certificatemanagement

package


Constants

const (
	// RHELRootCertificateBundleName is the name of the system CA bundle as present in UBI/RHEL systems.
	// Placed under the certs/ directory of TrustedCertVolumeMountPath it gives /etc/pki/tls/certs/ca-bundle.crt,
	// the path CreateTrustedBundleWithSystemRootCertificates documents for the system root bundle.
	RHELRootCertificateBundleName = "ca-bundle.crt"
	// SSLCertFile is the symbolic link to the system CA bundle used by libssl SSL_CERT_FILE.
	SSLCertFile = "cert.pem"
)
const (
	// CSRClusterRoleName is the name of the ClusterRole that grants permission to create certificate
	// signing requests; presumably the object returned by CSRClusterRole — confirm, its body is not shown here.
	CSRClusterRoleName   = "tigera-csr-creator"
	// CSRCMountPath is the path at which the CSR init container and the main container share the
	// provisioned key and certificate — NOTE(review): inferred from the name, verify in CreateCSRInitContainer.
	CSRCMountPath        = "/certs-share"
	// CSRInitContainerName is the container name used for the CSR init container.
	CSRInitContainerName = "key-cert-provisioner"
)
const (
	// TenantCASecretName and CASecretName name the Secrets holding the per-tenant and the cluster-wide
	// private CA respectively. Presumably both carry CA private key material — treat their contents as
	// sensitive and keep them out of logs and rendered manifests.
	TenantCASecretName                = "tigera-ca-private-tenant"
	CASecretName                      = "tigera-ca-private"
	// TrustedCertConfigMapKeyName is the file name of the mounted bundle; it is the last path element of
	// TrustedCertBundleMountPath. Presumably it is also the data key inside the ConfigMap — confirm.
	TrustedCertConfigMapKeyName       = "tigera-ca-bundle.crt"
	// TrustedCertVolumeMountPath* are the directories the trusted bundle volume is mounted at, and
	// TrustedCertBundleMountPath* the full file paths of the bundle inside them, for Linux and Windows.
	TrustedCertVolumeMountPath        = "/etc/pki/tls/"
	TrustedCertVolumeMountPathWindows = "c:/etc/pki/tls/"
	TrustedCertBundleMountPath        = "/etc/pki/tls/certs/tigera-ca-bundle.crt"
	TrustedCertBundleMountPathWindows = "c:/etc/pki/tls/certs/tigera-ca-bundle.crt"

	// TrustedCertConfigMapName is the name of the trusted certificate bundle ConfigMap. This value is used
	// for all single-tenant trusted bundles, as well as multi-tenant trusted bundles that do not include public CAs.
	TrustedCertConfigMapName = "tigera-ca-bundle"

	// TrustedCertConfigMapNamePublic is the name of the trusted certificate bundle ConfigMap that includes public CAs, used
	// only in multi-tenant environments as a single namespace requires both a trusted bundle with public CAs as well as one without.
	TrustedCertConfigMapNamePublic = "tigera-ca-bundle-system-certs"
)
const (
	// VoltronKeySizeBits is the key size, in bits, used when generating Voltron's key pair.
	// Presumably an RSA key size (2048 is the commonly accepted minimum for RSA today) — confirm
	// against the call that generates the key, which is not shown here.
	VoltronKeySizeBits = 2048
)

Variables

// ErrInvalidCertNoPEMData is the sentinel error for certificate input that contains no PEM block.
// Callers should match it with errors.Is. Presumably returned by ParseCertificate — its body is not shown here.
var ErrInvalidCertNoPEMData = errors.New("cert has no PEM data")

Functions

func CSRClusterRole

func CSRClusterRole() client.Object

CSRClusterRole returns a role with the necessary permissions to create certificate signing requests.

func CSRClusterRoleBinding

func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding

CSRClusterRoleBinding returns a role binding with the necessary permissions to create certificate signing requests.

func CertificateVolumeSource

func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource

func CreateCSRInitContainer

func CreateCSRInitContainer(
	certificateManagement *operatorv1.CertificateManagement,
	secretName,
	image string,
	mountName string,
	commonName string,
	keyName string,
	certName string,
	dnsNames []string,
	appNameLabel string) corev1.Container

