Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Bundle
Bundle represents the `status.Certificate` and `status.CA` that are populated on a CertificateRequest once it has been signed.
type IssuerChangeNotifier added in v0.11.0
type IssuerChangeNotifier interface {
	// WaitForIssuerConfig provides a function that blocks until issuer config
	// is available.
	WaitForIssuerConfig(ctx context.Context)

	// SubscribeIssuerChange provides a channel which will update with new issuerRefs
	// as updates happen.
	SubscribeIssuerChange() *IssuerChangeSubscription

	// HasIssuerConfig returns true if there's a configured active issuer ref
	// (i.e. a static issuerRef was configured at startup, or runtime issuance config
	// has been successfully acquired). If this function returns false, InitialIssuer
	// will always return nil and subscribers must wait for runtime configuration
	// before trying to issue certificates.
	HasIssuerConfig() bool

	// InitialIssuer returns the "static" issuer which was configured at startup. Will
	// always return nil if no such issuer exists.
	InitialIssuer() *cmmeta.ObjectReference
}
IssuerChangeNotifier allows subscription to a channel that provides updates whenever the issuer changes.
type IssuerChangeSubscription added in v0.12.0
type IssuerChangeSubscription struct {
	C <-chan *cmmeta.ObjectReference
	// contains filtered or unexported fields
}
IssuerChangeSubscription is a subscription that can be used to get changes to issuer config.
func (*IssuerChangeSubscription) Close added in v0.12.0
func (s *IssuerChangeSubscription) Close()
Close prevents the subscription from receiving any further updates. It does not close the channel, because a closed channel immediately hands a nil issuerRef to anything blocked receiving on it, and that receiver could then behave incorrectly.
func (*IssuerChangeSubscription) Closed added in v0.12.0
func (s *IssuerChangeSubscription) Closed() bool
Closed returns true if the subscription has been closed.
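The notifier and subscription contract above (wait for config, subscribe, receive issuerRefs, close without closing the channel) as an added, self-contained example. This is not the project's code: IssuerRef is a hypothetical stand-in for cmmeta.ObjectReference, Notifier is an in-memory implementation of the IssuerChangeNotifier interface, and Update is an assumed entry point standing in for whatever the runtime configuration watcher calls when the ConfigMap changes.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
)

type IssuerRef struct{ Name, Kind, Group string } // stands in for cmmeta.ObjectReference

// Subscription mirrors IssuerChangeSubscription: updates arrive on C, and Close stops
// delivery without closing C, so a blocked receiver never wakes up with a nil ref.
type Subscription struct {
	C      <-chan *IssuerRef
	c      chan *IssuerRef
	closed atomic.Bool
}

func (s *Subscription) Close()       { s.closed.Store(true) }
func (s *Subscription) Closed() bool { return s.closed.Load() }

// Notifier is a hypothetical in-memory implementation of the IssuerChangeNotifier
// contract (not the project's code): an optional static issuerRef is fixed at startup,
// and runtime updates, which the ConfigMap watcher would deliver, arrive via Update.
type Notifier struct {
	mu        sync.Mutex
	initial   *IssuerRef
	current   atomic.Pointer[IssuerRef]
	ready     chan struct{}
	readyOnce sync.Once
	subs      []*Subscription
}

func NewNotifier(static *IssuerRef) *Notifier {
	n := &Notifier{initial: static, ready: make(chan struct{})}
	if static != nil {
		n.Update(static)
	}
	return n
}

func (n *Notifier) InitialIssuer() *IssuerRef { return n.initial }
func (n *Notifier) HasIssuerConfig() bool     { return n.current.Load() != nil }

// WaitForIssuerConfig returns once an issuerRef exists or ctx is done, so callers
// must still check HasIssuerConfig afterwards.
func (n *Notifier) WaitForIssuerConfig(ctx context.Context) {
	select {
	case <-n.ready:
	case <-ctx.Done():
	}
}

// SubscribeIssuerChange seeds the new subscription with the current issuerRef, if
// any, so a subscriber cannot miss an update that raced with subscribing.
func (n *Notifier) SubscribeIssuerChange() *Subscription {
	ch := make(chan *IssuerRef, 1)
	n.mu.Lock()
	defer n.mu.Unlock()
	if cur := n.current.Load(); cur != nil {
		ch <- cur
	}
	s := &Subscription{C: ch, c: ch}
	n.subs = append(n.subs, s)
	return s
}

// Update publishes a new issuerRef without ever blocking on a slow subscriber: an
// unread previous update is replaced by the newest one.
func (n *Notifier) Update(ref *IssuerRef) {
	n.mu.Lock()
	defer n.mu.Unlock()
	n.current.Store(ref)
	n.readyOnce.Do(func() { close(n.ready) })
	for _, s := range n.subs {
		if s.Closed() {
			continue
		}
		select {
		case <-s.c: // drop the stale, unread update
		default:
		}
		s.c <- ref
	}
}

func main() {
	n := NewNotifier(nil) // no static issuerRef: issuance must wait for runtime config
	go n.Update(&IssuerRef{Name: "spiffe-ca", Kind: "ClusterIssuer", Group: "cert-manager.io"})
	n.WaitForIssuerConfig(context.Background())
	sub := n.SubscribeIssuerChange()
	defer sub.Close()
	ref := <-sub.C
	fmt.Println("issuerRef is now", ref.Kind, ref.Name, "closed:", sub.Closed())
}
```

A consumer should always select on both `sub.C` and its own context, since `C` is never closed and will simply stop delivering after `Close`; the one-element buffer plus replace-on-overflow keeps the publisher from ever blocking behind a stalled subscriber while guaranteeing the latest issuerRef is the one read.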
type Options
type Options struct {
	// If PreserveCertificateRequests is true, requests will not be deleted after
	// they are signed.
	PreserveCertificateRequests bool

	// Namespace is the namespace that CertificateRequests will be created in.
	Namespace string

	// DefaultIssuerEnabled indicates the default issuer is enabled.
	DefaultIssuerEnabled bool

	// IssuerRef is used as the issuerRef on created CertificateRequests.
	IssuerRef cmmeta.ObjectReference

	// IssuanceConfigMapName is the name of a ConfigMap to watch for configuration
	// options. The ConfigMap is expected to be in the same namespace as the
	// csi-driver-spiffe pod.
	IssuanceConfigMapName string

	// IssuanceConfigMapNamespace is the namespace where the runtime configuration
	// ConfigMap is located.
	IssuanceConfigMapNamespace string

	// AdditionalAnnotations are any additional annotations to include on created
	// CertificateRequests.
	AdditionalAnnotations map[string]string
}
func (Options) HasRuntimeConfiguration added in v0.10.0
type RuntimeConfigurationWatcher added in v0.10.0
type RuntimeConfigurationWatcher struct {
// contains filtered or unexported fields
}
RuntimeConfigurationWatcher is a wrapper around ctrlmgr.Runnable for watching runtime config
func (*RuntimeConfigurationWatcher) NeedLeaderElection added in v0.10.0
func (rcw *RuntimeConfigurationWatcher) NeedLeaderElection() bool
NeedLeaderElection always returns false, so the runtime configuration watcher runs on every replica whether or not that replica holds the leader lock. This ensures the correct CA is used when renewing the serving certificate, and that the most up-to-date issuerRef is already in place by the time the lock is acquired.
type Signer
type Signer interface {
	// Sign will create a CertificateRequest based on the provided inputs. It will
	// wait for it to reach a terminal state, before optionally deleting it if
	// preserving CertificateRequests is turned off. Will return the certificate
	// bundle on successful signing.
	Sign(ctx context.Context, identities string, csrPEM []byte, duration time.Duration, usages []cmapi.KeyUsage) (Bundle, error)
}
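The Sign contract above, exercised end to end as an added example that is not the project's code. localSigner is a hypothetical in-process Signer that signs with an in-memory CA instead of creating a CertificateRequest and waiting for cert-manager; Bundle is assumed to hold the PEM leaf and CA as status.Certificate and status.CA would, x509.ExtKeyUsage stands in for cmapi.KeyUsage, and identities is assumed to be a single SPIFFE ID. The security-relevant part is the policy the signer enforces before issuing: proof of possession of the CSR key, and SANs that are exactly the granted identity and nothing more.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundle stands in for the page's Bundle (assumed PEM, like status.Certificate and status.CA).
type Bundle struct{ Certificate, CA []byte }

// localSigner is a hypothetical in-process Signer for exercising callers; the real
// one creates a CertificateRequest and waits for cert-manager to sign it.
type localSigner struct {
	ca    *x509.Certificate
	key   *ecdsa.PrivateKey
	caPEM []byte
}

// must panics on setup errors; used only for the demo CA and CSR construction.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newLocalSigner() *localSigner {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example trust-domain CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return &localSigner{ca: must(x509.ParseCertificate(der)), key: key, caPEM: caPEM}
}

// Sign mirrors the page's Sign signature. It rejects any CSR whose SANs are not
// exactly the granted SPIFFE ID, then issues a leaf valid for duration with usages.
func (s *localSigner) Sign(ctx context.Context, identities string, csrPEM []byte, duration time.Duration, usages []x509.ExtKeyUsage) (Bundle, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return Bundle{}, fmt.Errorf("csrPEM is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return Bundle{}, err
	}
	// Proof of possession: the requester must hold the private key.
	if err := csr.CheckSignature(); err != nil {
		return Bundle{}, err
	}
	// A workload gets exactly the identity it was granted, never extra names.
	otherSANs := len(csr.DNSNames) + len(csr.IPAddresses) + len(csr.EmailAddresses)
	if len(csr.URIs) != 1 || csr.URIs[0].String() != identities || otherSANs != 0 {
		return Bundle{}, fmt.Errorf("CSR SANs do not match granted identity %q", identities)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return Bundle{}, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, URIs: csr.URIs, ExtKeyUsage: usages,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(duration),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.ca, csr.PublicKey, s.key)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Certificate: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), CA: s.caPEM}, nil
}

// makeCSR builds what a workload hands to Sign: a CSR whose only SAN is its SPIFFE ID.
func makeCSR(spiffeID string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{URIs: []*url.URL{must(url.Parse(spiffeID))}}
	der := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	const id = "spiffe://example.org/ns/default/sa/web"
	b, err := newLocalSigner().Sign(context.Background(), id, makeCSR(id), time.Hour, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("error:", err)
	fmt.Print(string(b.Certificate))
}
```

The returned Bundle is only useful to a consumer that checks it the same way: parse `Certificate`, verify it chains to `CA`, and confirm the leaf's URI SAN is the identity that was requested, rather than trusting that whatever came back matches the CSR.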