package certificate (v0.17.1)
Published: Nov 29, 2024 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Constants

const (
	// LabelCertificateNewHashKey is the new label for the certificate hash
	LabelCertificateNewHashKey = api.GroupName + "/hash"
	// LabelCertificateKey is the label for marking secrets created for a certificate
	LabelCertificateKey = api.GroupName + "/certificate"
	// LabelCertificateBackup is the label for marking backup secrets
	LabelCertificateBackup = api.GroupName + "/backup"
	// LabelCertificateSerialNumber is the label for the certificate serial number
	LabelCertificateSerialNumber = api.GroupName + "/certificate-serialnumber"
	// AnnotationNotAfter is the annotation for storing the not-after timestamp
	AnnotationNotAfter = api.GroupName + "/not-after"
	// AnnotationRevoked is the label for marking revoked secrets
	AnnotationRevoked = api.GroupName + "/revoked"
	// AnnotationRequestedAt is the annotation for storing the timestamp when the certificate was requested
	AnnotationRequestedAt = api.GroupName + "/requestedAt"
)

Variables

This section is empty.

Functions

func BackupSecret added in v0.12.0

func BackupSecret(
	res resources.Interface,
	secret *corev1.Secret,
	hashKey string,
	issuerInfo utils.IssuerInfo,
) (
	ref *api.CertificateSecretRef,
	created bool,
	err error,
)

BackupSecret creates a backup of a certificate secret if one does not already exist and returns the secret reference to the backup. All ACME certificates have a backup in the kube-system namespace so that they can still be revoked even after they have been renewed.

func CertReconciler

func CertReconciler(c controller.Interface, support *core.Support) (reconcile.Interface, error)

CertReconciler creates a certReconciler.

func ExtractRequestedAtFromAnnotation added in v0.12.0

func ExtractRequestedAtFromAnnotation(obj resources.ObjectData) *time.Time

ExtractRequestedAtFromAnnotation extracts the requestedAt timestamp from the annotation cert.gardener.cloud/requestedAt

func FindAllCertificateSecretsByNewHashLabel added in v0.12.0

func FindAllCertificateSecretsByNewHashLabel(res resources.Interface, hashKey string) ([]resources.Object, error)

FindAllCertificateSecretsByNewHashLabel gets all certificate secrets labelled with the given certificate hash.

func FindAllOldBackupSecrets added in v0.12.0

func FindAllOldBackupSecrets(res resources.Interface, hashKey string, timestamp time.Time) ([]api.CertificateSecretRef, error)

FindAllOldBackupSecrets finds all certificate secret backups which have not been requested after the given timestamp.

func IsValidNow added in v0.12.0

func IsValidNow(cert *x509.Certificate) bool

IsValidNow returns true if the certificate is still valid

func LookupSerialNumber added in v0.12.0

func LookupSerialNumber(res resources.Interface, ref *corev1.SecretReference) (string, error)

LookupSerialNumber loads the referenced secret and extracts the certificate serial number from it.

func SerialNumberToString added in v0.12.0

func SerialNumberToString(sn *big.Int, compact bool) string

SerialNumberToString returns the string representation of a certificate serial number.

func WasRequestedBefore added in v0.12.0

func WasRequestedBefore(cert *x509.Certificate, requestedAt *time.Time, timestamp time.Time) bool

WasRequestedBefore returns true if the certificate was not requested after the given timestamp. It uses the requestedAt annotation of the certificate secret. For legacy certificates without a requestedAt annotation, this method falls back to the `notBefore` time of the certificate: Let's Encrypt sets `notBefore` one hour before the time of the request, so the check is whether `notBefore` lies more than 61 minutes before the given timestamp (30 seconds are added for robustness, e.g. against possible time drift).
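The following is an added example, not the package's own code, that reimplements the decision rule described for WasRequestedBefore together with the annotation lookup of ExtractRequestedAtFromAnnotation on a plain annotation map. It assumes the annotation value is stored in RFC 3339 form, and it reads the "61 minutes plus 30 seconds" of the doc comment as a single slack of 61m30s applied to `notBefore`; both are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Annotation name as listed on this page (api.GroupName is "cert.gardener.cloud").
const annotationRequestedAt = "cert.gardener.cloud/requestedAt"

// Slack for legacy certificates without a requestedAt annotation: Let's Encrypt
// backdates notBefore by one hour; 61 minutes plus 30 seconds of drift tolerance
// is this example's reading of the package doc comment (assumption).
const legacyNotBeforeSlack = 61*time.Minute + 30*time.Second

// RequestedAtFromAnnotations mirrors ExtractRequestedAtFromAnnotation on a plain
// annotation map. RFC 3339 is an assumption about the stored format.
func RequestedAtFromAnnotations(annotations map[string]string) *time.Time {
	raw, ok := annotations[annotationRequestedAt]
	if !ok {
		return nil
	}
	t, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return nil // an unparsable value is treated like a missing annotation
	}
	return &t
}

// WasRequestedBeforeNotBefore applies the rule described for WasRequestedBefore,
// taking the certificate's NotBefore directly instead of an *x509.Certificate.
func WasRequestedBeforeNotBefore(notBefore time.Time, requestedAt *time.Time, timestamp time.Time) bool {
	if requestedAt != nil {
		// Annotated secret: the recorded request time is authoritative.
		return !requestedAt.After(timestamp)
	}
	// Legacy secret: only count as "requested before" when notBefore lies more
	// than the slack before the timestamp, so a fresh renewal is never matched.
	return notBefore.Add(legacyNotBeforeSlack).Before(timestamp)
}

func main() {
	ts := time.Date(2024, 11, 29, 12, 0, 0, 0, time.UTC) // constructed sample timestamp
	annotated := map[string]string{annotationRequestedAt: "2024-11-29T11:30:00Z"}
	fmt.Println(WasRequestedBeforeNotBefore(ts.Add(-90*time.Minute), RequestedAtFromAnnotations(annotated), ts)) // true
	fmt.Println(WasRequestedBeforeNotBefore(ts.Add(-60*time.Minute), nil, ts))                                    // false
	fmt.Println(WasRequestedBeforeNotBefore(ts.Add(-2*time.Hour), nil, ts))                                       // true
}
```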

Types

This section is empty.
