Documentation
Index ¶
- Constants
- Variables
- func CSRClusterRole() client.Object
- func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding
- func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource
- func CheckKeyPairWarnings(keyPairs map[string]KeyPairInterface, status WarningReporter)
- func CreateCSRInitContainer(certificateManagement *operatorv1.CertificateManagement, ...) corev1.Container
- func CreateSelfSignedSecret(secretName, namespace, cn string, altNames []string) (*corev1.Secret, error)
- func GetKeyCertPEM(secret *corev1.Secret) ([]byte, []byte)
- func ParseCertificate(certBytes []byte) (*x509.Certificate, error)
- func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)
- func TrustedBundleName(prefix string, includeSystem bool) string
- type CertificateInterface
- type KeyPair
- func (k *KeyPair) BYO() bool
- func (k *KeyPair) GetCertificatePEM() []byte
- func (k *KeyPair) GetIssuer() CertificateInterface
- func (k *KeyPair) GetName() string
- func (k *KeyPair) GetNamespace() string
- func (k *KeyPair) HashAnnotationKey() string
- func (k *KeyPair) HashAnnotationValue() string
- func (k *KeyPair) InitContainer(namespace string, securityContext *corev1.SecurityContext) corev1.Container
- func (k *KeyPair) Secret(namespace string) *corev1.Secret
- func (k *KeyPair) UseCertificateManagement() bool
- func (k *KeyPair) Volume() corev1.Volume
- func (k *KeyPair) VolumeMount(osType rmeta.OSType) corev1.VolumeMount
- func (k *KeyPair) VolumeMountCertificateFilePath() string
- func (k *KeyPair) VolumeMountKeyFilePath() string
- func (k *KeyPair) Warnings() string
- type KeyPairInterface
- type TrustedBundle
- func CreateMultiTenantTrustedBundleWithSystemRootCertificates(ca CertificateInterface, certificates ...CertificateInterface) (TrustedBundle, error)
- func CreateNamedTrustedBundle(prefix string, ca CertificateInterface, includeSystem bool, ...) TrustedBundle
- func CreateTrustedBundle(ca CertificateInterface, certificates ...CertificateInterface) TrustedBundle
- func CreateTrustedBundleWithSystemRootCertificates(ca CertificateInterface, certificates ...CertificateInterface) (TrustedBundle, error)
- type TrustedBundleRO
- type WarningReporter
Constants ¶
const (
	// RHELRootCertificateBundleName is the name of the system CA bundle as present in UBI/RHEL systems.
	// A trusted bundle that includes system roots renders it at /etc/pki/tls/certs/ca-bundle.crt.
	RHELRootCertificateBundleName = "ca-bundle.crt"
	// SSLCertFile is the symbolic link to the system CA bundle used by libssl SSL_CERT_FILE.
	SSLCertFile = "cert.pem"
)
const (
	// CSRClusterRoleName is the name of the ClusterRole that grants permission to create
	// certificate signing requests (see CSRClusterRole and CSRClusterRoleBinding).
	CSRClusterRoleName = "tigera-csr-creator"
	// CSRCMountPath is the mount path used by the CSR init container; presumably the volume at
	// this path is how the provisioned key and certificate reach the application container —
	// NOTE(review): confirm against CreateCSRInitContainer.
	CSRCMountPath = "/certs-share"
	// CSRInitContainerName is the name given to the init container that requests the certificate.
	CSRInitContainerName = "key-cert-provisioner"
)
const (
	// TenantCASecretName is the name of the Secret holding the per-tenant CA; by its name it is
	// expected to contain the CA private key, so it must be treated as secret material.
	TenantCASecretName = "tigera-ca-private-tenant"
	// CASecretName is the name of the Secret holding the operator CA; by its name it is expected
	// to contain the CA private key, so it must be treated as secret material.
	CASecretName = "tigera-ca-private"
	// TrustedCertConfigMapKeyName is the ConfigMap key under which the trusted bundle is stored.
	TrustedCertConfigMapKeyName = "tigera-ca-bundle.crt"
	// TrustedCertVolumeMountPath is the directory at which the trusted bundle volume is mounted
	// on Linux. NOTE(review): this is also the directory where RHEL/UBI images keep their own
	// CA bundle, so the mounted volume hides the image's certificates; bundles that need system
	// roots must carry them explicitly (see CreateTrustedBundleWithSystemRootCertificates).
