Documentation ¶
Index ¶
- Constants
- func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)
- func CipherSuite(cipherName string) (uint16, error)
- func CipherSuiteToNameOrDie(intVal uint16) string
- func CipherSuitesOrDie(cipherNames []string) []uint16
- func CipherSuitesToNamesOrDie(intVals []uint16) []string
- func DefaultCiphers() []uint16
- func DefaultTLSVersion() uint16
- func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
- func FilterExpiredCerts(certs ...*x509.Certificate) []*x509.Certificate
- func GolangTLSVersions() []string
- func IPAddressesDNSNames(hosts []string) ([]net.IP, []string)
- func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
- func SecureTLSConfig(config *tls.Config) *tls.Config
- func TLSVersion(versionName string) (uint16, error)
- func TLSVersionOrDie(versionName string) uint16
- func TLSVersionToNameOrDie(intVal uint16) string
- func ValidCipherSuites() []string
- func ValidTLSVersions() []string
- type CA
- func EnsureCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, bool, error)
- func GetCA(certFile, keyFile, serialFile string) (*CA, error)
- func GetCAFromBytes(certBytes, keyBytes []byte) (*CA, error)
- func MakeSelfSignedCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, error)
- func (ca *CA) EnsureClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, bool, error)
- func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.String, expireDays int) (*TLSCertificateConfig, bool, error)
- func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.String, expireDays int) (*TLSCertificateConfig, error)
- func (ca *CA) MakeClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, error)
- func (ca *CA) MakeClientCertificateForDuration(u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)
- func (ca *CA) MakeServerCert(hostnames sets.String, expireDays int, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
- func (ca *CA) MakeServerCertForDuration(hostnames sets.String, lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
- type CertificateExtensionFunc
- type RandomSerialGenerator
- type SerialFileGenerator
- type SerialGenerator
- type TLSCARoots
- type TLSCertificateConfig
- func GetServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertificateConfig, error)
- func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)
- func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)
- func MakeCAConfigForDuration(name string, caLifetime time.Duration, issuer *CA) (*TLSCertificateConfig, error)
- func MakeSelfSignedCAConfig(name string, expireDays int) (*TLSCertificateConfig, error)
- func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)
Constants ¶
const ( DefaultCertificateLifetimeInDays = 365 * 2 // 2 years DefaultCACertificateLifetimeInDays = 365 * 5 // 5 years )
Variables ¶
This section is empty.
Functions ¶
func CertsFromPEM ¶
func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)
func CipherSuite ¶
func CipherSuiteToNameOrDie ¶
CipherSuiteToNameOrDie, given a cipher suite as an int, returns its readable name.
func CipherSuitesOrDie ¶
func CipherSuitesToNamesOrDie ¶
CipherSuitesToNamesOrDie, given a list of cipher suites as ints, returns their readable names.
func DefaultCiphers ¶
func DefaultCiphers() []uint16
func DefaultTLSVersion ¶
func DefaultTLSVersion() uint16
func EncodeCertificates ¶
func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
func FilterExpiredCerts ¶
func FilterExpiredCerts(certs ...*x509.Certificate) []*x509.Certificate
FilterExpiredCerts checks whether all certificates in the bundle are valid, i.e. that they have not expired. The function returns a new bundle containing only the valid certificates; as the signature shows, no error is returned, so the result may be empty when no valid certificate is found.
func GolangTLSVersions ¶
func GolangTLSVersions() []string
GolangTLSVersions returns the TLS versions that are known to Go but may not necessarily be enabled.
func NewKeyPair ¶
func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
func SecureTLSConfig ¶
SecureTLSConfig enforces the default minimum security settings for the cluster.
func TLSVersion ¶
func TLSVersionOrDie ¶
func TLSVersionToNameOrDie ¶
TLSVersionToNameOrDie, given a TLS version as an int, returns its readable name.
func ValidCipherSuites ¶
func ValidCipherSuites() []string
Types ¶
type CA ¶
type CA struct { Config *TLSCertificateConfig SerialGenerator SerialGenerator }
func EnsureCA ¶
EnsureCA returns a CA, whether it was created (as opposed to pre-existing), and any error. If serialFile is empty, a RandomSerialGenerator will be used.
func GetCAFromBytes ¶
func MakeSelfSignedCA ¶
If serialFile is empty, a RandomSerialGenerator will be used.
func (*CA) EnsureClientCertificate ¶
func (*CA) EnsureServerCert ¶
func (*CA) MakeAndWriteServerCert ¶
func (*CA) MakeClientCertificate ¶
func (*CA) MakeClientCertificateForDuration ¶
func (*CA) MakeServerCert ¶
func (ca *CA) MakeServerCert(hostnames sets.String, expireDays int, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
func (*CA) MakeServerCertForDuration ¶
func (ca *CA) MakeServerCertForDuration(hostnames sets.String, lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
type CertificateExtensionFunc ¶
type CertificateExtensionFunc func(*x509.Certificate) error
CertificateExtensionFunc is passed a certificate that it may extend; it returns an error if the extension attempt failed.
type RandomSerialGenerator ¶
type RandomSerialGenerator struct { }
RandomSerialGenerator returns a serial based on time.Now and the subject.
func (*RandomSerialGenerator) Next ¶
func (s *RandomSerialGenerator) Next(template *x509.Certificate) (int64, error)
type SerialFileGenerator ¶
type SerialFileGenerator struct { SerialFile string Serial int64 // contains filtered or unexported fields }
SerialFileGenerator returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.
func NewSerialFileGenerator ¶
func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error)
func (*SerialFileGenerator) Next ¶
func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error)
Next returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.
type SerialGenerator ¶
type SerialGenerator interface {
Next(template *x509.Certificate) (int64, error)
}
SerialGenerator is an interface for getting a serial number for the cert. It MUST be thread-safe.
type TLSCARoots ¶
type TLSCARoots struct {
Roots []*x509.Certificate
}
type TLSCertificateConfig ¶
type TLSCertificateConfig struct { Certs []*x509.Certificate Key crypto.PrivateKey }
func GetServerCert ¶
func GetServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertificateConfig, error)
func GetTLSCertificateConfig ¶
func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)
func GetTLSCertificateConfigFromBytes ¶
func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)
func MakeCAConfigForDuration ¶
func MakeSelfSignedCAConfig ¶
func MakeSelfSignedCAConfig(name string, expireDays int) (*TLSCertificateConfig, error)
func MakeSelfSignedCAConfigForDuration ¶
func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)
func (*TLSCertificateConfig) GetPEMBytes ¶
func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)
func (*TLSCertificateConfig) WriteCertConfig ¶
func (c *TLSCertificateConfig) WriteCertConfig(certFile, keyFile io.Writer) error
func (*TLSCertificateConfig) WriteCertConfigFile ¶
func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error