certificate

package certificate, v1.72.1
Published: Jun 9, 2023 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 28 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

DigestedName is an alias for gardenletbootstraputil.DigestedName. Exposed for testing.

var (

	// EventGardenletCertificateRotationFailed is an event reason to describe a failed Gardenlet certificate rotation.
	EventGardenletCertificateRotationFailed = "GardenletCertificateRotationFailed"
)

Functions

func GetCurrentCertificate added in v1.34.0

func GetCurrentCertificate(log logr.Logger, gardenKubeconfig []byte, gardenClientConnection *config.GardenClientConnection) (*tls.Certificate, error)

GetCurrentCertificate returns the client certificate which is currently used to communicate with the garden cluster.

func RequestCertificate

func RequestCertificate(
	ctx context.Context,
	log logr.Logger,
	client kubernetesclientset.Interface,
	certificateSubject *pkix.Name,
	dnsSANs []string,
	ipSANs []net.IP,
	validityDuration *metav1.Duration,
) (
	[]byte,
	[]byte,
	string,
	error,
)

RequestCertificate creates a certificate signing request for the Gardenlet and sends it to the API server, then watches the object's status. Once the request is approved by the gardener-controller-manager, it returns the certificate issued by the kube-controller-manager (PEM-encoded). If any error occurs, or the watch times out, it returns an error.

Types

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager can be used to schedule the certificate rotation for the Gardenlet's Garden cluster client certificate.

func NewCertificateManager

func NewCertificateManager(log logr.Logger, gardenCluster cluster.Cluster, seedClient client.Client, config *config.GardenletConfiguration) (*Manager, error)

NewCertificateManager creates a certificate manager that can be used to rotate the gardenlet's client certificate for the Garden cluster.

func (*Manager) ScheduleCertificateRotation

func (cr *Manager) ScheduleCertificateRotation(ctx context.Context, gardenletCancel context.CancelFunc, recorder record.EventRecorder) error

ScheduleCertificateRotation waits until the currently used Garden cluster client certificate approaches expiration. It then requests a new certificate and stores the kubeconfig in a secret (`gardenClientConnection.kubeconfigSecret`) on the Seed. The gardenletCancel argument is a context.CancelFunc used to cancel the Gardenlet's context for graceful termination after a successful certificate rotation. When the new gardenlet pod starts, it uses the rotated certificate stored in the secret in the Seed cluster.
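As an added example (not code from the Gardener package), the pieces a caller of this package deals with around GetCurrentCertificate, RequestCertificate and ScheduleCertificateRotation: deciding when the current client certificate "approaches expiration", building the CSR from the same subject and SAN inputs that RequestCertificate takes, and confirming that the issued PEM certificate is bound to the key that was generated before it is written into the kubeconfig secret. The rotation fraction, the function names and the key-binding check are this example's assumptions, not gardenlet's own logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"time"
)

// rotationDeadline returns when to renew: once the given fraction of the certificate's
// validity has elapsed (an assumed policy for this example, not gardenlet's own threshold).
func rotationDeadline(cert *x509.Certificate, fraction float64) time.Time {
	return cert.NotBefore.Add(time.Duration(float64(cert.NotAfter.Sub(cert.NotBefore)) * fraction))
}

// buildCSR encodes a PEM CSR from the subject and SAN inputs RequestCertificate takes,
// signed with a fresh P-256 key that the caller keeps for the rotated kubeconfig.
func buildCSR(subject pkix.Name, dnsSANs []string, ipSANs []net.IP) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: subject, DNSNames: dnsSANs, IPAddresses: ipSANs}, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// checkIssued parses the PEM certificate handed back for the CSR and confirms it is bound to our key.
func checkIssued(certPEM []byte, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("issued data is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("issued certificate does not match the requested key")
	}
	return cert, nil
}
```

The certificate passed to rotationDeadline would in practice be the Leaf of the *tls.Certificate that GetCurrentCertificate returns; the checkIssued input is the PEM bytes RequestCertificate hands back.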
