pkiutil

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 19, 2021 License: LGPL-3.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	CertificateValidity = time.Hour * 24 * 365

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"

	// APIServerCertAndKeyBaseName defines API's server certificate and key base name
	APIServerCertAndKeyBaseName = "apiserver"
	// APIServerCertName defines API's server certificate name
	APIServerCertName = "apiserver.crt"
	// APIServerKeyName defines API's server key name
	APIServerKeyName = "apiserver.key"
	// APIServerCertCommonName defines API's server certificate common name (CN)
	APIServerCertCommonName = "kube-apiserver"

	// APIServerKubeletClientCertAndKeyBaseName defines kubelet client certificate and key base name
	APIServerKubeletClientCertAndKeyBaseName = "apiserver-kubelet-client"
	// APIServerKubeletClientCertName defines kubelet client certificate name
	APIServerKubeletClientCertName = "apiserver-kubelet-client.crt"
	// APIServerKubeletClientKeyName defines kubelet client key name
	APIServerKubeletClientKeyName = "apiserver-kubelet-client.key"
	// APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN)
	APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client"

	// EtcdCACertAndKeyBaseName defines etcd's CA certificate and key base name
	EtcdCACertAndKeyBaseName = "etcd/ca"
	// EtcdCACertName defines etcd's CA certificate name
	EtcdCACertName = "etcd/ca.crt"
	// EtcdCAKeyName defines etcd's CA key name
	EtcdCAKeyName = "etcd/ca.key"

	// EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name
	EtcdServerCertAndKeyBaseName = "etcd/server"
	// EtcdServerCertName defines etcd's server certificate name
	EtcdServerCertName = "etcd/server.crt"
	// EtcdServerKeyName defines etcd's server key name
	EtcdServerKeyName = "etcd/server.key"

	// EtcdListenClientPort defines the port etcd listen on for client traffic
	EtcdListenClientPort = 2379
	// EtcdMetricsPort is the port at which to obtain etcd metrics and health status
	EtcdMetricsPort = 2381

	// EtcdPeerCertAndKeyBaseName defines etcd's peer certificate and key base name
	EtcdPeerCertAndKeyBaseName = "etcd/peer"
	// EtcdPeerCertName defines etcd's peer certificate name
	EtcdPeerCertName = "etcd/peer.crt"
	// EtcdPeerKeyName defines etcd's peer key name
	EtcdPeerKeyName = "etcd/peer.key"

	// EtcdListenPeerPort defines the port etcd listen on for peer traffic
	EtcdListenPeerPort = 2380

	// EtcdHealthcheckClientCertAndKeyBaseName defines etcd's healthcheck client certificate and key base name
	EtcdHealthcheckClientCertAndKeyBaseName = "etcd/healthcheck-client"
	// EtcdHealthcheckClientCertName defines etcd's healthcheck client certificate name
	EtcdHealthcheckClientCertName = "etcd/healthcheck-client.crt"
	// EtcdHealthcheckClientKeyName defines etcd's healthcheck client key name
	EtcdHealthcheckClientKeyName = "etcd/healthcheck-client.key"
	// EtcdHealthcheckClientCertCommonName defines etcd's healthcheck client certificate common name (CN)
	EtcdHealthcheckClientCertCommonName = "kube-etcd-healthcheck-client"

	// APIServerEtcdClientCertAndKeyBaseName defines apiserver's etcd client certificate and key base name
	APIServerEtcdClientCertAndKeyBaseName = "apiserver-etcd-client"
	// APIServerEtcdClientCertName defines apiserver's etcd client certificate name
	APIServerEtcdClientCertName = "apiserver-etcd-client.crt"
	// APIServerEtcdClientKeyName defines apiserver's etcd client key name
	APIServerEtcdClientKeyName = "apiserver-etcd-client.key"
	// APIServerEtcdClientCertCommonName defines apiserver's etcd client certificate common name (CN)
	APIServerEtcdClientCertCommonName = "kube-apiserver-etcd-client"

