Documentation

Index

Constants

View Source
const (
	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
	// RunOnceContextKey is a context value key that can be used to call the controller Sync() and make it only run the syncWorker once and report error.
	RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once"
)
View Source
const (
	// ManagedCertificateTypeLabelName marks config map or secret as object that contains managed certificates.
	// This groups all objects that store certs and allow easy query to get them all.
	// The value of this label should be set to "true".
	ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type"
)

Variables

This section is empty.

Functions

func GetCertRotationScale

func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)

    GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.

    func LabelAsManagedConfigMap

    func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)

      LabelAsManagedConfigMap add label indicating the given config map contains certificates that are managed.

      func LabelAsManagedSecret

      func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)

        LabelAsManagedConfigMap add label indicating the given secret contains certificates that are managed.

        func NewCertRotationController

        func NewCertRotationController(
        	name string,
        	signingRotation SigningRotation,
        	caBundleRotation CABundleRotation,
        	targetRotation TargetRotation,
        	operatorClient v1helpers.StaticPodOperatorClient,
        	recorder events.Recorder,
        ) factory.Controller

        Types

        type CABundleRotation

        type CABundleRotation struct {
        	Namespace string
        	Name      string
        
        	Informer      corev1informers.ConfigMapInformer
        	Lister        corev1listers.ConfigMapLister
        	Client        corev1client.ConfigMapsGetter
        	EventRecorder events.Recorder
        }

          CABundleRotation maintains a CA bundle config map, but adding new CA certs and removing expired old ones.

          type CertRotationController

          type CertRotationController struct {
          	SigningRotation  SigningRotation
          	CABundleRotation CABundleRotation
          	TargetRotation   TargetRotation
          	OperatorClient   v1helpers.StaticPodOperatorClient
          	// contains filtered or unexported fields
          }

            CertRotationController does:

            1) continuously create a self-signed signing CA (via SigningRotation).

            It creates the next one when a given percentage of the validity of the old CA has passed.
            

            2) maintain a CA bundle with all not yet expired CA certs. 3) continuously create a target cert and key signed by the latest signing CA

            It creates the next one when a given percentage of the validity of the previous cert has
            passed, or when a new CA has been created.
            

            func (CertRotationController) Sync

            type CertificateType

            type CertificateType string
            var (
            	CertificateTypeCABundle CertificateType = "ca-bundle"
            	CertificateTypeSigner   CertificateType = "signer"
            	CertificateTypeTarget   CertificateType = "target"
            	CertificateTypeUnknown  CertificateType = "unknown"
            )

            func CertificateTypeFromObject

            func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)

              CertificateTypeFromObject returns the CertificateType based on the annotations of the object.

              type ClientRotation

              type ClientRotation struct {
              	UserInfo user.Info
              }

              func (*ClientRotation) NeedNewTargetCertKeyPair

              func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string

              func (*ClientRotation) NewCertificate

              func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

              func (*ClientRotation) SetAnnotations

              func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

              type ServingHostnameFunc

              type ServingHostnameFunc func() []string

              type ServingRotation

              type ServingRotation struct {
              	Hostnames              ServingHostnameFunc
              	CertificateExtensionFn []crypto.CertificateExtensionFunc
              	HostnamesChanged       <-chan struct{}
              }

              func (*ServingRotation) NeedNewTargetCertKeyPair

              func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string

              func (*ServingRotation) NewCertificate

              func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

              func (*ServingRotation) RecheckChannel

              func (r *ServingRotation) RecheckChannel() <-chan struct{}

              func (*ServingRotation) SetAnnotations

              func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

              type SignerRotation

              type SignerRotation struct {
              	SignerName string
              }

              func (*SignerRotation) NeedNewTargetCertKeyPair

              func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string

              func (*SignerRotation) NewCertificate

              func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

              func (*SignerRotation) SetAnnotations

              func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

              type SigningRotation

              type SigningRotation struct {
              	Namespace              string
              	Name                   string
              	Validity               time.Duration
              	Refresh                time.Duration
              	RefreshOnlyWhenExpired bool
              
              	Informer      corev1informers.SecretInformer
              	Lister        corev1listers.SecretLister
              	Client        corev1client.SecretsGetter
              	EventRecorder events.Recorder
              }

                SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when <RefreshPercentage> of the lifetime of the old CA has passed.

                type TargetCertCreator

                type TargetCertCreator interface {
                	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
                	NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string
                	// SetAnnotations gives an option to override or set additional annotations
                	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
                }

                type TargetCertRechecker

                type TargetCertRechecker interface {
                	RecheckChannel() <-chan struct{}
                }

                type TargetRotation

                type TargetRotation struct {
                	Namespace string
                	Name      string
                	Validity  time.Duration
                	Refresh   time.Duration
                	// RefreshOnlyWhenExpired allows rotating only certs that are already expired. (for autorecovery)
                	// If false (regular flow) it rotates at the refresh interval but no later then 4/5 of the cert lifetime.
                	RefreshOnlyWhenExpired bool
                
                	CertCreator TargetCertCreator
                
                	Informer      corev1informers.SecretInformer
                	Lister        corev1listers.SecretLister
                	Client        corev1client.SecretsGetter
                	EventRecorder events.Recorder
                }

                  TargetRotation rotates a key and cert signed by a CA. It creates a new one when <RefreshPercentage> of the lifetime of the old cert has passed, or if the common name of the CA changes.