Documentation
Index
- Constants
- Variables
- func ConstructTLSConfig(ctx context.Context, conf config.Section, tlsType TLSType) (*tls.Config, error)
- func EnableCertificateMetrics(ctx context.Context, metricsRegistry metric.MetricsRegistry) error
- func InitTLSConfig(conf config.Section)
- func NewTLSConfig(ctx context.Context, config *Config, tlsType TLSType) (*tls.Config, error)
- type Config
- type TLSType
Constants

const (
	// HTTPConfTLSCAFile the TLS certificate authority file for the HTTP server
	HTTPConfTLSCAFile = "caFile"
	// HTTPConfTLSCA the TLS certificate authority in PEM format, this option is ignored if HTTPConfTLSCAFile is also set
	HTTPConfTLSCA = "ca"
	// HTTPConfTLSCertFile the TLS certificate file for the HTTP server
	HTTPConfTLSCertFile = "certFile"
	// HTTPConfTLSCert the TLS certificate in PEM format, this option is ignored if HTTPConfTLSCertFile is also set
	HTTPConfTLSCert = "cert"
	// HTTPConfTLSClientAuth whether the HTTP server requires a mutual TLS connection
	HTTPConfTLSClientAuth = "clientAuth"
	// HTTPConfTLSEnabled whether TLS is enabled for the HTTP server
	HTTPConfTLSEnabled = "enabled"
	// HTTPConfTLSKeyFile the private key file for TLS on the server
	HTTPConfTLSKeyFile = "keyFile"
	// HTTPConfTLSKey the TLS certificate key in PEM format, this option is ignored if HTTPConfTLSKeyFile is also set
	HTTPConfTLSKey = "key"
	// HTTPConfTLSInsecureSkipHostVerify disables host verification - insecure (for dev only)
	HTTPConfTLSInsecureSkipHostVerify = "insecureSkipHostVerify"
	// HTTPConfTLSRequiredDNAttributes provides a set of regular expressions, to match against the DN of the client. Requires HTTPConfTLSClientAuth
	HTTPConfTLSRequiredDNAttributes = "requiredDNAttributes"
)
const (
	// CertMetricsSubsystem is the metrics subsystem under which the certificate expiry gauge is
	// registered, i.e. ff_tls_certificate_expiry.
	CertMetricsSubsystem = "tls"
)
Variables

var SubjectDNKnownAttributes = map[string]func(pkix.Name) []string{
	"C":  func(n pkix.Name) []string { return n.Country },
	"O":  func(n pkix.Name) []string { return n.Organization },
	"OU": func(n pkix.Name) []string { return n.OrganizationalUnit },
	"CN": func(n pkix.Name) []string {
		if n.CommonName == "" {
			return []string{}
		}
		return []string{n.CommonName}
	},
	"SERIALNUMBER": func(n pkix.Name) []string {
		if n.SerialNumber == "" {
			return []string{}
		}
		return []string{n.SerialNumber}
	},
	"L":          func(n pkix.Name) []string { return n.Locality },
	"ST":         func(n pkix.Name) []string { return n.Province },
	"STREET":     func(n pkix.Name) []string { return n.StreetAddress },
	"POSTALCODE": func(n pkix.Name) []string { return n.PostalCode },
}
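The table above is what a requiredDNAttributes check has to consult: each configured attribute name selects the values of the client's subject DN that its regular expression is matched against. The following is an added example, not code from the package documented on this page, showing how such a check can be enforced as a tls.Config VerifyPeerCertificate callback. It carries a copy of the attribute table, compiles each configured pattern, and accepts a client only when every required attribute has at least one value matching its pattern. The names compileRequiredDNAttributes, matchSubjectDN, verifyPeerDN and single are this example's own; anchoring the patterns is also this example's choice (the page does not say whether the package anchors them), and the certificates in main are constructed stand-ins for what Go hands the callback after chain verification.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"regexp"
	"strings"
)

// subjectDNKnownAttributes carries the same table as the page's SubjectDNKnownAttributes:
// each DN attribute name mapped to the values it has in a pkix.Name.
var subjectDNKnownAttributes = map[string]func(pkix.Name) []string{
	"C":            func(n pkix.Name) []string { return n.Country },
	"O":            func(n pkix.Name) []string { return n.Organization },
	"OU":           func(n pkix.Name) []string { return n.OrganizationalUnit },
	"CN":           func(n pkix.Name) []string { return single(n.CommonName) },
	"SERIALNUMBER": func(n pkix.Name) []string { return single(n.SerialNumber) },
	"L":            func(n pkix.Name) []string { return n.Locality },
	"ST":           func(n pkix.Name) []string { return n.Province },
	"STREET":       func(n pkix.Name) []string { return n.StreetAddress },
	"POSTALCODE":   func(n pkix.Name) []string { return n.PostalCode },
}

// single wraps a scalar attribute as a list that is empty when the attribute is unset.
func single(v string) []string {
	if v == "" {
		return []string{}
	}
	return []string{v}
}

// compileRequiredDNAttributes validates a requiredDNAttributes map of the shape Config
// carries (attribute name -> pattern) and compiles each pattern. Unknown attributes and
// non-string patterns are configuration errors, rejected here rather than at handshake
// time. Patterns are anchored (this example's choice; the page does not say whether the
// package anchors) so that "Acme" cannot match an organization of "Not Acme".
func compileRequiredDNAttributes(required map[string]interface{}) (map[string]*regexp.Regexp, error) {
	compiled := make(map[string]*regexp.Regexp, len(required))
	for attr, raw := range required {
		name := strings.ToUpper(attr)
		if _, known := subjectDNKnownAttributes[name]; !known {
			return nil, fmt.Errorf("requiredDNAttributes: unknown attribute %q", attr)
		}
		pattern, ok := raw.(string)
		if !ok {
			return nil, fmt.Errorf("requiredDNAttributes: %s must be a string pattern, got %T", attr, raw)
		}
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		if err != nil {
			return nil, fmt.Errorf("requiredDNAttributes: %s: %w", attr, err)
		}
		compiled[name] = re
	}
	return compiled, nil
}

// matchSubjectDN accepts a subject only when every required attribute has at least
// one value matching its pattern; a subject missing the attribute altogether fails.
func matchSubjectDN(subject pkix.Name, required map[string]*regexp.Regexp) error {
	for attr, re := range required {
		values := subjectDNKnownAttributes[attr](subject)
		matched := false
		for _, v := range values {
			if re.MatchString(v) {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("client DN attribute %s=%q does not match %s", attr, values, re)
		}
	}
	return nil
}

// verifyPeerDN returns a callback for tls.Config.VerifyPeerCertificate that checks the
// leaf of the chain Go has already verified. It only sees a chain when ClientAuth is
// tls.RequireAndVerifyClientCert and InsecureSkipVerify is off; otherwise it fails closed.
func verifyPeerDN(required map[string]*regexp.Regexp) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return fmt.Errorf("no verified client certificate chain")
		}
		return matchSubjectDN(verifiedChains[0][0].Subject, required)
	}
}

func main() {
	required, err := compileRequiredDNAttributes(map[string]interface{}{"O": "Acme Corp", "ou": "eng|ops"})
	if err != nil {
		panic(err)
	}
	check := verifyPeerDN(required)
	// Constructed leaf certificates standing in for what Go hands the callback after chain verification.
	good := &x509.Certificate{Subject: pkix.Name{Organization: []string{"Acme Corp"}, OrganizationalUnit: []string{"ops"}, CommonName: "svc-1"}}
	bad := &x509.Certificate{Subject: pkix.Name{Organization: []string{"Not Acme Corp"}, OrganizationalUnit: []string{"ops"}}}
	fmt.Println("good:", check(nil, [][]*x509.Certificate{{good}}))
	fmt.Println("bad:", check(nil, [][]*x509.Certificate{{bad}}))
}
```

The callback is installed with `cfg.VerifyPeerCertificate = verifyPeerDN(required)` on a server config whose ClientAuth is tls.RequireAndVerifyClientCert, which is why the page notes that requiredDNAttributes requires clientAuth: without it Go never verifies a chain, verifiedChains is empty, and the callback above rejects the connection rather than silently passing it.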
Functions

func ConstructTLSConfig

func ConstructTLSConfig(ctx context.Context, conf config.Section, tlsType TLSType) (*tls.Config, error)
func EnableCertificateMetrics
func EnableCertificateMetrics(ctx context.Context, metricsRegistry metric.MetricsRegistry) error
EnableCertificateMetrics registers a gauge (in the "tls" subsystem) that is set to the unix timestamp at which loaded TLS certificates expire. Once enabled, every subsequent NewTLSConfig / ConstructTLSConfig call records the gauge for each CA certificate, and for the configured client or server certificate - distinguished by the "type" label (ca/client/server). Because certificate expiry is static, these are only recorded once when the certificate material is read - never per-connection.
It is safe to call this multiple times; only the first call registers the metric. Callers that build both client and server TLS configs only need to call it once for the shared registry.
func InitTLSConfig

func InitTLSConfig(conf config.Section)
Types

type Config
type Config struct {
Enabled bool `ffstruct:"tlsconfig" json:"enabled"`
ClientAuth bool `ffstruct:"tlsconfig" json:"clientAuth,omitempty"`
CAFile string `ffstruct:"tlsconfig" json:"caFile,omitempty"`
CA string `ffstruct:"tlsconfig" json:"ca,omitempty"`
CertFile string `ffstruct:"tlsconfig" json:"certFile,omitempty"`
Cert string `ffstruct:"tlsconfig" json:"cert,omitempty"`
KeyFile string `ffstruct:"tlsconfig" json:"keyFile,omitempty"`
Key string `ffstruct:"tlsconfig" json:"key,omitempty"`
InsecureSkipHostVerify bool `ffstruct:"tlsconfig" json:"insecureSkipHostVerify"`
RequiredDNAttributes map[string]interface{} `ffstruct:"tlsconfig" json:"requiredDNAttributes,omitempty"`
}
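Config, read together with the HTTPConfTLS* constants, fixes two rules that are easy to get wrong in deployment: a *File option takes precedence over its inline PEM counterpart (the inline value is ignored when the file is set, even if the file cannot be read), and clientAuth only yields mutual TLS when there is a CA to verify clients against. The following is an added example, not the package's own NewTLSConfig or ConstructTLSConfig, that applies those rules to a copy of the struct and builds a *tls.Config. The role string stands in for TLSType, whose values the page does not show; loadMaterial, buildTLSConfig and selfSignedPEM are this example's names, and selfSignedPEM exists only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlsConfig mirrors the page's Config struct (RequiredDNAttributes is left out here).
type tlsConfig struct {
	Enabled, ClientAuth, InsecureSkipHostVerify bool
	CAFile, CA, CertFile, Cert, KeyFile, Key    string
}

// loadMaterial applies the precedence documented on the constants: when a *File option
// and its inline PEM counterpart are both set, the file wins and the inline value is ignored.
func loadMaterial(conf tlsConfig) (ca, cert, key []byte, err error) {
	for _, src := range []struct{ dst *[]byte; file, inline string }{
		{&ca, conf.CAFile, conf.CA}, {&cert, conf.CertFile, conf.Cert}, {&key, conf.KeyFile, conf.Key},
	} {
		*src.dst = []byte(src.inline)
		if src.file != "" {
			if *src.dst, err = os.ReadFile(src.file); err != nil {
				return nil, nil, nil, err
			}
		}
	}
	return ca, cert, key, nil
}

// buildTLSConfig turns a tlsConfig into a *tls.Config for role "client" or "server"
// (a stand-in for the page's TLSType, whose values it does not show).
func buildTLSConfig(conf tlsConfig, role string) (*tls.Config, error) {
	if !conf.Enabled {
		return nil, nil
	}
	caPEM, certPEM, keyPEM, err := loadMaterial(conf)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("no certificate found in configured CA")
		}
		if role == "server" {
			cfg.ClientCAs = pool // verifies client certificates
		} else {
			cfg.RootCAs = pool // verifies the server being dialled
		}
	}
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("cert/key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	if role == "server" && conf.ClientAuth {
		if cfg.ClientCAs == nil { // otherwise Go would verify clients against the system roots
			return nil, fmt.Errorf("clientAuth requires a CA to verify clients against")
		}
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	if role != "server" {
		cfg.InsecureSkipVerify = conf.InsecureSkipHostVerify // skips chain and hostname checks: dev only
	}
	return cfg, nil
}

// selfSignedPEM makes a throwaway self-signed certificate so the example runs offline.
func selfSignedPEM() (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	certPEM, keyPEM := selfSignedPEM()
	cfg, err := buildTLSConfig(tlsConfig{Enabled: true, ClientAuth: true, CA: string(certPEM), Cert: string(certPEM), Key: string(keyPEM)}, "server")
	if err != nil {
		panic(err)
	}
	fmt.Println("mutual TLS required:", cfg.ClientAuth == tls.RequireAndVerifyClientCert)
}
```

Two points worth keeping in mind when mapping the struct onto crypto/tls: Go's InsecureSkipVerify is broader than the "host verification" the constant describes, since it skips chain validation as well as hostname matching, and a server that sets RequireAndVerifyClientCert with a nil ClientCAs silently falls back to the system root store, which is why the example refuses clientAuth without a configured CA.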
func GenerateConfig