dynamiccertificates

package
v0.0.0-...-d88c8b5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 9, 2021 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var FileRefreshDuration = 1 * time.Minute

FileRefreshDuration is exposed so that integration tests can crank up the reload speed.

Functions

func GetHumanCertDetail

func GetHumanCertDetail(certificate *x509.Certificate) string

GetHumanCertDetail is a convenient method for printing compact details of certificate that helps when debugging kube-apiserver usage of certs.

Types

type CAContentProvider

type CAContentProvider interface {
	// Name is just an identifier
	Name() string
	// CurrentCABundleContent provides ca bundle byte content.  Errors can be contained to the controllers initializing
	// the value.  By the time you get here, you should always be returning a value that won't fail.
	CurrentCABundleContent() []byte
	// VerifyOptions provides VerifyOptions for authenticators
	VerifyOptions() (x509.VerifyOptions, bool)
}

CAContentProvider provides ca bundle byte content

func NewStaticCAContent

func NewStaticCAContent(name string, caBundle []byte) (CAContentProvider, error)

NewStaticCAContent returns a CAContentProvider that always returns the same value

func NewUnionCAContentProvider

func NewUnionCAContentProvider(caContentProviders ...CAContentProvider) CAContentProvider

NewUnionCAContentProvider returns a CAContentProvider that is a union of other CAContentProviders

type CertKeyContentProvider

type CertKeyContentProvider interface {
	// Name is just an identifier
	Name() string
	// CurrentCertKeyContent provides cert and key byte content
	CurrentCertKeyContent() ([]byte, []byte)
}

CertKeyContentProvider provides a certificate and matching private key

func NewStaticCertKeyContent

func NewStaticCertKeyContent(name string, cert, key []byte) (CertKeyContentProvider, error)

NewStaticCertKeyContent returns a CertKeyContentProvider that always returns the same value

type ConfigMapCAController

type ConfigMapCAController struct {
	// contains filtered or unexported fields
}

ConfigMapCAController provies a CAContentProvider that can dynamically react to configmap changes It also fulfills the authenticator interface to provide verifyoptions

func NewDynamicCAFromConfigMapController

func NewDynamicCAFromConfigMapController(purpose, namespace, name, key string, kubeClient kubernetes.Interface) (*ConfigMapCAController, error)

NewDynamicCAFromConfigMapController returns a CAContentProvider based on a configmap that automatically reloads content. It is near-realtime via an informer.

func (*ConfigMapCAController) AddListener

func (c *ConfigMapCAController) AddListener(listener Listener)

AddListener adds a listener to be notified when the CA content changes.

func (*ConfigMapCAController) CurrentCABundleContent

func (c *ConfigMapCAController) CurrentCABundleContent() []byte

CurrentCABundleContent provides ca bundle byte content

func (*ConfigMapCAController) Name

func (c *ConfigMapCAController) Name() string

Name is just an identifier

func (*ConfigMapCAController) Run

func (c *ConfigMapCAController) Run(workers int, stopCh <-chan struct{})

Run starts the kube-apiserver and blocks until stopCh is closed.

func (*ConfigMapCAController) RunOnce

func (c *ConfigMapCAController) RunOnce() error

RunOnce runs a single sync loop

func (*ConfigMapCAController) VerifyOptions

func (c *ConfigMapCAController) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions provides verifyoptions compatible with authenticators

type ControllerRunner

type ControllerRunner interface {
	// RunOnce runs the sync loop a single time.  This useful for synchronous priming
	RunOnce() error

	// Run should be called a go .Run
	Run(workers int, stopCh <-chan struct{})
}

ControllerRunner is a generic interface for starting a controller

type DynamicCertKeyPairContent

type DynamicCertKeyPairContent struct {
	// contains filtered or unexported fields
}

DynamicCertKeyPairContent provides a CertKeyContentProvider that can dynamically react to new file content

func NewDynamicServingContentFromFiles

func NewDynamicServingContentFromFiles(purpose, certFile, keyFile string) (*DynamicCertKeyPairContent, error)

NewDynamicServingContentFromFiles returns a dynamic CertKeyContentProvider based on a cert and key filename

func (*DynamicCertKeyPairContent) AddListener

func (c *DynamicCertKeyPairContent) AddListener(listener Listener)

AddListener adds a listener to be notified when the serving cert content changes.

func (*DynamicCertKeyPairContent) CurrentCertKeyContent

func (c *DynamicCertKeyPairContent) CurrentCertKeyContent() ([]byte, []byte)

CurrentCertKeyContent provides cert and key byte content

func (*DynamicCertKeyPairContent) Name

Name is just an identifier

func (*DynamicCertKeyPairContent) Run

func (c *DynamicCertKeyPairContent) Run(workers int, stopCh <-chan struct{})

Run starts the controller and blocks until stopCh is closed.

func (*DynamicCertKeyPairContent) RunOnce

func (c *DynamicCertKeyPairContent) RunOnce() error

RunOnce runs a single sync loop

type DynamicFileCAContent

type DynamicFileCAContent struct {
	// contains filtered or unexported fields
}

DynamicFileCAContent provies a CAContentProvider that can dynamically react to new file content It also fulfills the authenticator interface to provide verifyoptions

func NewDynamicCAContentFromFile

func NewDynamicCAContentFromFile(purpose, filename string) (*DynamicFileCAContent, error)

NewDynamicCAContentFromFile returns a CAContentProvider based on a filename that automatically reloads content

func (*DynamicFileCAContent) AddListener

func (c *DynamicFileCAContent) AddListener(listener Listener)

AddListener adds a listener to be notified when the CA content changes.

func (*DynamicFileCAContent) CurrentCABundleContent

func (c *DynamicFileCAContent) CurrentCABundleContent() (cabundle []byte)

CurrentCABundleContent provides ca bundle byte content

func (*DynamicFileCAContent) Name

func (c *DynamicFileCAContent) Name() string

Name is just an identifier

func (*DynamicFileCAContent) Run

func (c *DynamicFileCAContent) Run(workers int, stopCh <-chan struct{})

Run starts the kube-apiserver and blocks until stopCh is closed.

func (*DynamicFileCAContent) RunOnce

func (c *DynamicFileCAContent) RunOnce() error

RunOnce runs a single sync loop

func (*DynamicFileCAContent) VerifyOptions

func (c *DynamicFileCAContent) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions provides verifyoptions compatible with authenticators

type DynamicFileSNIContent

type DynamicFileSNIContent struct {
	*DynamicCertKeyPairContent
	// contains filtered or unexported fields
}

DynamicFileSNIContent provides a SNICertKeyContentProvider that can dynamically react to new file content

func NewDynamicSNIContentFromFiles

func NewDynamicSNIContentFromFiles(purpose, certFile, keyFile string, sniNames ...string) (*DynamicFileSNIContent, error)

NewDynamicSNIContentFromFiles returns a dynamic SNICertKeyContentProvider based on a cert and key filename and explicit names

func (*DynamicFileSNIContent) SNINames

func (c *DynamicFileSNIContent) SNINames() []string

SNINames returns explicitly set SNI names for the certificate. These are not dynamic.

type DynamicServingCertificateController

type DynamicServingCertificateController struct {
	// contains filtered or unexported fields
}

DynamicServingCertificateController dynamically loads certificates and provides a golang tls compatible dynamic GetCertificate func.

func NewDynamicServingCertificateController

func NewDynamicServingCertificateController(
	baseTLSConfig *tls.Config,
	clientCA CAContentProvider,
	servingCert CertKeyContentProvider,
	sniCerts []SNICertKeyContentProvider,
	eventRecorder events.EventRecorder,
) *DynamicServingCertificateController

NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date.

func (*DynamicServingCertificateController) BuildNamedCertificates

func (c *DynamicServingCertificateController) BuildNamedCertificates(sniCerts []sniCertKeyContent) (map[string]*tls.Certificate, error)

BuildNamedCertificates returns a map of *tls.Certificate by name. It's suitable for use in tls.Config#NamedCertificates. Returns an error if any of the certs is invalid. Returns nil if len(certs) == 0

func (*DynamicServingCertificateController) Enqueue

Enqueue a method to allow separate control loops to cause the certificate controller to trigger and read content.

func (*DynamicServingCertificateController) GetConfigForClient

func (c *DynamicServingCertificateController) GetConfigForClient(clientHello *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is an implementation of tls.Config.GetConfigForClient

func (*DynamicServingCertificateController) Run

func (c *DynamicServingCertificateController) Run(workers int, stopCh <-chan struct{})

Run starts the kube-apiserver and blocks until stopCh is closed.

func (*DynamicServingCertificateController) RunOnce

RunOnce runs a single sync step to ensure that we have a valid starting configuration.

type Listener

type Listener interface {
	// Enqueue should be called when an input may have changed
	Enqueue()
}

Listener is an interface to use to notify interested parties of a change.

type Notifier

type Notifier interface {
	// AddListener is adds a listener to be notified of potential input changes
	AddListener(listener Listener)
}

Notifier is a way to add listeners

type SNICertKeyContentProvider

type SNICertKeyContentProvider interface {
	CertKeyContentProvider
	// SNINames provides names used for SNI. May return nil.
	SNINames() []string
}

SNICertKeyContentProvider provides a certificate and matching private key as well as optional explicit names

func NewStaticSNICertKeyContent

func NewStaticSNICertKeyContent(name string, cert, key []byte, sniNames ...string) (SNICertKeyContentProvider, error)

NewStaticSNICertKeyContent returns a SNICertKeyContentProvider that always returns the same value

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL