Documentation

Overview

Package certloader aims to provide a facility to ease dynamic tls.Config handling.

Constants

This section is empty.

Variables

var (
	// ErrMissingCertFile is returned when the certificate file is missing.
	ErrMissingCertFile = errors.New("certificate file path is required")
	// ErrMissingPrivkeyFile is returned when the private key file is missing.
	ErrMissingPrivkeyFile = errors.New("private key file path is required")
)

var (
	// ErrInvalidKeypair is returned when either the certificate or its
	// corresponding private key is missing.
	ErrInvalidKeypair = errors.New("certificate and private key are both required, but only one was provided")
)

Functions

func FutureWatchedServerConfig

func FutureWatchedServerConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *WatchedServerConfig, error)

FutureWatchedServerConfig returns a channel where exactly one WatchedServerConfig will be sent once the given files are ready and loaded. This can be useful when the file paths are well-known, but the files themselves don't exist yet. Both certFile and privkeyFile must be provided. To configure an mTLS capable ServerConfigBuilder, caFiles must contain at least one file path.

func FutureWatcher

func FutureWatcher(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (<-chan *Watcher, error)

FutureWatcher returns a channel where exactly one Watcher will be sent once the given files are ready and loaded. This can be useful when the file paths are well-known, but the files themselves don't exist yet. Note that the requirement is that the file directories must exist.

Types

type ClientConfigBuilder

type ClientConfigBuilder interface {
	IsMutualTLS() bool
	ClientConfig(base *tls.Config) *tls.Config
}

ClientConfigBuilder creates a tls.Config to be used as a TLS client.

type FileReloader

type FileReloader struct {
	// contains filtered or unexported fields
}

FileReloader is a set of TLS configuration files including custom CAs, and a certificate along with its private key (keypair) that can be reloaded dynamically via the Reload* functions.

func NewFileReloader

func NewFileReloader(caFiles []string, certFile, privkeyFile string) (*FileReloader, error)

NewFileReloader creates and returns a FileReloader using the given files. The files are not loaded when this function returns, and the caller is expected to call the Reload* functions until the returned FileReloader becomes ready.

func NewFileReloaderReady

func NewFileReloaderReady(caFiles []string, certFile, privkeyFile string) (*FileReloader, error)

NewFileReloaderReady creates and returns a FileReloader using the given files. The files are already loaded when this function returns, thus the returned FileReloader is readily usable.

func (*FileReloader) HasCustomCA

func (r *FileReloader) HasCustomCA() bool

HasCustomCA returns true when the FileReloader has custom CAs configured, false otherwise.

func (*FileReloader) HasKeypair

func (r *FileReloader) HasKeypair() bool

HasKeypair returns true when the FileReloader contains both a certificate and its private key, false otherwise.

func (*FileReloader) KeypairAndCACertPool

func (r *FileReloader) KeypairAndCACertPool() (*tls.Certificate, *x509.CertPool)

KeypairAndCACertPool returns both the configured keypair and CAs. This function should only be called once the FileReloader is ready, see Ready().

func (*FileReloader) Ready

func (r *FileReloader) Ready() bool

Ready returns true when the FileReloader is ready to be used, false otherwise.

func (*FileReloader) Reload

func (r *FileReloader) Reload() (keypair *tls.Certificate, caCertPool *x509.CertPool, err error)

Reload updates the caCertPool by reading the caFiles, and the keypair by reading certFile and privkeyFile.

func (*FileReloader) ReloadCA

func (r *FileReloader) ReloadCA() (*x509.CertPool, error)

ReloadCA updates the caCertPool by reading the caFiles.

func (*FileReloader) ReloadKeypair

func (r *FileReloader) ReloadKeypair() (*tls.Certificate, error)

ReloadKeypair updates the keypair by reading certFile and privkeyFile.

type ServerConfigBuilder

type ServerConfigBuilder interface {
	IsMutualTLS() bool
	ServerConfig(base *tls.Config) *tls.Config
}

ServerConfigBuilder creates a tls.Config to be used as a TLS server.

type WatchedClientConfig

type WatchedClientConfig struct {
	*Watcher
	// contains filtered or unexported fields
}

WatchedClientConfig is a ClientConfigBuilder backed by files that are watched for changes.

func NewWatchedClientConfig

func NewWatchedClientConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*WatchedClientConfig, error)

NewWatchedClientConfig returns a WatchedClientConfig configured with the provided files. When caFiles is nil or empty, the system CA CertPool is used. To configure an mTLS capable ClientConfigBuilder, both certFile and privkeyFile must be provided.

func (*WatchedClientConfig) ClientConfig

func (c *WatchedClientConfig) ClientConfig(base *tls.Config) *tls.Config

ClientConfig implements ClientConfigBuilder.

func (*WatchedClientConfig) IsMutualTLS

func (c *WatchedClientConfig) IsMutualTLS() bool

IsMutualTLS implements ClientConfigBuilder.

type WatchedServerConfig

type WatchedServerConfig struct {
	*Watcher
	// contains filtered or unexported fields
}

WatchedServerConfig is a ServerConfigBuilder backed by files that are watched for changes. The tls.Config created will use the latest CA and keypair on each TLS handshake, allowing for smooth TLS configuration rotation.
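The per-handshake lookup described above, as an added example that is not the certloader package's own code: a reduced stand-in (DynamicServer, material and selfSigned are assumed names) shows how a tls.Config callback serves whatever Reload installed last and turns on client-certificate verification only when a CA pool is configured. It generates constructed in-memory certificates and mirrors the handshake mechanism only, not the package's file watching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"sync/atomic"
	"time"
)

// material is the keypair/CA pool pair installed by the last Reload, swapped as
// one unit so a handshake never mixes a new certificate with an old key or pool.
type material struct {
	keypair tls.Certificate
	caPool  *x509.CertPool // nil: no CA files, so plain TLS without client auth
}

// DynamicServer is an assumed stand-in for WatchedServerConfig; call Reload before the first handshake.
type DynamicServer struct{ cur atomic.Value }

func (d *DynamicServer) Reload(kp tls.Certificate, pool *x509.CertPool) { d.cur.Store(&material{kp, pool}) }

// ServerConfig clones base and attaches the callback Go runs once per handshake.
func (d *DynamicServer) ServerConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		m := d.cur.Load().(*material)
		c := cfg.Clone() // per-connection copy, so base settings are preserved
		c.Certificates = []tls.Certificate{m.keypair}
		if m.caPool != nil { // CA files present: mutual TLS, like IsMutualTLS()
			c.ClientCAs, c.ClientAuth = m.caPool, tls.RequireAndVerifyClientCert
		}
		return c, nil
	}
	return cfg
}

// selfSigned builds a constructed in-memory certificate so the demo runs offline.
func selfSigned(serial int64) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // constructed fixture only; a real loader returns the error
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}
```

A listener created with tls.NewListener(l, d.ServerConfig(base)) keeps running across rotations; the closure re-reads the installed material every time a client connects.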

func NewWatchedServerConfig

func NewWatchedServerConfig(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*WatchedServerConfig, error)

NewWatchedServerConfig returns a WatchedServerConfig configured with the provided files. Both certFile and privkeyFile must be provided. To configure an mTLS capable ServerConfigBuilder, caFiles must contain at least one file path.

func (*WatchedServerConfig) IsMutualTLS

func (c *WatchedServerConfig) IsMutualTLS() bool

IsMutualTLS implements ServerConfigBuilder.

func (*WatchedServerConfig) ServerConfig

func (c *WatchedServerConfig) ServerConfig(base *tls.Config) *tls.Config

ServerConfig implements ServerConfigBuilder.

type Watcher

type Watcher struct {
	*FileReloader
	// contains filtered or unexported fields
}

Watcher is a set of TLS configuration files including CA files, and a certificate along with its private key. The files are watched for changes and reloaded automatically.

func NewWatcher

func NewWatcher(log logrus.FieldLogger, caFiles []string, certFile, privkeyFile string) (*Watcher, error)

NewWatcher returns a Watcher that watches over the given file paths. The given files are expected to already exist when this function is called. On success, the returned Watcher is ready to use.

func (*Watcher) Stop

func (w *Watcher) Stop()

Stop stops watching the files.

func (*Watcher) Watch

func (w *Watcher) Watch() <-chan struct{}

Watch initializes the file watcher and the update goroutine. It returns a ready channel that will be closed once an update has made the underlying FileReloader ready.
