secrets

package
v1.6.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 1, 2024 License: MPL-2.0 Imports: 15 Imported by: 13

Documentation

Overview

Package secrets provides types and methods to handle base machine configuration secrets.

Index

Constants

View Source
const CAValidityTime = 87600 * time.Hour

CAValidityTime is the default validity time for CA certificates.

Variables

This section is empty.

Functions

func NewAdminCertificateAndKey

func NewAdminCertificateAndKey(currentTime time.Time, ca *x509.PEMEncodedCertificateAndKey, roles role.Set, ttl time.Duration) (p *x509.PEMEncodedCertificateAndKey, err error)

NewAdminCertificateAndKey generates the admin Talos certificate and key.

func NewAggregatorCA

func NewAggregatorCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)

NewAggregatorCA generates a CA for the Kubernetes aggregator/front-proxy.

func NewEtcdCA

func NewEtcdCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)

NewEtcdCA generates a CA for the Etcd PKI.

func NewKubernetesCA

func NewKubernetesCA(currentTime time.Time, contract *config.VersionContract) (ca *x509.CertificateAuthority, err error)

NewKubernetesCA generates a CA for the Kubernetes PKI.

func NewTalosCA

func NewTalosCA(currentTime time.Time) (ca *x509.CertificateAuthority, err error)

NewTalosCA generates a CA for the Talos PKI.

Types

type Bundle

type Bundle struct {
	Clock      Clock       `yaml:"-" json:"-"`
	Cluster    *Cluster    `json:"Cluster"`
	Secrets    *Secrets    `json:"Secrets"`
	TrustdInfo *TrustdInfo `json:"TrustdInfo"`
	Certs      *Certs      `json:"Certs"`
}

Bundle contains all cluster secrets required to generate machine configuration.

NB: this structure is marhsalled/unmarshalled to/from JSON in various projects, so we need to keep representation compatible.

func LoadBundle

func LoadBundle(path string) (*Bundle, error)

LoadBundle loads secrets bundle from the given file.

func NewBundle

func NewBundle(clock Clock, versionContract *config.VersionContract) (*Bundle, error)

NewBundle creates secrets bundle generating all secrets.

func NewBundleFromConfig

func NewBundleFromConfig(clock Clock, c config.Config) *Bundle

NewBundleFromConfig creates secrets bundle using existing config.

func NewBundleFromKubernetesPKI

func NewBundleFromKubernetesPKI(pkiDir, bootstrapToken string, versionContract *config.VersionContract) (*Bundle, error)

NewBundleFromKubernetesPKI creates secrets bundle by reading the contents of a Kubernetes PKI directory (typically `/etc/kubernetes/pki`) and using the provided bootstrapToken as input.

func (*Bundle) GenerateTalosAPIClientCertificate

func (bundle *Bundle) GenerateTalosAPIClientCertificate(roles role.Set) (*x509.PEMEncodedCertificateAndKey, error)

GenerateTalosAPIClientCertificate generates the admin certificate.

type Certs

type Certs struct {
	// Etcd is etcd CA certificate and key.
	Etcd *x509.PEMEncodedCertificateAndKey `json:"Etcd"`
	// K8s is Kubernetes CA certificate and key.
	K8s *x509.PEMEncodedCertificateAndKey `json:"K8s"`
	// K8sAggregator is Kubernetes aggregator CA certificate and key.
	K8sAggregator *x509.PEMEncodedCertificateAndKey `json:"K8sAggregator"`
	// K8sServiceAccount is Kubernetes service account key.
	K8sServiceAccount *x509.PEMEncodedKey `json:"K8sServiceAccount"`
	// OS is Talos API CA certificate and key.
	OS *x509.PEMEncodedCertificateAndKey `json:"OS"`
}

Certs holds the base64 encoded keys and certificates.

type Clock

type Clock interface {
	Now() time.Time
}

Clock system clock.

type Cluster

type Cluster struct {
	ID     string `json:"Id"`
	Secret string `json:"Secret"`
}

Cluster holds Talos cluster-wide secrets.

type Secrets

type Secrets struct {
	BootstrapToken            string `json:"BootstrapToken"`
	AESCBCEncryptionSecret    string `json:"AESCBCEncryptionSecret,omitempty" yaml:",omitempty"`
	SecretboxEncryptionSecret string `json:"SecretboxEncryptionSecret,omitempty" yaml:",omitempty"`
}

Secrets holds the sensitive kubeadm data.

type SystemClock

type SystemClock struct {
	// contains filtered or unexported fields
}

SystemClock is a real system clock, but the time returned can be made fixed.

func NewClock

func NewClock() *SystemClock

NewClock creates new SystemClock.

func NewFixedClock

func NewFixedClock(t time.Time) *SystemClock

NewFixedClock creates new SystemClock with fixed time.

func (*SystemClock) Now

func (c *SystemClock) Now() time.Time

Now implements Clock.

type TrustdInfo

type TrustdInfo struct {
	Token string `json:"Token"`
}

TrustdInfo holds the trustd credentials.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL