Constants ¶
const ( YggdrasilRegisterAuth = 1 YggdrasilCompleteAuth = 0 )
const ( CASecretName = "flotta-ca" HostTLSCertName = "flotta-host-certificate" CertRegisterCN = "register" )
const ( ECPrivateKeyBlockType = "EC PRIVATE KEY" RSAPrivateKeyBlockType = "RSA PRIVATE KEY" )
Variables ¶
This section is empty.
Functions ¶
func VerifyRequest ¶
func VerifyRequest(r *http.Request, verifyType int, verifyOpts x509.VerifyOptions, CACertChain []*x509.Certificate, authzKey RequestAuthKey, logger *zap.SugaredLogger) (bool, error)
VerifyRequest checks the client certificate according to the scenario selected by verifyType (see the YggdrasilRegisterAuth / YggdrasilCompleteAuth constants). Registration endpoint: any certificate signed by the supplied CA chain is accepted, even if it has already expired. All other endpoints: the certificate must be fully valid under verifyOpts. It returns true if the request is allowed; when it returns false, the accompanying error carries the main reason for the rejection. @TODO consult the list of rejected (revoked) certificates here — until that is done, a certificate is not rejected on revocation grounds.
Types ¶
type CAProvider ¶
type CAProvider interface { GetName() string GetCACertificate() (*CertificateGroup, error) CreateRegistrationCertificate(name string) (map[string][]byte, error) SignCSR(CSRPem string, commonName string, namespace string, expiration time.Time) ([]byte, error) GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error) }
CAProvider abstracts the certificate authority used by this package. The main reason to have an interface here is to be able to extend it to future certificate providers, such as Vault or the ACME protocol, so that users can decide which backend to use.
type CASecretProvider ¶
type CASecretProvider struct {
// contains filtered or unexported fields
}
@TODO Add a watcher on the secret so that a manual update of the CA secret renews the cached latestCA; until then a manually rotated CA may not be picked up until the provider reloads it.
func NewCASecretProvider ¶
func NewCASecretProvider(client client.Client, namespace string) *CASecretProvider
func (*CASecretProvider) CreateRegistrationCertificate ¶
func (config *CASecretProvider) CreateRegistrationCertificate(name string) (map[string][]byte, error)
func (*CASecretProvider) GetCACertificate ¶
func (config *CASecretProvider) GetCACertificate() (*CertificateGroup, error)
func (*CASecretProvider) GetName ¶
func (config *CASecretProvider) GetName() string
func (*CASecretProvider) GetServerCertificate ¶
func (config *CASecretProvider) GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)
func (*CASecretProvider) SignCSR ¶
func (config *CASecretProvider) SignCSR(CSRPem string, commonName string, namespace string, expiration time.Time) ([]byte, error)
SignCSR signs a new certificate request and returns the PEM-encoded certificate. This function is expected to be called frequently, so it uses the cached config.latestCA to avoid overloading the API server with repeated reads. Because the CA secret is always managed by this provider, relying on the cached copy should be safe — but note that a manual update of the secret is not yet watched (see the TODO on CASecretProvider), so the cache can be stale in that case.
type CertificateGroup ¶
type CertificateGroup struct { CertPEM *bytes.Buffer PrivKeyPEM *bytes.Buffer // contains filtered or unexported fields }
CertificateGroup bundles a certificate, its private key and their PEM encodings, together with helper methods for working with them.
func NewCACertificateGroupFromSecret ¶
func NewCACertificateGroupFromSecret(secretData map[string][]byte) (*CertificateGroup, error)
func (*CertificateGroup) CreatePem ¶
func (c *CertificateGroup) CreatePem() error
CreatePem encodes the loaded certificate and private key as PEM and stores the results on the group (CertPEM and PrivKeyPEM).
func (*CertificateGroup) GetCert ¶
func (c *CertificateGroup) GetCert() *x509.Certificate
func (*CertificateGroup) GetCertificate ¶
func (c *CertificateGroup) GetCertificate() (tls.Certificate, error)
GetCertificate returns the group's certificate and private key as a tls.Certificate.
func (*CertificateGroup) GetKey ¶
func (c *CertificateGroup) GetKey() crypto.PrivateKey
func (*CertificateGroup) ImportFromPem ¶
func (c *CertificateGroup) ImportFromPem() error
func (*CertificateGroup) MarshalKeyToPem ¶
func (c *CertificateGroup) MarshalKeyToPem(privKey crypto.PrivateKey) (*bytes.Buffer, error)
type ClientCertificateVerifyError ¶
type ClientCertificateVerifyError struct {
// contains filtered or unexported fields
}
func (*ClientCertificateVerifyError) Error ¶
func (e *ClientCertificateVerifyError) Error() string
type InvalidCertificateKindError ¶
type InvalidCertificateKindError struct{}
func (*InvalidCertificateKindError) Error ¶
func (e *InvalidCertificateKindError) Error() string
type NoClientCertSendError ¶
type NoClientCertSendError struct{}
func (*NoClientCertSendError) Error ¶
func (e *NoClientCertSendError) Error() string
type RegisterClientVerifyError ¶
type RegisterClientVerifyError struct {
// contains filtered or unexported fields
}
func (*RegisterClientVerifyError) Error ¶
func (e *RegisterClientVerifyError) Error() string
type RequestAuthKey ¶
type RequestAuthKey string
RequestAuthKey is the context key type under which the authentication value is stored on the request context and later validated by VerifyRequest.
type RequestAuthVal ¶
type TLSConfig ¶
type TLSConfig struct { Domains []string LocalhostEnabled bool // contains filtered or unexported fields }
func NewMTLSConfig ¶
func (*TLSConfig) CreateRegistrationClientCerts ¶
func (*TLSConfig) InitCertificates ¶
func (*TLSConfig) SetCAProvider ¶
func (conf *TLSConfig) SetCAProvider(caProviders []CAProvider)
@TODO mainly used for testing, maybe not needed at all
func (*TLSConfig) SetClientExpiration ¶
SetClientExpiration sets the validity period, in days, used for client certificates.