    Index ¶
- Constants
- func EncryptionConfig() (string, error)
- func RandomTokenString() (string, error)
- type CompactAssets
- type EncryptedAssetsOnDisk
- type EncryptedFile
- func CreateEncryptedFile(path string, bytes []byte, svc Encryptor) (*EncryptedFile, error)
- func EncryptedCredentialCacheFromPath(filePath string, doLoadFingerprint bool) (*EncryptedFile, error)
- func EncryptedCredentialCacheFromRawCredential(raw *PlaintextFile, encSvc Encryptor) (*EncryptedFile, error)
 
- type Encryptor
- type Generator
- type GeneratorOptions
- type KMSConfig
- type KMSEncryptionService
- type KMSEncryptor
- type PlaintextFile
- type ProtectedPKI
- type RawAssetsOnDisk
- type RawAssetsOnMemory
- type Store
Constants ¶
    // CacheFileExtension is the file extension ("enc") of the persisted
    // encrypted credential cache described under EncryptedFile. How the
    // extension is joined to the path is not visible on this page; confirm in Persist.
    const CacheFileExtension = "enc"
    
// FingerprintFileExtension is the file extension ("fingerprint") of the
// companion file that EncryptedCredentialCacheFromPath loads when
// doLoadFingerprint is true. What the fingerprint is computed over is
// not visible on this page — confirm before relying on it for staleness checks.
const FingerprintFileExtension = "fingerprint"
    Variables ¶
This section is empty.
Functions ¶
func EncryptionConfig ¶
func RandomTokenString ¶
Types ¶
type CompactAssets ¶
// CompactAssets holds every cluster credential as an encoded string:
// TLS material as PEM -> encrypted -> gzip -> base64, token assets as
// encrypted -> gzip -> base64, and EncryptionConfig as encrypted ->
// base64. It is produced by EncryptedAssetsOnDisk.Compact and
// RawAssetsOnDisk.Compact. Whether the *Key fields may be empty (e.g.
// when caKeyRequiredOnController is false in
// ReadOrCreateUnencryptedCompactAssets) is not visible here — confirm.
type CompactAssets struct {
	// PEM -> encrypted -> gzip -> base64 encoded TLS assets.
	// NOTE(review): the *Key fields are (per naming) private keys; they are
	// ciphertext here, but the struct as a whole is still credential material.
	CACert                    string
	CAKey                     string
	WorkerCACert              string
	WorkerCAKey               string
	APIServerCert             string
	APIServerKey              string
	APIServerAggregatorCert   string
	APIServerAggregatorKey    string
	KubeControllerManagerCert string
	KubeControllerManagerKey  string
	KubeSchedulerCert         string
	KubeSchedulerKey          string
	WorkerCert                string
	WorkerKey                 string
	AdminCert                 string
	AdminKey                  string
	EtcdCert                  string
	EtcdClientCert            string
	EtcdClientKey             string
	EtcdKey                   string
	EtcdTrustedCA             string
	ServiceAccountKey         string
	// Encrypted -> gzip -> base64 encoded assets.
	AuthTokens        string
	TLSBootstrapToken string
	// Encrypted -> base64 encoded EncryptionConfig.
	EncryptionConfig string
}
    func ReadOrCreateUnencryptedCompactAssets ¶
func ReadOrCreateUnencryptedCompactAssets(assetsDir string, manageCertificates bool, caKeyRequiredOnController bool) (*CompactAssets, error)
func (*CompactAssets) HasAuthTokens ¶
func (a *CompactAssets) HasAuthTokens() bool
func (*CompactAssets) HasTLSBootstrapToken ¶
func (a *CompactAssets) HasTLSBootstrapToken() bool
type EncryptedAssetsOnDisk ¶
// EncryptedAssetsOnDisk mirrors RawAssetsOnDisk with every asset replaced
// by its EncryptedFile cache. Compact produces the base64 CompactAssets
// form and WriteToDir persists the caches under a directory. Note the
// EtcdKey/EtcdClientKey field order differs from CompactAssets; harmless
// for keyed literals, but worth aligning.
type EncryptedAssetsOnDisk struct {
	// Encrypted PEM encoded TLS assets.
