Documentation
Index
- Constants
- func VerifyRequest(r *http.Request, verifyType int, verifyOpts x509.VerifyOptions, ...) bool
- type CAProvider
- type CASecretProvider
- func (config *CASecretProvider) CreateRegistrationCertificate(name string) (map[string][]byte, error)
- func (config *CASecretProvider) GetCACertificate() (*CertificateGroup, error)
- func (config *CASecretProvider) GetName() string
- func (config *CASecretProvider) GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)
- func (config *CASecretProvider) SignCSR(CSRPem string, commonName string, expiration time.Time) ([]byte, error)
- type CertificateGroup
- type TLSConfig
- func (conf *TLSConfig) CreateRegistrationClientCerts() error
- func (conf *TLSConfig) InitCertificates() (*tls.Config, []*x509.Certificate, error)
- func (conf *TLSConfig) SetCAProvider(caProviders []CAProvider)
- func (conf *TLSConfig) SetClientExpiration(days int) error
- func (conf *TLSConfig) SignCSR(CSRPem string, commonName string) ([]byte, error)
Constants
const (
	YggdrasilRegisterAuth = 1
	YggdrasilCompleteAuth = 0
)
const (
	CASecretName    = "flotta-ca"
	HostTLSCertName = "flotta-host-certificate"
)
Variables
This section is empty.
Functions
func VerifyRequest
func VerifyRequest(r *http.Request, verifyType int, verifyOpts x509.VerifyOptions, CACertChain []*x509.Certificate) bool
VerifyRequest checks the client certificate according to the scenario selected by verifyType. Registration endpoint: any certificate signed by the CA is accepted, even if it has expired. All endpoints: the certificate must be valid. @TODO check the list of rejected certificates here.
Types
type CAProvider
type CAProvider interface {
	GetName() string
	GetCACertificate() (*CertificateGroup, error)
	CreateRegistrationCertificate(name string) (map[string][]byte, error)
	SignCSR(CSRPem string, commonName string, expiration time.Time) ([]byte, error)
	GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)
}
CAProvider is an interface so that it can be extended to future certificate providers, such as:
- Vault
- ACME protocol
It is kept as an interface so that users can decide in the future.
type CASecretProvider
type CASecretProvider struct {
	// contains filtered or unexported fields
}
@TODO Add a watcher on the secret so that, if it is updated manually, the latestCA is renewed.
func NewCASecretProvider
func NewCASecretProvider(client client.Client, namespace string) *CASecretProvider
func (*CASecretProvider) CreateRegistrationCertificate
func (config *CASecretProvider) CreateRegistrationCertificate(name string) (map[string][]byte, error)
func (*CASecretProvider) GetCACertificate
func (config *CASecretProvider) GetCACertificate() (*CertificateGroup, error)
func (*CASecretProvider) GetName
func (config *CASecretProvider) GetName() string
func (*CASecretProvider) GetServerCertificate
func (config *CASecretProvider) GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)
func (*CASecretProvider) SignCSR
func (config *CASecretProvider) SignCSR(CSRPem string, commonName string, expiration time.Time) ([]byte, error)
SignCSR signs a new CertificateRequest and returns the PEM certificate. This function is going to be called a lot, so using config.latestCA ensures that the API server is not overloaded by it. Because the CM is always managed by this provider, it should be safe to use that one.
type CertificateGroup
CertificateGroup provides a set of helper methods for working with certificates.
func NewCACertificateGroupFromSecret
func NewCACertificateGroupFromSecret(secretData map[string][]byte) (*CertificateGroup, error)
func (*CertificateGroup) CreatePem
func (c *CertificateGroup) CreatePem() error
CreatePem creates the PEM encoding from the loaded certificates and stores it locally.
func (*CertificateGroup) GetCert
func (c *CertificateGroup) GetCert() *x509.Certificate
func (*CertificateGroup) GetCertificate
func (c *CertificateGroup) GetCertificate() (tls.Certificate, error)
GetCertificate returns the certificate group in tls.Certificate format.
func (*CertificateGroup) ImportFromPem
func (c *CertificateGroup) ImportFromPem() error
type TLSConfig
type TLSConfig struct {
	Domains          []string
	LocalhostEnabled bool
	// contains filtered or unexported fields
}
func NewMTLSConfig
func (*TLSConfig) CreateRegistrationClientCerts
func (conf *TLSConfig) CreateRegistrationClientCerts() error
func (*TLSConfig) InitCertificates
func (conf *TLSConfig) InitCertificates() (*tls.Config, []*x509.Certificate, error)
func (*TLSConfig) SetCAProvider
func (conf *TLSConfig) SetCAProvider(caProviders []CAProvider)
@TODO mainly used for testing, maybe not needed at all
func (*TLSConfig) SetClientExpiration
func (conf *TLSConfig) SetClientExpiration(days int) error
SetClientExpiration sets the client certificate expiration time in days.