS of CFSSL API endpoints.
func (*ExternalCA) Sign ¶
func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert []byte, err error)
Sign signs a new certificate by proxying the given certificate signing request to an external CFSSL API server.
func (*ExternalCA) UpdateTLSConfig ¶
func (eca *ExternalCA) UpdateTLSConfig(tlsConfig *tls.Config)
UpdateTLSConfig updates the HTTP Client for this ExternalCA by creating a new client which uses the given tlsConfig.
func (*ExternalCA) UpdateURLs ¶
func (eca *ExternalCA) UpdateURLs(urls ...string)
UpdateURLs updates the list of CSR API endpoints by setting it to the given urls.
type KEKData ¶
KEKData provides an optional update to the kek when writing. The structure is needed so that we can tell the difference between "do not encrypt anymore" and there is "no update".
type KeyReadWriter ¶
type KeyReadWriter struct {
// contains filtered or unexported fields
}
KeyReadWriter is an object that knows how to read and write TLS keys and certs to disk, optionally encrypted and optionally updating PEM headers.
func NewKeyReadWriter ¶
func NewKeyReadWriter(paths CertPaths, kek []byte, headersObj PEMKeyHeaders) *KeyReadWriter
NewKeyReadWriter creates a new KeyReadWriter
func (*KeyReadWriter) GetCurrentState ¶
func (k *KeyReadWriter) GetCurrentState() (PEMKeyHeaders, KEKData)
GetCurrentState returns the current KEK data, including version
func (*KeyReadWriter) Migrate ¶
func (k *KeyReadWriter) Migrate() error
Migrate checks to see if a temporary key file exists. Older versions of swarmkit wrote temporary keys instead of temporary certificates, so migrate that temporary key if it exists. We want to write temporary certificates, instead of temporary keys, because we may need to periodically re-encrypt the keys and modify the headers, and it's easier to have a single canonical key location than two possible key locations.
func (*KeyReadWriter) Read ¶
func (k *KeyReadWriter) Read() ([]byte, []byte, error)
Read will read a TLS cert and key from the given paths
func (*KeyReadWriter) Target ¶
func (k *KeyReadWriter) Target() string
Target returns a string representation of this KeyReadWriter, namely where it is writing to
func (*KeyReadWriter) ViewAndRotateKEK ¶
func (k *KeyReadWriter) ViewAndRotateKEK(cb func(KEKData, PEMKeyHeaders) (KEKData, PEMKeyHeaders, error)) error
ViewAndRotateKEK re-encrypts the key with a new KEK
func (*KeyReadWriter) ViewAndUpdateHeaders ¶
func (k *KeyReadWriter) ViewAndUpdateHeaders(cb func(PEMKeyHeaders) (PEMKeyHeaders, error)) error
ViewAndUpdateHeaders updates the header manager, and updates any headers on the existing key
func (*KeyReadWriter) Write ¶
func (k *KeyReadWriter) Write(certBytes, plaintextKeyBytes []byte, kekData *KEKData) error
Write attempts write a cert and key to text. This can also optionally update the KEK while writing, if an updated KEK is provided. If the pointer to the update KEK is nil, then we don't update. If the updated KEK itself is nil, then we update the KEK to be nil (data should be unencrypted).
type KeyWriter ¶
type KeyWriter interface { Write([]byte, []byte, *KEKData) error ViewAndUpdateHeaders(func(PEMKeyHeaders) (PEMKeyHeaders, error)) error ViewAndRotateKEK(func(KEKData, PEMKeyHeaders) (KEKData, PEMKeyHeaders, error)) error GetCurrentState() (PEMKeyHeaders, KEKData) Target() string }
KeyWriter writes a TLS key and cert to disk
type MutableTLSCreds ¶
type MutableTLSCreds struct { // Mutex for the tls config sync.Mutex // contains filtered or unexported fields }
MutableTLSCreds is the credentials required for authenticating a connection using TLS.