	CACert                    EncryptedFile
	CAKey                     EncryptedFile
	WorkerCACert              EncryptedFile
	WorkerCAKey               EncryptedFile
	APIServerCert             EncryptedFile
	APIServerKey              EncryptedFile
	APIServerAggregatorCert   EncryptedFile
	APIServerAggregatorKey    EncryptedFile
	KubeControllerManagerCert EncryptedFile
	KubeControllerManagerKey  EncryptedFile
	KubeSchedulerCert         EncryptedFile
	KubeSchedulerKey          EncryptedFile
	WorkerCert                EncryptedFile
	WorkerKey                 EncryptedFile
	AdminCert                 EncryptedFile
	AdminKey                  EncryptedFile
	EtcdCert                  EncryptedFile
	EtcdClientCert            EncryptedFile
	EtcdKey                   EncryptedFile
	EtcdClientKey             EncryptedFile
	EtcdTrustedCA             EncryptedFile
	ServiceAccountKey         EncryptedFile
	// Other encrypted assets (tokens and the EncryptionConfig).
	AuthTokens        EncryptedFile
	TLSBootstrapToken EncryptedFile
	EncryptionConfig  EncryptedFile
}
    func ReadOrEncryptAssets ¶
func (*EncryptedAssetsOnDisk) Compact ¶
func (r *EncryptedAssetsOnDisk) Compact() (*CompactAssets, error)
func (*EncryptedAssetsOnDisk) WriteToDir ¶
func (r *EncryptedAssetsOnDisk) WriteToDir(dirname string) error
type EncryptedFile ¶
// EncryptedFile is the on-disk cache of one encrypted credential.
// Because KMS returns a different ciphertext for every encryption of the
// same plaintext, the ciphertext is persisted (CacheFileExtension) and
// reused rather than regenerated, which avoids spurious node
// replacements. A companion fingerprint file (FingerprintFileExtension)
// can be loaded alongside it via EncryptedCredentialCacheFromPath;
// presumably it is used to detect a stale cache — what it hashes is not
// visible here, confirm. Construct with CreateEncryptedFile or
// EncryptedCredentialCacheFromRawCredential; Persist writes it back.
type EncryptedFile struct {
	// contains filtered or unexported fields
}
    KMS encryption produces a different ciphertext for the same plaintext on every call, which had been causing unnecessary node replacements (https://github.com/kubernetes-incubator/kube-aws/issues/107). Encrypted assets are persisted as a cache so that this can be avoided.
func CreateEncryptedFile ¶
func CreateEncryptedFile(path string, bytes []byte, svc Encryptor) (*EncryptedFile, error)
func EncryptedCredentialCacheFromPath ¶
func EncryptedCredentialCacheFromPath(filePath string, doLoadFingerprint bool) (*EncryptedFile, error)
func EncryptedCredentialCacheFromRawCredential ¶
func EncryptedCredentialCacheFromRawCredential(raw *PlaintextFile, encSvc Encryptor) (*EncryptedFile, error)
func (*EncryptedFile) Bytes ¶
func (c *EncryptedFile) Bytes() []byte
func (*EncryptedFile) Fingerprint ¶
func (c *EncryptedFile) Fingerprint() string
func (*EncryptedFile) Persist ¶
func (c *EncryptedFile) Persist() error
func (*EncryptedFile) SetBytes ¶
func (c *EncryptedFile) SetBytes(bytes []byte)
func (*EncryptedFile) String ¶
func (c *EncryptedFile) String() string
type Generator ¶
// Generator carries the cluster-level parameters used to generate the PKI
// and related credentials, either straight to disk (GenerateAssetsOnDisk)
// or in memory (GenerateAssetsOnMemory, which takes the CA key pair).
// Field meanings are read from their names — certificate lifetimes in
// days, the AWS region, the DNS/IP SANs for the API server and etcd
// certificates, and the service CIDR — and should be confirmed in the
// generator methods, which are not on this page.
type Generator struct {
	TLSCADurationDays                int
	TLSCertDurationDays              int
	TLSBootstrapEnabled              bool
	ManageCertificates               bool
	Region                           string
	APIServerExternalDNSNames        []string
	APIServerAdditionalDNSSans       []string
	APIServerAdditionalIPAddressSans []string
	EtcdNodeDNSNames                 []string
	ServiceCIDR                      string
}
    func (Generator) GenerateAssetsOnDisk ¶
func (c Generator) GenerateAssetsOnDisk(dir string, o GeneratorOptions) (*RawAssetsOnDisk, error)
func (Generator) GenerateAssetsOnMemory ¶
func (c Generator) GenerateAssetsOnMemory(caKey *rsa.PrivateKey, caCert *x509.Certificate, generatorOptions GeneratorOptions) (*RawAssetsOnMemory, error)
type GeneratorOptions ¶
// GeneratorOptions selects what a Generator produces for one run: whether
// to create a CA (GenerateCA) or reuse one from CaCertPath/CaKeyPath, the
// CommonName to issue, and the paths of pre-existing private keys to
// reuse instead of generating new ones. Meanings are inferred from the
// field names; confirm in GenerateAssetsOnDisk.
type GeneratorOptions struct {
	AwsDebug   bool
	GenerateCA bool
	CaCertPath string
	CommonName string
	// Paths for private certificate keys.
	AdminKeyPath                 string
	ApiServerAggregatorKeyPath   string
	ApiServerKeyPath             string
	CaKeyPath                    string
	EtcdClientKeyPath            string
	EtcdKeyPath                  string
	KubeControllerManagerKeyPath string
	KubeSchedulerKeyPath         string
	ServiceAccountKeyPath        string
	WorkerKeyPath                string
}
    type KMSConfig ¶
// KMSConfig pairs the KMS key to encrypt with (by ARN) and the client
// used to call it. Build it with NewKMSConfig; what that constructor does
// with its session argument is not visible on this page.
type KMSConfig struct {
	KMSSvc    KMSEncryptionService
	KMSKeyARN string
}
    func NewKMSConfig ¶
func NewKMSConfig(kmsKeyARN string, encSvc KMSEncryptionService, session *session.Session) KMSConfig
type KMSEncryptionService ¶
// KMSEncryptionService is the consumer-side slice of the AWS KMS client
// that this package needs: Encrypt only. Keeping it to one method lets
// tests substitute a fake; the real *kms.KMS client presumably satisfies it.
type KMSEncryptionService interface {
	Encrypt(*kms.EncryptInput) (*kms.EncryptOutput, error)
}
    type KMSEncryptor ¶
// KMSEncryptor encrypts byte slices with AWS KMS (EncryptedBytes) using
// the key identified by KmsKeyARN. Its fields mirror KMSConfig but with
// different casing (KmsKeyARN/KmsSvc vs KMSKeyARN/KMSSvc); Go style would
// spell the initialism consistently.
type KMSEncryptor struct {
	KmsKeyARN string
	KmsSvc    KMSEncryptionService
}
    func (KMSEncryptor) EncryptedBytes ¶
func (s KMSEncryptor) EncryptedBytes(data []byte) ([]byte, error)
type PlaintextFile ¶
// PlaintextFile is an unencrypted credential read from disk by
// RawCredentialFileFromPath (whose defaultValue is presumably used when
// the file is absent — confirm). It is the input to
// EncryptedCredentialCacheFromRawCredential and exposes the same
// Bytes/Fingerprint/Persist/String methods as EncryptedFile.
// NOTE(review): holds secret material in the clear; keep String() and
// Bytes() out of logs.
type PlaintextFile struct {
	// contains filtered or unexported fields
}
    func RawCredentialFileFromPath ¶
func RawCredentialFileFromPath(filePath string, defaultValue *string) (*PlaintextFile, error)
func (*PlaintextFile) Bytes ¶
func (c *PlaintextFile) Bytes() []byte
func (*PlaintextFile) Fingerprint ¶
func (c *PlaintextFile) Fingerprint() string
func (*PlaintextFile) Persist ¶
func (c *PlaintextFile) Persist() error
func (*PlaintextFile) String ¶
func (c *PlaintextFile) String() string
type ProtectedPKI ¶
func NewProtectedPKI ¶
func NewProtectedPKI(enc Encryptor) *ProtectedPKI
func (*ProtectedPKI) CreateKeyaPair ¶
func (ppki *ProtectedPKI) CreateKeyaPair(spec api.KeyPairSpec) error
func (*ProtectedPKI) EnsureKeyPairsCreated ¶
func (ppki *ProtectedPKI) EnsureKeyPairsCreated(specs []api.KeyPairSpec) error
type RawAssetsOnDisk ¶
// RawAssetsOnDisk holds the unencrypted credential files of a cluster as
// PlaintextFile values. ReadRawAssets loads them from a directory and
// Compact converts them to CompactAssets. The field layout mirrors
// EncryptedAssetsOnDisk and RawAssetsOnMemory.
// NOTE(review): the *Key fields are plaintext private keys (per naming);
// treat the whole struct as sensitive.
type RawAssetsOnDisk struct {
	// PEM encoded TLS assets.
	CACert                    PlaintextFile
	CAKey                     PlaintextFile
	WorkerCACert              PlaintextFile
	WorkerCAKey               PlaintextFile
	APIServerCert             PlaintextFile
	APIServerKey              PlaintextFile
	APIServerAggregatorCert   PlaintextFile
	APIServerAggregatorKey    PlaintextFile
	KubeControllerManagerCert PlaintextFile
	KubeControllerManagerKey  PlaintextFile
	KubeSchedulerCert         PlaintextFile
	KubeSchedulerKey          PlaintextFile
	WorkerCert                PlaintextFile
	WorkerKey                 PlaintextFile
	AdminCert                 PlaintextFile
	AdminKey                  PlaintextFile
	EtcdCert                  PlaintextFile
	EtcdClientCert            PlaintextFile
	EtcdKey                   PlaintextFile
	EtcdClientKey             PlaintextFile
	EtcdTrustedCA             PlaintextFile
	ServiceAccountKey         PlaintextFile
	// Other assets (tokens and the EncryptionConfig), also unencrypted.
	AuthTokens        PlaintextFile
	TLSBootstrapToken PlaintextFile
	EncryptionConfig  PlaintextFile
}
    func ReadRawAssets ¶
func ReadRawAssets(dirname string, manageCertificates bool, caKeyRequiredOnController bool) (*RawAssetsOnDisk, error)
func (*RawAssetsOnDisk) Compact ¶
func (r *RawAssetsOnDisk) Compact() (*CompactAssets, error)
type RawAssetsOnMemory ¶
// RawAssetsOnMemory is the in-memory form of freshly generated
// credentials (Generator.GenerateAssetsOnMemory): PEM encoded assets as
// raw bytes. WriteToDir persists them; its includeCAKey flag presumably
// decides whether the CA private key is written (per the parameter name
// — confirm). The file mode used when writing is not visible on this
// page; these are plaintext private keys, so it should be owner-only.
type RawAssetsOnMemory struct {
	// PEM encoded TLS assets.
	CACert                    []byte
	CAKey                     []byte
	WorkerCACert              []byte
	WorkerCAKey               []byte
	APIServerCert             []byte
	APIServerKey              []byte
	APIServerAggregatorCert   []byte
	APIServerAggregatorKey    []byte
	KubeControllerManagerCert []byte
	KubeControllerManagerKey  []byte
	KubeSchedulerCert         []byte
	KubeSchedulerKey          []byte
	WorkerCert                []byte
	WorkerKey                 []byte
	AdminCert                 []byte
	AdminKey                  []byte
	EtcdCert                  []byte
	EtcdClientCert            []byte
	EtcdKey                   []byte
	EtcdClientKey             []byte
	EtcdTrustedCA             []byte
	ServiceAccountKey         []byte
	// Other assets (tokens and the EncryptionConfig).
	AuthTokens        []byte
	TLSBootstrapToken []byte
	EncryptionConfig  []byte
}
    func (*RawAssetsOnMemory) WriteToDir ¶
func (r *RawAssetsOnMemory) WriteToDir(dirname string, includeCAKey bool) error
type Store ¶
// Store bundles the Encryptor used by EncryptedCredentialFromPath to turn
// a plaintext credential read from disk into an EncryptedFile cache. The
// Encryptor interface's methods are not listed on this page; KMSEncryptor
// (EncryptedBytes) is presumably the production implementation.
type Store struct {
	Encryptor Encryptor
}
    func (Store) EncryptedCredentialFromPath ¶
func (e Store) EncryptedCredentialFromPath(filePath string, defaultValue *string) (*EncryptedFile, error)