Documentation ¶
Index ¶
- type Cache
- type CertMonitor
- type Config
- func (cfg *Config) WithCache(cache Cache) *Config
- func (cfg *Config) WithDNSSANs(sans []string) *Config
- func (cfg *Config) WithDatacenter(dc string) *Config
- func (cfg *Config) WithFallback(fallback FallbackFunc) *Config
- func (cfg *Config) WithFallbackLeeway(leeway time.Duration) *Config
- func (cfg *Config) WithFallbackRetry(after time.Duration) *Config
- func (cfg *Config) WithIPSANs(sans []net.IP) *Config
- func (cfg *Config) WithLogger(logger hclog.Logger) *Config
- func (cfg *Config) WithNodeName(name string) *Config
- func (cfg *Config) WithPersistence(persist PersistFunc) *Config
- func (cfg *Config) WithTLSConfigurator(tlsConfigurator *tlsutil.Configurator) *Config
- func (cfg *Config) WithTokens(tokens *token.Store) *Config
- type FallbackFunc
- type PersistFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Cache ¶
type Cache interface {
	Notify(ctx context.Context, t string, r cache.Request, correlationID string, ch chan<- cache.UpdateEvent) error
	Prepopulate(t string, result cache.FetchResult, dc string, token string, key string) error
}
Cache is an interface to represent the methods of the agent/cache.Cache struct that we care about
type CertMonitor ¶
type CertMonitor struct {
// contains filtered or unexported fields
}
CertMonitor sets up the cache watches needed to keep the Agent's Connect TLS certificate up to date.
func New ¶
func New(config *Config) (*CertMonitor, error)
New creates a new CertMonitor for automatically rotating an Agent's Connect Certificate
func (*CertMonitor) IsRunning ¶
func (m *CertMonitor) IsRunning() bool
IsRunning returns whether the goroutine that performs certificate monitoring is already running.
func (*CertMonitor) Start ¶
func (m *CertMonitor) Start(ctx context.Context) (<-chan struct{}, error)
Start spawns the goroutine that monitors the certificate and ensures it is rotated/renewed as necessary. The returned channel signals once that goroutine has exited.
func (*CertMonitor) Stop ¶
func (m *CertMonitor) Stop() bool
Stop manually stops the goroutine spawned by Start and returns whether it was still running before cancellation.
Note that cancelling the context passed into Start will also cause the goroutine to stop.
func (*CertMonitor) Update ¶
func (m *CertMonitor) Update(certs *structs.SignedResponse) error
Update is responsible for priming the cache with the certificates as well as injecting them into the TLS configurator
type Config ¶
type Config struct {
	// Logger is the logger to be used while running. If not set
	// then no logging will be performed.
	Logger hclog.Logger

	// TLSConfigurator is where the certificates and roots are set when
	// they are updated. This field is required.
	TLSConfigurator *tlsutil.Configurator

	// Cache is an object implementing our Cache interface. The Cache
	// used at runtime must be able to handle Roots and Leaf Cert watches.
	Cache Cache

	// Tokens is the shared token store. It is used to retrieve the current
	// agent token as well as getting notifications when that token is updated.
	// This field is required.
	Tokens *token.Store

	// Persist is a function to run when there are new certs or keys.
	Persist PersistFunc

	// Fallback is a function to run when the normal cache updating of the
	// agent's certificates has failed to work for one reason or another.
	// This field is required.
	Fallback FallbackFunc

	// FallbackLeeway is the amount of time after certificate expiration before
	// invoking the fallback routine. If not set this will default to 10s.
	FallbackLeeway time.Duration

	// FallbackRetry is the duration between Fallback invocations when the configured
	// fallback routine returns an error. If not set this will default to 1m.
	FallbackRetry time.Duration

	// DNSSANs is a list of DNS SANs that certificate requests should include. This
	// field is optional and no extra DNS SANs will be requested if unset. 'localhost'
	// is unconditionally requested by the cache implementation.
	DNSSANs []string

	// IPSANs is a list of IP SANs to include in the certificate signing request. This
	// field is optional and no extra IP SANs will be requested if unset. Both '127.0.0.1'
	// and '::1' IP SANs are unconditionally requested by the cache implementation.
	IPSANs []net.IP

	// Datacenter is the datacenter to request certificates within. This field is required.
	Datacenter string

	// NodeName is the agent's node name to use when requesting certificates. This field
	// is required.
	NodeName string
}
func (*Config) WithCache ¶
func (cfg *Config) WithCache(cache Cache) *Config
WithCache configures the created CertMonitor to use the provided Cache.
func (*Config) WithDNSSANs ¶
func (cfg *Config) WithDNSSANs(sans []string) *Config
WithDNSSANs configures the CertMonitor to request these DNS SANs when requesting a new certificate.
func (*Config) WithDatacenter ¶
func (cfg *Config) WithDatacenter(dc string) *Config
WithDatacenter configures the CertMonitor to request certificates in this datacenter.
func (*Config) WithFallback ¶
func (cfg *Config) WithFallback(fallback FallbackFunc) *Config
WithFallback configures a fallback function to use if the normal update mechanisms fail to renew the certificate in time.
func (*Config) WithFallbackLeeway ¶
func (cfg *Config) WithFallbackLeeway(leeway time.Duration) *Config
WithFallbackLeeway configures how long after a certificate expires the fallback mechanism is used to generate a new certificate. The default is 10s.
func (*Config) WithFallbackRetry ¶
func (cfg *Config) WithFallbackRetry(after time.Duration) *Config
WithFallbackRetry controls how soon the fallback func is invoked again after an invocation returns an error. The default is 1m.
func (*Config) WithIPSANs ¶
func (cfg *Config) WithIPSANs(sans []net.IP) *Config
WithIPSANs configures the CertMonitor to request these IP SANs when requesting a new certificate.
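The DNSSANs and IPSANs fields of Config, together with the 'localhost', '127.0.0.1' and '::1' SANs the cache requests unconditionally, fully determine the SAN set a returned leaf should carry. The following is an added example and not code from this package or from Consul: it self-signs a stand-in leaf with crypto/x509 (taking the place of the Connect CA signing RPC) and checks the parsed certificate's SANs against what a Config would have requested, flagging both missing and unrequested names. The sanConfig type, the issueTestLeaf, expectedSANs, setDiff and checkLeafSANs helpers, and the hostnames and addresses are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// sanConfig stands in for the DNSSANs/IPSANs fields of certmon.Config
// (constructed for this example; not the real Config type).
type sanConfig struct {
	DNSSANs []string
	IPSANs  []net.IP
}

// expectedSANs returns the SAN set a leaf issued for cfg should carry, keyed
// "dns:<name>" or "ip:<addr>": the configured extras plus the names the
// package doc says the cache requests unconditionally.
func expectedSANs(cfg sanConfig) map[string]bool {
	want := map[string]bool{"dns:localhost": true, "ip:127.0.0.1": true, "ip:::1": true}
	for _, d := range cfg.DNSSANs {
		want["dns:"+d] = true
	}
	for _, ip := range cfg.IPSANs {
		want["ip:"+ip.String()] = true
	}
	return want
}

// setDiff returns, sorted, the keys of a that are absent from b.
func setDiff(a, b map[string]bool) []string {
	var out []string
	for k := range a {
		if !b[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// checkLeafSANs parses a DER-encoded leaf and reports the SANs that were
// requested but are absent, and those present that were never requested.
func checkLeafSANs(der []byte, cfg sanConfig) (missing, unexpected []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	have := map[string]bool{}
	for _, d := range cert.DNSNames {
		have["dns:"+d] = true
	}
	for _, ip := range cert.IPAddresses {
		have["ip:"+ip.String()] = true
	}
	want := expectedSANs(cfg)
	return setDiff(want, have), setDiff(have, want), nil
}

// issueTestLeaf self-signs a leaf carrying exactly the given SANs. It takes the
// place of the Connect CA signing RPC so the example runs offline.
func issueTestLeaf(dns []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-agent"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(72 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed configuration: one extra DNS SAN and one extra IP SAN.
	cfg := sanConfig{DNSSANs: []string{"agent.dc1.consul"}, IPSANs: []net.IP{net.ParseIP("10.0.0.5")}}
	// A correctly issued leaf: the configured SANs plus the unconditional ones.
	good, _ := issueTestLeaf([]string{"localhost", "agent.dc1.consul"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1"), net.ParseIP("10.0.0.5")})
	m, u, _ := checkLeafSANs(good, cfg)
	fmt.Println("good leaf: missing", m, "unexpected", u)
	// A mis-issued leaf: drops the configured SANs and carries an unrequested host.
	bad, _ := issueTestLeaf([]string{"localhost", "evil.example"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")})
	m, u, _ = checkLeafSANs(bad, cfg)
	fmt.Println("bad leaf: missing", m, "unexpected", u)
}
```

A check of this shape fits naturally in a PersistFunc or around Update, before a new leaf is written to disk or handed to the TLS configurator: a leaf missing a configured SAN will not be accepted by clients that connect under that name, and one carrying names the agent never requested indicates a mis-issued certificate that should be rejected rather than installed.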
func (*Config) WithLogger ¶
func (cfg *Config) WithLogger(logger hclog.Logger) *Config
WithLogger configures the created CertMonitor to use the provided logger.
func (*Config) WithNodeName ¶
func (cfg *Config) WithNodeName(name string) *Config
WithNodeName configures the CertMonitor to request certificates with this agent node name.
func (*Config) WithPersistence ¶
func (cfg *Config) WithPersistence(persist PersistFunc) *Config
WithPersistence will configure the CertMonitor to use this callback for persisting a new TLS configuration.
func (*Config) WithTLSConfigurator ¶
func (cfg *Config) WithTLSConfigurator(tlsConfigurator *tlsutil.Configurator) *Config
WithTLSConfigurator will cause the created CertMonitor type to use the provided configurator
type FallbackFunc ¶
type FallbackFunc func(context.Context) (*structs.SignedResponse, error)
FallbackFunc is used when the normal cache-watch-based certificate updating fails to renew the certificate in time and a different method of obtaining a certificate is required.
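FallbackFunc, together with Config's FallbackLeeway and FallbackRetry fields, defines the failure path: the leeway fixes how long after a leaf's NotAfter the fallback first runs (10s if unset), and the retry interval spaces out further attempts while the fallback keeps returning errors (1m if unset). The following is an added example and not code from this package or from Consul: it models that schedule in plain Go, with a string standing in for *structs.SignedResponse, and the fallbackAt, runFallback and flakyFallback helpers and the expiry time used are the example's own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// FallbackFunc mirrors certmon.FallbackFunc, with a string standing in for
// *structs.SignedResponse so the example has no Consul dependency.
type FallbackFunc func(context.Context) (string, error)

// Defaults as documented on certmon.Config for unset FallbackLeeway/FallbackRetry.
const (
	defaultFallbackLeeway = 10 * time.Second
	defaultFallbackRetry  = time.Minute
)

// fallbackAt returns when the fallback should first run for a leaf whose
// NotAfter is notAfter: the configured leeway after expiry, 10s if unset.
func fallbackAt(notAfter time.Time, leeway time.Duration) time.Time {
	if leeway <= 0 {
		leeway = defaultFallbackLeeway
	}
	return notAfter.Add(leeway)
}

// runFallback invokes fn and, while it keeps returning errors, waits retry
// (1m if unset) between attempts until it succeeds or ctx is cancelled.
// The attempt count is returned so callers can see how many tries were needed.
func runFallback(ctx context.Context, fn FallbackFunc, retry time.Duration) (string, int, error) {
	if retry <= 0 {
		retry = defaultFallbackRetry
	}
	attempts := 0
	for {
		attempts++
		resp, err := fn(ctx)
		if err == nil {
			return resp, attempts, nil
		}
		select {
		case <-ctx.Done():
			return "", attempts, fmt.Errorf("fallback gave up after %d attempts: %w (last error: %v)", attempts, ctx.Err(), err)
		case <-time.After(retry):
		}
	}
}

// flakyFallback is a constructed stand-in for a real fallback: it fails the
// first `failures` calls (as if the CA were unreachable) and then succeeds.
func flakyFallback(failures int) FallbackFunc {
	calls := 0
	return func(ctx context.Context) (string, error) {
		calls++
		if calls <= failures {
			return "", errors.New("CA unreachable")
		}
		return "signed-leaf", nil
	}
}

func main() {
	notAfter := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed expiry
	fmt.Println("fallback first runs at", fallbackAt(notAfter, 0).Format(time.RFC3339))

	// Two failures then success, with a short retry so the demo finishes quickly.
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	resp, n, err := runFallback(ctx, flakyFallback(2), 10*time.Millisecond)
	fmt.Println("result:", resp, "attempts:", n, "err:", err)

	// A fallback that never succeeds is ended by context cancellation.
	ctx2, cancel2 := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel2()
	_, n, err = runFallback(ctx2, flakyFallback(1000), 10*time.Millisecond)
	fmt.Println("attempts before giving up:", n, "err:", err)
}
```

Because the leeway is measured from expiration rather than from the normal renewal point, the agent is operating with an expired leaf for the whole leeway window, so it should stay short; the retry interval then bounds how long a transient CA outage keeps the agent without a valid certificate once the fallback path has been entered. As in the model, cancelling the context passed to Start (or calling Stop) is what ends the loop.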
type PersistFunc ¶
type PersistFunc func(*structs.SignedResponse) error
PersistFunc is used to persist the data from a signed response