pki

Published: Nov 11, 2024 License: Apache-2.0 Imports: 29 Imported by: 366

Documentation

Index

Constants

// Filesystem locations under which RKE keeps Kubernetes PKI material on a node.
const (
	K8sBaseDir     = "/etc/kubernetes/"
	CertPathPrefix = K8sBaseDir + "ssl/"
	// TempCertPath is the staging directory used while certificates are
	// being deployed; presumably it holds private keys as well as
	// certificates, so it warrants the same permissions as CertPathPrefix.
	TempCertPath = K8sBaseDir + ".tmp/"
	// BundleCertPath is the archive written by the backup bundle. Its name
	// suggests it carries the full PKI (keys included) — treat it as a secret.
	BundleCertPath = "/backup/pki.bundle.tar.gz"
)

// Names of the helper containers and of the Kubernetes secret that carry
// certificates between the local machine and the cluster hosts.
const (
	CertificatesServiceName = "certificates"
	CrtDownloaderContainer  = "cert-deployer"
	CertFetcherContainer    = "cert-fetcher"
	CertificatesSecretName  = "k8s-certs"
)

// Cluster configuration and state file names, plus the environment variable
// through which the serialized state is passed.
const (
	ClusterConfig    = "cluster.yml"
	ClusterStateFile = "cluster-state.yml"
	ClusterStateExt  = ".rkestate"
	ClusterStateEnv  = "CLUSTER_STATE"
)

// Logical names of the certificates and keys that make up the cluster PKI.
// Each name is used as the key into the map[string]CertificatePKI bundle and
// as the basis for the on-disk file names.
const (
	CACertName                 = "kube-ca"
	RequestHeaderCACertName    = "kube-apiserver-requestheader-ca"
	KubeAPICertName            = "kube-apiserver"
	KubeControllerCertName     = "kube-controller-manager"
	KubeSchedulerCertName      = "kube-scheduler"
	KubeProxyCertName          = "kube-proxy"
	KubeNodeCertName           = "kube-node"
	KubeletCertName            = "kube-kubelet"
	EtcdCertName               = "kube-etcd"
	EtcdClientCACertName       = "kube-etcd-client-ca"
	EtcdClientCertName         = "kube-etcd-client"
	APIProxyClientCertName     = "kube-apiserver-proxy-client"
	ServiceAccountTokenKeyName = "kube-service-account-token"
)

// X.509 subject values for node identities. Kubernetes' Node authorizer keys
// off the "system:nodes" group and the "system:node:<name>" common name.
const (
	KubeNodeCommonName       = "system:node"
	KubeNodeOrganizationName = "system:nodes"
)

// X.509 subject values and kubeconfig prefix for the admin identity. A
// certificate whose organization is "system:masters" is bound to
// cluster-admin by default Kubernetes RBAC and bypasses ordinary
// authorization, so its private key is effectively a root credential.
const (
	KubeAdminCertName         = "kube-admin"
	KubeAdminOrganizationName = "system:masters"
	KubeAdminConfigPrefix     = "kube_config_"
)
// BundleCertContainer is the name of the container that produces the PKI
// backup bundle on a host (see SaveBackupBundleOnHost).
const BundleCertContainer = "rke-bundle-cert"
// StateDeployerContainerName is the name of the container used to place the
// cluster state file on a host (see DeployStateOnPlaneHost).
const StateDeployerContainerName = "cluster-state-deployer"

Variables

This section is empty.

Functions

func DeepEqualIPsAltNames added in v1.0.0

func DeepEqualIPsAltNames(oldIPs, newIPs []net.IP) bool

func DeployAdminConfig

func DeployAdminConfig(ctx context.Context, kubeConfig, localConfigPath string) error

func DeployCertificatesOnPlaneHost added in v0.1.1

func DeployCertificatesOnPlaneHost(
	ctx context.Context,
	host *hosts.Host,
	rkeConfig v3.RancherKubernetesEngineConfig,
	crtMap map[string]CertificatePKI,
	certDownloaderImage string,
	prsMap map[string]v3.PrivateRegistry,
	forceDeploy bool,
	env []string,
	k8sVersion string) error

func DeployStateOnPlaneHost added in v0.1.10

func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownloaderImage string, prsMap map[string]v3.PrivateRegistry, stateFilePath, snapshotName, k8sVersion string) error

func FetchCertificatesFromHost

func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, host *hosts.Host, image, localConfigPath string, prsMap map[string]v3.PrivateRegistry, k8sVersion string) (map[string]CertificatePKI, error)

func FetchFileFromHost added in v0.1.7

func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts.Host, prsMap map[string]v3.PrivateRegistry, containerName, state, k8sVersion string) (string, error)

func GenerateAPIProxyClientCSR added in v0.2.0

func GenerateAPIProxyClientCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateAPIProxyClientCertificate added in v0.2.0

func GenerateAPIProxyClientCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateCACertAndKey added in v0.1.9

func GenerateCACertAndKey(commonName string, privateKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error)

func GenerateCertSigningRequestAndKey added in v0.2.0

func GenerateCertSigningRequestAndKey(
	serverCrt bool,
	commonName string,
	altNames *cert.AltNames,
	reusedKey *rsa.PrivateKey,
	orgs []string) ([]byte, *rsa.PrivateKey, error)

func GenerateEtcdCSRs added in v0.2.0

func GenerateEtcdCSRs(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateEtcdCertificates added in v0.2.0

func GenerateEtcdCertificates(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateExternalEtcdCertificates added in v0.2.0

func GenerateExternalEtcdCertificates(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeAPICSR added in v0.2.0

func GenerateKubeAPICSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeAPICertificate added in v0.2.0

func GenerateKubeAPICertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeAdminCSR added in v0.2.0

func GenerateKubeAdminCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeAdminCertificate added in v0.2.0

func GenerateKubeAdminCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeControllerCSR added in v0.2.0

func GenerateKubeControllerCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeControllerCertificate added in v0.2.0

func GenerateKubeControllerCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeNodeCSR added in v0.2.0

func GenerateKubeNodeCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeNodeCertificate added in v0.2.0

func GenerateKubeNodeCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeProxyCSR added in v0.2.0

func GenerateKubeProxyCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeProxyCertificate added in v0.2.0

func GenerateKubeProxyCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeSchedulerCSR added in v0.2.0

func GenerateKubeSchedulerCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeSchedulerCertificate added in v0.2.0

func GenerateKubeSchedulerCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateKubeletCSR added in v1.0.0

func GenerateKubeletCSR(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateKubeletCertificate added in v1.0.0

func GenerateKubeletCertificate(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateRKECACerts added in v0.2.0

func GenerateRKECACerts(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error

func GenerateRKECerts added in v0.1.2

func GenerateRKECerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string) (map[string]CertificatePKI, error)

func GenerateRKEMasterCACert added in v0.2.0

func GenerateRKEMasterCACert(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error

func GenerateRKENodeCerts added in v0.1.2

func GenerateRKENodeCerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineConfig, nodeAddress string, certBundle map[string]CertificatePKI) map[string]CertificatePKI

func GenerateRKERequestHeaderCACert added in v0.2.0

func GenerateRKERequestHeaderCACert(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error

func GenerateRKEServicesCSRs added in v0.2.0

func GenerateRKEServicesCSRs(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig) error

func GenerateRKEServicesCerts added in v0.2.0

func GenerateRKEServicesCerts(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateServiceTokenKey added in v0.2.0

func GenerateServiceTokenKey(ctx context.Context, certs map[string]CertificatePKI, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string, rotate bool) error

func GenerateSignedCertAndKey added in v0.1.1

func GenerateSignedCertAndKey(
	caCrt *x509.Certificate,
	caKey *rsa.PrivateKey,
	serverCrt bool,
	commonName string,
	altNames *cert.AltNames,
	reusedKey *rsa.PrivateKey,
	orgs []string) (*x509.Certificate, *rsa.PrivateKey, error)

func GetAltNames

func GetAltNames(cpHosts []*hosts.Host, clusterDomain string, KubernetesServiceIP []net.IP, SANs []string) *cert.AltNames

func GetCertPath added in v0.1.1

func GetCertPath(name string) string

func GetCertTempPath added in v0.1.1

func GetCertTempPath(name string) string

func GetConfigPath added in v0.1.1

func GetConfigPath(name string) string

func GetConfigTempPath added in v0.1.1

func GetConfigTempPath(name string) string

func GetCrtNameForHost added in v1.0.0

func GetCrtNameForHost(host *hosts.Host, prefix string) string

func GetIPHostAltnamesForHost added in v1.0.0

func GetIPHostAltnamesForHost(host *hosts.Host) *cert.AltNames

func GetKeyPath added in v0.1.1

func GetKeyPath(name string) string

func GetKeyTempPath added in v0.1.1

func GetKeyTempPath(name string) string

func GetKubeConfigX509WithData

func GetKubeConfigX509WithData(kubernetesURL string, clusterName string, componentName string, cacrt string, crt string, key string) string

