Constants

// Data keys used inside the etcd TLS Secrets. Each trio names the
// certificate, the matching private key and the CA bundle for one etcd
// identity; the "*.key" entries are private key material and must be
// treated accordingly wherever these Secrets are mounted or copied.
// Which Secret object each trio lands in is decided by the Reconcile*
// functions, not by these constants.
const (
	// Client-side identity used when talking to etcd (etcd-client-ca.crt is
	// the CA the client trusts, not the CA that issued the client cert).
	EtcdClientCrtKey = "etcd-client.crt"
	EtcdClientKeyKey = "etcd-client.key"
	EtcdClientCAKey  = "etcd-client-ca.crt"

	// Serving identity presented by etcd to its clients.
	EtcdServerCrtKey = "server.crt"
	EtcdServerKeyKey = "server.key"
	EtcdServerCAKey  = "server-ca.crt"

	// Peer identity used for etcd member-to-member traffic.
	EtcdPeerCrtKey = "peer.crt"
	EtcdPeerKeyKey = "peer.key"
	EtcdPeerCAKey  = "peer-ca.crt"
)

Etcd secret keys: the data keys under which the etcd client, server and peer certificates, their private keys and the corresponding CA bundles are stored in their Secrets.

// Data keys of the Secret holding the service-account token signing key
// pair (see ReconcileServiceAccountSigningKeySecret). The private key is
// what signs every service-account token issued by the hosted API server,
// so it is among the most sensitive items this package manages; the public
// key is what the API server uses to verify those tokens.
const (
	// Service signer secret keys
	ServiceSignerPrivateKey = "service-account.key"
	ServiceSignerPublicKey  = "service-account.pub"
)
// Data keys of a CA signer Secret (ca.crt / ca.key) and the annotation
// written by AnnotateWithCA. NOTE(review): given AnnotateWithCA(secret, ca)
// and SignedSecretUpToDate(secret, ca, keys), the annotation presumably
// records a hash of the issuing CA on every signed Secret so that a CA
// rotation invalidates previously issued leaves — confirm against the
// function bodies, which are not shown here.
const (
	CASignerCertMapKey = "ca.crt"
	CASignerKeyMapKey  = "ca.key"
	CAHashAnnotation   = "hypershiftlite.openshift.io/ca-hash"
)

Variables

// Extended key usages and key usages applied to certificates issued by this
// package. These are package-level slices and are therefore mutable by any
// importer; treat them as read-only.
var (
	// X509UsageClientAuth limits a certificate to TLS client authentication.
	X509UsageClientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

	// X509UsageServerAuth limits a certificate to TLS server authentication.
	X509UsageServerAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}

	// X509UsageClientServerAuth permits both roles. It is written out as a
	// literal (same elements, same order as appending the two above) so that
	// it can never share a backing array with X509UsageClientAuth regardless
	// of that slice's capacity.
	X509UsageClientServerAuth = []x509.ExtKeyUsage{
		x509.ExtKeyUsageClientAuth,
		x509.ExtKeyUsageServerAuth,
	}

	// X509DefaultUsage is the KeyUsage set on leaf certificates.
	// NOTE(review): KeyEncipherment only has meaning for RSA key transport;
	// it is redundant (though harmless) on ECDSA/Ed25519 keys. The key
	// algorithm used by SignCertificate is not visible here.
	X509DefaultUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature

	// X509SignerUsage is X509DefaultUsage plus CertSign for CA certificates.
	// These bits do not by themselves make a certificate a CA; the issuer
	// must also set IsCA/BasicConstraintsValid on the template.
	X509SignerUsage = X509DefaultUsage | x509.KeyUsageCertSign
)

Functions

func AnnotateWithCA

func AnnotateWithCA(secret, ca *corev1.Secret)

func ReconcileClusterPolicyControllerCertSecret

func ReconcileClusterPolicyControllerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileClusterSignerCA

func ReconcileClusterSignerCA(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileCombinedCA

func ReconcileCombinedCA(cm *corev1.ConfigMap, ownerRef config.OwnerRef, rootCA, signerCA *corev1.Secret) error

func ReconcileEtcdClientSecret

func ReconcileEtcdClientSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdPeerSecret

func ReconcileEtcdPeerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdServerSecret

func ReconcileEtcdServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileIngressCert

func ReconcileIngressCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalOAuthAddress, ingressSubdomain string) error

func ReconcileKASAdminClientCertSecret

func ReconcileKASAdminClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASAggregatorCertSecret

func ReconcileKASAggregatorCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASKubeletClientCertSecret

func ReconcileKASKubeletClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASMachineBootstrapClientCertSecret

func ReconcileKASMachineBootstrapClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASServerCertSecret

func ReconcileKASServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalAPIAddress, serviceCIDR string) error

func ReconcileKonnectivityAgentSecret

func ReconcileKonnectivityAgentSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityClientSecret

func ReconcileKonnectivityClientSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityClusterSecret

func ReconcileKonnectivityClusterSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalKconnectivityAddress string) error

func ReconcileKonnectivityServerSecret

func ReconcileKonnectivityServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityWorkerAgentSecret

func ReconcileKonnectivityWorkerAgentSecret(cm *corev1.ConfigMap, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileMachineConfigServerCert

func ReconcileMachineConfigServerCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOLMPackageServerCertSecret

func ReconcileOLMPackageServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftAPIServerCertSecret

func ReconcileOpenShiftAPIServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftControllerManagerCertSecret

func ReconcileOpenShiftControllerManagerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftOAuthAPIServerCertSecret

func ReconcileOpenShiftOAuthAPIServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileRootCA

func ReconcileRootCA(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileServiceAccountSigningKeySecret

func ReconcileServiceAccountSigningKeySecret(secret, signingKey *corev1.Secret, ownerRef config.OwnerRef) error

func SecretUpToDate

func SecretUpToDate(secret *corev1.Secret, keys []string) bool

func SignCertificate

func SignCertificate(cfg *certs.CertCfg, ca *corev1.Secret) (crtBytes []byte, keyBytes []byte, caBytes []byte, err error)

func SignedSecretUpToDate

func SignedSecretUpToDate(secret, ca *corev1.Secret, keys []string) bool

func ValidCA

func ValidCA(secret *corev1.Secret) bool

Types

type PKIParams

// PKIParams carries the addresses, subnets and names that determine which
// subjects and SANs end up in the certificates this package issues
// (compare the ReconcileKASServerCertSecret, ReconcileIngressCert and
// ReconcileKonnectivityClusterSecret signatures, which take the same values
// as parameters). Every field that is an address or subdomain is security
// relevant: whatever is put here is what clients will be told to trust.
type PKIParams struct {
	// ServiceCIDR
	// Subnet for cluster services. Passed to ReconcileKASServerCertSecret;
	// presumably used to derive the in-cluster API service IP SAN — confirm
	// in that function.
	ServiceCIDR string `json:"serviceCIDR"`

	// PodCIDR
	// Subnet for pods. Not consumed by any function signature visible here.
	PodCIDR string `json:"podCIDR"`

	// ExternalAPIAddress
	// An externally accessible DNS name or IP for the API server. Currently obtained from the load balancer DNS name.
	// Must be the exact name clients connect with, or server cert
	// validation will fail.
	ExternalAPIAddress string `json:"externalAPIAddress"`

	// ExternalKconnectivityAddress
	// An externally accessible DNS name or IP for the Konnectivity proxy. Currently obtained from the load balancer DNS name.
	ExternalKconnectivityAddress string `json:"externalKconnectivityAddress"`

	// NodeInternalAPIServerIP
	// A fixed IP that pods on worker nodes will use to communicate with the API server - 172.20.0.1
	// NOTE(review): the "172.20.0.1" in the original comment reads as an
	// example or conventional value; nothing here shows it being defaulted.
	NodeInternalAPIServerIP string `json:"nodeInternalAPIServerIP"`

	// ExternalOauthAddress
	// An externally accessible DNS name or IP for the Oauth server. Currently obtained from Oauth load balancer DNS name.
	ExternalOauthAddress string `json:"externalOauthAddress"`

	// IngressSubdomain
	// Subdomain for cluster ingress. Used to generate the wildcard certificate for ingress.
	// A wildcard cert covers every host under this subdomain, so the value
	// should be exactly the ingress domain and nothing broader.
	IngressSubdomain string `json:"ingressSubdomain"`

	// Namespace used to generate internal DNS names for services.
	Namespace string `json:"namespace"`

	// Owner reference for resources
	OwnerRef config.OwnerRef `json:"ownerRef"`
}

func NewPKIParams

func NewPKIParams(hcp *hyperv1.HostedControlPlane,
	apiExternalAddress,
	oauthExternalAddress,
	konnectivityExternalAddress string) *PKIParams

func (*PKIParams) ReconcileOAuthServerCert

func (p *PKIParams) ReconcileOAuthServerCert(secret, sourceSecret, ca *corev1.Secret) error
