Overview
Package certmanager centralises the TLS certificate lifecycle for Orkestra.
Orkestra generates self-signed TLS certificates when security features (deletion protection, admission webhooks, conversion webhooks) are enabled and the operator has not been given explicit TLS_CERT/TLS_KEY paths. This package owns that lifecycle: generation, Secret storage, and optional deletion on graceful shutdown.
Architecture
Manager is the public interface; k8sManager is its only production implementation. The separation lets tests inject a fake without importing client-go fakes into every caller.
Secret shape
The generated Secret is of type kubernetes.io/tls and carries three keys:
- tls.crt — PEM-encoded signed server certificate
- tls.key — PEM-encoded server private key
- ca.crt — PEM-encoded CA certificate (used as caBundle in webhook configs)
The Secret is labelled with the deletion-protection label so that Orkestra's own admission webhook will reject accidental delete requests against it.
Shutdown cleanup
When DeletionProtection.CleanupOnShutdown is true, the HealthServer calls DeleteCertificateAndSecret during Shutdown(). A NotFound error is silently ignored — the operator may have been restarted without the Secret present.
Usage

```go
mgr := certmanager.New(kube.Clientset())
bundle, err := mgr.EnsureCertificate(ctx, certmanager.CertificateSpec{
	ServiceName: "orkestra",
	Namespace:   "orkestra-system",
	SecretName:  certmanager.DefaultTLSSecretName,
	ValidFor:    "1y",
	BaseLabels:  kfg.OrkestraResourceLabels(),
})
if err != nil {
	return err
}
// bundle.CACertPEM is the material that goes into the webhook configurations' caBundle.
```
Variables

```go
var DefaultTLSSecretName = konfig.DefaultInternalTLSName()
```
DefaultTLSSecretName is the Secret name used for Orkestra's auto-generated TLS bundle.
Types

type CertificateSpec

```go
type CertificateSpec struct {
	// ServiceName is the Kubernetes Service that will serve the certificate (e.g. "orkestra").
	ServiceName string
	// Namespace is the namespace where the Service and Secret live.
	Namespace string
	// SecretName is the name of the Secret to create or update.
	SecretName string
	// ValidFor is the certificate validity duration string ("1y", "90d", etc.).
	ValidFor string
	// BaseLabels are the labels to apply to the Secret in addition to the deletion-protection label.
	BaseLabels map[string]string
}
```
CertificateSpec describes the TLS certificate Orkestra should generate and store.
type Manager

```go
type Manager interface {
	// EnsureCertificate generates a TLS bundle and stores it in a Kubernetes Secret.
	// If the Secret already exists it is updated in-place.
	EnsureCertificate(ctx context.Context, spec CertificateSpec) (*TLSBundle, error)
	// DeleteCertificateAndSecret removes the TLS Secret from the cluster.
	// A NotFound error is silently ignored.
	DeleteCertificateAndSecret(ctx context.Context, namespace, secretName string) error
}
```
Manager handles TLS certificate generation and Secret lifecycle.
func New

```go
func New(client kubernetes.Interface) Manager
```
New returns a Manager backed by the given Kubernetes client.
type TLSBundle (added in v0.3.1)

```go
type TLSBundle struct {
	CertPEM   []byte // tls.crt — signed server certificate, PEM
	KeyPEM    []byte // tls.key — server private key, PEM
	CACertPEM []byte // ca.crt — CA certificate, PEM (for caBundle in webhooks)
}
```
TLSBundle holds the generated certificate material.
func GenerateTLSBundle (added in v0.3.1)
GenerateTLSBundle generates a self-signed CA and a server certificate signed by it. The server certificate has the given common name and DNS SANs. validFor is the certificate validity duration ("1y", "90d", etc.).
Returns a TLSBundle containing PEM-encoded cert, key, and CA cert. All three are stored in the Secret so consumers have what they need:
- tls.crt + tls.key for the server
- ca.crt for clients that need to verify the server cert
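The following is an added example, not Orkestra's own code, that works through what the Secret shape and GenerateTLSBundle sections describe: a self-signed CA, a server certificate signed by it with the given common name and DNS SANs, the three-key layout of a kubernetes.io/tls Secret, and the check a webhook client performs when it is handed ca.crt as caBundle. The parseValidFor helper, the use of ECDSA P-256 keys, the "-ca" suffix on the CA's CN and the Service DNS names are assumptions of this example and are not taken from the package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSBundle mirrors the three PEM blobs the package stores in the Secret.
type TLSBundle struct {
	CertPEM   []byte // tls.crt
	KeyPEM    []byte // tls.key
	CACertPEM []byte // ca.crt
}

// parseValidFor is an assumed parser for "1y" / "90d"; time.ParseDuration knows neither unit.
func parseValidFor(s string) (time.Duration, error) {
	units := map[string]time.Duration{"y": 365 * 24 * time.Hour, "d": 24 * time.Hour}
	for suffix, unit := range units {
		if n, err := strconv.Atoi(strings.TrimSuffix(s, suffix)); err == nil && n > 0 && strings.HasSuffix(s, suffix) {
			return time.Duration(n) * unit, nil
		}
	}
	return time.ParseDuration(s) // fall back to Go's own syntax, e.g. "720h"
}

// GenerateTLSBundle (added example, not the package's code): self-signed CA plus a server cert signed by it.
func GenerateTLSBundle(commonName string, dnsNames []string, validFor string) (*TLSBundle, error) {
	ttl, err := parseValidFor(validFor)
	if err != nil {
		return nil, err
	}
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(ttl)
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName + "-ca"}, // assumed naming
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     dnsNames, // the SANs a client will match against
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA signs itself (parent == template), then signs the server certificate.
	caDER, err1 := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvDER, err2 := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	keyDER, err3 := x509.MarshalECPrivateKey(srvKey)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	return &TLSBundle{
		CertPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
		KeyPEM:    pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		CACertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
	}, nil
}

// SecretData lays the bundle out under the key names of a kubernetes.io/tls Secret.
func SecretData(b *TLSBundle) map[string][]byte {
	return map[string][]byte{"tls.crt": b.CertPEM, "tls.key": b.KeyPEM, "ca.crt": b.CACertPEM}
}

// VerifySecretData is the check a webhook client makes with caBundle: trust only
// ca.crt and require tls.crt to chain to it for dnsName with the serverAuth EKU.
func VerifySecretData(data map[string][]byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(data["ca.crt"]) {
		return errors.New("ca.crt: no certificate found")
	}
	block, _ := pem.Decode(data["tls.crt"])
	if block == nil {
		return errors.New("tls.crt: not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	}
	return err
}
```

Calling GenerateTLSBundle("orkestra", []string{"orkestra.orkestra-system.svc"}, "1y") and passing SecretData of the result to VerifySecretData succeeds for that DNS name and fails for any other name or when ca.crt is absent, which is exactly why the CA certificate is stored in the Secret next to the server pair: without it a webhook client has nothing to anchor trust to.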