tls

package
Published: Feb 28, 2025 License: Apache-2.0 Imports: 16 Imported by: 32

Documentation

Index

Constants

const (
	// CABundleSecret - name of the secret holding the combined CA bundle
	// (both the internal CA and any operator-provided CAs, see the keys below)
	CABundleSecret = "combined-ca-bundle"
	// CABundleLabel added to the CA bundle secret for the namespace; has the
	// same literal value as CABundleSecret
	CABundleLabel = "combined-ca-bundle"
	// CABundleKey - key in CABundleSecret holding a full CA bundle; this is the
	// entry ValidateCACertSecret checks for
	CABundleKey = "tls-ca-bundle.pem"
	// InternalCABundleKey - key in CABundleSecret only holding the internal CA
	InternalCABundleKey = "internal-ca-bundle.pem"

	// DefaultCAPrefix - prefix used for the default (root) CA name
	DefaultCAPrefix = "rootca-"
	// DownstreamTLSCABundlePath - location of the extracted system CA bundle on
	// RHEL-family images (/etc/pki/ca-trust), named after CABundleKey
	DownstreamTLSCABundlePath = "/etc/pki/ca-trust/extracted/pem/" + CABundleKey
	// UpstreamTLSCABundlePath - location of the system CA bundle on
	// Debian-family images
	UpstreamTLSCABundlePath = "/etc/ssl/certs/ca-certificates.crt"

	// CertKey - key of the secret entry holding the cert (public, safe to share)
	CertKey = "tls.crt"
	// PrivateKey - key of the secret entry holding the cert private key; this
	// entry is the sensitive one and is mounted under DefaultKeyMountDir
	PrivateKey = "tls.key"
	// CAKey - key of the secret entry holding the CA that issued the cert
	CAKey = "ca.crt"
	// DefaultCertMountDir - updated default path to mount cert files inside
	// container (supersedes the older /etc/tls/certs location)
	DefaultCertMountDir = "/var/lib/config-data/tls/certs"
	// DefaultKeyMountDir - updated default path to mount cert keys inside
	// container (supersedes the older /etc/tls/private location); kept separate
	// from the cert dir so key material can be permissioned independently
	DefaultKeyMountDir = "/var/lib/config-data/tls/private"

	// TLSHashName - Name of the hash of hashes of all cert resources; a change
	// in this hash is how consumers detect a cert rotation
	TLSHashName = "certs"

	// AdditionalSubjectNamesKey - Comma separated list of additionalSubjectNames
	// that should be passed to the CertificateRequest
	AdditionalSubjectNamesKey = "additionalSubjectNames"

	// DefaultClusterInternalDomain - cluster internal dns domain
	DefaultClusterInternalDomain = "cluster.local"
)

Variables

This section is empty.

Functions

func ValidateCACertSecret

func ValidateCACertSecret(
	ctx context.Context,
	c client.Client,
	caSecret types.NamespacedName,
) (string, error)

ValidateCACertSecret - validates the content of the cert secret to make sure "tls-ca-bundle.pem" key exists

func ValidateEndpointCerts

func ValidateEndpointCerts(
	ctx context.Context,
	h *helper.Helper,
	namespace string,
	endpointCfgs map[service.Endpoint]Service,
) (string, error)

ValidateEndpointCerts - validates all services from an endpointCfgs and returns the hash of hashes for all the certificates

Types

type API

// API defines the observed state of TLS with API only.
type API struct {
	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// API tls type which encapsulates the per-endpoint (public/internal)
	// TLS secrets for API services
	API APIService `json:"api,omitempty"`

	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// Secret containing CA bundle (see Ca); inlined so its fields appear at
	// this level of the spec
	Ca `json:",inline"`
}

API defines the observed state of TLS with API only

func (*API) DeepCopy

func (in *API) DeepCopy() *API

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new API.

func (*API) DeepCopyInto

func (in *API) DeepCopyInto(out *API)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type APIService

// APIService - API tls type which encapsulates TLS settings for API services,
// one GenericService per endpoint.
type APIService struct {
	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// Public GenericService - holds the secret for the public endpoint
	Public GenericService `json:"public,omitempty"`

	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// Internal GenericService - holds the secret for the internal endpoint
	Internal GenericService `json:"internal,omitempty"`
}

APIService - API tls type which encapsulates for API services

func (*APIService) DeepCopy

func (in *APIService) DeepCopy() *APIService

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIService.

func (*APIService) DeepCopyInto

func (in *APIService) DeepCopyInto(out *APIService)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*APIService) Enabled

func (a *APIService) Enabled(endpt service.Endpoint) bool

Enabled - returns true if TLS is configured for the public and internal endpoints

func (*APIService) ValidateCertSecrets

func (a *APIService) ValidateCertSecrets(
	ctx context.Context,
	h *helper.Helper,
	namespace string,
) (string, error)

ValidateCertSecrets - validates the content of the cert secrets to make sure "tls-ca-bundle.pem" key exists

type Ca

// Ca contains CA-specific settings, which could be used both by services (to
// define their own CA certificates) and by clients (to verify the server's
// certificate).
type Ca struct {
	// CaBundleSecretName - name of the secret holding the CA certs in a
	// pre-created bundle file; the bundle is expected under the CABundleKey
	// entry (see ValidateCACertSecret)
	CaBundleSecretName string `json:"caBundleSecretName,omitempty"`
}

Ca contains CA-specific settings, which could be used both by services (to define their own CA certificates) and by clients (to verify the server's certificate)

func (*Ca) CreateVolume

func (c *Ca) CreateVolume() corev1.Volume

CreateVolume creates volumes for CA bundle file

func (*Ca) CreateVolumeMounts

func (c *Ca) CreateVolumeMounts(caBundleMount *string) []corev1.VolumeMount

CreateVolumeMounts creates volume mounts for CA bundle file

func (*Ca) DeepCopy

func (in *Ca) DeepCopy() *Ca

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ca.

func (*Ca) DeepCopyInto

func (in *Ca) DeepCopyInto(out *Ca)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GenericService

// GenericService contains server-specific TLS secret or issuer.
type GenericService struct {
	// +kubebuilder:validation:Optional
	// SecretName - name of the secret holding the cert and key for the
	// service; a pointer so that "not set" is distinguishable from an empty
	// string (see Enabled)
	SecretName *string `json:"secretName,omitempty"`
}

GenericService contains server-specific TLS secret or issuer

func (*GenericService) DeepCopy

func (in *GenericService) DeepCopy() *GenericService

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericService.

func (*GenericService) DeepCopyInto

func (in *GenericService) DeepCopyInto(out *GenericService)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GenericService) Enabled

func (s *GenericService) Enabled() bool

Enabled - returns true if TLS is configured for the service

func (*GenericService) ToService

func (s *GenericService) ToService() (*Service, error)

ToService - convert tls.GenericService to tls.Service

func (*GenericService) ValidateCertSecret

func (s *GenericService) ValidateCertSecret(
	ctx context.Context,
	h *helper.Helper,
	namespace string,
) (string, error)

ValidateCertSecret - validates the content of the cert secrets to make sure "tls-ca-bundle.pem" key exists

type Service

// Service contains server-specific TLS secret
// +kubebuilder:object:generate:=false
type Service struct {
	// SecretName - name of the secret holding the cert (CertKey) and key
	// (PrivateKey) for the service; required, no omitempty
	SecretName string `json:"secretName"`

	// CertMount - dst location to mount the service tls.crt cert. Can be used to
	// override the default location, which is under DefaultCertMountDir
	// (the older /etc/tls/certs/<service id>.crt path is superseded)
	CertMount *string `json:"certMount,omitempty"`

	// KeyMount - dst location to mount the service tls.key key. Can be used to
	// override the default location, which is under DefaultKeyMountDir
	// (the older /etc/tls/private/<service id>.key path is superseded); note
	// this is the private key, so the override should stay on a path the
	// service process alone can read
	KeyMount *string `json:"keyMount,omitempty"`

	// CaMount - dst location to mount the CA cert ca.crt (CAKey) to. Can be used
	// if the service CA cert should be mounted specifically, e.g. to be set in a
	// service config for validation, instead of the env wide bundle.
	CaMount *string `json:"caMount,omitempty"`
}

Service contains server-specific TLS secret
+kubebuilder:object:generate:=false

func (*Service) CreateVolume

func (s *Service) CreateVolume(serviceID string) corev1.Volume

CreateVolume - add volume for TLS certificates and CA certificate for the service

func (*Service) CreateVolumeMounts

func (s *Service) CreateVolumeMounts(serviceID string) []corev1.VolumeMount

CreateVolumeMounts - add volume mount for TLS certificates and CA certificate for the service

func (*Service) ValidateCertSecret

func (s *Service) ValidateCertSecret(ctx context.Context, h *helper.Helper, namespace string) (string, error)

ValidateCertSecret - validates the content of the cert secret to make sure "tls.key", "tls.crt" and optional "ca.crt" keys exist

type SimpleService

// SimpleService defines the observed state of TLS for a single service.
type SimpleService struct {
	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// Secret containing certificates for the service (see GenericService);
	// inlined so its fields appear at this level of the spec
	GenericService `json:",inline"`

	// +kubebuilder:validation:optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec
	// Secret containing CA bundle (see Ca); inlined so its fields appear at
	// this level of the spec
	Ca `json:",inline"`
}

SimpleService defines the observed state of TLS for a single service

func (*SimpleService) DeepCopy

func (in *SimpleService) DeepCopy() *SimpleService

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SimpleService.

func (*SimpleService) DeepCopyInto

func (in *SimpleService) DeepCopyInto(out *SimpleService)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
