Documentation ¶
Index ¶
- Constants
- Variables
- func CertOrKeyExist(pkiPath, name string) bool
- func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate)
- func ChooseAPIServerBindAddress(bindAddress net.IP) (net.IP, error)
- func CreateBasic(serverURL, clusterName, userName string, caCert []byte) *clientcmdapi.Config
- func CreateJoinControlPlaneKubeConfigFiles(outDir string, cfg *InitConfiguration) error
- func CreatePKIAssets(cfg *InitConfiguration) error
- func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error
- func CreateWithCerts(serverURL, clusterName, userName string, caCert []byte, clientKey []byte, ...) *clientcmdapi.Config
- func CreateWithToken(serverURL, clusterName, userName string, caCert []byte, token string) *clientcmdapi.Config
- func EncodeCertPEM(cert *x509.Certificate) []byte
- func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)
- func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)
- func GetAPIServerAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
- func GetAPIServerVirtualIP(svcSubnetList string) (net.IP, error)
- func GetControlPlaneEndpoint(controlPlaneEndpoint string, localEndpoint *APIEndpoint) (string, error)
- func GetEtcdAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
- func GetEtcdPeerAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
- func GetKubernetesServiceCIDR(svcSubnetList string) (*net.IPNet, error)
- func GetLocalAPIEndpoint(localEndpoint *APIEndpoint) (string, error)
- func HasServerAuth(cert *x509.Certificate) bool
- func LowercaseSANs(sans []string)
- func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
- func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)
- func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, ...) (*x509.Certificate, error)
- func ParseHostPort(hostport string) (string, string, error)
- func ParsePort(port string) (int, error)
- func PathsForCertAndKey(pkiPath, name string) (string, string)
- func RemoveDuplicateAltNames(altNames *certutil.AltNames)
- func SetAPIEndpointDynamicDefaults(cfg *APIEndpoint) error
- func SetClusterDynamicDefaults(cfg *ClusterConfiguration, localAPIEndpoint *APIEndpoint, ...) error
- func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)
- func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)
- func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)
- func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)
- func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error
- func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, ...) error
- func WriteCert(pkiPath, name string, cert *x509.Certificate) error
- func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error
- func WriteKey(pkiPath, name string, key crypto.Signer) error
- func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error
- func WriteToDisk(filename string, kubeconfig *clientcmdapi.Config) error
- type APIEndpoint
- type APIServer
- type CertConfig
- type CertificateMap
- type CertificateTree
- type Certificates
- type ClusterConfiguration
- type DocumentMap
- type Etcd
- type ExternalEtcd
- type InitConfiguration
- type KubeadmCert
- func KubeadmCertAPIServer() *KubeadmCert
- func KubeadmCertEtcdAPIClient() *KubeadmCert
- func KubeadmCertEtcdCA() *KubeadmCert
- func KubeadmCertEtcdHealthcheck() *KubeadmCert
- func KubeadmCertEtcdPeer() *KubeadmCert
- func KubeadmCertEtcdServer() *KubeadmCert
- func KubeadmCertFrontProxyCA() *KubeadmCert
- func KubeadmCertFrontProxyClient() *KubeadmCert
- func KubeadmCertKubeletClient() *KubeadmCert
- func KubeadmCertRootCA() *KubeadmCert
- type LocalEtcd
- type Networking
- type NodeRegistrationOptions
- type Patches
Constants ¶
// File names, common names and well-known identities for the PKI assets and
// kubeconfig files kubeadm generates. All file names are relative to the
// certificates directory (ClusterConfiguration.CertificatesDir).
const (
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// (10 years). Leaf certificates therefore outlive typical key-rotation windows; rotation has to
	// be performed explicitly rather than relied on from expiry.
	CertificateValidity = time.Hour * 24 * 365 * 10

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines the CA private key file name
	CAKeyName = "ca.key"

	// APIServerCertAndKeyBaseName defines API's server certificate and key base name
	APIServerCertAndKeyBaseName = "apiserver"
	// APIServerCertName defines API's server certificate name
	APIServerCertName = "apiserver.crt"
	// APIServerKeyName defines API's server key name
	APIServerKeyName = "apiserver.key"
	// APIServerCertCommonName defines API's server certificate common name (CN)
	APIServerCertCommonName = "kube-apiserver"

	// APIServerKubeletClientCertAndKeyBaseName defines kubelet client certificate and key base name
	APIServerKubeletClientCertAndKeyBaseName = "apiserver-kubelet-client"
	// APIServerKubeletClientCertName defines kubelet client certificate name
	APIServerKubeletClientCertName = "apiserver-kubelet-client.crt"
	// APIServerKubeletClientKeyName defines kubelet client key name
	APIServerKubeletClientKeyName = "apiserver-kubelet-client.key"
	// APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN)
	APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client"

	// EtcdCACertAndKeyBaseName defines etcd's CA certificate and key base name
	EtcdCACertAndKeyBaseName = "etcd/ca"
	// EtcdCACertName defines etcd's CA certificate name
	EtcdCACertName = "etcd/ca.crt"
	// EtcdCAKeyName defines etcd's CA key name
	EtcdCAKeyName = "etcd/ca.key"

	// EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name
	EtcdServerCertAndKeyBaseName = "etcd/server"
	// EtcdServerCertName defines etcd's server certificate name
	EtcdServerCertName = "etcd/server.crt"
	// EtcdServerKeyName defines etcd's server key name
	EtcdServerKeyName = "etcd/server.key"

	// EtcdPeerCertAndKeyBaseName defines etcd's peer certificate and key base name
	EtcdPeerCertAndKeyBaseName = "etcd/peer"
	// EtcdPeerCertName defines etcd's peer certificate name
	EtcdPeerCertName = "etcd/peer.crt"
	// EtcdPeerKeyName defines etcd's peer key name
	EtcdPeerKeyName = "etcd/peer.key"

	// EtcdHealthcheckClientCertAndKeyBaseName defines etcd's healthcheck client certificate and key base name
	EtcdHealthcheckClientCertAndKeyBaseName = "etcd/healthcheck-client"
	// EtcdHealthcheckClientCertName defines etcd's healthcheck client certificate name
	EtcdHealthcheckClientCertName = "etcd/healthcheck-client.crt"
	// EtcdHealthcheckClientKeyName defines etcd's healthcheck client key name
	EtcdHealthcheckClientKeyName = "etcd/healthcheck-client.key"
	// EtcdHealthcheckClientCertCommonName defines etcd's healthcheck client certificate common name (CN)
	EtcdHealthcheckClientCertCommonName = "kube-etcd-healthcheck-client"

	// APIServerEtcdClientCertAndKeyBaseName defines apiserver's etcd client certificate and key base name
	APIServerEtcdClientCertAndKeyBaseName = "apiserver-etcd-client"
	// APIServerEtcdClientCertName defines apiserver's etcd client certificate name
	APIServerEtcdClientCertName = "apiserver-etcd-client.crt"
	// APIServerEtcdClientKeyName defines apiserver's etcd client key name
	APIServerEtcdClientKeyName = "apiserver-etcd-client.key"
	// APIServerEtcdClientCertCommonName defines apiserver's etcd client certificate common name (CN)
	APIServerEtcdClientCertCommonName = "kube-apiserver-etcd-client"

	// ServiceAccountKeyBaseName defines SA key base name
	ServiceAccountKeyBaseName = "sa"
	// ServiceAccountPublicKeyName defines SA public key file name
	ServiceAccountPublicKeyName = "sa.pub"
	// ServiceAccountPrivateKeyName defines SA private key file name; this key signs
	// service-account tokens, so its confidentiality is equivalent to that of a CA key.
	ServiceAccountPrivateKeyName = "sa.key"

	// FrontProxyCACertAndKeyBaseName defines front proxy CA certificate and key base name
	FrontProxyCACertAndKeyBaseName = "front-proxy-ca"
	// FrontProxyCACertName defines front proxy CA certificate name
	FrontProxyCACertName = "front-proxy-ca.crt"
	// FrontProxyCAKeyName defines front proxy CA key name
	FrontProxyCAKeyName = "front-proxy-ca.key"

	// FrontProxyClientCertAndKeyBaseName defines front proxy certificate and key base name
	FrontProxyClientCertAndKeyBaseName = "front-proxy-client"
	// FrontProxyClientCertName defines front proxy certificate name
	FrontProxyClientCertName = "front-proxy-client.crt"
	// FrontProxyClientKeyName defines front proxy key name
	FrontProxyClientKeyName = "front-proxy-client.key"
	// FrontProxyClientCertCommonName defines front proxy certificate common name,
	// used as the subject.commonname attribute (CN)
	FrontProxyClientCertCommonName = "front-proxy-client"

	// AdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the superuser/admin of the cluster
	AdminKubeConfigFileName = "admin.conf"
	// ControllerManagerKubeConfigFileName defines the file name for the controller manager's kubeconfig file
	ControllerManagerKubeConfigFileName = "controller-manager.conf"
	// SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file
	SchedulerKubeConfigFileName = "scheduler.conf"

	// ControllerManagerUser defines the well-known user the controller-manager should be authenticated as
	ControllerManagerUser = "system:kube-controller-manager"
	// SchedulerUser defines the well-known user the scheduler should be authenticated as
	SchedulerUser = "system:kube-scheduler"
	// SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default
	// (i.e. bound to the cluster-admin ClusterRole), so any client certificate carrying it as an
	// organization is effectively a cluster-admin credential and must be handled accordingly.
	SystemPrivilegedGroup = "system:masters"

	// DefaultAPIServerBindAddress is the default bind address for the API Server: the IPv4
	// unspecified address, i.e. listen on all interfaces.
	DefaultAPIServerBindAddress = "0.0.0.0"
)
// PEM block type labels used when encoding keys and certificates.
const (
	// PublicKeyBlockType is a possible value for pem.Block.Type.
	PublicKeyBlockType = "PUBLIC KEY"
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType = "CERTIFICATE"
)
Variables ¶
// NewPrivateKey returns a new private key. It is a package-level variable
// (defaulting to GeneratePrivateKey) so that the key source can be swapped,
// e.g. in tests.
var NewPrivateKey = GeneratePrivateKey
NewPrivateKey returns a new private key.
Functions ¶
func CertOrKeyExist ¶
CertOrKeyExist returns true if either the certificate or the key exists at the given path and base name.
func CheckCertificatePeriodValidity ¶
func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate)
CheckCertificatePeriodValidity takes a certificate and prints a warning if its period is not valid related to the current time. It does so only if the certificate was not validated already by keeping track with a cache.
func ChooseAPIServerBindAddress ¶
ChooseAPIServerBindAddress is a wrapper for netutil.ResolveBindAddress that also handles the case where no default routes were found and an IP for the API server could not be obtained.
func CreateBasic ¶
func CreateBasic(serverURL, clusterName, userName string, caCert []byte) *clientcmdapi.Config
CreateBasic creates a basic, general KubeConfig object that then can be extended
func CreateJoinControlPlaneKubeConfigFiles ¶
func CreateJoinControlPlaneKubeConfigFiles(outDir string, cfg *InitConfiguration) error
CreateJoinControlPlaneKubeConfigFiles will create and write to disk the kubeconfig files required by the kubeadm join --control-plane workflow, plus the admin kubeconfig file used by the administrator and by kubeadm itself; the kubelet.conf file must not be created because it will be created and signed by the kubelet TLS bootstrap process. When not using external CA mode, if a kubeconfig file already exists it is used only if it evaluates as equal to the expected one; otherwise an error is returned. For external CA mode, the creation of kubeconfig files is skipped.
func CreatePKIAssets ¶
func CreatePKIAssets(cfg *InitConfiguration) error
CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. If the PKI assets already exist in the target folder, they are used only if they evaluate as equal to the expected ones; otherwise an error is returned.
func CreateServiceAccountKeyAndPublicKeyFiles ¶
func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error
CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. If the SA public/private key files already exist in the target folder, they are used only if they evaluate as equal to the expected ones; otherwise an error is returned.
func CreateWithCerts ¶
func CreateWithCerts(serverURL, clusterName, userName string, caCert []byte, clientKey []byte, clientCert []byte) *clientcmdapi.Config
CreateWithCerts creates a KubeConfig object with access to the API server with client certificates
func CreateWithToken ¶
func CreateWithToken(serverURL, clusterName, userName string, caCert []byte, token string) *clientcmdapi.Config
CreateWithToken creates a KubeConfig object with access to the API server with a token
func EncodeCertPEM ¶
func EncodeCertPEM(cert *x509.Certificate) []byte
EncodeCertPEM returns PEM-encoded certificate data
func EncodePublicKeyPEM ¶
EncodePublicKeyPEM returns PEM-encoded public key data
func GeneratePrivateKey ¶
func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)
func GetAPIServerAltNames ¶
func GetAPIServerAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
GetAPIServerAltNames builds an AltNames object to be used when generating the apiserver certificate
func GetAPIServerVirtualIP ¶
GetAPIServerVirtualIP returns the IP of the internal Kubernetes API service
func GetControlPlaneEndpoint ¶
func GetControlPlaneEndpoint(controlPlaneEndpoint string, localEndpoint *APIEndpoint) (string, error)
GetControlPlaneEndpoint returns a properly formatted endpoint for the control plane, built according to the following rules: - If controlPlaneEndpoint is defined, use it. - If controlPlaneEndpoint is defined but without a port number, controlPlaneEndpoint + localEndpoint.BindPort is used. - Otherwise, when controlPlaneEndpoint is not defined, localEndpoint.AdvertiseAddress + localEndpoint.BindPort is used.
func GetEtcdAltNames ¶
func GetEtcdAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
GetEtcdAltNames builds an AltNames object for generating the etcd server certificate. The `advertise address` and localhost are included in the SAN since these are the interfaces the etcd static pod listens on. The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.ServerCertSANs`.
func GetEtcdPeerAltNames ¶
func GetEtcdPeerAltNames(cfg *InitConfiguration) (*certutil.AltNames, error)
GetEtcdPeerAltNames builds an AltNames object for generating the etcd peer certificate. Hostname and `API.AdvertiseAddress` are included if the user chooses to promote the single node etcd cluster into a multi-node one (stacked etcd). The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.PeerCertSANs`.
func GetKubernetesServiceCIDR ¶
GetKubernetesServiceCIDR returns the default Service CIDR for the Kubernetes internal service
func GetLocalAPIEndpoint ¶
func GetLocalAPIEndpoint(localEndpoint *APIEndpoint) (string, error)
GetLocalAPIEndpoint parses an APIEndpoint and returns it as a string, or returns an error in case it cannot be parsed.
func HasServerAuth ¶
func HasServerAuth(cert *x509.Certificate) bool
HasServerAuth returns true if the given certificate carries the ServerAuth (server authentication) extended key usage
func LowercaseSANs ¶
func LowercaseSANs(sans []string)
LowercaseSANs can be used to force all SANs to be lowercase so that they pass IsDNS1123Subdomain
func NewCertAndKey ¶
func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
NewCertAndKey creates a new certificate and key, signed by the given certificate authority certificate and key
func NewCertificateAuthority ¶
func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)
NewCertificateAuthority creates a new certificate and private key for the certificate authority
func NewSignedCert ¶
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error)
NewSignedCert creates a signed certificate using the given CA certificate and key
func ParseHostPort ¶
ParseHostPort parses a network address of the form "host:port", "ipv4:port", "[ipv6]:port" into host and port; the ":port" part may be omitted. If the string is not a valid representation of a network address, ParseHostPort returns an error.
func ParsePort ¶
ParsePort parses a string representing a TCP port. If the string is not a valid representation of a TCP port, ParsePort returns an error.
func PathsForCertAndKey ¶
PathsForCertAndKey returns the paths for the certificate and key given the path and basename.
func RemoveDuplicateAltNames ¶
RemoveDuplicateAltNames removes duplicate items in altNames.
func SetAPIEndpointDynamicDefaults ¶
func SetAPIEndpointDynamicDefaults(cfg *APIEndpoint) error
SetAPIEndpointDynamicDefaults checks and sets configuration values for the APIEndpoint object
func SetClusterDynamicDefaults ¶
func SetClusterDynamicDefaults(cfg *ClusterConfiguration, localAPIEndpoint *APIEndpoint, nodeRegOpts *NodeRegistrationOptions) error
SetClusterDynamicDefaults checks and sets values for the ClusterConfiguration object
func TryLoadCertAndKeyFromDisk ¶
TryLoadCertAndKeyFromDisk tries to load a cert and a key from disk and validates them
func TryLoadCertChainFromDisk ¶
func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)
TryLoadCertChainFromDisk tries to load the cert chain from disk
func TryLoadCertFromDisk ¶
func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)
TryLoadCertFromDisk tries to load the cert from disk
func TryLoadKeyFromDisk ¶
TryLoadKeyFromDisk tries to load the key from disk and validates it
func ValidateCertPeriod ¶
func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error
ValidateCertPeriod checks if the certificate is valid relative to the current time (+/- offset)
func VerifyCertChain ¶
func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error
VerifyCertChain verifies that a certificate has a valid chain of intermediate CAs back to the root CA
func WriteCert ¶
func WriteCert(pkiPath, name string, cert *x509.Certificate) error
WriteCert stores the given certificate at the given location
func WriteCertAndKey ¶
WriteCertAndKey stores certificate and key at the specified location
func WritePublicKey ¶
WritePublicKey stores the given public key at the given location
func WriteToDisk ¶
func WriteToDisk(filename string, kubeconfig *clientcmdapi.Config) error
WriteToDisk writes a KubeConfig object to disk with file mode 0600 (readable and writable by the owner only), since the file holds client credentials
Types ¶
type APIEndpoint ¶
// APIEndpoint describes the API server instance deployed on a node: the
// address it advertises and the secure port it binds to.
type APIEndpoint struct {
	// AdvertiseAddress sets the IP address for the API server to advertise.
	AdvertiseAddress string
	// BindPort sets the secure port for the API Server to bind to.
	// Defaults to 6443.
	BindPort int32
}
APIEndpoint contains the elements of the API server instance deployed on a node.
type APIServer ¶
// APIServer holds settings necessary for API server deployments in the cluster.
type APIServer struct {
	// CertSANs sets extra Subject Alternative Names for the API Server signing cert.
	// Every name listed here becomes an identity the serving cert is valid for.
	CertSANs []string
	// TimeoutForControlPlane controls the timeout that we use for API server to appear
	TimeoutForControlPlane *metav1.Duration
}
APIServer holds settings necessary for API server deployments in the cluster
type CertConfig ¶
// CertConfig is a wrapper around certutil.Config extending it with an explicit
// expiry and the public key algorithm to generate the key with.
type CertConfig struct {
	certutil.Config
	// NotAfter is the certificate expiry; when nil, presumably the package-level
	// CertificateValidity applies — confirm against NewSignedCert.
	NotAfter *time.Time
	// PublicKeyAlgorithm selects the key type passed to GeneratePrivateKey.
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}
CertConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.
type CertificateMap ¶
// CertificateMap is a flat map of certificates, keyed by Name.
type CertificateMap map[string]*KubeadmCert
CertificateMap is a flat map of certificates, keyed by Name.
func (CertificateMap) CertTree ¶
func (m CertificateMap) CertTree() (CertificateTree, error)
CertTree returns a one-level-deep tree, mapping a CA cert to an array of certificates that should be signed by it.
type CertificateTree ¶
// CertificateTree represents a one-level-deep tree, mapping a CA to the certs
// that depend on it (i.e. are signed by it).
type CertificateTree map[*KubeadmCert]Certificates
CertificateTree represents a one-level-deep tree, mapping a CA to the certs that depend on it.
func (CertificateTree) CreateTree ¶
func (t CertificateTree) CreateTree(ic *InitConfiguration) error
CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.
type Certificates ¶
// Certificates is a list of certificates that kubeadm should create.
type Certificates []*KubeadmCert
Certificates is a list of Certificates that Kubeadm should create.
func GetCertsWithoutEtcd ¶
func GetCertsWithoutEtcd() Certificates
GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.
func GetDefaultCertList ¶
func GetDefaultCertList() Certificates
GetDefaultCertList returns all of the certificates kubeadm requires to function.
func (Certificates) AsMap ¶
func (c Certificates) AsMap() CertificateMap
AsMap returns the list of certificates as a map, keyed by name.
type ClusterConfiguration ¶
// ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster.
type ClusterConfiguration struct {
	// Etcd holds configuration for etcd.
	Etcd Etcd
	// Networking holds configuration for the networking topology of the cluster.
	Networking Networking
	// ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane; it
	// can be a valid IP address or a RFC-1123 DNS subdomain, both with optional TCP port.
	// In case the ControlPlaneEndpoint is not specified, the AdvertiseAddress + BindPort
	// are used; in case the ControlPlaneEndpoint is specified but without a TCP port,
	// the BindPort is used.
	// Possible usages are:
	// e.g. In a cluster with more than one control plane instances, this field should be
	// assigned the address of the external load balancer in front of the
	// control plane instances.
	// e.g. in environments with enforced node recycling, the ControlPlaneEndpoint
	// could be used for assigning a stable DNS to the control plane.
	// The endpoint is also included in the API server certificate's SANs (see
	// GetAPIServerAltNames), so it must be set before the PKI assets are generated.
	ControlPlaneEndpoint string
	// APIServer contains extra settings for the API server control plane component
	APIServer APIServer
	// CertificatesDir specifies where to store or look for all required certificates.
	CertificatesDir string
}
ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster
func (*ClusterConfiguration) PublicKeyAlgorithm ¶
func (cfg *ClusterConfiguration) PublicKeyAlgorithm() x509.PublicKeyAlgorithm
PublicKeyAlgorithm returns the public key algorithm used for the certificate keys in the cluster.
type DocumentMap ¶
// DocumentMap is a convenient way to describe a map between a YAML document
// and its GVK type.
// +k8s:deepcopy-gen=false
type DocumentMap map[schema.GroupVersionKind][]byte
DocumentMap is a convenient way to describe a map between a YAML document and its GVK type. (The trailing +k8s:deepcopy-gen=false is a code-generator marker, not part of the description.)
type Etcd ¶
// Etcd contains elements describing the etcd configuration. Exactly one of
// Local or External is expected to be set.
type Etcd struct {
	// Local provides configuration knobs for configuring the local etcd instance
	// Local and External are mutually exclusive
	Local *LocalEtcd
	// External describes how to connect to an external etcd cluster
	// Local and External are mutually exclusive
	External *ExternalEtcd
}
Etcd contains elements describing Etcd configuration.
type ExternalEtcd ¶
// ExternalEtcd describes an external etcd cluster and the TLS material used
// to reach it.
type ExternalEtcd struct {
	// Endpoints of etcd members. Useful for using external etcd.
	// If not provided, kubeadm will run etcd in a static pod.
	Endpoints []string
	// CAFile is a TLS Certificate Authority file used to verify the etcd servers.
	CAFile string
	// CertFile is a TLS client certificate file used to authenticate to etcd.
	CertFile string
	// KeyFile is the TLS private key file matching CertFile; it is a credential
	// and must be protected like any other private key.
	KeyFile string
}
ExternalEtcd describes an external etcd cluster
type InitConfiguration ¶
// InitConfiguration contains a list of fields that are specifically "kubeadm init"-only
// runtime information. The cluster-wide config is stored in ClusterConfiguration.
// The InitConfiguration object IS NOT uploaded to the kubeadm-config ConfigMap in the
// cluster, only the ClusterConfiguration is.
type InitConfiguration struct {
	metav1.TypeMeta
	ClusterName string
	// ClusterConfiguration holds the cluster-wide information, and embeds that struct (which can be (un)marshalled separately as well)
	// When InitConfiguration is marshalled to bytes in the external version, this information IS NOT preserved (which can be seen from
	// the `json:"-"` tag in the external variant of these API types.
	ClusterConfiguration `json:"-"`
	// NodeRegistration holds fields that relate to registering the new control-plane node to the cluster
	NodeRegistration NodeRegistrationOptions
	// LocalAPIEndpoint represents the endpoint of the API server instance that's deployed on this control plane node
	// In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint in the sense that ControlPlaneEndpoint
	// is the global endpoint for the cluster, which then loadbalances the requests to each individual API server. This
	// configuration object lets you customize what IP/DNS name and port the local API server advertises it's accessible
	// on. By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in case that process
	// fails you may set the desired value here.
	LocalAPIEndpoint APIEndpoint
	// CertificateKey sets the key with which certificates and keys are encrypted prior to being uploaded in
	// a secret in the cluster during the uploadcerts init phase. Anyone holding this value can decrypt the
	// uploaded CA keys, so treat it as a secret: never log it or persist it in the uploaded configuration.
	CertificateKey string
}
InitConfiguration contains a list of fields that are specifically "kubeadm init"-only runtime information. The cluster-wide config is stored in ClusterConfiguration. The InitConfiguration object IS NOT uploaded to the kubeadm-config ConfigMap in the cluster, only the ClusterConfiguration is.
func SetInitDynamicDefaults ¶
func SetInitDynamicDefaults() (*InitConfiguration, error)
SetInitDynamicDefaults checks and sets configuration values for the InitConfiguration object
type KubeadmCert ¶
// KubeadmCert represents a certificate that kubeadm will create to function properly.
type KubeadmCert struct {
	// Name is the short identifier the certificate is keyed by in a CertificateMap.
	Name string
	// LongName is the human-readable description of the certificate.
	LongName string
	// BaseName is the file base name (without .crt/.key) under the certificates directory.
	BaseName string
	// CAName is the Name of the CA that signs this certificate.
	CAName string
	// contains filtered or unexported fields
}
KubeadmCert represents a certificate that Kubeadm will create to function properly.
func KubeadmCertAPIServer ¶
func KubeadmCertAPIServer() *KubeadmCert
KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
func KubeadmCertEtcdAPIClient ¶
func KubeadmCertEtcdAPIClient() *KubeadmCert
KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
func KubeadmCertEtcdCA ¶
func KubeadmCertEtcdCA() *KubeadmCert
KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
func KubeadmCertEtcdHealthcheck ¶
func KubeadmCertEtcdHealthcheck() *KubeadmCert
KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
func KubeadmCertEtcdPeer ¶
func KubeadmCertEtcdPeer() *KubeadmCert
KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
func KubeadmCertEtcdServer ¶
func KubeadmCertEtcdServer() *KubeadmCert
KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
func KubeadmCertFrontProxyCA ¶
func KubeadmCertFrontProxyCA() *KubeadmCert
KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
func KubeadmCertFrontProxyClient ¶
func KubeadmCertFrontProxyClient() *KubeadmCert
KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.
func KubeadmCertKubeletClient ¶
func KubeadmCertKubeletClient() *KubeadmCert
KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
func KubeadmCertRootCA ¶
func KubeadmCertRootCA() *KubeadmCert
KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
func (*KubeadmCert) CreateAsCA ¶
func (k *KubeadmCert) CreateAsCA(ic *InitConfiguration) (*x509.Certificate, crypto.Signer, error)
CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
func (*KubeadmCert) CreateFromCA ¶
func (k *KubeadmCert) CreateFromCA(ic *InitConfiguration, caCert *x509.Certificate, caKey crypto.Signer) error
CreateFromCA makes and writes a certificate using the given CA cert and key.
func (*KubeadmCert) GetConfig ¶
func (k *KubeadmCert) GetConfig(ic *InitConfiguration) (*CertConfig, error)
GetConfig returns the certificate configuration for this cert, derived from the provided InitConfiguration
type LocalEtcd ¶
// LocalEtcd describes the etcd cluster that kubeadm should run locally.
type LocalEtcd struct {
	// ServerCertSANs sets extra Subject Alternative Names for the etcd server signing cert.
	ServerCertSANs []string
	// PeerCertSANs sets extra Subject Alternative Names for the etcd peer signing cert.
	PeerCertSANs []string
}
LocalEtcd describes the etcd cluster that kubeadm should run locally
type Networking ¶
// Networking contains elements describing the cluster's networking configuration.
type Networking struct {
	// ServiceSubnet is the subnet used by k8s services. Defaults to "10.96.0.0/12".
	ServiceSubnet string
	// DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
	DNSDomain string
}
Networking contains elements describing cluster's networking configuration.
type NodeRegistrationOptions ¶
// NodeRegistrationOptions holds fields that relate to registering a new control-plane
// or node to the cluster, either via "kubeadm init" or "kubeadm join".
type NodeRegistrationOptions struct {
	// Name is the `.Metadata.Name` field of the Node API object that will be created in this `kubeadm init` or `kubeadm join` operation.
	// This field is also used in the CommonName field of the kubelet's client certificate to the API server,
	// i.e. it becomes the node identity the API server authenticates the kubelet as.
	// Defaults to the hostname of the node if not provided.
	Name string
}
NodeRegistrationOptions holds fields that relate to registering a new control-plane or node to the cluster, either via "kubeadm init" or "kubeadm join"
type Patches ¶
// Patches contains options related to applying patches to components deployed by kubeadm.
type Patches struct {
	// Directory is a path to a directory that contains files named "target[suffix][+patchtype].extension".
	// For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "target" can be one of
	// "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd". "patchtype" can be one
	// of "strategic" "merge" or "json" and they match the patch formats supported by kubectl.
	// The default "patchtype" is "strategic". "extension" must be either "json" or "yaml".
	// "suffix" is an optional string that can be used to determine which patches are applied
	// first alpha-numerically.
	// Files in this directory alter the control-plane manifests, so write access to it is
	// equivalent to control over those components.
	Directory string
}
Patches contains options related to applying patches to components deployed by kubeadm.