Documentation
Index
- Constants
- func CheckIfGardenSecretsRenewalCompletedInAllSeeds(ctx context.Context, c client.Client, operationAnnotation string) error
- func CreateNewServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func DeleteOldServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func GetResourcesForRewrite(discoveryClient discovery.DiscoveryInterface, resourcesToEncrypt []string, ...) ([]schema.GroupVersionKind, string, error)
- func PatchAPIServerDeploymentMeta(ctx context.Context, c client.Client, namespace, name string, ...) error
- func RenewGardenSecretsInAllSeeds(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func RewriteEncryptedDataAddLabel(ctx context.Context, log logr.Logger, runtimeClient client.Client, ...) error
- func RewriteEncryptedDataRemoveLabel(ctx context.Context, log logr.Logger, runtimeClient client.Client, ...) error
- func SnapshotETCDAfterRewritingEncryptedData(ctx context.Context, runtimeClient client.Client, ...) error
Constants
const (
	// AnnotationKeyNewEncryptionKeyPopulated is an annotation indicating that the new ETCD encryption key was populated
	AnnotationKeyNewEncryptionKeyPopulated = "credentials.gardener.cloud/new-encryption-key-populated"
	// AnnotationKeyResourcesLabeled is an annotation indicating the completion of labeling the resources with the credentials.gardener.cloud/key-name label
	AnnotationKeyResourcesLabeled = "credentials.gardener.cloud/resources-labeled"
	// AnnotationKeyEtcdSnapshotted is an annotation indicating that ETCD snapshot was completed
	AnnotationKeyEtcdSnapshotted = "credentials.gardener.cloud/etcd-snapshotted"
)
Variables
This section is empty.
Functions
func CheckIfGardenSecretsRenewalCompletedInAllSeeds (added in v1.80.0)
func CheckIfGardenSecretsRenewalCompletedInAllSeeds(ctx context.Context, c client.Client, operationAnnotation string) error
CheckIfGardenSecretsRenewalCompletedInAllSeeds checks if renewal of garden secrets is completed for all seeds.
func CreateNewServiceAccountSecrets
func CreateNewServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, secretsManager secretsmanager.Interface) error
CreateNewServiceAccountSecrets creates new secrets for all service accounts in the target cluster. This should only be executed in the 'Preparing' phase of the service account signing key rotation operation.
func DeleteOldServiceAccountSecrets
func DeleteOldServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, serviceAccountLastInitiationFinishedTime time.Time) error
DeleteOldServiceAccountSecrets deletes old secrets for all service accounts in the target cluster. This should only be executed in the 'Completing' phase of the service account signing key rotation operation.
func GetResourcesForRewrite (added in v1.86.0)
func GetResourcesForRewrite(
	discoveryClient discovery.DiscoveryInterface,
	resourcesToEncrypt []string,
	encryptedResources []string,
	defaultGVKs []schema.GroupVersionKind,
) (
	[]schema.GroupVersionKind,
	string,
	error,
)
GetResourcesForRewrite returns a list of schema.GroupVersionKind for all the resources that need to be rewritten, either due to an encryption key rotation or a change in the list of resources requiring encryption.
func PatchAPIServerDeploymentMeta (added in v1.76.0)
func PatchAPIServerDeploymentMeta(ctx context.Context, c client.Client, namespace, name string, mutate func(deployment *metav1.PartialObjectMetadata)) error
PatchAPIServerDeploymentMeta patches metadata of an API Server deployment.
func RenewGardenSecretsInAllSeeds (added in v1.80.0)
func RenewGardenSecretsInAllSeeds(ctx context.Context, log logr.Logger, c client.Client, operationAnnotation string) error
RenewGardenSecretsInAllSeeds annotates all seeds to trigger renewal of their garden secrets.
func RewriteEncryptedDataAddLabel (added in v1.73.0)
func RewriteEncryptedDataAddLabel(
	ctx context.Context,
	log logr.Logger,
	runtimeClient client.Client,
	clientSet kubernetes.Interface,
	secretsManager secretsmanager.Interface,
	namespace string,
	name string,
	resourcesToEncrypt []string,
	encryptedResources []string,
	defaultGVKs []schema.GroupVersionKind,
) error
RewriteEncryptedDataAddLabel patches all encrypted data in all namespaces of the target cluster and adds a label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all encrypted data to be rewritten to ETCD so that it becomes encrypted with the new key. After it is done, it snapshots ETCD so that backups can be restored in case the cluster is lost before the next incremental snapshot has been taken.
func RewriteEncryptedDataRemoveLabel (added in v1.73.0)
func RewriteEncryptedDataRemoveLabel(
	ctx context.Context,
	log logr.Logger,
	runtimeClient client.Client,
	targetClientSet kubernetes.Interface,
	namespace string,
	name string,
	resourcesToEncrypt []string,
	encryptedResources []string,
	defaultGVKs []schema.GroupVersionKind,
) error
RewriteEncryptedDataRemoveLabel patches all encrypted data in all namespaces of the target cluster and removes the label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all encrypted data to be rewritten to ETCD so that it becomes encrypted with the new key.
func SnapshotETCDAfterRewritingEncryptedData (added in v1.73.0)
func SnapshotETCDAfterRewritingEncryptedData(
	ctx context.Context,
	runtimeClient client.Client,
	snapshotEtcd func(ctx context.Context) error,
	namespace string,
	name string,
) error
SnapshotETCDAfterRewritingEncryptedData performs a full snapshot of ETCD after the encrypted data (such as secrets) has been rewritten as part of the ETCD encryption secret rotation. After it is done, it adds an annotation to the API server deployment so that no further snapshot is taken once one has succeeded.
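As an added illustration of the mechanism described for RewriteEncryptedDataAddLabel and SnapshotETCDAfterRewritingEncryptedData (a constructed model, not Gardener's own code): objects are patched with the credentials.gardener.cloud/key-name label only when the label does not already name the current key secret, and completion of each step is recorded in the API server deployment's annotations so that an interrupted or repeated run skips work that is already done. The Object and Deployment types, the function names and the "true" annotation value are assumptions, and the deployment's annotations map is assumed to be initialized.

```go
package main

// Keys come from the package constants documented above; the "true" value is an assumption.
const (
	LabelKeyName                  = "credentials.gardener.cloud/key-name"
	AnnotationKeyResourcesLabeled = "credentials.gardener.cloud/resources-labeled"
	AnnotationKeyEtcdSnapshotted  = "credentials.gardener.cloud/etcd-snapshotted"
)

// Constructed stand-ins for an encrypted object's and the API server deployment's metadata.
type Object struct{ Labels map[string]string }
type Deployment struct{ Annotations map[string]string } // Annotations must be non-nil

// RewriteWithLabel patches every object whose key-name label does not yet name the current
// encryption key secret (the patch rewrites it to etcd under the new key) and returns the
// number patched; objects already labeled by an interrupted earlier run are left alone.
func RewriteWithLabel(objs []*Object, currentKeySecret string, dep *Deployment) int {
	if dep.Annotations[AnnotationKeyResourcesLabeled] == "true" {
		return 0 // labeling already completed in an earlier run
	}
	patched := 0
	for _, o := range objs {
		if o.Labels[LabelKeyName] == currentKeySecret {
			continue
		}
		if o.Labels == nil {
			o.Labels = map[string]string{}
		}
		o.Labels[LabelKeyName] = currentKeySecret
		patched++
	}
	dep.Annotations[AnnotationKeyResourcesLabeled] = "true"
	return patched
}

// SnapshotOnce takes the post-rewrite full snapshot unless the deployment already records one.
// A failed snapshot leaves the annotation unset so that the next reconciliation retries it.
func SnapshotOnce(dep *Deployment, snapshot func() error) (bool, error) {
	if dep.Annotations[AnnotationKeyEtcdSnapshotted] == "true" {
		return false, nil
	}
	if err := snapshot(); err != nil {
		return false, err
	}
	dep.Annotations[AnnotationKeyEtcdSnapshotted] = "true"
	return true, nil
}
```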
Types
This section is empty.