Overview ¶
Package secret implements utilities for handling the Kubernetes Secrets that hold a cluster's PKI material: the cluster, etcd and front-proxy CAs, the service-account keys, the user-supplied apiserver-etcd-client certificate, and the cluster kubeconfig. Because these Secrets carry private keys (see TLSKeyDataName), read access to them is equivalent to holding the cluster's root of trust; RBAC on the namespace that stores them should be scoped accordingly.
Index ¶
- Constants
- Variables
- func Get(ctx context.Context, c client.Reader, cluster client.ObjectKey, ...) (*corev1.Secret, error)
- func GetFromNamespacedName(ctx context.Context, c client.Reader, clusterName client.ObjectKey, ...) (*corev1.Secret, error)
- func Name(cluster string, suffix Purpose) string
- type Certificate
- type Certificates
- func (c Certificates) AsFiles() []bootstrapv1.File
- func (c Certificates) EnsureAllExist() error
- func (c Certificates) Generate() error
- func (c Certificates) GetByPurpose(purpose Purpose) *Certificate
- func (c Certificates) Lookup(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey) error
- func (c Certificates) LookupCached(ctx context.Context, secretCachingClient, ctrlclient client.Client, ...) error
- func (c Certificates) LookupOrGenerate(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey, ...) error
- func (c Certificates) LookupOrGenerateCached(ctx context.Context, secretCachingClient, ctrlclient client.Client, ...) error
- func (c Certificates) SaveGenerated(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey, ...) error
- type Purpose
Constants ¶
const (
	// KubeconfigDataName is the key used to store a Kubeconfig in the secret's data field.
	// A kubeconfig typically embeds client credentials, so this Secret is as sensitive
	// as the key material stored under the TLS keys below.
	KubeconfigDataName = "value"
	// TLSKeyDataName is the key used to store a TLS private key in the secret's data field.
	// Together with TLSCrtDataName this follows the kubernetes.io/tls Secret convention.
	TLSKeyDataName = "tls.key"
	// TLSCrtDataName is the key used to store a TLS certificate in the secret's data field.
	TLSCrtDataName = "tls.crt"
)
const (
	// Kubeconfig is the secret name suffix storing the Cluster Kubeconfig.
	Kubeconfig = Purpose("kubeconfig")
	// ClusterCA is the secret name suffix for the APIServer CA.
	ClusterCA = Purpose("ca")
	// EtcdCA is the secret name suffix for the Etcd CA.
	EtcdCA = Purpose("etcd")
	// ServiceAccount is the secret name suffix for the Service Account keys.
	ServiceAccount = Purpose("sa")
	// FrontProxyCA is the secret name suffix for the Front Proxy CA.
	FrontProxyCA = Purpose("proxy")
	// APIServerEtcdClient is the secret name suffix of the user-supplied secret containing
	// the apiserver-etcd-client key/cert. Unlike the CA purposes above it is not generated
	// by this package; it must be provided by the user — TODO confirm against Generate.
	APIServerEtcdClient = Purpose("apiserver-etcd-client")
)
const (
	// DefaultCertificatesDir is the default directory where Kubernetes stores its PKI information.
	// Presumably the base for the CertFile/KeyFile paths rendered by AsFiles — confirm against callers.
	DefaultCertificatesDir = "/etc/kubernetes/pki"
)
Variables ¶
var (
	// ErrMissingCertificate is an error indicating a certificate is entirely missing.
	ErrMissingCertificate = errors.New("missing certificate")
	// ErrMissingCrt is an error indicating the crt file is missing from the certificate.
	ErrMissingCrt = errors.New("missing crt data")
	// ErrMissingKey is an error indicating the key file is missing from the certificate.
	// Callers should compare with errors.Is, as these may be wrapped.
	ErrMissingKey = errors.New("missing key data")
)
Functions ¶
func Get ¶
func Get(ctx context.Context, c client.Reader, cluster client.ObjectKey, purpose Purpose) (*corev1.Secret, error)
Get retrieves the Secret for the given cluster and purpose, if one exists, from the cluster's namespace. The Secret is expected to follow the Name(cluster, purpose) naming convention; a NotFound error from the reader is returned as-is for the caller to distinguish.
Types ¶
type Certificate ¶ added in v0.3.0
// Certificate represents a single CA certificate together with the Secret it is stored in.
type Certificate struct {
	// Generated is presumably set when the key pair was created by Generate rather than
	// looked up from an existing Secret — confirm against SaveGenerated.
	Generated bool
	// External marks a certificate supplied from outside this package (e.g. the
	// apiserver-etcd-client pair); assumed never to be generated here — TODO confirm.
	External bool
	// Purpose selects the Secret name suffix (ClusterCA, EtcdCA, ...).
	Purpose Purpose
	// KeyPair holds the certificate and private key material, when loaded or generated.
	KeyPair *certs.KeyPair
	// CertFile and KeyFile are the on-node paths the certificate and key are written to;
	// presumably consumed by AsFiles.
	CertFile, KeyFile string
	// Secret is the backing Kubernetes Secret, when one was found or created.
