pki

package
v0.1.20
Published: Feb 27, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Constants

// Etcd secret keys: the Secret data keys under which the etcd client, server
// and peer certificates (.crt) and their private keys (.key) are stored.
// The .key entries are private key material and should be handled as such.
const (
	// EtcdClientCrtKey is the Secret data key holding the etcd client certificate.
	EtcdClientCrtKey = "etcd-client.crt"
	// EtcdClientKeyKey is the Secret data key holding the etcd client private key.
	EtcdClientKeyKey = "etcd-client.key"

	// EtcdServerCrtKey is the Secret data key holding the etcd server certificate.
	EtcdServerCrtKey = "server.crt"
	// EtcdServerKeyKey is the Secret data key holding the etcd server private key.
	EtcdServerKeyKey = "server.key"

	// EtcdPeerCrtKey is the Secret data key holding the etcd peer certificate.
	EtcdPeerCrtKey = "peer.crt"
	// EtcdPeerKeyKey is the Secret data key holding the etcd peer private key.
	EtcdPeerKeyKey = "peer.key"
)

Etcd secret keys

// Service signer secret keys: the Secret data keys under which the
// service-account signing key pair is stored. The private half signs
// service-account tokens, so the Secret holding it must be protected
// like any other signing key.
const (
	// ServiceSignerPrivateKey is the Secret data key holding the private signing key.
	ServiceSignerPrivateKey = "service-account.key"
	// ServiceSignerPublicKey is the Secret data key holding the matching public key.
	ServiceSignerPublicKey  = "service-account.pub"
)

Variables

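var (
	// X509UsageClientAuth is the extended key usage for certificates that
	// only authenticate a TLS client.
	X509UsageClientAuth       = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	// X509UsageServerAuth is the extended key usage for certificates that
	// only authenticate a TLS server.
	X509UsageServerAuth       = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	// X509UsageClientServerAuth is the extended key usage for certificates
	// used for both client and server authentication.
	//
	// Spelled out as its own literal rather than
	// append(X509UsageClientAuth, X509UsageServerAuth...): append only
	// isolates the result because the source slice happens to have no spare
	// capacity, and these are mutable package-level slices that every signer
	// in the package shares. A literal guarantees the three slices never
	// share a backing array, so a write to one cannot widen the usages
	// granted by another.
	X509UsageClientServerAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}

	// X509DefaultUsage is the default key usage: key encipherment plus
	// digital signature.
	X509DefaultUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	// X509SignerUsage is X509DefaultUsage plus CertSign, for certificates
	// that issue other certificates.
	X509SignerUsage  = X509DefaultUsage | x509.KeyUsageCertSign
)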

Functions

func AddBracketsIfIPv6 added in v0.1.17

func AddBracketsIfIPv6(apiAddress string) string

AddBracketsIfIPv6 is needed to build the server API URL for every kubeconfig created. It returns the address without brackets if it is a URL or an IPv4 address, and with brackets if it is a valid IPv6 address.

func ReconcileAWSPodIdentityWebhookServingCert

func ReconcileAWSPodIdentityWebhookServingCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileAdminKubeconfigSigner

func ReconcileAdminKubeconfigSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileAggregatorClientCA

func ReconcileAggregatorClientCA(cm *corev1.ConfigMap, ownerRef config.OwnerRef, signer *corev1.Secret) error

func ReconcileAggregatorClientSigner

func ReconcileAggregatorClientSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileCSISnapshotWebhookTLS

func ReconcileCSISnapshotWebhookTLS(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

Creates the TLS key pair for csi-snapshot-webhook. In standalone OCP it is created automatically when csi-snapshot-controller-operator creates the Service for the webhook with the annotation `service.openshift.io/serving-cert-secret-name`; in HyperShift it must be done by control-plane-operator.

func ReconcileCVOServerSecret

func ReconcileCVOServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdClientSecret

func ReconcileEtcdClientSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdMetricsClientSecret

func ReconcileEtcdMetricsClientSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdMetricsSignerConfigMap

func ReconcileEtcdMetricsSignerConfigMap(cm *corev1.ConfigMap, ownerRef config.OwnerRef, etcdMetricsSigner *corev1.Secret) error

func ReconcileEtcdMetricsSignerSecret

func ReconcileEtcdMetricsSignerSecret(secret *corev1.Secret, ownerref config.OwnerRef) error

func ReconcileEtcdPeerSecret

func ReconcileEtcdPeerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdServerSecret

func ReconcileEtcdServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileEtcdSignerConfigMap

func ReconcileEtcdSignerConfigMap(cm *corev1.ConfigMap, ownerRef config.OwnerRef, etcdSigner *corev1.Secret) error

func ReconcileEtcdSignerSecret

func ReconcileEtcdSignerSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileIgnitionServerCertSecret added in v0.1.9

func ReconcileIgnitionServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileIngressCert

func ReconcileIngressCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef, ingressSubdomain string) error

func ReconcileKASAggregatorCertSecret

func ReconcileKASAggregatorCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASKubeletClientCertSecret

func ReconcileKASKubeletClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASMachineBootstrapClientCertSecret

func ReconcileKASMachineBootstrapClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKASServerCertSecret

func ReconcileKASServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalAPIAddress, internalAPIAddress string, serviceCIDRs []string) error

func ReconcileKASToKubeletSigner

func ReconcileKASToKubeletSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKCMServerSecret

func ReconcileKCMServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityAgentSecret

func ReconcileKonnectivityAgentSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityClientSecret

func ReconcileKonnectivityClientSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivityClusterSecret

func ReconcileKonnectivityClusterSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalKconnectivityAddress string) error

func ReconcileKonnectivityConfigMap

func ReconcileKonnectivityConfigMap(cm *corev1.ConfigMap, ownerRef config.OwnerRef, konnectivityCA *corev1.Secret) error

func ReconcileKonnectivityServerSecret

func ReconcileKonnectivityServerSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKonnectivitySignerSecret

func ReconcileKonnectivitySignerSecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKubeCSRSigner

func ReconcileKubeCSRSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKubeConfig

func ReconcileKubeConfig(secret, cert *corev1.Secret, ca *corev1.ConfigMap, url string, key string, scope manifests.KubeconfigScope, ownerRef config.OwnerRef) error

func ReconcileKubeControlPlaneSigner

func ReconcileKubeControlPlaneSigner(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKubeControllerManagerClientCertSecret

func ReconcileKubeControllerManagerClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKubeSchedulerClientCertSecret

func ReconcileKubeSchedulerClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileKubeletClientCA

func ReconcileKubeletClientCA(cm *corev1.ConfigMap, ownerRef config.OwnerRef, signers ...*corev1.Secret) error

func ReconcileMachineConfigServerCert

func ReconcileMachineConfigServerCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileMetricsSAClientCertSecret

func ReconcileMetricsSAClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileNodeTuningOperatorServingCertSecret added in v0.1.3

func ReconcileNodeTuningOperatorServingCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOAuthMasterCABundle added in v0.1.2

func ReconcileOAuthMasterCABundle(caBundle *corev1.ConfigMap, ownerRef config.OwnerRef, sourceCerts []*corev1.Secret) error

func ReconcileOAuthServerCert

func ReconcileOAuthServerCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef, externalOAuthAddress string) error

func ReconcileOLMCatalogOperatorServingCertSecret

func ReconcileOLMCatalogOperatorServingCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOLMOperatorServingCertSecret

func ReconcileOLMOperatorServingCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOLMPackageServerCertSecret

func ReconcileOLMPackageServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftAPIServerCertSecret

func ReconcileOpenShiftAPIServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftAuthenticatorCertSecret

func ReconcileOpenShiftAuthenticatorCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftControllerManagerCertSecret

func ReconcileOpenShiftControllerManagerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileOpenShiftOAuthAPIServerCertSecret

func ReconcileOpenShiftOAuthAPIServerCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileRegistryOperatorServingCert

func ReconcileRegistryOperatorServingCert(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileRootCA

func ReconcileRootCA(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileRootCAConfigMap

func ReconcileRootCAConfigMap(cm *corev1.ConfigMap, ownerRef config.OwnerRef, rootCA *corev1.Secret, observedDefaultIngressCert *corev1.ConfigMap) error

func ReconcileServiceAccountKubeconfig

func ReconcileServiceAccountKubeconfig(secret, csrSigner *corev1.Secret, ca *corev1.ConfigMap, hcp *hyperv1.HostedControlPlane, serviceAccountNamespace, serviceAccountName string) error

func ReconcileServiceAccountSigningKeySecret

func ReconcileServiceAccountSigningKeySecret(secret *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileSystemAdminClientCertSecret

func ReconcileSystemAdminClientCertSecret(secret, ca *corev1.Secret, ownerRef config.OwnerRef) error

func ReconcileTotalClientCA

func ReconcileTotalClientCA(cm *corev1.ConfigMap, ownerRef config.OwnerRef, additional []*corev1.ConfigMap, signers ...*corev1.Secret) error

Types

type PKIParams

// PKIParams collects the cluster addresses, subnets and owner reference
// used as input when generating the hosted control plane PKI. Every
// address listed here ends up as a name the generated certificates are
// trusted for, so the values must come from the cluster's own
// configuration rather than from untrusted input.
type PKIParams struct {
	// ServiceCIDR is the subnet for cluster services.
	// NOTE(review): presumably the value passed as serviceCIDRs to
	// ReconcileKASServerCertSecret — confirm against the caller.
	ServiceCIDR []string `json:"serviceCIDR"`

	// ClusterCIDR is the subnet for pods.
	ClusterCIDR []string `json:"clusterCIDR"`

	// ExternalAPIAddress is an externally accessible DNS name or IP for the
	// API server. Currently obtained from the load balancer DNS name.
	ExternalAPIAddress string `json:"externalAPIAddress"`

	// InternalAPIAddress is an internally accessible DNS name or IP for the
	// API server.
	InternalAPIAddress string `json:"internalAPIAddress"`

	// ExternalKconnectivityAddress is an externally accessible DNS name or IP
	// for the Konnectivity proxy. Currently obtained from the load balancer
	// DNS name.
	ExternalKconnectivityAddress string `json:"externalKconnectivityAddress"`

	// NodeInternalAPIServerIP is the fixed IP that pods on worker nodes use
	// to communicate with the API server: 172.20.0.1 for IPv4 and fd00::1
	// for IPv6.
	NodeInternalAPIServerIP string `json:"nodeInternalAPIServerIP"`

	// ExternalOauthAddress is an externally accessible DNS name or IP for the
	// OAuth server. Currently obtained from the OAuth load balancer DNS name.
	ExternalOauthAddress string `json:"externalOauthAddress"`

	// IngressSubdomain is the subdomain for cluster ingress. It is used to
	// generate the wildcard certificate for ingress, so it must be exactly the
	// domain that ingress traffic is served under.
	IngressSubdomain string `json:"ingressSubdomain"`

	// Namespace is used to generate internal DNS names for services.
	Namespace string `json:"namespace"`

	// OwnerRef is the owner reference set on the generated resources.
	OwnerRef config.OwnerRef `json:"ownerRef"`
}

func NewPKIParams

func NewPKIParams(hcp *hyperv1.HostedControlPlane,
	apiExternalAddress,
	oauthExternalAddress,
	konnectivityExternalAddress string) *PKIParams