	// ServiceAccountKeyBaseName defines SA key base name
	ServiceAccountKeyBaseName = "sa"
	// ServiceAccountPublicKeyName defines SA public key base name
	ServiceAccountPublicKeyName = "sa.pub"
	// ServiceAccountPrivateKeyName defines SA private key base name
	ServiceAccountPrivateKeyName = "sa.key"

	// FrontProxyCACertAndKeyBaseName defines front proxy CA certificate and key base name
	FrontProxyCACertAndKeyBaseName = "front-proxy-ca"
	// FrontProxyCACertName defines front proxy CA certificate name
	FrontProxyCACertName = "front-proxy-ca.crt"
	// FrontProxyCAKeyName defines front proxy CA key name
	FrontProxyCAKeyName = "front-proxy-ca.key"

	// FrontProxyClientCertAndKeyBaseName defines front proxy certificate and key base name
	FrontProxyClientCertAndKeyBaseName = "front-proxy-client"
	// FrontProxyClientCertName defines front proxy certificate name
	FrontProxyClientCertName = "front-proxy-client.crt"
	// FrontProxyClientKeyName defines front proxy key name
	FrontProxyClientKeyName = "front-proxy-client.key"
	// FrontProxyClientCertCommonName defines front proxy certificate common name
	FrontProxyClientCertCommonName = "front-proxy-client" //used as subject.commonname attribute (CN)

	// AdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the superuser/admin of the cluster
	AdminKubeConfigFileName         = "admin.conf"
	ExternalAdminKubeConfigFileName = "external-admin.conf"

	// KubeletBootstrapKubeConfigFileName defines the file name for the kubeconfig that the kubelet will use to do
	// the TLS bootstrap to get itself an unique credential
	KubeletBootstrapKubeConfigFileName = "bootstrap-kubelet.conf"

	// KubeletKubeConfigFileName defines the file name for the kubeconfig that the control-plane kubelet will use for talking
	// to the API server
	KubeletKubeConfigFileName = "kubelet.conf"
	// ControllerManagerKubeConfigFileName defines the file name for the controller manager's kubeconfig file
	ControllerManagerKubeConfigFileName = "controller-manager.conf"
	// SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file
	SchedulerKubeConfigFileName = "scheduler.conf"

	// ControllerManagerUser defines the well-known user the controller-manager should be authenticated as
	ControllerManagerUser = "system:kube-controller-manager"
	// SchedulerUser defines the well-known user the scheduler should be authenticated as
	SchedulerUser = "system:kube-scheduler"
	// SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default
	// (i.e. bound to the cluster-admin ClusterRole)
	SystemPrivilegedGroup = "system:masters"
	// NodesGroup defines the well-known group for all nodes.
	NodesGroup = "system:nodes"
	// NodesUserPrefix defines the user name prefix as requested by the Node authorizer.
	NodesUserPrefix = "system:node:"
	// NodesClusterRoleBinding defines the well-known ClusterRoleBinding which binds the too permissive system:node
	// ClusterRole to the system:nodes group. Since kubeadm is using the Node Authorizer, this ClusterRoleBinding's
	// system:nodes group subject is removed if present.
	NodesClusterRoleBinding = "system:node"

	// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation
	APICallRetryInterval = 500 * time.Millisecond
	// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the control-plane when doing discovery
	DiscoveryRetryInterval = 5 * time.Second
	// PatchNodeTimeout specifies how long kubeadm should wait for applying the label and taint on the control-plane before timing out
	PatchNodeTimeout = 2 * time.Minute
	// TLSBootstrapTimeout specifies how long kubeadm should wait for the kubelet to perform the TLS Bootstrap
	TLSBootstrapTimeout = 2 * time.Minute
	// PullImageRetry specifies how many times ContainerRuntime retries when pulling image failed
	PullImageRetry = 5
	// PrepullImagesInParallelTimeout specifies how long kubeadm should wait for prepulling images in parallel before timing out
	PrepullImagesInParallelTimeout = 10 * time.Second

