rotator

package
v0.10.1 Latest Latest
Published: Dec 20, 2023 License: Apache-2.0 Imports: 30 Imported by: 27

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddRotator

func AddRotator(mgr manager.Manager, cr *CertRotator) error

AddRotator adds the CertRotator and ReconcileWH to the manager.

func ValidCert

func ValidCert(caCert, cert, key []byte, dnsName string, keyUsages *[]x509.ExtKeyUsage, at time.Time) (bool, error)

Types

type CertRotator

// CertRotator contains cert artifacts and a channel to close when the certs
// are ready. It is registered with a manager via AddRotator and driven by
// Start, which rotates the certs and signals readiness on IsReady.
type CertRotator struct {
	// SecretKey is the namespace/name of the Secret backing the certificates.
	// NOTE(review): presumably where the generated CA and server key pair are
	// persisted (see RestartOnSecretRefresh) — confirm against Start.
	SecretKey      types.NamespacedName
	// CertDir is the directory the server certificate and key files live in;
	// CertName and KeyName below select the file names within it.
	CertDir        string
	// CAName and CAOrganization are presumably used for the subject of the
	// self-signed CA produced by CreateCACert — confirm.
	CAName         string
	CAOrganization string
	// DNSName is the DNS name the server certificate is issued for (compare
	// ValidCert's dnsName parameter); ExtraDNSNames are additional names to
	// include. Assumed to map to SANs — confirm against CreateCertPEM.
	DNSName        string
	ExtraDNSNames  []string
	// IsReady is closed once the certs are ready; consumers presumably wait on
	// it before serving TLS with the generated material.
	IsReady        chan struct{}
	// Webhooks lists the resources (see WebhookInfo) whose CA bundle the
	// rotator keeps up to date.
	Webhooks       []WebhookInfo
	// FieldOwner is the optional fieldmanager of the webhook updated fields.
	FieldOwner             string
	// RestartOnSecretRefresh, when true, presumably makes the process exit after
	// the Secret is refreshed so a restart picks up the new material — confirm
	// against Start before relying on it.
	RestartOnSecretRefresh bool
	// ExtKeyUsages optionally sets the extended key usages placed on the server
	// cert. Same pointer-to-slice shape as ValidCert's keyUsages parameter; nil
	// presumably selects the package default — confirm.
	ExtKeyUsages           *[]x509.ExtKeyUsage
	// RequireLeaderElection should be set to true if the CertRotator needs to
	// be run in the leader election mode. Reported by NeedLeaderElection.
	RequireLeaderElection bool
	// CaCertDuration sets how long a CA cert will be valid for.
	CaCertDuration time.Duration
	// ServerCertDuration sets how long a server cert will be valid for.
	ServerCertDuration time.Duration
	// RotationCheckFrequency sets how often the rotation check is executed.
	RotationCheckFrequency time.Duration
	// LookaheadInterval sets how long before expiry the certificate is renewed.
	// NOTE(review): presumably must be shorter than ServerCertDuration (and
	// CaCertDuration), otherwise every check would trigger a renewal — confirm
	// how Start applies it.
	LookaheadInterval time.Duration
	// CertName and KeyName override the certificate and key file names under
	// CertDir; the defaults are not shown here.
	CertName string
	KeyName  string
	// contains filtered or unexported fields
}

CertRotator contains cert artifacts and a channel to close when the certs are ready.

func (*CertRotator) CreateCACert

func (cr *CertRotator) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, error)

CreateCACert creates the self-signed CA cert and private key that will be used to sign the server certificate.

func (*CertRotator) CreateCertPEM

func (cr *CertRotator) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error)

CreateCertPEM takes the results of CreateCACert and uses them to create the PEM-encoded public certificate and private key, returned in that order.

func (*CertRotator) NeedLeaderElection added in v0.5.0

func (cr *CertRotator) NeedLeaderElection() bool

func (*CertRotator) Start

func (cr *CertRotator) Start(ctx context.Context) error

Start starts the CertRotator runnable to rotate certs and ensure the certs are ready.

type KeyPairArtifacts

// KeyPairArtifacts stores cert artifacts: a certificate and its private key,
// in both parsed and PEM-encoded form. Produced by CreateCACert and consumed
// by CreateCertPEM.
type KeyPairArtifacts struct {
	// Cert is the parsed X.509 certificate.
	Cert    *x509.Certificate
	// Key is the RSA private key for Cert. Private key material: never log it
	// or include it in error messages.
	Key     *rsa.PrivateKey
	// CertPEM is presumably the PEM encoding of Cert — confirm against CreateCACert.
	CertPEM []byte
	// KeyPEM is presumably the PEM encoding of Key; treat it as sensitively as Key.
	KeyPEM  []byte
}

KeyPairArtifacts stores cert artifacts.

type ReconcileWH

// ReconcileWH reconciles a validatingwebhookconfiguration, making sure it has
// the appropriate CA cert. It is added to the manager together with the
// CertRotator by AddRotator; see Reconcile.
type ReconcileWH struct {
	// contains filtered or unexported fields
}

ReconcileWH reconciles a validatingwebhookconfiguration, making sure it has the appropriate CA cert.

func (*ReconcileWH) Reconcile

func (r *ReconcileWH) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error)

Reconcile reads the state of the cluster for a validatingwebhookconfiguration object and makes sure the most recent CA cert is included.

type SyncingReader

// SyncingReader is a reader that needs syncing prior to being usable: a
// client.Reader whose backing cache must be populated before its reads are
// meaningful.
type SyncingReader interface {
	client.Reader
	// WaitForCacheSync blocks until the cache has synced or ctx is done.
	// NOTE(review): the bool presumably reports whether the sync completed
	// (false when ctx ended first) — confirm against the implementing cache.
	WaitForCacheSync(ctx context.Context) bool
}

SyncingReader is a reader that needs syncing prior to being usable.

type WebhookInfo

// WebhookInfo is used by the rotator to receive info about resources to be
// updated with certificates.
type WebhookInfo struct {
	// Name is the name of the webhook for a validating or mutating webhook, or
	// the CRD name in the case of a CRD conversion webhook.
	// NOTE(review): what Name denotes for APIService and ExternalDataProvider
	// is not stated here — presumably the object's name; confirm.
	Name string
	// Type selects which kind of resource Name refers to (see WebhookType).
	Type WebhookType
}

WebhookInfo is used by the rotator to receive info about resources to be updated with certificates.

type WebhookType

type WebhookType int

WebhookType is the type of webhook: a validating/mutating webhook, a CRD conversion webhook, an extension API server, or a Gatekeeper External Data Provider (see the constants below).

// The WebhookType values are assigned by iota and are therefore positional:
// add new kinds at the end and never reorder, or the numeric value of the
// existing constants changes.
const (
	// Validating indicates the webhook is a ValidatingWebhook.
	Validating WebhookType = iota
	// Mutating indicates the webhook is a MutatingWebhook.
	Mutating
	// CRDConversion indicates the webhook is a conversion webhook.
	CRDConversion
	// APIService indicates the webhook is an extension API server.
	APIService
	// ExternalDataProvider indicates the webhook is a Gatekeeper External Data Provider.
	ExternalDataProvider
)
