security

package
Published: Oct 12, 2025 License: Apache-2.0 Imports: 21 Imported by: 0


Constants

This section is empty.

Variables

This section is empty.

Functions

func CertExists

func CertExists(certDir string) bool

CertExists reports whether a certificate exists in the given directory. Existence alone says nothing about validity or expiry; pair it with LoadCertFromFile and CertNeedsRotation before relying on the files.

func CertNeedsRotation

func CertNeedsRotation(cert *x509.Certificate) bool

CertNeedsRotation returns true if the certificate should be rotated. It reports true when less than 30 days remain until expiry (which includes a certificate that has already expired). The 30-day threshold is fixed, not configurable.

func Decrypt

func Decrypt(ciphertext []byte) ([]byte, error)

Decrypt decrypts data using the cluster encryption key. It is used for decrypting sensitive data such as CA private keys. The key is process-global state set by SetClusterEncryptionKey, so callers must ensure that has been called first; the behaviour when no key has been set is not documented here.

func DeriveKeyFromClusterID

func DeriveKeyFromClusterID(clusterID string) []byte

DeriveKeyFromClusterID derives an encryption key from the cluster ID. It is used during cluster initialization to create a consistent key (presumably the same key on every node and across restarts). Security caveat: the function takes no salt and no additional secret, so the resulting key is only as secret and as unpredictable as the cluster ID itself — anyone who learns the cluster ID can recompute the key. Either treat the cluster ID as a secret, or prefer SetClusterEncryptionKey with a randomly generated key.

func Encrypt

func Encrypt(plaintext []byte) ([]byte, error)

Encrypt encrypts data using the cluster encryption key. It is used for encrypting sensitive data such as CA private keys. The key is process-global state set by SetClusterEncryptionKey, so callers must ensure that has been called first; the behaviour when no key has been set is not documented here.

func GetCLICertDir

func GetCLICertDir() (string, error)

GetCLICertDir returns the certificate directory used by the CLI.

func GetCertDir

func GetCertDir(nodeType, nodeID string) (string, error)

GetCertDir returns the certificate directory for the given node type and node ID. If either value can originate from untrusted input, reject path separators and ".." before calling, since the two values presumably become path components.

func GetCertExpiry

func GetCertExpiry(cert *x509.Certificate) time.Time

GetCertExpiry returns the expiry time of the certificate (presumably its NotAfter field).

func GetCertInfo

func GetCertInfo(cert *x509.Certificate) map[string]interface{}

GetCertInfo returns human-readable information about a certificate

func GetCertTimeRemaining

func GetCertTimeRemaining(cert *x509.Certificate) time.Duration

GetCertTimeRemaining returns the time remaining until the certificate expires; for an already-expired certificate the value is presumably negative rather than zero — confirm before using it as a boolean.

func LoadCACertFromFile

func LoadCACertFromFile(certDir string) (*x509.Certificate, error)

LoadCACertFromFile loads the CA certificate from a file

func LoadCertFromFile

func LoadCertFromFile(certDir string) (*tls.Certificate, error)

LoadCertFromFile loads a TLS certificate (certificate and private key) from the files in certDir.

func RemoveCerts

func RemoveCerts(certDir string) error

RemoveCerts removes all certificates from a directory. Deleting the files does not scrub private-key bytes from the underlying storage, so do not rely on removal for secrecy — rotate the certificate if the key may have been exposed.

func SaveCACertToFile

func SaveCACertToFile(caCert []byte, certDir string) error

SaveCACertToFile saves the CA certificate to a file

func SaveCertToFile

func SaveCertToFile(cert *tls.Certificate, certDir string) error

SaveCertToFile saves a TLS certificate to files (cert and key) in certDir. This is the step that puts the private key on disk: confirm the key file is created with a restrictive mode (0600) and that certDir is not readable by other users before using it on a shared host.

func SetClusterEncryptionKey

func SetClusterEncryptionKey(key []byte) error

SetClusterEncryptionKey sets the global cluster encryption key used by Encrypt and Decrypt. It should be called exactly once during cluster initialization, before any Encrypt or Decrypt call. Because the key is process-global, calling it again while other goroutines are encrypting is a data race unless the implementation serializes access — confirm before calling it from more than one place. The accepted key length is not documented here; an unacceptable key is presumably reported through the error return.

func ValidateCertChain

func ValidateCertChain(cert, ca *x509.Certificate) error

ValidateCertChain validates that cert was signed by ca. As documented this is a signature/issuer check; it is not stated whether validity period, key usage or revocation are also checked, so callers that need those must check them separately (see CertNeedsRotation and GetCertTimeRemaining for expiry).

Types

type CAData

type CAData struct {
	// RootCertDER is the root CA certificate in DER encoding (public material).
	RootCertDER []byte
	// RootKeyDER is the root CA private key in DER encoding. This is secret
	// material: it must never be logged or returned to clients.
	// NOTE(review): confirm SaveToStore passes this through Encrypt before
	// persisting; the struct itself applies no protection.
	RootKeyDER  []byte
}

CAData represents the serialized CA data for storage. RootKeyDER is the CA's private key; it is expected to be encrypted (see Encrypt) before being persisted — confirm in SaveToStore.

type CachedCert

type CachedCert struct {
	// Cert is the parsed issued certificate.
	Cert      *x509.Certificate
	// Key is the certificate's RSA private key. Because it is held in the
	// cache, anyone who can read the cache (see GetCachedCert) holds the
	// identity the certificate represents.
	Key       *rsa.PrivateKey
	// IssuedAt records when the certificate was issued.
	IssuedAt  time.Time
	// ExpiresAt records when the certificate expires.
	// NOTE(review): presumably mirrors Cert.NotAfter — confirm they agree.
	ExpiresAt time.Time
}

CachedCert represents a cached certificate together with its private key and issue/expiry times.

type CertAuthority

type CertAuthority struct {
	// contains filtered or unexported fields
}

CertAuthority manages the cluster's certificate authority

func NewCertAuthority

func NewCertAuthority(store storage.Store) *CertAuthority

NewCertAuthority creates a new certificate authority backed by store. The returned CA is presumably not usable until either LoadFromStore or Initialize has succeeded (see IsInitialized).

func (*CertAuthority) GetCachedCert

func (ca *CertAuthority) GetCachedCert(id string) (*CachedCert, bool)

GetCachedCert retrieves a cached certificate by id, including its private key; the boolean reports whether an entry was found. Callers obtain the private key, so expose this only to code that is entitled to act as that identity.

func (*CertAuthority) GetRootCACert

func (ca *CertAuthority) GetRootCACert() []byte

GetRootCACert returns the root CA certificate in DER format. This is public material suitable for distributing to nodes and clients for trust bootstrapping; it does not include the private key.

func (*CertAuthority) Initialize

func (ca *CertAuthority) Initialize() error

Initialize generates a new root CA certificate (and its private key). Calling it on an already-initialized CA would mint a new root and invalidate every certificate issued under the old one; check IsInitialized first unless that is the intent. Whether Initialize itself guards against this is not documented.

func (*CertAuthority) IsInitialized

func (ca *CertAuthority) IsInitialized() bool

IsInitialized returns true if the CA is initialized

func (*CertAuthority) IssueClientCertificate

func (ca *CertAuthority) IssueClientCertificate(clientID string) (*tls.Certificate, error)

IssueClientCertificate issues a certificate for a CLI client identified by clientID. The caller is responsible for authorizing the request: nothing in the signature ties the issued identity to an authenticated principal, so whoever can call this can mint a client identity.

func (*CertAuthority) IssueNodeCertificate

func (ca *CertAuthority) IssueNodeCertificate(nodeID, role string, dnsNames []string, ipAddresses []net.IP) (*tls.Certificate, error)

IssueNodeCertificate issues a certificate for a node (manager or worker). dnsNames and ipAddresses presumably become the certificate's subject alternative names; validate that they belong to the requesting node before calling, since a node that can request arbitrary SANs can impersonate other nodes. The role string's effect on the certificate is not documented here.

func (*CertAuthority) LoadFromStore

func (ca *CertAuthority) LoadFromStore() error

LoadFromStore loads the CA (certificate and private key) from storage.

func (*CertAuthority) SaveToStore

func (ca *CertAuthority) SaveToStore() error

SaveToStore saves the CA to storage. This includes the root private key, so confirm it is encrypted (see Encrypt) before reaching the store.

func (*CertAuthority) VerifyCertificate

func (ca *CertAuthority) VerifyCertificate(cert *x509.Certificate) error

VerifyCertificate verifies a certificate against the root CA. It is not documented whether validity period, key usage or revocation are checked in addition to the signature; callers that need those must check them separately.

type SecretsManager

type SecretsManager struct {
	// contains filtered or unexported fields
}

SecretsManager handles encryption and decryption of secrets

func NewSecretsManager

func NewSecretsManager(key []byte) (*SecretsManager, error)

NewSecretsManager creates a new secrets manager with the given encryption key. The key must be 32 bytes for AES-256-GCM; other lengths are presumably rejected via the error return — confirm. Keep the key out of logs and out of configuration checked into source control.

func NewSecretsManagerFromPassword

func NewSecretsManagerFromPassword(password string) (*SecretsManager, error)

NewSecretsManagerFromPassword creates a secrets manager using a password. The password is hashed with SHA-256 to derive the encryption key. Security caveat: a single unsalted SHA-256 is not a password-based key derivation function — it is fast and has no salt, so an attacker with the ciphertext can brute-force weak passwords offline at hardware speed, and the same password always yields the same key. Use only with high-entropy, randomly generated passwords, and prefer NewSecretsManager with a random key (or a proper KDF such as Argon2id, scrypt or PBKDF2 with a per-deployment salt) for human-chosen passwords.

func (*SecretsManager) CreateSecret

func (sm *SecretsManager) CreateSecret(name string, plaintext []byte) (*types.Secret, error)

CreateSecret creates a new encrypted secret

func (*SecretsManager) DecryptSecret

func (sm *SecretsManager) DecryptSecret(ciphertext []byte) ([]byte, error)

DecryptSecret decrypts data produced by EncryptSecret. It expects the nonce to be prepended to the ciphertext. Because AES-GCM is authenticated, a tampered, truncated or wrong-key input is reported through the error; callers must treat any error as a failed decryption and never use partial output. Confirm that inputs shorter than the nonce are rejected rather than sliced.

func (*SecretsManager) EncryptSecret

func (sm *SecretsManager) EncryptSecret(plaintext []byte) ([]byte, error)

EncryptSecret encrypts plaintext using AES-256-GCM and returns the nonce followed by the ciphertext (which carries the GCM authentication tag). Every call must use a fresh, unpredictable nonce: reusing a nonce under the same key breaks both the confidentiality and the integrity guarantees of GCM. The nonce source is not shown here; confirm it is crypto/rand.

func (*SecretsManager) GetSecretData

func (sm *SecretsManager) GetSecretData(secret *types.Secret) ([]byte, error)

GetSecretData decrypts and returns the plaintext data from a secret
