Documentation
¶
Index ¶
- Constants
- func GetCertRotationScale(ctx context.Context, client kubernetes.Interface, namespace string) (time.Duration, error)
- func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)
- func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)
- func NewCertRotationController(name string, rotatedSigningCASecret RotatedSigningCASecret, ...) factory.Controller
- func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta
- type AdditionalAnnotations
- type CABundleConfigMap
- type CertRotationController
- type CertificateType
- type ClientRotation
- func (r *ClientRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, ...) string
- func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type RotatedSelfSignedCertKeySecret
- type RotatedSigningCASecret
- type ServingHostnameFunc
- type ServingRotation
- func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, ...) string
- func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *ServingRotation) RecheckChannel() <-chan struct{}
- func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type SignerRotation
- func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, ...) string
- func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
- func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
- type StaticPodConditionStatusReporter
- type StatusReporter
- type TargetCertCreator
- type TargetCertRechecker
Constants ¶
View Source
const ( // CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format. CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before" // CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format. CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after" // CertificateIssuer contains the common name of the certificate that signed another certificate. CertificateIssuer = "auth.openshift.io/certificate-issuer" // CertificateHostnames contains the hostnames used by a signer. CertificateHostnames = "auth.openshift.io/certificate-hostnames" // RunOnceContextKey is a context value key that can be used to call the controller Sync() and make it only run the syncWorker once and report error. RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once" )
View Source
const (
AutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
)
View Source
const ( // ManagedCertificateTypeLabelName marks config map or secret as object that contains managed certificates. // This groups all objects that store certs and allow easy query to get them all. // The value of this label should be set to "true". ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type" )
Variables ¶
This section is empty.
Functions ¶
func GetCertRotationScale ¶
func GetCertRotationScale(ctx context.Context, client kubernetes.Interface, namespace string) (time.Duration, error)
GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.
func LabelAsManagedConfigMap ¶
func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)
LabelAsManagedConfigMap add label indicating the given config map contains certificates that are managed.
func LabelAsManagedSecret ¶
func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)
LabelAsManagedConfigMap add label indicating the given secret contains certificates that are managed.
func NewCertRotationController ¶
func NewCertRotationController( name string, rotatedSigningCASecret RotatedSigningCASecret, caBundleConfigMap CABundleConfigMap, rotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret, recorder events.Recorder, reporter StatusReporter, ) factory.Controller
func NewTLSArtifactObjectMeta ¶
func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta
Types ¶
type AdditionalAnnotations ¶
type AdditionalAnnotations struct {
// JiraComponent annotates tls artifacts so that owner could be easily found
JiraComponent string
// Description is a human-readable one sentence description of certificate purpose
Description string
// AutoRegenerateAfterOfflineExpiry contains a link to PR and an e2e test name which verifies
// that TLS artifact is correctly regenerated after it has expired
AutoRegenerateAfterOfflineExpiry string
}
func (AdditionalAnnotations) EnsureTLSMetadataUpdate ¶
func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool
type CABundleConfigMap ¶
type CABundleConfigMap struct {
// Namespace is the namespace of the ConfigMap to maintain.
Namespace string
// Name is the name of the ConfigMap to maintain.
Name string
// Owner is an optional reference to add to the secret that this rotator creates.
Owner *metav1.OwnerReference
// AdditionalAnnotations is a collection of annotations set for the secret
AdditionalAnnotations AdditionalAnnotations
// Plumbing:
Informer corev1informers.ConfigMapInformer
Lister corev1listers.ConfigMapLister
Client corev1client.ConfigMapsGetter
EventRecorder events.Recorder
}
CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret, and by removing expired old ones.
func (CABundleConfigMap) EnsureConfigMapCABundle ¶
func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingCertKeyPair *crypto.CA) ([]*x509.Certificate, error)
type CertRotationController ¶
type CertRotationController struct {
// controller name
Name string
// RotatedSigningCASecret rotates a self-signed signing CA stored in a secret.
RotatedSigningCASecret RotatedSigningCASecret
// CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from rotatedSigningCASecret, and by removing expired old ones.
CABundleConfigMap CABundleConfigMap
// RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
RotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret
// Plumbing:
StatusReporter StatusReporter
}
CertRotationController does:
1) continuously create a self-signed signing CA (via RotatedSigningCASecret) and store it in a secret. 2) maintain a CA bundle ConfigMap with all not yet expired CA certs. 3) continuously create a target cert and key signed by the latest signing CA and store it in a secret.
func (CertRotationController) Sync ¶
func (c CertRotationController) Sync(ctx context.Context, syncCtx factory.SyncContext) error
func (CertRotationController) SyncWorker ¶
func (c CertRotationController) SyncWorker(ctx context.Context) error
type CertificateType ¶
type CertificateType string
var ( CertificateTypeCABundle CertificateType = "ca-bundle" CertificateTypeSigner CertificateType = "signer" CertificateTypeTarget CertificateType = "target" CertificateTypeUnknown CertificateType = "unknown" )
func CertificateTypeFromObject ¶
func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)
CertificateTypeFromObject returns the CertificateType based on the annotations of the object.
type ClientRotation ¶
func (*ClientRotation) NeedNewTargetCertKeyPair ¶
func (*ClientRotation) NewCertificate ¶
func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ClientRotation) SetAnnotations ¶
func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type RotatedSelfSignedCertKeySecret ¶
type RotatedSelfSignedCertKeySecret struct {
// Namespace is the namespace of the Secret.
Namespace string
// Name is the name of the Secret.
Name string
// Validity is the duration from time.Now() until the certificate expires. If RefreshOnlyWhenExpired
// is false, the key and certificate is rotated when 80% of validity is reached.
Validity time.Duration
// Refresh is the duration after certificate creation when it is rotated at the latest. It is ignored
// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
// Refresh is ignored until the signing CA at least 10% in its life-time to ensure it is deployed
// through-out the cluster.
Refresh time.Duration
// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
// but only rotate when the certificate expires. This is useful for auto-recovery when we want to enforce
// rotation on expiration only, but not interfere with the ordinary rotation controller.
RefreshOnlyWhenExpired bool
// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
// consumers of the certificate need to be aware of changes to the object.
// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
// of the certificate. If the lifetime of the owning object is not a superset of the lifetime in which the
// certificate is used, early deletion will be catastrophic.
Owner *metav1.OwnerReference
// AdditionalAnnotations is a collection of annotations set for the secret
AdditionalAnnotations AdditionalAnnotations
// CertCreator does the actual cert generation.
CertCreator TargetCertCreator
// Plumbing:
Informer corev1informers.SecretInformer
Lister corev1listers.SecretLister
Client corev1client.SecretsGetter
EventRecorder events.Recorder
// Deprecated: DO NOT eanble, it is intended as a short term hack for a very specific use case,
// and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
// we will remove this when we migrate all of the affected secret
// objects to their intended type: https://issues.redhat.com/browse/API-1800
UseSecretUpdateOnly bool
}
RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
It creates a new one when - refresh duration is over - or 80% of validity is over (if RefreshOnlyWhenExpired is false) - or the cert is expired. - or the signing CA changes.
func (RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair ¶
func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Context, signingCertKeyPair *crypto.CA, caBundleCerts []*x509.Certificate) (*corev1.Secret, error)
type RotatedSigningCASecret ¶
type RotatedSigningCASecret struct {
// Namespace is the namespace of the Secret.
Namespace string
// Name is the name of the Secret.
Name string
// Validity is the duration from time.Now() until the signing CA expires. If RefreshOnlyWhenExpired
// is false, the signing cert is rotated when 80% of validity is reached.
Validity time.Duration
// Refresh is the duration after signing CA creation when it is rotated at the latest. It is ignored
// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
Refresh time.Duration
// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
// but only rotate when the signing CA expires. This is useful for auto-recovery when we want to enforce
// rotation on expiration only, but not interfere with the ordinary rotation controller.
RefreshOnlyWhenExpired bool
// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
// consumers of the signer CA need to be aware of changes to the object.
// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
// of the signer. If the lifetime of the owning object is not a superset of the lifetime in which the signer
// is used, early deletion will be catastrophic.
Owner *metav1.OwnerReference
// AdditionalAnnotations is a collection of annotations set for the secret
AdditionalAnnotations AdditionalAnnotations
// Plumbing:
Informer corev1informers.SecretInformer
Lister corev1listers.SecretLister
Client corev1client.SecretsGetter
EventRecorder events.Recorder
// Deprecated: DO NOT enable, it is intended as a short term hack for a very specific use case,
// and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
// we will remove this when we migrate all of the affected secret
// objects to their intended type: https://issues.redhat.com/browse/API-1800
UseSecretUpdateOnly bool
}
RotatedSigningCASecret rotates a self-signed signing CA stored in a secret. It creates a new one when - refresh duration is over - or 80% of validity is over (if RefreshOnlyWhenExpired is false) - or the CA is expired.
func (RotatedSigningCASecret) EnsureSigningCertKeyPair ¶
func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, bool, error)
EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation. It always returns the currently used CA pair, a bool indicating whether it was created/updated within this function call and an error.
type ServingHostnameFunc ¶
type ServingHostnameFunc func() []string
type ServingRotation ¶
type ServingRotation struct {
Hostnames ServingHostnameFunc
CertificateExtensionFn []crypto.CertificateExtensionFunc
HostnamesChanged <-chan struct{}
}
func (*ServingRotation) NeedNewTargetCertKeyPair ¶
func (*ServingRotation) NewCertificate ¶
func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ServingRotation) RecheckChannel ¶
func (r *ServingRotation) RecheckChannel() <-chan struct{}
func (*ServingRotation) SetAnnotations ¶
func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type SignerRotation ¶
type SignerRotation struct {
SignerName string
}
func (*SignerRotation) NeedNewTargetCertKeyPair ¶
func (*SignerRotation) NewCertificate ¶
func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*SignerRotation) SetAnnotations ¶
func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type StaticPodConditionStatusReporter ¶
type StaticPodConditionStatusReporter struct {
// Plumbing:
OperatorClient v1helpers.StaticPodOperatorClient
}
type StatusReporter ¶
type StatusReporter interface {
Report(ctx context.Context, controllerName string, syncErr error) (updated bool, updateErr error)
}
StatusReporter knows how to report the status of cert rotation
type TargetCertCreator ¶
type TargetCertCreator interface {
// NewCertificate creates a new key-cert pair with the given signer.
NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
// NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case.
NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired bool) string
// SetAnnotations gives an option to override or set additional annotations
SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}
type TargetCertRechecker ¶
type TargetCertRechecker interface {
RecheckChannel() <-chan struct{}
}
TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce a controller run.
Source Files
Click to show internal directories.
Click to hide internal directories.