certificate

package
v1.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 20, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

README

Package: Certificate

This package contains tools for issuing and renewing certificates for the service mesh.

For design and details on mTLS and certificate issuance please see docs/patterns/certificates.md.

Interfaces

In types.go we define a single interface, certificate.Manager, the interface exposing a particular certificate provider. The certificate manager is responsible for issuing and renewing certificates. It abstracts away the particular methods of signing, renewing, and storing certificates away from the rest of the service mesh components.

Providers

The directory providers contains implementations of certificate issuers (certificate.Managers):

  1. tresor is a minimal internal implementation of a certificate issuer, which leverages Go's crypto library and uses Kubernetes' etcd for storage.
  2. keyvault is a certificate issuer leveraging Azure Key Vault for secrets storage.
  3. vault is another implementation of the certificate.Manager interface, which provides a way for all service mesh certificates to be stored on and signed by Hashicorp Vault.
  4. cert-manager is a certificate issuer leveraging cert-manager to sign certificates from Issuers.

Certificate Rotation

In the rotor directory we implement a certificate rotation mechanism, which may or may not be leveraged by the certificate issuers (providers).

Documentation

Overview

Package certificate is a generated GoMock package.

Package certificate implements utility routines to endcode and decode certificates, and provides the interface definitions for Certificate and Certificate Manager.

Index

Constants

View Source
const (
	// TypeCertificate is a string constant to be used in the generation of a certificate.
	TypeCertificate = "CERTIFICATE"

	// TypePrivateKey is a string constant to be used in the generation of a private key for a certificate.
	TypePrivateKey = "PRIVATE KEY"

	// TypeCertificateRequest is a string constant to be used in the generation
	// of a certificate requests.
	TypeCertificateRequest = "CERTIFICATE REQUEST"
)
View Source
const (
	// RenewBeforeCertExpires signifies how much earlier (before expiration) should a certificate be renewed
	RenewBeforeCertExpires = 30 * time.Second
)

Variables

View Source
var ErrNoCertificateInPEM = errors.New("no certificate in PEM")

ErrNoCertificateInPEM is the errror for no certificate in PEM

Functions

func DecodePEMCertificate

func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)

DecodePEMCertificate converts a certificate from PEM to x509 encoding

func DecodePEMPrivateKey

func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)

DecodePEMPrivateKey converts a certificate from PEM to x509 encoding

func EncodeCertDERtoPEM

func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)

EncodeCertDERtoPEM encodes the certificate provided in DER format into PEM format More information on the 2 formats is available in the following article: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

func EncodeCertReqDERtoPEM added in v0.4.0

func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)

EncodeCertReqDERtoPEM encodes the certificate request provided in DER format into PEM format.

func EncodeKeyDERtoPEM

func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)

EncodeKeyDERtoPEM converts a DER encoded private key into a PEM encoded key

func NewManager added in v1.1.0

func NewManager(
	ca *Certificate,
	client client,
	serviceCertValidityDuration time.Duration,
	msgBroker *messaging.Broker) (*manager, error)

NewManager creates a new CertManager with the passed CA and CA Private Key

Types

type Certificate added in v1.1.0

type Certificate struct {
	// The CommonName of the certificate
	CommonName CommonName

	// The serial number of the certificate
	SerialNumber SerialNumber

	// When the cert expires
	Expiration time.Time

	// PEM encoded Certificate and Key (byte arrays)
	CertChain  pem.Certificate
	PrivateKey pem.PrivateKey

	// Certificate authority signing this certificate
	IssuingCA pem.RootCertificate
}

Certificate represents an x509 certificate.

func (*Certificate) GetCertificateChain added in v1.1.0

func (c *Certificate) GetCertificateChain() pem.Certificate

GetCertificateChain returns the certificate chain of the certificate

func (*Certificate) GetCommonName added in v1.1.0

func (c *Certificate) GetCommonName() CommonName

GetCommonName returns the Common Name of the certificate

func (*Certificate) GetExpiration added in v1.1.0

func (c *Certificate) GetExpiration() time.Time

GetExpiration returns the expiration time of the certificate

func (*Certificate) GetIssuingCA added in v1.1.0

func (c *Certificate) GetIssuingCA() pem.RootCertificate

GetIssuingCA returns the issuing CA of the certificate

func (*Certificate) GetPrivateKey added in v1.1.0

func (c *Certificate) GetPrivateKey() pem.PrivateKey

GetPrivateKey returns the private key of the certificate

func (*Certificate) GetSerialNumber added in v1.1.0

func (c *Certificate) GetSerialNumber() SerialNumber

GetSerialNumber returns the serial number of the certificate

func (*Certificate) ShouldRotate added in v1.1.0

func (c *Certificate) ShouldRotate() bool

ShouldRotate determines whether a certificate should be rotated.

type CommonName

type CommonName string

CommonName is the Subject Common Name from a given SSL certificate.

func (CommonName) String

func (cn CommonName) String() string

type Manager

type Manager interface {
	// IssueCertificate issues a new certificate.
	IssueCertificate(CommonName, time.Duration) (*Certificate, error)

	// GetCertificate returns a certificate given its Common Name (CN)
	GetCertificate(CommonName) (*Certificate, error)

	// RotateCertificate rotates an existing certificate.
	RotateCertificate(CommonName) (*Certificate, error)

	// GetRootCertificate returns the root certificate in PEM format and its expiration.
	GetRootCertificate() (*Certificate, error)

	// ListCertificates lists all certificates issued
	ListCertificates() ([]*Certificate, error)

	// ReleaseCertificate informs the underlying certificate issuer that the given cert will no longer be needed.
	// This method could be called when a given payload is terminated. Calling this should remove certs from cache and free memory if possible.
	ReleaseCertificate(CommonName)
}

Manager is the interface declaring the methods for the Certificate Manager.

type MockManager added in v0.6.0

type MockManager struct {
	// contains filtered or unexported fields
}

MockManager is a mock of Manager interface.

func NewMockManager added in v0.6.0

func NewMockManager(ctrl *gomock.Controller) *MockManager

NewMockManager creates a new mock instance.

func (*MockManager) EXPECT added in v0.6.0

func (m *MockManager) EXPECT() *MockManagerMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockManager) GetCertificate added in v0.6.0

func (m *MockManager) GetCertificate(arg0 CommonName) (*Certificate, error)

GetCertificate mocks base method.

func (*MockManager) GetRootCertificate added in v0.6.0

func (m *MockManager) GetRootCertificate() (*Certificate, error)

GetRootCertificate mocks base method.

func (*MockManager) IssueCertificate added in v0.6.0

func (m *MockManager) IssueCertificate(arg0 CommonName, arg1 time.Duration) (*Certificate, error)

IssueCertificate mocks base method.

func (*MockManager) ListCertificates added in v0.6.0

func (m *MockManager) ListCertificates() ([]*Certificate, error)

ListCertificates mocks base method.

func (*MockManager) ReleaseCertificate added in v0.6.0

func (m *MockManager) ReleaseCertificate(arg0 CommonName)

ReleaseCertificate mocks base method.

func (*MockManager) RotateCertificate added in v0.6.0

func (m *MockManager) RotateCertificate(arg0 CommonName) (*Certificate, error)

RotateCertificate mocks base method.

type MockManagerMockRecorder added in v0.6.0

type MockManagerMockRecorder struct {
	// contains filtered or unexported fields
}

MockManagerMockRecorder is the mock recorder for MockManager.

func (*MockManagerMockRecorder) GetCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) GetCertificate(arg0 interface{}) *gomock.Call

GetCertificate indicates an expected call of GetCertificate.

func (*MockManagerMockRecorder) GetRootCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) GetRootCertificate() *gomock.Call

GetRootCertificate indicates an expected call of GetRootCertificate.

func (*MockManagerMockRecorder) IssueCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) IssueCertificate(arg0, arg1 interface{}) *gomock.Call

IssueCertificate indicates an expected call of IssueCertificate.

func (*MockManagerMockRecorder) ListCertificates added in v0.6.0

func (mr *MockManagerMockRecorder) ListCertificates() *gomock.Call

ListCertificates indicates an expected call of ListCertificates.

func (*MockManagerMockRecorder) ReleaseCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) ReleaseCertificate(arg0 interface{}) *gomock.Call

ReleaseCertificate indicates an expected call of ReleaseCertificate.

func (*MockManagerMockRecorder) RotateCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) RotateCertificate(arg0 interface{}) *gomock.Call

RotateCertificate indicates an expected call of RotateCertificate.

type SerialNumber added in v0.7.0

type SerialNumber string

SerialNumber is the Serial Number of the given certificate.

func (SerialNumber) String added in v0.7.0

func (sn SerialNumber) String() string

Directories

Path Synopsis
Package pem defines the types for the attributes of a Certificate.
Package pem defines the types for the attributes of a Certificate.
Package providers implements generic certificate provider related functionality
Package providers implements generic certificate provider related functionality
certmanager
Package certmanager implements the certificate.Manager interface for cert-manager.io as the certificate provider.
Package certmanager implements the certificate.Manager interface for cert-manager.io as the certificate provider.
tresor
Package tresor implements the certificate.Manager interface for Tresor, a custom certificate provider in OSM.
Package tresor implements the certificate.Manager interface for Tresor, a custom certificate provider in OSM.
vault
Package vault implements the certificate.Manager interface for Hashicorp Vault as the certificate provider.
Package vault implements the certificate.Manager interface for Hashicorp Vault as the certificate provider.
Package rotor implements functionality to rotate certificates provided by a certificate provider.
Package rotor implements functionality to rotate certificates provided by a certificate provider.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL