kubernetes: k8s.io/kubernetes/cmd/kubeadm/app/phases/certs Index | Files | Directories

package certs

import "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"

Index

Package Files

certlist.go certs.go doc.go

Variables 

var (
    // KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
    KubeadmCertRootCA = KubeadmCert{
        Name:     "ca",
        LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
        BaseName: kubeadmconstants.CACertAndKeyBaseName,
        // contains filtered or unexported fields
    }
    // KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
    KubeadmCertAPIServer = KubeadmCert{
        Name:     "apiserver",
        LongName: "certificate for serving the Kubernetes API",
        BaseName: kubeadmconstants.APIServerCertAndKeyBaseName,
        CAName:   "ca",
        // contains filtered or unexported fields
    }
    // KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
    KubeadmCertKubeletClient = KubeadmCert{
        Name:     "apiserver-kubelet-client",
        LongName: "certificate for the API server to connect to kubelet",
        BaseName: kubeadmconstants.APIServerKubeletClientCertAndKeyBaseName,
        CAName:   "ca",
        // contains filtered or unexported fields
    }

    // KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
    KubeadmCertFrontProxyCA = KubeadmCert{
        Name:     "front-proxy-ca",
        LongName: "self-signed CA to provision identities for front proxy",
        BaseName: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
        // contains filtered or unexported fields
    }

    // KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.
    KubeadmCertFrontProxyClient = KubeadmCert{
        Name:     "front-proxy-client",
        BaseName: kubeadmconstants.FrontProxyClientCertAndKeyBaseName,
        LongName: "certificate for the front proxy client",
        CAName:   "front-proxy-ca",
        // contains filtered or unexported fields
    }

    // KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
    KubeadmCertEtcdCA = KubeadmCert{
        Name:     "etcd-ca",
        LongName: "self-signed CA to provision identities for etcd",
        BaseName: kubeadmconstants.EtcdCACertAndKeyBaseName,
        // contains filtered or unexported fields
    }
    // KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
    KubeadmCertEtcdServer = KubeadmCert{
        Name:     "etcd-server",
        LongName: "certificate for serving etcd",
        BaseName: kubeadmconstants.EtcdServerCertAndKeyBaseName,
        CAName:   "etcd-ca",
        // contains filtered or unexported fields
    }
    // KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
    KubeadmCertEtcdPeer = KubeadmCert{
        Name:     "etcd-peer",
        LongName: "certificate for etcd nodes to communicate with each other",
        BaseName: kubeadmconstants.EtcdPeerCertAndKeyBaseName,
        CAName:   "etcd-ca",
        // contains filtered or unexported fields
    }
    // KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
    KubeadmCertEtcdHealthcheck = KubeadmCert{
        Name:     "etcd-healthcheck-client",
        LongName: "certificate for liveness probes to healthcheck etcd",
        BaseName: kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName,
        CAName:   "etcd-ca",
        // contains filtered or unexported fields
    }
    // KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
    KubeadmCertEtcdAPIClient = KubeadmCert{
        Name:     "apiserver-etcd-client",
        LongName: "certificate the apiserver uses to access etcd",
        BaseName: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
        CAName:   "etcd-ca",
        // contains filtered or unexported fields
    }
)

func CreateCACertAndKeyFiles Uses

func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error

CreateCACertAndKeyFiles generates and writes out a given certificate authority. The certSpec should be one of the variables from this package.

func CreateCSR Uses

func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error

CreateCSR creates a certificate signing request

func CreateCertAndKeyFilesWithCA Uses

func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error

CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. The certSpec and caCertSpec should both be one of the variables from this package.

func CreatePKIAssets Uses

func CreatePKIAssets(cfg *kubeadmapi.InitConfiguration) error

CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. If the PKI assets already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.

func CreateServiceAccountKeyAndPublicKeyFiles Uses

func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error

CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. If the sa public/private key files already exist in the target folder, they are used only if evaluated equals; otherwise an error is returned.

func LoadCertificateAuthority Uses

func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error)

LoadCertificateAuthority tries to load a CA in the given directory with the given name.

func NewCSR Uses

func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, crypto.Signer, error)

NewCSR will generate a new CSR and accompanying key

func SharedCertificateExists Uses

func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

SharedCertificateExists verifies if the shared certificates - the certificates that must be equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub + etcd/ca.key, etcd/ca.crt if local/stacked etcd

func UsingExternalCA Uses

func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case when the CA Cert is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.

func UsingExternalFrontProxyCA Uses

func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)

UsingExternalFrontProxyCA determines whether the user is relying on an external front-proxy CA. We currently implicitly determine this is the case when the front proxy CA Cert is present but the front proxy CA Key is not. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.

type CertificateMap Uses

type CertificateMap map[string]*KubeadmCert

CertificateMap is a flat map of certificates, keyed by Name.

func (CertificateMap) CertTree Uses

func (m CertificateMap) CertTree() (CertificateTree, error)

CertTree returns a one-level-deep tree, mapping a CA cert to an array of certificates that should be signed by it.

type CertificateTree Uses

type CertificateTree map[*KubeadmCert]Certificates

CertificateTree is represents a one-level-deep tree, mapping a CA to the certs that depend on it.

func (CertificateTree) CreateTree Uses

func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error

CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.

type Certificates Uses

type Certificates []*KubeadmCert

Certificates is a list of Certificates that Kubeadm should create.

func GetCertsWithoutEtcd Uses

func GetCertsWithoutEtcd() Certificates

GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.

func GetDefaultCertList Uses

func GetDefaultCertList() Certificates

GetDefaultCertList returns all of the certificates kubeadm requires to function.

func (Certificates) AsMap Uses

func (c Certificates) AsMap() CertificateMap

AsMap returns the list of certificates as a map, keyed by name.

type KubeadmCert Uses

type KubeadmCert struct {
    Name     string
    LongName string
    BaseName string
    CAName   string
    // contains filtered or unexported fields
}

KubeadmCert represents a certificate that Kubeadm will create to function properly.

func (*KubeadmCert) CreateAsCA Uses

func (k *KubeadmCert) CreateAsCA(ic *kubeadmapi.InitConfiguration) (*x509.Certificate, crypto.Signer, error)

CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.

func (*KubeadmCert) CreateFromCA Uses

func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, caKey crypto.Signer) error

CreateFromCA makes and writes a certificate using the given CA cert and key.

func (*KubeadmCert) GetConfig Uses

func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*pkiutil.CertConfig, error)

GetConfig returns the definition for the given cert given the provided InitConfiguration

Directories

PathSynopsis
renewal

Package certs imports 12 packages (graph) and is imported by 30 packages. Updated 2020-05-22. Refresh now. Tools for package owners.