Documentation
Index
- Constants
- func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)
- func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)
- func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)
- type CABundleRotation
- type CertRotationController
- type CertificateType
- type ClientRotation
- func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, ...) string
- func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type ServingHostnameFunc
- type ServingRotation
- func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, ...) string
- func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *ServingRotation) RecheckChannel() <-chan struct{}
- func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type SignerRotation
- func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, ...) string
- func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type SigningRotation
- type TargetCertCreator
- type TargetCertRechecker
- type TargetRotation
Constants
const (
	// CertificateNotBeforeAnnotation contains the certificate not-before date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
)
const (
	// ManagedCertificateTypeLabelName marks a config map or secret as an object that contains managed certificates.
	// This groups all objects that store certs and allows an easy query to get them all.
	// The value of this label should be set to "true".
	ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type"
)
Variables
This section is empty.
Functions
func GetCertRotationScale
func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)
GetCertRotationScale returns the scale used for rotation durations. The normal scale is based on a day; the value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.
func LabelAsManagedConfigMap
func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)
LabelAsManagedConfigMap adds a label indicating that the given config map contains certificates that are managed.
func LabelAsManagedSecret
func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)
LabelAsManagedSecret adds a label indicating that the given secret contains certificates that are managed.
Types
type CABundleRotation
type CABundleRotation struct {
	Namespace     string
	Name          string
	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}
CABundleRotation maintains a CA bundle config map by adding new CA certs and removing expired old ones.
type CertRotationController
type CertRotationController struct {
	SigningRotation  SigningRotation
	CABundleRotation CABundleRotation
	TargetRotation   TargetRotation
	OperatorClient   v1helpers.StaticPodOperatorClient
	// contains filtered or unexported fields
}
CertRotationController does:
- continuously create a self-signed signing CA (via SigningRotation). It creates the next one when a given percentage of the validity of the old CA has passed.
- maintain a CA bundle with all not-yet-expired CA certs.
- continuously create a target cert and key signed by the latest signing CA. It creates the next one when a given percentage of the validity of the previous cert has passed, or when a new CA has been created.
func NewCertRotationController
func NewCertRotationController(
	name string,
	signingRotation SigningRotation,
	caBundleRotation CABundleRotation,
	targetRotation TargetRotation,
	operatorClient v1helpers.StaticPodOperatorClient,
) (*CertRotationController, error)
func (*CertRotationController) Run
func (c *CertRotationController) Run(workers int, stopCh <-chan struct{})
func (*CertRotationController) RunOnce
func (c *CertRotationController) RunOnce() error
RunOnce runs the cert rotation logic but does not try to update the static pod status. This eliminates the need to pass an OperatorClient and avoids dubious status writes.
func (*CertRotationController) WaitForReady
func (c *CertRotationController) WaitForReady(stopCh <-chan struct{})
type CertificateType
type CertificateType string
var (
	CertificateTypeCABundle CertificateType = "ca-bundle"
	CertificateTypeSigner   CertificateType = "signer"
	CertificateTypeTarget   CertificateType = "target"
	CertificateTypeUnknown  CertificateType = "unknown"
)
func CertificateTypeFromObject
func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)
CertificateTypeFromObject returns the CertificateType based on the annotations of the object.
type ClientRotation
func (*ClientRotation) NeedNewTargetCertKeyPair
func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
func (*ClientRotation) NewCertificate
func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ClientRotation) SetAnnotations
func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type ServingHostnameFunc
type ServingHostnameFunc func() []string
type ServingRotation
type ServingRotation struct {
	Hostnames              ServingHostnameFunc
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}
func (*ServingRotation) NeedNewTargetCertKeyPair
func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
func (*ServingRotation) NewCertificate
func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ServingRotation) RecheckChannel
func (r *ServingRotation) RecheckChannel() <-chan struct{}
func (*ServingRotation) SetAnnotations
func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type SignerRotation
type SignerRotation struct {
	SignerName string
}
func (*SignerRotation) NeedNewTargetCertKeyPair
func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
func (*SignerRotation) NewCertificate
func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*SignerRotation) SetAnnotations
func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type SigningRotation
type SigningRotation struct {
	Namespace     string
	Name          string
	Validity      time.Duration
	Refresh       time.Duration
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}
SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when <RefreshPercentage> of the lifetime of the old CA has passed.
type TargetCertCreator
type TargetCertCreator interface {
	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
	NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
	// SetAnnotations gives an option to override or set additional annotations
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}
type TargetCertRechecker
type TargetCertRechecker interface {
	RecheckChannel() <-chan struct{}
}
type TargetRotation
type TargetRotation struct {
	Namespace     string
	Name          string
	Validity      time.Duration
	Refresh       time.Duration
	CertCreator   TargetCertCreator
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}
TargetRotation rotates a key and cert signed by a CA. It creates a new one when <RefreshPercentage> of the lifetime of the old cert has passed, or if the common name of the CA changes.
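The rotation rule stated for CertRotationController and TargetRotation above (re-issue once the refresh window has passed, or once the signing CA's common name changes) as an added, stand-alone Go illustration; this is not the package's own NeedNewTargetCertKeyPair, and needNewTargetCert, its reason strings and the sample annotation values are assumptions constructed for the example. Only the annotation keys are taken from the page.

```go
package main

import (
	"fmt"
	"time"
)

// Annotation keys documented on this page.
const (
	notBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	notAfterAnnotation  = "auth.openshift.io/certificate-not-after"
	issuerAnnotation    = "auth.openshift.io/certificate-issuer"
)

// needNewTargetCert (hypothetical) returns "" when the target cert described by the annotations
// may be kept, otherwise the reason it must be re-issued. refresh counts from not-before, like
// TargetRotation.Refresh; signerCN is the current signing CA's common name; now is injected.
func needNewTargetCert(annotations map[string]string, signerCN string, refresh time.Duration, now time.Time) string {
	notBefore, err := time.Parse(time.RFC3339, annotations[notBeforeAnnotation])
	if err != nil {
		return "missing or malformed " + notBeforeAnnotation
	}
	notAfter, err := time.Parse(time.RFC3339, annotations[notAfterAnnotation])
	if err != nil {
		return "missing or malformed " + notAfterAnnotation
	}
	if !now.Before(notAfter) {
		return fmt.Sprintf("certificate expired at %s", notAfter.Format(time.RFC3339))
	}
	// Refresh early, well before expiry, so consumers always hold a cert with validity to spare.
	if refreshAt := notBefore.Add(refresh); !now.Before(refreshAt) {
		return fmt.Sprintf("refresh time %s has passed", refreshAt.Format(time.RFC3339))
	}
	// A new signing CA invalidates the chain the target was issued under, even if it is not yet due.
	if issuer := annotations[issuerAnnotation]; issuer != signerCN {
		return fmt.Sprintf("issuer changed from %q to %q", issuer, signerCN)
	}
	return ""
}

func main() {
	// Constructed sample annotations, in the shape SetAnnotations writes onto a target secret.
	ann := map[string]string{
		notBeforeAnnotation: "2024-01-01T00:00:00Z",
		notAfterAnnotation:  "2024-01-31T00:00:00Z",
		issuerAnnotation:    "example-signer@1704067200",
	}
	now := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC)
	fmt.Printf("keep: %q\n", needNewTargetCert(ann, "example-signer@1704067200", 20*24*time.Hour, now))
	fmt.Printf("rotate: %q\n", needNewTargetCert(ann, "example-signer@1704844800", 20*24*time.Hour, now))
}
```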