authentication

package
v1.1.2 Latest

Warning: This package is not in the latest version of its module.
Published: Mar 3, 2026 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package authentication contains the logic to authenticate foreign clusters.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckCSRForControlPlane

func CheckCSRForControlPlane(csr, publicKeyDER []byte, remoteClusterID liqov1beta1.ClusterID) error

CheckCSRForControlPlane checks a control plane CSR against the PKIX-encoded public key expected for the remote cluster and against the remote cluster ID.

func CheckCSRForResourceSlice

func CheckCSRForResourceSlice(tenantPublicKey []byte, resourceSlice *authv1beta1.ResourceSlice, checkPublicKey bool) error

CheckCSRForResourceSlice checks a resource slice CSR against the given resource slice and, when checkPublicKey is true, against the tenant's public key.

func CommonNameControlPlaneCSR

func CommonNameControlPlaneCSR(clusterID liqov1beta1.ClusterID) string

CommonNameControlPlaneCSR returns the common name for a control plane CSR.

func CommonNameResourceSliceCSR

func CommonNameResourceSliceCSR(resourceSlice *authv1beta1.ResourceSlice) string

CommonNameResourceSliceCSR returns the common name for a resource slice CSR.

func EnsureCondition

EnsureCondition ensures the condition with the given type, status, reason, and message.

func GenerateCSRForControlPlane

func GenerateCSRForControlPlane(key crypto.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, err error)

GenerateCSRForControlPlane generates a new CSR given a private key and the cluster ID from which the subject is derived.

func GenerateCSRForPeerUser

func GenerateCSRForPeerUser(key crypto.PrivateKey, clusterID liqov1beta1.ClusterID) (csrBytes []byte, userCN string, err error)

GenerateCSRForPeerUser generates a new CSR given a private key and the clusterID from which the peering will start.

func GenerateCSRForResourceSlice

func GenerateCSRForResourceSlice(key crypto.PrivateKey,
	resourceSlice *authv1beta1.ResourceSlice) (csrBytes []byte, err error)

GenerateCSRForResourceSlice generates a new CSR given a private key and a resource slice.
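The generate/check pair above (GenerateCSRForControlPlane and CheckCSRForControlPlane, together with the CSRChecker type) is easiest to understand end to end. The following is an added example written for this page, not code from the liqo project: it derives the subject from a cluster ID, signs the request, and on the receiving side verifies the CSR's self-signature, its subject, and that the public key in the request equals the PKIX DER registered for that cluster. The CN and O string layout (`liqo-cp-<id>`, `liqo-control-plane`) and the sample cluster IDs are assumptions; the page does not show the real convention.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Subject layout is an assumption for this example; the page only states that
// CN and O are derived from the cluster ID, not the exact strings.
func commonNameControlPlane(clusterID string) string { return "liqo-cp-" + clusterID }
func organizationControlPlane() string            { return "liqo-control-plane" }

// generateCSRForControlPlane builds a PKCS#10 request whose subject encodes the
// cluster ID and signs it with the cluster's private key (proof of possession).
func generateCSRForControlPlane(key crypto.PrivateKey, clusterID string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName:   commonNameControlPlane(clusterID),
		Organization: []string{organizationControlPlane()},
	}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// csrChecker is one predicate over a parsed CSR (same shape as the page's CSRChecker).
type csrChecker func(*x509.CertificateRequest) error

// checkCSR parses the DER request, verifies its self-signature (the requester
// really holds the private key) and then applies every checker in order.
func checkCSR(csrDER []byte, checkers ...csrChecker) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	for _, check := range checkers {
		if err := check(csr); err != nil {
			return err
		}
	}
	return nil
}

// expectSubject binds the CSR to the identity the remote cluster claims.
func expectSubject(cn, org string) csrChecker {
	return func(csr *x509.CertificateRequest) error {
		if csr.Subject.CommonName != cn {
			return fmt.Errorf("CSR CN %q does not match expected %q", csr.Subject.CommonName, cn)
		}
		if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != org {
			return fmt.Errorf("CSR organization %v does not match expected [%s]", csr.Subject.Organization, org)
		}
		return nil
	}
}

// expectPublicKeyDER binds the CSR to the key registered earlier for the cluster:
// a well-formed CSR from a different key pair must not obtain a certificate for
// that cluster ID, even if its subject is correct.
func expectPublicKeyDER(wantDER []byte) csrChecker {
	return func(csr *x509.CertificateRequest) error {
		gotDER, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
		if err != nil {
			return fmt.Errorf("encoding CSR public key: %w", err)
		}
		if !bytes.Equal(gotDER, wantDER) {
			return fmt.Errorf("CSR public key does not match the key registered for this cluster")
		}
		return nil
	}
}

// checkCSRForControlPlane has the same shape as the page's CheckCSRForControlPlane.
func checkCSRForControlPlane(csrDER, publicKeyDER []byte, remoteClusterID string) error {
	return checkCSR(csrDER,
		expectSubject(commonNameControlPlane(remoteClusterID), organizationControlPlane()),
		expectPublicKeyDER(publicKeyDER))
}

// demo runs the three cases a checker must tell apart: a genuine request, the
// same request presented under another cluster ID, and a request for the right
// ID signed by a key the cluster never registered. All inputs are constructed here.
func demo() (genuine, wrongID, wrongKey error) {
	const clusterID = "cluster-a"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pubDER, _ := x509.MarshalPKIXPublicKey(pub)

	csr, _ := generateCSRForControlPlane(priv, clusterID)
	genuine = checkCSRForControlPlane(csr, pubDER, clusterID)
	wrongID = checkCSRForControlPlane(csr, pubDER, "cluster-b")

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := generateCSRForControlPlane(attackerPriv, clusterID)
	wrongKey = checkCSRForControlPlane(forged, pubDER, clusterID)
	return genuine, wrongID, wrongKey
}

func main() {
	genuine, wrongID, wrongKey := demo()
	fmt.Println("genuine:", genuine, "| wrong cluster ID:", wrongID, "| unregistered key:", wrongKey)
}
```

The order matters: CheckSignature runs before any subject or key comparison, so a CSR whose body was altered after signing is rejected before its claimed identity is even looked at, and the public key comparison is against the registered PKIX bytes, not against whatever key the CSR carries.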

func GenerateEd25519Keys

func GenerateEd25519Keys() (privateKey, publicKey []byte, err error)

GenerateEd25519Keys returns a new Ed25519 key pair, with both the private and the public key PEM-encoded.

func GenerateRSAKeys added in v1.0.2

func GenerateRSAKeys() (privateKey, publicKey []byte, err error)

GenerateRSAKeys returns a new 2048-bit RSA key pair, with both the private and the public key PEM-encoded.

func GetClusterKeys

func GetClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string) (crypto.PrivateKey, []byte, error)

GetClusterKeys retrieves the private and public keys of the cluster from the secret. It returns the private key as crypto.PrivateKey and the public key as PKIX-encoded bytes.

func GetClusterKeysPEM

func GetClusterKeysPEM(ctx context.Context, cl client.Client, liqoNamespace string) (privateKey, publicKey []byte, err error)

GetClusterKeysPEM retrieves the private and public keys of the cluster from the secret and returns them PEM-encoded.

func GetCondition

GetCondition returns the condition with the given type.

func InitClusterKeys

func InitClusterKeys(ctx context.Context, cl client.Client, liqoNamespace string, tlsCompatibilityMode bool) error

InitClusterKeys initializes the authentication keys for the cluster. If the secret containing the keys does not exist, it generates a new pair of keys and stores them in a secret. If tlsCompatibilityMode is true, RSA keys are generated instead of Ed25519.

func IsControlPlaneUser

func IsControlPlaneUser(groups []string) bool

IsControlPlaneUser checks if a user is a control plane user.

func OrganizationControlPlaneCSR

func OrganizationControlPlaneCSR() string

OrganizationControlPlaneCSR returns the organization for a control plane CSR.

func OrganizationResourceSliceCSR

func OrganizationResourceSliceCSR(resourceSlice *authv1beta1.ResourceSlice) string

OrganizationResourceSliceCSR returns the organization for a resource slice CSR.

func ParseTenantPublicKey added in v1.0.2

func ParseTenantPublicKey(publicKey []byte) (crypto.PublicKey, []byte, error)

ParseTenantPublicKey parses the public key stored in the Tenant resource. Versions before 1.0.2 stored the raw Ed25519 public key bytes, while later versions store the key PEM-encoded; to stay compatible with both, this function first tries to decode the value as PEM and, if that fails, reads it as a raw Ed25519 public key.
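The PEM key generation described for GenerateEd25519Keys and GetClusterKeysPEM, and the two-format parsing described for ParseTenantPublicKey, fit in one added example. This is illustration code written for this page, not liqo's implementation: it generates an Ed25519 pair as PKCS#8/PKIX PEM, then parses a tenant key that may be either that PEM form or the pre-1.0.2 raw 32-byte form, returning the key and one canonical PKIX DER in both cases. The PEM block type check and the restriction to Ed25519/RSA/ECDSA are assumptions added here because those are the algorithms the page's nonce verifier accepts.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// generateEd25519KeysPEM does what the page describes for GenerateEd25519Keys:
// a fresh Ed25519 pair, private key as PKCS#8 PEM, public key as PKIX PEM.
func generateEd25519KeysPEM() (privPEM, pubPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// parseTenantPublicKey accepts the PEM (PKIX) encoding written by >= 1.0.2 and
// falls back to the raw Ed25519 bytes written before 1.0.2. It returns the key
// and its PKIX DER so callers see one canonical encoding whatever the input was.
func parseTenantPublicKey(in []byte) (crypto.PublicKey, []byte, error) {
	if block, _ := pem.Decode(in); block != nil {
		if block.Type != "PUBLIC KEY" { // assumption: only PKIX "PUBLIC KEY" blocks
			return nil, nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		key, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, nil, fmt.Errorf("parsing PKIX public key: %w", err)
		}
		switch key.(type) { // only the algorithms the nonce verifier can use
		case ed25519.PublicKey, *rsa.PublicKey, *ecdsa.PublicKey:
			return key, block.Bytes, nil
		}
		return nil, nil, fmt.Errorf("unsupported public key type %T", key)
	}
	// Legacy path: anything that is not PEM must be exactly one raw Ed25519 key.
	// Checking the length first avoids treating arbitrary blobs as a key.
	if len(in) != ed25519.PublicKeySize {
		return nil, nil, fmt.Errorf("not PEM and not a %d-byte raw Ed25519 key (%d bytes)",
			ed25519.PublicKeySize, len(in))
	}
	key := ed25519.PublicKey(append([]byte(nil), in...))
	der, err := x509.MarshalPKIXPublicKey(key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// roundTrip feeds the same key through both encodings and reports whether they
// resolve to identical PKIX bytes. The raw form is constructed from the PEM one.
func roundTrip() (samePKIX bool, rawLen int, err error) {
	_, pubPEM, err := generateEd25519KeysPEM()
	if err != nil {
		return false, 0, err
	}
	key, derFromPEM, err := parseTenantPublicKey(pubPEM)
	if err != nil {
		return false, 0, err
	}
	raw := []byte(key.(ed25519.PublicKey)) // what a pre-1.0.2 Tenant would hold
	_, derFromRaw, err := parseTenantPublicKey(raw)
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(derFromPEM, derFromRaw), len(raw), nil
}

func main() {
	same, n, err := roundTrip()
	fmt.Println("same PKIX encoding:", same, "raw length:", n, "err:", err)
}
```

Returning the PKIX DER alongside the parsed key is what lets the rest of the flow (the CSR public key comparison, for instance) work on one byte representation rather than special-casing old tenants.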

func SignNonce

func SignNonce(priv crypto.PrivateKey, nonce []byte) ([]byte, error)

SignNonce signs a nonce using the provided private key. The private key can be ed25519.PrivateKey, *rsa.PrivateKey, or *ecdsa.PrivateKey. For RSA/ECDSA the nonce is hashed with SHA-256 before signing.

func VerifyNonce

func VerifyNonce(publicKey crypto.PublicKey, nonce, signature []byte) (bool, error)

VerifyNonce verifies the signature over a nonce using the cluster's public key, passed as a crypto.PublicKey (typically parsed from the cluster's PKIX-encoded public key bytes). The public key can be Ed25519, RSA, or ECDSA; as in SignNonce, the nonce is hashed with SHA-256 before verification for RSA and ECDSA.
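SignNonce and VerifyNonce together are the challenge/response step: the verifier draws a fresh nonce, the remote cluster signs it, and the verifier checks the signature with the key it already holds for that cluster. The following is an added example for this page, not liqo's own code. It implements the hashing rule the page states (Ed25519 signs the nonce directly; RSA and ECDSA sign its SHA-256 digest), plays one round per key type, and checks that a captured signature is rejected for a different nonce. The RSA padding (PKCS#1 v1.5) and the P-256 curve are assumptions, as the page does not specify them; all keys and nonces are generated in the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signNonce follows the rule the page gives for SignNonce: Ed25519 signs the
// nonce directly (PureEdDSA), RSA and ECDSA sign its SHA-256 digest.
// PKCS#1 v1.5 padding for RSA is an assumption of this example.
func signNonce(priv crypto.PrivateKey, nonce []byte) ([]byte, error) {
	switch k := priv.(type) {
	case ed25519.PrivateKey:
		return ed25519.Sign(k, nonce), nil
	case *rsa.PrivateKey:
		h := sha256.Sum256(nonce)
		return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])
	case *ecdsa.PrivateKey:
		h := sha256.Sum256(nonce)
		return ecdsa.SignASN1(rand.Reader, k, h[:])
	default:
		return nil, fmt.Errorf("unsupported private key type %T", priv)
	}
}

// verifyNonce is the counterpart and must hash exactly as signNonce did.
func verifyNonce(pub crypto.PublicKey, nonce, sig []byte) (bool, error) {
	switch k := pub.(type) {
	case ed25519.PublicKey:
		return ed25519.Verify(k, nonce, sig), nil
	case *rsa.PublicKey:
		h := sha256.Sum256(nonce)
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig) == nil, nil
	case *ecdsa.PublicKey:
		h := sha256.Sum256(nonce)
		return ecdsa.VerifyASN1(k, h[:], sig), nil
	default:
		return false, fmt.Errorf("unsupported public key type %T", pub)
	}
}

// challenge plays one round: fresh random nonce, prover signs, verifier checks.
// It also checks that the same signature fails for a different nonce, which is
// why a nonce drawn per challenge defeats replay of an old signature.
func challenge(priv crypto.PrivateKey, pub crypto.PublicKey) (genuineOK, replayRejected bool, err error) {
	nonce := make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return false, false, err
	}
	sig, err := signNonce(priv, nonce)
	if err != nil {
		return false, false, err
	}
	if genuineOK, err = verifyNonce(pub, nonce, sig); err != nil {
		return false, false, err
	}
	other := append([]byte(nil), nonce...)
	other[0] ^= 0x01 // the next challenge carries a different nonce
	replayed, err := verifyNonce(pub, other, sig)
	return genuineOK, !replayed, err
}

// runAll exercises the three key types the page lists. 2048-bit RSA matches
// what the page says GenerateRSAKeys produces; P-256 for ECDSA is an assumption.
func runAll() (map[string][2]bool, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rsaPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	results := map[string][2]bool{}
	for name, kp := range map[string][2]any{
		"ed25519": {edPriv, edPub},
		"rsa":     {rsaPriv, &rsaPriv.PublicKey},
		"ecdsa":   {ecPriv, &ecPriv.PublicKey},
	} {
		ok, rej, err := challenge(kp[0], kp[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		results[name] = [2]bool{ok, rej} // {genuine verified, replay rejected}
	}
	return results, nil
}

func main() {
	res, err := runAll()
	fmt.Println(res, err)
}
```

The asymmetry is deliberate: Ed25519 hashes internally as part of the scheme, so pre-hashing would change what is signed, whereas RSA and ECDSA sign a fixed-size digest and both sides must agree on SHA-256 or verification silently fails.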

Types

type CSRChecker

type CSRChecker func(*x509.CertificateRequest) error

CSRChecker is a function that checks a CSR.

Directories

Path Synopsis
Package forge contains utility functions to forge resources of the authentication module.
Package getters contains utility functions to get resources of the authentication module.
Package identitycontroller contains the controller managing Identity resources.
Package identitycreatorcontroller contains the logic to create Identities from ResourceSlices resources.
Package localrenwercontroller implements the controller for managing certificate renewals for local Identity resources.
Package localresourceslicecontroller contains the logic to manage the local ResourceSlice.
Package noncecreatorcontroller contains the logic to manage Nonces.
Package noncesignercontroller contains the controller to sign Nonce secrets.
Package remoterenwercontroller implements the controller for handling certificate renewal requests from remote clusters.
Package remoteresourceslicecontroller contains the logic to manage the remote ResourceSlice.
Package tenantcontroller contains the controller to manage Tenant resources.
Package utils contains utility functions for the authentication module.
