Documentation
Overview
Package tls provides options for retrieving TLS certificates and transforming them into a Go representation that can be used with the standard library tls package.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ArchiveFormat
type ArchiveFormat int
ArchiveFormat indicates what type of certificate archive format is used to encode a certificate.
const (
	// UnknownArchiveFormat indicates the archive format is unknown.
	UnknownArchiveFormat = 0
	// PKCS12 indicates the certificate is in the PKCS12 format.
	PKCS12 ArchiveFormat = 1
	// PEM indicates the certificate is in the PEM format.
	PEM ArchiveFormat = 2
)
type PrivateKeyOption
type PrivateKeyOption func(o *privateKeyOption)
PrivateKeyOption is an optional argument for PrivateKey().
func PKVersion
func PKVersion(version string) PrivateKeyOption
PKVersion sets a specific secret version to retrieve with PrivateKey().
type ServiceCertOption
type ServiceCertOption func(o *serviceCertOptions)
ServiceCertOption is an optional argument for ServiceCert().
func SCSkipVerify
func SCSkipVerify() ServiceCertOption
SCSkipVerify skips verification of the certificate. This is useful when dealing with self-signed certificates, which are handy in testing scenarios. Be wary of this option in any other case, as you would be using a tls.Certificate for content you send that cannot be validated against a CA (meaning clients in non-mTLS scenarios cannot validate that it is you). If your organization doesn't have a CA or you want simplified TLS certs, consider https://letsencrypt.org/.
func SCVersion
func SCVersion(version string) ServiceCertOption
SCVersion specifies the cert version you want to use. Defaults to the latest.
type TLS
TLS provides methods for extracting TLS certificates for use in TLS-wrapped communication.
func (TLS) PrivateKey
func (t TLS) PrivateKey(ctx context.Context, name string, options ...PrivateKeyOption) (ArchiveFormat, []byte, error)
PrivateKey returns the private key after it has been base64 decoded. If you are trying to use this with TLS for a net/http server, ServiceCert() is probably what you want.
func (TLS) ServiceCert
func (t TLS) ServiceCert(ctx context.Context, name string, options ...ServiceCertOption) (tls.Certificate, error)
ServiceCert returns a tls.Certificate that can be used to send content over TLS. This may fail if the certificates in the public chain are not in the order the parser expects.
Here is a quick way to use the cert in a Go HTTP server (this does not deal with TLS cert expirations):
	cert, err := kv.TLS().ServiceCert(ctx, "certname")
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	srv := &http.Server{
		TLSConfig:    cfg,
		ReadTimeout:  time.Minute,
		WriteTimeout: time.Minute,
	}
	log.Fatal(srv.ListenAndServeTLS("", ""))
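The snippet above builds the tls.Config once, so a certificate rotated at its source is only picked up on restart. The following is an added example, not code from this package, that serves the certificate through tls.Config.GetCertificate and refetches it before the leaf's NotAfter; rotatingCert, fetch and lead are names introduced here, and fetch is assumed to be a closure around kv.TLS().ServiceCert that drops the options argument.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"sync"
	"time"
)

// rotatingCert caches a certificate obtained via a ServiceCert-style fetch function and
// reloads it as the leaf nears expiry (wrap kv.TLS().ServiceCert in a closure to use it).
type rotatingCert struct {
	fetch  func(ctx context.Context, name string) (tls.Certificate, error)
	name   string
	lead   time.Duration // reload this long before the leaf's NotAfter
	mu     sync.Mutex
	cached *tls.Certificate
}

// get returns the cached certificate, fetching anew when nothing is cached or the
// cached leaf is within lead of expiring.
func (r *rotatingCert) get(ctx context.Context) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if c := r.cached; c != nil && time.Now().Add(r.lead).Before(c.Leaf.NotAfter) {
		return c, nil
	}
	c, err := r.fetch(ctx, r.name)
	if err != nil {
		return nil, err
	}
	if c.Leaf == nil { // ServiceCert may leave Leaf unset; parse it so expiry can be checked
		if len(c.Certificate) == 0 {
			return nil, errors.New("ServiceCert returned an empty certificate chain")
		}
		if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
			return nil, err
		}
	}
	r.cached = &c
	return r.cached, nil
}

// tlsConfig serves the current certificate via GetCertificate, so a rotation needs no restart.
func (r *rotatingCert) tlsConfig() *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return r.get(hello.Context())
		},
	}
}
```

Pass the returned config as http.Server's TLSConfig exactly as in the snippet above; the server must be restarted only if the fetch itself keeps failing.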