kube

func CreateTlsSecret ¶

func CreateTlsSecret(ctx context.Context, kube kubernetes.Interface, secretCfg TlsSecret) (*v1.Secret, error)

Returns the created or updated secret

func GetExistingValidTlsSecret ¶ added in v1.9.25

func GetExistingValidTlsSecret(ctx context.Context, kube kubernetes.Interface, secretName string, secretNamespace string,
	svcName string, svcNamespace string, renewBeforeDuration time.Duration) (*v1.Secret, bool, error)

If there is a currently valid TLS secret with the given name and namespace, that is valid for the given service name/namespace, then return it. Otherwise return nil. The second return value is a bool indicating whether the secret is expiring soon (i.e. within the renewBeforeDuration).

func RotateCerts ¶ added in v1.15.13

func RotateCerts(ctx context.Context,
	kubeClient kubernetes.Interface,
	currentTlsSecret TlsSecret,
	nextCerts *certutils.Certificates,
	gracePeriod time.Duration) (*v1.Secret, error)

RotateCerts rotates certs in a few steps.

We start with:

• The current secret (currentTlsSecret) which will be rotated out. It initially contains the current server cert/key and ca bundle.
• The newly generated certs (nextCerts) which we will switch over to.

The update is done in the following order:

1. Set current secret's ca bundle to the current + next ca bundle (so both CAs are accepted temporarily)
2. Wait for the change to propagate
3. Set the current secret's server cert and private key to those of the newly generated certs
4. Wait for the change to propagate
5. Set the current secret's ca bundle to the next ca bundle. Now it contains only the next server cert and next ca bundle and the old ones are no longer supported.

func UpdateValidatingWebhookConfigurationCaBundle ¶

func UpdateValidatingWebhookConfigurationCaBundle(ctx context.Context, kube kubernetes.Interface, vwcName string, cfg WebhookTlsConfig) error