kubernetes: k8s.io/kubernetes/pkg/kubelet/certificate

package certificate

import "k8s.io/kubernetes/pkg/kubelet/certificate"

Index

Package Files

kubelet.go transport.go

func NewKubeletClientCertificateManager

func NewKubeletClientCertificateManager(
    certDirectory string,
    nodeName types.NodeName,
    bootstrapCertData []byte,
    bootstrapKeyData []byte,
    certFile string,
    keyFile string,
    clientFn certificate.CSRClientFunc,
) (certificate.Manager, error)

NewKubeletClientCertificateManager sets up a certificate manager that has no client for signing new certificates (or rotating them). If a CSR client is set later, the manager may begin rotating/renewing the client cert.

func NewKubeletServerCertificateManager

func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg *kubeletconfig.KubeletConfiguration, nodeName types.NodeName, getAddresses func() []v1.NodeAddress, certDirectory string) (certificate.Manager, error)

NewKubeletServerCertificateManager creates a certificate manager for the kubelet when retrieving a server certificate or returns an error.

func UpdateTransport

func UpdateTransport(stopCh <-chan struct{}, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration) (func(), error)

UpdateTransport instruments a restconfig with a transport that dynamically uses certificates provided by the manager for TLS client auth.

The config must not already provide an explicit transport.

The returned function allows forcefully closing all active connections.

The returned transport periodically checks the manager to determine if the certificate has changed. If it has, the transport shuts down all existing client connections, forcing the client to re-handshake with the server and use the new certificate.

The exitAfter duration, if set, will terminate the current process if a certificate is not available from the store (because it has been deleted on disk or is corrupt) or if the certificate has expired and the server is responsive. This allows the process parent or the bootstrap credentials an opportunity to retrieve a new initial certificate.

stopCh should be used to indicate when the transport is unused and doesn't need to continue checking the manager.
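
The mechanism UpdateTransport describes (certificate fetched at handshake time, connections dropped when it changes) can be sketched with the standard library alone. This is an added example, not the kubelet's code: `currentFn`, `newTransport`, `sameLeaf` and `checkRotation` are hypothetical names, the certificate bytes are constructed placeholders, and `http.Transport.CloseIdleConnections` stands in for closing all active connections (it closes idle ones only).

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// currentFn is a hypothetical stand-in for the manager's current-certificate lookup.
type currentFn func() *tls.Certificate

// newTransport fetches the client certificate from current() at every TLS handshake.
func newTransport(current currentFn) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if c := current(); c != nil {
				return c, nil
			}
			return nil, errors.New("no client certificate available") // fail closed
		},
	}}
}

// sameLeaf reports whether both certificates carry the same leaf DER bytes.
func sameLeaf(a, b *tls.Certificate) bool {
	return a != nil && b != nil && len(a.Certificate) > 0 && len(b.Certificate) > 0 &&
		bytes.Equal(a.Certificate[0], b.Certificate[0])
}

// checkRotation is one tick of the periodic check; a changed leaf triggers closeConns.
func checkRotation(current currentFn, last *tls.Certificate, closeConns func()) (*tls.Certificate, bool) {
	cur := current()
	if cur == nil || sameLeaf(cur, last) {
		return last, false // a missing certificate is not handled in this sketch
	}
	closeConns() // old connections must not outlive the credential they authenticated with
	return cur, true
}

func main() {
	cert := &tls.Certificate{Certificate: [][]byte{{0x01}}} // constructed placeholder bytes
	src := func() *tls.Certificate { return cert }
	tr := newTransport(src)
	last, _ := checkRotation(src, nil, tr.CloseIdleConnections)
	cert = &tls.Certificate{Certificate: [][]byte{{0x02}}} // simulated rotation
	_, rotated := checkRotation(src, last, tr.CloseIdleConnections)
	fmt.Println("rotated:", rotated)
}
```

Without the close step, a pooled keep-alive connection would keep using the TLS session established with the previous certificate until it happened to be torn down.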

Directories

Path         Synopsis
bootstrap

Package certificate imports 23 packages and is imported by 7 packages. Updated 2019-09-14.