
package dynamiccertificates

import "k8s.io/apiserver/pkg/server/dynamiccertificates"


Package Files

cert_key.go client_ca.go configmap_cafile_content.go dynamic_cafile_content.go dynamic_serving_content.go dynamic_sni_content.go named_certificates.go static_content.go tlsconfig.go union_content.go util.go

Variables

// FileRefreshDuration is the period on which the file-backed providers in this
// package reload their content. It is a variable rather than a constant so that
// integration tests can crank up the reload speed.
var FileRefreshDuration = 1 * time.Minute

FileRefreshDuration is exposed so that integration tests can crank up the reload speed.

func GetHumanCertDetail Uses

func GetHumanCertDetail(certificate *x509.Certificate) string

GetHumanCertDetail is a convenience function that prints compact details of a certificate; it helps when debugging the kube-apiserver's use of certificates.

type CAContentProvider Uses

// CAContentProvider provides CA bundle byte content, i.e. the trust roots used
// to verify client certificates.
type CAContentProvider interface {
    // Name is just an identifier.
    Name() string
    // CurrentCABundleContent provides the CA bundle byte content. Errors are
    // contained to the controllers that initialize the value; by the time a
    // caller gets here the provider should always be returning a value that
    // won't fail.
    CurrentCABundleContent() []byte
    // VerifyOptions provides the x509.VerifyOptions an authenticator should use.
    // NOTE(review): the bool presumably reports whether a usable CA bundle is
    // currently available; a caller should treat false as "no client-certificate
    // verification configured" rather than verifying against an empty root pool —
    // confirm against the implementations.
    VerifyOptions() (x509.VerifyOptions, bool)
}

CAContentProvider provides ca bundle byte content

func NewStaticCAContent Uses

func NewStaticCAContent(name string, caBundle []byte) (CAContentProvider, error)

NewStaticCAContent returns a CAContentProvider that always returns the same value

func NewStaticCAContentFromFile Uses

func NewStaticCAContentFromFile(filename string) (CAContentProvider, error)

NewStaticCAContentFromFile returns a CAContentProvider whose content is loaded from the file named by filename.

func NewUnionCAContentProvider Uses

func NewUnionCAContentProvider(caContentProviders ...CAContentProvider) CAContentProvider

NewUnionCAContentProvider returns a CAContentProvider that is a union of other CAContentProviders

type CertKeyContentProvider Uses

// CertKeyContentProvider provides a certificate and its matching private key
// as raw byte content (for example a serving certificate).
type CertKeyContentProvider interface {
    // Name is just an identifier.
    Name() string
    // CurrentCertKeyContent provides the cert and key byte content, in that order.
    // NOTE(review): the key is returned as plain bytes; callers should not log it
    // or retain copies beyond what building the tls.Certificate requires.
    CurrentCertKeyContent() ([]byte, []byte)
}

CertKeyContentProvider provides a certificate and matching private key

func NewStaticCertKeyContent Uses

func NewStaticCertKeyContent(name string, cert, key []byte) (CertKeyContentProvider, error)

NewStaticCertKeyContent returns a CertKeyContentProvider that always returns the same value

func NewStaticCertKeyContentFromFiles Uses

func NewStaticCertKeyContentFromFiles(certFile, keyFile string) (CertKeyContentProvider, error)

NewStaticCertKeyContentFromFiles returns a CertKeyContentProvider based on the given certificate and key filenames.

type ConfigMapCAController Uses

// ConfigMapCAController is a CAContentProvider that dynamically reacts to
// configmap changes. It also fulfills the authenticator interface by providing
// VerifyOptions. Its fields are unexported and elided from this listing.
type ConfigMapCAController struct {
    // contains filtered or unexported fields
}

ConfigMapCAController provides a CAContentProvider that can dynamically react to configmap changes. It also fulfills the authenticator interface by providing VerifyOptions.

func NewDynamicCAFromConfigMapController Uses

func NewDynamicCAFromConfigMapController(purpose, namespace, name, key string, kubeClient kubernetes.Interface) (*ConfigMapCAController, error)

NewDynamicCAFromConfigMapController returns a CAContentProvider based on a configmap that automatically reloads content. It is near-realtime via an informer.

func (*ConfigMapCAController) AddListener Uses

func (c *ConfigMapCAController) AddListener(listener Listener)

AddListener adds a listener to be notified when the CA content changes.

func (*ConfigMapCAController) CurrentCABundleContent Uses

func (c *ConfigMapCAController) CurrentCABundleContent() []byte

CurrentCABundleContent provides ca bundle byte content

func (*ConfigMapCAController) Name Uses

func (c *ConfigMapCAController) Name() string

Name is just an identifier

func (*ConfigMapCAController) Run Uses

func (c *ConfigMapCAController) Run(workers int, stopCh <-chan struct{})

Run starts the controller and blocks until stopCh is closed.

func (*ConfigMapCAController) RunOnce Uses

func (c *ConfigMapCAController) RunOnce() error

RunOnce runs a single sync loop

func (*ConfigMapCAController) VerifyOptions Uses

func (c *ConfigMapCAController) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions provides x509.VerifyOptions compatible with authenticators.

type ControllerRunner Uses

// ControllerRunner is a generic interface for starting a controller.
type ControllerRunner interface {
    // RunOnce runs the sync loop a single time. This is useful for synchronous
    // priming, e.g. making sure content has been loaded before it is served.
    RunOnce() error

    // Run runs the controller until stopCh is closed. It blocks, so it should
    // be started in its own goroutine (go c.Run(workers, stopCh)).
    Run(workers int, stopCh <-chan struct{})
}

ControllerRunner is a generic interface for starting a controller

type DynamicFileCAContent Uses

// DynamicFileCAContent is a CAContentProvider that dynamically reacts to new
// file content. It also fulfills the authenticator interface by providing
// VerifyOptions. Its fields are unexported and elided from this listing.
type DynamicFileCAContent struct {
    // contains filtered or unexported fields
}

DynamicFileCAContent provides a CAContentProvider that can dynamically react to new file content. It also fulfills the authenticator interface by providing VerifyOptions.

func NewDynamicCAContentFromFile Uses

func NewDynamicCAContentFromFile(purpose, filename string) (*DynamicFileCAContent, error)

NewDynamicCAContentFromFile returns a CAContentProvider based on a filename that automatically reloads content

func (*DynamicFileCAContent) AddListener Uses

func (c *DynamicFileCAContent) AddListener(listener Listener)

AddListener adds a listener to be notified when the CA content changes.

func (*DynamicFileCAContent) CurrentCABundleContent Uses

func (c *DynamicFileCAContent) CurrentCABundleContent() (cabundle []byte)

CurrentCABundleContent provides ca bundle byte content

func (*DynamicFileCAContent) Name Uses

func (c *DynamicFileCAContent) Name() string

Name is just an identifier

func (*DynamicFileCAContent) Run Uses

func (c *DynamicFileCAContent) Run(workers int, stopCh <-chan struct{})

Run starts the controller and blocks until stopCh is closed.

func (*DynamicFileCAContent) RunOnce Uses

func (c *DynamicFileCAContent) RunOnce() error

RunOnce runs a single sync loop

func (*DynamicFileCAContent) VerifyOptions Uses

func (c *DynamicFileCAContent) VerifyOptions() (x509.VerifyOptions, bool)

VerifyOptions provides x509.VerifyOptions compatible with authenticators.

type DynamicFileSNIContent Uses

// DynamicFileSNIContent is an SNICertKeyContentProvider that dynamically reacts
// to new file content. It embeds *DynamicFileServingContent, so Name,
// AddListener, CurrentCertKeyContent, Run and RunOnce are promoted from it;
// only the explicitly configured SNI names (which are not dynamic) are added here.
type DynamicFileSNIContent struct {
    *DynamicFileServingContent
    // contains filtered or unexported fields
}

DynamicFileSNIContent provides a SNICertKeyContentProvider that can dynamically react to new file content

func NewDynamicSNIContentFromFiles Uses

func NewDynamicSNIContentFromFiles(purpose, certFile, keyFile string, sniNames ...string) (*DynamicFileSNIContent, error)

NewDynamicSNIContentFromFiles returns a dynamic SNICertKeyContentProvider based on a cert and key filename and explicit names

func (*DynamicFileSNIContent) SNINames Uses

func (c *DynamicFileSNIContent) SNINames() []string

SNINames returns explicitly set SNI names for the certificate. These are not dynamic.

type DynamicFileServingContent Uses

// DynamicFileServingContent is a CertKeyContentProvider that dynamically reacts
// to new file content. Its fields are unexported and elided from this listing.
type DynamicFileServingContent struct {
    // contains filtered or unexported fields
}

DynamicFileServingContent provides a CertKeyContentProvider that can dynamically react to new file content

func NewDynamicServingContentFromFiles Uses

func NewDynamicServingContentFromFiles(purpose, certFile, keyFile string) (*DynamicFileServingContent, error)

NewDynamicServingContentFromFiles returns a dynamic CertKeyContentProvider based on a cert and key filename

func (*DynamicFileServingContent) AddListener Uses

func (c *DynamicFileServingContent) AddListener(listener Listener)

AddListener adds a listener to be notified when the serving cert content changes.

func (*DynamicFileServingContent) CurrentCertKeyContent Uses

func (c *DynamicFileServingContent) CurrentCertKeyContent() ([]byte, []byte)

CurrentCertKeyContent provides serving cert byte content

func (*DynamicFileServingContent) Name Uses

func (c *DynamicFileServingContent) Name() string

Name is just an identifier

func (*DynamicFileServingContent) Run Uses

func (c *DynamicFileServingContent) Run(workers int, stopCh <-chan struct{})

Run starts the controller and blocks until stopCh is closed.

func (*DynamicFileServingContent) RunOnce Uses

func (c *DynamicFileServingContent) RunOnce() error

RunOnce runs a single sync loop

type DynamicServingCertificateController Uses

// DynamicServingCertificateController dynamically loads certificates and
// provides a Go tls compatible dynamic GetConfigForClient func, so a running
// server picks up reloaded serving certs and client CAs without a restart.
// Its fields are unexported and elided from this listing.
type DynamicServingCertificateController struct {
    // contains filtered or unexported fields
}

DynamicServingCertificateController dynamically loads certificates and provides a golang tls compatible dynamic GetCertificate func.

func NewDynamicServingCertificateController Uses

func NewDynamicServingCertificateController(
    baseTLSConfig tls.Config,
    clientCA CAContentProvider,
    servingCert CertKeyContentProvider,
    sniCerts []SNICertKeyContentProvider,
    eventRecorder events.EventRecorder,
) *DynamicServingCertificateController

NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date.

func (*DynamicServingCertificateController) BuildNamedCertificates Uses

func (c *DynamicServingCertificateController) BuildNamedCertificates(sniCerts []sniCertKeyContent) (map[string]*tls.Certificate, error)

BuildNamedCertificates returns a map of *tls.Certificate by name. It's suitable for use in tls.Config#NamedCertificates. Returns an error if any of the certs is invalid. Returns nil if len(certs) == 0

func (*DynamicServingCertificateController) Enqueue Uses

func (c *DynamicServingCertificateController) Enqueue()

Enqueue is a method that allows separate control loops to cause the certificate controller to trigger and re-read its content.

func (*DynamicServingCertificateController) GetConfigForClient Uses

func (c *DynamicServingCertificateController) GetConfigForClient(clientHello *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is an implementation of tls.Config.GetConfigForClient

func (*DynamicServingCertificateController) Run Uses

func (c *DynamicServingCertificateController) Run(workers int, stopCh <-chan struct{})

Run starts the controller and blocks until stopCh is closed.

func (*DynamicServingCertificateController) RunOnce Uses

func (c *DynamicServingCertificateController) RunOnce() error

RunOnce runs a single sync step to ensure that we have a valid starting configuration.

type Listener Uses

// Listener is implemented by parties that want to be notified of a change.
type Listener interface {
    // Enqueue should be called when an input may have changed. It is a hint to
    // re-read content, not a delivery of the new content itself.
    Enqueue()
}

Listener is an interface to use to notify interested parties of a change.

type Notifier Uses

// Notifier is implemented by providers that can register Listeners.
type Notifier interface {
    // AddListener adds a listener to be notified of potential input changes.
    AddListener(listener Listener)
}

Notifier is implemented by types that accept listeners for change notifications.

type SNICertKeyContentProvider Uses

// SNICertKeyContentProvider provides a certificate and matching private key as
// well as optional explicit names under which the certificate is served.
type SNICertKeyContentProvider interface {
    CertKeyContentProvider
    // SNINames provides the names used for SNI matching. May return nil; in that
    // case the names presumably come from the certificate itself — confirm
    // against BuildNamedCertificates.
    SNINames() []string
}

SNICertKeyContentProvider provides a certificate and matching private key as well as optional explicit names

func NewStaticSNICertKeyContent Uses

func NewStaticSNICertKeyContent(name string, cert, key []byte, sniNames ...string) (SNICertKeyContentProvider, error)

NewStaticSNICertKeyContent returns a SNICertKeyContentProvider that always returns the same value

func NewStaticSNICertKeyContentFromFiles Uses

func NewStaticSNICertKeyContentFromFiles(certFile, keyFile string, sniNames ...string) (SNICertKeyContentProvider, error)

NewStaticSNICertKeyContentFromFiles returns a SNICertKeyContentProvider based on the given certificate and key filenames and explicit names.

Package dynamiccertificates imports 24 packages and is imported by 14 packages. Updated 2019-12-14.