Documentation
Index
- Constants
- Variables
- func Instrument(path string, h http.Handler) http.Handler
- func Main(f *Flags, version string) error
- func ObserveCondition(ssecret *v1alpha1.SealedSecret)
- func ScheduleJobWithTrigger(initialDelay, period time.Duration, job func()) func()
- func UnregisterCondition(ssecret *v1alpha1.SealedSecret)
- type Controller
- type Flags
- type Key
- type KeyRegistry
Constants
const (
	// SuccessUnsealed is used as part of the Event 'reason' when
	// a SealedSecret is unsealed successfully.
	SuccessUnsealed = "Unsealed"
	// ErrUpdateFailed is used as part of the Event 'reason' when
	// a SealedSecret fails to update the target Secret for a
	// non-cryptography reason. Typically this is due to API I/O
	// or RBAC issues.
	ErrUpdateFailed = "ErrUpdateFailed"
	// ErrUnsealFailed is used as part of the Event 'reason' when a
	// SealedSecret fails the unsealing process. Typically this
	// is because it is encrypted with the wrong key or has been
	// renamed from its original namespace/name.
	ErrUnsealFailed = "ErrUnsealFailed"
)
const SealedSecretsKeyLabel = "sealedsecrets.bitnami.com/sealed-secrets-key"
SealedSecretsKeyLabel is the label used to locate the active key pairs used to decrypt sealed secrets.
Variables
var (
	// ErrCast happens when a K8s any type cannot be casted to the expected type.
	ErrCast = errors.New("cast error")
)
var (
	// ErrPrivateKeyNotRSA is returned when the private key is not a valid RSA key.
	ErrPrivateKeyNotRSA = errors.New("private key is not an RSA key")
)
Functions
func Instrument
func Instrument(path string, h http.Handler) http.Handler
Instrument wraps the HTTP handler h for the route path and returns the instrumented handler.
func ObserveCondition
func ObserveCondition(ssecret *v1alpha1.SealedSecret)
ObserveCondition sets a `condition_info` Gauge according to a SealedSecret status.
func ScheduleJobWithTrigger
func ScheduleJobWithTrigger(initialDelay, period time.Duration, job func()) func()
ScheduleJobWithTrigger creates a long-running loop that runs job after initialDelay and then once every period. It returns a trigger function that runs the job early when called.
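The loop described above, as an added illustration that is not the project's own code: it reimplements the documented contract in plain Go, adding a stop channel that the page's signature does not have (an assumption for the example) and a countRuns helper for checking behaviour. It shows the two properties that matter for a recurring maintenance job of this kind: runs never overlap, because a single goroutine performs all of them, and a burst of early triggers coalesces into at most one pending run.

```go
package main

import (
	"sync/atomic"
	"time"
)

// scheduleJobWithTrigger illustrates the documented contract: run job once after
// initialDelay, then after every period; the returned function runs it early.
// The stop channel is an addition for this example so the loop can be shut down.
func scheduleJobWithTrigger(initialDelay, period time.Duration, job func(), stop <-chan struct{}) func() {
	trigger := make(chan struct{}, 1) // buffer of one: pending triggers coalesce
	go func() {
		timer := time.NewTimer(initialDelay)
		defer timer.Stop()
		for {
			select {
			case <-stop:
				return
			case <-trigger:
				job() // early run; the periodic schedule is left untouched
			case <-timer.C:
				job()
				timer.Reset(period) // safe: the timer fired and its channel was drained
			}
		}
	}()
	// Every run happens on the single goroutine above, so a triggered run can
	// never overlap a scheduled one.
	return func() {
		select {
		case trigger <- struct{}{}:
		default: // a run is already pending; nothing more to do
		}
	}
}

// countRuns starts a loop with the given timings, calls the trigger `triggers`
// times right away, waits for `window` and reports how often the job ran.
func countRuns(initialDelay, period, window time.Duration, triggers int) int {
	var runs int32
	stop := make(chan struct{})
	defer close(stop)
	trig := scheduleJobWithTrigger(initialDelay, period, func() { atomic.AddInt32(&runs, 1) }, stop)
	for i := 0; i < triggers; i++ {
		trig()
	}
	time.Sleep(window)
	return int(atomic.LoadInt32(&runs))
}
```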
func UnregisterCondition
func UnregisterCondition(ssecret *v1alpha1.SealedSecret)
UnregisterCondition unregisters the Gauges associated with a SealedSecret's conditions.
Types
type Controller
type Controller struct {
// contains filtered or unexported fields
}
Controller implements the main sealed-secrets-controller loop.
func NewController
func NewController(clientset kubernetes.Interface, ssclientset ssclientset.Interface, ssinformer ssinformer.SharedInformerFactory, sinformer informers.SharedInformerFactory, keyRegistry *KeyRegistry, maxRetriesConfig int) (*Controller, error)
NewController returns the main sealed-secrets controller loop.
func (*Controller) AttemptUnseal
func (c *Controller) AttemptUnseal(content []byte) (bool, error)
AttemptUnseal tries to unseal a secret.
func (*Controller) HasSynced
func (c *Controller) HasSynced() bool
HasSynced returns true once this controller has completed an initial resource listing.
func (*Controller) LastSyncResourceVersion
func (c *Controller) LastSyncResourceVersion() string
LastSyncResourceVersion is the resource version observed when last synced with the underlying store. The value returned is not synchronized with access to the underlying store and is not thread-safe.
func (*Controller) Rotate
func (c *Controller) Rotate(content []byte) ([]byte, error)
Rotate takes a sealed secret and returns a sealed secret that has been encrypted with the latest private key. If the secret is already encrypted with the latest key, it returns the input unchanged.
func (*Controller) Run
func (c *Controller) Run(stopCh <-chan struct{})
Run begins processing items, and will continue until a value is sent down stopCh. It's an error to call Run more than once. Run blocks; call via go.
type Flags
type Flags struct {
	KeyPrefix             string
	KeySize               int
	ValidFor              time.Duration
	MyCN                  string
	KeyRenewPeriod        time.Duration
	AcceptV1Data          bool
	KeyCutoffTime         string
	NamespaceAll          bool
	AdditionalNamespaces  string
	LabelSelector         string
	RateLimitPerSecond    int
	RateLimitBurst        int
	OldGCBehavior         bool
	UpdateStatus          bool
	SkipRecreate          bool
	LogInfoToStdout       bool
	LogLevel              string
	LogFormat             string
	PrivateKeyAnnotations string
	PrivateKeyLabels      string
	MaxRetries            int
}
Flags to configure the controller.
type Key
type Key struct {
// contains filtered or unexported fields
}
A Key holds the cryptographic key pair and some metadata about it.
type KeyRegistry
A KeyRegistry manages the key pairs used to (un)seal secrets.
func NewKeyRegistry
func NewKeyRegistry(client kubernetes.Interface, namespace, keyPrefix, keyLabel string, keysize int) *KeyRegistry
NewKeyRegistry creates a new KeyRegistry.