CreateCSRInitContainer creates an init container that can be added to a pod spec in order to create a CSR for its TLS certificates. It uses the provided parameters and the Kubernetes downward API to specify certificate subject information.

func CreateSelfSignedSecret added in v1.28.0

func CreateSelfSignedSecret(secretName, namespace, cn string, altNames []string) (*corev1.Secret, error)

CreateSelfSignedSecret creates a self-signed TLS secret.

func GetKeyCertPEM added in v1.30.8

func GetKeyCertPEM(secret *corev1.Secret) ([]byte, []byte)

func ParseCertificate

func ParseCertificate(certBytes []byte) (*x509.Certificate, error)

func ResolveCSRInitImage

func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)

ResolveCSRInitImage resolves the image needed for the CSR init container, taking into account the specified ImageSet.

Types

type CertificateInterface

type CertificateInterface interface {
	// GetIssuer returns the certificate that issued this one. What a self-issued certificate
	// returns (nil or itself) is not defined here — check the NewCertificate callers.
	GetIssuer() CertificateInterface
	// GetCertificatePEM returns the PEM-encoded certificate.
	GetCertificatePEM() []byte
	// GetName and GetNamespace identify the object the certificate was loaded from;
	// presumably a Kubernetes Secret or ConfigMap — confirm.
	GetName() string
	GetNamespace() string
}

CertificateInterface wraps a certificate. Combine it with a TrustedBundle to mount a trusted certificate bundle into a pod.

func NewCertificate

func NewCertificate(name, ns string, pem []byte, issuer CertificateInterface) CertificateInterface

NewCertificate creates a new certificate.

type KeyPair

type KeyPair struct {
	// CSRImage is the image used for the CSR init container — presumably the result of ResolveCSRInitImage; confirm.
	CSRImage  string
	// Name and Namespace identify the Secret this KeyPair represents.
	Name      string
	Namespace string
	// Golang's x509 package uses the 'any' type for all private and public keys. See x509.CreateCertificate() for more.
	PrivateKey     any
	// PrivateKeyPEM and CertificatePEM are the PEM-encoded key and certificate. PrivateKeyPEM is secret
	// material: never log it and never include it in hash annotations or rendered output.
	PrivateKeyPEM  []byte
	CertificatePEM []byte
	// ClusterDomain is the cluster DNS domain; presumably used to build DNS SANs for the CSR — confirm.
	ClusterDomain  string
	// Embedded CertificateManagement configuration. NOTE(review): a nil embedded pointer presumably means
	// certificate management is not in use (see UseCertificateManagement) — confirm before relying on it.
	*operatorv1.CertificateManagement
	// DNSNames are the subject alternative names requested for the certificate.
	DNSNames []string
	// Issuer is the key pair that signed this certificate, if any.
	Issuer   KeyPairInterface

	// OriginalSecret maintains a copy of the secret that the KeyPair was created from.
	OriginalSecret *corev1.Secret
}

func (*KeyPair) BYO

func (k *KeyPair) BYO() bool

BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false.

func (*KeyPair) GetCertificatePEM

func (k *KeyPair) GetCertificatePEM() []byte

func (*KeyPair) GetIssuer

func (k *KeyPair) GetIssuer() CertificateInterface

func (*KeyPair) GetName

func (k *KeyPair) GetName() string

func (*KeyPair) GetNamespace added in v1.32.0

func (k *KeyPair) GetNamespace() string

func (*KeyPair) HashAnnotationKey

func (k *KeyPair) HashAnnotationKey() string

func (*KeyPair) HashAnnotationValue

func (k *KeyPair) HashAnnotationValue() string

func (*KeyPair) InitContainer

func (k *KeyPair) InitContainer(namespace string) corev1.Container

InitContainer returns an init container for making a CSR. It is only applicable when certificate management is enabled.

func (*KeyPair) Secret

func (k *KeyPair) Secret(namespace string) *corev1.Secret

func (*KeyPair) UseCertificateManagement

func (k *KeyPair) UseCertificateManagement() bool

UseCertificateManagement is true if this secret is not BYO and certificate management is used to provide a key pair to a pod.

