Documentation ¶
Index ¶
- Constants
- Variables
- func CSRClusterRole() client.Object
- func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding
- func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource
- func CreateCSRInitContainer(certificateManagement *operatorv1.CertificateManagement, image string, ...) corev1.Container
- func CreateSelfSignedSecret(secretName, namespace, cn string, altNames []string) (*corev1.Secret, error)
- func GetKeyCertPEM(secret *corev1.Secret) ([]byte, []byte)
- func ParseCertificate(certBytes []byte) (*x509.Certificate, error)
- func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)
- type CertificateInterface
- type KeyPair
- func (k *KeyPair) BYO() bool
- func (k *KeyPair) GetCertificatePEM() []byte
- func (k *KeyPair) GetIssuer() CertificateInterface
- func (k *KeyPair) GetName() string
- func (k *KeyPair) GetNamespace() string
- func (k *KeyPair) HashAnnotationKey() string
- func (k *KeyPair) HashAnnotationValue() string
- func (k *KeyPair) InitContainer(namespace string) corev1.Container
- func (k *KeyPair) Secret(namespace string) *corev1.Secret
- func (k *KeyPair) UseCertificateManagement() bool
- func (k *KeyPair) Volume() corev1.Volume
- func (k *KeyPair) VolumeMount(osType rmeta.OSType) corev1.VolumeMount
- func (k *KeyPair) VolumeMountCertificateFilePath() string
- func (k *KeyPair) VolumeMountKeyFilePath() string
- type KeyPairInterface
- type TrustedBundle
- func CreateMultiTenantTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)
- func CreateTrustedBundle(certificates ...CertificateInterface) TrustedBundle
- func CreateTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)
- type TrustedBundleRO
Constants ¶
const ( // RHELRootCertificateBundleName is the name of the system CA bundle as present in UBI/RHEL systems. RHELRootCertificateBundleName = "ca-bundle.crt" // SSLCertFile is the symbolic link to the system CA bundle used by libssl SSL_CERT_FILE. SSLCertFile = "cert.pem" )
const ( CSRClusterRoleName = "tigera-csr-creator" CSRCMountPath = "/certs-share" CSRInitContainerName = "key-cert-provisioner" )
const ( TenantCASecretName = "tigera-ca-private-tenant" CASecretName = "tigera-ca-private" TrustedCertConfigMapKeyName = "tigera-ca-bundle.crt" TrustedCertVolumeMountPath = "/etc/pki/tls/" TrustedCertVolumeMountPathWindows = "c:/etc/pki/tls/" TrustedCertBundleMountPath = "/etc/pki/tls/certs/tigera-ca-bundle.crt" TrustedCertBundleMountPathWindows = "c:/etc/pki/tls/certs/tigera-ca-bundle.crt" // TrustedCertConfigMapName is the name of the trusted certificate bundle ConfigMap. This value is used // for all single-tenant trusted bundles, as well as multi-tenant trusted bundles that do not include public CAs. TrustedCertConfigMapName = "tigera-ca-bundle" // TrustedCertConfigMapNamePublic is the name of the trusted certificate bundle ConfigMap that includes public CAs, used // only in multi-tenant environments as a single namespace requires both a trusted bundle with public CAs as well as one without. TrustedCertConfigMapNamePublic = "tigera-ca-bundle-system-certs" )
const (
VoltronKeySizeBits = 2048
)
Variables ¶
var ErrInvalidCertNoPEMData = errors.New("cert has no PEM data")
Functions ¶
func CSRClusterRole ¶
CSRClusterRole returns a role with the necessary permissions to create certificate signing requests.
func CSRClusterRoleBinding ¶
func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding
CSRClusterRoleBinding returns a role binding with the necessary permissions to create certificate signing requests.
func CertificateVolumeSource ¶
func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource
func CreateCSRInitContainer ¶
func CreateCSRInitContainer( certificateManagement *operatorv1.CertificateManagement, image string, mountName string, commonName string, keyName string, certName string, dnsNames []string, appNameLabel string) corev1.Container
CreateCSRInitContainer creates an init container that can be added to a pod spec in order to create a CSR for its TLS certificates. It uses the provided params and the k8s downward api to be able to specify certificate subject information.
func CreateSelfSignedSecret ¶ added in v1.28.0
func CreateSelfSignedSecret(secretName, namespace, cn string, altNames []string) (*corev1.Secret, error)
CreateSelfSignedSecret creates a self signed TLS secret.
func ParseCertificate ¶
func ParseCertificate(certBytes []byte) (*x509.Certificate, error)
func ResolveCSRInitImage ¶
func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)
ResolveCsrInitImage resolves the image needed for the CSR init image taking into account the specified ImageSet
Types ¶
type CertificateInterface ¶
type CertificateInterface interface { GetIssuer() CertificateInterface GetCertificatePEM() []byte GetName() string GetNamespace() string }
CertificateInterface wraps the certificate. Combine this with a TrustedBundle, to mount a trusted certificate bundle to a pod.
func NewCertificate ¶
func NewCertificate(name, ns string, pem []byte, issuer CertificateInterface) CertificateInterface
NewCertificate creates a new certificate.
type KeyPair ¶
type KeyPair struct { CSRImage string Name string Namespace string PrivateKeyPEM []byte CertificatePEM []byte ClusterDomain string *operatorv1.CertificateManagement DNSNames []string Issuer KeyPairInterface // OriginalSecret maintains a copy of the secret that the KeyPair was created from. OriginalSecret *corev1.Secret }
func (*KeyPair) BYO ¶
BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false.
func (*KeyPair) GetCertificatePEM ¶
func (*KeyPair) GetIssuer ¶
func (k *KeyPair) GetIssuer() CertificateInterface
func (*KeyPair) GetNamespace ¶ added in v1.32.0
func (*KeyPair) HashAnnotationKey ¶
func (*KeyPair) HashAnnotationValue ¶
func (*KeyPair) InitContainer ¶
InitContainer contains an init container for making a CSR. is only applicable when certificate management is enabled.
func (*KeyPair) UseCertificateManagement ¶
UseCertificateManagement is true if this secret is not BYO and certificate management is used to provide the a pair to a pod.
func (*KeyPair) VolumeMount ¶
func (k *KeyPair) VolumeMount(osType rmeta.OSType) corev1.VolumeMount
func (*KeyPair) VolumeMountCertificateFilePath ¶
func (*KeyPair) VolumeMountKeyFilePath ¶
type KeyPairInterface ¶
type KeyPairInterface interface { // UseCertificateManagement returns true if this key pair was not user provided and certificate management has been configured. UseCertificateManagement() bool // BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false. BYO() bool InitContainer(namespace string) corev1.Container VolumeMount(osType meta.OSType) corev1.VolumeMount VolumeMountKeyFilePath() string VolumeMountCertificateFilePath() string Volume() corev1.Volume Secret(namespace string) *corev1.Secret HashAnnotationKey() string HashAnnotationValue() string CertificateInterface }
KeyPairInterface wraps a Secret object that contains a private key and a certificate. Whether CertificateManagement is configured or not, KeyPair returns the right InitContainer, VolumeMount or Volume (when applicable).
func NewKeyPair ¶
func NewKeyPair(secret *corev1.Secret, dnsNames []string, clusterDomain string) KeyPairInterface
NewKeyPair returns a KeyPair, which wraps a Secret object that contains a private key and a certificate. Whether certificate management is configured or not, KeyPair returns the right InitContainer, Volumemount or Volume (when applicable).
type TrustedBundle ¶
type TrustedBundle interface { MountPath() string ConfigMap(namespace string) *corev1.ConfigMap HashAnnotations() map[string]string VolumeMounts(osType meta.OSType) []corev1.VolumeMount Volume() corev1.Volume AddCertificates(certificates ...CertificateInterface) }
TrustedBundle is used to create a trusted certificate bundle of the CertificateManager CA and 0 or more Certificates.
func CreateMultiTenantTrustedBundleWithSystemRootCertificates ¶ added in v1.32.0
func CreateMultiTenantTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)
CreateMultiTenantTrustedBundleWithSystemRootCertificates creates a TrustedBundle with system root certificates that is appropraite for a multi-tenant cluster, in which each tenant needs multiple trusted bundles.
func CreateTrustedBundle ¶
func CreateTrustedBundle(certificates ...CertificateInterface) TrustedBundle
CreateTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
func CreateTrustedBundleWithSystemRootCertificates ¶ added in v1.28.7
func CreateTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)
CreateTrustedBundleWithSystemRootCertificates creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt. - A system root certificate bundle in /etc/pki/tls/certs/ca-bundle.crt.
type TrustedBundleRO ¶ added in v1.32.0
type TrustedBundleRO interface { MountPath() string HashAnnotations() map[string]string VolumeMounts(osType meta.OSType) []corev1.VolumeMount Volume() corev1.Volume }
Read-only version of a trusted bundle, useful for rendering components without needing to parse certificates.