tls

package
Published: Jan 25, 2022 License: Apache-2.0 Imports: 25 Imported by: 1


Constants

const (
	// ManagedByLabel is added to Kyverno managed secrets
	ManagedByLabel      string = "cert.kyverno.io/managed-by"
	// MasterDeploymentUID is a label/annotation key. By its name it presumably
	// carries the UID of the Kyverno Deployment that owns the secret — verify
	// against the callers that set it.
	MasterDeploymentUID string = "cert.kyverno.io/master-deployment-uid"

	// SelfSignedAnnotation marks a certificate as self-signed. Whether this
	// string is used as the annotation key or its value is not visible here.
	SelfSignedAnnotation string = "self-signed-cert"
	// RootCAKey is presumably the data key under which the root CA certificate
	// is stored in the root-CA Secret read by ReadRootCASecret — confirm.
	RootCAKey            string = "rootCA.crt"
)
// CertRenewalInterval is the interval at which the root CA is renewed (12 hours).
// Note that it is far shorter than CertValidityDuration (one year).
const CertRenewalInterval time.Duration = 12 * time.Hour

CertRenewalInterval is the renewal interval for rootCA

// CertValidityDuration is the validity period given to a newly issued
// certificate: one year.
const CertValidityDuration time.Duration = 365 * 24 * time.Hour

CertValidityDuration is the valid duration for a new cert

Variables

// ErrorsNotFound is the message used when the root CA certificate is missing.
// NOTE(review): this is a plain string, not an error value, so callers cannot
// use errors.Is/errors.As on it and must compare message text. A sentinel
// error (errors.New) would be the idiomatic form, but changing the type here
// would break existing callers.
var ErrorsNotFound = "root CA certificate not found"

Functions

func CanAddAnnotationToSecret added in v1.5.4

func CanAddAnnotationToSecret(deplHash string, secret *unstructured.Unstructured) bool

func CertificateToPem added in v1.3.0

func CertificateToPem(certificateDER []byte) []byte

CertificateToPem wraps a DER-encoded certificate in a PEM block and returns the encoded bytes.

func GenerateCACert added in v1.2.0

func GenerateCACert(certValidityDuration time.Duration) (*KeyPair, *PemPair, error)

GenerateCACert creates a self-signed CA certificate and its private key, valid for certValidityDuration. The returned CA is used to sign the webhook server certificate (see GenerateCertPem).

func GeneratePrivateKey added in v1.3.0

func GeneratePrivateKey() (*rsa.PrivateKey, error)

GeneratePrivateKey generates a new RSA private key. It takes no parameters, so the key size is fixed inside the function and is not visible from this page.

func GenerateRootCASecretName added in v1.5.4

func GenerateRootCASecretName(props CertificateProps) string

func GenerateTLSPairSecretName added in v1.5.4

func GenerateTLSPairSecretName(props CertificateProps) string

func IsKyvernoInRollingUpdate added in v1.4.0

func IsKyvernoInRollingUpdate(deploy map[string]interface{}, logger logr.Logger) bool

IsKyvernoInRollingUpdate returns true if Kyverno is in rolling update

func IsTLSPairShouldBeUpdated added in v1.1.0

func IsTLSPairShouldBeUpdated(tlsPair *PemPair) bool

IsTLSPairShouldBeUpdated reports whether the TLS pair has expired and needs to be renewed.

func PrivateKeyToPem added in v1.3.0

func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte

PrivateKeyToPem Creates PEM block from private key object

func ReadRootCASecret added in v1.3.5

func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []byte, err error)

ReadRootCASecret returns the RootCA from the pre-defined secret

Types

type CertRenewer added in v1.3.5

// CertRenewer creates the root CA and the PEM key pair used by the webhook
// server and renews the root CA on a fixed interval. All of its fields are
// unexported; construct it with NewCertRenewer.
type CertRenewer struct {
	// contains filtered or unexported fields
}

CertRenewer creates the root CA and the PEM key pair used to register the webhook configurations and the webhook server, and renews the root CA at the given interval.

