pki

package
v0.3.2
Published: Aug 28, 2020 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Overview

Package pki allows managing Kubernetes PKI certificates.

Constants

const (
	// KubernetesCACN is a default CN for Kubernetes CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	KubernetesCACN = "kubernetes-ca"

	// KubernetesFrontProxyCACN is a default CN for Kubernetes front proxy CA certificate,
	// as recommended by https://kubernetes.io/docs/setup/best-practices/certificates/.
	KubernetesFrontProxyCACN = "kubernetes-front-proxy-ca"
)
const (
	// RSABits is the default private key length. The default is 2048 bits, which is considered
	// secure, while generating 4096-bit keys takes a lot of time and increases generation time
	// by a factor of 10. Once the generation process is done in parallel, it should be increased.
	RSABits = 2048

	// Organization is a default organization name in generated certificates.
	Organization = "organization"

	// ValidityDuration is a default time the certificates are valid. Defaults to 365 days.
	ValidityDuration = "8760h"

	// RenewThreshold defines the minimum remaining validity time for the certificate before
	// it will be renewed.
	RenewThreshold = "720h"

	// X509CertificatePEMHeader is a PEM format header used while encoding X.509 certificates.
	X509CertificatePEMHeader = "CERTIFICATE"

	// RSAPrivateKeyPEMHeader is a PEM format header used while encoding RSA private keys.
	RSAPrivateKeyPEMHeader = "RSA PRIVATE KEY"

	// RSAPublicKeyPEMHeader is a PEM format header used while encoding RSA public keys.
	RSAPublicKeyPEMHeader = "RSA PUBLIC KEY"

	// RootCACN is a default CN for root CA certificate.
	RootCACN = "root-ca"
)
const (
	// EtcdCACN is a default CN for etcd CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	EtcdCACN = "etcd-ca"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Certificate

type Certificate struct {
	// Organization stores value for 'organization' field in the certificate.
	Organization string `json:"organization,omitempty"`

	// RSABits defines length of RSA private key to generate.
	//
	// Example value: '2048'.
	RSABits int `json:"rsaBits,omitempty"`

	// ValidityDuration defines how long generated certificates should be valid.
	//
	// Example value: '24h'.
	ValidityDuration string `json:"validityDuration,omitempty"`

	// RenewThreshold defines how long before expiry date the certificates should
	// be re-generated.
	RenewThreshold string `json:"renewThreshold,omitempty"`

	// CommonName defines the CN field for the certificate.
	CommonName string `json:"commonName,omitempty"`

	// CA controls whether the certificate should be self-signed when generated.
	CA bool `json:"ca,omitempty"`

	// KeyUsage is a list of key usages. Valid values are:
	// - "digital_signature"
	// - "content_commitment"
	// - "key_encipherment"
	// - "data_encipherment"
	// - "key_agreement"
	// - "cert_signing"
	// - "crl_signing"
	// - "encipher_only"
	// - "decipher_only"
	// - "any_extended"
	// - "server_auth"
	// - "client_auth"
	// - "code_signing"
	// - "email_protection"
	// - "ipsec_end_system"
	// - "ipsec_tunnel"
	// - "ipsec_user"
	// - "timestamping"
	// - "ocsp_signing"
	// - "microsoft_server_gated_crypto"
	// - "netscape_server_gated_crypto"
	KeyUsage []string `json:"keyUsage,omitempty"`

	// IPAddresses defines for which IP addresses the certificate can be used.
	IPAddresses []string `json:"ipAddresses,omitempty"`

	// DNSNames defines extra hostnames, which will be valid for the certificate.
	DNSNames []string `json:"dnsNames,omitempty"`

	// X509Certificate stores generated certificate in X.509 certificate format, PEM encoded.
	X509Certificate types.Certificate `json:"x509Certificate,omitempty"`

	// PublicKey stores the generated RSA public key, PEM encoded.
	PublicKey string `json:"publicKey,omitempty"`

	// PrivateKey stores the generated RSA private key in PKCS1 format, PEM encoded.
	PrivateKey types.PrivateKey `json:"privateKey,omitempty"`
}

Certificate defines configurable options for each certificate.

func (*Certificate) Generate

func (c *Certificate) Generate(ca *Certificate) error

Generate ensures that all fields of the certificate are populated.

This function currently supports:

- Generating new RSA private key and public key.

- Generating new X.509 certificates.

NOT implemented functionality:

- Renewing certificates based on expiry time.

- Renewing X.509 certificate after RSA private key renewal.

- Renewing issued certificate during CA renewal.
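The following is an added example, not code from the pki package itself: it mirrors what Generate is documented to produce for a root CA (an RSA key and a self-signed X.509 certificate under the "CERTIFICATE" and PKCS#1 "RSA PRIVATE KEY" PEM headers, using the RSABits, ValidityDuration and RootCACN defaults above) and then implements the expiry-based renewal check that the package lists as not implemented, driven by the RenewThreshold default. The function and constant names are this example's own; the page's "8760h" and "720h" duration strings are expressed here as time.Duration values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Defaults taken from the package constants: RSABits, ValidityDuration ("8760h"), RenewThreshold ("720h"), RootCACN.
const rsaBits, validity, renewThreshold, rootCACN = 2048, 8760 * time.Hour, 720 * time.Hour, "root-ca"

// generateRootCA (illustrative, not the package's own code) builds what Certificate.Generate with CA=true is
// documented to produce: an RSA key and a self-signed CA certificate, both PEM-encoded with the package's headers.
func generateRootCA(now time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootCACN},
		NotBefore: now, NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// needsRenewal is the expiry check the package lists as not implemented: it reports true when the
// PEM-encoded certificate has less than threshold of validity left at time now.
func needsRenewal(certPEM []byte, threshold time.Duration, now time.Time) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return now.Add(threshold).After(cert.NotAfter), nil
}
```

A caller that wires this into a PKI would run needsRenewal over every stored X509Certificate field and re-invoke Generate for those that return true, re-issuing leaf certificates whenever their CA was renewed.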

func (*Certificate) Validate

func (c *Certificate) Validate() error

Validate validates the certificate configuration.

type Etcd

type Etcd struct {
	// Inline Certificate struct, so some settings can be applied as defaults for all etcd certificates.
	Certificate

	// CA stores etcd CA certificate.
	CA *Certificate `json:"ca,omitempty"`

	// Peers is a map of peer certificates to generate, where the key is the name of the peer and
	// the value is the IP address on which the peer will be listening.
	Peers map[string]string `json:"peers,omitempty"`

	// Servers is a map of server certificates to generate, where the key is the CN of the client
	// certificate and the value is the IP address on which the server will be listening.
	Servers map[string]string `json:"servers,omitempty"`

	// ClientCNs is a list of client certificate Common Names to generate.
	ClientCNs []string `json:"clientCNs,omitempty"`

	// PeerCertificates defines and stores all peer certificates.
	PeerCertificates map[string]*Certificate `json:"peerCertificates,omitempty"`

	// ServerCertificates defines and stores all server certificates.
	ServerCertificates map[string]*Certificate `json:"serverCertificates,omitempty"`

	// ClientCertificates defines and stores all client certificates.
	ClientCertificates map[string]*Certificate `json:"clientCertificates,omitempty"`
}

Etcd stores etcd PKI and their settings.

func (*Etcd) Generate

func (e *Etcd) Generate(rootCA *Certificate, defaultCertificate Certificate) error

Generate generates etcd PKI.

type KubeAPIServer

type KubeAPIServer struct {
	// Certificate stores default settings for all kube-apiserver certificates.
	Certificate

	// ExternalNames is a helper to ServerCertificate, which allows setting allowed DNS
	// names while connecting to kube-apiserver.
	ExternalNames []string `json:"externalNames,omitempty"`

	// ServerIPs is a helper to ServerCertificate, which allows setting on which IP addresses
	// kube-apiserver can be available.
	ServerIPs []string `json:"serverIPs,omitempty"`

	// ServerCertificate stores service certificate for HTTPS server.
	ServerCertificate *Certificate `json:"serverCertificate,omitempty"`

	// KubeletCertificate stores client certificate used for talking to kubelet on the nodes.
	KubeletCertificate *Certificate `json:"kubeletCertificate,omitempty"`

	// FrontProxyClientCertificate stores client certificate used for talking to extending
	// API servers.
	FrontProxyClientCertificate *Certificate `json:"frontProxyClientCertificate,omitempty"`
}

KubeAPIServer stores kube-apiserver certificates.

type Kubernetes

type Kubernetes struct {
	// Certificate stores default settings for all Kubernetes certificates.
	Certificate

	// CA stores the Kubernetes CA certificate and its settings.
	CA *Certificate `json:"ca,omitempty"`

	// FrontProxyCA stores Kubernetes front-proxy CA certificate, required for API aggregation.
	FrontProxyCA *Certificate `json:"frontProxyCA,omitempty"`

	// KubeAPIServer stores kube-apiserver specific certificates.
	KubeAPIServer *KubeAPIServer `json:"kubeAPIServer,omitempty"`

	// AdminCertificate stores Kubernetes admin certificate.
	AdminCertificate *Certificate `json:"adminCertificate,omitempty"`

	// KubeControllerManagerCertificate stores kube-controller-manager client certificate.
	KubeControllerManagerCertificate *Certificate `json:"kubeControllerManagerCertificate,omitempty"`

	// KubeSchedulerCertificate stores kube-scheduler client certificate.
	KubeSchedulerCertificate *Certificate `json:"kubeSchedulerCertificate,omitempty"`

	// ServiceAccountCertificate stores public and private key used for signing and verifying
	// service account tokens by kube-controller-manager and kube-apiserver.
	ServiceAccountCertificate *Certificate `json:"serviceAccountCertificate,omitempty"`
}

Kubernetes stores Kubernetes PKI and settings.

func (*Kubernetes) Generate

func (k *Kubernetes) Generate(rootCA *Certificate, defaultCertificate Certificate) error

Generate generates Kubernetes PKI.

type PKI

type PKI struct {
	// Certificate contains default settings for all certificates in PKI.
	Certificate

	// RootCA contains configuration and generated root CA certificate and private key.
	RootCA *Certificate `json:"rootCA,omitempty"`

	// Etcd contains the configuration for, and all generated, etcd certificates and private keys.
	Etcd *Etcd `json:"etcd,omitempty"`

	// Kubernetes contains the configuration for, and all generated, Kubernetes certificates and private keys.
	Kubernetes *Kubernetes `json:"kubernetes,omitempty"`
}

PKI contains configuration and all generated certificates and private keys required for running Kubernetes.

func (*PKI) Generate

func (p *PKI) Generate() error

Generate generates PKI required for running Kubernetes, including root CA and etcd certificates.
