secrets

package
v1.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 11, 2020 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 22 Imported by: 83

Documentation

Index

Constants

View Source 
const (
	// BasicAuthFormatNormal indicates that the data map should be rendered the normal way (dedicated keys for
	// username and password.
	BasicAuthFormatNormal formatType = "normal"
	// BasicAuthFormatCSV indicates that the data map should be rendered in the CSV-format.
	BasicAuthFormatCSV formatType = "csv"

	// DataKeyCSV is the key in a secret data holding the CSV format of a secret.
	DataKeyCSV = "basic_auth.csv"
	// DataKeyUserName is the key in a secret data holding the username.
	DataKeyUserName = "username"
	// DataKeyPassword is the key in a secret data holding the password.
	DataKeyPassword = "password"
	// DataKeyPasswordBcryptHash is the key in a secret data holding the bcrypt hash of the password.
	DataKeyPasswordBcryptHash = "bcryptPasswordHash"
)
View Source 
const (
	// CACert indicates that the certificate should be a certificate authority.
	CACert certType = "ca"
	// ServerCert indicates that the certificate should have the ExtKeyUsageServerAuth usage.
	ServerCert certType = "server"
	// ClientCert indicates that the certificate should have the ExtKeyUsageClientAuth usage.
	ClientCert certType = "client"
	// ServerClientCert indicates that the certificate should have both the ExtKeyUsageServerAuth and ExtKeyUsageClientAuth usage.
	ServerClientCert certType = "both"

	// DataKeyCertificate is the key in a secret data holding the certificate.
	DataKeyCertificate = "tls.crt"
	// DataKeyPrivateKey is the key in a secret data holding the private key.
	DataKeyPrivateKey = "tls.key"
	// DataKeyCertificateCA is the key in a secret data holding the CA certificate.
	DataKeyCertificateCA = "ca.crt"
	// DataKeyPrivateKeyCA is the key in a secret data holding the CA private key.
	DataKeyPrivateKeyCA = "ca.key"
)
View Source 
const (
	// PKCS1 certificate format
	PKCS1 = iota
	// PKCS8 certificate format
	PKCS8
)
View Source 
const (
	// DataKeyRSAPrivateKey is the key in a secret data holding the RSA private key.
	DataKeyRSAPrivateKey = "id_rsa"
	// DataKeySSHAuthorizedKeys is the key in a secret data holding the OpenSSH authorized keys.
	DataKeySSHAuthorizedKeys = "id_rsa.pub"
)
View Source 
const (
	// DataKeyStaticTokenCSV is the key in a secret data holding the CSV format of a secret.
	DataKeyStaticTokenCSV = "static_tokens.csv"
	// DataKeyUserID is the key in a secret data holding the userID.
	DataKeyUserID = "userID"
	// DataKeyGroups is the key in a secret data holding the groups.
	DataKeyGroups = "groups"
	// DataKeyToken is the key in a secret data holding the token.
	DataKeyToken = "token"
)
View Source 
const (
	// DataKeyKubeconfig is the key in a secret data holding the kubeconfig.
	DataKeyKubeconfig = "kubeconfig"
)

Variables

This section is empty.

Functions

func GenerateCertificateAuthorities 

func GenerateCertificateAuthorities(k8sClusterClient kubernetes.Interface, existingSecretsMap map[string]*corev1.Secret, wantedCertificateAuthorities map[string]*CertificateSecretConfig, namespace string) (map[string]*corev1.Secret, map[string]*Certificate, error)

GenerateCertificateAuthorities get a map of wanted certificates and check If they exist in the existingSecretsMap based on the keys in the map. If they exist it get only the certificate from the corresponding existing secret and makes a certificate Interface from the existing secret. If there is no existing secret contaning the wanted certificate, we make one certificate and with it we deploy in K8s cluster a secret with that certificate and then return the newly existing secret. The function returns a map of secrets contaning the wanted CA, a map with the wanted CA certificate and an error.

func GenerateClusterSecrets 

func GenerateClusterSecrets(ctx context.Context, k8sClusterClient kubernetes.Interface, existingSecretsMap map[string]*corev1.Secret, wantedSecretsList []ConfigInterface, namespace string) (map[string]*corev1.Secret, error)

GenerateClusterSecrets try to deploy in the k8s cluster each secret in the wantedSecretsList. If the secret already exist it jumps to the next one. The function returns a map with all of the successfully deployed wanted secrets plus those already deployed (only from the wantedSecretsList).

Types

type BasicAuth 

type BasicAuth struct {
	Name   string
	Format formatType

	Username           string
	Password           string
	BcryptPasswordHash string
}

BasicAuth contains the username, the password, optionally hash of the password and the format for serializing the basic authentication

func LoadBasicAuthFromCSV 

func LoadBasicAuthFromCSV(name string, data []byte) (*BasicAuth, error)

LoadBasicAuthFromCSV loads the basic auth. username and the password from the given CSV-formatted <data>.

func (*BasicAuth) SecretData 

func (b *BasicAuth) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type BasicAuthSecretConfig 

type BasicAuthSecretConfig struct {
	Name   string
	Format formatType

	Username                  string
	PasswordLength            int
	BcryptPasswordHashRequest bool
}

BasicAuthSecretConfig contains the specification a to-be-generated basic authentication secret.

func (*BasicAuthSecretConfig) Generate 

func (s *BasicAuthSecretConfig) Generate() (Interface, error)

Generate implements ConfigInterface.

func (*BasicAuthSecretConfig) GenerateBasicAuth 

func (s *BasicAuthSecretConfig) GenerateBasicAuth() (*BasicAuth, error)

GenerateBasicAuth computes a username,password and the hash of the password keypair. It uses "admin" as username and generates a random password of length 32.

func (*BasicAuthSecretConfig) GetName 

func (s *BasicAuthSecretConfig) GetName() string

GetName returns the name of the secret.

type Certificate 

type Certificate struct {
	Name string

	CA *Certificate

	PrivateKey    *rsa.PrivateKey
	PrivateKeyPEM []byte

	Certificate    *x509.Certificate
	CertificatePEM []byte
}

Certificate contains the private key, and the certificate. It does also contain the CA certificate in case it is no CA. Otherwise, the <CA> field is nil.

func LoadCAFromSecret 

func LoadCAFromSecret(k8sClient client.Client, namespace, name string) (*corev1.Secret, *Certificate, error)

LoadCAFromSecret loads a CA certificate from an existing Kubernetes secret object. It returns the secret, the Certificate and an error.

func LoadCertificate 

func LoadCertificate(name string, privateKeyPEM, certificatePEM []byte) (*Certificate, error)

LoadCertificate takes a byte slice representation of a certificate and the corresponding private key, and returns its de-serialized private key, certificate template and PEM certificate which can be used to sign other x509 certificates.

func (*Certificate) SecretData 

func (c *Certificate) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type CertificateSecretConfig 

type CertificateSecretConfig struct {
	Name string

	CommonName   string
	Organization []string
	DNSNames     []string
	IPAddresses  []net.IP

	CertType  certType
	SigningCA *Certificate
	PKCS      int

	Validity *time.Duration
}

CertificateSecretConfig contains the specification a to-be-generated CA, server, or client certificate. It always contains a 2048-bit RSA private key.

func (*CertificateSecretConfig) Generate 

func (s *CertificateSecretConfig) Generate() (Interface, error)

Generate implements ConfigInterface.

func (*CertificateSecretConfig) GenerateCertificate 

func (s *CertificateSecretConfig) GenerateCertificate() (*Certificate, error)

GenerateCertificate computes a CA, server, or client certificate based on the configuration.

func (*CertificateSecretConfig) GetName 

func (s *CertificateSecretConfig) GetName() string

GetName returns the name of the secret.

type ConfigInterface 

type ConfigInterface interface {
	GetName() string
	Generate() (Interface, error)
}

ConfigInterface define functions needed for generating a specific secret.

type ControlPlane 

type ControlPlane struct {
	Name string

	Certificate *Certificate
	BasicAuth   *BasicAuth
	Token       *Token
	Kubeconfig  []byte
}

ControlPlane contains the certificate, and optionally the basic auth. information as well as a Kubeconfig.

func (*ControlPlane) SecretData 

func (c *ControlPlane) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type ControlPlaneSecretConfig 

type ControlPlaneSecretConfig struct {
	*CertificateSecretConfig

	BasicAuth *BasicAuth
	Token     *Token

	KubeConfigRequest *KubeConfigRequest
}

ControlPlaneSecretConfig is a struct which inherits from CertificateSecretConfig and is extended with a couple of additional properties. A control plane secret will always contain a server/client certificate and optionally a kubeconfig.

func (*ControlPlaneSecretConfig) Generate 

func (s *ControlPlaneSecretConfig) Generate() (Interface, error)

