core

package
v0.16.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 21, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ACMEType is the type name for ACME.
	ACMEType = "acme"
	// CAType is the type name for CA.
	CAType = "ca"
)
View Source
const (
	// OptDefaultIssuer is the default-issuer command line option.
	OptDefaultIssuer = "default-issuer"
	// OptIssuerNamespace is the issuer namespace command line option.
	OptIssuerNamespace = "issuer-namespace"
	// OptDNSNamespace is the DNS namespace command line option.
	OptDNSNamespace = "dns-namespace"
	// OptDNSClass is the DNS class command line option.
	OptDNSClass = "dns-class"
	// OptDNSOwnerID is the DNS owner identifier command line option.
	OptDNSOwnerID = "dns-owner-id"
	// OptUseDNSRecords is the command line option to use DNSRecords instead of DNSEntries for DNS challenges.
	OptUseDNSRecords = "use-dnsrecords"
	// OptDefaultIssuerDomainRanges are the domain ranges the default issuer is restricted to.
	OptDefaultIssuerDomainRanges = "default-issuer-domain-ranges"
	// OptRenewalWindow is the renewal window command line option.
	OptRenewalWindow = "renewal-window"
	// OptRenewalOverdueWindow is the renewal overdue window command line option.
	OptRenewalOverdueWindow = "renewal-overdue-window"
	// OptCascadeDelete is the cascade delete command line option.
	OptCascadeDelete = "cascade-delete"
	// OptPrecheckNameservers is a command line option to specify the DNS nameservers to check DNS propagation of the DNS challenge.
	OptPrecheckNameservers = "precheck-nameservers"
	// OptPrecheckAdditionalWait is a command line option to specify an additional wait time after DNS propagation check.
	OptPrecheckAdditionalWait = "precheck-additional-wait"
	// OptDefaultRequestsPerDayQuota allows to set a default value for requestsPerDayQuota if not set explicitly in the issuer spec.
	OptDefaultRequestsPerDayQuota = "default-requests-per-day-quota"
	// OptPropagationTimeout is the propagation timeout for the DNS01 challenge.
	OptPropagationTimeout = "propagation-timeout"
	// OptAllowTargetIssuers if true reconciles not only issuers on the default cluster, but also on the target cluster
	OptAllowTargetIssuers = "allow-target-issuers"
	// OptACMEDeactivateAuthorizations if true authorizations are always deactivated after each certificate request
	OptACMEDeactivateAuthorizations = "acme-deactivate-authorizations"
	// OptDefaultRSAPrivateKeySize allows to override a default bit size for the certificates using RSA private keys (2048 if not specified)
	OptDefaultRSAPrivateKeySize = "default-rsa-private-key-size"
	// OptDefaultECDSAPrivateKeySize allows to override a default bit size for the certificates using ECDSA private keys (256 if not specified)
	OptDefaultECDSAPrivateKeySize = "default-ecdsa-private-key-size"
	// OptDefaultPrivateKeyAlgorithm allows to override the default algorithm for certificate private keys ('rsa' if not specified)
	OptDefaultPrivateKeyAlgorithm = "default-private-key-algorithm"
)

Variables

This section is empty.

Functions

func IsSameExistingRegistration added in v0.12.0

func IsSameExistingRegistration(raw *runtime.RawExtension, realSecretHash string) bool

IsSameExistingRegistration returns true if status ACME has same secret hash or if it has in the old format without secret hash (for migration)

func NormalizeNamespace

func NormalizeNamespace(namespace string) string

NormalizeNamespace returns the namespace or "default" for an empty input.

func WrapRegistration added in v0.12.0

func WrapRegistration(raw []byte, secretHash string) ([]byte, error)

WrapRegistration wraps registration

Types

type AssociatedObjects

type AssociatedObjects struct {
	// contains filtered or unexported fields
}

AssociatedObjects stores bidi-associations between source and dest.

func NewAssociatedObjects

func NewAssociatedObjects() *AssociatedObjects

NewAssociatedObjects creates an AssociatedObjects

func (*AssociatedObjects) AddAssoc

func (ao *AssociatedObjects) AddAssoc(src utils.IssuerKey, dst resources.ObjectName)

AddAssoc adds an association.

func (*AssociatedObjects) DestinationsAsArray

func (ao *AssociatedObjects) DestinationsAsArray(src utils.IssuerKey) []resources.ObjectName

DestinationsAsArray returns all destinations for the given source.

func (*AssociatedObjects) DestinationsCount

func (ao *AssociatedObjects) DestinationsCount(src utils.IssuerKey) int

DestinationsCount counts the destinations for the given source.

func (*AssociatedObjects) RemoveByDest

func (ao *AssociatedObjects) RemoveByDest(dst resources.ObjectName)

RemoveByDest removes an association by dest.

func (*AssociatedObjects) RemoveBySource

func (ao *AssociatedObjects) RemoveBySource(src utils.IssuerKey)

RemoveBySource removes an association by src.

func (*AssociatedObjects) Sources

func (ao *AssociatedObjects) Sources() []utils.IssuerKey

Sources returns all sources.

type CompoundHandler

type CompoundHandler struct {
	// contains filtered or unexported fields
}

CompoundHandler is an array of IssuerHandler

func NewCompoundHandler added in v0.12.0

func NewCompoundHandler(c controller.Interface, factories ...IssuerHandlerFactory) (*CompoundHandler, error)

NewCompoundHandler creates a cluster specific CompoundHandler

func (*CompoundHandler) DeletedIssuer

DeletedIssuer deletes an issuer

func (*CompoundHandler) DeletedSecret

DeletedSecret updates issuers on deleted secret

func (*CompoundHandler) ReconcileIssuer

func (h *CompoundHandler) ReconcileIssuer(logger logger.LogContext, obj resources.Object) reconcile.Status

ReconcileIssuer reconciles an issuer and forward it to the correct IssuerHandler

func (*CompoundHandler) ReconcileSecret

func (h *CompoundHandler) ReconcileSecret(logger logger.LogContext, obj resources.Object) reconcile.Status

ReconcileSecret reconciles secrets (for issuers)

func (*CompoundHandler) Support added in v0.12.0

func (h *CompoundHandler) Support() *Support

Support returns the support object

type Enqueuer

type Enqueuer interface {
	EnqueueKey(key resources.ClusterObjectKey) error
}

Enqueuer is an interface to allow enqueue a key

type IssuerDNSSelections added in v0.12.0

type IssuerDNSSelections struct {
	// contains filtered or unexported fields
}

IssuerDNSSelections stores last known DNS selection for an issuer

func NewIssuerDNSSelections added in v0.12.0

func NewIssuerDNSSelections() *IssuerDNSSelections

NewIssuerDNSSelections creates an IssuerDNSSelections

func (*IssuerDNSSelections) Add added in v0.12.0

Add adds a DNS selection

func (*IssuerDNSSelections) GetAll added in v0.12.0

GetAll returns a map with all selections

func (*IssuerDNSSelections) GetSelection added in v0.12.0

GetSelection returns the selection for the given key.

func (*IssuerDNSSelections) Issuers added in v0.12.0

func (s *IssuerDNSSelections) Issuers() []utils.IssuerKey

Issuers returns all issuer keys.

func (*IssuerDNSSelections) Remove added in v0.12.0

func (s *IssuerDNSSelections) Remove(key utils.IssuerKey)

Remove removes a DNS selection

type IssuerHandler

type IssuerHandler interface {
	Type() string
	CanReconcile(issuer *api.Issuer) bool
	Reconcile(logger logger.LogContext, obj resources.Object, issuer *api.Issuer) reconcile.Status
}

IssuerHandler can reconcile issuers.

type IssuerHandlerFactory

type IssuerHandlerFactory func(support *Support) (IssuerHandler, error)

IssuerHandlerFactory is a function type to create an issuer handler

type Quotas added in v0.2.16

type Quotas struct {
	// contains filtered or unexported fields
}

Quotas stores references issuer quotas.

func NewQuotas added in v0.2.16

func NewQuotas() *Quotas

NewQuotas create a Quotas

func (*Quotas) RememberQuotas added in v0.2.16

func (q *Quotas) RememberQuotas(issuerKey utils.IssuerKey, requestsPerDay int)

RememberQuotas stores the requests per days quota and creates a new ratelimiter if the quota changed.

func (*Quotas) RemoveIssuer added in v0.2.16

func (q *Quotas) RemoveIssuer(issuerKey utils.IssuerKey)

RemoveIssuer removes all secretRefs for an issuer.

func (*Quotas) RequestsPerDay added in v0.2.16

func (q *Quotas) RequestsPerDay(issuerName utils.IssuerKey) int

RequestsPerDay gets the request per day quota

func (*Quotas) TryAccept added in v0.2.16

func (q *Quotas) TryAccept(issuerKey utils.IssuerKey) (bool, int)

TryAccept tries to accept a certificate request according to the quotas. Returns true if accepted and the requests per days quota value

type RecoverableError added in v0.12.0

type RecoverableError struct {
	Msg      string
	Interval time.Duration
}

RecoverableError is a recoverable error, i.e. reconcile after same backoff may help

func (*RecoverableError) Error added in v0.12.0

func (err *RecoverableError) Error() string

type ReferencedSecrets

type ReferencedSecrets struct {
	// contains filtered or unexported fields
}

ReferencedSecrets stores references between issuers and their secrets.

func NewReferencedSecrets

func NewReferencedSecrets() *ReferencedSecrets

NewReferencedSecrets create a ReferencedSecrets

func (*ReferencedSecrets) GetIssuerSecretHash

func (rs *ReferencedSecrets) GetIssuerSecretHash(issuerKey utils.IssuerKey) string

GetIssuerSecretHash gets the for an issuer secret

func (*ReferencedSecrets) IssuerNamesFor

func (rs *ReferencedSecrets) IssuerNamesFor(secretKey utils.IssuerSecretKey) utils.IssuerKeySet

IssuerNamesFor finds issuers for given secret name.

func (*ReferencedSecrets) RememberIssuerSecret

func (rs *ReferencedSecrets) RememberIssuerSecret(issuerKey utils.IssuerKey, secretRef *v1.SecretReference, hash string) bool

RememberIssuerSecret stores a secretRef for an issuer.

func (*ReferencedSecrets) RemoveIssuer

func (rs *ReferencedSecrets) RemoveIssuer(issuerKey utils.IssuerKey) bool

RemoveIssuer removes all secretRefs for an issuer.

type Support

type Support struct {
	// contains filtered or unexported fields
}

Support provides common issuer/credentials functionality.

func NewHandlerSupport

func NewHandlerSupport(c controller.Interface) (*Support, error)

NewHandlerSupport creates the shared Support object

func (*Support) AddCertificate

func (s *Support) AddCertificate(cert *api.Certificate)

AddCertificate adds a certificate

func (*Support) AddIssuerDomains added in v0.12.0

func (s *Support) AddIssuerDomains(issuer resources.ClusterObjectKey, sel *api.DNSSelection)

AddIssuerDomains remembers the DNS selection for an ACME issuer

func (*Support) CalcSecretHash

func (s *Support) CalcSecretHash(secret *corev1.Secret) string

CalcSecretHash calculates the secret hash If real is true, precalculated hash value of `IssuerSecretHashKey` is ignored

func (*Support) CertificateNamesForIssuer

func (s *Support) CertificateNamesForIssuer(issuer resources.ClusterObjectKey) []resources.ObjectName

CertificateNamesForIssuer returns the certificate names for an issuer

func (*Support) ClearCertRenewalOverdue added in v0.12.0

func (s *Support) ClearCertRenewalOverdue(certName resources.ObjectName)

ClearCertRenewalOverdue clears a certificate object as renewal overdue

func (*Support) ClearCertRevoked added in v0.12.0

func (s *Support) ClearCertRevoked(certName resources.ObjectName)

ClearCertRevoked clears a certificate object as revoked

func (*Support) Cluster added in v0.12.0

Cluster returns the cluster enum for the given `ClusterObjectKey`

func (*Support) DefaultIssuerDomainRanges

func (s *Support) DefaultIssuerDomainRanges() []string

DefaultIssuerDomainRanges returns the default issuer domain ranges.

func (*Support) DefaultIssuerName

func (s *Support) DefaultIssuerName() string

DefaultIssuerName returns the default issuer name

func (*Support) EnqueueKey

func (s *Support) EnqueueKey(key resources.ClusterObjectKey) error

EnqueueKey forwards to an enqueuer

func (*Support) Failed

func (s *Support) Failed(logger logger.LogContext, obj resources.Object, state string, itype *string, err error, retry bool) reconcile.Status

Failed handles failed.

func (*Support) FindIssuerKeyByBestMatch added in v0.12.0

func (s *Support) FindIssuerKeyByBestMatch(domains []string) *utils.IssuerKey

FindIssuerKeyByBestMatch tries to find the best matching issuer with respect to the DNS selection

func (*Support) FindIssuerKeyByName added in v0.12.0

func (s *Support) FindIssuerKeyByName(namespace, issuerName string) *utils.IssuerKey

FindIssuerKeyByName tries to find an issuer key on target or default cluster

func (*Support) GetAllRenewalOverdue added in v0.12.0

func (s *Support) GetAllRenewalOverdue() []resources.ObjectName

GetAllRenewalOverdue gets all certificate object object names which are renewal overdue

func (*Support) GetAllRevoked added in v0.12.0

func (s *Support) GetAllRevoked() []resources.ObjectName

GetAllRevoked gets all certificate object object names which are revoked

func (*Support) GetAltIssuerSecretHash added in v0.12.0

func (s *Support) GetAltIssuerSecretHash(issuer utils.IssuerKey) string

GetAltIssuerSecretHash returns the issuer alternative secret hash code This method is only needed for a bugfix for migrating v0.7.x to v0.8.x an can be deleted after v0.9.0

func (*Support) GetIssuerResources

func (s *Support) GetIssuerResources(issuerKey utils.IssuerKey) resources.Interface

GetIssuerResources returns the resources for issuer.

func (*Support) GetIssuerSecretHash

func (s *Support) GetIssuerSecretHash(issuer utils.IssuerKey) string

GetIssuerSecretHash returns the issuer secret hash code

func (*Support) GetIssuerSecretResources

func (s *Support) GetIssuerSecretResources(issuerKey utils.IssuerKey) resources.Interface

GetIssuerSecretResources returns the resources for issuer secrets.

func (*Support) IsDefaultIssuer added in v0.12.0

func (s *Support) IsDefaultIssuer(issuerKey utils.IssuerKey) bool

IsDefaultIssuer returns true if the issuer key is the default issuer

func (*Support) IssuerClusterObjectKey added in v0.12.0

func (s *Support) IssuerClusterObjectKey(_ string, spec *api.CertificateSpec) utils.IssuerKey

IssuerClusterObjectKey returns either the specified issuer or it tries to find a matching issuer by matching domains. It tries to find the issuer first on the target cluster, then on the default cluster

func (*Support) IssuerNamesForSecretOrEABSecret added in v0.12.0

func (s *Support) IssuerNamesForSecretOrEABSecret(secretKey resources.ClusterObjectKey) resources.ObjectNameSet

IssuerNamesForSecretOrEABSecret returns issuer names for a secret name

func (*Support) IssuerNamespace

func (s *Support) IssuerNamespace() string

IssuerNamespace returns the issuer namespace

func (*Support) LoadEABHmacKey added in v0.12.0

func (s *Support) LoadEABHmacKey(objKey *resources.ClusterObjectKey, issuerKey utils.IssuerKey, acme *api.ACMESpec) (string, string, error)

LoadEABHmacKey reads the external account binding MAC key from the referenced secret

func (*Support) LoadIssuer added in v0.12.0

func (s *Support) LoadIssuer(issuerKey utils.IssuerKey) (*api.Issuer, error)

LoadIssuer loads the issuer for the given Certificate

func (*Support) ReadIssuerSecret

func (s *Support) ReadIssuerSecret(issuerKey utils.IssuerKey, ref *corev1.SecretReference) (*corev1.Secret, error)

ReadIssuerSecret reads a issuer secret

func (*Support) RememberAltIssuerSecret added in v0.12.0

func (s *Support) RememberAltIssuerSecret(issuer resources.ClusterObjectKey, secretRef *corev1.SecretReference, secret *corev1.Secret, email string)

RememberAltIssuerSecret stores issuer secret ref pair for migration from v0.7.x This method is only needed for a bugfix for migrating v0.7.x to v0.8.x an can be deleted after v0.9.0

func (*Support) RememberIssuerEABSecret added in v0.12.0

func (s *Support) RememberIssuerEABSecret(issuer resources.ClusterObjectKey, secretRef *corev1.SecretReference, hash string)

RememberIssuerEABSecret stores issuer EAB secret ref pair.

func (*Support) RememberIssuerQuotas added in v0.2.16

func (s *Support) RememberIssuerQuotas(issuer resources.ClusterObjectKey, issuerRequestsPerDay *int) int

RememberIssuerQuotas stores the issuer quotas.

func (*Support) RememberIssuerSecret

func (s *Support) RememberIssuerSecret(issuer resources.ClusterObjectKey, secretRef *corev1.SecretReference, hash string)

RememberIssuerSecret stores issuer secret ref pair.

func (*Support) RemoveCertificate

func (s *Support) RemoveCertificate(certObjName resources.ObjectName)

RemoveCertificate removes a certificate

func (*Support) RemoveIssuer

func (s *Support) RemoveIssuer(issuer resources.ClusterObjectKey) bool

RemoveIssuer removes an issuer

func (*Support) RestoreRegUser added in v0.12.0

func (s *Support) RestoreRegUser(issuerKey utils.IssuerKey, issuer *api.Issuer) (*legobridge.RegistrationUser, error)

RestoreRegUser restores a legobridge user from an issuer

func (*Support) SetCertRenewalOverdue added in v0.12.0

func (s *Support) SetCertRenewalOverdue(certName resources.ObjectName)

SetCertRenewalOverdue sets a certificate object as renewal overdue

func (*Support) SetCertRevoked added in v0.12.0

func (s *Support) SetCertRevoked(certName resources.ObjectName)

SetCertRevoked sets a certificate object as revoked

func (*Support) SucceededAndTriggerCertificates

func (s *Support) SucceededAndTriggerCertificates(logger logger.LogContext, obj resources.Object, itype *string, regRaw []byte) reconcile.Status

SucceededAndTriggerCertificates handles succeeded and trigger certificates.

func (*Support) ToIssuerKey added in v0.12.0

func (s *Support) ToIssuerKey(issuer resources.ClusterObjectKey) utils.IssuerKey

ToIssuerKey creates issuer key from issuer name

func (*Support) TryAcceptCertificateRequest added in v0.2.16

func (s *Support) TryAcceptCertificateRequest(issuer utils.IssuerKey) (bool, int)

TryAcceptCertificateRequest tries to accept a certificate request according to the quotas. Return true if accepted and the requests per days quota value

func (*Support) UpdateIssuerSecret

func (s *Support) UpdateIssuerSecret(issuerKey utils.IssuerKey, reguser *legobridge.RegistrationUser,
	secret *corev1.Secret) error

UpdateIssuerSecret updates an issuer secret

func (*Support) WriteIssuerSecretFromRegistrationUser

func (s *Support) WriteIssuerSecretFromRegistrationUser(issuerKey utils.IssuerKey, issuerUID types.UID, reguser *legobridge.RegistrationUser,
	secretRef *corev1.SecretReference) (*corev1.SecretReference, *corev1.Secret, error)

WriteIssuerSecretFromRegistrationUser writes an issuer secret

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL