tls

package v1.4.1

This package is not in the latest version of its module.

Published: Jun 24, 2021 License: Apache-2.0 Imports: 24 Imported by: 1

Documentation

Index

Constants

const (
	// ManagedByLabel is added to Kyverno managed secrets
	ManagedByLabel string = "cert.kyverno.io/managed-by"

	SelfSignedAnnotation string = "self-signed-cert"
	RootCAKey            string = "rootCA.crt"
)
const CertRenewalInterval time.Duration = 12 * time.Hour

CertRenewalInterval is the renewal interval for rootCA

const CertValidityDuration time.Duration = 365 * 24 * time.Hour

CertValidityDuration is the valid duration for a new cert

Variables

var ErrorsNotFound = "root CA certificate not found"

Functions

func CertificateToPem added in v1.3.0

func CertificateToPem(certificateDER []byte) []byte

CertificateToPem encodes a DER-encoded certificate as a PEM block.

func GenerateCACert added in v1.2.0

func GenerateCACert(certValidityDuration time.Duration) (*KeyPair, *PemPair, error)

GenerateCACert creates the self-signed CA certificate and private key; they are used to sign the webhook server certificate.

func GeneratePrivateKey added in v1.3.0

func GeneratePrivateKey() (*rsa.PrivateKey, error)

GeneratePrivateKey generates an RSA private key.

func IsKyvernoInRollingUpdate added in v1.4.0

func IsKyvernoInRollingUpdate(deploy map[string]interface{}, logger logr.Logger) bool

IsKyvernoInRollingUpdate returns true if Kyverno is in rolling update

func IsTLSPairShouldBeUpdated added in v1.1.0

func IsTLSPairShouldBeUpdated(tlsPair *PemPair) bool

IsTLSPairShouldBeUpdated checks whether the TLS pair has expired and needs to be updated.

func PrivateKeyToPem added in v1.3.0

func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte

PrivateKeyToPem creates a PEM block from a private key object.

func ReadRootCASecret added in v1.3.5

func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []byte, err error)

ReadRootCASecret returns the RootCA from the pre-defined secret

Types

type CertRenewer added in v1.3.5

type CertRenewer struct {
	// contains filtered or unexported fields
}

CertRenewer creates the rootCA and the PEM pair used to register webhook configurations and the webhook server, and renews the rootCA at the given interval.

func NewCertRenewer added in v1.3.5

func NewCertRenewer(client *client.Client, clientConfig *rest.Config, certRenewalInterval, certValidityDuration time.Duration, serverIP string, log logr.Logger) *CertRenewer

NewCertRenewer returns an instance of CertRenewer

func (*CertRenewer) Client added in v1.4.0

func (c *CertRenewer) Client() *client.Client

func (*CertRenewer) ClientConfig added in v1.4.0

func (c *CertRenewer) ClientConfig() *rest.Config

func (*CertRenewer) InitTLSPemPair added in v1.3.5

func (c *CertRenewer) InitTLSPemPair() (*PemPair, error)

InitTLSPemPair loads or creates the PEM private key and TLS certificate for the webhook server. A newly created pair is stored in the cluster's secret. Returns a struct with the key/certificate pair.

func (*CertRenewer) RollingUpdate added in v1.3.5

func (c *CertRenewer) RollingUpdate() error

RollingUpdate triggers a rolling update of the Kyverno pod. It is used when the rootCA is renewed: the restarted Kyverno pod registers the webhook server with the new certificate.

func (*CertRenewer) ValidCert added in v1.3.5

func (c *CertRenewer) ValidCert() (bool, error)

ValidCert validates the CA Cert

func (*CertRenewer) WriteCACertToSecret added in v1.3.5

func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair, props CertificateProps) error

WriteCACertToSecret stores the CA cert in secret

func (*CertRenewer) WriteTLSPairToSecret added in v1.3.5

func (c *CertRenewer) WriteTLSPairToSecret(props CertificateProps, pemPair *PemPair) error

WriteTLSPairToSecret writes the TLS certificate and key pair to the specified secret, updating the existing secret or creating a new one.

type CertificateProps added in v1.3.0

type CertificateProps struct {
	Service       string
	Namespace     string
	APIServerHost string
	ServerIP      string
}

CertificateProps holds the properties of the TLS certificate to be issued for the webhook server.

func GetTLSCertProps added in v1.3.5

func GetTLSCertProps(configuration *rest.Config) (certProps CertificateProps, err error)

GetTLSCertProps provides the TLS Certificate Properties

type KeyPair added in v1.2.0

type KeyPair struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

KeyPair holds a parsed X.509 certificate and its RSA private key.

type PemPair added in v1.3.0

type PemPair struct {
	Certificate []byte
	PrivateKey  []byte
}

PemPair is the pair of TLS certificate and corresponding private key, both in PEM format.

func GenerateCertPem added in v1.2.0

func GenerateCertPem(caCert *KeyPair, props CertificateProps, serverIP string, certValidityDuration time.Duration) (*PemPair, error)

GenerateCertPem takes the result of GenerateCACert and uses it to create the PEM-encoded certificate and private key for the webhook server.

func ReadTLSPair added in v1.3.5

func ReadTLSPair(restConfig *rest.Config, client *client.Client) (*PemPair, error)

ReadTLSPair returns the PEM pair from the pre-defined secret.
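As an added example that is not part of this package or its documentation, the following Go program walks through the lifecycle the functions above describe: a self-signed CA (the role of GenerateCACert), a CA-signed serving certificate carrying the service's in-cluster DNS names and server IP as SANs (GenerateCertPem with CertificateProps), PEM encoding (CertificateToPem and PrivateKeyToPem), the expiry check behind IsTLSPairShouldBeUpdated, and a chain verification of the kind the API server performs against the registered CA bundle. All function names, the service, namespace and IP values, and the 2048-bit key size are assumptions of this example, not the package's own code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// KeyPair and PemPair follow the field layout documented above; everything else
// here is example code written for this page, not the package's implementation.
type KeyPair struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

type PemPair struct {
	Certificate []byte
	PrivateKey  []byte
}

// toPEM wraps DER bytes in a PEM block of the given type.
func toPEM(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// parseCertPEM decodes the first PEM block as an X.509 certificate.
func parseCertPEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil {
		return nil, fmt.Errorf("input is not PEM")
	}
	return x509.ParseCertificate(block.Bytes)
}

// issue generates a fresh RSA key for tmpl and has parent sign it; a nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*KeyPair, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Cert: cert, Key: key}, nil
}

// generateCACert creates a self-signed CA whose key usage is limited to signing certificates.
func generateCACert(validity time.Duration) (*KeyPair, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-webhook-ca"}, // constructed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// generateServerCertPem issues a CA-signed serving certificate with the service's
// in-cluster DNS names (and optional IP) as SANs, and returns it PEM-encoded.
func generateServerCertPem(ca *KeyPair, service, namespace, serverIP string, validity time.Duration) (*PemPair, error) {
	fqdn := service + "." + namespace + ".svc"
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{service, service + "." + namespace, fqdn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ip := net.ParseIP(serverIP); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	kp, err := issue(tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return &PemPair{Certificate: toPEM("CERTIFICATE", kp.Cert.Raw), PrivateKey: toPEM("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(kp.Key))}, nil
}

// tlsPairShouldBeUpdated reports whether the certificate expires within renewBefore of now;
// an undecodable certificate also needs replacing.
func tlsPairShouldBeUpdated(pair *PemPair, renewBefore time.Duration, now time.Time) bool {
	cert, err := parseCertPEM(pair.Certificate)
	return err != nil || now.Add(renewBefore).After(cert.NotAfter)
}

// verifyChain validates the leaf against the CA for dnsName, as the API server does
// when it checks the webhook's serving certificate against the registered caBundle.
func verifyChain(caPEM, leafPEM []byte, dnsName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("CA bundle contains no certificates")
	}
	leaf, err := parseCertPEM(leafPEM)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, err := generateCACert(365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	pair, err := generateServerCertPem(ca, "webhook-svc", "webhook-ns", "10.0.0.5", 365*24*time.Hour) // constructed values
	if err != nil {
		panic(err)
	}
	fmt.Println("chain:", verifyChain(toPEM("CERTIFICATE", ca.Cert.Raw), pair.Certificate, "webhook-svc.webhook-ns.svc"))
	fmt.Println("renew within 12h:", tlsPairShouldBeUpdated(pair, 12*time.Hour, time.Now()))
}
```

The CA key is restricted to KeyUsageCertSign so that it is never usable as a serving key, and the leaf is checked with the exact DNS name the API server will dial: a certificate that chains correctly but lacks the matching SAN still fails verification, which is the usual cause of webhook "x509" errors after a rotation.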
