signer

package
v0.7.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 27, 2024 License: Apache-2.0 Imports: 12 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CertificateRequestObject

type CertificateRequestObject interface {
	metav1.Object

	GetRequest() (template *x509.Certificate, duration time.Duration, csr []byte, err error)

	GetConditions() []cmapi.CertificateRequestCondition
}

CertificateRequestObject is an interface that represents either a cert-manager CertificateRequest or a Kubernetes CertificateSigningRequest resource. This interface hides the spec fields of the underlying resource and exposes a Certificate template and the raw CSR bytes instead. This allows the signer to be agnostic of the underlying resource type and also agnostic of the way the spec fields should be interpreted, such as the defaulting logic that is applied to it. It is still possible to access the labels and annotations of the underlying resource or any other metadata fields that might be useful to the signer. Also, the signer can use the GetConditions method to retrieve the conditions of the underlying resource. To update the conditions, the special error "SetCertificateRequestConditionError" can be returned from the Sign method.

func CertificateRequestObjectFromCertificateRequest

func CertificateRequestObjectFromCertificateRequest(cr *cmapi.CertificateRequest) CertificateRequestObject

type Check

type Check func(ctx context.Context, issuerObject v1alpha1.Issuer) error

type IgnoreCertificateRequest added in v0.3.0

type IgnoreCertificateRequest func(
	ctx context.Context,
	cr CertificateRequestObject,
	issuerGvk schema.GroupVersionKind,
	issuerName types.NamespacedName,
) (bool, error)

IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest and Kubernetes CSR controllers from reconciling a CertificateRequest resource. By default, the controllers will reconcile all CertificateRequest resources that match the issuerRef type. This function will be called by the CertificateRequest reconcile loop and the Kubernetes CSR reconcile loop for each type that matches the issuerRef type. If the function returns true, the controller will not reconcile the CertificateRequest resource.

type IgnoreIssuer added in v0.3.0

type IgnoreIssuer func(
	ctx context.Context,
	issuerObject v1alpha1.Issuer,
) (bool, error)

IgnoreIssuer is an optional function that can prevent the issuer controllers from reconciling an issuer resource. By default, the controllers will reconcile all issuer resources that match the owned types. This function will be called by the issuer reconcile loops for each type that matches the owned types. If the function returns true, the controller will not reconcile the issuer resource.

type IssuerError

type IssuerError struct {
	Err error
}

IssuerError is returned by the CertificateRequest controller to indicate that there was an error in the issuer part of the reconcile process, and that the issuer's reconcile function should be retriggered.

This error is useful to indicate that the Sign function got an error for an action that should have been checked by the Check function, and that has appeared after the Check function has been called.

> This error should be returned only by the Sign function.

func (IssuerError) Error

func (ve IssuerError) Error() string

func (IssuerError) Unwrap

func (ve IssuerError) Unwrap() error

type PEMBundle added in v0.2.0

type PEMBundle pki.PEMBundle

PEMBundle includes the PEM encoded X.509 certificate chain and CA. The first certificate in the ChainPEM chain is the leaf certificate, and the last certificate in the chain is the highest level non-self-signed certificate. The CAPEM certificate is our best guess at the CA that issued the leaf. IMPORTANT: the CAPEM certificate is only used when the SetCAOnCertificateRequest option is enabled in the controller. This option is for backwards compatibility only. The use of the CA field and the ca.crt field in the resulting Secret is discouraged; instead, the CA should be provisioned separately (e.g. using trust-manager).

type PendingError

type PendingError struct {
	Err error
}

PendingError should be returned if we are certain that we will converge to a successful result or another type of error in a finite amount of time by just retrying the same operation.

It can be used to circumvent the MaxRetryDuration check, which is useful for example when the signer is waiting for an async answer from an external service that is indicating that the request is still being processed.

> This error should be returned only by the Sign function.

func (PendingError) Error

func (ve PendingError) Error() string

func (PendingError) Unwrap

func (ve PendingError) Unwrap() error

type PermanentError

type PermanentError struct {
	Err error
}

PermanentError is returned if it is impossible for the resource to get into a Ready state without being changed. It should not be used if there is any way to fix the error by altering the environment or other resources. The client should not try again after receiving this error.

For the Check function, this error is useful when we detected an invalid configuration or setting in the Issuer or ClusterIssuer resource. This should only happen very rarely, because of webhook validation.

For the Sign function, this error is useful when we detected an error that will only get resolved by creating a new CertificateRequest, for example when it is required to craft a new CSR.

> This error should be returned by the Sign or Check function.

func (PermanentError) Error

func (ve PermanentError) Error() string

func (PermanentError) Unwrap

func (ve PermanentError) Unwrap() error

type SetCertificateRequestConditionError

type SetCertificateRequestConditionError struct {
	Err           error
	ConditionType cmapi.CertificateRequestConditionType
	Status        cmmeta.ConditionStatus
	Reason        string
}

The SetCertificateRequestConditionError error is meant to be returned by the Sign function. When Sign returns this error, the caller (i.e., the certificate request controller) is expected to update the CertificateRequest with the condition contained in the error.

The error wrapped by this error can still be a signer.PermanentError or signer.PendingError and will be handled accordingly.

> This error should be returned only by the Sign function.

func (SetCertificateRequestConditionError) Error

func (SetCertificateRequestConditionError) Unwrap

type Sign

type Sign func(ctx context.Context, cr CertificateRequestObject, issuerObject v1alpha1.Issuer) (PEMBundle, error)
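The error contract described above (PendingError, PermanentError, and SetCertificateRequestConditionError wrapping either of them) as an added example; this is not issuer-lib code. The three error types are local stand-ins with the same shape as on this page, and Outcome, Classify and the "InvalidRequest" condition values are assumptions made for the illustration:

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the error types on this page (a wrapped Err plus Error and
// Unwrap); illustrative only, not the issuer-lib code itself.
type PendingError struct{ Err error }
type PermanentError struct{ Err error }
type SetCertificateRequestConditionError struct {
	Err                           error
	ConditionType, Status, Reason string // typed enums in the real struct
}

func (e PendingError) Error() string                        { return "pending: " + e.Err.Error() }
func (e PendingError) Unwrap() error                        { return e.Err }
func (e PermanentError) Error() string                      { return "permanent: " + e.Err.Error() }
func (e PermanentError) Unwrap() error                      { return e.Err }
func (e SetCertificateRequestConditionError) Error() string { return e.Err.Error() }
func (e SetCertificateRequestConditionError) Unwrap() error { return e.Err }

// Outcome is the controller's decision for a Sign error; the zero value means "retry normally, subject to MaxRetryDuration".
type Outcome struct {
	Fail           bool   // PermanentError: not retried, needs a new CertificateRequest
	IgnoreMaxRetry bool   // PendingError: keep retrying past MaxRetryDuration
	Condition      string // condition type the controller must record, if any
}

// Classify records the condition first, then errors.As looks through the wrapper for Permanent/Pending.
func Classify(err error) (out Outcome) {
	var cond SetCertificateRequestConditionError
	if errors.As(err, &cond) {
		out.Condition = cond.ConditionType
	}
	var perm, pend = PermanentError{}, PendingError{}
	switch {
	case errors.As(err, &perm):
		out.Fail = true
	case errors.As(err, &pend):
		out.IgnoreMaxRetry = true
	}
	return out
}

func main() {
	err := SetCertificateRequestConditionError{Err: PermanentError{Err: errors.New("bad CSR")}, ConditionType: "InvalidRequest", Status: "True", Reason: "BadCSR"}
	fmt.Printf("%+v\n", Classify(err)) // {Fail:true IgnoreMaxRetry:false Condition:InvalidRequest}
}
```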