func NewCertRenewer added in v1.3.5

func NewCertRenewer(client *client.Client, clientConfig *rest.Config, certRenewalInterval, certValidityDuration time.Duration, serverIP string, log logr.Logger) *CertRenewer

NewCertRenewer returns an instance of CertRenewer

func (*CertRenewer) Client added in v1.4.0

func (c *CertRenewer) Client() *client.Client

func (*CertRenewer) ClientConfig added in v1.4.0

func (c *CertRenewer) ClientConfig() *rest.Config

func (*CertRenewer) InitTLSPemPair added in v1.3.5

func (c *CertRenewer) InitTLSPemPair() (*PemPair, error)

InitTLSPemPair loads or creates the PEM private key and TLS certificate for the webhook server. A newly created pair is stored in a cluster Secret, and the key/certificate pair is returned. Because that Secret holds the server's private key, read access to it should be restricted (for example via RBAC) to the Kyverno service account.

func (*CertRenewer) RollingUpdate added in v1.3.5

func (c *CertRenewer) RollingUpdate() error

RollingUpdate triggers a rolling update of the Kyverno pods. It is used after the root CA is renewed: the restarted pods register the webhook server with the new certificate.

func (*CertRenewer) ValidCert added in v1.3.5

func (c *CertRenewer) ValidCert() (bool, error)

ValidCert reports whether the CA certificate is valid; the error return covers failures of the check itself rather than an invalid certificate.

func (*CertRenewer) WriteCACertToSecret added in v1.3.5

func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair, props CertificateProps) error

WriteCACertToSecret stores the CA certificate in a Secret named from props. Note that caPEM is a PemPair, so if its PrivateKey field is populated the CA private key may be written to the Secret as well; treat that Secret as highly sensitive.

func (*CertRenewer) WriteTLSPairToSecret added in v1.3.5

func (c *CertRenewer) WriteTLSPairToSecret(props CertificateProps, pemPair *PemPair) error

WriteTLSPairToSecret Writes the pair of TLS certificate and key to the specified secret. Updates existing secret or creates new one.

type CertificateProps added in v1.3.0

type CertificateProps struct {
	// Service is, by its name, the webhook Service the certificate is issued
	// for — verify against GetTLSCertProps.
	Service       string
	// Namespace is presumably the namespace of that Service — verify.
	Namespace     string
	// APIServerHost is the API server host; GetTLSCertProps derives these
	// properties from a rest.Config, presumably including this field.
	APIServerHost string
	// ServerIP is the webhook server IP; NewCertRenewer and GenerateCertPem
	// also accept a serverIP argument.
	ServerIP      string
}

CertificateProps holds the properties of the TLS certificate to be issued for the webhook server.

func GetTLSCertProps added in v1.3.5

func GetTLSCertProps(configuration *rest.Config) (certProps CertificateProps, err error)

GetTLSCertProps provides the TLS Certificate Properties

type KeyPair added in v1.2.0

type KeyPair struct {
	// Cert is the parsed X.509 certificate.
	Cert *x509.Certificate
	// Key is the RSA private key matching Cert. It is secret material; do not
	// log or expose it.
	Key  *rsa.PrivateKey
}

KeyPair holds a parsed X.509 certificate together with its RSA private key.

type PemPair added in v1.3.0

type PemPair struct {
	// Certificate is the PEM-encoded certificate.
	Certificate []byte
	// PrivateKey is the PEM-encoded private key. It is secret material:
	// WriteTLSPairToSecret persists it in a cluster Secret, so access to that
	// Secret must be restricted.
	PrivateKey  []byte
}

PemPair holds a TLS certificate and its corresponding private key, both PEM-encoded.

func GenerateCertPem added in v1.2.0

func GenerateCertPem(caCert *KeyPair, props CertificateProps, serverIP string, certValidityDuration time.Duration) (*PemPair, error)

GenerateCertPem takes the CA key pair produced by GenerateCACert and uses it to issue the webhook server certificate, returning the PEM-encoded certificate and private key as a PemPair.

func ReadTLSPair added in v1.3.5

func ReadTLSPair(restConfig *rest.Config, client *client.Client) (*PemPair, error)

ReadTLSPair returns the pem pair from the pre-defined secret
