tlscertificate

Published: Aug 12, 2025 License: Apache-2.0 Imports: 21 Imported by: 6


Constants

// Defaults and snapshot names used by the order-certificate hook.
const (
	// CertificateWaitTimeoutDefault controls the default amount of time we wait
	// for certificate approval in one iteration.
	CertificateWaitTimeoutDefault = 1 * time.Minute
	// OrderSertificateSnapshotKey presumably names the snapshot from which the
	// order-certificate hook reads the watched certificate secrets (the hook
	// body is not shown here). The misspelling is part of the exported API.
	OrderSertificateSnapshotKey   = "certificateSecrets"
)

CertificateWaitTimeoutDefault controls the default amount of time we wait for certificate approval in one iteration.

// InternalTLSSnapshotKey presumably names the snapshot holding the TLS secret
// watched by the self-signed TLS hook (the snapshot JQFilterTLS is applied to);
// the hook body is not shown here.
const (
	InternalTLSSnapshotKey = "secret"
)

Variables

// ErrCAIsInvalidOrOutdated reports that a stored CA cannot be used; the
// returning site is not shown here, so compare with errors.Is rather than
// relying on the message.
var ErrCAIsInvalidOrOutdated = errors.New("ca is invalid or outdated")
// ErrCertificateIsNotFound reports that no certificate was found; the
// returning site is not shown here, so compare with errors.Is rather than
// relying on the message.
var ErrCertificateIsNotFound = errors.New("certificate is not found")
var JQFilterApplyCertificateSecret = `` /* 430-byte string literal not displayed */
// JQFilterTLS is the jq filter applied to a TLS secret snapshot: it maps the
// secret's "tls.key", "tls.crt" and "ca.crt" data keys to "key", "crt" and
// "ca", the json tags of CertValues. The private key is part of the filtered
// output, so whatever holds the filtered snapshot holds the key.
var JQFilterTLS = `{
    "key": .data."tls.key",
    "crt": .data."tls.crt",
    "ca": .data."ca.crt"
}`

Functions

func CertificateHandler

func CertificateHandler(requests []OrderCertificateRequest) func(ctx context.Context, input *pkg.HookInput) error

func CertificateHandlerConfig

func CertificateHandlerConfig(namespaces, secretNames []string) *pkg.HookConfig

func ClusterDomainSAN

func ClusterDomainSAN(san string) string

ClusterDomainSAN creates a template to enrich the specified SAN with the cluster domain.

func GenSelfSignedTLS

func GenSelfSignedTLS(conf GenSelfSignedTLSHookConf) func(ctx context.Context, input *pkg.HookInput) error

func GenSelfSignedTLSConfig

func GenSelfSignedTLSConfig(conf GenSelfSignedTLSHookConf) *pkg.HookConfig

func PublicDomainSAN

func PublicDomainSAN(s string) string

PublicDomainSAN creates a template to enrich the specified SAN with the public domain.

func RegisterInternalTLSHookEM

func RegisterInternalTLSHookEM(conf GenSelfSignedTLSHookConf) bool

RegisterInternalTLSHookEM must be used for external modules

Registers a hook which saves the TLS certificate in values from the secret. If the secret has not been created, the hook generates a CA with a long expiry time and generates a TLS certificate for the passed domains, signed with the generated CA. That CA certificate, TLS certificate and private key MUST be saved in a secret with Helm; otherwise, every d8 restart will generate a new TLS certificate. The TLS certificate also has a long expiry time, the same as the CA: 87600h == 10 years. These TLS certificates are often used for in-cluster HTTPS communication with the service which ordered the TLS certificate; clients need to use the CA certificate to verify the connection.

func RegisterOrderCertificateHookEM

func RegisterOrderCertificateHookEM(requests []OrderCertificateRequest) bool

RegisterOrderCertificateHookEM must be used for external modules

Types

type CertValues

// CertValues is the shape of the TLS material produced by JQFilterTLS from a
// TLS secret; the json tags match its "ca", "crt" and "key" outputs. Key is
// the private key, so a CertValues is as sensitive as the secret it came from.
type CertValues struct {
	CA  string `json:"ca"`
	Crt string `json:"crt"`
	Key string `json:"key"`
}

type CertificateInfo

// CertificateInfo is the result returned by IssueCertificate: the issued
// certificate and its private key, plus CertificateUpdated, which presumably
// reports whether a new certificate was issued by this call rather than an
// existing one reused — confirm against IssueCertificate, which is not shown here.
type CertificateInfo struct {
	Certificate        string `json:"certificate,omitempty"`
	Key                string `json:"key,omitempty"`
	CertificateUpdated bool   `json:"certificate_updated,omitempty"`
}

func IssueCertificate

func IssueCertificate(ctx context.Context, input *pkg.HookInput, request OrderCertificateRequest) (*CertificateInfo, error)

type GenSelfSignedTLSHookConf

// GenSelfSignedTLSHookConf configures the self-signed TLS hook
// (GenSelfSignedTLS, GenSelfSignedTLSConfig, RegisterInternalTLSHookEM): which
// TLS secret to read, what certificate to generate when it is absent, and where
// in values to store the result.
type GenSelfSignedTLSHookConf struct {
	// SANs is a function which returns the list of domains to include in the cert.
	// Use the DefaultSANs helper.
	SANs SANsGenerator

	// CN - certificate Common Name.
	// Often it is the module name.
	CN string

	// Namespace - namespace of the TLS secret.
	Namespace string
	// TLSSecretName - TLS secret name.
	// The secret must be of the TLS secret type https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
	// and the CA certificate MUST be set under the ca.crt key.
	TLSSecretName string

	// Usages specifies valid usage contexts for keys.
	// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
	Usages []certificatesv1.KeyUsage

	// KeyAlgorithm - algorithm of the certificate's key pair.
	// Can be one of: "rsa", "ecdsa", "ed25519"
	// Default: "ecdsa"
	KeyAlgorithm string

	// KeySize - size of the certificate's key.
	// The KeySize must match the KeyAlgorithm (more info: https://github.com/cloudflare/cfssl/blob/cb0a0a3b9daf7ba477e106f2f013dd68267f0190/csr/csr.go#L108)
	// Default: 256 bit
	// NOTE(review): the default is an ECDSA curve size; when KeyAlgorithm is set
	// to "rsa", KeySize has to be changed to an RSA modulus size as well — the
	// linked csr.go defines which sizes are accepted per algorithm.
	KeySize int

	// FullValuesPathPrefix - prefix of the full values paths under which the CA
	// certificate, the TLS certificate and the TLS private key are stored.
	// Full paths will be
	//   FullValuesPathPrefix + .ca  - CA certificate
	//   FullValuesPathPrefix + .crt - TLS certificate
	//   FullValuesPathPrefix + .key - TLS private key
	// Example: FullValuesPathPrefix =  'prometheusMetricsAdapter.internal.adapter'
	// Values to store:
	// prometheusMetricsAdapter.internal.adapter.ca
	// prometheusMetricsAdapter.internal.adapter.crt
	// prometheusMetricsAdapter.internal.adapter.key
	// Data in values is stored as plain text. This includes the private key, so
	// anything able to read these values can read the key.
	// In helm templates you need to use the `b64enc` function to encode it.
	FullValuesPathPrefix string

	// BeforeHookCheck runs a check function before hook execution. The function should return a boolean 'continue' value:
	// if the return value is false - the hook will stop its execution
	// if the return value is true - the hook will continue
	BeforeHookCheck func(input *pkg.HookInput) bool

	// CommonCAValuesPath - full values path under which the common CA
	// certificate and its private key are stored.
	// Full path will be
	//   CommonCAValuesPath
	// Example: CommonCAValuesPath =  'commonCaPath'
	// Values to store:
	// commonCaPath.key
	// commonCaPath.crt
	// Data in values is stored as plain text.
	// In helm templates you need to use the `b64enc` function to encode it.
	CommonCAValuesPath string
	// CommonCACanonicalName - Common Name (CN) of the common CA certificate.
	// If not specified (empty), the CN field of this struct is used (when no CA
	// certificate has been generated yet).
	CommonCACanonicalName string
}

func (GenSelfSignedTLSHookConf) CommonCAPath

func (gss GenSelfSignedTLSHookConf) CommonCAPath() string

func (GenSelfSignedTLSHookConf) Path

func (gss GenSelfSignedTLSHookConf) Path() string

type OrderCertificateRequest

// OrderCertificateRequest describes one certificate requested through the
// order-certificate hook (CertificateHandler, IssueCertificate). The field
// notes below are inferred from the names; the hook body is not shown here.
type OrderCertificateRequest struct {
	// Namespace and SecretName presumably locate the secret the issued
	// certificate is kept in.
	Namespace  string
	SecretName string
	// CommonName, SANs, Groups and Usages presumably describe the requested
	// certificate subject and its permitted key usages.
	CommonName string
	SANs       []string
	Groups     []string
	Usages     []certificatesv1.KeyUsage
	// SignerName - name of the signer asked to sign the request.
	SignerName string

	// ValueName and ModuleName presumably select where in values the result
	// is stored.
	ValueName   string
	ModuleName  string
	// WaitTimeout - how long one iteration waits for approval; see
	// CertificateWaitTimeoutDefault for the default, presumably applied when
	// this is zero — confirm against the hook body.
	WaitTimeout time.Duration

	// ExpirationSeconds - requested certificate lifetime in seconds; nil
	// presumably leaves the lifetime to the signer.
	ExpirationSeconds *int32
}

func (*OrderCertificateRequest) DeepCopy

type SANsGenerator

// SANsGenerator builds the list of SANs for a certificate from the hook input;
// DefaultSANs returns one for a fixed list of SANs.
type SANsGenerator func(input *pkg.HookInput) []string

SANsGenerator is a function for generating SANs.

func DefaultSANs

func DefaultSANs(sans []string) SANsGenerator

DefaultSANs is a helper to generate the list of SANs for a certificate. You can also use the helpers:

ClusterDomainSAN(value) to generate SANs with respect to the cluster domain (e.g. "app.default.svc" with the "cluster.local" value will give "app.default.svc.cluster.local")
PublicDomainSAN(value)

type SelfSignedCertValues

// SelfSignedCertValues carries the inputs for generating one TLS certificate
// signed with the given CA: the subject CN, the key algorithm and size, the
// SANs and the key usages.
// NOTE(review): Usages is []string here but []certificatesv1.KeyUsage in
// GenSelfSignedTLSHookConf; the conversion between them is not shown on this page.
type SelfSignedCertValues struct {
	CA           *certificate.Authority
	CN           string
	KeyAlgorithm string
	KeySize      int
	SANs         []string
	Usages       []string
}
