mtls

package v0.2.0 Latest
Warning: This package is not in the latest version of its module.
Published: Jul 13, 2022 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

const (
	YggdrasilRegisterAuth = 1
	YggdrasilCompleteAuth = 0
)
const (
	CASecretName    = "flotta-ca"
	HostTLSCertName = "flotta-host-certificate"

	CertRegisterCN = "register"
)
const (
	ECPrivateKeyBlockType  = "EC PRIVATE KEY"
	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
)

Variables

This section is empty.

Functions

func VerifyRequest

func VerifyRequest(r *http.Request, verifyType int, verifyOpts x509.VerifyOptions, CACertChain []*x509.Certificate,
	authzKey RequestAuthKey, logger *zap.SugaredLogger) (bool, error)

VerifyRequest checks the certificate according to the scenario required. Registration endpoint: any signed certificate is accepted, even if it is expired. All other endpoints: the certificate must be valid. It returns true if the request is allowed; when it returns false it also returns an error with the main reason. @TODO check here the list of rejected certificates.

Types

type CAProvider

type CAProvider interface {
	GetName() string
	GetCACertificate() (*CertificateGroup, error)
	CreateRegistrationCertificate(name string) (map[string][]byte, error)
	SignCSR(CSRPem string, commonName string, namespace string, expiration time.Time) ([]byte, error)
	GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)
}

CAProvider: the main reason to have an interface here is to be able to extend this to future certificate providers, like:
- Vault
- ACME protocol
It is kept as an interface so that in the future users can decide.

type CASecretProvider

type CASecretProvider struct {
	// contains filtered or unexported fields
}

@TODO Add a watcher on the secret if it's manually updated to renew the latestCA

func NewCASecretProvider

func NewCASecretProvider(client client.Client, namespace string) *CASecretProvider

func (*CASecretProvider) CreateRegistrationCertificate

func (config *CASecretProvider) CreateRegistrationCertificate(name string) (map[string][]byte, error)

func (*CASecretProvider) GetCACertificate

func (config *CASecretProvider) GetCACertificate() (*CertificateGroup, error)

func (*CASecretProvider) GetName

func (config *CASecretProvider) GetName() string

func (*CASecretProvider) GetServerCertificate

func (config *CASecretProvider) GetServerCertificate(dnsNames []string, localhostEnabled bool) (*CertificateGroup, error)

func (*CASecretProvider) SignCSR

func (config *CASecretProvider) SignCSR(CSRPem string, commonName string, namespace string, expiration time.Time) ([]byte, error)

SignCSR signs a new CertificateRequest and returns the PEM certificate. This function is going to be called a lot, so using the cached config.latestCA ensures that the API server is not overloaded by it. Because the CM is always managed by this provider, it should be safe to use that cached copy.

type CertificateGroup

type CertificateGroup struct {
	CertPEM    *bytes.Buffer
	PrivKeyPEM *bytes.Buffer
	// contains filtered or unexported fields
}

CertificateGroup provides a set of helper methods for working with certificates.

func NewCACertificateGroupFromSecret

func NewCACertificateGroupFromSecret(secretData map[string][]byte) (*CertificateGroup, error)

func (*CertificateGroup) CreatePem

func (c *CertificateGroup) CreatePem() error

CreatePem creates the PEM encoding from the loaded certificate and key and stores it in the group's buffers.

func (*CertificateGroup) GetCert

func (c *CertificateGroup) GetCert() *x509.Certificate

func (*CertificateGroup) GetCertificate

func (c *CertificateGroup) GetCertificate() (tls.Certificate, error)

GetCertificate returns the certificate group in tls.Certificate format.

func (*CertificateGroup) GetKey

func (c *CertificateGroup) GetKey() crypto.PrivateKey

func (*CertificateGroup) GetNewKey

func (c *CertificateGroup) GetNewKey() (crypto.Signer, error)

func (*CertificateGroup) ImportFromPem

func (c *CertificateGroup) ImportFromPem() error

func (*CertificateGroup) MarshalKeyToPem

func (c *CertificateGroup) MarshalKeyToPem(privKey crypto.PrivateKey) (*bytes.Buffer, error)

type ClientCertificateVerifyError

type ClientCertificateVerifyError struct {
	// contains filtered or unexported fields
}

func (*ClientCertificateVerifyError) Error

func (e *ClientCertificateVerifyError) Error() string

type InvalidCertificateKindError

type InvalidCertificateKindError struct{}

func (*InvalidCertificateKindError) Error

func (e *InvalidCertificateKindError) Error() string

type NoClientCertSendError

type NoClientCertSendError struct{}

func (*NoClientCertSendError) Error

func (e *NoClientCertSendError) Error() string

type RegisterClientVerifyError

type RegisterClientVerifyError struct {
	// contains filtered or unexported fields
}

func (*RegisterClientVerifyError) Error

func (e *RegisterClientVerifyError) Error() string

type RequestAuthKey

type RequestAuthKey string

RequestAuthKey is the type of the key used in the request context; the value stored under it is validated in VerifyRequest.

type RequestAuthVal

type RequestAuthVal struct {
	CommonName string
	Namespace  string
}

type TLSConfig

type TLSConfig struct {
	Domains          []string
	LocalhostEnabled bool
	// contains filtered or unexported fields
}

func NewMTLSConfig

func NewMTLSConfig(client client.Client, namespace string, domains []string, localhostEnabled bool) *TLSConfig

func (*TLSConfig) CreateRegistrationClientCerts

func (conf *TLSConfig) CreateRegistrationClientCerts() error

func (*TLSConfig) InitCertificates

func (conf *TLSConfig) InitCertificates() (*tls.Config, []*x509.Certificate, error)

func (*TLSConfig) SetCAProvider

func (conf *TLSConfig) SetCAProvider(caProviders []CAProvider)

@TODO mainly used for testing, maybe not needed at all

func (*TLSConfig) SetClientExpiration

func (conf *TLSConfig) SetClientExpiration(days int) error

SetClientExpiration sets the client expiration time in days

func (*TLSConfig) SignCSR

func (conf *TLSConfig) SignCSR(CSRPem string, commonName string, namespace string) ([]byte, error)

SignCSR signs the given CSRPem using the first CA provider in use.
