Overview ¶
Package certstore implements an HTTP provider for solving the HTTP-01 challenge using kvring in combination with a webserver.
Index ¶
- Constants
- Variables
- func CheckCertExpiration(amStore *CertStore, logger log.Logger) error
- func Cleanup(logger log.Logger, interval time.Duration, certExpDays int, ...)
- func CleanupCertificateVersions(logger log.Logger, certExpDays int, cleanupCertRevokeLastVersion bool)
- func CleanupTokens(logger log.Logger)
- func CreateRemoteCertificateResource(certData *models.Certificate, logger log.Logger) (*models.Certificate, error)
- func DeleteRemoteCertificateResource(certData *models.Certificate, logger log.Logger) error
- func GenerateCertificateKey(owner, issuer, domain string) string
- func GenerateChallengeKey(challengeID string) string
- func GenerateRateLimitKey(owner, issuer, domain string) string
- func GenerateTokenKey(tokenID string) string
- func GetCertificateKeysForOwner(owner string) string
- func GetCertificateKeysForOwnerAndIssuer(owner, issuer string) string
- func GetTokenKeysForOwner(owner string) string
- func MapInterfaceToCertMap(data map[string]interface{}) models.CertMap
- func NewAcmeClientForIssuer(logger log.Logger, issuer string) (*lego.Client, error)
- func NewHTTPChallengeProviderByName(name, config string, logger log.Logger) (challenge.Provider, error)
- func NewStatusCodeRetryPolicy(customLogger *logrus.Logger, retryStatusCodes []int) retryablehttp.CheckRetry
- func OnStartup(logger log.Logger) error
- func ParseTokenKey(key string) (tokenID string, err error)
- func RevokeCertificateWithVerification(logger log.Logger, issuerAcmeClient *lego.Client, certBytes []byte, ...) (bool, error)
- func SaveResource(logger log.Logger, filepath string, certRes *certificate.Resource)
- func Setup(logger log.Logger, customLogger *logrus.Logger, cfg config.Config, ...) error
- func WatchCertExpiration(logger log.Logger, interval time.Duration)
- func WatchConfigFileChanges(logger log.Logger, customLogger *logrus.Logger, interval time.Duration, ...)
- func WatchIssuerHealth(logger log.Logger, customLogger *logrus.Logger, interval time.Duration, ...)
- func WatchRateLimitCleanup(logger log.Logger, interval time.Duration)
- func WatchTokenExpiration(logger log.Logger, interval time.Duration)
- type Account
- type CertStore
- func (c *CertStore) DeleteCertificate(owner, issuer, domain string) error
- func (c *CertStore) DeleteChallenge(challengeID string) error
- func (c *CertStore) DeleteRateLimit(owner, issuer, domain string) error
- func (c *CertStore) DeleteToken(tokenID string) error
- func (c *CertStore) GetCertificate(owner, issuer, domain string) (*models.Certificate, error)
- func (c *CertStore) GetChallenge(challengeID string) (string, error)
- func (c *CertStore) GetRateLimit(owner, issuer, domain string) (*models.RateLimit, error)
- func (c *CertStore) GetToken(tokenID string) (*models.Token, error)
- func (c *CertStore) ListAllCertificates() (map[string]*models.Certificate, error)
- func (c *CertStore) ListAllChallenges() (map[string]string, error)
- func (c *CertStore) ListAllRateLimits() (map[string]*models.RateLimit, error)
- func (c *CertStore) ListAllTokens() (map[string]*models.Token, error)
- func (c *CertStore) ListCertificateKVRingKeys(prefix string) ([]string, error)
- func (c *CertStore) ListCertificatesForOwner(owner string) ([]*models.Certificate, error)
- func (c *CertStore) ListChallengeKVRingKeys() ([]string, error)
- func (c *CertStore) ListRateLimitKVRingKeys(prefix string) ([]string, error)
- func (c *CertStore) ListTokenKVRingKeys() ([]string, error)
- func (c *CertStore) PutCertificate(cert *models.Certificate) error
- func (c *CertStore) PutChallenge(challengeID string, keyAuth string) error
- func (c *CertStore) PutRateLimit(rateLimit *models.RateLimit) error
- func (c *CertStore) PutToken(tokenID string, token *models.Token) error
- type CertificateCollector
- type HTTPProvider
- type NodeCollector
Constants ¶
const (
	CertificatePrefix = "certificate"
	TokenPrefix       = "token"
	ChallengePrefix   = "challenge"
	RateLimitPrefix   = "ratelimit"
)
Key prefixes under which each resource kind is stored in the KV ring.
Variables ¶
var (
	AcmeClient = make(map[string]*lego.Client)
	// AcmeAccount stores the account data per issuer for creating fresh clients
	AcmeAccount = make(map[string]*Account)
)
var (
	AmCertificateRingKey = "collectors/certificate"
	AmChallengeRingKey   = "collectors/challenge"
	AmTokenRingKey       = "collectors/token"
	AmStore              *CertStore
)
Functions ¶
func CleanupTokens ¶
func CreateRemoteCertificateResource ¶
func CreateRemoteCertificateResource(certData *models.Certificate, logger log.Logger) (*models.Certificate, error)
func DeleteRemoteCertificateResource ¶
func DeleteRemoteCertificateResource(certData *models.Certificate, logger log.Logger) error
func GenerateCertificateKey ¶
GenerateCertificateKey creates a hierarchical key for certificates
func GenerateChallengeKey ¶
GenerateChallengeKey creates a hierarchical key for challenges
func GenerateRateLimitKey ¶ added in v0.7.0
GenerateRateLimitKey creates a hierarchical key for rate limits
func GenerateTokenKey ¶
GenerateTokenKey creates a hierarchical key for tokens
func GetCertificateKeysForOwner ¶
GetCertificateKeysForOwner generates a prefix to list all certificates for an owner
func GetCertificateKeysForOwnerAndIssuer ¶
GetCertificateKeysForOwnerAndIssuer generates a prefix to list certificates for owner+issuer
func GetTokenKeysForOwner ¶
GetTokenKeysForOwner generates a prefix to list all tokens for an owner
func MapInterfaceToCertMap ¶
func NewAcmeClientForIssuer ¶ added in v0.6.7
NewAcmeClientForIssuer creates a fresh lego.Client for the given issuer using the cached account data. This ensures each certificate request gets an isolated client with no residual challenge providers.
func NewHTTPChallengeProviderByName ¶
func NewHTTPChallengeProviderByName(name, config string, logger log.Logger) (challenge.Provider, error)
NewHTTPChallengeProviderByName is a factory that returns the HTTP challenge provider registered under the given name.
func NewStatusCodeRetryPolicy ¶
func NewStatusCodeRetryPolicy(customLogger *logrus.Logger, retryStatusCodes []int) retryablehttp.CheckRetry
NewStatusCodeRetryPolicy creates a CheckRetry function that retries on connection errors, 5xx status codes (default behavior), and any additional status codes provided in the `retryStatusCodes` list.
func ParseTokenKey ¶
ParseTokenKey extracts the token ID from a token key, returning an error if the key is not in the expected format.
func RevokeCertificateWithVerification ¶ added in v0.6.5
func RevokeCertificateWithVerification(logger log.Logger, issuerAcmeClient *lego.Client, certBytes []byte, issuer, owner, domain string, version *int) (bool, error)
RevokeCertificateWithVerification revokes a certificate and handles the common error cases. It returns (safeToDestroy bool, error) with the following meaning:
- (true, nil): Certificate already revoked/expired in previous cycle - safe to destroy
- (false, nil): Certificate freshly revoked this cycle - wait for next cycle before destroying
- (false, error): Revocation failed - do not proceed with destruction
func SaveResource ¶
func SaveResource(logger log.Logger, filepath string, certRes *certificate.Resource)
func WatchConfigFileChanges ¶
func WatchIssuerHealth ¶
func WatchRateLimitCleanup ¶ added in v0.7.0
WatchRateLimitCleanup periodically cleans up expired rate limit entries. Entries older than the configured rate limit window are deleted to prevent unbounded growth.
