const PublicKeyBlockType … const CertificateBlockType … type CertConfig … // NewCertificateAuthority creates new certificate and private key for the certificate authority func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error) { … } // NewIntermediateCertificateAuthority creates new certificate and private key for an intermediate certificate authority func NewIntermediateCertificateAuthority(parentCert *x509.Certificate, parentKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error) { … } // NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error) { … } // NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error) { … } // HasServerAuth returns true if the given certificate is a ServerAuth func HasServerAuth(cert *x509.Certificate) bool { … } // WriteCertAndKey stores certificate and key at the specified location func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error { … } // WriteCert stores the given certificate at the given location func WriteCert(pkiPath, name string, cert *x509.Certificate) error { … } // WriteCertBundle stores the given certificate bundle at the given location func WriteCertBundle(pkiPath, name string, certs []*x509.Certificate) error { … } // WriteKey stores the given key at the given location func WriteKey(pkiPath, name string, key crypto.Signer) error { … } // WriteCSR writes the pem-encoded CSR data to csrPath. // The CSR file will be created with file mode 0600. // If the CSR file already exists, it will be overwritten. // The parent directory of the csrPath will be created as needed with file mode 0700. func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error { … } // WritePublicKey stores the given public key at the given location func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error { … } // CertOrKeyExist returns a boolean whether the cert or the key exists func CertOrKeyExist(pkiPath, name string) bool { … } // CSROrKeyExist returns true if one of the CSR or key exists func CSROrKeyExist(csrDir, name string) bool { … } // TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error) { … } // TryLoadCertFromDisk tries to load the cert from the disk func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) { … } // TryLoadCertChainFromDisk tries to load the cert chain from the disk func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error) { … } // TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error) { … } // TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error) { … } // PathsForCertAndKey returns the paths for the certificate and key given the path and basename. func PathsForCertAndKey(pkiPath, name string) (string, string) { … } func pathForCert(pkiPath, name string) string { … } func pathForKey(pkiPath, name string) string { … } func pathForPublicKey(pkiPath, name string) string { … } func pathForCSR(pkiPath, name string) string { … } // GetAPIServerAltNames builds an AltNames object for to be used when generating apiserver certificate func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error) { … } // GetEtcdAltNames builds an AltNames object for generating the etcd server certificate. // `advertise address` and localhost are included in the SAN since this is the interfaces the etcd static pod listens on. // The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.ServerCertSANs`. func GetEtcdAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error) { … } // GetEtcdPeerAltNames builds an AltNames object for generating the etcd peer certificate. // Hostname and `API.AdvertiseAddress` are included if the user chooses to promote the single node etcd cluster into a multi-node one (stacked etcd). // The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.PeerCertSANs`. func GetEtcdPeerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error) { … } // getAltNames builds an AltNames object with the cfg and certName. func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil.AltNames, error) { … } // appendSANsToAltNames parses SANs from as list of strings and adds them to altNames for use on a specific cert // altNames is passed in with a pointer, and the struct is modified // valid IP address strings are parsed and added to altNames.IPs as net.IP's // RFC-1123 compliant DNS strings are added to altNames.DNSNames as strings // RFC-1123 compliant wildcard DNS strings are added to altNames.DNSNames as strings // certNames is used to print user facing warnings and should be the name of the cert the altNames will be used for func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName string) { … } // EncodeCSRPEM returns PEM-encoded CSR data func EncodeCSRPEM(csr *x509.CertificateRequest) []byte { … } // NewCSR creates a new CSR func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error) { … } // EncodeCertPEM returns PEM-encoded certificate data func EncodeCertPEM(cert *x509.Certificate) []byte { … } // EncodeCertBundlePEM returns PEM-encoded certificate bundle func EncodeCertBundlePEM(certs []*x509.Certificate) ([]byte, error) { … } // EncodePublicKeyPEM returns PEM-encoded public data func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error) { … } var NewPrivateKey … // rsaKeySizeFromAlgorithmType takes a known RSA algorithm defined in the kubeadm API // an returns its key size. For unknown types it returns 0. For an empty type it returns // the default size of 2048. func rsaKeySizeFromAlgorithmType(keyType kubeadmapi.EncryptionAlgorithmType) int { … } // GeneratePrivateKey is the default function for generating private keys. func GeneratePrivateKey(keyType kubeadmapi.EncryptionAlgorithmType) (crypto.Signer, error) { … } // NewSignedCert creates a signed certificate using the given CA certificate and key func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) { … } // NewSelfSignedCACert creates a new self-signed CA certificate func NewSelfSignedCACert(cfg *CertConfig, key crypto.Signer) (*x509.Certificate, error) { … } // RemoveDuplicateAltNames removes duplicate items in altNames. func RemoveDuplicateAltNames(altNames *certutil.AltNames) { … } // ValidateCertPeriod checks if the certificate is valid relative to the current time // (+/- offset) func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error { … } // VerifyCertChain verifies that a certificate has a valid chain of // intermediate CAs back to the root CA func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error { … }