	// DefaultControlPlaneTimeout specifies the default control plane (actually API Server) timeout for use by kubeadm
	DefaultControlPlaneTimeout = 4 * time.Minute

	// MinimumAddressesInServiceSubnet defines minimum amount of nodes the Service subnet should allow.
	// We need at least ten, because the DNS service is always at the tenth cluster clusterIP
	MinimumAddressesInServiceSubnet = 10

	// DefaultTokenDuration specifies the default amount of time that a bootstrap token will be valid
	// Default behaviour is 24 hours
	DefaultTokenDuration = 24 * time.Hour

	// DefaultCertTokenDuration specifies the default amount of time that the token used by upload certs will be valid
	// Default behaviour is 2 hours
	DefaultCertTokenDuration = 2 * time.Hour

	// CertificateKeySize specifies the size of the key used to encrypt certificates on uploadcerts phase
	CertificateKeySize = 32

	// LabelNodeRoleMaster specifies that a node is a control-plane
	// This is a duplicate definition of the constant in pkg/controller/service/controller.go
	LabelNodeRoleMaster = "node-role.kubernetes.io/master"

	// AnnotationKubeadmCRISocket specifies the annotation kubeadm uses to preserve the crisocket information given to kubeadm at
	// init/join time for use later. kubeadm annotates the node object with this information
	AnnotationKubeadmCRISocket = "kubeadm.alpha.kubernetes.io/cri-socket"

	// KubeadmConfigConfigMap specifies in what ConfigMap in the kube-system namespace the `kubeadm init` configuration should be stored
	KubeadmConfigConfigMap = "kubeadm-config"

	// ClusterConfigurationConfigMapKey specifies in what ConfigMap key the cluster configuration should be stored
	ClusterConfigurationConfigMapKey = "ClusterConfiguration"

	// ClusterStatusConfigMapKey specifies in what ConfigMap key the cluster status should be stored
	ClusterStatusConfigMapKey = "ClusterStatus"

	// KubeProxyConfigMap specifies in what ConfigMap in the kube-system namespace the kube-proxy configuration should be stored
	KubeProxyConfigMap = "kube-proxy"

	// KubeProxyConfigMapKey specifies in what ConfigMap key the component config of kube-proxy should be stored
	KubeProxyConfigMapKey = "config.conf"

	// KubeletBaseConfigurationConfigMapPrefix specifies in what ConfigMap in the kube-system namespace the initial remote configuration of kubelet should be stored
	KubeletBaseConfigurationConfigMapPrefix = "kubelet-config-"

	// KubeletBaseConfigurationConfigMapKey specifies in what ConfigMap key the initial remote configuration of kubelet should be stored
	KubeletBaseConfigurationConfigMapKey = "kubelet"

	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
	KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-"

	// KubeletRunDirectory specifies the directory where the kubelet runtime information is stored.
	KubeletRunDirectory = "/var/lib/kubelet"

	// KubeletConfigurationFileName specifies the file name on the node which stores initial remote configuration of kubelet
	// This file should exist under KubeletRunDirectory
	KubeletConfigurationFileName = "config.yaml"

	// DynamicKubeletConfigurationDirectoryName specifies the directory which stores the dynamic configuration checkpoints for the kubelet
	// This directory should exist under KubeletRunDirectory
	DynamicKubeletConfigurationDirectoryName = "dynamic-config"

	// KubeletEnvFileName is a file "kubeadm init" writes at runtime. Using that interface, kubeadm can customize certain
	// kubelet flags conditionally based on the environment at runtime. Also, parameters given to the configuration file
	// might be passed through this file. "kubeadm init" writes one variable, with the name ${KubeletEnvFileVariableName}.
	// This file should exist under KubeletRunDirectory
	KubeletEnvFileName = "kubeadm-flags.env"

	// KubeletEnvFileVariableName specifies the shell script variable name "kubeadm init" should write a value to in KubeletEnvFile
	KubeletEnvFileVariableName = "KUBELET_KUBEADM_ARGS"

	// KubeletHealthzPort is the port of the kubelet healthz endpoint
	KubeletHealthzPort = 10248

	// MinExternalEtcdVersion indicates minimum external etcd version which kubeadm supports
	MinExternalEtcdVersion = "3.2.18"

	// DefaultEtcdVersion indicates the default etcd version that kubeadm uses
	DefaultEtcdVersion = "3.4.3-0"

	// Etcd defines variable used internally when referring to etcd component
	Etcd = "etcd"
	// KubeAPIServer defines variable used internally when referring to kube-apiserver component
	KubeAPIServer = "kube-apiserver"
	// KubeControllerManager defines variable used internally when referring to kube-controller-manager component
	KubeControllerManager = "kube-controller-manager"
	// KubeScheduler defines variable used internally when referring to kube-scheduler component
	KubeScheduler = "kube-scheduler"
	// KubeProxy defines variable used internally when referring to kube-proxy component
	KubeProxy = "kube-proxy"
	// HyperKube defines variable used internally when referring to the hyperkube image
	HyperKube = "hyperkube"

	// SelfHostingPrefix describes the prefix workloads that are self-hosted by kubeadm has
	SelfHostingPrefix = "self-hosted-"

	// KubeCertificatesVolumeName specifies the name for the Volume that is used for injecting certificates to control plane components (can be both a hostPath volume or a projected, all-in-one volume)
	KubeCertificatesVolumeName = "k8s-certs"

	// KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable
	KubeConfigVolumeName = "kubeconfig"

	// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in
	NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token"

	// DefaultCIImageRepository points to image registry where CI uploads images from ci-cross build job
	DefaultCIImageRepository = "gcr.io/kubernetes-ci-images"

	// CoreDNSConfigMap specifies in what ConfigMap in the kube-system namespace the CoreDNS config should be stored
	CoreDNSConfigMap = "coredns"

	// CoreDNSDeploymentName specifies the name of the Deployment for CoreDNS add-on
	CoreDNSDeploymentName = "coredns"

	// CoreDNSImageName specifies the name of the image for CoreDNS add-on
	CoreDNSImageName = "coredns"

	// KubeDNSConfigMap specifies in what ConfigMap in the kube-system namespace the kube-dns config should be stored
	KubeDNSConfigMap = "kube-dns"

	// KubeDNSDeploymentName specifies the name of the Deployment for kube-dns add-on
	KubeDNSDeploymentName = "kube-dns"

	// KubeDNSKubeDNSImageName specifies the name of the image for the kubedns container in the kube-dns add-on
	KubeDNSKubeDNSImageName = "k8s-dns-kube-dns"

	// KubeDNSSidecarImageName specifies the name of the image for the sidecar container in the kube-dns add-on
	KubeDNSSidecarImageName = "k8s-dns-sidecar"

	// KubeDNSDnsMasqNannyImageName specifies the name of the image for the dnsmasq container in the kube-dns add-on
	KubeDNSDnsMasqNannyImageName = "k8s-dns-dnsmasq-nanny"

	// AuditPolicyDir is the directory that will contain the audit policy
	AuditPolicyDir = "audit"
	// AuditPolicyFile is the name of the audit policy file itself
	AuditPolicyFile = "audit.yaml"
	// StaticPodAuditPolicyLogDir is the name of the directory in the static pod that will have the audit logs
	StaticPodAuditPolicyLogDir = "/var/log/kubernetes/audit"

	// LeaseEndpointReconcilerType will select a storage based reconciler
	// Copied from pkg/master/reconcilers to avoid pulling extra dependencies
	// TODO: Import this constant from a consts only package, that does not pull any further dependencies.
	LeaseEndpointReconcilerType = "lease"

