package manager

v0.7.0
Published: Feb 13, 2024 License: Apache-2.0 Imports: 30 Imported by: 2

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func AlwaysReadyToRequest added in v0.2.0

func AlwaysReadyToRequest(_ metadata.Metadata) (bool, string)

Types

type CertificateRequestBundle

type CertificateRequestBundle struct {
	// The x509 certificate request.
	// This is expected to be unsigned, as the SignRequestFunc will sign it
	// at a later stage.
	Request *x509.CertificateRequest

	// List of certificate usages to be added to the request.
	Usages []cmapi.KeyUsage

	// Whether the requested certificate should have the `isCA` bit set.
	IsCA bool

	// Namespace that the CertificateRequest should be created in.
	Namespace string

	// The IssuerRef to be added to the CertificateRequest.
	IssuerRef cmmeta.ObjectReference

	// Request duration/validity period of the certificate
	Duration time.Duration

	// Additional annotations to add to the CertificateRequest object when
	// created.
	Annotations map[string]string
}

A CertificateRequestBundle contains information to be persisted onto the CertificateRequest resource created for a given CSR. This includes the CSR itself, as well as the requested `usages`, `isCA` bit, `issuerRef` and any additional annotations.

type ClientForMetadataFunc

type ClientForMetadataFunc func(meta metadata.Metadata) (cmclient.Interface, error)

ClientForMetadataFunc will return a cert-manager API client used for creating objects. This is called with the metadata associated with the volume being published. Useful for modifying clients to make use of CSI token requests.

type GeneratePrivateKeyFunc

type GeneratePrivateKeyFunc func(meta metadata.Metadata) (crypto.PrivateKey, error)

GeneratePrivateKeyFunc returns a private key to be used for issuance of the given request. Depending on the implementation, this may be a newly generated private key, one that has been read from disk, or even simply a pointer to an external signing device such as a HSM.

type GenerateRequestFunc

type GenerateRequestFunc func(meta metadata.Metadata) (*CertificateRequestBundle, error)

GenerateRequestFunc generates a new x509.CertificateRequest for the given metadata.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

A Manager will manage key pairs in a storage backend. It is responsible for:

* Generating private key data
* Generating certificate requests (CSRs)
* Submitting certificate requests
* Waiting for requests to be completed
* Persisting the keys back to the storage backend

It also will trigger renewals of certificates when required.

func NewManager

func NewManager(opts Options) (*Manager, error)

NewManager constructs a new manager used to manage volumes containing certificate data. It will enumerate all volumes already persisted in the metadata store and resume managing them if any already exist.

func NewManagerOrDie

func NewManagerOrDie(opts Options) *Manager

func (*Manager) IsVolumeReady

func (m *Manager) IsVolumeReady(volumeID string) bool

func (*Manager) IsVolumeReadyToRequest added in v0.2.0

func (m *Manager) IsVolumeReadyToRequest(volumeID string) (bool, string)

func (*Manager) ManageVolume

func (m *Manager) ManageVolume(volumeID string) (managed bool)

ManageVolume will initiate management of data for the given volumeID. It will not wait for an initial certificate to be issued and instead rely on the renewal handling loop to issue the initial certificate. Callers can use `IsVolumeReady` to determine whether a certificate has been successfully issued. Upon failure, it is the caller's responsibility to call `UnmanageVolume`.

func (*Manager) ManageVolumeImmediate added in v0.4.0

func (m *Manager) ManageVolumeImmediate(ctx context.Context, volumeID string) (managed bool, err error)

ManageVolumeImmediate will register a volume for management and immediately attempt a single issuance. If issuing the initial certificate succeeds, the background renewal routine will be started similar to Manage(). Upon failure, it is the caller's responsibility to explicitly call `UnmanageVolume`.

func (*Manager) Stop

func (m *Manager) Stop()

Stop will stop management of all managed volumes.

func (*Manager) UnmanageVolume

func (m *Manager) UnmanageVolume(volumeID string)

type Options

type Options struct {
	// Client is used to interact with the cert-manager API to list and delete
	// requests.
	Client cmclient.Interface

	// ClientForMetadataFunc is used for returning a client that is used for
	// creating cert-manager API objects given a volume's metadata. If nil,
	// Client will always be used.
	ClientForMetadata ClientForMetadataFunc

	// Used to read metadata from the storage backend.
	MetadataReader storage.MetadataReader

	// Clock used to determine when an issuance is due.
	// If not set, the RealClock implementation will be used.
	Clock clock.Clock

	// Logger used to write log messages
	Log *logr.Logger

	// Maximum number of CertificateRequests that should exist for each
	// volume mounted into a pod.
	// If not set, this will be defaulted to 1.
	// When the number of CertificateRequests for a volume exceeds this limit,
	// requests will be deleted before any new ones are created.
	MaxRequestsPerVolume int

	// NodeID is a unique identifier for the node.
	NodeID string

	GeneratePrivateKey GeneratePrivateKeyFunc
	GenerateRequest    GenerateRequestFunc
	SignRequest        SignRequestFunc
	WriteKeypair       WriteKeypairFunc
	ReadyToRequest     ReadyToRequestFunc

	// RenewalBackoffConfig configures the exponential backoff applied to certificate renewal failures.
	RenewalBackoffConfig *wait.Backoff
}

Options used to construct a Manager.

type ReadyToRequestFunc added in v0.2.0

type ReadyToRequestFunc func(meta metadata.Metadata) (bool, string)

ReadyToRequestFunc can be optionally implemented by drivers to indicate whether the driver is ready to request a certificate for the given volume/metadata. This can be used to 'defer' fetching until later pod initialization events have happened (e.g. CNI has allocated an IP if you want to embed a pod IP into the certificate request resources).

type SignRequestFunc

type SignRequestFunc func(meta metadata.Metadata, key crypto.PrivateKey, request *x509.CertificateRequest) (pem []byte, err error)

SignRequestFunc returns the signed CSR bytes (in PEM format) for the given x509.CertificateRequest. The private key passed to this function is one that is returned by the GeneratePrivateKeyFunc and should be treated as implementation specific. For example, it may be a reference to a location where a private key is stored rather than containing actual private key data.

type WriteKeypairFunc

type WriteKeypairFunc func(meta metadata.Metadata, key crypto.PrivateKey, chain []byte, ca []byte) error

WriteKeypairFunc encodes & persists the output from a completed CertificateRequest into whatever storage backend is provided. The 'key' argument is as returned by the GeneratePrivateKeyFunc. The 'chain' and 'ca' arguments are PEM encoded and sourced directly from the CertificateRequest, without any attempt to parse or decode the bytes.
