Overview ¶
Package certs handles the PKI infrastructure of the operator.
Index ¶
- Constants
- func GetOperatorDeployment(ctx context.Context, kubeClient client.Client, ...) (*appsv1.Deployment, error)
- func GetTLSConfigFromContext(ctx context.Context) (*tls.Config, error)
- func NewTLSConfigForContext(ctx context.Context, opts TLSConfigOptions) (context.Context, error)
- func NewTLSConfigFromCertPool(certPool *x509.CertPool) *tls.Config
- func PublicKeyFingerprint(cert *x509.Certificate) string
- func RenewLeafCertificate(caSecret *corev1.Secret, secret *corev1.Secret, altDNSNames []string) (bool, error)
- func SetAsOwnedByOperatorDeployment(ctx context.Context, kubeClient client.Client, controlled *metav1.ObjectMeta, ...) error
- type CertType
- type KeyPair
- func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
- func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
- func (pair *KeyPair) DoAltDNSNamesMatch(altDNSNames []string) (bool, error)
- func (pair KeyPair) GenerateCASecret(namespace, name string) *corev1.Secret
- func (pair KeyPair) GenerateCertificateSecret(namespace, name string) *corev1.Secret
- func (pair *KeyPair) IsExpiring() (bool, *time.Time, error)
- func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
- func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
- func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
- func (pair *KeyPair) RenewCertificate(caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate, ...) error
- func (pair KeyPair) TLSCertificate() (tls.Certificate, error)
- type PublicKeyInfrastructure
- type TLSConfigOptions
Constants ¶
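const (
	// CACertKey is the key for the certificate field in a CA secret
	CACertKey = "ca.crt"
	// CAPrivateKeyKey is the key for the private key field in a CA secret
	CAPrivateKeyKey = "ca.key"
	// TLSCertKey is the key for the certificate field in a server certificate
	// secret (not a CA secret); it matches the standard kubernetes.io/tls layout
	TLSCertKey = "tls.crt"
	// TLSPrivateKeyKey is the key for the private key field in a server
	// certificate secret (not a CA secret); it matches the standard
	// kubernetes.io/tls layout
	TLSPrivateKeyKey = "tls.key"
)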
// Certificate usages accepted by CreateAndSignPair.
const (
	// CertTypeClient denotes a certificate issued for a client
	CertTypeClient = "client"

	// CertTypeServer denotes a certificate issued for a server
	CertTypeServer = "server"
)
Variables ¶
This section is empty.
Functions ¶
func GetOperatorDeployment ¶ added in v1.18.3
func GetOperatorDeployment( ctx context.Context, kubeClient client.Client, namespace, operatorLabelSelector string, ) (*appsv1.Deployment, error)
GetOperatorDeployment finds the operator deployment using labels and returns the deployment object. If no deployment is found, or more than one is found, an error is returned.
func GetTLSConfigFromContext ¶ added in v1.24.0
GetTLSConfigFromContext returns the *tls.Config contained in the context, or any error encountered.
func NewTLSConfigForContext ¶ added in v1.24.0
NewTLSConfigForContext creates a tls.Config from the given options and stores it in the returned context.
func NewTLSConfigFromCertPool ¶ added in v1.26.0
NewTLSConfigFromCertPool creates a tls.Config object from an X.509 cert pool containing the expected server CA.
func PublicKeyFingerprint ¶
func PublicKeyFingerprint(cert *x509.Certificate) string
PublicKeyFingerprint returns the hex-encoded SHA-256 digest of the certificate's SubjectPublicKeyInfo. It depends only on the public key, so two certificates that share a key produce the same fingerprint. Note that the operator generates a fresh key on every restart, so its fingerprint is not stable across restarts.
func RenewLeafCertificate ¶
func RenewLeafCertificate(caSecret *corev1.Secret, secret *corev1.Secret, altDNSNames []string) (bool, error)
RenewLeafCertificate renews a secret containing a server certificate, given the secret containing the CA that will sign it. Returns true if the certificate has been renewed.
func SetAsOwnedByOperatorDeployment ¶ added in v1.18.3
func SetAsOwnedByOperatorDeployment(ctx context.Context, kubeClient client.Client, controlled *metav1.ObjectMeta, operatorLabelSelector string, ) error
SetAsOwnedByOperatorDeployment sets the controlled object as owned by the operator deployment.
IMPORTANT: The controlled resource must reside in the same namespace as the operator as described by: https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/
Types ¶
type KeyPair ¶
// KeyPair is an asymmetric key pair together with the certificate that
// declares the intended usage of the keys. Both members are PEM-encoded.
type KeyPair struct {
	// The private key PEM block. This is secret material: keep it out of
	// logs and error messages. ParseECPrivateKey expects it to hold an
	// ECDSA key.
	Private []byte
	// The certificate PEM block (public; see ParseCertificate)
	Certificate []byte
}
KeyPair represents a pair of keys to be used for asymmetric encryption and a certificate declaring the intended usage of those keys.
func CreateRootCA ¶
CreateRootCA generates a CA and returns its keys.
func GenerateSelfSignedClientCertificate ¶
GenerateSelfSignedClientCertificate generates an in-memory self-signed ECDSA P-256 certificate with ExtKeyUsageClientAuth. The certificate is never written to disk.
func ParseCASecret ¶
ParseCASecret parses a CA secret into a key pair.
func ParseServerSecret ¶
ParseServerSecret parses a server secret into a key pair.
func (KeyPair) CreateAndSignPair ¶
func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)
CreateAndSignPair, given a CA keypair, generates and signs a leaf keypair.
func (*KeyPair) CreateDerivedCA ¶
func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)
CreateDerivedCA creates a new CA derived from the certificate in the keypair.
func (*KeyPair) DoAltDNSNamesMatch ¶ added in v1.24.0
DoAltDNSNamesMatch checks whether the certificate has all of the specified altDNSNames.
func (KeyPair) GenerateCASecret ¶
GenerateCASecret creates a k8s CA secret from a key pair.
func (KeyPair) GenerateCertificateSecret ¶
GenerateCertificateSecret creates a k8s server secret from a key pair
func (*KeyPair) IsExpiring ¶
IsExpiring checks whether the certificate will expire within the configured duration.
func (KeyPair) IsValid ¶
func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error
IsValid checks whether the given CA and verify options match the server certificate.
func (KeyPair) ParseCertificate ¶
func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)
ParseCertificate parses the certificate stored in the pair.
func (KeyPair) ParseECPrivateKey ¶
func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)
ParseECPrivateKey parses the ECDSA private key stored in the pair.
func (*KeyPair) RenewCertificate ¶
func (pair *KeyPair) RenewCertificate( caPrivateKey *ecdsa.PrivateKey, parentCertificate *x509.Certificate, altDNSNames []string, ) error
RenewCertificate creates a new certificate for the embedded private key, replacing the existing one. The certificate will be signed with the passed private key and will have as parent the specified parent certificate. If the parent certificate is nil, the certificate will be self-signed.
func (KeyPair) TLSCertificate ¶
func (pair KeyPair) TLSCertificate() (tls.Certificate, error)
TLSCertificate converts the key pair to a tls.Certificate.
type PublicKeyInfrastructure ¶
// PublicKeyInfrastructure describes the PKI under which the operator and the
// webhook server work: where material is stored, which secrets hold the CA
// and the serving certificate, and which webhook configurations receive the
// CA bundle.
type PublicKeyInfrastructure struct {
	// Where to store the certificates (a local filesystem path).
	// NOTE(review): presumably the serving private key is written here as
	// well, so the directory's permissions matter — confirm against the
	// code that populates it.
	CertDir string
	// The name of the secret where the CA certificate will be stored.
	// This secret is the trust anchor for every certificate the operator
	// issues.
	CaSecretName string
	// The name of the secret where the certificates will be stored
	SecretName string
	// The name of the service where the webhook server will be reachable
	ServiceName string
	// The name of the namespace where the operator is set up
	OperatorNamespace string
	// The name of the mutating webhook configuration in k8s, used to
	// inject the caBundle
	MutatingWebhookConfigurationName string
	// The name of the validating webhook configuration in k8s, used
	// to inject the caBundle
	ValidatingWebhookConfigurationName string
	// The labelSelector to be used to get the operators deployment,
	// e.g. "app.kubernetes.io/name=cloudnative-pg"
	OperatorDeploymentLabelSelector string
	// ManageWebhookConfigurations controls whether the operator injects the CA
	// bundle into the mutating and validating webhook configurations. When
	// false, the serving certificate is still managed but the webhook
	// configurations are left untouched, as they are managed externally.
	// In that case whoever manages them must keep their caBundle in sync
	// with the CA stored in CaSecretName, including across CA renewals.
	ManageWebhookConfigurations bool
}
PublicKeyInfrastructure represents the PKI under which the operator and the WebHook server will work.
type TLSConfigOptions ¶
// TLSConfigOptions holds the parameters required to build a TLS client
// configuration (see NewTLSConfigForContext).
type TLSConfigOptions struct {
	// Client is the Kubernetes client used to fetch the CA secret.
	Client client.Client
	// CASecret is the namespaced name of the secret containing the server CA
	// certificate. The CA read from this secret is the trust anchor used to
	// verify the peer, so it must be the secret the operator manages and not
	// one writable by untrusted workloads.
	CASecret types.NamespacedName
	// ClientCert is the certificate presented to the server during the TLS handshake.
	// Pass nil when the caller does not need to authenticate itself (e.g. isolation
	// probes, diagnostic commands). With nil, only the server side of the
	// connection is authenticated; callers that rely on mutual TLS must set it.
	ClientCert *tls.Certificate
}
TLSConfigOptions holds the parameters required to build a TLS client configuration.