Documentation
¶
Overview ¶
Package controller contains the code of the CSR-approver controller.
Index ¶
- func GetCertApprovalCondition(status *capiv1.CertificateSigningRequestStatus) (approved, denied bool)
- func InitLogger(config *Config) logr.Logger
- func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error)
- func ProviderChecks(_ *certificatesv1.CertificateSigningRequest, _ *x509.CertificateRequest) (valid bool, reason string)
- type CertificateSigningRequestReconciler
- func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, ...) (valid bool, reason string, err error)
- func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error)
- func (r *CertificateSigningRequestReconciler) SetupWithManager(mgr ctrl.Manager) error
- func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(_ *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
- type Config
- type HostResolver
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetCertApprovalCondition ¶
func GetCertApprovalCondition(status *capiv1.CertificateSigningRequestStatus) (approved, denied bool)
GetCertApprovalCondition returns the current condition of the CSR (approved, denied)
func InitLogger ¶ added in v0.2.5
InitLogger logger initialization
func ParseCSR ¶
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error)
ParseCSR extracts the CSR from the bytes and decodes it.
func ProviderChecks ¶
func ProviderChecks(_ *certificatesv1.CertificateSigningRequest, _ *x509.CertificateRequest) (valid bool, reason string)
ProviderChecks is a function in which the Cloud Provider specifies a series of checks to run against the CSRs. The out-of-band identity checks of the CSRs should happen here
Types ¶
type CertificateSigningRequestReconciler ¶
type CertificateSigningRequestReconciler struct {
ClientSet *clientset.Clientset
client.Client
Scheme *runtime.Scheme
Config
}
CertificateSigningRequestReconciler reconciles a CertificateSigningRequest object
func (*CertificateSigningRequestReconciler) DNSCheck ¶
func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
DNSCheck is a function checking that the DNS name: complies with the provider-specific regex is resolvable (this check can be opted out with a parameter)
func (*CertificateSigningRequestReconciler) Reconcile ¶
func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error)
Reconcile will perform a series of checks before deciding whether the CSR should be approved or denied cyclomatic complexity is high (over 15), but this improves readibility for the programmer, therefore we ignore the linting error
func (*CertificateSigningRequestReconciler) SetupWithManager ¶
func (r *CertificateSigningRequestReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager sets up the controller with the Manager.
func (*CertificateSigningRequestReconciler) WhitelistedIPCheck ¶ added in v0.2.0
func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(_ *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
WhitelistedIPCheck verifies that the x509cr SAN IP Addresses are contained in the set of ProviderSpecified IP addresses
type Config ¶ added in v0.2.4
type Config struct {
LogLevel int
MetricsAddr string
ProbeAddr string
LeaderElection bool
RegexStr string
ProviderRegexp func(string) bool
IPPrefixesStr string
ProviderIPSet *netipx.IPSet
MaxExpirationSeconds int32
K8sConfig *rest.Config
DNSResolver HostResolver
BypassDNSResolution bool
IgnoreNonSystemNodeCsr bool
AllowedDNSNames int
BypassHostnameCheck bool
}
Config holds all variables needed to configure the controller
Source Files