certificatemanager

package
v1.36.3
Published: Nov 26, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation


Constants

const OperatorCSRSignerName = "tigera.io/operator-signer"

OperatorCSRSignerName: when this value is set as the signer on a CSR, the CSR controller will handle the request.

Variables

This section is empty.

Functions

func ErrInvalidCertDNSNames

func ErrInvalidCertDNSNames(secretName, secretNamespace string) error

func HasExpectedDNSNames

func HasExpectedDNSNames(secretName, secretNamespace string, cert *x509.Certificate, expectedDNSNames []string) error

func HasRequiredKeyUsage added in v1.30.5

func HasRequiredKeyUsage(cert *x509.Certificate, required []x509.ExtKeyUsage) bool

HasRequiredKeyUsage returns true if the given certificate is valid for use both as a server certificate and as a client certificate for mTLS connections.

func IsCertExtKeyUsageError added in v1.30.5

func IsCertExtKeyUsageError(err error) bool

IsCertExtKeyUsageError returns true if the error is a CertExtKeyUsageError.
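As an added illustration, not the operator's own code: the two checks documented above, re-implemented with only the standard library and run over a constructed self-signed certificate. The helpers hasRequiredKeyUsage, hasExpectedDNSNames and selfSigned are hypothetical and mirror the signatures listed here, and the DNS names are made-up sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// hasRequiredKeyUsage reports whether cert carries every ExtKeyUsage in required (e.g. ServerAuth and ClientAuth for mTLS).
func hasRequiredKeyUsage(cert *x509.Certificate, required []x509.ExtKeyUsage) bool {
	for _, u := range required {
		if !slices.Contains(cert.ExtKeyUsage, u) {
			return false
		}
	}
	return true
}

// hasExpectedDNSNames errors on the first expected SAN missing from cert, naming the secret it came from.
func hasExpectedDNSNames(secretName, secretNamespace string, cert *x509.Certificate, expected []string) error {
	for _, n := range expected {
		if !slices.Contains(cert.DNSNames, n) {
			return fmt.Errorf("secret %s/%s: certificate lacks DNS name %q (has %v)", secretNamespace, secretName, n, cert.DNSNames)
		}
	}
	return nil
}

// selfSigned builds a constructed, self-signed test certificate with the given SANs and extended key usages.
func selfSigned(dnsNames []string, usages []x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: usages, DNSNames: dnsNames,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	// A server-only certificate fails the mTLS check because ClientAuth is missing.
	cert := selfSigned([]string{"svc.example-ns.svc"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println(hasRequiredKeyUsage(cert, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}))
}
```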

Types

type CertExtKeyUsageError added in v1.30.5

type CertExtKeyUsageError struct {
	// contains filtered or unexported fields
}

CertExtKeyUsageError is returned when the certificate in a specific secret does not have the correct extended key usage types.

func (*CertExtKeyUsageError) Error added in v1.30.5

func (cue *CertExtKeyUsageError) Error() string

type CertificateManager

type CertificateManager interface {
	// GetKeyPair returns an existing KeyPair. In normal operation, if the KeyPair is not found, nil is returned.
	// However, when certificate management is enabled keypairs are not written to the cluster. In this case, the keypair returned by this function
	// is an implementation of KeyPairInterface using the provided dnsNames.
	GetKeyPair(cli client.Client, secretName, secretNamespace string, dnsNames []string) (certificatemanagement.KeyPairInterface, error)
	// GetOrCreateKeyPair returns a KeyPair. If one exists, some checks are performed. Otherwise, a new KeyPair is created.
	GetOrCreateKeyPair(cli client.Client, secretName, secretNamespace string, dnsNames []string) (certificatemanagement.KeyPairInterface, error)
	// CreateCSRKeyPair returns a KeyPair that relies on issuing Certificate Signing Requests to the kubernetes api to be
	// signed by OperatorCSRSignerName. This means that pkg/controller/csr/csr_controller.go will end up signing the CSR
	// using the private key of the certificate manager.
	CreateCSRKeyPair(secretName, secretNamespace string, dnsNames []string) certificatemanagement.KeyPairInterface
	// GetCertificate returns a Certificate. If the certificate is not found, nil is returned.
	GetCertificate(cli client.Client, secretName, secretNamespace string) (certificatemanagement.CertificateInterface, error)
	// CreateTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust.
	// It will include:
	// - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
	CreateTrustedBundle(certificates ...certificatemanagement.CertificateInterface) certificatemanagement.TrustedBundle
	// CreateTrustedBundleWithSystemRootCertificates creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust.
	// It will include:
	// - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
	// - A system root certificate bundle in /etc/pki/tls/certs/ca-bundle.crt.
	CreateTrustedBundleWithSystemRootCertificates(certificates ...certificatemanagement.CertificateInterface) (certificatemanagement.TrustedBundle, error)
	// CreateMultiTenantTrustedBundleWithSystemRootCertificates is an alternative to CreateTrustedBundleWithSystemRootCertificates that is appropriate for
	// multi-tenant management clusters.
	CreateMultiTenantTrustedBundleWithSystemRootCertificates(certificates ...certificatemanagement.CertificateInterface) (certificatemanagement.TrustedBundle, error)
	// AddToStatusManager lets the status manager monitor pending CSRs if the certificate management is enabled.
	AddToStatusManager(manager status.StatusManager, namespace string)
	// KeyPair returns the CA KeyPairInterface, so it can be rendered in the operator namespace.
	KeyPair() certificatemanagement.KeyPairInterface
	// LoadTrustedBundle loads an existing trusted bundle to pass to render.
	LoadTrustedBundle(context.Context, client.Client, string) (certificatemanagement.TrustedBundleRO, error)
	// LoadMultiTenantTrustedBundleWithRootCertificates loads an existing trusted bundle with system root certificates to pass to render.
	LoadMultiTenantTrustedBundleWithRootCertificates(context.Context, client.Client, string) (certificatemanagement.TrustedBundleRO, error)
	// SignCertificate signs a certificate using the certificate manager's private key. The function is assuming that the
	// public key of the requestor is already set in the certificate template.
	SignCertificate(certificate *x509.Certificate) ([]byte, error)
}

CertificateManager can sign new certificates and has methods to retrieve existing KeyPairs and Certificates. If a user brings their own secrets, CertificateManager will preserve and return them.

func Create

func Create(cli client.Client, installation *operatorv1.InstallationSpec, clusterDomain, ns string, opts ...Option) (CertificateManager, error)

Create returns a CertificateManager that can sign new certificates and retrieve existing KeyPairs and Certificates. If a user brings their own secrets, CertificateManager will preserve and return them.

type Option added in v1.32.0

type Option func(cm *certificateManager) error

func AllowCACreation added in v1.32.0

func AllowCACreation() Option

func WithLogger added in v1.32.0

func WithLogger(log logr.Logger) Option

func WithTenant added in v1.32.0

func WithTenant(t *operatorv1.Tenant) Option