manager

package
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 31, 2022 License: Apache-2.0 Imports: 28 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AlwaysReadyToRequest added in v0.2.0

func AlwaysReadyToRequest(_ metadata.Metadata) (bool, string)

Types

type CertificateRequestBundle

type CertificateRequestBundle struct {
	// The x509 certificate request.
	// This is expected to be unsigned, as the SignRequestFunc will sign it
	// at a later stage.
	Request *x509.CertificateRequest

	// List of certificate usages to be added to the request.
	Usages []cmapi.KeyUsage

	// Whether the requested certificate should have the `isCA` bit set.
	IsCA bool

	// Namespace that the CertificateRequest should be created in.
	Namespace string

	// The IssuerRef to be added to the CertificateRequest.
	IssuerRef cmmeta.ObjectReference

	// Request duration/validity period of the certificate
	Duration time.Duration

	// Additional annotations to add to the CertificateRequest object when
	// created.
	Annotations map[string]string
}

A CertificateRequestBundle contains information to be persisted onto the CertificateRequest resource created for a given CSR. This includes the CSR itself, as well as the requested `usages`, `isCA` bit, `issuerRef` and any additional annotations.

type ClientForMetadataFunc

type ClientForMetadataFunc func(meta metadata.Metadata) (cmclient.Interface, error)

ClientForMetadataFunc will return a cert-manager API client used for creating objects. This is called with the metadata associated with the volume being published. Useful for modifying clients to make use of CSI token requests.

type GeneratePrivateKeyFunc

type GeneratePrivateKeyFunc func(meta metadata.Metadata) (crypto.PrivateKey, error)

GeneratePrivateKeyFunc returns a private key to be used for issuance of the given request. Depending on the implementation, this may be a newly generated private key, one that has been read from disk, or even simply a pointer to an external signing device such as a HSM.

type GenerateRequestFunc

type GenerateRequestFunc func(meta metadata.Metadata) (*CertificateRequestBundle, error)

GenerateRequestFunc generates a new x509.CertificateRequest for the given metadata.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

A Manager will manage key pairs in a storage backend. It is responsible for: * Generating private key data * Generating certificate requests (CSRs) * Submitting certificate requests * Waiting for requests to be completed * Persisting the keys back to the storage backend

It also will trigger renewals of certificates when required.

func NewManager

func NewManager(opts Options) (*Manager, error)

NewManager constructs a new manager used to manage volumes containing certificate data. It will enumerate all volumes already persisted in the metadata store and resume managing them if any already exist.

func NewManagerOrDie

func NewManagerOrDie(opts Options) *Manager

func (*Manager) IsVolumeReady

func (m *Manager) IsVolumeReady(volumeID string) bool

func (*Manager) IsVolumeReadyToRequest added in v0.2.0

func (m *Manager) IsVolumeReadyToRequest(volumeID string) (bool, string)

func (*Manager) ManageVolume

func (m *Manager) ManageVolume(volumeID string) error

ManageVolume will initiate management of data for the given volumeID.

func (*Manager) Stop

func (m *Manager) Stop()

Stop will stop management of all managed volumes

func (*Manager) UnmanageVolume

func (m *Manager) UnmanageVolume(volumeID string)

type Options

type Options struct {
	// Client is used to interact with the cert-manager API to list and delete
	// requests.
	Client cmclient.Interface

	// ClientForMetadataFunc is used for returning a client that is used for
	// creating cert-manager API objects given a volume's metadata. If nil,
	// Client will always be used.
	ClientForMetadata ClientForMetadataFunc

	// Used the read metadata from the storage backend
	MetadataReader storage.MetadataReader

	// Clock used to determine when an issuance is due.
	// If not set, the RealClock implementation will be used.
	Clock clock.Clock

	// Logger used to write log messages
	Log *logr.Logger

	// Maximum number of CertificateRequests that should exist for each
	// volume mounted into a pod.
	// If not set, this will be defaulted to 1.
	// When the number of CertificateRequests for a volume exceeds this limit,
	// requests will be deleted before any new ones are created.
	MaxRequestsPerVolume int

	// NodeID is a unique identifier for the node.
	NodeID string

	GeneratePrivateKey GeneratePrivateKeyFunc
	GenerateRequest    GenerateRequestFunc
	SignRequest        SignRequestFunc
	WriteKeypair       WriteKeypairFunc
	ReadyToRequest     ReadyToRequestFunc
}

Options used to construct a Manager

type ReadyToRequestFunc added in v0.2.0

type ReadyToRequestFunc func(meta metadata.Metadata) (bool, string)

ReadyToRequestFunc can be optionally implemented by drivers to indicate whether the driver is ready to request a certificate for the given volume/metadata. This can be used to 'defer' fetching until later pod initialization events have happened (e.g. CNI has allocated an IP if you want to embed a pod IP into the certificate request resources).

type SignRequestFunc

type SignRequestFunc func(meta metadata.Metadata, key crypto.PrivateKey, request *x509.CertificateRequest) (pem []byte, err error)

SignRequestFunc returns the signed CSR bytes (in PEM format) for the given x509.CertificateRequest. The private key passed to this function is one that is returned by the GeneratePrivateKeyFunc and should be treated as implementation specific. For example, it may be a reference to a location where a private key is stored rather than containing actual private key data.

type WriteKeypairFunc

type WriteKeypairFunc func(meta metadata.Metadata, key crypto.PrivateKey, chain []byte, ca []byte) error

WriteKeypairFunc encodes & persists the output from a completed CertificateRequest into whatever storage backend is provided. The 'key' argument is as returned by the GeneratePrivateKeyFunc. The 'chain' and 'ca' arguments are PEM encoded and sourced directly from the CertificateRequest, without any attempt to parse or decode the bytes.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL