Versions in this module
v1
v1.12.0 (Jul 26, 2016)
Changes in this version:
+ const AgentRole
+ const CARole
+ const CertLowerRotationRange
+ const CertUpperRotationRange
+ const DefaultNodeCertExpiration
+ const ManagerRole
+ const MinNodeCertExpiration
+ const PassphraseENVVar
+ const PassphraseENVVarPrev
+ const RootCAExpiration
+ const RootKeyAlgo
+ const RootKeySize
+ var ErrNoExternalCAURLs = errors.New("no external CA URLs")
+ var ErrNoLocalRootCA = errors.New("local root CA certificate does not exist")
+ var ErrNoValidSigner = errors.New("no valid signer found")
+ func AuthorizeForwardedRoleAndOrg(ctx context.Context, authorizedRoles, forwarderRoles []string, org string) (string, error)
+ func AuthorizeOrgAndRole(ctx context.Context, org string, ou ...string) (string, error)
+ func BootstrapCluster(baseCertDir string) error
+ func DefaultCAConfig() api.CAConfig
+ func DefaultPolicy() *cfconfig.Signing
+ func EncryptECPrivateKey(key []byte, passphraseStr string) ([]byte, error)
+ func FormatRole(role string) (api.NodeRole, error)
+ func GenerateAndSignNewTLSCert(rootCA RootCA, cn, ou, org string, paths CertPaths) (*tls.Certificate, error)
+ func GenerateAndWriteNewKey(paths CertPaths) (csr, key []byte, err error)
+ func GenerateJoinToken(rootCA *RootCA) string
+ func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error)
+ func GetRemoteSignedCertificate(ctx context.Context, csr []byte, token string, rootCAPool *x509.CertPool, ...) ([]byte, error)
+ func LoadTLSCreds(rootCA RootCA, paths CertPaths) (*MutableTLSCreds, *MutableTLSCreds, error)
+ func LogTLSState(ctx context.Context, tlsState *tls.ConnectionState)
+ func NewClientTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool, serverName string) (*tls.Config, error)
+ func NewServerTLSConfig(cert *tls.Certificate, rootCAPool *x509.CertPool) (*tls.Config, error)
+ func ParseRole(apiRole api.NodeRole) (string, error)
+ func PrepareCSR(csrBytes []byte, cn, ou, org string) cfsigner.SignRequest
+ func RenewTLSConfig(ctx context.Context, s *SecurityConfig, baseCertDir string, ...) <-chan CertificateUpdate
+ func SigningPolicy(certExpiry time.Duration) *cfconfig.Signing
+ func WithMetadataForwardTLSInfo(ctx context.Context) (context.Context, error)
+ type CertPaths struct
+ Cert string
+ Key string
+ type CertificateUpdate struct
+ Err error
+ Role string
+ type ExternalCA struct
+ func NewExternalCA(rootCA *RootCA, tlsConfig *tls.Config, urls ...string) *ExternalCA
+ func (eca *ExternalCA) Sign(req signer.SignRequest) (cert []byte, err error)
+ func (eca *ExternalCA) UpdateTLSConfig(tlsConfig *tls.Config)
+ func (eca *ExternalCA) UpdateURLs(urls ...string)
+ type MutableTLSCreds struct
+ func NewMutableTLS(c *tls.Config) (*MutableTLSCreds, error)
+ func (c *MutableTLSCreds) ClientHandshake(addr string, rawConn net.Conn, timeout time.Duration) (net.Conn, credentials.AuthInfo, error)
+ func (c *MutableTLSCreds) Config() *tls.Config
+ func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
+ func (c *MutableTLSCreds) Info() credentials.ProtocolInfo
+ func (c *MutableTLSCreds) LoadNewTLSConfig(newConfig *tls.Config) error
+ func (c *MutableTLSCreds) NodeID() string
+ func (c *MutableTLSCreds) Organization() string
+ func (c *MutableTLSCreds) RequireTransportSecurity() bool
+ func (c *MutableTLSCreds) Role() string
+ func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error)
+ type RemoteNodeInfo struct
+ ForwardedBy *RemoteNodeInfo
+ NodeID string
+ Organization string
+ RemoteAddr string
+ Roles []string
+ func RemoteNode(ctx context.Context) (RemoteNodeInfo, error)
+ type RootCA struct
+ Cert []byte
+ Digest digest.Digest
+ Key []byte
+ Pool *x509.CertPool
+ Signer cfsigner.Signer
+ func CreateAndWriteRootCA(rootCN string, paths CertPaths) (RootCA, error)
+ func GetLocalRootCA(baseDir string) (RootCA, error)
+ func GetRemoteCA(ctx context.Context, d digest.Digest, picker *picker.Picker) (RootCA, error)
+ func NewRootCA(certBytes, keyBytes []byte, certExpiry time.Duration) (RootCA, error)
+ func (rca *RootCA) AppendFirstRootPEM(cert []byte) ([]byte, error)
+ func (rca *RootCA) CanSign() bool
+ func (rca *RootCA) IssueAndSaveNewCertificates(paths CertPaths, cn, ou, org string) (*tls.Certificate, error)
+ func (rca *RootCA) NewClientTLSCredentials(cert *tls.Certificate, serverName string) (*MutableTLSCreds, error)
+ func (rca *RootCA) NewServerTLSCredentials(cert *tls.Certificate) (*MutableTLSCreds, error)
+ func (rca *RootCA) ParseValidateAndSignCSR(csrBytes []byte, cn, ou, org string) ([]byte, error)
+ func (rca *RootCA) RequestAndSaveNewCertificates(ctx context.Context, paths CertPaths, token string, picker *picker.Picker, ...) (*tls.Certificate, error)
+ type SecurityConfig struct
+ ClientTLSCreds *MutableTLSCreds
+ ServerTLSCreds *MutableTLSCreds
+ func LoadOrCreateSecurityConfig(ctx context.Context, baseCertDir, token, proposedRole string, ...) (*SecurityConfig, error)
+ func NewSecurityConfig(rootCA *RootCA, clientTLSCreds, serverTLSCreds *MutableTLSCreds) *SecurityConfig
+ func (s *SecurityConfig) RootCA() *RootCA
+ func (s *SecurityConfig) UpdateRootCA(cert, key []byte, certExpiry time.Duration) error
+ type SecurityConfigPaths struct
+ Node CertPaths
+ RootCA CertPaths
+ func NewConfigPaths(baseCertDir string) *SecurityConfigPaths
+ type Server struct
+ func NewServer(store *store.MemoryStore, securityConfig *SecurityConfig) *Server
+ func (s *Server) GetRootCACertificate(ctx context.Context, request *api.GetRootCACertificateRequest) (*api.GetRootCACertificateResponse, error)
+ func (s *Server) IssueNodeCertificate(ctx context.Context, request *api.IssueNodeCertificateRequest) (*api.IssueNodeCertificateResponse, error)
+ func (s *Server) NodeCertificateStatus(ctx context.Context, request *api.NodeCertificateStatusRequest) (*api.NodeCertificateStatusResponse, error)
+ func (s *Server) Ready() <-chan struct{}
+ func (s *Server) Run(ctx context.Context) error
+ func (s *Server) Stop() error