Overview ¶
Package pki generates and manages the Kubernetes PKI: the root, Kubernetes, front-proxy and etcd CAs, and the leaf certificates and private keys issued from them.
Constants ¶
const (
	// KubernetesCACN is the default CN for the Kubernetes cluster CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	KubernetesCACN = "kubernetes-ca"
	// KubernetesFrontProxyCACN is the default CN for the Kubernetes front proxy CA certificate,
	// as recommended by https://kubernetes.io/docs/setup/best-practices/certificates/.
	// It is deliberately distinct from KubernetesCACN; see the linked guidance for why the
	// aggregation layer uses its own CA rather than the cluster CA.
	KubernetesFrontProxyCACN = "kubernetes-front-proxy-ca"
)
const (
	// RSABits is the default private key length in bits. The default is 2048, which is the
	// smallest size generally considered acceptable today; 4096-bit keys are stronger but
	// generating them takes roughly 10x longer. Once generation is done in parallel, this
	// default should be increased, at least for the CA keys.
	RSABits = 2048
	// Organization is the default organization (O) name placed in generated certificates.
	// The value is a placeholder and is expected to be overridden per deployment.
	Organization = "organization"
	// ValidityDuration is the default period for which certificates are valid, as a
	// time.ParseDuration string. Defaults to 365 days.
	ValidityDuration = "8760h"
	// RenewThreshold defines the minimum remaining validity time for a certificate before
	// it will be renewed, as a time.ParseDuration string. Defaults to 30 days.
	// NOTE(review): automatic renewal is not implemented yet (see Certificate.Generate), so
	// this threshold is currently informational only.
	RenewThreshold = "720h"
	// X509CertificatePEMHeader is the PEM block type used while encoding X.509 certificates.
	X509CertificatePEMHeader = "CERTIFICATE"
	// RSAPrivateKeyPEMHeader is the PEM block type used while encoding RSA private keys
	// (the PKCS #1 "RSA PRIVATE KEY" form). Anything carrying this block is secret material.
	RSAPrivateKeyPEMHeader = "RSA PRIVATE KEY"
	// RSAPublicKeyPEMHeader is the PEM block type used while encoding RSA public keys.
	RSAPublicKeyPEMHeader = "RSA PUBLIC KEY"
	// RootCACN is the default CN for the root CA certificate.
	RootCACN = "root-ca"
)
const (
	// EtcdCACN is the default CN for the etcd CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	// etcd gets its own CA so that etcd peer/client certificates are not trusted by the
	// Kubernetes API server and vice versa.
	EtcdCACN = "etcd-ca"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Certificate ¶
// Certificate defines the configurable options for a single certificate and, after
// Generate has run, also holds the generated key pair and X.509 certificate.
//
// Because PrivateKey is a serialized field, any JSON/YAML produced from this struct
// contains secret material and must be stored and transmitted accordingly.
type Certificate struct {
	// Organization is the O name placed in the certificate subject; see the Organization constant for the default.
	Organization string `json:"organization,omitempty"`
	// RSABits is the RSA key length in bits; see the RSABits constant for the default.
	RSABits int `json:"rsaBits,omitempty"`
	// ValidityDuration is how long the certificate is valid, as a duration string (e.g. "8760h").
	ValidityDuration string `json:"validityDuration,omitempty"`
	// RenewThreshold is the remaining validity below which the certificate should be renewed,
	// as a duration string. NOTE(review): renewal is not implemented yet, see Generate.
	RenewThreshold string `json:"renewThreshold,omitempty"`
	// CommonName is the CN of the certificate subject.
	CommonName string `json:"commonName,omitempty"`
	// CA marks this certificate as a CA, i.e. one allowed to sign other certificates
	// (presumably sets the basicConstraints CA flag — confirm in Generate).
	CA bool `json:"ca,omitempty"`
	// KeyUsage lists the requested key usages. The accepted string values are not visible
	// here — check Validate for the supported set.
	KeyUsage []string `json:"keyUsage,omitempty"`
	// IPAddresses are presumably the IP subject alternative names to include.
	IPAddresses []string `json:"ipAddresses,omitempty"`
	// DNSNames are presumably the DNS subject alternative names to include.
	DNSNames []string `json:"dnsNames,omitempty"`
	// X509Certificate holds the generated (or supplied) X.509 certificate.
	X509Certificate types.Certificate `json:"x509Certificate,omitempty"`
	// PublicKey holds the generated public key (PEM, see RSAPublicKeyPEMHeader).
	PublicKey string `json:"publicKey,omitempty"`
	// PrivateKey holds the generated private key. This is secret material: it is serialized
	// along with the rest of the struct, so treat the whole object as a secret.
	PrivateKey types.PrivateKey `json:"privateKey,omitempty"`
}
Certificate defines the configurable options for each certificate and, once Generate has run, holds the generated key pair and X.509 certificate. Note that the private key is part of the serialized form, so the struct must be handled as secret material.
func (*Certificate) Generate ¶
func (c *Certificate) Generate(ca *Certificate) error
Generate ensures that all fields of the certificate are populated.
This function currently supports: - Generating new RSA private key and public key. - Generating new X.509 certificates.
NOT implemented functionality: - Renewing certificates based on expiry time (so the RenewThreshold setting does not yet trigger renewal; expiry must be tracked externally). - Renewing X.509 certificate after RSA private key renewal. - Renewing issued certificate during CA renewal.
func (*Certificate) Validate ¶
func (c *Certificate) Validate() error
Validate validates the certificate configuration.
type Etcd ¶
// Etcd stores the etcd PKI (CA, peer, server and client certificates) and their settings.
type Etcd struct {
	// Inline Certificate struct, so some settings can be applied as defaults for all etcd certificates.
	Certificate
	// CA is the etcd CA used to issue the peer, server and client certificates below.
	CA *Certificate `json:"ca,omitempty"`
	// Peers configures the peer certificates to issue. The meaning of key and value
	// (presumably member name -> address) is not visible here — confirm in Generate.
	Peers map[string]string `json:"peers,omitempty"`
	// Servers configures the server certificates to issue; same key/value caveat as Peers.
	Servers map[string]string `json:"servers,omitempty"`
	// ClientCNs lists the CNs for which client certificates are issued.
	ClientCNs []string `json:"clientCNs,omitempty"`
	// PeerCertificates holds the generated peer certificates, keyed as in Peers.
	PeerCertificates map[string]*Certificate `json:"peerCertificates,omitempty"`
	// ServerCertificates holds the generated server certificates, keyed as in Servers.
	ServerCertificates map[string]*Certificate `json:"serverCertificates,omitempty"`
	// ClientCertificates holds the generated client certificates, keyed by CN.
	ClientCertificates map[string]*Certificate `json:"clientCertificates,omitempty"`
}
Etcd stores the etcd PKI (its CA plus the peer, server and client certificates) and the settings used to generate them.
func (*Etcd) Generate ¶
func (e *Etcd) Generate(rootCA *Certificate, defaultCertificate Certificate) error
Generate generates etcd PKI.
type KubeAPIServer ¶
// KubeAPIServer stores the kube-apiserver certificates and the settings used to generate them.
type KubeAPIServer struct {
	// Inline Certificate struct, so some settings can be applied as defaults for all
	// kube-apiserver certificates.
	Certificate
	// ExternalNames are presumably the extra DNS names (e.g. a load balancer hostname)
	// added to the server certificate — confirm in Generate.
	ExternalNames []string `json:"externalNames,omitempty"`
	// ServerIPs are presumably the IP addresses added to the server certificate.
	ServerIPs []string `json:"serverIPs,omitempty"`
	// ServerCertificate is the TLS serving certificate of kube-apiserver.
	ServerCertificate *Certificate `json:"serverCertificate,omitempty"`
	// KubeletCertificate is the client certificate kube-apiserver uses to talk to kubelets.
	KubeletCertificate *Certificate `json:"kubeletCertificate,omitempty"`
	// FrontProxyClientCertificate is the client certificate presented to aggregated API
	// servers; it should be issued by the front proxy CA, not the cluster CA.
	FrontProxyClientCertificate *Certificate `json:"frontProxyClientCertificate,omitempty"`
}
KubeAPIServer stores kube-apiserver certificates.
type Kubernetes ¶
// Kubernetes stores the Kubernetes PKI (cluster CA, front proxy CA and the control-plane
// certificates issued from them) and the settings used to generate them.
type Kubernetes struct {
	// Inline Certificate struct, so some settings can be applied as defaults for all Kubernetes certificates.
	Certificate
	// CA is the Kubernetes cluster CA.
	CA *Certificate `json:"ca,omitempty"`
	// FrontProxyCA is the separate CA for the aggregation layer (front proxy).
	FrontProxyCA *Certificate `json:"frontProxyCA,omitempty"`
	// KubeAPIServer holds the kube-apiserver certificates.
	KubeAPIServer *KubeAPIServer `json:"kubeAPIServer,omitempty"`
	// AdminCertificate is the cluster-admin client certificate; it grants full cluster
	// access and must be protected accordingly.
	AdminCertificate *Certificate `json:"adminCertificate,omitempty"`
	// KubeControllerManagerCertificate is the kube-controller-manager client certificate.
	KubeControllerManagerCertificate *Certificate `json:"kubeControllerManagerCertificate,omitempty"`
	// KubeSchedulerCertificate is the kube-scheduler client certificate.
	KubeSchedulerCertificate *Certificate `json:"kubeSchedulerCertificate,omitempty"`
	// ServiceAccountCertificate holds the key pair used for service account tokens;
	// its private key signs every service account token, so it is especially sensitive.
	ServiceAccountCertificate *Certificate `json:"serviceAccountCertificate,omitempty"`
}
Kubernetes stores Kubernetes PKI and settings.
func (*Kubernetes) Generate ¶
func (k *Kubernetes) Generate(rootCA *Certificate, defaultCertificate Certificate) error
Generate generates Kubernetes PKI.
type PKI ¶
// PKI contains the configuration and all generated certificates and private keys
// required for running Kubernetes. Serializing it yields every private key in the
// cluster PKI, so the result must be handled as a secret.
type PKI struct {
	// Inline Certificate struct, so some settings can be applied as defaults for all certificates in PKI.
	Certificate
	// RootCA contains the configuration and the generated root CA certificate and private key.
	RootCA *Certificate `json:"rootCA,omitempty"`
	// Etcd contains the configuration and all generated etcd certificates and private keys.
	Etcd *Etcd `json:"etcd,omitempty"`
	// Kubernetes contains the configuration and all generated Kubernetes certificates and private keys.
	Kubernetes *Kubernetes `json:"kubernetes,omitempty"`
}
PKI contains the configuration and all generated certificates and private keys required for running Kubernetes. Since the private keys are part of the serialized form, any file or API payload produced from this struct holds the complete cluster PKI secrets and must be protected accordingly.