Documentation ¶
Index ¶
- Constants
- Variables
- func CreateOrUpdateCAConfigMap(caCert []byte, cl client.Client, scheme *runtime.Scheme, owner metav1.Object) error
- func EncodeInPemFormat(buff []byte, pemType string) ([]byte, error)
- func GenerateCaCertificate(validityDuration time.Duration) ([]byte, []byte, error)
- func GenerateCaCertificateTemplate(validityDuration time.Duration) (x509.Certificate, *rsa.PrivateKey, error)
- func GenerateCaCertificateTemplateEx(cn string, validityDuration time.Duration) (x509.Certificate, *rsa.PrivateKey, error)
- func GenerateSerialNumber() (*big.Int, error)
- func GetAndDecodePem(data map[string][]byte, key string) (*pem.Block, error)
- func GetCAConfigMap(ns string, cl client.Client) (*corev1.ConfigMap, error)
- func GetCAFromConfigMap(ns string, cl client.Client) (string, error)
- func GetCaCertSecret(cl client.Client, ns string) (*corev1.Secret, error)
- func GetOpenShiftCA(cl corev1api.CoreV1Interface) ([]byte, error)
- func HashPublicKey(key crypto.PublicKey) ([]byte, error)
- func SignCertificateSelfCA(caCertDer, caPrivateKeyDer []byte, certTemplate x509.Certificate, ...) ([]byte, []byte, error)
- func ValidateCert(cert *x509.Certificate, caCertPem []byte) ([]byte, error)
- func ValidateCertPem(cert, caCertPem []byte) ([]byte, error)
- type CACertificate
- type Certificate
- type CertificateSigner
- type CertificateSubject
Constants ¶
const ( CAFilename = "ca-bundle.crt" CAConfigMapName = "csr-signer-ca" )
const ( CertificatePemType = "CERTIFICATE" PrivateKeyPemType = "RSA PRIVATE KEY" )
const ( CaSecretName = "contrail-ca-certificate" SignerCAPrivateKeyFilename = "ca-priv-key.pem" )
const ( OpenshiftCSRConfigMapName = "csr-controller-ca" OpenshiftCSRConfigMapNS = "openshift-config-managed" K8SCSRConfigMapName = "cluster-info" K8SCSRConfigMapNS = "kube-public" )
const ExternalCAHostPath = "/etc/contrail/ssl/ca-certs"
const ExternalCertHostPath = "/etc/contrail/ssl/certs"
const ExternalSigner = "External"
const SelfSignedCALegacyUnknown = "kubernetes.io/legacy-unknown"
const SelfSigner = "SelfSignedCA"
Signers
- K8S: NOTE: for now K8S 1.22+ generates certificates with Ext Usages that are incompatible with Contrail: kubernetes.io/kubelet-serving forces only "TLS Web Server Authentication"; kubernetes.io/kube-apiserver-client forces only "TLS Web Client Authentication"; kubernetes.io/kube-apiserver-client-kubelet forces only "TLS Web Client Authentication" and forbids the alt subject extension. The above signers don't allow a certificate with both client and server auth and force one of them. As a result it is not possible to use them for Cassandra (and other cluster services like RabbitMQ) that need a certificate either with both usages or without usages at all. E.g. Cassandra can use only one certificate for inter-node communications, where each node is server and client at the same time.
- Own SelfSigned CA: SelfSignedCA will use the provided root key and CA cert via the contrail-ca-certificate Secret. If not provided, it generates its own self-signed CA and creates the Secret.
- External certificates: External Certificates are expected to be generated by an external system, e.g. RedHat IDM. It is expected that service certificates and keys are placed on the host in /etc/contrail/ssl/certs/ with the following name patterns: for certificates: server-${POD_IP}.crt client-${POD_IP}.crt; for private keys: server-key-${POD_IP}.pem client-key-${POD_IP}.pem
Variables ¶
var CACertKeyLength = 4096
var CertKeyLength = 4096
var ClientSignerName string = SelfSigner
var Now = time.Now
var ServerSignerName string = SelfSigner
Functions ¶
func GenerateCaCertificate ¶
func GenerateCaCertificateTemplate ¶
func GenerateCaCertificateTemplate(validityDuration time.Duration) (x509.Certificate, *rsa.PrivateKey, error)
func GenerateCaCertificateTemplateEx ¶
func GenerateCaCertificateTemplateEx(cn string, validityDuration time.Duration) (x509.Certificate, *rsa.PrivateKey, error)
func GenerateSerialNumber ¶
func GetOpenShiftCA ¶
func GetOpenShiftCA(cl corev1api.CoreV1Interface) ([]byte, error)
func SignCertificateSelfCA ¶
func ValidateCert ¶
func ValidateCert(cert *x509.Certificate, caCertPem []byte) ([]byte, error)
func ValidateCertPem ¶
Types ¶
type CACertificate ¶
type CACertificate struct {
// contains filtered or unexported fields
}
func NewCACertificate ¶
type Certificate ¶
type Certificate struct {
// contains filtered or unexported fields
}
Certificate object
func NewCertificate ¶
func NewCertificate(signer CertificateSigner, cl client.Client, scheme *runtime.Scheme, owner metav1.Object, subjects []CertificateSubject, ownerType string) (*Certificate, error)
NewCertificate creates a new certificate.
func (*Certificate) EnsureExistsAndIsSigned ¶
func (r *Certificate) EnsureExistsAndIsSigned(force bool) error
EnsureExistsAndIsSigned ensures the certificate exists and is signed.
func (*Certificate) FillSecret ¶
func (r *Certificate) FillSecret(secret *corev1.Secret, force bool) error
FillSecret fills the secret with data.
type CertificateSigner ¶
type CertificateSigner interface { SignCertificate(secret *corev1.Secret, certTemplate x509.Certificate, privateKey *rsa.PrivateKey) ([]byte, []byte, error) ValidateCert(cert *x509.Certificate) ([]byte, error) }
type CertificateSubject ¶
type CertificateSubject struct {
// contains filtered or unexported fields
}
CertificateSubject describes a certificate subject.
func NewSubject ¶
func NewSubject(name, domain, hostname, ip string, alternativeIPs, alternativeNames []string, clientAuth bool) CertificateSubject
NewSubject creates a new certificate subject.