certrotation

package

v0.0.0-...-dab26bb Latest Latest Go to latest Published: Apr 2, 2019 License: Apache-2.0 Imports: 28 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/openshift-cherrypick-robot/library-go

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)
type CABundleRotation
type CertRotationController
- func NewCertRotationController(name string, signingRotation SigningRotation, ...) (*CertRotationController, error)
- func (c *CertRotationController) Run(workers int, stopCh <-chan struct{})
type ClientRotation
type ServingHostnameFunc
type ServingRotation
type SignerRotation
type SigningRotation
type TargetCertCreator
type TargetCertRechecker
type TargetRotation

Constants ¶

View Source

const (
	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
)

Variables ¶

This section is empty.

Functions ¶

func GetCertRotationScale ¶

func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)

GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.

Types ¶

type CABundleRotation ¶

type CABundleRotation struct {
	Namespace string
	Name      string

	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}

CABundleRotation maintains a CA bundle config map, but adding new CA certs and removing expired old ones.

type CertRotationController ¶

type CertRotationController struct {
	SigningRotation  SigningRotation
	CABundleRotation CABundleRotation
	TargetRotation   TargetRotation
	OperatorClient   v1helpers.StaticPodOperatorClient
	// contains filtered or unexported fields
}

CertRotationController does:

continuously create a self-signed signing CA (via SigningRotation). It creates the next one when a given percentage of the validity of the old CA has passed.
maintain a CA bundle with all not yet expired CA certs.
continuously create a target cert and key signed by the latest signing CA It creates the next one when a given percentage of the validity of the previous cert has passed, or when a new CA has been created.

func NewCertRotationController ¶

func NewCertRotationController(
	name string,
	signingRotation SigningRotation,
	caBundleRotation CABundleRotation,
	targetRotation TargetRotation,
	operatorClient v1helpers.StaticPodOperatorClient,
) (*CertRotationController, error)

func (*CertRotationController) Run ¶

func (c *CertRotationController) Run(workers int, stopCh <-chan struct{})

type ClientRotation ¶

type ClientRotation struct {
	UserInfo user.Info
}

func (*ClientRotation) NeedNewTargetCertKeyPair ¶

func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ClientRotation) NewCertificate ¶

func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ClientRotation) SetAnnotations ¶

func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type ServingHostnameFunc ¶

type ServingHostnameFunc func() []string

type ServingRotation ¶

type ServingRotation struct {
	Hostnames              ServingHostnameFunc
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}

func (*ServingRotation) NeedNewTargetCertKeyPair ¶

func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ServingRotation) NewCertificate ¶

func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ServingRotation) RecheckChannel ¶

func (r *ServingRotation) RecheckChannel() <-chan struct{}

func (*ServingRotation) SetAnnotations ¶

func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SignerRotation ¶

type SignerRotation struct {
	SignerName string
}

func (*SignerRotation) NeedNewTargetCertKeyPair ¶

func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*SignerRotation) NewCertificate ¶

func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*SignerRotation) SetAnnotations ¶

func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SigningRotation ¶

type SigningRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when <RefreshPercentage> of the lifetime of the old CA has passed.

type TargetCertCreator ¶

type TargetCertCreator interface {
	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
	NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
	// SetAnnotations gives an option to override or set additional annotations
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}

type TargetCertRechecker ¶

type TargetCertRechecker interface {
	RecheckChannel() <-chan struct{}
}

type TargetRotation ¶

type TargetRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	CertCreator TargetCertCreator

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

TargetRotation rotates a key and cert signed by a CA. It creates a new one when <RefreshPercentage> of the lifetime of the old cert has passed, or if the common name of the CA changes.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL