Documentation
Overview
Package secrets provides types and methods to handle base machine configuration secrets.
Index
- Constants
- func NewAdminCertificateAndKey(currentTime time.Time, ca *x509.PEMEncodedCertificateAndKey, roles role.Set, ...) (p *x509.PEMEncodedCertificateAndKey, err error)
- func NewAggregatorCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
- func NewEtcdCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
- func NewKubernetesCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
- func NewTalosCA(currentTime time.Time) (ca *x509.CertificateAuthority, err error)
- type Bundle
- func LoadBundle(path string) (*Bundle, error)
- func NewBundle(clock Clock, versionContract *config.VersionContract) (*Bundle, error)
- func NewBundleFromConfig(clock Clock, c config.Config) *Bundle
- func NewBundleFromKubernetesPKI(pkiDir, bootstrapToken string, versionContract *config.VersionContract) (*Bundle, error)
- type Certs
- type Clock
- type Cluster
- type Secrets
- type SystemClock
- type TrustdInfo
Constants
const CAValidityTime = 87600 * time.Hour
CAValidityTime is the default validity time for CA certificates.
Variables
This section is empty.
Functions
func NewAdminCertificateAndKey
func NewAdminCertificateAndKey(currentTime time.Time, ca *x509.PEMEncodedCertificateAndKey, roles role.Set, ttl time.Duration) (p *x509.PEMEncodedCertificateAndKey, err error)
NewAdminCertificateAndKey generates the admin Talos certificate and key.
func NewAggregatorCA
func NewAggregatorCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
NewAggregatorCA generates a CA for the Kubernetes aggregator/front-proxy.
func NewEtcdCA
func NewEtcdCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
NewEtcdCA generates a CA for the Etcd PKI.
func NewKubernetesCA
func NewKubernetesCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)
NewKubernetesCA generates a CA for the Kubernetes PKI.
func NewTalosCA
func NewTalosCA(currentTime time.Time) (ca *x509.CertificateAuthority, err error)
NewTalosCA generates a CA for the Talos PKI.
Types
type Bundle
type Bundle struct {
	Clock      Clock       `yaml:"-" json:"-"`
	Cluster    *Cluster    `json:"Cluster"`
	Secrets    *Secrets    `json:"Secrets"`
	TrustdInfo *TrustdInfo `json:"TrustdInfo"`
	Certs      *Certs      `json:"Certs"`
}
Bundle contains all cluster secrets required to generate machine configuration.
NB: this structure is marshalled/unmarshalled to/from JSON in various projects, so its representation must be kept compatible.
func LoadBundle
func LoadBundle(path string) (*Bundle, error)
LoadBundle loads a secrets bundle from the given file.
func NewBundle
func NewBundle(clock Clock, versionContract *config.VersionContract) (*Bundle, error)
NewBundle creates a secrets bundle, generating all secrets.
func NewBundleFromConfig
func NewBundleFromConfig(clock Clock, c config.Config) *Bundle
NewBundleFromConfig creates a secrets bundle from an existing config.
func NewBundleFromKubernetesPKI
func NewBundleFromKubernetesPKI(pkiDir, bootstrapToken string, versionContract *config.VersionContract) (*Bundle, error)
NewBundleFromKubernetesPKI creates a secrets bundle by reading the contents of a Kubernetes PKI directory (typically `/etc/kubernetes/pki`) and using the provided bootstrapToken as input.
func (*Bundle) GenerateTalosAPIClientCertificate
func (bundle *Bundle) GenerateTalosAPIClientCertificate(roles role.Set) (*x509.PEMEncodedCertificateAndKey, error)
GenerateTalosAPIClientCertificate generates the admin certificate.
type Certs
type Certs struct {
	// Etcd is etcd CA certificate and key.
	Etcd *x509.PEMEncodedCertificateAndKey `json:"Etcd"`
	// K8s is Kubernetes CA certificate and key.
	K8s *x509.PEMEncodedCertificateAndKey `json:"K8s"`
	// K8sAggregator is Kubernetes aggregator CA certificate and key.
	K8sAggregator *x509.PEMEncodedCertificateAndKey `json:"K8sAggregator"`
	// K8sServiceAccount is Kubernetes service account key.
	K8sServiceAccount *x509.PEMEncodedKey `json:"K8sServiceAccount"`
	// OS is Talos API CA certificate and key.
	OS *x509.PEMEncodedCertificateAndKey `json:"OS"`
}
Certs holds the base64-encoded keys and certificates.
type Secrets
type Secrets struct {
	BootstrapToken            string `json:"BootstrapToken"`
	AESCBCEncryptionSecret    string `json:"AESCBCEncryptionSecret,omitempty" yaml:",omitempty"`
	SecretboxEncryptionSecret string `json:"SecretboxEncryptionSecret,omitempty" yaml:",omitempty"`
}
Secrets holds the sensitive kubeadm data.
type SystemClock
type SystemClock struct {
// contains filtered or unexported fields
}
SystemClock is a real system clock, but the time returned can be made fixed.
func NewFixedClock
func NewFixedClock(t time.Time) *SystemClock
NewFixedClock creates a new SystemClock that always returns the given fixed time.
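The fixed-clock, TTL-bounded certificate flow that NewFixedClock, NewTalosCA (with CAValidityTime) and NewAdminCertificateAndKey expose, as an added stand-alone example built on Go's crypto/x509 rather than this package's own code: Clock, FixedClock, issue, NewCA, NewClientCert and VerifyAt are illustrative stand-ins, and carrying the roles in the Subject Organization is an assumption about the role encoding. It shows why a fixed issuing clock is safe for reproducible generation: validity is still enforced by the verifier's clock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CAValidityTime matches the package constant: 10 years.
const CAValidityTime = 87600 * time.Hour
// Clock mirrors the package's Clock interface; FixedClock stands in for NewFixedClock.
type Clock interface{ Now() time.Time }
type FixedClock struct{ T time.Time }
func (c FixedClock) Now() time.Time { return c.T }
// issue generates an Ed25519 key and signs tmpl with parentKey; a nil parentKey
// means the template is self-signed with the new key (how a CA is made).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	if parentKey == nil { parent, parentKey = tmpl, priv }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
// NewCA issues a self-signed CA valid for CAValidityTime from clock.Now().
func NewCA(clock Clock, name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: clock.Now(), NotAfter: clock.Now().Add(CAValidityTime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// NewClientCert issues a client cert bounded by ttl; roles go in Subject Organization (assumed encoding).
func NewClientCert(clock Clock, ca *x509.Certificate, caKey ed25519.PrivateKey, roles []string, ttl time.Duration) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: roles},
		NotBefore: clock.Now(), NotAfter: clock.Now().Add(ttl),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert, err
}
// VerifyAt checks that leaf chains to ca at the given instant; the TTL is enforced by the verifier's clock.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```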
type TrustdInfo
type TrustdInfo struct {
Token string `json:"Token"`
}
TrustdInfo holds the trustd credentials.