Documentation
Index
- Constants
- func CanReadCertAndKey(certPath, keyPath string) (bool, error)
- func CertsFromFile(file string) ([]*x509.Certificate, error)
- func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
- func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error)
- func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, ...) ([]byte, []byte, error)
- func GenerateSelfSignedCertKeyWithOptions(opts SelfSignedCertKeyOptions) ([]byte, []byte, error)
- func GetClientCANames(apiHost string) ([]string, error)
- func GetClientCANamesForURL(kubeConfigURL string) ([]string, error)
- func GetServingCertificates(apiHost, serverName string) ([]*x509.Certificate, [][]byte, error)
- func GetServingCertificatesForURL(kubeConfigURL, serverName string) ([]*x509.Certificate, [][]byte, error)
- func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error)
- func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error)
- func NewPool(filename string) (*x509.CertPool, error)
- func NewPoolFromBytes(pemBlock []byte) (*x509.CertPool, error)
- func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error)
- func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error)
- func WriteCert(certPath string, data []byte) error
- type AltNames
- type Config
- type SelfSignedCertKeyOptions
Constants
const (
    // CertificateBlockType is a possible value for pem.Block.Type.
    CertificateBlockType = "CERTIFICATE"
    // CertificateRequestBlockType is a possible value for pem.Block.Type.
    CertificateRequestBlockType = "CERTIFICATE REQUEST"
)
Variables
This section is empty.
Functions
func CanReadCertAndKey
func CanReadCertAndKey(certPath, keyPath string) (bool, error)
CanReadCertAndKey returns true if both the certificate and key files already exist, and false if neither exists. If only one of the two files exists, it returns an error.
func CertsFromFile
func CertsFromFile(file string) ([]*x509.Certificate, error)
CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file. Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates.
func EncodeCertificates (added in v0.17.0)
func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
EncodeCertificates returns the PEM-encoded byte array that represents the specified certs.
func GenerateSelfSignedCertKey
func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error)
GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. Host may be an IP or a DNS name. You may also specify additional subject alt names (either IP or DNS names) for the certificate.
func GenerateSelfSignedCertKeyWithFixtures
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error)
GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host. Host may be an IP or a DNS name. You may also specify additional subject alt names (either IP or DNS names) for the certificate.
If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The file names follow the format:
    <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
    <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
Certs/keys that do not exist in that directory are created.
func GenerateSelfSignedCertKeyWithOptions (added in v0.33.0)
func GenerateSelfSignedCertKeyWithOptions(opts SelfSignedCertKeyOptions) ([]byte, []byte, error)
GenerateSelfSignedCertKeyWithOptions generates a self-signed certificate and key based on the provided options.
func GetClientCANames (added in v0.17.0)
func GetClientCANames(apiHost string) ([]string, error)
GetClientCANames gets the CA names for client certs that a server accepts. This is useful when inspecting the state of particular servers. apiHost is "host:port".
func GetClientCANamesForURL (added in v0.17.0)
func GetClientCANamesForURL(kubeConfigURL string) ([]string, error)
GetClientCANamesForURL is GetClientCANames against a URL string like the ones used in kubeconfigs.
func GetServingCertificates (added in v0.17.0)
func GetServingCertificates(apiHost, serverName string) ([]*x509.Certificate, [][]byte, error)
GetServingCertificates returns the x509 certs used by a server, both as parsed certificates and as PEM-encoded bytes. The serverName is optional and specifies a different name with which to request SNI certificates. apiHost is "host:port".
func GetServingCertificatesForURL (added in v0.17.0)
func GetServingCertificatesForURL(kubeConfigURL, serverName string) ([]*x509.Certificate, [][]byte, error)
GetServingCertificatesForURL is GetServingCertificates against a URL string like the ones used in kubeconfigs.
func MakeCSR
func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error)
MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs. All key types that are implemented via crypto.Signer are supported (this includes *rsa.PrivateKey and *ecdsa.PrivateKey).
func MakeCSRFromTemplate
func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error)
MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private key and certificate request as a template. All key types that are implemented via crypto.Signer are supported (this includes *rsa.PrivateKey and *ecdsa.PrivateKey).
func NewPool
func NewPool(filename string) (*x509.CertPool, error)
NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file. Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates.
func NewPoolFromBytes (added in v0.17.0)
func NewPoolFromBytes(pemBlock []byte) (*x509.CertPool, error)
NewPoolFromBytes returns an x509.CertPool containing the certificates in the given PEM-encoded bytes. Returns an error if a certificate could not be parsed, or if the bytes do not contain any certificates.
func NewSelfSignedCACert
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error)
NewSelfSignedCACert creates a self-signed CA certificate from the given Config and signing key.
func ParseCertsPEM
func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error)
ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array. Returns an error if a certificate could not be parsed, or if the data does not contain any certificates.
Types
type AltNames
AltNames contains the domain names and IP addresses that will be added to the API Server's x509 certificate SubAltNames field. The values will be passed directly to the x509.Certificate object.
type Config
type Config struct {
    CommonName   string
    Organization []string
    AltNames     AltNames
    Usages       []x509.ExtKeyUsage
    NotBefore    time.Time
}
Config contains the basic fields required for creating a certificate.
type SelfSignedCertKeyOptions (added in v0.33.0)
type SelfSignedCertKeyOptions struct {
    // Host is required, and identifies the host of the serving certificate. Can be a DNS name or IP address.
    Host string
    // AlternateIPs is optional, and identifies additional IPs the serving certificate should be valid for.
    AlternateIPs []net.IP
    // AlternateDNS is optional, and identifies additional DNS names the serving certificate should be valid for.
    AlternateDNS []string
    // MaxAge controls the duration of the issued certificate.
    // Defaults to 1 year if unset.
    // Ignored if FixtureDirectory is set.
    MaxAge time.Duration
    // FixtureDirectory is intended for use in tests.
    // If non-empty, it is a directory path which can contain pre-generated certs. The format is:
    // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
    // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
    // Certs/keys not existing in that directory are created with a duration of 100 years.
    FixtureDirectory string
}
SelfSignedCertKeyOptions contains configuration parameters for generating self-signed certificates.
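As an added example (not code from this package), the SAN behaviour behind GenerateSelfSignedCertKey, AltNames and NewPoolFromBytes reproduced with the Go standard library only: the host and every alternate name are written into the certificate's SANs, and a pool that trusts the resulting PEM accepts exactly those names. selfSignedCertPEM and verifyName are hypothetical helpers written for this illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)
// selfSignedCertPEM mirrors the GenerateSelfSignedCertKey contract (hypothetical helper, not this
// package's code): host may be an IP or DNS name, altIPs/altDNS become extra SANs; the key is discarded.
func selfSignedCertPEM(host string, altIPs []net.IP, altDNS []string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     altDNS, IPAddresses: altIPs, BasicConstraintsValid: true, IsCA: true,
	}
	// The host itself must be a SAN: Go's verifier never falls back to the CommonName.
	if ip := net.ParseIP(host); ip != nil {
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	} else {
		tmpl.DNSNames = append(tmpl.DNSNames, host)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
// verifyName trusts the PEM cert as the only root (the pool NewPoolFromBytes would build) and
// reports whether it is valid for name, which may be a DNS name or an IP address string.
func verifyName(certPEM []byte, name string) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}
```

With a constructed host api.example.local, alternate IP 10.0.0.1 and alternate DNS name kubernetes.default.svc, verifyName returns true for each of those three names and false for any name not in the SAN list or for input that is not PEM.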