secrets

package
v1.197.0
Published: Jun 15, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package secrets generates and defaults all secrets required by the private-cloud Helm chart that are not derived from the installer configuration.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EnsureAuthKeys

func EnsureAuthKeys(vault *files.InstallVault) error

EnsureAuthKeys generates the RSA-4096 token-signing key pair and the EC P-256 domain-auth key pair if they are not already present in vault, storing private keys as PKCS8 PEM and public keys as SPKI PEM. Each key pair is checked independently, so a vault that holds only one of the pairs gets only the missing one generated.

func EnsureCephSSHKeys

func EnsureCephSSHKeys(vault *files.InstallVault, ceph *files.CephConfig) error

EnsureCephSSHKeys generates the Ceph SSH key pair if not already present in vault. The private key is written to vault; the public key is set on ceph.CephAdmSSHKey.PublicKey.

func EnsureDefaultSecrets

func EnsureDefaultSecrets(vault *files.InstallVault) error

EnsureDefaultSecrets sets dummy defaults for all Helm chart secrets not managed by the installer config. Always overwrites digitalOceanApiToken; all others are only set when absent.

func EnsureIngressCA

func EnsureIngressCA(vault *files.InstallVault, cluster *files.ClusterConfig) error

EnsureIngressCA generates the cluster ingress CA if not already present in vault. The CA private key is written to vault; the cert PEM is set on cluster.Certificates.CA.CertPem.

func EnsureMounterHmacSecret

func EnsureMounterHmacSecret(vault *files.InstallVault) error

EnsureMounterHmacSecret migrates the legacy 'hmac-secret' entry to 'mounterHmacSecret', or creates a new 64-character hex (32-byte) secret if neither exists. Idempotent.
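The migrate-or-create behaviour described above is the pattern every Ensure* function in this package follows (keep what exists, otherwise migrate, otherwise generate). The following is an added example, not the package's own code: it models the vault as a flat string map (an assumption; the real *files.InstallVault API is not shown on this page) and reports which branch ran so the idempotence claim can be checked. Removing the legacy key after migration is also an assumption.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Vault stands in for *files.InstallVault, whose API is not shown on the
// page; a flat string-to-string store is assumed.
type Vault map[string]string

// randomHex returns n random bytes as a 2n-character lowercase hex string;
// n = 32 yields the 64-character secret EnsureMounterHmacSecret describes.
func randomHex(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// ensureSecret is the migrate-or-create pattern behind the Ensure* functions.
// Precedence: keep an existing value; else move the first populated legacy
// key into key; else generate. It reports which branch ran so callers can
// confirm idempotence (a second call on the same vault always reports "kept").
// Deleting the legacy key after migration is an assumption, not documented.
func ensureSecret(v Vault, key string, legacy []string, gen func() (string, error)) (string, error) {
	if v[key] != "" {
		return "kept", nil
	}
	for _, old := range legacy {
		if val := v[old]; val != "" {
			v[key] = val
			delete(v, old)
			return "migrated", nil
		}
	}
	val, err := gen()
	if err != nil {
		return "", err
	}
	v[key] = val
	return "created", nil
}

// EnsureMounterHmacSecretExample applies the pattern with the names from the page.
func EnsureMounterHmacSecretExample(v Vault) (string, error) {
	return ensureSecret(v, "mounterHmacSecret", []string{"hmac-secret"}, func() (string, error) {
		return randomHex(32)
	})
}

func main() {
	// Constructed vaults: one holding only the legacy key, one empty.
	legacy := Vault{"hmac-secret": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"}
	for _, v := range []Vault{legacy, {}} {
		for pass := 1; pass <= 2; pass++ { // the second pass must be a no-op
			action, err := EnsureMounterHmacSecretExample(v)
			if err != nil {
				panic(err)
			}
			fmt.Printf("pass %d: %-8s mounterHmacSecret=%s\n", pass, action, v["mounterHmacSecret"])
		}
	}
}
```

The generator is only invoked when both keys are absent, which is what makes repeated runs on a populated vault safe: a regenerated HMAC secret would silently invalidate everything signed with the old one.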

func EnsureNixSigningKeys

func EnsureNixSigningKeys(vault *files.InstallVault, host string) error

EnsureNixSigningKeys generates an Ed25519 signing key pair for nix-cache in the format "host:hexKey" if not already present. Idempotent.

func EnsurePostgresSecrets

func EnsurePostgresSecrets(vault *files.InstallVault, postgres *files.PostgresConfig) error

EnsurePostgresSecrets generates all postgres certificates and passwords if not already present in vault, using postgresPassword as the presence sentinel: if that entry exists, the whole set is treated as present and nothing is regenerated. Private keys and passwords are written to vault; cert PEMs are set on the postgres config struct for inclusion in the config YAML.

func EnsureSecrets

func EnsureSecrets(vault *files.InstallVault, config *files.RootConfig) error

EnsureSecrets generates all secrets required by the Helm chart that are not derived from the installer configuration. Each sub-function is idempotent; the whole call is safe to repeat on an already-populated vault.

func EnsureServiceAccountTokens

func EnsureServiceAccountTokens(vault *files.InstallVault) error

EnsureServiceAccountTokens signs RS512 JWTs for all Codesphere internal service accounts and stores them in vault. Requires tokenPrivateKey to already be present (call EnsureAuthKeys first). Idempotent: skips if authServiceUserToken already exists.
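What "signs RS512 JWTs" with a PKCS8 tokenPrivateKey involves, as an added example that is not the package's code: RS512 is RSASSA-PKCS1-v1_5 over SHA-512 of the base64url header and claims, and a verifier should pin the alg header rather than trust whatever the token names. The key size (2048 here, so the demo runs quickly), the claim values and the service-account name "auth-service" are constructed assumptions; the page lists neither the accounts nor their claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// NewTokenKeyPEM stands in for the tokenPrivateKey that EnsureAuthKeys writes: an RSA key as
// PKCS8 "PRIVATE KEY" PEM. bits is a parameter so the demo can use 2048; the page's key is 4096.
func NewTokenKeyPEM(bits int) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for *rsa.PrivateKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})), nil
}

// ParseTokenKey accepts only a PKCS8-wrapped RSA key; a missing or differently
// encoded value is the failure a caller sees when EnsureAuthKeys has not run first.
func ParseTokenKey(keyPEM string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(keyPEM))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("tokenPrivateKey missing or not PKCS8 PEM")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := k.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("tokenPrivateKey is not an RSA key")
}

// SignRS512 builds a compact JWT. RS512 is RSASSA-PKCS1-v1_5 with SHA-512 over the
// ASCII signing input base64url(header) + "." + base64url(claims).
func SignRS512(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha512.Sum512([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS512 pins alg to RS512 (so a token cannot ask for "none" or an HMAC alg)
// and checks the signature before any claim is decoded for use.
func VerifyRS512(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS512" {
		return nil, errors.New("alg header is not RS512")
	}
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], raw[2]); err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	keyPEM, _ := NewTokenKeyPEM(2048) // constructed stand-in for the vault entry
	key, _ := ParseTokenKey(keyPEM)
	tok, _ := SignRS512(key, map[string]any{"sub": "auth-service"}) // illustrative account name
	fmt.Println(VerifyRS512(&key.PublicKey, tok))
}
```

ParseTokenKey deliberately rejects the legacy PKCS1 "RSA PRIVATE KEY" form: the page documents that compatibility only for the CA key consumed by GenerateServerCertificate, and EnsureAuthKeys writes PKCS8.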

func GenerateCA

func GenerateCA(cn, country, locality, org string) (keyPEM, certPEM string, err error)

GenerateCA generates a self-signed RSA-2048 CA certificate and returns the CA private key and certificate as PEM.

func GenerateECDSAKeyPair

func GenerateECDSAKeyPair() (privateKey string, publicKey string, err error)

func GeneratePassword

func GeneratePassword(length int) (string, error)

func GenerateSSHKeyPair

func GenerateSSHKeyPair() (privateKey string, publicKey string, err error)

func GenerateServerCertificate

func GenerateServerCertificate(caKeyPEM, caCertPEM, cn string, ipAddresses []string) (keyPEM, certPEM string, err error)

GenerateServerCertificate generates an RSA-4096 server certificate signed by the given CA. The CA private key may be in either PKCS8 ("PRIVATE KEY") or PKCS1 ("RSA PRIVATE KEY") PEM format to support legacy vaults that were created before the PKCS8 migration.

func ValidateCertKeyPair

func ValidateCertKeyPair(certPEM, keyPEM string) error

ValidateCertKeyPair verifies that a PEM-encoded certificate's public key matches a PEM-encoded private key.
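The three certificate functions above (GenerateCA, GenerateServerCertificate and ValidateCertKeyPair) together form one issuing chain, worked through here as an added example with the Go standard library; this is not the package's own implementation. It keeps the documented PKCS8-or-PKCS1 handling of the CA key, applies the cert/key match check to the CA inputs before signing, and validates IP SANs. The bits parameter (2048 throughout the demo, where the page's leaf is RSA-4096), the validity periods, the key usages and the names "private-cloud ingress CA", "postgres" and 10.0.0.5 are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// parseRSAPrivateKeyPEM accepts PKCS8 ("PRIVATE KEY") or legacy PKCS1 ("RSA PRIVATE KEY") PEM.
func parseRSAPrivateKeyPEM(keyPEM string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(keyPEM))
	if block == nil {
		return nil, errors.New("key is not PEM")
	}
	if block.Type == "RSA PRIVATE KEY" { // vaults created before the PKCS8 migration
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes) // current PKCS8 "PRIVATE KEY" format
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := k.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("PKCS8 key is not RSA")
}

// ValidateCertKeyPairExample mirrors ValidateCertKeyPair and also returns the parsed pair.
func ValidateCertKeyPairExample(certPEM, keyPEM string) (*x509.Certificate, *rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	key, kerr := parseRSAPrivateKeyPEM(keyPEM)
	if err = errors.Join(err, kerr); err != nil {
		return nil, nil, err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return nil, nil, errors.New("certificate public key does not match private key")
	}
	return cert, key, nil
}

// issue generates an RSA key for tmpl, signs it with the CA given as PEM (self-signed when empty).
func issue(tmpl *x509.Certificate, caKeyPEM, caCertPEM string, bits int) (keyPEM, certPEM string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", "", err
	}
	parent, parentKey := tmpl, key
	if caKeyPEM != "" { // refuse a CA whose key and certificate do not belong together
		if parent, parentKey, err = ValidateCertKeyPairExample(caCertPEM, caKeyPEM); err != nil {
			return "", "", err
		}
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)                                          // tolerate node clock skew
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return "", "", err
	}
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for *rsa.PrivateKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})),
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// GenerateCAExample mirrors GenerateCA: a self-signed RSA CA (the page uses 2048 bits).
func GenerateCAExample(cn string, bits int) (keyPEM, certPEM string, err error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, "", "", bits)
}

// GenerateServerCertificateExample mirrors GenerateServerCertificate: a serverAuth leaf with IP SANs.
func GenerateServerCertificateExample(caKeyPEM, caCertPEM, cn string, ips []string, bits int) (keyPEM, certPEM string, err error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	for _, s := range ips {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			return "", "", errors.New("invalid IP SAN: " + s)
		}
	}
	return issue(tmpl, caKeyPEM, caCertPEM, bits)
}

func main() {
	caKey, caCert, _ := GenerateCAExample("private-cloud ingress CA", 2048) // constructed demo CA
	_, cert, err := GenerateServerCertificateExample(caKey, caCert, "postgres", []string{"10.0.0.5"}, 2048)
	fmt.Println(err, cert)
}
```

Because a leaf is only as trustworthy as the CA pair that signed it, the match check runs on the CA inputs inside issue rather than only on the output: a legacy vault whose PKCS1 CA key no longer corresponds to the stored CA certificate fails here with a clear error instead of producing a certificate no client can chain.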

Types

This section is empty.
