Variables ¶
var (
	// KubeadmCertRootCA is the self-signed cluster CA. It has no CAName of
	// its own; the API server serving cert and the API server's
	// kubelet-client cert are signed by it.
	KubeadmCertRootCA = KubeadmCert{
		Name:     "ca",
		BaseName: kubeadmconstants.CACertAndKeyBaseName,
		LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
		// contains filtered or unexported fields
	}
	// KubeadmCertAPIServer is the serving certificate of the Kubernetes API
	// server, signed by the cluster CA ("ca").
	KubeadmCertAPIServer = KubeadmCert{
		Name:     "apiserver",
		BaseName: kubeadmconstants.APIServerCertAndKeyBaseName,
		CAName:   "ca",
		LongName: "certificate for serving the Kubernetes API",
		// contains filtered or unexported fields
	}
	// KubeadmCertKubeletClient is the client certificate the API server
	// presents when it connects to kubelets; signed by the cluster CA ("ca").
	KubeadmCertKubeletClient = KubeadmCert{
		Name:     "apiserver-kubelet-client",
		BaseName: kubeadmconstants.APIServerKubeletClientCertAndKeyBaseName,
		CAName:   "ca",
		LongName: "Client certificate for the API server to connect to kubelet",
		// contains filtered or unexported fields
	}
	// KubeadmCertFrontProxyCA is a second, self-signed CA dedicated to the
	// front proxy. It is deliberately distinct from the cluster CA: only
	// certs chaining to it are accepted as front-proxy client identities.
	KubeadmCertFrontProxyCA = KubeadmCert{
		Name:     "front-proxy-ca",
		BaseName: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
		LongName: "self-signed CA to provision identities for front proxy",
		// contains filtered or unexported fields
	}
	// KubeadmCertFrontProxyClient is the client certificate the API server
	// uses towards the front proxy; signed by "front-proxy-ca", not "ca".
	KubeadmCertFrontProxyClient = KubeadmCert{
		Name:     "front-proxy-client",
		BaseName: kubeadmconstants.FrontProxyClientCertAndKeyBaseName,
		CAName:   "front-proxy-ca",
		LongName: "client for the front proxy",
		// contains filtered or unexported fields
	}
	// KubeadmCertEtcdCA is the self-signed CA for the locally hosted etcd.
	// etcd server, peer and client certs below all chain to it, keeping
	// the etcd trust domain separate from the cluster CA.
	KubeadmCertEtcdCA = KubeadmCert{
		Name:     "etcd-ca",
		BaseName: kubeadmconstants.EtcdCACertAndKeyBaseName,
		LongName: "self-signed CA to provision identities for etcd",
		// contains filtered or unexported fields
	}
	// KubeadmCertEtcdServer is the serving certificate etcd presents to its
	// clients; signed by "etcd-ca".
	KubeadmCertEtcdServer = KubeadmCert{
		Name:     "etcd-server",
		BaseName: kubeadmconstants.EtcdServerCertAndKeyBaseName,
		CAName:   "etcd-ca",
		LongName: "certificate for serving etcd",
		// contains filtered or unexported fields
	}
	// KubeadmCertEtcdPeer is the certificate etcd members use to
	// authenticate each other on the peer port; signed by "etcd-ca".
	KubeadmCertEtcdPeer = KubeadmCert{
		Name:     "etcd-peer",
		BaseName: kubeadmconstants.EtcdPeerCertAndKeyBaseName,
		CAName:   "etcd-ca",
		LongName: "credentials for etcd nodes to communicate with each other",
		// contains filtered or unexported fields
	}
	// KubeadmCertEtcdHealthcheck is the client certificate used by the etcd
	// liveness probe; signed by "etcd-ca".
	KubeadmCertEtcdHealthcheck = KubeadmCert{
		Name:     "etcd-healthcheck-client",
		BaseName: kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName,
		CAName:   "etcd-ca",
		LongName: "client certificate for liveness probes to healtcheck etcd",
		// contains filtered or unexported fields
	}
	// KubeadmCertEtcdAPIClient is the client certificate the API server
	// presents to etcd; signed by "etcd-ca".
