certs

package
v0.1.46 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 29, 2024 License: Apache-2.0 Imports: 24 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	ValidityOneDay   = 24 * time.Hour
	ValidityOneYear  = 365 * ValidityOneDay
	ValidityTenYears = 10 * ValidityOneYear

	CAHashAnnotation = "hypershiftlite.openshift.io/ca-hash"
	// CASignerCertMapKey is the key value in a CA cert utilized by the control plane operator.
	CASignerCertMapKey = "ca.crt"
	// OCPCASignerCertMapKey is the key value in a CA cert created by OCP library-go mechanisms.
	OCPCASignerCertMapKey = "ca-bundle.crt"
	// CASignerKeyMapKey is the key for the private key field in a CA cert utilized by the control plane operator.
	CASignerKeyMapKey = "ca.key"
	// TLSSignerCertMapKey is the key value the default k8s cert-manager looks for in a TLS certificate in a TLS secret.
	//TLSSignerCertMapKey is programmatically enforced to have the same data as CASignerCertMapKey.
	TLSSignerCertMapKey = "tls.crt"
	// TLSSignerKeyMapKey is the key the default k8s cert-manager looks for in a private key field in a TLS secret.
	// TLSSignerKeyMapKey is programmatically enforced to have the same data as CASignerKeyMapKey.
	TLSSignerKeyMapKey = "tls.key"
	// UserCABundleMapKeyis the key value in a user-provided CA configMap.
	UserCABundleMapKey = "ca-bundle.crt"
	// Custom certificate validity. The format of the annotation is a go duration string with a numeric component and unit.
	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
	CertificateValidityAnnotation = "hypershift.openshift.io/certificate-validity"
	CertificateValidityEnvVar     = "CERTIFICATE_VALIDITY"
	// Custom certificate renewal percentage. The format of the annotation is a float64 value between 0 and 1.
	// The certificate will renew when less than CertificateRenewalEnvVar of its validity period remains.
	// For example, if you set the validity period to 100 days and the renewal percentage to 0.30,
	// the certificate will renew when there are fewer than 30 days remaining (100 days * 0.30 = 30 days) before it expires.
	CertificateRenewalAnnotation = "hypershift.openshift.io/certificate-renewal"
	CertificateRenewalEnvVar     = "CERTIFICATE_RENEWAL_PERCENTAGE"
)

Variables

This section is empty.

Functions

func Base64 

func Base64(data []byte) string

func CertToPem 

func CertToPem(cert *x509.Certificate) []byte

CertToPem converts an x509.Certificate object to a pem string

func GenerateSelfSignedCertificate 

func GenerateSelfSignedCertificate(cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateSelfSignedCertificate generates a key/cert pair defined by CertCfg.

func GenerateSignedCertificate 

func GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate,
	cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateSignedCertificate generate a key and cert defined by CertCfg and signed by CA.

func HasCAHash 

func HasCAHash(secret *corev1.Secret, ca *corev1.Secret, opts *CAOpts) bool

func PemToCertificate 

func PemToCertificate(data []byte) (*x509.Certificate, error)

PemToCertificate converts a data block to x509.Certificate.

func PemToPrivateKey 

func PemToPrivateKey(data []byte) (*rsa.PrivateKey, error)

PemToPrivateKey converts a data block to rsa.PrivateKey.

func PrivateKey 

func PrivateKey() (*rsa.PrivateKey, error)

PrivateKey generates an RSA Private key and returns the value

func PrivateKeyToPem 

func PrivateKeyToPem(key *rsa.PrivateKey) []byte

PrivateKeyToPem converts a rsa.PrivateKey object to pem string

func PublicKeyToPem 

func PublicKeyToPem(key *rsa.PublicKey) ([]byte, error)

PublicKeyToPem converts a rsa.PublicKey object to pem string

func Reader added in v0.1.38 

func Reader() io.Reader

func ReconcileSelfSignedCA 

func ReconcileSelfSignedCA(secret *corev1.Secret, cn, ou string, o ...func(*CAOpts)) error

ReconcileSelfSignedCA reconciles a CA secret. It is a oneshot function that will never regenerate the CA unless the cert or key entry is missing from the secret.

func ReconcileSignedCert 

func ReconcileSignedCert(
	secret *corev1.Secret,
	ca *corev1.Secret,
	cn string,
	org []string,
	extUsages []x509.ExtKeyUsage,
	crtKey string,
	keyKey string,
	caKey string,
	dnsNames []string,
	ips []string,
	o ...func(*CAOpts),
) error

ReconcileSignedCert reconciles a certificate secret using the provided config. It will rotate the cert if there are less than 30 days of validity left.

func SelfSignedCertificate 

func SelfSignedCertificate(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error)

SelfSignedCertificate creates a self-signed certificate

func UnsafeSeed added in v0.1.38 

func UnsafeSeed(seed int64)

UnsafeSeed seeds the rng with the provided seed. This is not safe to do in production code and should only be used to make tests that interact with this package deterministic.

func ValidateKeyPair 

func ValidateKeyPair(pemKey, pemCertificate []byte, cfg *CertCfg, minimumRemainingValidity time.Duration) error

Types

type CAOpts 

type CAOpts struct {
	CASignerCertMapKey string
	CASignerKeyMapKey  string
}

type CertCfg 

type CertCfg struct {
	DNSNames     []string
	ExtKeyUsages []x509.ExtKeyUsage
	IPAddresses  []net.IP
	KeyUsages    x509.KeyUsage
	Subject      pkix.Name
	Validity     time.Duration
	IsCA         bool
}

CertCfg contains all needed fields to configure a new certificate

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.