Documentation
Index
- Constants
- func ErrInvalidCertDNSNames(secretName, secretNamespace string) error
- func HasExpectedDNSNames(secretName, secretNamespace string, cert *x509.Certificate, ...) error
- func HasRequiredKeyUsage(cert *x509.Certificate, required []x509.ExtKeyUsage) bool
- func IsCertExtKeyUsageError(err error) bool
- type CertExtKeyUsageError
- type CertificateManager
- type Option
Constants
const OperatorCSRSignerName = "tigera.io/operator-signer"
OperatorCSRSignerName: when this value is set as the signer on a CSR, the CSR controller will handle the request.
Variables
This section is empty.
Functions
func ErrInvalidCertDNSNames
func ErrInvalidCertDNSNames(secretName, secretNamespace string) error
func HasExpectedDNSNames
func HasExpectedDNSNames(secretName, secretNamespace string, cert *x509.Certificate, expectedDNSNames []string) error
func HasRequiredKeyUsage added in v1.30.5
func HasRequiredKeyUsage(cert *x509.Certificate, required []x509.ExtKeyUsage) bool
HasRequiredKeyUsage returns true if the given certificate is valid for use both as a server certificate and as a client certificate for mTLS connections.
func IsCertExtKeyUsageError added in v1.30.5
func IsCertExtKeyUsageError(err error) bool
IsCertExtKeyUsageError returns true if the error is a CertExtKeyUsageError.
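To make the mTLS requirement concrete, the following is an added, self-contained Go example and not the package's own code: hasRequiredKeyUsage is a local re-implementation of the documented check (every required extended key usage must be present), and selfSigned builds a constructed throwaway certificate so the check can be run offline. Both names are assumptions for this example, not the package's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mtlsUsages is what the documentation requires for mTLS: server and client auth.
var mtlsUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// hasRequiredKeyUsage is a local re-implementation (not the package's code) of the
// documented check: every usage in required must be in the cert's ExtKeyUsage list.
func hasRequiredKeyUsage(cert *x509.Certificate, required []x509.ExtKeyUsage) bool {
	have := make(map[x509.ExtKeyUsage]bool, len(cert.ExtKeyUsage))
	for _, u := range cert.ExtKeyUsage {
		have[u] = true
	}
	for _, want := range required {
		if !have[want] {
			return false
		}
	}
	return true
}

// selfSigned builds a constructed, short-lived self-signed certificate carrying
// the given extended key usages, so the check can be exercised offline.
func selfSigned(usages []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.internal"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  usages,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that carries only ServerAuth fails the mTLS check even though it is a perfectly valid server certificate, which is the case the operator's CertExtKeyUsageError exists to report.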
Types
type CertExtKeyUsageError added in v1.30.5
type CertExtKeyUsageError struct {
// contains filtered or unexported fields
}
CertExtKeyUsageError is returned for certificates in a specific secret that do not have the correct extended key usage types.
func (*CertExtKeyUsageError) Error added in v1.30.5
func (cue *CertExtKeyUsageError) Error() string
type CertificateManager
type CertificateManager interface {
	// GetKeyPair returns an existing KeyPair. In normal operation, if the KeyPair is not found, nil is returned.
	// However, when certificate management is enabled, keypairs are not written to the cluster. In this case, the keypair returned by this function
	// is an implementation of KeyPairInterface using the provided dnsNames.
	GetKeyPair(cli client.Client, secretName, secretNamespace string, dnsNames []string) (certificatemanagement.KeyPairInterface, error)
	// GetOrCreateKeyPair returns a KeyPair. If one exists, some checks are performed. Otherwise, a new KeyPair is created.
	GetOrCreateKeyPair(cli client.Client, secretName, secretNamespace string, dnsNames []string) (certificatemanagement.KeyPairInterface, error)
	// CreateCSRKeyPair returns a KeyPair that relies on issuing Certificate Signing Requests to the Kubernetes API to be
	// signed by OperatorCSRSignerName. This means that pkg/controller/csr/csr_controller.go will end up signing the CSR
	// using the private key of the certificate manager.
	CreateCSRKeyPair(secretName, secretNamespace string, dnsNames []string) certificatemanagement.KeyPairInterface
	// GetCertificate returns a Certificate. If the certificate is not found, nil is returned.
	GetCertificate(cli client.Client, secretName, secretNamespace string) (certificatemanagement.CertificateInterface, error)
	// CreateTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust.
	// It will include:
	// - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
	CreateTrustedBundle(certificates ...certificatemanagement.CertificateInterface) certificatemanagement.TrustedBundle
	// CreateTrustedBundleWithSystemRootCertificates creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust.
	// It will include:
	// - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
	// - A system root certificate bundle in /etc/pki/tls/certs/ca-bundle.crt.
	CreateTrustedBundleWithSystemRootCertificates(certificates ...certificatemanagement.CertificateInterface) (certificatemanagement.TrustedBundle, error)
	// CreateMultiTenantTrustedBundleWithSystemRootCertificates is an alternative to CreateTrustedBundleWithSystemRootCertificates that is appropriate for
	// multi-tenant management clusters.
	CreateMultiTenantTrustedBundleWithSystemRootCertificates(certificates ...certificatemanagement.CertificateInterface) (certificatemanagement.TrustedBundle, error)
	// AddToStatusManager lets the status manager monitor pending CSRs if certificate management is enabled.
	AddToStatusManager(manager status.StatusManager, namespace string)
	// KeyPair returns the CA KeyPairInterface, so it can be rendered in the operator namespace.
	KeyPair() certificatemanagement.KeyPairInterface
	// LoadTrustedBundle loads an existing trusted bundle to pass to render.
	LoadTrustedBundle(context.Context, client.Client, string) (certificatemanagement.TrustedBundleRO, error)
	// LoadMultiTenantTrustedBundleWithRootCertificates loads an existing trusted bundle with system root certificates to pass to render.
	LoadMultiTenantTrustedBundleWithRootCertificates(context.Context, client.Client, string) (certificatemanagement.TrustedBundleRO, error)
	// SignCertificate signs a certificate using the certificate manager's private key. The function assumes that the
	// public key of the requestor is already set in the certificate template.
	SignCertificate(certificate *x509.Certificate) ([]byte, error)
}
CertificateManager can sign new certificates and has methods to retrieve existing KeyPairs and Certificates. If a user brings their own secrets, CertificateManager will preserve and return them.
func Create
func Create(cli client.Client, installation *operatorv1.InstallationSpec, clusterDomain, ns string, opts ...Option) (CertificateManager, error)
Create creates a signer of new certificates and has methods to retrieve existing KeyPairs and Certificates. If a user brings their own secrets, CertificateManager will preserve and return them.
type Option added in v1.32.0
type Option func(cm *certificateManager) error
func AllowCACreation added in v1.32.0
func AllowCACreation() Option
func WithLogger added in v1.32.0
func WithTenant added in v1.32.0
func WithTenant(t *operatorv1.Tenant) Option