Overview ¶
Package tls provides utilities for working with OpenShift TLS profiles.
Constants ¶
const (
	// APIServerName is the name of the APIServer resource in the cluster from which
	// the TLS security profile and TLS adherence policy are read.
	APIServerName = "cluster"
)
Variables ¶
var (
	// ErrCustomProfileNil is returned when a custom TLS profile is specified but the
	// Custom field is nil, i.e. the profile type asks for custom settings that were never supplied.
	ErrCustomProfileNil = errors.New("custom TLS profile specified but Custom field is nil")

	// DefaultTLSCiphers are the default TLS ciphers for API servers, taken from the
	// Intermediate profile in configv1.TLSProfiles. They apply when no profile is configured.
	DefaultTLSCiphers = configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers //nolint:gochecknoglobals

	// DefaultMinTLSVersion is the default minimum TLS version for API servers, taken from
	// the same Intermediate profile as DefaultTLSCiphers.
	DefaultMinTLSVersion = configv1.TLSProfiles[configv1.TLSProfileIntermediateType].MinTLSVersion //nolint:gochecknoglobals
)
Functions ¶
func FetchAPIServerTLSAdherencePolicy ¶
func FetchAPIServerTLSAdherencePolicy(ctx context.Context, k8sClient client.Client) (configv1.TLSAdherencePolicy, error)
FetchAPIServerTLSAdherencePolicy fetches the TLS adherence policy configured on the cluster's APIServer resource. If no policy is configured, the default policy is returned.
func FetchAPIServerTLSProfile ¶
func FetchAPIServerTLSProfile(ctx context.Context, k8sClient client.Client) (configv1.TLSProfileSpec, error)
FetchAPIServerTLSProfile fetches the TLS profile spec configured on the cluster's APIServer resource. If no profile is configured, the default profile is returned.
func GetTLSProfileSpec ¶
func GetTLSProfileSpec(profile *configv1.TLSSecurityProfile) (configv1.TLSProfileSpec, error)
GetTLSProfileSpec returns the TLSProfileSpec for the given profile. If no profile is configured, the default profile is returned. A custom profile whose Custom field is nil cannot be resolved (see ErrCustomProfileNil).
func NewTLSConfigFromProfile ¶
func NewTLSConfigFromProfile(profile configv1.TLSProfileSpec) (tlsConfig func(*tls.Config), unsupportedCiphers []string)
NewTLSConfigFromProfile returns a function that configures a tls.Config based on the provided TLSProfileSpec, along with any cipher names from the profile that are not supported by the library-go crypto package. The returned function is intended to be used with controller-runtime's TLSOpts. Callers should surface the returned unsupportedCiphers (for example by logging them), since those ciphers cannot be applied to the tls.Config and would otherwise be dropped without notice.
Note: CipherSuites are only set when MinVersion is below TLS 1.3, because Go's crypto/tls does not allow configuring TLS 1.3 cipher suites: all TLS 1.3 cipher suites are always enabled regardless of the profile. See: https://github.com/golang/go/issues/29349
Types ¶
type SecurityProfileWatcher ¶
type SecurityProfileWatcher struct {
	// Client is the Kubernetes client the watcher uses; presumably Reconcile reads the
	// APIServer object through it — confirm against the implementation.
	client.Client

	// InitialTLSProfileSpec is the TLS profile spec that was configured when the operator started.
	// It is the baseline that the current profile is compared against to detect a change.
	InitialTLSProfileSpec configv1.TLSProfileSpec

	// InitialTLSAdherencePolicy is the TLS adherence policy that was configured when the operator started.
	// It is the baseline for OnAdherencePolicyChange.
	InitialTLSAdherencePolicy configv1.TLSAdherencePolicy

	// OnProfileChange is a function that will be called when the TLS profile changes.
	// It receives the reconcile context, old and new TLS profile specs.
	// This allows the caller to make decisions based on the actual profile changes.
	//
	// The watcher itself does not reload TLS settings: until this callback acts,
	// the process keeps running with the configuration it started with.
	// The most common use case for this callback is
	// to trigger a graceful shutdown of the operator
	// to make it pick up the new configuration.
	//
	// Example:
	//
	//	// Create a context that can be cancelled when there is a need to shut down the manager.
	//	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
	//	defer cancel()
	//
	//	watcher := &SecurityProfileWatcher{
	//		OnProfileChange: func(ctx context.Context, old, new configv1.TLSProfileSpec) {
	//			logger.Infof("TLS profile has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
	//				"old profile", old,
	//				"new profile", new,
	//			)
	//			// Cancel the outer context to trigger a graceful shutdown of the manager.
	//			cancel()
	//		},
	//	}
	OnProfileChange func(ctx context.Context, oldTLSProfileSpec, newTLSProfileSpec configv1.TLSProfileSpec)

	// OnAdherencePolicyChange is a function that will be called when the TLS adherence policy changes.
	// It receives the reconcile context and the old and new policies.
	// NOTE(review): the documentation does not state whether a nil callback is tolerated — confirm
	// before leaving either callback unset.
	OnAdherencePolicyChange func(ctx context.Context, oldTLSAdherencePolicy, newTLSAdherencePolicy configv1.TLSAdherencePolicy)
}
SecurityProfileWatcher watches the APIServer object for TLS profile and adherence policy changes and invokes the configured OnProfileChange / OnAdherencePolicyChange callbacks when they differ from the initial values; the usual callback action is a graceful shutdown so that the operator restarts with the new configuration.
func (*SecurityProfileWatcher) Reconcile ¶
func (r *SecurityProfileWatcher) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)
Reconcile compares the current APIServer TLS profile (and, presumably, the adherence policy) with the initial configuration recorded at startup and invokes the corresponding callback when it has changed; whether that results in a shutdown is decided by the callback, not by Reconcile itself.
func (*SecurityProfileWatcher) SetupWithManager ¶
func (r *SecurityProfileWatcher) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager registers this watcher as a controller with the given controller-runtime Manager.