Documentation
Constants

const (
	DefaultCertPath     = "cert"
	DefaultClientCAPath = "clientca"
)
const MaxSize = 1 << 20 // 1MB
Variables
This section is empty.
Functions

func TLSConfig
TLSConfig creates a tls.Config whose GetCertificate field points at a certificate store that uses the given source to update the certificates on demand.
It also sets the ClientCAs field if src.LoadClientCAs returns a non-nil value and sets ClientAuth to RequireAndVerifyClientCert.
Types

type ConsulSource
ConsulSource implements a certificate source which loads TLS and client authentication certificates from the Consul KV store. CertURL/ClientCAURL must point to the base path of the certificates. The TLS certificates are updated automatically when the KV store changes.
func (ConsulSource) Certificates
func (s ConsulSource) Certificates() chan []tls.Certificate
func (ConsulSource) LoadClientCAs
func (s ConsulSource) LoadClientCAs() (*x509.CertPool, error)
type FileSource
FileSource implements a certificate source for one TLS and one client authentication certificate. The certificates are loaded during startup and are cached in memory until the program exits. It exists to support the legacy configuration only. The PathSource should be used instead.
func (FileSource) Certificates
func (s FileSource) Certificates() chan []tls.Certificate
func (FileSource) LoadClientCAs
func (s FileSource) LoadClientCAs() (*x509.CertPool, error)
type HTTPSource

type HTTPSource struct {
	CertURL     string
	ClientCAURL string
	CAUpgradeCN string
	Refresh     time.Duration
}
HTTPSource implements a certificate source which loads TLS and client authentication certificates from an HTTP/HTTPS server. CertURL/ClientCAURL must point to a text file in the directory of the certificates. The text file lists all files that should be loaded from that directory, one filename per line. The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second, to prevent busy loops.
func (HTTPSource) Certificates
func (s HTTPSource) Certificates() chan []tls.Certificate
func (HTTPSource) LoadClientCAs
func (s HTTPSource) LoadClientCAs() (*x509.CertPool, error)
type PathSource

type PathSource struct {
	Path         string
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
}
func (PathSource) Certificates
func (s PathSource) Certificates() chan []tls.Certificate
func (PathSource) LoadClientCAs
func (s PathSource) LoadClientCAs() (*x509.CertPool, error)
type Source

type Source interface {
	Certificates() chan []tls.Certificate
	LoadClientCAs() (*x509.CertPool, error)
}
Source provides the interface for dynamic certificate sources.
Certificates() loads certificates for TLS connections. The first certificate is used as the default certificate if the client does not support SNI or no matching certificate could be found. TLS certificates can be updated at runtime.
LoadClientCAs() provides certificates for client certificate authentication.
type Store
type Store struct {
// contains filtered or unexported fields
}
Store provides a dynamic certificate store which can be updated at runtime and is safe for concurrent use.
func (*Store) GetCertificate
func (s *Store) GetCertificate(clientHello *tls.ClientHelloInfo) (cert *tls.Certificate, err error)
GetCertificate returns a matching certificate for the given clientHello if possible or the first certificate from the store.
func (*Store) SetCertificates
func (s *Store) SetCertificates(certs []tls.Certificate)
SetCertificates replaces the certificates of the store.
type VaultSource

type VaultSource struct {
	Addr         string
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
	// contains filtered or unexported fields
}
VaultSource implements a certificate source which loads TLS and client authentication certificates from a Vault server. The Vault token should be set through the VAULT_TOKEN environment variable.
The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second, to prevent busy loops.
func (VaultSource) Certificates
func (s VaultSource) Certificates() chan []tls.Certificate
func (VaultSource) LoadClientCAs
func (s VaultSource) LoadClientCAs() (*x509.CertPool, error)