	// KubeDNSVersion is the version of kube-dns to be deployed if it is used
	KubeDNSVersion = "1.14.13"

	// CoreDNSVersion is the version of CoreDNS to be deployed if it is used
	CoreDNSVersion = "1.6.7"

	// ClusterConfigurationKind is the string kind value for the ClusterConfiguration struct
	ClusterConfigurationKind = "ClusterConfiguration"

	// InitConfigurationKind is the string kind value for the InitConfiguration struct
	InitConfigurationKind = "InitConfiguration"

	// JoinConfigurationKind is the string kind value for the JoinConfiguration struct
	JoinConfigurationKind = "JoinConfiguration"

	// YAMLDocumentSeparator is the separator for YAML documents
	// TODO: Find a better place for this constant
	YAMLDocumentSeparator = "---\n"

	// DefaultAPIServerBindAddress is the default bind address for the API Server
	DefaultAPIServerBindAddress = "0.0.0.0"

	// ControlPlaneNumCPU is the number of CPUs required on control-plane
	ControlPlaneNumCPU = 2

	// KubeadmCertsSecret specifies in what Secret in the kube-system namespace the certificates should be stored
	KubeadmCertsSecret = "kubeadm-certs"

	// KubeletPort is the default port for the kubelet server on each host machine.
	// May be overridden by a flag at startup.
	KubeletPort = 10250
	// KubeSchedulerPort is the default port for the scheduler status server.
	// May be overridden by a flag at startup.
	KubeSchedulerPort = 10259
	// KubeControllerManagerPort is the default port for the controller manager status server.
	// May be overridden by a flag at startup.
	KubeControllerManagerPort = 10257

	// EtcdAdvertiseClientUrlsAnnotationKey is the annotation key on every etcd pod, describing the
	// advertise client URLs
	EtcdAdvertiseClientUrlsAnnotationKey = "kubeadm.kubernetes.io/etcd.advertise-client-urls"
	// KubeAPIServerAdvertiseAddressEndpointAnnotationKey is the annotation key on every apiserver pod,
	// describing the API endpoint (advertise address and bind port of the api server)
	KubeAPIServerAdvertiseAddressEndpointAnnotationKey = "kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint"

	// ControlPlaneTier is the value used in the tier label to identify control plane components
	ControlPlaneTier = "control-plane"

	// ModeAlwaysAllow is the mode to set all requests as authorized
	ModeAlwaysAllow string = "AlwaysAllow"
	// ModeAlwaysDeny is the mode to set no requests as authorized
	ModeAlwaysDeny string = "AlwaysDeny"
	// ModeABAC is the mode to use Attribute Based Access Control to authorize
	ModeABAC string = "ABAC"
	// ModeWebhook is the mode to make an external webhook call to authorize
	ModeWebhook string = "Webhook"
	// ModeRBAC is the mode to use Role Based Access Control to authorize
	ModeRBAC string = "RBAC"
	// ModeNode is an authorization mode that authorizes API requests made by kubelets.
	ModeNode string = "Node"
)
View Source 
const (
	// PrivateKeyBlockType is a possible value for pem.Block.Type.
	PrivateKeyBlockType = "PRIVATE KEY"
	// PublicKeyBlockType is a possible value for pem.Block.Type.
	PublicKeyBlockType = "PUBLIC KEY"
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType = "CERTIFICATE"
	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
)
View Source 
const NotAfter = duration365d * 100

Variables

View Source 
var (
	// ControlPlaneTaint is the taint to apply on the PodSpec for being able to run that Pod on the control-plane
	ControlPlaneTaint = corev1.Taint{
		Key:    LabelNodeRoleMaster,
		Effect: corev1.TaintEffectNoSchedule,
	}

	// ControlPlaneToleration is the toleration to apply on the PodSpec for being able to run that Pod on the control-plane
	ControlPlaneToleration = corev1.Toleration{
		Key:    LabelNodeRoleMaster,
		Effect: corev1.TaintEffectNoSchedule,
	}

	// DefaultTokenUsages specifies the default functions a token will get
	DefaultTokenUsages = bootstrapapi.KnownTokenUsages

	// DefaultTokenGroups specifies the default groups that this token will authenticate as when used for authentication
	DefaultTokenGroups = []string{NodeBootstrapTokenAuthGroup}

	// ControlPlaneComponents defines the control-plane component names
	ControlPlaneComponents = []string{KubeAPIServer, KubeControllerManager, KubeScheduler}

	// MinimumControlPlaneVersion specifies the minimum control plane version kubeadm can deploy
	MinimumControlPlaneVersion = version.MustParseSemantic("v1.17.0")

	// MinimumKubeletVersion specifies the minimum version of kubelet which kubeadm supports
	MinimumKubeletVersion = version.MustParseSemantic("v1.17.0")

	// CurrentKubernetesVersion specifies current Kubernetes version supported by kubeadm
	CurrentKubernetesVersion = version.MustParseSemantic("v1.18.0")

	// SupportedEtcdVersion lists officially supported etcd versions with corresponding Kubernetes releases
	SupportedEtcdVersion = map[uint8]string{
		13: "3.2.24",
		14: "3.3.10",
		15: "3.3.10",
		16: "3.3.17-0",
		17: "3.4.3-0",
		18: "3.4.3-0",
		19: "3.4.3-0",
	}

	// KubeadmCertsClusterRoleName sets the name for the ClusterRole that allows
	// the bootstrap tokens to access the kubeadm-certs Secret during the join of a new control-plane
	KubeadmCertsClusterRoleName = fmt.Sprintf("kubeadm:%s", KubeadmCertsSecret)

	// StaticPodMirroringDefaultRetry is used a backoff strategy for
	// waiting for static pods to be mirrored to the apiserver.
	StaticPodMirroringDefaultRetry = wait.Backoff{
		Steps:    30,
		Duration: 1 * time.Second,
		Factor:   1.0,
		Jitter:   0.1,
	}
)

Functions

func AddSelfHostedPrefix 

func AddSelfHostedPrefix(componentName string) string

AddSelfHostedPrefix adds the self-hosted- prefix to the component name

func BuildCertByte 

func BuildCertByte(pkiPath, name string, cert *x509.Certificate) (string, []byte, error)

BuildCertByte stores the given certificate at the given location

func BuildKeyByte 

func BuildKeyByte(pkiPath, name string, key crypto.Signer) (string, []byte, error)

BuildKeyByte stores the given key at the given location

func BuildPublicKeyByte 

func BuildPublicKeyByte(pkiPath, name string, key crypto.PublicKey) (string, []byte, error)

BuildPublicKeyByte stores the given public key at the given location

func CSROrKeyExist 

func CSROrKeyExist(csrDir, name string) bool

CSROrKeyExist returns true if one of the CSR or key exists

func CertOrKeyExist 

func CertOrKeyExist(pkiPath, name string) bool

CertOrKeyExist returns a boolean whether the cert or the key exists

func CertificateRequestFromFile 

func CertificateRequestFromFile(file string) (*x509.CertificateRequest, error)

CertificateRequestFromFile returns the CertificateRequest from a given PEM-encoded file. Returns an error if the file could not be read or if the CSR could not be parsed.

func CreateTempDirForKubeadm 

func CreateTempDirForKubeadm(kubernetesDir, dirName string) (string, error)

CreateTempDirForKubeadm is a function that creates a temporary directory under /etc/kubernetes/tmp (not using /tmp as that would potentially be dangerous)

func CreateTimestampDirForKubeadm 

func CreateTimestampDirForKubeadm(kubernetesDir, dirName string) (string, error)

CreateTimestampDirForKubeadm is a function that creates a temporary directory under /etc/kubernetes/tmp formatted with the current date

func EncodeCSRPEM 

func EncodeCSRPEM(csr *x509.CertificateRequest) []byte

EncodeCSRPEM returns PEM-encoded CSR data

func EncodeCertPEM 

func EncodeCertPEM(cert *x509.Certificate) []byte

EncodeCertPEM returns PEM-endcoded certificate data

func EncodePublicKeyPEM 

func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)

EncodePublicKeyPEM returns PEM-encoded public data

func EtcdSupportedVersion 

func EtcdSupportedVersion(supportedEtcdVersion map[uint8]string, versionString string) (etcdVersion *version.Version, warning, err error)

EtcdSupportedVersion returns officially supported version of etcd for a specific Kubernetes release If passed version is not in the given list, the function returns the nearest version with a warning

func GetAPIServerAltNames 

func GetAPIServerAltNames(cfg *kubeadmv1beta2.WarpperConfiguration) (*certutil.AltNames, error)

GetAPIServerAltNames builds an AltNames object for to be used when generating apiserver certificate

func GetAPIServerVirtualIP 

func GetAPIServerVirtualIP(svcSubnetList string, isDualStack bool) (net.IP, error)

GetAPIServerVirtualIP returns the IP of the internal Kubernetes API service

func GetAdminKubeConfigPath 

func GetAdminKubeConfigPath() string

GetAdminKubeConfigPath returns the location on the disk where admin kubeconfig is located by default

func GetBootstrapKubeletKubeConfigPath 

func GetBootstrapKubeletKubeConfigPath() string

GetBootstrapKubeletKubeConfigPath returns the location on the disk where bootstrap kubelet kubeconfig is located by default

func GetControlPlaneEndpoint 

func GetControlPlaneEndpoint(controlPlaneEndpoint string, localEndpoint *kubeadmv1beta2.APIEndpoint) (string, error)

GetControlPlaneEndpoint returns a properly formatted endpoint for the control plane built according following rules: - If the controlPlaneEndpoint is defined, use it. - if the controlPlaneEndpoint is defined but without a port number, use the controlPlaneEndpoint + localEndpoint.BindPort is used. - Otherwise, in case the controlPlaneEndpoint is not defined, use the localEndpoint.AdvertiseAddress + the localEndpoint.BindPort.

func GetDNSIP 

func GetDNSIP(svcSubnetList string, isDualStack bool) (net.IP, error)

GetDNSIP returns a dnsIP, which is 10th IP in svcSubnet CIDR range

func GetDNSVersion 

func GetDNSVersion(dnsType kubeadmv1beta2.DNSAddOnType) string

GetDNSVersion is a handy function that returns the DNS version by DNS type

func GetEtcdAltNames 

func GetEtcdAltNames(cfg *kubeadmv1beta2.WarpperConfiguration) (*certutil.AltNames, error)

GetEtcdAltNames builds an AltNames object for generating the etcd server certificate. `advertise address` and localhost are included in the SAN since this is the interfaces the etcd static pod listens on. The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.ServerCertSANs`.

func GetEtcdPeerAltNames 

func GetEtcdPeerAltNames(cfg *kubeadmv1beta2.WarpperConfiguration) (*certutil.AltNames, error)

GetEtcdPeerAltNames builds an AltNames object for generating the etcd peer certificate. Hostname and `API.AdvertiseAddress` are included if the user chooses to promote the single node etcd cluster into a multi-node one (stacked etcd). The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.PeerCertSANs`.

func GetKubeletConfigMapName 

func GetKubeletConfigMapName(k8sVersion *version.Version) string

GetKubeletConfigMapName returns the right ConfigMap name for the right branch of k8s

func GetKubeletKubeConfigPath 

func GetKubeletKubeConfigPath() string

GetKubeletKubeConfigPath returns the location on the disk where kubelet kubeconfig is located by default

func GetKubernetesServiceCIDR 

func GetKubernetesServiceCIDR(svcSubnetList string, isDualStack bool) (*net.IPNet, error)

GetKubernetesServiceCIDR returns the default Service CIDR for the Kubernetes internal service

func GetStaticPodAuditPolicyFile 

func GetStaticPodAuditPolicyFile() string

GetStaticPodAuditPolicyFile returns the path to the audit policy file within a static pod

func GetStaticPodDirectory 

func GetStaticPodDirectory() string

GetStaticPodDirectory returns the location on the disk where the Static Pod should be present

func GetStaticPodFilepath 

func GetStaticPodFilepath(componentName, manifestsDir string) string

GetStaticPodFilepath returns the location on the disk where the Static Pod should be present

func HasServerAuth 

func HasServerAuth(cert *x509.Certificate) bool

HasServerAuth returns true if the given certificate is a ServerAuth

func NewCSR 

func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error)

NewCSR creates a new CSR

func NewCSRAndKey 

func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error)

NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate

func NewCertAndKey 

func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key

func NewCertificateAuthority 

func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertificateAuthority creates new certificate and private key for the certificate authority

func NewPrivateKey 

func NewPrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)

NewPrivateKey creates an RSA private key

func NewSelfSignedCACert 

func NewSelfSignedCACert(cfg *CertConfig, key crypto.Signer) (*x509.Certificate, error)

NewSelfSignedCACert creates a CA certificate

func NewSignedCert 

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error)

NewSignedCert creates a signed certificate using the given CA certificate and key

func ParseHostPort 

func ParseHostPort(hostport string) (string, string, error)

ParseHostPort parses a network address of the form "host:port", "ipv4:port", "[ipv6]:port" into host and port; ":port" can be eventually omitted. If the string is not a valid representation of network address, ParseHostPort returns an error.

func ParsePort 

func ParsePort(port string) (int, error)

ParsePort parses a string representing a TCP port. If the string is not a valid representation of a TCP port, ParsePort returns an error.

func PathsForCertAndKey 

func PathsForCertAndKey(pkiPath, name string) (string, string)

PathsForCertAndKey returns the paths for the certificate and key given the path and basename.

func TryLoadCSRAndKeyFromDisk 

func TryLoadCSRAndKeyFromDisk(pkiPath, name string) (*x509.CertificateRequest, crypto.Signer, error)

TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk

func TryLoadCertAndKeyFromDisk 

func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)

TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid

func TryLoadCertFromDisk 

func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)

TryLoadCertFromDisk tries to load the cert from the disk and validates that it is valid

func TryLoadKeyFromDisk 

func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)

TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid

func TryLoadPrivatePublicKeyFromDisk 

func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rsa.PublicKey, error)

TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid

func WriteCSR 

func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error

WriteCSR writes the pem-encoded CSR data to csrPath. The CSR file will be created with file mode 0600. If the CSR file already exists, it will be overwritten. The parent directory of the csrPath will be created as needed with file mode 0700.

func WriteCert 

func WriteCert(pkiPath, name string, cert *x509.Certificate) error

WriteCert stores the given certificate at the given location

func WriteCertAndKey 

func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error

WriteCertAndKey stores certificate and key at the specified location

func WriteCertificateAuthorityFilesIfNotExist 

func WriteCertificateAuthorityFilesIfNotExist(pkiDir string, baseName string, caCert *x509.Certificate, caKey crypto.Signer) error

WriteCertificateAuthorityFilesIfNotExist write a new certificate Authority to the given path. If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date, otherwise this function returns an error.

func WriteCertificateFilesIfNotExist 

func WriteCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert *x509.Certificate, cert *x509.Certificate, key crypto.Signer, cfg *CertConfig) error

WriteCertificateFilesIfNotExist write a new certificate to the given path. If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date, otherwise this function returns an error.

func WriteKey 

func WriteKey(pkiPath, name string, key crypto.Signer) error

WriteKey stores the given key at the given location

func WritePublicKey 

func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error

WritePublicKey stores the given public key at the given location

Types

type CertConfig 

type CertConfig struct {
	certutil.Config
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}

CertConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.