Types ¶
type Account ¶
type Account struct {
Email string `json:"email"`
Registration *registration.Resource `json:"registration"`
// contains filtered or unexported fields
}
Account represents a user's locally saved ACME credentials.
func (*Account) GetPrivateKey ¶
func (a *Account) GetPrivateKey() crypto.PrivateKey
GetPrivateKey returns the private RSA account key.
func (*Account) GetRegistration ¶
func (a *Account) GetRegistration() *registration.Resource
GetRegistration returns the server registration.
type CertStore ¶
type CertStore struct {
RingConfig ring.AcmeManagerRing
Logger log.Logger
}
func (*CertStore) DeleteCertificate ¶
DeleteCertificate removes the certificate stored for the given owner, issuer and domain.
func (*CertStore) DeleteChallenge ¶
DeleteChallenge removes the stored challenge identified by challengeID.
func (*CertStore) DeleteRateLimit ¶ added in v0.7.0
DeleteRateLimit removes the rate-limit entry for the given owner, issuer and domain.
func (*CertStore) GetCertificate ¶
func (c *CertStore) GetCertificate(owner, issuer, domain string) (*models.Certificate, error)
GetCertificate returns the certificate stored for the given owner, issuer and domain.
func (*CertStore) GetChallenge ¶
GetChallenge returns the key authorization stored for the given challengeID.
func (*CertStore) GetRateLimit ¶ added in v0.7.0
GetRateLimit returns the rate-limit entry for the given owner, issuer and domain.
func (*CertStore) ListAllCertificates ¶
func (c *CertStore) ListAllCertificates() (map[string]*models.Certificate, error)
ListAllCertificates returns every stored certificate, keyed by its ring key.
func (*CertStore) ListAllChallenges ¶
ListAllChallenges returns every stored challenge, keyed by its ring key.
func (*CertStore) ListAllRateLimits ¶ added in v0.7.0
ListAllRateLimits returns every stored rate-limit entry, keyed by its ring key.
func (*CertStore) ListAllTokens ¶
ListAllTokens returns every stored token, keyed by its ring key.
func (*CertStore) ListCertificateKVRingKeys ¶
func (*CertStore) ListCertificatesForOwner ¶
func (c *CertStore) ListCertificatesForOwner(owner string) ([]*models.Certificate, error)
ListCertificatesForOwner returns all certificates stored for the given owner.
func (*CertStore) ListChallengeKVRingKeys ¶
func (*CertStore) ListRateLimitKVRingKeys ¶ added in v0.7.0
func (*CertStore) ListTokenKVRingKeys ¶
func (*CertStore) PutCertificate ¶
func (c *CertStore) PutCertificate(cert *models.Certificate) error
PutCertificate stores the given certificate in the KV ring.
func (*CertStore) PutChallenge ¶
PutChallenge stores the key authorization for the given challengeID in the KV ring.
func (*CertStore) PutRateLimit ¶ added in v0.7.0
PutRateLimit stores the given rate-limit entry in the KV ring.
type CertificateCollector ¶
func NewCertificateCollector ¶
func NewCertificateCollector(logger log.Logger) *CertificateCollector
func (*CertificateCollector) Collect ¶
func (c *CertificateCollector) Collect(ch chan<- prometheus.Metric)
func (*CertificateCollector) Describe ¶
func (c *CertificateCollector) Describe(_ chan<- *prometheus.Desc)
type HTTPProvider ¶
type HTTPProvider struct {
// contains filtered or unexported fields
}
HTTPProvider implements an HTTP challenge provider for the `http-01` challenge.
func NewKVRingProvider ¶
func NewKVRingProvider(logger log.Logger) (*HTTPProvider, error)
NewKVRingProvider returns an HTTPProvider instance with a configured webroot path.
type NodeCollector ¶
func NewNodeCollector ¶
func NewNodeCollector(logger log.Logger) *NodeCollector
func (*NodeCollector) Collect ¶
func (nc *NodeCollector) Collect(ch chan<- prometheus.Metric)
func (*NodeCollector) Describe ¶
func (nc *NodeCollector) Describe(_ chan<- *prometheus.Desc)