Documentation
Overview
Package certs contains APIs to manage certificates for a controller manager's webhooks.
Constants
const (
	// CACertName is the name of the CA certificate.
	CACertName = "ca.crt"
	// ServerCertName is the name of the serving certificate.
	ServerCertName = "tls.crt"
	// ServerKeyName is the name of the server private key.
	ServerKeyName = "tls.key"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type CertificateManager
type CertificateManager struct {
// contains filtered or unexported fields
}
CertificateManager creates and rotates certificates required by a controller manager's webhook server.
func New
func New(options *Options) (*CertificateManager, error)
New returns a new instance of a CertificateManager.
func (*CertificateManager) Start
func (cm *CertificateManager) Start(ctx context.Context) error
Start starts certificate management for a controller manager's webhooks. This method calls os.Exit when an error is encountered.
func (*CertificateManager) WaitForCertDirReady
func (cm *CertificateManager) WaitForCertDirReady() error
WaitForCertDirReady blocks until certs are written to the cert directory or until a timeout occurs.
type Options
type Options struct {
	// Client is used by the certificate manager to read and write secrets and webhook configurations.
	Client client.Client
	// Logger is used to emit log events.
	Logger logr.Logger
	// CertDir is the path on the local filesystem where the certificates should be created once the secret is
	// mounted to the controller manager pod. This value is only required if the WaitForCertDirReady() method is used.
	CertDir string
	// WebhookConfigLabel is the label used to select the mutating and validating webhook configurations to
	// which the certificate authority data is written.
	WebhookConfigLabel string
	// SecretName is the name of the secret that contains the webhook server's certificate data.
	SecretName string
	// SecretNamespace is the namespace of the secret that contains the webhook server's certificate data.
	SecretNamespace string
	// ServiceName is the name of the webhook service.
	ServiceName string
	// ServiceNamespace is the namespace of the webhook service.
	ServiceNamespace string
	// RotationIntervalAnnotationKey specifies the annotation on the webhook server secret whose value is parseable by
	// time.ParseDuration and controls how often the certificates are rotated. If this annotation is not present on the
	// webhook secret specified by SecretName and SecretNamespace, the rotation interval defaults to 24 hours.
	//
	// The generated certificates have their NotAfter property set to a value 30 minutes greater than the rotation
	// interval. This ensures a buffer between the generation of new certificates and the expiration of old ones in
	// case of unexpected failures.
	RotationIntervalAnnotationKey string
	// NextRotationAnnotationKey specifies the annotation on the webhook server secret whose value is the UNIX epoch
	// timestamp at which the next rotation will occur. This annotation is managed by the certificate manager.
	NextRotationAnnotationKey string
	// RotationCountAnnotationKey specifies an annotation on the webhook server secret. The annotation's value is the
	// number of times the certificates have been rotated. This is primarily used for testing and the count may not
	// always be accurate.
	RotationCountAnnotationKey string
}
Options defines the configuration used to create a new CertificateManager.
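The rotation schedule described by the Options fields above, worked through as an added example (not code from this package): the interval annotation is parsed with time.ParseDuration and defaults to 24h, the new certificates' NotAfter is the interval plus a 30 minute buffer, and the manager-owned next-rotation annotation is a UNIX epoch. The annotation key strings are assumptions standing in for whatever a deployment sets in RotationIntervalAnnotationKey and NextRotationAnnotationKey.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// Annotation keys are assumptions; real deployments set them via Options fields.
const (
	rotationIntervalAnnotation = "example.io/rotation-interval"
	nextRotationAnnotation     = "example.io/next-rotation"
	defaultRotationInterval    = 24 * time.Hour
	expiryBuffer               = 30 * time.Minute
)

// rotationInterval reads the interval annotation (time.ParseDuration syntax),
// defaulting to 24h when absent; malformed or non-positive values are errors.
func rotationInterval(annotations map[string]string) (time.Duration, error) {
	raw, ok := annotations[rotationIntervalAnnotation]
	if !ok {
		return defaultRotationInterval, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil || d <= 0 {
		return 0, fmt.Errorf("invalid %s=%q: %v", rotationIntervalAnnotation, raw, err)
	}
	return d, nil
}

// schedule returns the next rotation time and the NotAfter for the new certs:
// interval plus a 30 minute buffer so old certs stay valid if rotation runs late.
func schedule(now time.Time, interval time.Duration) (nextRotation, notAfter time.Time) {
	return now.Add(interval), now.Add(interval + expiryBuffer)
}

// rotationDue compares now with the manager-owned next-rotation annotation
// (UNIX epoch seconds); a missing or unparseable value forces rotation.
func rotationDue(annotations map[string]string, now time.Time) bool {
	epoch, err := strconv.ParseInt(annotations[nextRotationAnnotation], 10, 64)
	if err != nil {
		return true
	}
	return !now.Before(time.Unix(epoch, 0))
}

func main() {
	interval, _ := rotationInterval(map[string]string{rotationIntervalAnnotation: "12h"})
	fmt.Println(schedule(time.Now(), interval)) // prints next rotation and NotAfter
}
```

Rejecting a malformed interval instead of silently falling back keeps an operator typo from quietly shortening or lengthening the certificate lifetime.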