Constants ¶
const ( // TLSKeyFile is the name of tls key file in kubeconfigSecret TLSKeyFile = "tls.key" // TLSCertFile is the name of the tls cert file in kubeconfigSecret TLSCertFile = "tls.crt" )
Variables ¶
var ControllerResyncInterval = 5 * time.Minute
ControllerResyncInterval is exposed so that integration tests can increase the controller sync speed.
Functions ¶
func BuildKubeconfig ¶
func BuildKubeconfig(clientConfig *restclient.Config, certPath, keyPath string) clientcmdapi.Config
BuildKubeconfig builds a kubeconfig based on a rest config template with a cert/key pair
func IsCertificateValid ¶
IsCertificateValid returns nil (no error) only when 1) none of the certs in the client certificate are expired, and 2) at least one cert matches the given subject, when a subject is specified; with a nil subject, the subject check is skipped and only expiry is verified.
func NewCSRApproverController ¶
func NewCSRApproverController( controllerName string, operatorClient v1helpers.OperatorClient, csrClient certv1client.CertificateSigningRequestInterface, csrInformers certv1informers.CertificateSigningRequestInformer, csrFilter CSRFilter, csrApprover CSRApprover, eventsRecorder events.Recorder, ) factory.Controller
NewCSRApproverController returns a controller that observes the CSR API for a CSR of a given name. If such a CSR exists, it runs `csrApprover.Approve()` against it and, depending on the decision, either denies, approves or leaves the CSR untouched.
If operatorClient is nil, the controller will log the errors instead of reporting them in an operator status.
func NewClientCertificateController ¶
func NewClientCertificateController( clientCertOption ClientCertOption, csrOption CSROption, hubCSRInformer certificatesinformers.CertificateSigningRequestInformer, hubCSRClient csrclient.CertificateSigningRequestInterface, spokeSecretInformer corev1informers.SecretInformer, spokeCoreClient corev1client.CoreV1Interface, recorder events.Recorder, controllerName string, ) (factory.Controller, error)
NewClientCertificateController returns an instance of clientCertificateController.
func NewSimpleClientCertificateController ¶
func NewSimpleClientCertificateController( secretNamespace, secretName string, commonName string, groups []string, kubeInformers informers.SharedInformerFactory, kubeClient kubernetes.Interface, recorder events.Recorder, ) (factory.Controller, error)
NewSimpleClientCertificateController creates a controller that keeps a secret up to date with a client-cert valid against the kube-apiserver. This version only works in a single cluster. The base library allows the secret in one cluster and the CSR in another.
Types ¶
type AndFilter ¶
type AndFilter struct {
// contains filtered or unexported fields
}
func NewAndFilter ¶
type CSRApprovalDecision ¶
type CSRApprovalDecision string
const ( CSRApproved CSRApprovalDecision = "Approved" CSRDenied CSRApprovalDecision = "Denied" CSRNoOpinion CSRApprovalDecision = "NoOpinion" )
type CSRApprover ¶
type CSRApprover interface {
Approve(csrObj *certapiv1.CertificateSigningRequest, x509CSR *x509.CertificateRequest) (approvalStatus CSRApprovalDecision, denyReason string, err error)
}
type CSRFilter ¶
type CSRFilter interface {
Matches(csr *certapiv1.CertificateSigningRequest) bool
}
type CSROption ¶
type CSROption struct { // ObjectMeta is the ObjectMeta shared by all created csrs. It should use GenerateName instead of Name // to generate random csr names ObjectMeta metav1.ObjectMeta // Subject represents the subject of the client certificate used to create csrs Subject *pkix.Name // DNSNames represents DNS names used to create the client certificate DNSNames []string // SignerName is the name of the signer specified in the created csrs SignerName string // EventFilterFunc matches csrs created with above options EventFilterFunc factory.EventFilterFunc }
CSROption includes the options that are used to create and monitor CSRs.
type ClientCertOption ¶
type ClientCertOption struct { // SecretNamespace is the namespace of the secret containing client certificate. SecretNamespace string // SecretName is the name of the secret containing client certificate. The secret will be created if // it does not exist. SecretName string // AdditonalSecretData contains data that will be added into client certificate secret besides tls.key/tls.crt AdditonalSecretData map[string][]byte // AdditionalAnnotations is a collection of annotations set for the secret AdditionalAnnotations certrotation.AdditionalAnnotations }
ClientCertOption includes the options that are used to create the client certificate.
type LabelFilter ¶
type LabelFilter struct {
// contains filtered or unexported fields
}
func NewLabelFilter ¶
func NewLabelFilter(selector labels.Selector) *LabelFilter
func (*LabelFilter) Matches ¶
func (f *LabelFilter) Matches(csr *certapiv1.CertificateSigningRequest) bool
type NamesFilter ¶
type NamesFilter struct {
// contains filtered or unexported fields
}
func NewNamesFilter ¶
func NewNamesFilter(names ...string) *NamesFilter
func (*NamesFilter) Matches ¶
func (f *NamesFilter) Matches(csr *certapiv1.CertificateSigningRequest) bool
type OrFilter ¶
type OrFilter struct {
// contains filtered or unexported fields
}
func NewOrFilter ¶
type RequestCommonNameFilter ¶
type RequestCommonNameFilter struct {
// contains filtered or unexported fields
}
func NewRequestCommonNameFilter ¶
func NewRequestCommonNameFilter(commonNames ...string) *RequestCommonNameFilter
func (*RequestCommonNameFilter) Match ¶
func (f *RequestCommonNameFilter) Match(csr *certapiv1.CertificateSigningRequest) bool
type ServiceAccountApprover ¶
type ServiceAccountApprover struct {
// contains filtered or unexported fields
}
func NewServiceAccountApprover ¶
func NewServiceAccountApprover(saNamespace, saName, expectedSubject string, additionalGroups ...string) *ServiceAccountApprover
ServiceAccountApprover approves CSRs that carry the expected subject and were issued by the provided service account; CSRs that do not meet both conditions are not approved by it.
func (*ServiceAccountApprover) Approve ¶
func (a *ServiceAccountApprover) Approve(csrObj *certapiv1.CertificateSigningRequest, x509CSR *x509.CertificateRequest) (approvalStatus CSRApprovalDecision, denyReason string, err error)