certs

package v1.0.0

This package is not in the latest version of its module.

Published: Aug 21, 2025 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package certs handles the PKI infrastructure of the operator.

Index

Constants

const (

	// CACertKey is the key for certificates in a CA secret
	CACertKey = "ca.crt"

	// CAPrivateKeyKey is the key for the private key field in a CA secret
	CAPrivateKeyKey = "ca.key"

	// TLSCertKey is the key for certificates in a CA secret
	TLSCertKey = "tls.crt"

	// TLSPrivateKeyKey is the key for the private key field in a CA secret
	TLSPrivateKeyKey = "tls.key"
)
const (
	// CertTypeClient means a certificate for a client
	CertTypeClient = "client"

	// CertTypeServer means a certificate for a server
	CertTypeServer = "server"
)
const (
	// WebhookSecretName is the name of the secret where the certificates
	// for the webhook server are stored
	WebhookSecretName = "unit-operator-webhook-cert" // #nosec

	// WebhookServiceName is the name of the service where the webhook server
	// is reachable
	WebhookServiceName = "unit-operator-webhook-service" // #nosec

	// MutatingWebhookConfigurationName is the name of the mutating webhook configuration
	MutatingWebhookConfigurationName = "unit-operator-mutating-webhook-configuration"

	// ValidatingWebhookConfigurationName is the name of the validating webhook configuration
	ValidatingWebhookConfigurationName = "unit-operator-validating-webhook-configuration"

	// The name of the directory containing the TLS certificates
	DefaultWebhookCertDir = "/run/secrets/unit-operator/webhook"

	// CaSecretName is the name of the secret which is hosting the Operator CA
	CaSecretName = "unit-operator-ca-secret" // #nosec
)

Variables

This section is empty.

Functions

func EnsurePKI

func EnsurePKI(
	ctx context.Context,
	kubeClient client.Client,
	mgrCertDir string,
) error

EnsurePKI ensures that the PKI infrastructure required for the operator and the clusters to work is in place.

func GetOperatorDeployment

func GetOperatorDeployment(
	ctx context.Context,
	kubeClient client.Client,
	namespace, operatorLabelSelector string,
) (*v1.Deployment, error)

GetOperatorDeployment finds the operator deployment using labels and returns the deployment object. If no deployment is found, or more than one matches, an error is returned.

func GetTLSConfigFromContext

func GetTLSConfigFromContext(ctx context.Context) (*tls.Config, error)

GetTLSConfigFromContext returns the *tls.Config contained by the context or any error encountered

func NewTLSConfigForContext

func NewTLSConfigForContext(
	ctx context.Context,
	cli client.Client,
	caSecret types.NamespacedName,
) (context.Context, error)

NewTLSConfigForContext creates a tls.Config with the provided data and returns an expanded context that contains the *tls.Config.

func RenewLeafCertificate

func RenewLeafCertificate(caSecret *v1.Secret, secret *v1.Secret, altDNSNames []string) (bool, error)

RenewLeafCertificate renews a secret containing a server certificate, given the secret containing the CA that will sign it. It returns true if the certificate has been renewed.

func SetAsOwnedByOperatorDeployment

func SetAsOwnedByOperatorDeployment(ctx context.Context,
	kubeClient client.Client,
	controlled *metav1.ObjectMeta,
	operatorLabelSelector string,
) error

SetAsOwnedByOperatorDeployment sets the controlled object as owned by the operator deployment.

IMPORTANT: The controlled resource must reside in the same namespace as the operator as described by: https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/

Types

type CertType

type CertType string

CertType represents a certificate type.

type KeyPair

type KeyPair struct {
	// The private key PEM block
	Private []byte

	// The certificate PEM block
	Certificate []byte
}

KeyPair represents a pair of keys to be used for asymmetric encryption, together with a certificate declaring the intended usage of those keys.

func CreateRootCA

func CreateRootCA(commonName string, organizationalUnit string) (*KeyPair, error)

CreateRootCA generates a CA returning its keys

func ParseCASecret

func ParseCASecret(secret *v1.Secret) (*KeyPair, error)

ParseCASecret parses a CA secret into a key pair.

func ParseServerSecret

func ParseServerSecret(secret *v1.Secret) (*KeyPair, error)

ParseServerSecret parses a server secret into a key pair.

func (KeyPair) CreateAndSignPair

func (pair KeyPair) CreateAndSignPair(host string, usage CertType, altDNSNames []string) (*KeyPair, error)

CreateAndSignPair, given a CA keypair, generates a leaf keypair and signs it with the CA.

func (*KeyPair) CreateDerivedCA

func (pair *KeyPair) CreateDerivedCA(commonName string, organizationalUnit string) (*KeyPair, error)

CreateDerivedCA creates a new CA derived from the certificate in the keypair.

func (*KeyPair) DoAltDNSNamesMatch

func (pair *KeyPair) DoAltDNSNamesMatch(altDNSNames []string) (bool, error)

DoAltDNSNamesMatch checks if the certificate has all of the specified altDNSNames

func (KeyPair) GenerateCASecret

func (pair KeyPair) GenerateCASecret(namespace, name string) *v1.Secret

GenerateCASecret creates a k8s CA secret from a key pair.

func (KeyPair) GenerateCertificateSecret

func (pair KeyPair) GenerateCertificateSecret(namespace, name string) *v1.Secret

GenerateCertificateSecret creates a k8s server secret from a key pair

func (*KeyPair) IsExpiring

func (pair *KeyPair) IsExpiring() (bool, *time.Time, error)

IsExpiring checks whether the certificate will expire within the configured duration.

func (KeyPair) IsValid

func (pair KeyPair) IsValid(caPair *KeyPair, opts *x509.VerifyOptions) error

IsValid checks that the server certificate verifies against the given CA under the given verify options.

func (KeyPair) ParseCertificate

func (pair KeyPair) ParseCertificate() (*x509.Certificate, error)

ParseCertificate parses the certificate stored in the pair.

func (KeyPair) ParseECPrivateKey

func (pair KeyPair) ParseECPrivateKey() (*ecdsa.PrivateKey, error)

ParseECPrivateKey parses the ECDSA private key stored in the pair.

func (*KeyPair) RenewCertificate

func (pair *KeyPair) RenewCertificate(
	caPrivateKey *ecdsa.PrivateKey,
	parentCertificate *x509.Certificate,
	altDNSNames []string,
) error

RenewCertificate creates a new certificate for the embedded private key, replacing the existing one. The certificate will be signed with the passed private key and will have the specified parent certificate as its parent. If the parent certificate is nil, the certificate will be self-signed.
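To show how the pieces of KeyPair fit together (a root CA, a leaf signed by it, the VerifyOptions check behind IsValid, and the SAN and expiry tests behind DoAltDNSNamesMatch and IsExpiring), here is an added example written only against the Go standard library. It is not the unit-operator's own code: the type and function names (LocalPair, NewRootCA, SignLeaf, Verify, NeedsRenewal) and the one-year CA and 90-day leaf lifetimes are assumptions, and the pair holds parsed objects rather than the PEM blocks the page's KeyPair stores.

```go
package main

// Added illustration, not the unit-operator's code: the CA -> leaf -> verify
// -> renewal-check cycle the certs package wraps, on the standard library only.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalPair (assumed name) is a private key plus the certificate bound to it.
type LocalPair struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate }

// issue generates a fresh P-256 key and signs tmpl with the signer's key;
// when signer is nil the certificate is self-signed (as RenewCertificate does
// for a nil parent).
func issue(tmpl *x509.Certificate, signer *LocalPair) (*LocalPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer = &LocalPair{Key: key, Cert: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &LocalPair{Key: key, Cert: cert}, nil
}

// NewRootCA builds a one-year (assumed) self-signed CA whose key usage is
// limited to signing certificates and CRLs.
func NewRootCA(cn, ou string) (*LocalPair, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// SignLeaf issues a 90-day (assumed) server or client certificate for host
// plus the extra SANs, the role CreateAndSignPair plays on the page.
func (ca *LocalPair) SignLeaf(host string, server bool, altDNSNames []string) (*LocalPair, error) {
	eku := x509.ExtKeyUsageClientAuth
	if server {
		eku = x509.ExtKeyUsageServerAuth
	}
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     append([]string{host}, altDNSNames...),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}, ca)
}

// Verify chains the leaf to ca for dnsName and usage, the VerifyOptions check
// IsValid performs: a well-signed cert for the wrong host or role is rejected.
func (p *LocalPair) Verify(ca *LocalPair, dnsName string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := p.Cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// NeedsRenewal combines DoAltDNSNamesMatch and IsExpiring: true when a wanted
// SAN is absent from the certificate or NotAfter falls inside window.
func (p *LocalPair) NeedsRenewal(altDNSNames []string, window time.Duration) bool {
	have := map[string]bool{}
	for _, n := range p.Cert.DNSNames {
		have[n] = true
	}
	for _, n := range altDNSNames {
		if !have[n] {
			return true
		}
	}
	return time.Now().Add(window).After(p.Cert.NotAfter)
}

func main() {
	ca, _ := NewRootCA("unit-operator-ca", "operator")
	srv, _ := ca.SignLeaf("unit-operator-webhook-service.default.svc", true, nil)
	fmt.Println("leaf verifies:", srv.Verify(ca, srv.Cert.Subject.CommonName, x509.ExtKeyUsageServerAuth) == nil)
}
```

The point worth carrying over to any reconciler built on this package: Verify is only as strong as the VerifyOptions it is given. Passing a DNSName and a KeyUsages list means a leaf issued for the wrong service name, or a client cert presented where a server cert is expected, fails verification even though its signature chains cleanly to the operator CA; and the renewal check covers the SAN list as well as the expiry, so a service rename triggers reissue rather than a silently stale certificate.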

type PublicKeyInfrastructure

type PublicKeyInfrastructure struct {
	// Where to store the certificates
	CertDir string

	// The name of the secret where the CA certificate will be stored
	CaSecretName string

	// The name of the secret where the certificates will be stored
	SecretName string

	// The name of the service where the webhook server will be reachable
	ServiceName string

	// The name of the namespace where the operator is set up
	OperatorNamespace string

	// The name of the mutating webhook configuration in k8s, used to
	// inject the caBundle
	MutatingWebhookConfigurationName string

	// The name of the validating webhook configuration in k8s, used
	// to inject the caBundle
	ValidatingWebhookConfigurationName string

	// The labelSelector used to find the operator's deployment
	OperatorDeploymentLabelSelector string
}

PublicKeyInfrastructure represents the PKI under which the operator and the webhook server will work.

func (*PublicKeyInfrastructure) Setup

func (pki *PublicKeyInfrastructure) Setup(
	ctx context.Context,
	kubeClient client.Client,
) error

Setup ensures that the PKI infrastructure required for the operator and the clusters to work is in place.
