
Overview

    Package secretgenerator provides a supervisorSecretsController that can ensure existence of a generated secret.


    Constants

    // Secret type values assigned to the generated Secrets managed by this package.
    // Each value names which generated key a Secret of that type holds, so the type
    // alone tells a reader (and the controllers) what a Secret is for.
    const (
    	// SupervisorCSRFSigningKeySecretType is the Secret type for the Secret storing the CSRF signing key.
    	SupervisorCSRFSigningKeySecretType corev1.SecretType = "secrets.pinniped.dev/supervisor-csrf-signing-key"
    
    	// FederationDomainTokenSigningKeyType is the Secret type for the Secret storing the FederationDomain token signing key.
    	FederationDomainTokenSigningKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-token-signing-key"
    
    	// FederationDomainStateSigningKeyType is the Secret type for the Secret storing the FederationDomain state signing key.
    	FederationDomainStateSigningKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-signing-key"
    
    	// FederationDomainStateEncryptionKeyType is the Secret type for the Secret storing the FederationDomain state encryption key.
    	FederationDomainStateEncryptionKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-encryption-key"
    )

    Variables

    This section is empty.

    Functions

    func IsFederationDomainSecretOfType

    func IsFederationDomainSecretOfType(obj metav1.Object, secretType corev1.SecretType) bool

    func NewFederationDomainSecretsController

    func NewFederationDomainSecretsController(
    	secretHelper SecretHelper,
    	secretRefFunc func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference,
    	kubeClient kubernetes.Interface,
    	pinnipedClient pinnipedclientset.Interface,
    	secretInformer corev1informers.SecretInformer,
    	federationDomainInformer configinformers.FederationDomainInformer,
    	withInformer pinnipedcontroller.WithInformerOptionFunc,
    ) controllerlib.Controller

      NewFederationDomainSecretsController returns a controllerlib.Controller that ensures a child Secret always exists for a parent FederationDomain. It does this using the provided secretHelper, which provides the parent/child mapping logic.

      func NewSupervisorSecretsController

      func NewSupervisorSecretsController(
      	owner *appsv1.Deployment,
      	labels map[string]string,
      	kubeClient kubernetes.Interface,
      	secretInformer corev1informers.SecretInformer,
      	setCacheFunc func(secret []byte),
      	withInformer pinnipedcontroller.WithInformerOptionFunc,
      	initialEventFunc pinnipedcontroller.WithInitialEventOptionFunc,
      ) controllerlib.Controller

        NewSupervisorSecretsController instantiates a new controllerlib.Controller which ensures that a generated secret exists.

        Types

        type SecretHelper

        // SecretHelper describes an object that can Generate() a Secret for a parent
        // FederationDomain, decide whether an existing Secret IsValid() for that parent,
        // and observe the active Secret so the parent FederationDomain can be updated.
        // Its NamePrefix() distinguishes it from other SecretHelper instances.
        type SecretHelper interface {
        	// NamePrefix returns the prefix that identifies this helper among other SecretHelper instances.
        	NamePrefix() string
        	// Generate builds a new Secret for the given parent FederationDomain, or returns an error.
        	Generate(*configv1alpha1.FederationDomain) (*corev1.Secret, error)
        	// IsValid reports whether the given Secret is acceptable for the given parent FederationDomain.
        	IsValid(*configv1alpha1.FederationDomain, *corev1.Secret) bool
        	// ObserveActiveSecretAndUpdateParentFederationDomain is told about the active Secret for the
        	// parent and returns the FederationDomain to persist. NOTE(review): presumably the returned
        	// object carries a status field pointing at the Secret — confirm against the implementation.
        	ObserveActiveSecretAndUpdateParentFederationDomain(*configv1alpha1.FederationDomain, *corev1.Secret) *configv1alpha1.FederationDomain
        	// Handles reports whether the given object is one this helper is responsible for.
        	// NOTE(review): the matching criteria (name prefix, type, labels) are not visible here — confirm.
        	Handles(metav1.Object) bool
        }

          SecretHelper describes an object that can Generate() a Secret and determine whether a Secret IsValid(). It can also be told about the active Secret via ObserveActiveSecretAndUpdateParentFederationDomain(), which returns the updated parent FederationDomain.

          A SecretHelper has a NamePrefix() that can be used to identify it from other SecretHelper instances.

          func NewSymmetricSecretHelper

          func NewSymmetricSecretHelper(
          	namePrefix string,
          	labels map[string]string,
          	rand io.Reader,
          	secretUsage SecretUsage,
          	updateCacheFunc func(cacheKey string, cacheValue []byte),
          ) SecretHelper

            NewSymmetricSecretHelper returns a SecretHelper that has been parameterized with common symmetric secret generation knobs.

            type SecretUsage

            // SecretUsage describes how a cryptographic secret is going to be used. A SecretHelper
            // uses it to decide which status field to set on the parent FederationDomain for a Secret.
            type SecretUsage int

              SecretUsage describes how a cryptographic secret is going to be used. It is currently used to indicate to a SecretHelper which status field to set on the parent FederationDomain for a Secret.

              // The SecretUsage values. Each one corresponds to one of the generated-key Secret
              // types declared in this package; the iota ordering is not otherwise significant
              // as far as this file shows.
              const (
              	// SecretUsageTokenSigningKey marks a secret used as the FederationDomain token signing key.
              	SecretUsageTokenSigningKey SecretUsage = iota
              	// SecretUsageStateSigningKey marks a secret used as the FederationDomain state signing key.
              	SecretUsageStateSigningKey
              	// SecretUsageStateEncryptionKey marks a secret used as the FederationDomain state encryption key.
              	SecretUsageStateEncryptionKey
              )