certs

package
v0.1.34 Latest Latest
Published: May 29, 2024 License: Apache-2.0 Imports: 19 Imported by: 2

Documentation

Index

Constants

const (
	// Validity* are convenience lifetimes intended for CertCfg.Validity.
	ValidityOneDay   = 24 * time.Hour
	ValidityOneYear  = 365 * ValidityOneDay
	ValidityTenYears = 10 * ValidityOneYear

	// CAHashAnnotation is the annotation key consulted by HasCAHash; presumably it
	// records a hash of the CA a signed secret was issued from — confirm against HasCAHash.
	CAHashAnnotation = "hypershiftlite.openshift.io/ca-hash"
	// CASignerCertMapKey is the key value in a CA cert utilized by the control plane operator.
	CASignerCertMapKey = "ca.crt"
	// OCPCASignerCertMapKey is the key value in a CA cert created by OCP library-go mechanisms.
	OCPCASignerCertMapKey = "ca-bundle.crt"
	// CASignerKeyMapKey is the key for the private key field in a CA cert utilized by the control plane operator.
	CASignerKeyMapKey = "ca.key"
	// TLSSignerCertMapKey is the key value the default k8s cert-manager looks for in a TLS certificate in a TLS secret.
	// TLSSignerCertMapKey is programmatically enforced to have the same data as CASignerCertMapKey.
	TLSSignerCertMapKey = "tls.crt"
	// TLSSignerKeyMapKey is the key the default k8s cert-manager looks for in a private key field in a TLS secret.
	// TLSSignerKeyMapKey is programmatically enforced to have the same data as CASignerKeyMapKey.
	TLSSignerKeyMapKey = "tls.key"
	// UserCABundleMapKey is the key value in a user-provided CA configMap.
	// Note that it shares the value "ca-bundle.crt" with OCPCASignerCertMapKey.
	UserCABundleMapKey = "ca-bundle.crt"
)

Variables

This section is empty.

Functions

func Base64

func Base64(data []byte) string

func CertToPem

func CertToPem(cert *x509.Certificate) []byte

CertToPem converts an x509.Certificate object to its PEM encoding, returned as a byte slice.

func GenerateSelfSignedCertificate

func GenerateSelfSignedCertificate(cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateSelfSignedCertificate generates a key/cert pair defined by CertCfg.

func GenerateSignedCertificate

func GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate,
	cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateSignedCertificate generates a key and certificate defined by CertCfg and signed by the given CA key and certificate.

func HasCAHash

func HasCAHash(secret *corev1.Secret, ca *corev1.Secret, opts *CAOpts) bool

func PemToCertificate

func PemToCertificate(data []byte) (*x509.Certificate, error)

PemToCertificate parses a PEM-encoded data block into an x509.Certificate.

func PemToPrivateKey

func PemToPrivateKey(data []byte) (*rsa.PrivateKey, error)

PemToPrivateKey parses a PEM-encoded data block into an rsa.PrivateKey.

func PrivateKey

func PrivateKey() (*rsa.PrivateKey, error)

PrivateKey generates an RSA private key and returns it.

func PrivateKeyToPem

func PrivateKeyToPem(key *rsa.PrivateKey) []byte

PrivateKeyToPem converts an rsa.PrivateKey object to its PEM encoding.

func PublicKeyToPem

func PublicKeyToPem(key *rsa.PublicKey) ([]byte, error)

PublicKeyToPem converts an rsa.PublicKey object to its PEM encoding.

func ReconcileSelfSignedCA

func ReconcileSelfSignedCA(secret *corev1.Secret, cn, ou string, o ...func(*CAOpts)) error

ReconcileSelfSignedCA reconciles a CA secret. It is a one-shot function: it never regenerates the CA unless the cert or key entry is missing from the secret, so an approaching CA expiry does not by itself trigger regeneration.

func ReconcileSignedCert

func ReconcileSignedCert(
	secret *corev1.Secret,
	ca *corev1.Secret,
	cn string,
	org []string,
	extUsages []x509.ExtKeyUsage,
	crtKey string,
	keyKey string,
	caKey string,
	dnsNames []string,
	ips []string,
	o ...func(*CAOpts),
) error

ReconcileSignedCert reconciles a certificate secret using the provided config. It rotates the cert if fewer than 30 days of validity remain.

func SelfSignedCertificate

func SelfSignedCertificate(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error)

SelfSignedCertificate creates a self-signed certificate from cfg using the supplied key.

func ValidateKeyPair

func ValidateKeyPair(pemKey, pemCertificate []byte, cfg *CertCfg, minimumRemainingValidity time.Duration) error

Types

type CAOpts

// CAOpts carries per-call overrides for the secret data keys used when reading a CA
// secret; it is populated through the `o ...func(*CAOpts)` option arguments of
// ReconcileSelfSignedCA and ReconcileSignedCert and consumed by HasCAHash.
type CAOpts struct {
	// CASignerCertMapKey is the secret data key holding the CA certificate;
	// presumably it defaults to the CASignerCertMapKey constant ("ca.crt") — confirm against callers.
	CASignerCertMapKey string
	// CASignerKeyMapKey is the secret data key holding the CA private key;
	// presumably it defaults to the CASignerKeyMapKey constant ("ca.key") — confirm against callers.
	CASignerKeyMapKey  string
}

type CertCfg

// CertCfg contains all the fields needed to configure a new certificate. It is consumed
// by GenerateSelfSignedCertificate, GenerateSignedCertificate, SelfSignedCertificate and
// ValidateKeyPair.
type CertCfg struct {
	// DNSNames are the DNS subject alternative names to place in the certificate.
	DNSNames     []string
	// ExtKeyUsages are the extended key usages (e.g. server/client auth) to assert.
	ExtKeyUsages []x509.ExtKeyUsage
	// IPAddresses are the IP subject alternative names to place in the certificate.
	IPAddresses  []net.IP
	// KeyUsages is the x509 key usage bitmask to assert.
	KeyUsages    x509.KeyUsage
	// Subject is the certificate subject (CN, OU, O, ...).
	Subject      pkix.Name
	// Validity is the certificate lifetime; the ValidityOneDay/ValidityOneYear/ValidityTenYears
	// constants are convenient values. ReconcileSignedCert rotates a cert once fewer than 30 days
	// remain, so a Validity below that would cause rotation on every reconcile.
	Validity     time.Duration
	// IsCA marks the certificate as a CA (able to sign other certificates).
	IsCA         bool
}

CertCfg contains all the fields needed to configure a new certificate.
