Documentation ¶
Index ¶
- func GenerateCA(commonName string) (signer crypto.Signer, keyPem string, caCertPem string, ...)
- func GenerateCert(commonName string, expiry time.Duration, caCert *x509.Certificate, ...) (string, string, error)
- func ParseCert(pemValue []byte) (*x509.Certificate, error)
- func ParseSigner(pemValue string) (crypto.Signer, error)
- type Bundle
- type GenSource
- type MetaBundle
- type Notify
- type Source
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateCA ¶ added in v0.13.0
func GenerateCA(commonName string) ( signer crypto.Signer, keyPem string, caCertPem string, caCertTemplate *x509.Certificate, err error)
GenerateCA generates a CA with the provided common name valid for 10 years. It returns the private key as a crypto.Signer and a PEM string and certificate as a *x509.Certificate and a PEM string or an error.
func GenerateCert ¶ added in v0.13.0
func GenerateCert( commonName string, expiry time.Duration, caCert *x509.Certificate, caCertSigner crypto.Signer, hosts []string) (string, string, error)
GenerateCert generates a leaf certificate with the given common name, expiry, hosts as SANs, and CA. It returns a PEM encoded certificate and private key of the generated certificate or an error.
Types ¶
type Bundle ¶
Bundle is the set of certificates to serve and optionally the CA certificate (if available).
type GenSource ¶
type GenSource struct { Name string // Name is used as part of the common name Hosts []string // Hosts is the list of hosts to make the leaf valid for // Expiry is the duration that a certificate is valid for. This // defaults to 24 hours. Expiry time.Duration // ExpiryWithin is the duration value used for determining whether to // regenerate a new leaf certificate. If the old leaf certificate is // expiring within this value, then a new leaf will be generated. Default // is about 10% of Expiry. ExpiryWithin time.Duration // contains filtered or unexported fields }
GenSource generates a self-signed CA and certificate pair.
This generator is stateful. On the first run (last == nil to Certificate), a CA will be generated. On subsequent calls, the same CA will be used to create a new certificate when the expiry is near. To create a new CA, a new GenSource must be allocated.
type MetaBundle ¶ added in v0.19.0
type MetaBundle struct { Bundle // WebhookConfigName is the name of the MutatingWebhookConfiguration // that will be updated with the CA bundle when a new CA is generated. WebhookConfigName string // SecretName is the name of the Kubernetes TLS secret that will be // be created/updated with the leaf certificate and it's private key when // a new certificate key pair are generated. SecretName string // SecretNamespace is the namespace in which the aforementioned secret // will be created/updated. SecretNamespace string }
MetaBundle is a composition of a certificate bundle with fields indicating the name of a MutatingWebhookConfiguration and a Secret that will be updated when a new Bundle is available.
type Notify ¶
type Notify struct { // Ch is where the notifications for new bundles are sent. If this // blocks then the notify loop will also be blocked, so downstream // users should process this channel in a timely manner. Ch chan<- MetaBundle // Source is the source of certificates. Source Source // WebhookConfigName is the name of the MutatingWebhookConfiguration // that will be updated with the CA bundle when a new CA is generated. WebhookConfigName string // SecretName is the name of the Kubernetes TLS secret that will be // be created/updated with the leaf certificate and it's private key when // a new certificate key pair are generated. SecretName string // SecretNamespace is the namespace in which the aforementioned secret // will be created/updated. SecretNamespace string // contains filtered or unexported fields }
Notify sends an update on a channel whenever a Source has an updated cert bundle. This struct maintains state, performs backoffs, etc.
type Source ¶
type Source interface { // Certificate returns the certificates to use for the TLS listener. // If `last` is given, this should block until new certificates are // available. If last is nil, then this is an initial certificate request // and new certificates should be loaded. // // If this is a blocking call, a done context should cancel the result // and return immediately with an error (usually ctx.Err()). // // If any errors occur then an error should be returned. Higher level // systems should deal with safely backing off to prevent calling this // method too frequently. Certificate(ctx context.Context, last *Bundle) (Bundle, error) }
Source should be implemented by systems that support loading TLS certificates. These are run for the lifetime of an application and are expected to provide continuous updates to certificates as needed (updates, rotation, etc.).