func NewMutableTLS ¶
func NewMutableTLS(c *tls.Config) (*MutableTLSCreds, error)
NewMutableTLS uses c to construct a mutable TransportCredentials based on TLS.
func (*MutableTLSCreds) ClientHandshake ¶
func (c *MutableTLSCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
ClientHandshake implements the credentials.TransportCredentials interface
func (*MutableTLSCreds) Clone ¶
func (c *MutableTLSCreds) Clone() credentials.TransportCredentials
Clone returns new MutableTLSCreds created from underlying *tls.Config. It panics if validation of underlying config fails.
func (*MutableTLSCreds) Config ¶
func (c *MutableTLSCreds) Config() *tls.Config
Config returns the current underlying TLS config.
func (*MutableTLSCreds) GetRequestMetadata ¶
func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
GetRequestMetadata implements the credentials.TransportCredentials interface
func (*MutableTLSCreds) Info ¶
func (c *MutableTLSCreds) Info() credentials.ProtocolInfo
Info implements the credentials.TransportCredentials interface
func (*MutableTLSCreds) LoadNewTLSConfig ¶
func (c *MutableTLSCreds) LoadNewTLSConfig(newConfig *tls.Config) error
LoadNewTLSConfig replaces the currently loaded TLS config with a new one
func (*MutableTLSCreds) NodeID ¶
func (c *MutableTLSCreds) NodeID() string
NodeID returns the CN for the certificate encapsulated in this TransportCredentials
func (*MutableTLSCreds) Organization ¶
func (c *MutableTLSCreds) Organization() string
Organization returns the O for the certificate encapsulated in this TransportCredentials
func (*MutableTLSCreds) OverrideServerName ¶
func (c *MutableTLSCreds) OverrideServerName(name string) error
OverrideServerName overrides *tls.Config.ServerName.
func (*MutableTLSCreds) RequireTransportSecurity ¶
func (c *MutableTLSCreds) RequireTransportSecurity() bool
RequireTransportSecurity implements the credentials.TransportCredentials interface
func (*MutableTLSCreds) Role ¶
func (c *MutableTLSCreds) Role() string
Role returns the OU for the certificate encapsulated in this TransportCredentials
func (*MutableTLSCreds) ServerHandshake ¶
func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
ServerHandshake implements the credentials.TransportCredentials interface
type PEMKeyHeaders ¶
type PEMKeyHeaders interface { // UnmarshalHeaders loads the headers map given the current KEK UnmarshalHeaders(map[string]string, KEKData) (PEMKeyHeaders, error) // MarshalHeaders returns a header map given the current KEK MarshalHeaders(KEKData) (map[string]string, error) // UpdateKEK may get a new PEMKeyHeaders if the KEK changes UpdateKEK(KEKData, KEKData) PEMKeyHeaders }
PEMKeyHeaders is something that needs to know about PEM headers when reading or writing TLS keys.
type RemoteNodeInfo ¶
type RemoteNodeInfo struct { // Roles is a list of roles contained in the node's certificate // (or forwarded by a trusted node). Roles []string // Organization is the organization contained in the node's certificate // (or forwarded by a trusted node). Organization string // NodeID is the node's ID, from the CN field in its certificate // (or forwarded by a trusted node). NodeID string // ForwardedBy contains information for the node that forwarded this // request. It is set to nil if the request was received directly. ForwardedBy *RemoteNodeInfo // RemoteAddr is the address that this node is connecting to the cluster // from. RemoteAddr string }
RemoteNodeInfo describes a node sending an RPC request.
func RemoteNode ¶
func RemoteNode(ctx context.Context) (RemoteNodeInfo, error)
RemoteNode returns the node ID and role from the client's TLS certificate. If the RPC was forwarded, the original client's ID and role is returned, as well as the forwarder's ID. This function does not do authorization checks - it only looks up the node ID.
type RootCA ¶
type RootCA struct { // Key will only be used by the original manager to put the private // key-material in raft, no signing operations depend on it. Key []byte // Cert includes the PEM encoded Certificate for the Root CA Cert []byte Pool *x509.CertPool // Digest of the serialized bytes of the certificate Digest digest.Digest // This signer will be nil if the node doesn't have the appropriate key material Signer cfsigner.Signer }
RootCA is the representation of everything we need to sign certificates
func CreateRootCA ¶
CreateRootCA creates a Certificate authority for a new Swarm Cluster, potentially overwriting any existing CAs.
func DownloadRootCA ¶
func DownloadRootCA(ctx context.Context, paths CertPaths, token string, connBroker *connectionbroker.Broker) (RootCA, error)
DownloadRootCA tries to retrieve a remote root CA and matches the digest against the provided token.
func GetLocalRootCA ¶
GetLocalRootCA validates if the contents of the file are a valid self-signed CA certificate, and returns the PEM-encoded Certificate if so
func GetRemoteCA ¶
func GetRemoteCA(ctx context.Context, d digest.Digest, connBroker *connectionbroker.Broker) (RootCA, error)
GetRemoteCA returns the remote endpoint's CA certificate bundle
func NewRootCA ¶
NewRootCA creates a new RootCA object from unparsed PEM cert bundle and key byte slices. key may be nil, and in this case NewRootCA will return a RootCA without a signer.
func (*RootCA) CanSign ¶
CanSign ensures that the signer has all three necessary elements needed to operate
func (RootCA) CreateSecurityConfig ¶
func (rootCA RootCA) CreateSecurityConfig(ctx context.Context, krw *KeyReadWriter, config CertificateRequestConfig) (*SecurityConfig, error)
CreateSecurityConfig creates a new key and cert for this node, either locally or via a remote CA.
func (*RootCA) IssueAndSaveNewCertificates ¶
func (rca *RootCA) IssueAndSaveNewCertificates(kw KeyWriter, cn, ou, org string) (*tls.Certificate, error)
IssueAndSaveNewCertificates generates a new key-pair, signs it with the local root-ca, and returns a tls certificate
func (*RootCA) NewClientTLSCredentials ¶
func (rootCA *RootCA) NewClientTLSCredentials(cert *tls.Certificate, serverName string) (*MutableTLSCreds, error)
NewClientTLSCredentials returns GRPC credentials for a TLS GRPC client, given a tls.Certificate a PEM-Encoded root CA Certificate, and the name of the remote server the client wants to connect to.
func (*RootCA) NewServerTLSCredentials ¶
func (rootCA *RootCA) NewServerTLSCredentials(cert *tls.Certificate) (*MutableTLSCreds, error)
NewServerTLSCredentials returns GRPC credentials for a TLS GRPC client, given a tls.Certificate a PEM-Encoded root CA Certificate, and the name of the remote server the client wants to connect to.
func (*RootCA) ParseValidateAndSignCSR ¶
ParseValidateAndSignCSR returns a signed certificate from a particular rootCA and a CSR.
func (*RootCA) RequestAndSaveNewCertificates ¶
func (rca *RootCA) RequestAndSaveNewCertificates(ctx context.Context, kw KeyWriter, config CertificateRequestConfig) (*tls.Certificate, error)
RequestAndSaveNewCertificates gets new certificates issued, either by signing them locally if a signer is available, or by requesting them from the remote server at remoteAddr.
type SecurityConfig ¶
type SecurityConfig struct { ServerTLSCreds *MutableTLSCreds ClientTLSCreds *MutableTLSCreds // contains filtered or unexported fields }
SecurityConfig is used to represent a node's security configuration. It includes information about the RootCA and ServerTLSCreds/ClientTLSCreds transport authenticators to be used for MTLS
func LoadSecurityConfig ¶
func LoadSecurityConfig(ctx context.Context, rootCA RootCA, krw *KeyReadWriter, allowExpired bool) (*SecurityConfig, error)
LoadSecurityConfig loads TLS credentials from disk, or returns an error if these credentials do not exist or are unusable.
