cert

package
v0.23.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 22, 2021 License: MPL-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateCA added in v0.13.0

func GenerateCA(commonName string) (
	signer crypto.Signer,
	keyPem string,
	caCertPem string,
	caCertTemplate *x509.Certificate,
	err error)

GenerateCA generates a CA with the provided common name valid for 10 years. It returns the private key as a crypto.Signer and a PEM string and certificate as a *x509.Certificate and a PEM string or an error.

func GenerateCert added in v0.13.0

func GenerateCert(
	commonName string,
	expiry time.Duration,
	caCert *x509.Certificate,
	caCertSigner crypto.Signer,
	hosts []string) (string, string, error)

GenerateCert generates a leaf certificate with the given common name, expiry, hosts as SANs, and CA. It returns a PEM encoded certificate and private key of the generated certificate or an error.

func ParseCert added in v0.13.0

func ParseCert(pemValue []byte) (*x509.Certificate, error)

ParseCert parses the x509 certificate from a PEM-encoded value.

func ParseSigner added in v0.23.0

func ParseSigner(pemValue string) (crypto.Signer, error)

ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key is expected to be the first block in the PEM value.

Types

type Bundle

type Bundle struct {
	Cert   []byte
	Key    []byte
	CACert []byte // CA cert bundle, optional.
}

Bundle is the set of certificates to serve and optionally the CA certificate (if available).

func (*Bundle) Equal

func (b *Bundle) Equal(b2 *Bundle) bool

Equal returns true if the two cert bundles contain equivalent certs.

type DiskSource

type DiskSource struct {
	CertPath string // CertPath is the path to the PEM-encoded cert
	KeyPath  string // KeyPath is the path to the PEM-encoded private key
	CAPath   string // CAPath is the path to the PEM-encoded CA root bundle (optional)
	// contains filtered or unexported fields
}

DiskSource sources certificates from files on disk. It sets up a file watcher that detects when the content changes and sends an update on the configured channel.

func (*DiskSource) Certificate

func (s *DiskSource) Certificate(ctx context.Context, last *Bundle) (Bundle, error)

Certificate implements Source

type GenSource

type GenSource struct {
	Name  string   // Name is used as part of the common name
	Hosts []string // Hosts is the list of hosts to make the leaf valid for

	// Expiry is the duration that a certificate is valid for. This
	// defaults to 24 hours.
	Expiry time.Duration

	// ExpiryWithin is the duration value used for determining whether to
	// regenerate a new leaf certificate. If the old leaf certificate is
	// expiring within this value, then a new leaf will be generated. Default
	// is about 10% of Expiry.
	ExpiryWithin time.Duration
	// contains filtered or unexported fields
}

GenSource generates a self-signed CA and certificate pair.

This generator is stateful. On the first run (last == nil to Certificate), a CA will be generated. On subsequent calls, the same CA will be used to create a new certificate when the expiry is near. To create a new CA, a new GenSource must be allocated.

func (*GenSource) Certificate

func (s *GenSource) Certificate(ctx context.Context, last *Bundle) (Bundle, error)

Certificate implements Source

type MetaBundle added in v0.19.0

type MetaBundle struct {
	Bundle
	// WebhookConfigName is the name of the MutatingWebhookConfiguration
	// that will be updated with the CA bundle when a new CA is generated.
	WebhookConfigName string
	// SecretName is the name of the Kubernetes TLS secret that will be
	// be created/updated with the leaf certificate and it's private key when
	// a new certificate key pair are generated.
	SecretName string
	// SecretNamespace is the namespace in which the aforementioned secret
	// will be created/updated.
	SecretNamespace string
}

MetaBundle is a composition of a certificate bundle with fields indicating the name of a MutatingWebhookConfiguration and a Secret that will be updated when a new Bundle is available.

type Notify

type Notify struct {
	// Ch is where the notifications for new bundles are sent. If this
	// blocks then the notify loop will also be blocked, so downstream
	// users should process this channel in a timely manner.
	Ch chan<- MetaBundle

	// Source is the source of certificates.
	Source Source

	// WebhookConfigName is the name of the MutatingWebhookConfiguration
	// that will be updated with the CA bundle when a new CA is generated.
	WebhookConfigName string
	// SecretName is the name of the Kubernetes TLS secret that will be
	// be created/updated with the leaf certificate and it's private key when
	// a new certificate key pair are generated.
	SecretName string
	// SecretNamespace is the namespace in which the aforementioned secret
	// will be created/updated.
	SecretNamespace string
	// contains filtered or unexported fields
}

Notify sends an update on a channel whenever a Source has an updated cert bundle. This struct maintains state, performs backoffs, etc.

func (*Notify) Start

func (n *Notify) Start(ctx context.Context)

Start starts the notifier. This blocks and should be started in a goroutine. To stop the notifier, the passed in context can be cancelled OR Stop can be called. In either case, Stop will block until the notifier is stopped.

func (*Notify) Stop

func (n *Notify) Stop()

Stops the notifier. Blocks until stopped. If the notifier isn't running this returns immediately.

type Source

type Source interface {
	// Certificate returns the certificates to use for the TLS listener.
	// If `last` is given, this should block until new certificates are
	// available. If last is nil, then this is an initial certificate request
	// and new certificates should be loaded.
	//
	// If this is a blocking call, a done context should cancel the result
	// and return immediately with an error (usually ctx.Err()).
	//
	// If any errors occur then an error should be returned. Higher level
	// systems should deal with safely backing off to prevent calling this
	// method too frequently.
	Certificate(ctx context.Context, last *Bundle) (Bundle, error)
}

Source should be implemented by systems that support loading TLS certificates. These are run for the lifetime of an application and are expected to provide continuous updates to certificates as needed (updates, rotation, etc.).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL