Documentation ¶
Index ¶
- Constants
- func GenCA() (*x509.Certificate, crypto.Signer, error)
- func IsStatic(secret *v1.Secret) bool
- func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error)
- func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error)
- func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error)
- func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error)
- func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error)
- func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool
- func NewPrivateKey() (crypto.Signer, error)
- func NewSelfSignedCACert(key crypto.Signer, cn string, org ...string) (*x509.Certificate, error)
- func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string, ...) (*x509.Certificate, error)
- func NewSignedClientCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string) (*x509.Certificate, error)
- func ParseCertPEM(pemCerts []byte) (*x509.Certificate, error)
- type TLS
- func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
- func (t *TLS) Filter(cn ...string) []string
- func (t *TLS) Merge(target, additional *v1.Secret) (*v1.Secret, bool, error)
- func (t *TLS) Regenerate(secret *v1.Secret) (*v1.Secret, error)
- func (t *TLS) Renew(secret *v1.Secret) (*v1.Secret, error)
- func (t *TLS) Verify(secret *v1.Secret) error
Constants ¶
const (
CertificateBlockType = "CERTIFICATE"
)
const (
Static = "listener.cattle.io/static"
)
Variables ¶
This section is empty.
Functions ¶
func IsStatic ¶
IsStatic returns true if the Secret has an attribute indicating that it contains a static (aka user-provided) certificate, which should not be modified.
func LoadOrGenCA ¶
func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error)
func Marshal ¶
func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error)
Marshal returns the given cert and key as byte slices.
func MarshalChain ¶
func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error)
MarshalChain returns given key and certificates as byte slices.
func NeedsUpdate ¶
NeedsUpdate returns true if any of the CNs are not currently present on the secret's Certificate, as recorded in the cnPrefix annotations. It will return false if all requested CNs are already present, or if maxSANs is non-zero and has been exceeded.
func NewPrivateKey ¶
NewPrivateKey returnes a new ECDSA key
func NewSelfSignedCACert ¶
func NewSignedCert ¶
func NewSignedClientCert ¶
func NewSignedClientCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, cn string) (*x509.Certificate, error)
func ParseCertPEM ¶
func ParseCertPEM(pemCerts []byte) (*x509.Certificate, error)
Types ¶
type TLS ¶
type TLS struct { CACert *x509.Certificate CAKey crypto.Signer CN string Organization []string FilterCN func(...string) []string }
func (*TLS) AddCN ¶
AddCN attempts to add a list of CN strings to a given Secret, returning the potentially-modified Secret along with a bool indicating whether or not it has been updated. The Secret will not be changed if it has an attribute indicating that it is static (aka user-provided), or if no new CNs were added.
func (*TLS) Filter ¶
Filter ensures that the CNs are all valid accorting to both internal logic, and any filter callbacks. The returned list will contain only approved CN entries.
func (*TLS) Merge ¶
Merge combines the SAN lists from the target and additional Secrets, and returns a potentially modified Secret, along with a bool indicating if the returned Secret is not the same as the target Secret.
If the merge would not add any CNs to the additional Secret, the additional Secret is returned, to allow for certificate rotation/regeneration.
If the merge would not add any CNs to the target Secret, the target Secret is returned; no merging is necessary.
If neither certificate is acceptable as-is, a new certificate containing the union of the two lists is generated, using the private key from the first Secret. The returned Secret will contain the updated cert.