	TrustedCertVolumeMountPath = "/etc/pki/tls/"
	// TrustedCertVolumeMountPathWindows is the Windows equivalent of TrustedCertVolumeMountPath.
	TrustedCertVolumeMountPathWindows = "c:/etc/pki/tls/"
	// TrustedCertBundleMountPath is the full path of the trusted bundle file inside
	// TrustedCertVolumeMountPath on Linux.
	TrustedCertBundleMountPath = "/etc/pki/tls/certs/tigera-ca-bundle.crt"
	// TrustedCertBundleMountPathWindows is the Windows equivalent of TrustedCertBundleMountPath.
	TrustedCertBundleMountPathWindows = "c:/etc/pki/tls/certs/tigera-ca-bundle.crt"
	// TrustedCertConfigMapSuffix is appended to a prefix to form a trusted bundle ConfigMap name.
	TrustedCertConfigMapSuffix = "-ca-bundle"
	// TrustedCertConfigMapSuffixPublic is the suffix for the variant that also includes public CAs.
	TrustedCertConfigMapSuffixPublic = TrustedCertConfigMapSuffix + "-system-certs"
	// TrustedCertConfigMapName is the name of the trusted certificate bundle ConfigMap. This value is used
	// for all single-tenant trusted bundles, as well as multi-tenant trusted bundles that do not include public CAs.
	TrustedCertConfigMapName = "tigera" + TrustedCertConfigMapSuffix
	// TrustedCertConfigMapNamePublic is the name of the trusted certificate bundle ConfigMap that includes public CAs, used
	// only in multi-tenant environments as a single namespace requires both a trusted bundle with public CAs as well as one without.
	TrustedCertConfigMapNamePublic = "tigera" + TrustedCertConfigMapSuffixPublic
)
const (
	// VoltronKeySizeBits is the size, in bits, of the key generated for Voltron.
	// NOTE(review): presumably an RSA key size (2048 is the usual minimum); confirm against the
	// key generation code before changing it, since the value is not self-describing here.
	VoltronKeySizeBits = 2048
)
Variables ¶
// ErrInvalidCertNoPEMData is the sentinel error reported when certificate bytes contain no PEM
// block; compare with errors.Is. Presumably returned by ParseCertificate — confirm.
var ErrInvalidCertNoPEMData = errors.New("cert has no PEM data")
Functions ¶
func CSRClusterRole ¶
CSRClusterRole returns a role with the necessary permissions to create certificate signing requests.
func CSRClusterRoleBinding ¶
func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding
CSRClusterRoleBinding returns a role binding with the necessary permissions to create certificate signing requests.
func CertificateVolumeSource ¶
func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource
func CheckKeyPairWarnings ¶ added in v1.38.13
func CheckKeyPairWarnings(keyPairs map[string]KeyPairInterface, status WarningReporter)
CheckKeyPairWarnings checks each keypair for BYO certificate expiry warnings and reports them to the status manager. For nil keypairs or keypairs without warnings, the warning is cleared.
func CreateCSRInitContainer ¶
func CreateCSRInitContainer( certificateManagement *operatorv1.CertificateManagement, secretName, image string, mountName string, commonName string, keyName string, certName string, dnsNames []string, appNameLabel string, securityContext *corev1.SecurityContext) corev1.Container
CreateCSRInitContainer creates an init container that can be added to a pod spec in order to create a CSR for its TLS certificates. It uses the provided params and the k8s downward api to be able to specify certificate subject information.
func CreateSelfSignedSecret ¶ added in v1.28.0
func CreateSelfSignedSecret(secretName, namespace, cn string, altNames []string) (*corev1.Secret, error)
CreateSelfSignedSecret creates a self-signed TLS secret.
func ParseCertificate ¶
func ParseCertificate(certBytes []byte) (*x509.Certificate, error)
func ResolveCSRInitImage ¶
func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)
ResolveCSRInitImage resolves the image needed for the CSR init container, taking into account the specified ImageSet.
func TrustedBundleName ¶ added in v1.38.0
Types ¶
type CertificateInterface ¶
// CertificateInterface wraps a certificate. Combine it with a TrustedBundle to mount a trusted
// certificate bundle to a pod.
type CertificateInterface interface {
	// GetIssuer returns the certificate that issued this one.
	// NOTE(review): what a root/self-signed certificate returns (nil or itself) is not visible here — confirm.
	GetIssuer() CertificateInterface
	// GetCertificatePEM returns the PEM-encoded certificate (public material only).
	GetCertificatePEM() []byte
	// GetName returns the certificate's name; presumably the name of the backing Secret.
