Documentation ¶
Index ¶
Constants ¶
const (
	DefaultCertPath     = "cert"
	DefaultClientCAPath = "clientca"
)
const MaxSize = 1 << 20 // 1MB
Variables ¶
var DefaultVaultClient = &vaultClient{}
var ErrNoCertsStored = errors.New("cert: no certificates stored")
Functions ¶
func TLSConfig ¶
func TLSConfig(src Source, strictMatch bool, minVersion, maxVersion uint16, cipherSuites []uint16) (*tls.Config, error)
TLSConfig creates a tls.Config whose GetCertificate callback is served by a certificate store that uses the given Source to update the certificates on demand. strictMatch controls what happens when the client's server name (SNI) matches no stored certificate: with it set the handshake fails, without it the first (default) certificate is served. minVersion, maxVersion and cipherSuites are passed through to the tls.Config.
If src.LoadClientCAs returns a non-nil pool, it also sets ClientCAs to that pool and ClientAuth to tls.RequireAndVerifyClientCert, so every client must present a certificate that chains to one of those CAs.
Types ¶
type ConsulSource ¶
ConsulSource implements a certificate source which loads TLS and client authentication certificates from the Consul KV store. CertURL/ClientCAURL must point to the base path of the certificates. The TLS certificates are updated automatically when the KV store changes.
func (ConsulSource) Certificates ¶
func (s ConsulSource) Certificates() chan []tls.Certificate
func (ConsulSource) LoadClientCAs ¶
func (s ConsulSource) LoadClientCAs() (*x509.CertPool, error)
type FileSource ¶
FileSource implements a certificate source for one TLS and one client authentication certificate. The certificates are loaded during startup and are cached in memory until the program exits. It exists to support the legacy configuration only. The PathSource should be used instead.
func (FileSource) Certificates ¶
func (s FileSource) Certificates() chan []tls.Certificate
func (FileSource) LoadClientCAs ¶
func (s FileSource) LoadClientCAs() (*x509.CertPool, error)
type HTTPSource ¶
type HTTPSource struct {
	CertURL     string
	ClientCAURL string
	CAUpgradeCN string
	Refresh     time.Duration
}
HTTPSource implements a certificate source which loads TLS and client authentication certificates from an HTTP/HTTPS server. The CertURL/ClientCAURL must point to a text file in the directory of the certificates. The text file contains all files that should be loaded from this directory - one filename per line. The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second to prevent busy loops.
func (HTTPSource) Certificates ¶
func (s HTTPSource) Certificates() chan []tls.Certificate
func (HTTPSource) LoadClientCAs ¶
func (s HTTPSource) LoadClientCAs() (*x509.CertPool, error)
type Issuer ¶ added in v1.5.3
type Issuer interface {
	// Issue issues a new certificate for the given common name. Issue must
	// return a certificate or an error, never (nil, nil).
	Issue(commonName string) (*tls.Certificate, error)
}
Issuer is the interface implemented by sources that can issue certificates on-demand.
type PathSource ¶
type PathSource struct {
	Path         string
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
}
func (PathSource) Certificates ¶
func (s PathSource) Certificates() chan []tls.Certificate
func (PathSource) LoadClientCAs ¶
func (s PathSource) LoadClientCAs() (*x509.CertPool, error)
type Source ¶
type Source interface {
	// Certificates() loads certificates for TLS connections.
	// The first certificate is used as the default certificate
	// if the client does not support SNI or no matching certificate
	// could be found. TLS certificates can be updated at runtime.
	Certificates() chan []tls.Certificate

	// LoadClientCAs() provides certificates for client certificate
	// authentication.
	LoadClientCAs() (*x509.CertPool, error)
}
Source provides the interface for dynamic certificate sources.
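As an added example, not code from this package, the self-contained Go program below shows how a Source-backed store is consumed on the server side: a Store-like type whose certificate list can be replaced at runtime, a tls.Config GetCertificate callback that applies the selection rules above (SNI name matched against each certificate's SANs, first certificate as the default when the client sends no SNI, strictMatch turning a miss into a handshake error), and an Issuer that is consulted for names no stored certificate covers, as the Issuer interface and VaultPKISource describe. certStore, memIssuer and the strict field are hypothetical names; memIssuer is a constructed stand-in for a Vault PKI backend that self-signs short-lived leaf certificates, and the channel plumbing of the real sources is replaced by a direct SetCertificates call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// Issuer mirrors the page's Issuer interface: issue a certificate for a name on demand.
type Issuer interface {
	Issue(commonName string) (*tls.Certificate, error)
}

// certStore is a hypothetical stand-in for the page's Store with the Source selection rules:
// certs[0] is the default, and strict (the page's strictMatch) turns an SNI miss into an error.
type certStore struct {
	mu     sync.RWMutex
	certs  []tls.Certificate
	strict bool
	issuer Issuer // optional; consulted when no stored certificate matches the SNI name
}

// SetCertificates replaces the list wholesale, so readers holding the old slice stay consistent.
func (s *certStore) SetCertificates(certs []tls.Certificate) {
	s.mu.Lock()
	s.certs = certs
	s.mu.Unlock()
}

// GetCertificate is the tls.Config callback: match SNI against each certificate's SANs (wildcards
// included) via VerifyHostname, else issue on demand, else fall back to certs[0]. Entries need a
// parsed Leaf: tls.X509KeyPair sets it from Go 1.23 on; older code must parse Certificate[0].
func (s *certStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	certs := s.certs
	s.mu.RUnlock()
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	for i := range certs {
		if leaf := certs[i].Leaf; name != "" && leaf != nil && leaf.VerifyHostname(name) == nil {
			return &certs[i], nil
		}
	}
	if s.issuer != nil && name != "" { // unknown name: issue and cache
		c, err := s.issuer.Issue(name)
		if err != nil || c == nil { // Issue must return a certificate or an error, never (nil, nil)
			return nil, fmt.Errorf("cert: issuing %q failed: %v", name, err)
		}
		s.SetCertificates(append(append([]tls.Certificate(nil), certs...), *c))
		return c, nil
	}
	if len(certs) == 0 {
		return nil, errors.New("cert: no certificates stored")
	}
	if name != "" && s.strict {
		return nil, errors.New("cert: no certificate matches " + name)
	}
	return &certs[0], nil // no SNI, or a miss in non-strict mode: default certificate
}

// memIssuer is a constructed stand-in for a Vault PKI backend; for brevity it self-signs
// short-lived leaf certificates instead of chaining them to a CA.
type memIssuer struct{}

func (memIssuer) Issue(commonName string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: commonName}, DNSNames: []string{commonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

func main() {
	cfg := &tls.Config{GetCertificate: (&certStore{issuer: memIssuer{}}).GetCertificate, MinVersion: tls.VersionTLS12}
	c, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: "www.example.com"})
	fmt.Println(c.Leaf.Subject.CommonName, err) // www.example.com <nil>
}
```

main wires the store into tls.Config the way TLSConfig does; to require client certificates, additionally set cfg.ClientCAs to the pool returned by LoadClientCAs and cfg.ClientAuth = tls.RequireAndVerifyClientCert. In a real deployment a goroutine ranges over src.Certificates() and calls SetCertificates on every update. The issue-and-cache path builds the new list from its own snapshot, so an update arriving between the snapshot and the write would be lost; a production store should re-read the list under the write lock before appending.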
type Store ¶
type Store struct {
// contains filtered or unexported fields
}
Store provides a dynamic certificate store which can be updated at runtime and is safe for concurrent use.
func (*Store) SetCertificates ¶
func (s *Store) SetCertificates(certs []tls.Certificate)
SetCertificates replaces the certificates of the store.
type VaultPKISource ¶ added in v1.5.3
type VaultPKISource struct {
	Client       *vaultClient
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string

	// Re-issue certificates this long before they expire. Cannot be less than
	// one hour.
	Refresh time.Duration
	// contains filtered or unexported fields
}
VaultPKISource implements a certificate source which issues TLS certificates on-demand using a Vault PKI backend. The client authentication CA certificates are loaded from a generic (KV) backend, as in VaultSource. The Vault token should be set through the VAULT_TOKEN environment variable.
The TLS certificates are re-issued automatically before they expire.
func NewVaultPKISource ¶ added in v1.5.3
func NewVaultPKISource() *VaultPKISource
func (*VaultPKISource) Certificates ¶ added in v1.5.3
func (s *VaultPKISource) Certificates() chan []tls.Certificate
func (*VaultPKISource) Issue ¶ added in v1.5.3
func (s *VaultPKISource) Issue(commonName string) (*tls.Certificate, error)
func (*VaultPKISource) LoadClientCAs ¶ added in v1.5.3
func (s *VaultPKISource) LoadClientCAs() (*x509.CertPool, error)
type VaultSource ¶
type VaultSource struct {
	Client       *vaultClient
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
}
VaultSource implements a certificate source which loads TLS and client authentication certificates from a Vault server. The Vault token should be set through the VAULT_TOKEN environment variable.
The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second to prevent busy loops.
func (*VaultSource) Certificates ¶
func (s *VaultSource) Certificates() chan []tls.Certificate
func (*VaultSource) LoadClientCAs ¶
func (s *VaultSource) LoadClientCAs() (*x509.CertPool, error)