import "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate)
CheckCertificatePeriodValidity takes a certificate and prints a warning if its period is not valid related to the current time. It does so only if the certificate was not validated already by keeping track with a cache.
func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCACertAndKeyFiles generates and writes out a given certificate authority. The certSpec should be one of the variables from this package.
func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error
CreateCSR creates a certificate signing request
func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. The certSpec and caCertSpec should both be one of the variables from this package.
func CreateDefaultKeysAndCSRFiles(out io.Writer, config *kubeadmapi.InitConfiguration) error
CreateDefaultKeysAndCSRFiles is used in ExternalCA mode to create key files and adjacent CSR files.
func CreatePKIAssets(cfg *kubeadmapi.InitConfiguration) error
CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. If the PKI assets already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.
func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error
CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. If the sa public/private key files already exist in the target folder, they are used only if evaluated equals; otherwise an error is returned.
func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error)
LoadCertificateAuthority tries to load a CA in the given directory with the given name.
func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, crypto.Signer, error)
NewCSR will generate a new CSR and accompanying key
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
SharedCertificateExists verifies if the shared certificates - the certificates that must be equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub + etcd/ca.key, etcd/ca.crt if local/stacked etcd Missing keys are non-fatal and produce warnings.
func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case when the CA Cert is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.
func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
UsingExternalFrontProxyCA determines whether the user is relying on an external front-proxy CA. We currently implicitly determine this is the case when the front proxy CA Cert is present but the front proxy CA Key is not. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.
type CertificateMap map[string]*KubeadmCert
CertificateMap is a flat map of certificates, keyed by Name.
func (m CertificateMap) CertTree() (CertificateTree, error)
CertTree returns a one-level-deep tree, mapping a CA cert to an array of certificates that should be signed by it.
type CertificateTree map[*KubeadmCert]Certificates
CertificateTree is represents a one-level-deep tree, mapping a CA to the certs that depend on it.
func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error
CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.
type Certificates []*KubeadmCert
Certificates is a list of Certificates that Kubeadm should create.
func GetCertsWithoutEtcd() Certificates
GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.
func GetDefaultCertList() Certificates
GetDefaultCertList returns all of the certificates kubeadm requires to function.
func (c Certificates) AsMap() CertificateMap
AsMap returns the list of certificates as a map, keyed by name.
type KubeadmCert struct { Name string LongName string BaseName string CAName string // contains filtered or unexported fields }
KubeadmCert represents a certificate that Kubeadm will create to function properly.
func KubeadmCertAPIServer() *KubeadmCert
KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
func KubeadmCertEtcdAPIClient() *KubeadmCert
KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
func KubeadmCertEtcdCA() *KubeadmCert
KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
func KubeadmCertEtcdHealthcheck() *KubeadmCert
KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
func KubeadmCertEtcdPeer() *KubeadmCert
KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
func KubeadmCertEtcdServer() *KubeadmCert
KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
func KubeadmCertFrontProxyCA() *KubeadmCert
KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
func KubeadmCertFrontProxyClient() *KubeadmCert
KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.
func KubeadmCertKubeletClient() *KubeadmCert
KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
func KubeadmCertRootCA() *KubeadmCert
KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
func (k *KubeadmCert) CreateAsCA(ic *kubeadmapi.InitConfiguration) (*x509.Certificate, crypto.Signer, error)
CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, caKey crypto.Signer) error
CreateFromCA makes and writes a certificate using the given CA cert and key.
func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*pkiutil.CertConfig, error)
GetConfig returns the definition for the given cert given the provided InitConfiguration
Path | Synopsis |
---|---|
renewal |
Package certs imports 14 packages (graph) and is imported by 41 packages. Updated 2020-12-27. Refresh now. Tools for package owners.