Overview ¶
Package cert is responsible for generating certs dynamically and loading the certs from external sources.
Constants ¶
// Subject identity shared by the Default* CertConfig values in this package
// (used as the CN and Organization of the generated certificates).
const (
	// KubeArmor_ORG is the certificate subject organization.
	KubeArmor_ORG string = "kubearmor"
	// KubeArmor_CN is the certificate subject common name.
	KubeArmor_CN string = "kubearmor"
)
// Values accepted by TlsConfig.CertProvider, selecting where the client/server
// certificate comes from.
const (
	// SelfCertProvider: certificates are generated dynamically.
	SelfCertProvider string = "self"
	// ExternalCertProvider: certificates are provided using files.
	ExternalCertProvider string = "external"
)
Variables ¶
// DefaultKubeArmorCAConfig is the CertConfig for the KubeArmor CA certificate.
// KeyUsage includes CertSign and CRLSign so the resulting certificate can sign
// leaf certificates and CRLs.
// NOTE(review): KeyEncipherment is not needed on a CA certificate; it is kept
// here only because the package currently defines it that way.
var DefaultKubeArmorCAConfig = CertConfig{
	CN:           KubeArmor_CN,
	Organization: KubeArmor_ORG,
	IsCa:         true, // presumably sets the CA basic constraint in GenerateCA — confirm
	KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
}
// DefaultKubeArmorClientConfig is the CertConfig for a KubeArmor client
// certificate: it is restricted to the ClientAuth extended key usage, so a
// certificate issued from it cannot be presented as a server certificate.
var DefaultKubeArmorClientConfig = CertConfig{
	CN:           KubeArmor_CN,
	Organization: KubeArmor_ORG,
	KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
	ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
// DefaultKubeArmorServerConfig is the CertConfig for a KubeArmor server
// certificate: it is restricted to the ServerAuth extended key usage.
// NOTE(review): no host names / SANs appear in this default; verify that the
// generating function adds them, since peers validating the server name will
// reject a certificate without a matching SAN.
var DefaultKubeArmorServerConfig = CertConfig{
	CN:           KubeArmor_CN,
	Organization: KubeArmor_ORG,
	KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
	ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}
Functions ¶
func GetPemCertFromx509Cert ¶
func GetPemCertFromx509Cert(cert x509.Certificate) []byte
func GetX509KeyPairFromCertBytes ¶
func GetX509KeyPairFromCertBytes(certBytes *CertBytes) (*tls.Certificate, error)
Types ¶
type CertBytes ¶
CertBytes type
func GenerateCA ¶
func GenerateCA(cfg *CertConfig) (*CertBytes, error)
func GenerateSelfSignedCert ¶
func GenerateSelfSignedCert(ca *CertKeyPair, cfg *CertConfig) (*CertBytes, error)
GenerateSelfSignedCert generates a certificate and key signed by the provided CA.
func ReadCertFromFile ¶
ReadCertFromFile reads a certificate key pair from the given path.
func ReadCertFromK8sSecret ¶
func ReadCertFromK8sSecret(client *kubernetes.Clientset, namespace, secret string) (*CertBytes, error)
ReadCertFromK8sSecret reads the certificate from the Kubernetes TLS secret. It assumes the certificate and key are stored under the tls.crt and tls.key keys respectively, which holds for the kubernetes.io/tls secret type; see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
type CertConfig ¶
type CertKeyPair ¶
// CertKeyPair holds a parsed certificate together with its private key.
type CertKeyPair struct {
	Crt *x509.Certificate // parsed certificate
	Key *rsa.PrivateKey   // private key; the type is RSA-only, so non-RSA keys (e.g. ECDSA) cannot be represented here
}
CertKeyPair type
func GenerateCert ¶
func GenerateCert(cfg *CertConfig) (*CertKeyPair, error)
func GetCertKeyPairFromCertBytes ¶
func GetCertKeyPairFromCertBytes(certBytes *CertBytes) (*CertKeyPair, error)
type CertLoader ¶
// CertLoader is implemented by the certificate sources in this package
// (ExternalCertLoader, K8sCertLoader and SelfSignedCertLoader).
type CertLoader interface {
	// GetCertificateAndCaPool returns the certificate (with its key) to present
	// and a CA pool, presumably used to verify the peer — confirm against the
	// TlsCredentialManager implementation.
	GetCertificateAndCaPool() (*tls.Certificate, *x509.CertPool, error)
}
type CertPath ¶
// CertPath describes where a certificate, and optionally its key, is stored.
type CertPath struct {
	Base     string // presumably the directory the file names are resolved against — confirm in GetCACertPath & co.
	CertFile string // certificate file name
	KeyFile  string // key file name; not required if CertOnly is true
	CertOnly bool   // if true, read the certificate only
}
func GetCACertPath ¶
GetCACertPath returns the full path of the CA certificate.
func GetClientCertPath ¶
GetClientCertPath returns the full path of the client certificate.
func GetServerCertPath ¶
GetServerCertPath returns the full path of the server certificate.
type ExternalCertLoader ¶
ExternalCertLoader loads certificates provided by an external source from files.
func (*ExternalCertLoader) GetCertificateAndCaPool ¶
func (loader *ExternalCertLoader) GetCertificateAndCaPool() (*tls.Certificate, *x509.CertPool, error)
type K8sCertLoader ¶
// K8sCertLoader obtains certificates via a Kubernetes TLS secret.
type K8sCertLoader struct {
	CertConfig CertConfig            // certificate configuration; how it is combined with the secret contents is not visible here — confirm
	K8sClient  *kubernetes.Clientset // client used to read the secret
	Namespace  string                // namespace of the secret
	Secret     string                // name of the secret
}
func (*K8sCertLoader) GetCertificateAndCaPool ¶
func (loader *K8sCertLoader) GetCertificateAndCaPool() (*tls.Certificate, *x509.CertPool, error)
type SelfSignedCertLoader ¶
// SelfSignedCertLoader generates a certificate dynamically, signed by the CA
// found at CaCertPath.
type SelfSignedCertLoader struct {
	CaCertPath CertPath   // location of the CA certificate (and key, unless CertOnly)
	CertConfig CertConfig // configuration for the generated certificate
}
SelfSignedCertLoader generates a self-signed certificate dynamically.
func (*SelfSignedCertLoader) GetCertificateAndCaPool ¶
func (loader *SelfSignedCertLoader) GetCertificateAndCaPool() (*tls.Certificate, *x509.CertPool, error)
type TlsConfig ¶
// TlsConfig is the input to NewTlsCredentialManager. It selects the
// certificate provider and where the CA and client/server certificates are
// read from.
type TlsConfig struct {
	// Server/Client Certificate Configurations
	CertCfg CertConfig

	// If the CA is provided using a K8s secret,
	// Namespace, Secret and K8sClient are required.
	ReadCACertFromSecret bool
	Secret               string
	Namespace            string
	K8sClient            *kubernetes.Clientset

	// Path of the CA certificate; presumably used when ReadCACertFromSecret is false — confirm.
	CACertPath CertPath
	// Path of the client/server certificate; presumably used when CertProvider is "external" — confirm.
	CertPath CertPath

	// Source of Client/Server Certificate (see SelfCertProvider / ExternalCertProvider):
	// "self"     : certificates will be generated dynamically
	// "external" : certificates are provided using files
	CertProvider string
}
type TlsCredentialManager ¶
// TlsCredentialManager builds transport credentials
// (credentials.TransportCredentials) for a client or server from the
// certificate and CA pool supplied by CertLoader.
type TlsCredentialManager struct {
	CertLoader CertLoader // source of the certificate and CA pool
}
func NewTlsCredentialManager ¶
func NewTlsCredentialManager(cfg *TlsConfig) *TlsCredentialManager
func (*TlsCredentialManager) CreateTlsClientCredentials ¶
func (manager *TlsCredentialManager) CreateTlsClientCredentials() (credentials.TransportCredentials, error)
func (*TlsCredentialManager) CreateTlsServerCredentials ¶
func (manager *TlsCredentialManager) CreateTlsServerCredentials() (credentials.TransportCredentials, error)