func (*KeyPair) Volume

func (k *KeyPair) Volume() corev1.Volume

func (*KeyPair) VolumeMount

func (k *KeyPair) VolumeMount(osType rmeta.OSType) corev1.VolumeMount

func (*KeyPair) VolumeMountCertificateFilePath

func (k *KeyPair) VolumeMountCertificateFilePath() string

func (*KeyPair) VolumeMountKeyFilePath

func (k *KeyPair) VolumeMountKeyFilePath() string

type KeyPairInterface

type KeyPairInterface interface {
	// UseCertificateManagement returns true if this key pair was not user provided and certificate management has been configured.
	UseCertificateManagement() bool
	// BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false.
	BYO() bool
	// InitContainer returns the CSR init container for the given namespace; per KeyPair.InitContainer
	// it only applies when certificate management is enabled.
	InitContainer(namespace string) corev1.Container
	// VolumeMount, VolumeMountKeyFilePath and VolumeMountCertificateFilePath describe where the key and
	// certificate appear inside the container; osType selects Linux or Windows path conventions.
	VolumeMount(osType meta.OSType) corev1.VolumeMount
	VolumeMountKeyFilePath() string
	VolumeMountCertificateFilePath() string
	// Volume returns the pod volume backing the mount.
	Volume() corev1.Volume
	// Secret returns the Secret for the given namespace.
	Secret(namespace string) *corev1.Secret
	// HashAnnotationKey and HashAnnotationValue provide a pod annotation so that a changed key pair
	// triggers a rollout. The value must be derived without exposing private key material — confirm in KeyPair.
	HashAnnotationKey() string
	HashAnnotationValue() string
	// A KeyPair is also a CertificateInterface, so it can be added to a TrustedBundle.
	CertificateInterface
}

KeyPairInterface wraps a Secret object that contains a private key and a certificate. Whether CertificateManagement is configured or not, KeyPair returns the right InitContainer, VolumeMount or Volume (when applicable).

func NewKeyPair

func NewKeyPair(secret *corev1.Secret, dnsNames []string, clusterDomain string) KeyPairInterface

NewKeyPair returns a KeyPair, which wraps a Secret object that contains a private key and a certificate. Whether certificate management is configured or not, KeyPair returns the right InitContainer, VolumeMount or Volume (when applicable).

type TrustedBundle

type TrustedBundle interface {
	// MountPath returns the directory the bundle is mounted at (compare TrustedCertVolumeMountPath).
	MountPath() string
	// ConfigMap renders the bundle as a ConfigMap in the given namespace.
	ConfigMap(namespace string) *corev1.ConfigMap
	// HashAnnotations returns pod annotations that change when the bundle contents change.
	HashAnnotations() map[string]string
	// VolumeMounts and Volume wire the bundle into a pod; osType selects Linux or Windows paths.
	VolumeMounts(osType meta.OSType) []corev1.VolumeMount
	Volume() corev1.Volume
	// AddCertificates appends certificates to the bundle; these become trust anchors for every
	// consumer of the bundle, so only certificates from a vetted source should be added.
	AddCertificates(certificates ...CertificateInterface)
}

TrustedBundle is used to create a trusted certificate bundle of the CertificateManager CA and zero or more Certificates.

func CreateMultiTenantTrustedBundleWithSystemRootCertificates added in v1.32.0

func CreateMultiTenantTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)

CreateMultiTenantTrustedBundleWithSystemRootCertificates creates a TrustedBundle with system root certificates that is appropriate for a multi-tenant cluster, in which each tenant needs multiple trusted bundles.

func CreateTrustedBundle

func CreateTrustedBundle(certificates ...CertificateInterface) TrustedBundle

CreateTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.

func CreateTrustedBundleWithSystemRootCertificates added in v1.28.7

func CreateTrustedBundleWithSystemRootCertificates(certificates ...CertificateInterface) (TrustedBundle, error)

CreateTrustedBundleWithSystemRootCertificates creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt. - A system root certificate bundle in /etc/pki/tls/certs/ca-bundle.crt.

type TrustedBundleRO added in v1.32.0

type TrustedBundleRO interface {
	// TrustedBundleRO is the subset of TrustedBundle without ConfigMap and AddCertificates, so a holder of
	// this interface can mount the bundle but cannot extend its trust anchors through it.
	MountPath() string
	HashAnnotations() map[string]string
	VolumeMounts(osType meta.OSType) []corev1.VolumeMount
	Volume() corev1.Volume
}

TrustedBundleRO is a read-only version of a trusted bundle, useful for rendering components without needing to parse certificates.