Generate implements ConfigInterface.

func (*ControlPlaneSecretConfig) GenerateControlPlane 

func (s *ControlPlaneSecretConfig) GenerateControlPlane() (*ControlPlane, error)

GenerateControlPlane computes a secret for a control plane component of the clusters managed by Gardener. It may include a Kubeconfig.

func (*ControlPlaneSecretConfig) GetName 

func (s *ControlPlaneSecretConfig) GetName() string

GetName returns the name of the secret.

type Interface 

type Interface interface {
	SecretData() map[string][]byte
}

Interface defines functions needed for defining the data map of a Kubernetes secret.

type KubeConfigRequest 

type KubeConfigRequest struct {
	ClusterName  string
	APIServerURL string
}

KubeConfigRequest is a struct which holds information about a Kubeconfig to be generated.

type RSAKeys 

type RSAKeys struct {
	Name string

	PrivateKey *rsa.PrivateKey
	PublicKey  *rsa.PublicKey

	OpenSSHAuthorizedKey []byte
}

RSAKeys contains the private key, the public key, and optionally the OpenSSH-formatted authorized keys file data.

func (*RSAKeys) SecretData 

func (r *RSAKeys) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type RSASecretConfig 

type RSASecretConfig struct {
	Name string

	Bits       int
	UsedForSSH bool
}

RSASecretConfig containing information about the number of bits which should be used for the to-be-created RSA private key.

func (*RSASecretConfig) Generate 

func (s *RSASecretConfig) Generate() (Interface, error)

Generate implements ConfigInterface.

func (*RSASecretConfig) GenerateRSAKeys 

func (s *RSASecretConfig) GenerateRSAKeys() (*RSAKeys, error)

GenerateRSAKeys computes a RSA private key based on the configured number of bits.

func (*RSASecretConfig) GetName 

func (s *RSASecretConfig) GetName() string

GetName returns the name of the secret.

type Secrets 

type Secrets struct {
	CertificateSecretConfigs map[string]*CertificateSecretConfig
	SecretConfigsFunc        func(map[string]*Certificate, string) []ConfigInterface
}

Secrets represents a set of secrets that can be deployed and deleted.

func (*Secrets) Delete 

func (s *Secrets) Delete(cs kubernetes.Interface, namespace string) error

Delete deletes the secrets from the given namespace.

func (*Secrets) Deploy 

func (s *Secrets) Deploy(
	ctx context.Context,
	cs kubernetes.Interface,
	gcs gardenerkubernetes.Interface,
	namespace string,
) (map[string]*corev1.Secret, error)

Deploy generates and deploys the secrets into the given namespace, taking into account existing secrets.

type StaticToken 

type StaticToken struct {
	Name string

	Tokens []Token
}

StaticToken contains the username, the password, optionally hash of the password and the format for serializing the static token

func LoadStaticTokenFromCSV 

func LoadStaticTokenFromCSV(name string, data []byte) (*StaticToken, error)

LoadStaticTokenFromCSV loads the static token data from the given CSV-formatted <data>.

func (*StaticToken) GetTokenForUsername 

func (b *StaticToken) GetTokenForUsername(username string) (*Token, error)

GetTokenForUsername returns the token for the given username.

func (*StaticToken) SecretData 

func (b *StaticToken) SecretData() map[string][]byte

SecretData computes the data map which can be used in a Kubernetes secret.

type StaticTokenSecretConfig 

type StaticTokenSecretConfig struct {
	Name string

	Tokens []TokenConfig
}

StaticTokenSecretConfig contains the specification a to-be-generated static token secret.

func (*StaticTokenSecretConfig) Generate 

func (s *StaticTokenSecretConfig) Generate() (Interface, error)

Generate implements ConfigInterface.

func (*StaticTokenSecretConfig) GenerateStaticToken 

func (s *StaticTokenSecretConfig) GenerateStaticToken() (*StaticToken, error)

GenerateStaticToken computes a random token of length 64.

func (*StaticTokenSecretConfig) GetName 

func (s *StaticTokenSecretConfig) GetName() string

GetName returns the name of the secret.

type Token 

type Token struct {
	Username string
	UserID   string
	Groups   []string
	Token    string
}

Token contains fields of a generated token.

type TokenConfig 

type TokenConfig struct {
	Username string
	UserID   string
	Groups   []string
}

TokenConfig contains configuration for a token.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.