tls

package

v0.5.8 Latest Latest Go to latest Published: Apr 24, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bytedance/vArmor

Documentation ¶

Index ¶

Constants
func CertificateToPem(certificateDER []byte) []byte
func GenerateCACert(certValidityDuration time.Duration) (*KeyPair, *PemPair, error)
func GenerateInClusterServiceName(props CertificateProps) string
func GenerateRootCASecretName(props CertificateProps) string
func GenerateTLSPairSecretName(props CertificateProps) string
func IsVarmorManagerInRollingUpdate(deploy *appsv1.Deployment) bool
func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte
func ReadRootCASecret(secretInterface corev1.SecretInterface, secretName string) (result []byte, err error)
type CertRenewer
- func NewCertRenewer(clientConfig *rest.Config, secretInterface corev1.SecretInterface, ...) *CertRenewer
type CertificateProps
- func GetTLSCertProps(configuration *rest.Config) (certProps CertificateProps, err error)
type KeyPair
type PemPair
- func GenerateCertPem(caCert *KeyPair, props CertificateProps, certValidityDuration time.Duration, ...) (*PemPair, error)
- func ReadTLSPair(secretInterface corev1.SecretInterface, secretName string) (*PemPair, error)

Constants ¶

View Source

const (
	SelfSignedAnnotation string = "self-signed-cert"
	RootCAKey            string = "rootCA.crt"
)

View Source

const ErrorsNotFound = "root CA certificate not found"

Variables ¶

This section is empty.

Functions ¶

func CertificateToPem ¶

func CertificateToPem(certificateDER []byte) []byte

CertificateToPem ...

func GenerateCACert ¶

func GenerateCACert(certValidityDuration time.Duration) (*KeyPair, *PemPair, error)

GenerateCACert creates the self-signed CA cert and private key. It will be used to sign the webhook server certificate.

func GenerateInClusterServiceName ¶

func GenerateInClusterServiceName(props CertificateProps) string

GenerateInClusterServiceName The generated service name should be the common name for TLS certificate.

func GenerateRootCASecretName ¶

func GenerateRootCASecretName(props CertificateProps) string

func GenerateTLSPairSecretName ¶

func GenerateTLSPairSecretName(props CertificateProps) string

func IsVarmorManagerInRollingUpdate ¶

func IsVarmorManagerInRollingUpdate(deploy *appsv1.Deployment) bool

func PrivateKeyToPem ¶

func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte

PrivateKeyToPem Creates PEM block from private key object.

func ReadRootCASecret ¶

func ReadRootCASecret(secretInterface corev1.SecretInterface, secretName string) (result []byte, err error)

ReadRootCASecret returns the RootCA from the pre-defined secret.

Types ¶

type CertRenewer ¶

type CertRenewer struct {
	// contains filtered or unexported fields
}

CertRenewer creates rootCA and pem pair to register webhook configurations and webhook server renews RootCA at the given interval.

func NewCertRenewer ¶

func NewCertRenewer(clientConfig *rest.Config, secretInterface corev1.SecretInterface, deploymentInterface appsv1.DeploymentInterface, certRenewalInterval, certValidityDuration time.Duration, managerIP string, debug bool, log logr.Logger) *CertRenewer

NewCertRenewer returns an instance of CertRenewer.

func (*CertRenewer) InitTLSPemPair ¶

func (c *CertRenewer) InitTLSPemPair() (*PemPair, error)

InitTLSPemPair Loads or creates PEM private key and TLS certificate for webhook server. Created pair is stored in cluster's secret. Returns struct with key/certificate pair.

func (*CertRenewer) RollingUpdateVarmorManager ¶

func (c *CertRenewer) RollingUpdateVarmorManager() error

RollingUpdate triggers a rolling update of varmor-manager pod. It is used when the rootCA is renewed, the restart of varmor-manager pod will register webhook server with new cert.

func (*CertRenewer) ValidCert ¶

func (c *CertRenewer) ValidCert(certProps CertificateProps) (bool, error)

ValidCert validates the CA Cert.

func (*CertRenewer) WriteCACertToSecret ¶

func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair, secretName string) error

WriteCACertToSecret stores the CA cert in secret.

func (*CertRenewer) WriteTLSPairToSecret ¶

func (c *CertRenewer) WriteTLSPairToSecret(pemPair *PemPair, secretName string) error

WriteTLSPairToSecret writes the pair of TLS certificate and key to the specified secret.

type CertificateProps ¶

type CertificateProps struct {
	Service       string
	Namespace     string
	APIServerHost string
	ServerIP      string
}

CertificateProps Properties of TLS certificate which should be issued for webhook server.

func GetTLSCertProps ¶

func GetTLSCertProps(configuration *rest.Config) (certProps CertificateProps, err error)

GetTLSCertProps provides the TLS Certificate Properties.

type KeyPair ¶

type KeyPair struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

KeyPair ...

type PemPair ¶

type PemPair struct {
	Certificate []byte
	PrivateKey  []byte
}

PemPair The pair of TLS certificate corresponding private key, both in PEM format.

func GenerateCertPem ¶

func GenerateCertPem(caCert *KeyPair, props CertificateProps, certValidityDuration time.Duration, managerIP string, debug bool) (*PemPair, error)

GenerateCertPem takes the results of GenerateCACert and uses it to create the PEM-encoded public certificate and private key, respectively.

func ReadTLSPair ¶

func ReadTLSPair(secretInterface corev1.SecretInterface, secretName string) (*PemPair, error)

ReadTLSPair returns the pem pair from the pre-defined secret.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL