Documentation
Overview
Package secrets generates and defaults all secrets required by the private-cloud Helm chart that are not derived from the installer configuration.
Index
- func EnsureAuthKeys(vault *files.InstallVault) error
- func EnsureCephSSHKeys(vault *files.InstallVault, ceph *files.CephConfig) error
- func EnsureDefaultSecrets(vault *files.InstallVault) error
- func EnsureIngressCA(vault *files.InstallVault, cluster *files.ClusterConfig) error
- func EnsureMounterHmacSecret(vault *files.InstallVault) error
- func EnsureNixSigningKeys(vault *files.InstallVault, host string) error
- func EnsurePostgresSecrets(vault *files.InstallVault, postgres *files.PostgresConfig) error
- func EnsureSecrets(vault *files.InstallVault, config *files.RootConfig) error
- func EnsureServiceAccountTokens(vault *files.InstallVault) error
- func GenerateCA(cn, country, locality, org string) (keyPEM, certPEM string, err error)
- func GenerateECDSAKeyPair() (privateKey string, publicKey string, err error)
- func GeneratePassword(length int) (string, error)
- func GenerateSSHKeyPair() (privateKey string, publicKey string, err error)
- func GenerateServerCertificate(caKeyPEM, caCertPEM, cn string, ipAddresses []string) (keyPEM, certPEM string, err error)
- func ValidateCertKeyPair(certPEM, keyPEM string) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func EnsureAuthKeys
func EnsureAuthKeys(vault *files.InstallVault) error
EnsureAuthKeys generates RSA-4096 token keys and EC P-256 domain-auth keys in PKCS8/SPKI PEM format if not already present. Each key pair is checked independently.
func EnsureCephSSHKeys
func EnsureCephSSHKeys(vault *files.InstallVault, ceph *files.CephConfig) error
EnsureCephSSHKeys generates the Ceph SSH key pair if not already present in vault. The private key is written to vault; the public key is set on ceph.CephAdmSSHKey.PublicKey.
func EnsureDefaultSecrets
func EnsureDefaultSecrets(vault *files.InstallVault) error
EnsureDefaultSecrets sets dummy defaults for all Helm chart secrets not managed by the installer config. Always overwrites digitalOceanApiToken; all others are only set when absent.
func EnsureIngressCA
func EnsureIngressCA(vault *files.InstallVault, cluster *files.ClusterConfig) error
EnsureIngressCA generates the cluster ingress CA if not already present in vault. The CA private key is written to vault; the cert PEM is set on cluster.Certificates.CA.CertPem.
func EnsureMounterHmacSecret
func EnsureMounterHmacSecret(vault *files.InstallVault) error
EnsureMounterHmacSecret migrates the legacy 'hmac-secret' to 'mounterHmacSecret' or creates a new 64-character hex secret if neither exists. Idempotent.
func EnsureNixSigningKeys
func EnsureNixSigningKeys(vault *files.InstallVault, host string) error
EnsureNixSigningKeys generates an Ed25519 signing key pair for nix-cache in the format "host:hexKey" if not already present. Idempotent.
func EnsurePostgresSecrets
func EnsurePostgresSecrets(vault *files.InstallVault, postgres *files.PostgresConfig) error
EnsurePostgresSecrets generates all postgres certificates and passwords if not already present in vault (sentinel: postgresPassword). Private keys and passwords are written to vault; cert PEMs are set on the postgres config struct for inclusion in the config YAML.
func EnsureSecrets
func EnsureSecrets(vault *files.InstallVault, config *files.RootConfig) error
EnsureSecrets generates all secrets required by the Helm chart that are not derived from the installer configuration. Each sub-function is idempotent; the whole call is safe to repeat on an already-populated vault.
func EnsureServiceAccountTokens
func EnsureServiceAccountTokens(vault *files.InstallVault) error
EnsureServiceAccountTokens signs RS512 JWTs for all Codesphere internal service accounts and stores them in vault. Requires tokenPrivateKey to already be present (call EnsureAuthKeys first). Idempotent: skips if authServiceUserToken already exists.
func GenerateCA
func GenerateCA(cn, country, locality, org string) (keyPEM, certPEM string, err error)
GenerateCA generates a self-signed RSA-2048 CA certificate.
func GenerateECDSAKeyPair
func GenerateECDSAKeyPair() (privateKey string, publicKey string, err error)
func GeneratePassword
func GeneratePassword(length int) (string, error)
func GenerateSSHKeyPair
func GenerateSSHKeyPair() (privateKey string, publicKey string, err error)
func GenerateServerCertificate
func GenerateServerCertificate(caKeyPEM, caCertPEM, cn string, ipAddresses []string) (keyPEM, certPEM string, err error)
GenerateServerCertificate generates an RSA-4096 server certificate signed by the given CA. The CA private key may be in either PKCS8 ("PRIVATE KEY") or PKCS1 ("RSA PRIVATE KEY") PEM format to support legacy vaults that were created before the PKCS8 migration.
func ValidateCertKeyPair
func ValidateCertKeyPair(certPEM, keyPEM string) error
ValidateCertKeyPair verifies that a PEM-encoded certificate's public key matches a PEM-encoded private key.
Types
This section is empty.