



const (
	// The names of the files that should contain the CA certificate and the TLS key pair.
	// NOTE(review): these appear to be the file names expected in CAConfig.CertDir /
	// CAConfig.SelfSignedCertDir — confirm against the loader code.
	CACertFile  = "ca.crt" // CA certificate (PEM) that validates the server certificate
	TLSCertFile = "tls.crt" // server (leaf) certificate
	TLSKeyFile  = "tls.key" // server private key; must be kept readable only by the controller process
const (
	// Default names of the Kubernetes objects used by antrea-controller for its
	// CA bundle, its TLS Secret and its Service (see CAConfig for their roles).
	AntreaCAConfigMapName         = "antrea-ca"
	AntreaControllerTLSSecretName = "antrea-controller-tls"
	AntreaServiceName             = "antrea"
const (
	// CAConfigMapKey is the data key under which the CA certificate is stored in
	// the CA ConfigMap (presumably the one named by CAConfig.CAConfigMapName — verify).
	CAConfigMapKey = "ca.crt"




func GetAntreaServerNames

func GetAntreaServerNames(serviceName string) []string

GetAntreaServerNames returns the DNS names that the TLS certificate will be issued for, derived from the given Service name.

func GetCAConfigMapNamespace

func GetCAConfigMapNamespace() string


type CACertController

type CACertController struct {
	// contains filtered or unexported fields

CACertController is responsible for taking the CA certificate from the caContentProvider and publishing it to the CA ConfigMap and to the APIServices, so that clients can validate the TLS certificate of antrea-controller.

func ApplyServerCert

func ApplyServerCert(selfSignedCert bool,
	client kubernetes.Interface,
	aggregatorClient clientset.Interface,
	apiExtensionClient apiextensionclientset.Interface,
	secureServing *options.SecureServingOptionsWithLoopback,
	caConfig *CAConfig) (*CACertController, error)

func (*CACertController) Enqueue

func (c *CACertController) Enqueue()

Enqueue is called on every CA certificate change once CACertController has been registered as a listener for such changes.

func (*CACertController) Run

func (c *CACertController) Run(ctx context.Context, workers int)

Run starts the CACertController and blocks until the context is canceled.

func (*CACertController) RunOnce

func (c *CACertController) RunOnce(ctx context.Context) error

RunOnce runs a single sync step to ensure that a valid starting configuration is in place before the controller starts serving.

func (*CACertController) UpdateCertificate

func (c *CACertController) UpdateCertificate(ctx context.Context) error

type CAConfig added in v1.5.0

type CAConfig struct {
	// Name of the ConfigMap that will hold the CA certificate that validates the TLS
	// certificate of antrea-controller.
	CAConfigMapName string

	// Name of the Secret that will hold the self-signed TLS certificate and key of antrea-controller.
	// If set, the certificate and key will be stored in the Secret for future reuse.
	// Because the Secret contains the server's private key, read access to it is equivalent
	// to being able to impersonate antrea-controller; restrict it via RBAC accordingly.
	TLSSecretName string

	// APIServiceSelector provides the label to select APIServices backed by antrea-controller. Using labels as a filter
	// to select APIServices is more flexible than maintaining a list of APIService names, e.g., cluster admin can remove
	// unneeded APIServices in a setup without Antrea code changes.
	APIServiceSelector *metav1.LabelSelector

	// ValidatingWebhookSelector provides the label to select ValidatingWebhookConfigurations backed by antrea-controller.
	ValidatingWebhookSelector *metav1.LabelSelector

	// MutationWebhookSelector provides the label to select MutatingWebhookConfigurations backed by antrea-controller.
	MutationWebhookSelector *metav1.LabelSelector

	// CRDConversionWebhookSelector provides the label to select the ConversionWebhooks backed by antrea-controller.
	CRDConversionWebhookSelector *metav1.LabelSelector

	// CertDir is the directory that the TLS Secret should be mounted to. Declaring it as a variable for testing.
	CertDir string

	// SelfSignedCertDir is the dir Antrea self signed certificates are created in.
	SelfSignedCertDir string

	// CertReadyTimeout is the timeout we will wait for the TLS Secret being ready. Declaring it as a variable for testing.
	CertReadyTimeout time.Duration

	// MinValidDuration is the minimal remaining valid duration for the self-signed certificate. It must be rotated once
	// the time until the certificate expires becomes shorter than this duration.
	MinValidDuration time.Duration
	// ServiceName is the name of the Service fronting antrea-controller; presumably passed to
	// GetAntreaServerNames to derive the DNS names the certificate is issued for — confirm against callers.
	ServiceName string
	// PairName is the base name of the certificate/key pair. NOTE(review): its exact use (file
	// naming vs. Secret naming) is not visible here — verify before relying on it.
	PairName string
