const CacheFileExtension = "enc"
const FingerprintFileExtension = "fingerprint"




func EncryptionConfig

func EncryptionConfig() (string, error)

func RandomTokenString

func RandomTokenString() (string, error)


type CompactAssets

type CompactAssets struct {
	// PEM -> encrypted -> gzip -> base64 encoded TLS assets.
	CACert                    string
	CAKey                     string
	WorkerCACert              string
	WorkerCAKey               string
	APIServerCert             string
	APIServerKey              string
	APIServerAggregatorCert   string
	APIServerAggregatorKey    string
	KubeControllerManagerCert string
	KubeControllerManagerKey  string
	KubeSchedulerCert         string
	KubeSchedulerKey          string
	WorkerCert                string
	WorkerKey                 string
	AdminCert                 string
	AdminKey                  string
	EtcdCert                  string
	EtcdClientCert            string
	EtcdClientKey             string
	EtcdKey                   string
	EtcdTrustedCA             string
	ServiceAccountKey         string

	// Encrypted -> gzip -> base64 encoded assets.
	AuthTokens        string
	TLSBootstrapToken string

	// Encrypted -> base64 encoded EncryptionConfig.
	EncryptionConfig string

func ReadOrCreateCompactAssets

func ReadOrCreateCompactAssets(assetsDir string, manageCertificates bool, caKeyRequiredOnController bool, kmsConfig KMSConfig) (*CompactAssets, error)

func ReadOrCreateUnencryptedCompactAssets

func ReadOrCreateUnencryptedCompactAssets(assetsDir string, manageCertificates bool, caKeyRequiredOnController bool) (*CompactAssets, error)

func (*CompactAssets) HasAuthTokens

func (a *CompactAssets) HasAuthTokens() bool

func (*CompactAssets) HasTLSBootstrapToken

func (a *CompactAssets) HasTLSBootstrapToken() bool

type EncryptedAssetsOnDisk

type EncryptedAssetsOnDisk struct {
	// Encrypted PEM encoded TLS assets.
	CACert                    EncryptedFile
	CAKey                     EncryptedFile
	WorkerCACert              EncryptedFile
	WorkerCAKey               EncryptedFile
	APIServerCert             EncryptedFile
	APIServerKey              EncryptedFile
	APIServerAggregatorCert   EncryptedFile
	APIServerAggregatorKey    EncryptedFile
	KubeControllerManagerCert EncryptedFile
	KubeControllerManagerKey  EncryptedFile
	KubeSchedulerCert         EncryptedFile
	KubeSchedulerKey          EncryptedFile
	WorkerCert                EncryptedFile
	WorkerKey                 EncryptedFile
	AdminCert                 EncryptedFile
	AdminKey                  EncryptedFile
	EtcdCert                  EncryptedFile
	EtcdClientCert            EncryptedFile
	EtcdKey                   EncryptedFile
	EtcdClientKey             EncryptedFile
	EtcdTrustedCA             EncryptedFile
	ServiceAccountKey         EncryptedFile

	// Other encrypted assets.
	AuthTokens        EncryptedFile
	TLSBootstrapToken EncryptedFile
	EncryptionConfig  EncryptedFile

func ReadOrCreateEncryptedAssets

func ReadOrCreateEncryptedAssets(tlsAssetsDir string, manageCertificates bool, caKeyRequiredOnController bool, kmsConfig KMSConfig) (*EncryptedAssetsOnDisk, error)

func ReadOrEncryptAssets

func ReadOrEncryptAssets(dirname string, manageCertificates bool, caKeyRequiredOnController bool, store Store) (*EncryptedAssetsOnDisk, error)

func (*EncryptedAssetsOnDisk) Compact

func (r *EncryptedAssetsOnDisk) Compact() (*CompactAssets, error)

func (*EncryptedAssetsOnDisk) WriteToDir

func (r *EncryptedAssetsOnDisk) WriteToDir(dirname string) error

type EncryptedFile

type EncryptedFile struct {
	// contains filtered or unexported fields

    KMS encryption produces a different ciphertext each time the same plaintext is encrypted, which had been causing unnecessary node replacements. Persist encrypted assets for caching purposes so that we can avoid that.

    func CreateEncryptedFile

    func CreateEncryptedFile(path string, bytes []byte, svc Encryptor) (*EncryptedFile, error)

    func EncryptedCredentialCacheFromPath

    func EncryptedCredentialCacheFromPath(filePath string, doLoadFingerprint bool) (*EncryptedFile, error)

    func EncryptedCredentialCacheFromRawCredential

    func EncryptedCredentialCacheFromRawCredential(raw *PlaintextFile, encSvc Encryptor) (*EncryptedFile, error)

    func (*EncryptedFile) Bytes

    func (c *EncryptedFile) Bytes() []byte

    func (*EncryptedFile) Fingerprint

    func (c *EncryptedFile) Fingerprint() string

    func (*EncryptedFile) Persist

    func (c *EncryptedFile) Persist() error

    func (*EncryptedFile) SetBytes

    func (c *EncryptedFile) SetBytes(bytes []byte)

    func (*EncryptedFile) String

    func (c *EncryptedFile) String() string

    type Encryptor

    type Encryptor interface {
    	EncryptedBytes(raw []byte) ([]byte, error)

    type Generator

    type Generator struct {
    	TLSCADurationDays                int
    	TLSCertDurationDays              int
    	TLSBootstrapEnabled              bool
    	ManageCertificates               bool
    	Region                           string
    	APIServerExternalDNSNames        []string
    	APIServerAdditionalDNSSans       []string
    	APIServerAdditionalIPAddressSans []string
    	EtcdNodeDNSNames                 []string
    	ServiceCIDR                      string

    func (Generator) GenerateAssetsOnDisk

    func (c Generator) GenerateAssetsOnDisk(dir string, o GeneratorOptions) (*RawAssetsOnDisk, error)

    func (Generator) GenerateAssetsOnMemory

    func (c Generator) GenerateAssetsOnMemory(caKey *rsa.PrivateKey, caCert *x509.Certificate, generatorOptions GeneratorOptions) (*RawAssetsOnMemory, error)

    type GeneratorOptions

    type GeneratorOptions struct {
    	AwsDebug   bool
    	GenerateCA bool
    	CaCertPath string
    	CommonName string
    	// Paths for private certificate keys.
    	AdminKeyPath                 string
    	ApiServerAggregatorKeyPath   string
    	ApiServerKeyPath             string
    	CaKeyPath                    string
    	EtcdClientKeyPath            string
    	EtcdKeyPath                  string
    	KubeControllerManagerKeyPath string
    	KubeSchedulerKeyPath         string
    	ServiceAccountKeyPath        string
    	WorkerKeyPath                string

    type KMSConfig

    type KMSConfig struct {
    	KMSSvc    KMSEncryptionService
    	KMSKeyARN string

    func NewKMSConfig

    func NewKMSConfig(kmsKeyARN string, encSvc KMSEncryptionService, session *session.Session) KMSConfig

    func (KMSConfig) Encryptor

    func (c KMSConfig) Encryptor() Encryptor

    func (KMSConfig) Store

    func (c KMSConfig) Store() Store

    type KMSEncryptionService

    type KMSEncryptionService interface {
    	Encrypt(*kms.EncryptInput) (*kms.EncryptOutput, error)

    type KMSEncryptor

    type KMSEncryptor struct {
    	KmsKeyARN string
    	KmsSvc    KMSEncryptionService

    func (KMSEncryptor) EncryptedBytes

    func (s KMSEncryptor) EncryptedBytes(data []byte) ([]byte, error)

    type PlaintextFile

    type PlaintextFile struct {
    	// contains filtered or unexported fields

    func RawCredentialFileFromPath

    func RawCredentialFileFromPath(filePath string, defaultValue *string) (*PlaintextFile, error)

    func (*PlaintextFile) Bytes

    func (c *PlaintextFile) Bytes() []byte

    func (*PlaintextFile) Fingerprint

    func (c *PlaintextFile) Fingerprint() string

    func (*PlaintextFile) Persist

    func (c *PlaintextFile) Persist() error

    func (*PlaintextFile) String

    func (c *PlaintextFile) String() string

    type ProtectedPKI

    type ProtectedPKI struct {

    func NewProtectedPKI

    func NewProtectedPKI(enc Encryptor) *ProtectedPKI

    func (*ProtectedPKI) CreateKeyaPair

    func (ppki *ProtectedPKI) CreateKeyaPair(spec api.KeyPairSpec) error

    func (*ProtectedPKI) EnsureKeyPairsCreated

    func (ppki *ProtectedPKI) EnsureKeyPairsCreated(specs []api.KeyPairSpec) error

    type RawAssetsOnDisk

    type RawAssetsOnDisk struct {
    	// PEM encoded TLS assets.
    	CACert                    PlaintextFile
    	CAKey                     PlaintextFile
    	WorkerCACert              PlaintextFile
    	WorkerCAKey               PlaintextFile
    	APIServerCert             PlaintextFile
    	APIServerKey              PlaintextFile
    	APIServerAggregatorCert   PlaintextFile
    	APIServerAggregatorKey    PlaintextFile
    	KubeControllerManagerCert PlaintextFile
    	KubeControllerManagerKey  PlaintextFile
    	KubeSchedulerCert         PlaintextFile
    	KubeSchedulerKey          PlaintextFile
    	WorkerCert                PlaintextFile
    	WorkerKey                 PlaintextFile
    	AdminCert                 PlaintextFile
    	AdminKey                  PlaintextFile
    	EtcdCert                  PlaintextFile
    	EtcdClientCert            PlaintextFile
    	EtcdKey                   PlaintextFile
    	EtcdClientKey             PlaintextFile
    	EtcdTrustedCA             PlaintextFile
    	ServiceAccountKey         PlaintextFile
    	// Other assets.
    	AuthTokens        PlaintextFile
    	TLSBootstrapToken PlaintextFile
    	EncryptionConfig  PlaintextFile

    func ReadRawAssets

    func ReadRawAssets(dirname string, manageCertificates bool, caKeyRequiredOnController bool) (*RawAssetsOnDisk, error)

    func (*RawAssetsOnDisk) Compact

    func (r *RawAssetsOnDisk) Compact() (*CompactAssets, error)

    type RawAssetsOnMemory

    type RawAssetsOnMemory struct {
    	// PEM encoded TLS assets.
    	CACert                    []byte
    	CAKey                     []byte
    	WorkerCACert              []byte
    	WorkerCAKey               []byte
    	APIServerCert             []byte
    	APIServerKey              []byte
    	APIServerAggregatorCert   []byte
    	APIServerAggregatorKey    []byte
    	KubeControllerManagerCert []byte
    	KubeControllerManagerKey  []byte
    	KubeSchedulerCert         []byte
    	KubeSchedulerKey          []byte
    	WorkerCert                []byte
    	WorkerKey                 []byte
    	AdminCert                 []byte
    	AdminKey                  []byte
    	EtcdCert                  []byte
    	EtcdClientCert            []byte
    	EtcdKey                   []byte
    	EtcdClientKey             []byte
    	EtcdTrustedCA             []byte
    	ServiceAccountKey         []byte
    	// Other assets.
    	AuthTokens        []byte
    	TLSBootstrapToken []byte
    	EncryptionConfig  []byte

    func (*RawAssetsOnMemory) WriteToDir

    func (r *RawAssetsOnMemory) WriteToDir(dirname string, includeCAKey bool) error

    type Store

    type Store struct {
    	Encryptor Encryptor

    func (Store) EncryptedCredentialFromPath

    func (e Store) EncryptedCredentialFromPath(filePath string, defaultValue *string) (*EncryptedFile, error)