	GetName() string
	// GetNamespace returns the certificate's namespace; presumably that of the backing Secret.
	GetNamespace() string
}
CertificateInterface wraps the certificate. Combine this with a TrustedBundle to mount a trusted certificate bundle to a pod.
func NewCertificate ¶
func NewCertificate(name, ns string, pem []byte, issuer CertificateInterface) CertificateInterface
NewCertificate creates a new certificate.
type KeyPair ¶
// KeyPair is the concrete KeyPairInterface implementation: a private key and certificate loaded
// from a Secret, plus what is needed to render it (or a CSR init container) into a pod.
// PrivateKey, PrivateKeyPEM and OriginalSecret all carry secret material and must be kept out of
// logs, status conditions and events.
type KeyPair struct {
	// CSRImage is the image of the CSR init container (see ResolveCSRInitImage).
	CSRImage string
	// Name is the name of the Secret backing this key pair.
	Name string
	// Namespace is the namespace of the Secret backing this key pair.
	Namespace string
	// Golang's x509 package uses the 'any' type for all private and public keys. See x509.CreateCertificate() for more.
	PrivateKey any
	// PrivateKeyPEM is the PEM-encoded private key; secret material.
	PrivateKeyPEM []byte
	// CertificatePEM is the PEM-encoded certificate.
	CertificatePEM []byte
	// ClusterDomain is the cluster DNS domain; presumably used to build DNSNames — confirm.
	ClusterDomain string
	// Embedded so that the CertificateManagement fields are promoted; presumably nil when
	// certificate management is not configured (see UseCertificateManagement) — confirm.
	*operatorv1.CertificateManagement
	// DNSNames are the names the certificate is expected to be valid for.
	DNSNames []string
	// Issuer is the key pair that issued this certificate.
	Issuer KeyPairInterface
	// OriginalSecret maintains a copy of the secret that the KeyPair was created from.
	// It includes the private key, so it is as sensitive as PrivateKeyPEM.
	OriginalSecret *corev1.Secret
}
func (*KeyPair) BYO ¶
BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false.
func (*KeyPair) GetCertificatePEM ¶
func (*KeyPair) GetIssuer ¶
func (k *KeyPair) GetIssuer() CertificateInterface
func (*KeyPair) GetNamespace ¶ added in v1.32.0
func (*KeyPair) HashAnnotationKey ¶
func (*KeyPair) HashAnnotationValue ¶
func (*KeyPair) InitContainer ¶
func (k *KeyPair) InitContainer(namespace string, securityContext *corev1.SecurityContext) corev1.Container
InitContainer returns an init container for making a CSR. It is only applicable when certificate management is enabled.
func (*KeyPair) UseCertificateManagement ¶
UseCertificateManagement is true if this secret is not BYO and certificate management is used to provide the key pair to a pod.
func (*KeyPair) VolumeMount ¶
func (k *KeyPair) VolumeMount(osType rmeta.OSType) corev1.VolumeMount
func (*KeyPair) VolumeMountCertificateFilePath ¶
func (*KeyPair) VolumeMountKeyFilePath ¶
type KeyPairInterface ¶
// KeyPairInterface wraps a Secret object that contains a private key and a certificate. Whether
// CertificateManagement is configured or not, KeyPair returns the right InitContainer,
// VolumeMount or Volume (when applicable).
type KeyPairInterface interface {
	// UseCertificateManagement returns true if this key pair was not user provided and certificate management has been configured.
	UseCertificateManagement() bool
	// BYO returns true if this KeyPair was provided by the user. If BYO is true, UseCertificateManagement is false.
	BYO() bool
	// InitContainer returns the init container that requests a certificate via CSR; only
	// applicable when certificate management is enabled.
	InitContainer(namespace string, securityContext *corev1.SecurityContext) corev1.Container
	// VolumeMount returns the mount for the key pair, with OS-specific paths.
	VolumeMount(osType meta.OSType) corev1.VolumeMount
	// VolumeMountKeyFilePath returns the path of the private key file inside the mount.
	VolumeMountKeyFilePath() string
	// VolumeMountCertificateFilePath returns the path of the certificate file inside the mount.
	VolumeMountCertificateFilePath() string
	// Volume returns the volume backing VolumeMount.
	Volume() corev1.Volume
	// Secret renders the key pair as a Secret in the given namespace; it carries the private key.
	Secret(namespace string) *corev1.Secret
	// HashAnnotationKey and HashAnnotationValue presumably form a pod annotation that changes when
	// the key pair changes, so that pods are rolled on rotation — confirm against callers.
	HashAnnotationKey() string
	HashAnnotationValue() string
	// Warnings returns a warning message if the certificate requires attention (e.g., a BYO secret
	// expiring within 30 days). Returns an empty string if there are no warnings.
	Warnings() string
	CertificateInterface
}
KeyPairInterface wraps a Secret object that contains a private key and a certificate. Whether CertificateManagement is configured or not, KeyPair returns the right InitContainer, VolumeMount or Volume (when applicable).
func NewKeyPair ¶
func NewKeyPair(secret *corev1.Secret, dnsNames []string, clusterDomain string) KeyPairInterface
NewKeyPair returns a KeyPair, which wraps a Secret object that contains a private key and a certificate. Whether certificate management is configured or not, KeyPair returns the right InitContainer, VolumeMount or Volume (when applicable).
type TrustedBundle ¶
// TrustedBundle is used to create a trusted certificate bundle of the CertificateManager CA and
// 0 or more Certificates. It holds public material only (certificates, no keys).
type TrustedBundle interface {
	// MountPath returns the directory at which the bundle is mounted.
	MountPath() string
	// ConfigMap renders the bundle as a ConfigMap in the given namespace.
	ConfigMap(namespace string) *corev1.ConfigMap
	// HashAnnotations presumably returns pod annotations that change with the bundle's contents,
	// so that consumers are rolled when trust changes — confirm against callers.
	HashAnnotations() map[string]string
	// VolumeMounts returns the mounts for the bundle, with OS-specific paths.
	VolumeMounts(osType meta.OSType) []corev1.VolumeMount
	// Volume returns the volume backing VolumeMounts.
	Volume() corev1.Volume
	// AddCertificates adds further certificates to trust; note this widens what consumers accept.
	AddCertificates(certificates ...CertificateInterface)
}
TrustedBundle is used to create a trusted certificate bundle of the CertificateManager CA and 0 or more Certificates.
func CreateMultiTenantTrustedBundleWithSystemRootCertificates ¶ added in v1.32.0
func CreateMultiTenantTrustedBundleWithSystemRootCertificates(ca CertificateInterface, certificates ...CertificateInterface) (TrustedBundle, error)
CreateMultiTenantTrustedBundleWithSystemRootCertificates creates a TrustedBundle with system root certificates that is appropriate for a multi-tenant cluster, in which each tenant needs multiple trusted bundles.
func CreateNamedTrustedBundle ¶ added in v1.38.0
func CreateNamedTrustedBundle(prefix string, ca CertificateInterface, includeSystem bool, certificates ...CertificateInterface) TrustedBundle
CreateNamedTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
func CreateTrustedBundle ¶
func CreateTrustedBundle(ca CertificateInterface, certificates ...CertificateInterface) TrustedBundle
CreateTrustedBundle creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt.
func CreateTrustedBundleWithSystemRootCertificates ¶ added in v1.28.7
func CreateTrustedBundleWithSystemRootCertificates(ca CertificateInterface, certificates ...CertificateInterface) (TrustedBundle, error)
CreateTrustedBundleWithSystemRootCertificates creates a TrustedBundle, which provides standardized methods for mounting a bundle of certificates to trust. It will include: - A bundle with Calico's root certificates + any user supplied certificates in /etc/pki/tls/certs/tigera-ca-bundle.crt. - A system root certificate bundle in /etc/pki/tls/certs/ca-bundle.crt.
type TrustedBundleRO ¶ added in v1.32.0
// TrustedBundleRO is the read-only view of a trusted bundle: the subset of TrustedBundle needed to
// mount an existing bundle into a pod, without parsing certificates or being able to add to it.
type TrustedBundleRO interface {
	// MountPath returns the directory at which the bundle is mounted.
	MountPath() string
	// HashAnnotations presumably returns pod annotations that change with the bundle's contents — confirm.
	HashAnnotations() map[string]string
	// VolumeMounts returns the mounts for the bundle, with OS-specific paths.
	VolumeMounts(osType meta.OSType) []corev1.VolumeMount
	// Volume returns the volume backing VolumeMounts.
	Volume() corev1.Volume
}
TrustedBundleRO is a read-only version of a trusted bundle, useful for rendering components without needing to parse certificates.
type WarningReporter ¶ added in v1.38.13
WarningReporter is a minimal interface for reporting certificate warnings to a status manager.