func NewSecurityConfig ¶
func NewSecurityConfig(rootCA *RootCA, krw *KeyReadWriter, clientTLSCreds, serverTLSCreds *MutableTLSCreds) *SecurityConfig
NewSecurityConfig initializes and returns a new SecurityConfig.
func (*SecurityConfig) KeyReader ¶
func (s *SecurityConfig) KeyReader() KeyReader
KeyReader returns the object that can read keys from disk
func (*SecurityConfig) KeyWriter ¶
func (s *SecurityConfig) KeyWriter() KeyWriter
KeyWriter returns the object that can write keys to disk
func (*SecurityConfig) RootCA ¶
func (s *SecurityConfig) RootCA() *RootCA
RootCA returns the root CA.
func (*SecurityConfig) UpdateRootCA ¶
func (s *SecurityConfig) UpdateRootCA(cert, key []byte, certExpiry time.Duration) error
UpdateRootCA replaces the root CA with a new root CA based on the specified certificate, key, and the number of hours the certificates issue should last.
type SecurityConfigPaths ¶
type SecurityConfigPaths struct {
Node, RootCA CertPaths
}
SecurityConfigPaths is used as a helper to hold all the paths of security relevant files
func NewConfigPaths ¶
func NewConfigPaths(baseCertDir string) *SecurityConfigPaths
NewConfigPaths returns the absolute paths to all of the different types of files
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the CA and NodeCA API gRPC server. TODO(aaronl): At some point we may want to have separate implementations of CA, NodeCA, and other hypothetical future CA services. At the moment, breaking it apart doesn't seem worth it.
func NewServer ¶
func NewServer(store *store.MemoryStore, securityConfig *SecurityConfig) *Server
NewServer creates a CA API server.
func (*Server) GetRootCACertificate ¶
func (s *Server) GetRootCACertificate(ctx context.Context, request *api.GetRootCACertificateRequest) (*api.GetRootCACertificateResponse, error)
GetRootCACertificate returns the certificate of the Root CA. It is used as a convenience for distributing the root of trust for the swarm. Clients should be using the CA hash to verify if they weren't target to a MiTM. If they fail to do so, node bootstrap works with TOFU semantics.
func (*Server) GetUnlockKey ¶
func (s *Server) GetUnlockKey(ctx context.Context, request *api.GetUnlockKeyRequest) (*api.GetUnlockKeyResponse, error)
GetUnlockKey is responsible for returning the current unlock key used for encrypting TLS private keys and other at rest data. Access to this RPC call should only be allowed via mutual TLS from managers.
func (*Server) IssueNodeCertificate ¶
func (s *Server) IssueNodeCertificate(ctx context.Context, request *api.IssueNodeCertificateRequest) (*api.IssueNodeCertificateResponse, error)
IssueNodeCertificate is responsible for gatekeeping both certificate requests from new nodes in the swarm, and authorizing certificate renewals. If a node presented a valid certificate, the corresponding certificate is set in a RENEW state. If a node failed to present a valid certificate, we check for a valid join token and set the role accordingly. A new random node ID is generated, and the corresponding node entry is created. IssueNodeCertificate is the only place where new node entries to raft should be created.
func (*Server) NodeCertificateStatus ¶
func (s *Server) NodeCertificateStatus(ctx context.Context, request *api.NodeCertificateStatusRequest) (*api.NodeCertificateStatusResponse, error)
NodeCertificateStatus returns the current issuance status of an issuance request identified by the nodeID
func (*Server) Ready ¶
func (s *Server) Ready() <-chan struct{}
Ready waits on the ready channel and returns when the server is ready to serve.
func (*Server) Run ¶
Run runs the CA signer main loop. The CA signer can be stopped with cancelling ctx or calling Stop().
func (*Server) SetReconciliationRetryInterval ¶
SetReconciliationRetryInterval changes the time interval between reconciliation attempts. This function must be called before Run.