	KubeadmCertEtcdAPIClient = KubeadmCert{
		Name:     "apiserver-etcd-client",
		BaseName: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
		CAName:   "etcd-ca",
		LongName: "client apiserver uses to access etcd",
		// contains filtered or unexported fields
	}
)
Functions ¶
func CreateCACertAndKeyFiles ¶ added in v1.10.0
func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCACertAndKeyFiles generates and writes out a given certificate authority. The certSpec should be one of the variables from this package.
func CreateCSR ¶
func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error
CreateCSR creates a certificate signing request for certSpec.
func CreateCertAndKeyFilesWithCA ¶ added in v1.12.0
func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. The certSpec and caCertSpec should both be one of the variables from this package.
func CreatePKIAssets ¶
func CreatePKIAssets(cfg *kubeadmapi.InitConfiguration) error
CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. If PKI assets already exist in the target folder, they are reused only if they are evaluated as equal; otherwise an error is returned.
func CreateServiceAccountKeyAndPublicKeyFiles ¶ added in v1.8.0
func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string) error
CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account tokens. If the sa public/private key files already exist in the target folder, they are reused only if they are evaluated as equal; otherwise an error is returned.
func LoadCertificateAuthority ¶ added in v1.12.0
func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, *rsa.PrivateKey, error)
LoadCertificateAuthority tries to load the CA certificate and its private key with the given base name from the given directory.
func NewCACertAndKey ¶ added in v1.8.0
func NewCACertAndKey(certSpec *certutil.Config) (*x509.Certificate, *rsa.PrivateKey, error)
NewCACertAndKey will generate a self-signed CA certificate and its private key.
func NewCSR ¶
func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, *rsa.PrivateKey, error)
NewCSR will generate a new CSR and its accompanying private key.
func NewServiceAccountSigningKey ¶ added in v1.8.0
func NewServiceAccountSigningKey() (*rsa.PrivateKey, error)
NewServiceAccountSigningKey generates a public/private key pair for signing service account tokens.
func SharedCertificateExists ¶ added in v1.12.0
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
SharedCertificateExists verifies whether the shared certificates exist — the files that must be identical across all control-plane nodes (masters): ca.key, ca.crt, sa.key, sa.pub, plus etcd/ca.key and etcd/ca.crt when using local/stacked etcd. Note that several of these are private keys, which must be present on every control-plane node.
func UsingExternalCA ¶ added in v1.8.0
func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
UsingExternalCA determines whether the user is relying on an external CA. We currently determine this implicitly: it is assumed to be the case when both the CA cert and the front proxy CA cert are present but the CA key and the front proxy CA key are not. This allows us to, e.g., skip generating certs or not start the CSR signing controller. Because the check is purely file-presence based, a CA key that is missing by accident is indistinguishable from a deliberate external-CA setup.
Types ¶
type CertificateMap ¶ added in v1.12.0
type CertificateMap map[string]*KubeadmCert
CertificateMap is a flat map of certificates, keyed by Name.
func (CertificateMap) CertTree ¶ added in v1.12.0
func (m CertificateMap) CertTree() (CertificateTree, error)
CertTree returns a one-level-deep tree, mapping each CA cert to the list of certificates that should be signed by it.
type CertificateTree ¶ added in v1.12.0
type CertificateTree map[*KubeadmCert]Certificates
CertificateTree represents a one-level-deep tree, mapping a CA to the certs that depend on it.
func (CertificateTree) CreateTree ¶ added in v1.12.0
func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error
CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.
type Certificates ¶ added in v1.12.0
type Certificates []*KubeadmCert
Certificates is a list of certificates that Kubeadm should create.
func GetCertsWithoutEtcd ¶ added in v1.12.0
func GetCertsWithoutEtcd() Certificates
GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.
func GetDefaultCertList ¶ added in v1.12.0
func GetDefaultCertList() Certificates
GetDefaultCertList returns all of the certificates kubeadm requires to function.
func (Certificates) AsMap ¶ added in v1.12.0
func (c Certificates) AsMap() CertificateMap
AsMap returns the list of certificates as a map, keyed by name.
type KubeadmCert ¶ added in v1.12.0
type KubeadmCert struct { Name string LongName string BaseName string CAName string // contains filtered or unexported fields }
KubeadmCert represents a certificate that Kubeadm will create to function properly.
func (*KubeadmCert) CreateAsCA ¶ added in v1.12.0
func (k *KubeadmCert) CreateAsCA(ic *kubeadmapi.InitConfiguration) (*x509.Certificate, *rsa.PrivateKey, error)
CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
func (*KubeadmCert) CreateFromCA ¶ added in v1.12.0
func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey) error
CreateFromCA makes and writes a certificate using the given CA cert and key.
func (*KubeadmCert) GetConfig ¶ added in v1.12.0
func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*certutil.Config, error)
GetConfig returns the certutil.Config for this cert, derived from the provided InitConfiguration.