cert

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 31, 2020 License: MPL-2.0 Imports: 21 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Bundle

type Bundle struct {
	Cert   []byte
	Key    []byte
	CACert []byte // CA cert bundle, optional.
}

Bundle is the set of certificates to serve and optionally the CA certificate (if available).

func (*Bundle) Equal

func (b *Bundle) Equal(b2 *Bundle) bool

Equal returns true if the two cert bundles contain equivalent certs.

type DiskSource

type DiskSource struct {
	CertPath string // CertPath is the path to the PEM-encoded cert
	KeyPath  string // KeyPath is the path to the PEM-encoded private key
	CAPath   string // CAPath is the path to the PEM-encoded CA root bundle (optional)
	// contains filtered or unexported fields
}

DiskSource sources certificates from files on disk. It sets up a file watcher that detects when the content changes and sends an update on the configured channel.

func (*DiskSource) Certificate

func (s *DiskSource) Certificate(ctx context.Context, last *Bundle) (Bundle, error)

Certificate implements source

type GenSource

type GenSource struct {
	Name  string   // Name is used as part of the common name
	Hosts []string // Hosts is the list of hosts to make the leaf valid for

	// Expiry is the duration that a certificate is valid for. This
	// defaults to 24 hours.
	Expiry time.Duration

	// ExpiryWithin is the duration value used for determining whether to
	// regenerate a new leaf certificate. If the old leaf certificate is
	// expiring within this value, then a new leaf will be generated. Default
	// is about 10% of Expiry.
	ExpiryWithin time.Duration
	// contains filtered or unexported fields
}

GenSource generates a self-signed CA and certificate pair.

This generator is stateful. On the first run (last == nil to Certificate), a CA will be generated. On subsequent calls, the same CA will be used to create a new certificate when the expiry is near. To create a new CA, a new GenSource must be allocated.

func (*GenSource) Certificate

func (s *GenSource) Certificate(ctx context.Context, last *Bundle) (Bundle, error)

Certificate implements source

type Notify

type Notify struct {
	// contains filtered or unexported fields
}

Notify sends an update on a channel whenever a source has an updated cert bundle. This struct maintains state, performs backoffs, etc.

func NewNotify

func NewNotify(ctx context.Context, newBundle chan<- Bundle, source Source) *Notify

func (*Notify) Run

func (n *Notify) Run()

Run starts the notifier. This blocks and should be started in a goroutine. To stop the notifier, the passed in context can be cancelled OR Stop can be called. In either case, Stop will block until the notifier is stopped.

type Source

type Source interface {
	// Certificate returns the certificates to use for the TLS listener.
	// If `last` is given, this should block until new certificates are
	// available. If last is nil, then this is an initial certificate request
	// and new certificates should be loaded.
	//
	// If this is a blocking call, a done context should cancel the result
	// and return immediately with an error (usually ctx.Err()).
	//
	// If any errors occur then an error should be returned. Higher level
	// systems should deal with safely backing off to prevent calling this
	// method too frequently.
	Certificate(ctx context.Context, last *Bundle) (Bundle, error)
}

source should be implemented by systems that support loading TLS certificates. These are run for the lifetime of an application and are expected to provide continuous updates to certificates as needed (updates, rotation, etc.).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL