Documentation
¶
Index ¶
- Constants
- Variables
- func BuildKubeconfig(server string, caData []byte, proxyURL, clientCertPath, clientKeyPath string) clientcmdapi.Config
- func HasValidHubKubeconfig(logger klog.Logger, secret *corev1.Secret, subject *pkix.Name) bool
- func IsCertificateValid(logger klog.Logger, certData []byte, subject *pkix.Name) (bool, error)
- func NewClientCertificateController(clientCertOption ClientCertOption, csrOption CSROption, csrControl CSRControl, ...) factory.Controller
- type CSRControl
- type CSROption
- type ClientCertOption
- type StatusUpdateFunc
Constants ¶
View Source
const ( // KubeconfigFile is the name of the kubeconfig file in kubeconfigSecret KubeconfigFile = "kubeconfig" // TLSKeyFile is the name of tls key file in kubeconfigSecret TLSKeyFile = "tls.key" // TLSCertFile is the name of the tls cert file in kubeconfigSecret TLSCertFile = "tls.crt" ClusterNameFile = "cluster-name" AgentNameFile = "agent-name" // ClusterCertificateRotatedCondition is a condition type that client certificate is rotated ClusterCertificateRotatedCondition = "ClusterCertificateRotated" )
Variables ¶
View Source
var ControllerResyncInterval = 5 * time.Minute
ControllerResyncInterval is exposed so that integration tests can crank up the constroller sync speed.
Functions ¶
func BuildKubeconfig ¶
func BuildKubeconfig(server string, caData []byte, proxyURL, clientCertPath, clientKeyPath string) clientcmdapi.Config
BuildKubeconfig builds a kubeconfig based on a rest config template with a cert/key pair
func HasValidHubKubeconfig ¶
HasValidHubKubeconfig checks if there exists a valid client certificate in the given secret Returns true if all the conditions below are met:
- KubeconfigFile exists when hasKubeconfig is true
- TLSKeyFile exists
- TLSCertFile exists and the certificate is not expired
- If subject is specified, it matches the subject in the certificate stored in TLSCertFile
func IsCertificateValid ¶
IsCertificateValid return true if 1) All certs in client certificate are not expired. 2) At least one cert matches the given subject if specified
func NewClientCertificateController ¶
func NewClientCertificateController( clientCertOption ClientCertOption, csrOption CSROption, csrControl CSRControl, managementSecretInformer corev1informers.SecretInformer, managementCoreClient corev1client.CoreV1Interface, statusUpdater StatusUpdateFunc, recorder events.Recorder, controllerName string, ) factory.Controller
NewClientCertificateController return an instance of clientCertificateController
Types ¶
type CSRControl ¶
type CSRControl interface {
// Informer is public so we can add indexer outside
Informer() cache.SharedIndexInformer
// contains filtered or unexported methods
}
func NewCSRControl ¶
func NewCSRControl(logger klog.Logger, hubCSRInformer certificatesinformers.Interface, hubKubeClient kubernetes.Interface) (CSRControl, error)
type CSROption ¶
type CSROption struct {
// ObjectMeta is the ObjectMeta shared by all created csrs. It should use GenerateName instead of Name
// to generate random csr names
ObjectMeta metav1.ObjectMeta
// Subject represents the subject of the client certificate used to create csrs
Subject *pkix.Name
// DNSNames represents DNS names used to create the client certificate
DNSNames []string
// SignerName is the name of the signer specified in the created csrs
SignerName string
// ExpirationSeconds is the requested duration of validity of the issued
// certificate.
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 3600, i.e. 1 hour.
ExpirationSeconds *int32
// EventFilterFunc matches csrs created with above options
EventFilterFunc factory.EventFilterFunc
// HaltCSRCreation halt the csr creation
HaltCSRCreation func() bool
}
CSROption includes options that is used to create and monitor csrs
type ClientCertOption ¶
type ClientCertOption struct {
// SecretNamespace is the namespace of the secret containing client certificate.
SecretNamespace string
// SecretName is the name of the secret containing client certificate. The secret will be created if
// it does not exist.
SecretName string
// AdditonalSecretData contains data that will be added into client certificate secret besides tls.key/tls.crt
AdditionalSecretData map[string][]byte
// AdditonalSecretDataSensitive is true indicates the client cert is sensitive to the AdditonalSecretData.
// That means once AdditonalSecretData changes, the client cert will be recreated.
AdditionalSecretDataSensitive bool
}
ClientCertOption includes options that is used to create client certificate
Source Files
Click to show internal directories.
Click to hide internal directories.