func GetKubernetesServiceIP added in v0.1.2

func GetKubernetesServiceIP(serviceClusterRange string) ([]net.IP, error)

func GetLocalKubeConfig added in v0.1.2

func GetLocalKubeConfig(configPath, configDir string) string

func IsKubeletGenerateServingCertificateEnabledinConfig added in v1.0.0

func IsKubeletGenerateServingCertificateEnabledinConfig(rkeConfig *v3.RancherKubernetesEngineConfig) bool

func IsValidCertStr added in v0.2.5

func IsValidCertStr(c string) (bool, error)

func ReadCSRsAndKeysFromDir added in v0.2.0

func ReadCSRsAndKeysFromDir(certDir string) (map[string]CertificatePKI, error)

func ReadCertToStr added in v0.2.5

func ReadCertToStr(file string) (string, error)

func ReadCertsAndKeysFromDir added in v0.2.0

func ReadCertsAndKeysFromDir(certDir string) (map[string]CertificatePKI, error)

func RegenerateEtcdCertificate added in v0.1.1

func RegenerateEtcdCertificate(
	ctx context.Context,
	crtMap map[string]CertificatePKI,
	etcdHost *hosts.Host,
	etcdHosts []*hosts.Host,
	clusterDomain string,
	KubernetesServiceIP []net.IP) (map[string]CertificatePKI, error)

func RemoveAdminConfig

func RemoveAdminConfig(ctx context.Context, localConfigPath string)

func SaveBackupBundleOnHost added in v0.1.8

func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemImage, etcdSnapshotPath string, prsMap map[string]v3.PrivateRegistry, k8sVersion string) error

func TransformPEMToObject added in v0.2.0

func TransformPEMToObject(in map[string]CertificatePKI) map[string]CertificatePKI

func ValidateBundleContent added in v0.2.0

func ValidateBundleContent(rkeConfig *v3.RancherKubernetesEngineConfig, certBundle map[string]CertificatePKI, configPath, configDir string) error

func WriteCertificates added in v0.2.0

func WriteCertificates(certDirPath string, certBundle map[string]CertificatePKI) error

Types

type CSRFunc added in v0.2.0

type CertificatePKI

// CertificatePKI bundles one certificate (or CSR) together with its private
// key and the locations where it is delivered on a node.
//
// The parsed objects (Certificate, Key, CSR) and CSRPEM are excluded from
// JSON; the PEM strings CertificatePEM and KeyPEM are serialized. Any JSON
// encoding of this struct therefore contains the private key in clear text,
// so the encoded form must be stored and transported as a secret.
type CertificatePKI struct {
	Certificate    *x509.Certificate        `json:"-"`
	Key            *rsa.PrivateKey          `json:"-"`
	CSR            *x509.CertificateRequest `json:"-"`
	CertificatePEM string                   `json:"certificatePEM"`
	// KeyPEM is the PEM-encoded private key; note that it IS serialized.
	KeyPEM         string                   `json:"keyPEM"`
	CSRPEM         string                   `json:"-"`
	// Config is the kubeconfig text generated for this component, if any;
	// presumably it embeds the certificate and key as well — confirm in ToCertObject.
	Config         string                   `json:"config"`
	Name           string                   `json:"name"`
	CommonName     string                   `json:"commonName"`
	OUName         string                   `json:"ouName"`
	// EnvName / KeyEnvName / ConfigEnvName name the environment variables and
	// Path / KeyPath / ConfigPath the files through which the material is
	// handed to containers (see the *ToEnv methods on this type).
	EnvName        string                   `json:"envName"`
	Path           string                   `json:"path"`
	KeyEnvName     string                   `json:"keyEnvName"`
	KeyPath        string                   `json:"keyPath"`
	ConfigEnvName  string                   `json:"configEnvName"`
	ConfigPath     string                   `json:"configPath"`
}

func ToCertObject added in v0.1.1

func ToCertObject(componentName, commonName, ouName string, certificate *x509.Certificate, key *rsa.PrivateKey, csrASN1 []byte) CertificatePKI

func (*CertificatePKI) CertToEnv

func (c *CertificatePKI) CertToEnv() string

func (*CertificatePKI) ConfigToEnv

func (c *CertificatePKI) ConfigToEnv() string

func (*CertificatePKI) KeyToEnv

func (c *CertificatePKI) KeyToEnv() string

func (*CertificatePKI) ToEnv

func (c *CertificatePKI) ToEnv() []string
