certificaterequest

package v1.0.0
Published: Oct 24, 2019 License: Apache-2.0 Imports: 38 Imported by: 5

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Add

func Add(mgr manager.Manager) error

Add creates a new CertificateRequest Controller and adds it to the Manager. The Manager will set fields on the Controller and Start it when the Manager is Started.

func GetCertificate

func GetCertificate(kubeClient client.Client, cr *certmanv1alpha1.CertificateRequest) (*x509.Certificate, error)

GetCertificate returns a certificate to the caller after retrieving the certificate's secret.

func GetSecret

func GetSecret(kubeClient client.Client, secretName, namespace string) (*corev1.Secret, error)

GetSecret returns a secret based on a secretName and namespace.

func ParseCertificateData

func ParseCertificateData(data []byte) (*x509.Certificate, error)

ParseCertificateData returns a decoded x509 certificate to the caller.

func SecretExists

func SecretExists(kubeClient client.Client, secretName, namespace string) bool

SecretExists returns a boolean to the caller based on the secretName and namespace args.

func ValidateResourceRecordUpdatesUsingCloudflareDns

func ValidateResourceRecordUpdatesUsingCloudflareDns(reqLogger logr.Logger, name string, value string) (bool, error)

ValidateResourceRecordUpdatesUsingCloudflareDns contacts cloudflareDnsOverHttpsEndpoint and validates the JSON response.

func VerifyDnsResourceRecordUpdate

func VerifyDnsResourceRecordUpdate(reqLogger logr.Logger, fqdn string, txtValue string) bool

VerifyDnsResourceRecordUpdate is used to export the verifyDnsResourceRecordUpdate result back to the caller.

Types

type CloudflareAnswer

type CloudflareAnswer struct {
	Name string `json:"name"`
	Type int    `json:"type"`
	TTL  int    `json:"TTL"`
	Data string `json:"data"`
}

type CloudflareQuestion

type CloudflareQuestion struct {
	Name string `json:"name"`
	Type int    `json:"type"`
}

type CloudflareResponse

type CloudflareResponse struct {
	Status    int                  `json:"Status"`
	TC        bool                 `json:"TC"`
	RC        bool                 `json:"RC"`
	RA        bool                 `json:"RA"`
	AD        bool                 `json:"AD"`
	CD        bool                 `json:"CD"`
	Questions []CloudflareQuestion `json:"Question"`
	Answers   []CloudflareAnswer   `json:"Answer"`
}
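The ValidateResourceRecordUpdatesUsingCloudflareDns entry above says the DNS-over-HTTPS JSON response is validated, and the CloudflareResponse/CloudflareAnswer types show its shape. The following is an added example, not code from the certificaterequest package, showing what such a validation has to check before a DNS-01 challenge is treated as propagated: a NOERROR Status, a TXT-type answer for the expected name, and the quotes that wrap TXT data in the JSON form. The helper name txtRecordMatches, the trimmed struct copies and the sample body are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed copies of the CloudflareAnswer/CloudflareResponse types documented above (only the fields read here).
type CloudflareAnswer struct {
	Name string `json:"name"`
	Type int    `json:"type"`
	Data string `json:"data"`
}
type CloudflareResponse struct {
	Status  int                `json:"Status"`
	Answers []CloudflareAnswer `json:"Answer"`
}

const dnsTypeTXT = 16 // DNS RR type number for TXT

// txtRecordMatches (assumed helper, not the package's own) reports whether the DoH JSON body carries a TXT
// answer for name whose data equals value: Status must be 0 (NOERROR), names are compared case-insensitively
// without a trailing dot, and the quotes wrapping TXT data in the JSON form are stripped before comparing.
func txtRecordMatches(body []byte, name, value string) (bool, error) {
	var resp CloudflareResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, fmt.Errorf("decode DoH response: %w", err)
	}
	if resp.Status != 0 {
		return false, fmt.Errorf("DoH query returned Status %d, not NOERROR", resp.Status)
	}
	want := strings.TrimSuffix(strings.ToLower(name), ".")
	for _, a := range resp.Answers {
		got := strings.TrimSuffix(strings.ToLower(a.Name), ".")
		if a.Type != dnsTypeTXT || got != want {
			continue // not a TXT record, or a record for another name
		}
		if strings.Trim(a.Data, `"`) == value {
			return true, nil
		}
	}
	return false, nil // NOERROR, but the expected value has not propagated yet
}
// Constructed sample body in the shape of a Cloudflare DoH JSON answer (not a real capture).
var sampleBody = []byte(`{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,` +
	`"Question":[{"name":"_acme-challenge.example.com.","type":16}],"Answer":[{"name":"_acme-challenge.example.com.","type":16,"TTL":60,"data":"\"expected-token\""}]}`)

func main() {
	fmt.Println(txtRecordMatches(sampleBody, "_acme-challenge.example.com", "expected-token")) // true <nil>
}
```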

type ReconcileCertificateRequest

type ReconcileCertificateRequest struct {
	// contains filtered or unexported fields
}

ReconcileCertificateRequest reconciles a CertificateRequest object

func (*ReconcileCertificateRequest) AnswerDnsChallenge

func (r *ReconcileCertificateRequest) AnswerDnsChallenge(reqLogger logr.Logger, acmeChallengeToken string, domain string, cr *certmanv1alpha1.CertificateRequest) (fqdn string, err error)

AnswerDnsChallenge constructs a fqdn from acmeChallengeSubDomain and domain. A Route 53 AWS client is then spawned to retrieve the HostedZones. If zone.HostedZone.Config.PrivateZone is not defined, an attempt to populate this zone is performed. Only upon success is `fqdn, nil` returned.

func (*ReconcileCertificateRequest) DeleteAcmeChallengeResourceRecords

func (r *ReconcileCertificateRequest) DeleteAcmeChallengeResourceRecords(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest) error

DeleteAcmeChallengeResourceRecords spawns an AWS client and constructs baseDomain to retrieve the HostedZones. The ResourceRecordSets are then requested; if one is returned and validated, the record is updated to an empty struct to remove the ACME challenge.

func (*ReconcileCertificateRequest) DeleteAllAcmeChallengeResourceRecords

func (r *ReconcileCertificateRequest) DeleteAllAcmeChallengeResourceRecords(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest) error

DeleteAllAcmeChallengeResourceRecords deletes all records in a hosted zone that begin with the prefix defined by the const acmeChallengeSubDomain.

func (*ReconcileCertificateRequest) IssueCertificate

func (r *ReconcileCertificateRequest) IssueCertificate(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest, certificateSecret *corev1.Secret) error

IssueCertificate validates DNS write access, then determines the Let's Encrypt endpoint (prod or stage) based on the leclient URL. It then iterates through the CertificateRequest.Spec.DnsNames, authorizes with Let's Encrypt and sets a challenge in the form of a resource record. Certificates are then generated and issued to Kubernetes via corev1.

func (*ReconcileCertificateRequest) Reconcile

Reconcile reads the state of the cluster for a CertificateRequest object and makes changes based on the state read and what is in the CertificateRequest.Spec.

func (*ReconcileCertificateRequest) RevokeCertificate

func (r *ReconcileCertificateRequest) RevokeCertificate(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest) error

RevokeCertificate validates which Let's Encrypt endpoint is to be used along with the corresponding account. It then revokes the certificate upon matching the CommonName of LetsEncryptCertIssuingAuthority. Associated ACME challenge resources are also removed.

func (*ReconcileCertificateRequest) ShouldRenewOrReIssue

func (r *ReconcileCertificateRequest) ShouldRenewOrReIssue(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest) (bool, error)

ShouldRenewOrReIssue retrieves a renewCertificateBeforeDays int and returns `true` to the caller if it is <= the expiry of the CertificateRequest.

func (*ReconcileCertificateRequest) ValidateDnsWriteAccess

func (r *ReconcileCertificateRequest) ValidateDnsWriteAccess(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest) (bool, error)

ValidateDnsWriteAccess spawns a route53 client to retrieve the baseDomain's hostedZoneOutput and attempts to write a test TXT ResourceRecord to it. If successful, it returns `true, nil`.