	Secret *corev1.Secret
}
Certificate represents a single CA certificate: its key pair, the Secret it is stored in, and whether it was generated by this package or is marked External.
func (*Certificate) AsFiles ¶ added in v0.3.0
func (c *Certificate) AsFiles() []bootstrapv1.File
AsFiles converts the certificate to a slice of bootstrap Files containing zero, one or two entries — presumably one for the certificate and one for the private key, omitted when the corresponding data is absent.
func (*Certificate) AsSecret ¶ added in v0.3.0
func (c *Certificate) AsSecret(clusterName client.ObjectKey, owner metav1.OwnerReference) *corev1.Secret
AsSecret converts a single certificate into a Kubernetes Secret named for clusterName and carrying owner as its OwnerReference, so that it can be garbage-collected together with its owner.
func (*Certificate) Generate ¶ added in v0.4.0
func (c *Certificate) Generate() error
Generate generates a fresh key pair for this certificate and stores it in KeyPair. Nothing is persisted: the function has no client or context, so the result lives only in memory until saved as a Secret.
func (*Certificate) Hashes ¶ added in v0.3.0
func (c *Certificate) Hashes() ([]string, error)
Hashes returns the hashes of all certificates stored in the CA certificate, e.g. suitable for CA pinning when a node joins.
type Certificates ¶ added in v0.3.0
type Certificates []*Certificate
Certificates are the certificates necessary to bootstrap a cluster.
func NewCertificatesForInitialControlPlane ¶ added in v0.3.0
func NewCertificatesForInitialControlPlane(config *bootstrapv1.ClusterConfiguration) Certificates
NewCertificatesForInitialControlPlane returns a list of certificates configured for a control plane node.
func NewCertificatesForWorker ¶ added in v0.3.0
func NewCertificatesForWorker(caCertPath string) Certificates
NewCertificatesForWorker returns an initialized but empty set of the CA certificates needed to bootstrap a worker node, using caCertPath as the location of the CA certificate.
func NewControlPlaneJoinCerts ¶ added in v0.3.9
func NewControlPlaneJoinCerts(config *bootstrapv1.ClusterConfiguration) Certificates
NewControlPlaneJoinCerts returns the set of certificates a joining control plane node needs, configured from config. The function itself performs no lookup and no disk I/O — it takes neither a context nor a client — so the caller is expected to Lookup the Secrets and render them with AsFiles.
func (Certificates) AsFiles ¶ added in v0.3.0
func (c Certificates) AsFiles() []bootstrapv1.File
AsFiles converts a slice of certificates into bootstrap files.
func (Certificates) EnsureAllExist ¶ added in v0.3.0
func (c Certificates) EnsureAllExist() error
EnsureAllExist ensures that some data is present for every certificate, returning an error (see the ErrMissing* variables) if a certificate is entirely missing or lacks crt or key data.
func (Certificates) Generate ¶ added in v0.3.0
func (c Certificates) Generate() error
Generate will generate any certificates that do not have KeyPair data.
func (Certificates) GetByPurpose ¶ added in v0.3.0
func (c Certificates) GetByPurpose(purpose Purpose) *Certificate
GetByPurpose returns the certificate with the given Purpose, or nil if none matches. This could be removed if we used a map instead of a slice to hold certificates, however other code would become more complex.
func (Certificates) Lookup ¶ added in v0.3.0
func (c Certificates) Lookup(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey) error
Lookup looks up each certificate from secrets and populates the certificate with the secret data.
func (Certificates) LookupCached ¶ added in v1.5.0
func (c Certificates) LookupCached(ctx context.Context, secretCachingClient, ctrlclient client.Client, clusterName client.ObjectKey) error
LookupCached looks up each certificate from secrets and populates the certificate with the secret data. First we try to lookup the certificate secret via the secretCachingClient. If we get a NotFound error we fall back to the regular uncached client.
func (Certificates) LookupOrGenerate ¶ added in v0.3.0
func (c Certificates) LookupOrGenerate(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey, owner metav1.OwnerReference) error
LookupOrGenerate is a convenience function that wraps cluster bootstrap certificate behavior: it looks up the existing certificate Secrets for clusterName, generates any certificates that are missing, and saves the generated ones as Secrets with owner as their OwnerReference.
func (Certificates) LookupOrGenerateCached ¶ added in v1.5.0
func (c Certificates) LookupOrGenerateCached(ctx context.Context, secretCachingClient, ctrlclient client.Client, clusterName client.ObjectKey, owner metav1.OwnerReference) error
LookupOrGenerateCached is a convenience function that wraps cluster bootstrap certificate behavior. During lookup we first try to lookup the certificate secret via the secretCachingClient. If we get a NotFound error we fall back to the regular uncached client.
func (Certificates) SaveGenerated ¶ added in v0.3.0
func (c Certificates) SaveGenerated(ctx context.Context, ctrlclient client.Client, clusterName client.ObjectKey, owner metav1.OwnerReference) error
SaveGenerated saves every certificate that has been generated as a Kubernetes Secret in clusterName's namespace, with owner as its OwnerReference; certificates that were looked up rather than generated are not rewritten. The resulting Secrets contain private keys, so they should be protected by the same RBAC as the rest of the cluster's PKI.