manager

package
v1.106.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 28, 2024 License: Apache-2.0 Imports: 18 Imported by: 19

Documentation

Index

Constants

View Source
const (
	// InPlace is a constant for a rotation strategy regenerating a secret and NOT keeping the old one in the system.
	InPlace rotationStrategy = "inplace"
	// KeepOld is a constant for a rotation strategy regenerating a secret and keeping the old one in the system.
	KeepOld rotationStrategy = "keepold"
)
View Source
const (
	// LabelKeyName is a constant for a key of a label on a Secret describing the name.
	LabelKeyName = "name"
	// LabelKeyManagedBy is a constant for a key of a label on a Secret describing who is managing it.
	LabelKeyManagedBy = "managed-by"
	// LabelKeyManagerIdentity is a constant for a key of a label on a Secret describing which secret manager instance
	// is managing it.
	LabelKeyManagerIdentity = "manager-identity"
	// LabelKeyChecksumConfig is a constant for a key of a label on a Secret describing the checksum of the
	// configuration used to create the data.
	LabelKeyChecksumConfig = "checksum-of-config"
	// LabelKeyChecksumSigningCA is a constant for a key of a label on a Secret describing the checksum of the
	// certificate authority which has signed the client or server certificate in the data.
	LabelKeyChecksumSigningCA = "checksum-of-signing-ca"
	// LabelKeyBundleFor is a constant for a key of a label on a Secret describing that it is a bundle secret for
	// another secret.
	LabelKeyBundleFor = "bundle-for"
	// LabelKeyPersist is a constant for a key of a label on a Secret describing that it should get persisted.
	LabelKeyPersist = "persist"
	// LabelKeyLastRotationInitiationTime is a constant for a key of a label on a Secret describing the unix timestamps
	// of when the last secret rotation was initiated.
	LabelKeyLastRotationInitiationTime = "last-rotation-initiation-time"
	// LabelKeyIssuedAtTime is a constant for a key of a label on a Secret describing the time of when the secret data
	// was created. In case the data contains a certificate it is the time part of the certificate's 'not before' field.
	LabelKeyIssuedAtTime = "issued-at-time"
	// LabelKeyValidUntilTime is a constant for a key of a label on a Secret describing the time of how long the secret
	// data is valid. In case the data contains a certificate it is the time part of the certificate's 'not after'
	// field.
	LabelKeyValidUntilTime = "valid-until-time"
	// LabelKeyRenewAfterValidityPercentage is a constant for a key of a label on a certificate secret describing the
	// percentage of the validity when the certificate should be renewed. The effective check for renewal is after the
	// given percentage of validity or 10d before the end of validity. If not specified the default percentage is 80.
	LabelKeyRenewAfterValidityPercentage = "renew-after-validity-percentage"
	// LabelKeyUseDataForName is a constant for a key of a label on a Secret describing that its data should be used
	// instead of generating a fresh secret with the same name.
	LabelKeyUseDataForName = "secrets-manager-use-data-for-name"

	// LabelValueTrue is a constant for a value of a label on a Secret describing the value 'true'.
	LabelValueTrue = "true"
	// LabelValueSecretsManager is a constant for a value of a label on a Secret describing the value 'secret-manager'.
	LabelValueSecretsManager = "secrets-manager"
)

Variables

View Source
var (
	// UseCurrentCA sets the CAClass field to 'current' in the SignedByCAOptions.
	UseCurrentCA = useCAClassOption{current}
	// UseOldCA sets the CAClass field to 'old' in the SignedByCAOptions.
	UseOldCA = useCAClassOption{old}
)
View Source
var (
	// Current sets the Class field to 'current' in the GetOptions.
	Current = classOption{/* contains filtered or unexported fields */}
	// Old sets the Class field to 'old' in the GetOptions.
	Old = classOption{/* contains filtered or unexported fields */}
	// Bundle sets the Class field to 'bundle' in the GetOptions.
	Bundle = classOption{/* contains filtered or unexported fields */}
)

Functions

func ObjectMeta

func ObjectMeta(
	namespace string,
	managerIdentity string,
	config secretsutils.ConfigInterface,
	ignoreConfigChecksumForCASecretName bool,
	lastRotationInitiationTime string,
	signingCAChecksum *string,
	persist *bool,
	bundleFor *string,
) (
	metav1.ObjectMeta,
	error,
)

ObjectMeta returns the object meta based on the given settings.

func Secret

func Secret(objectMeta metav1.ObjectMeta, data map[string][]byte) *corev1.Secret

Secret constructs a *corev1.Secret for the given metadata and data.

Types

type Config added in v1.47.0

type Config struct {
	// CASecretAutoRotation states whether CA secrets are considered for automatic rotation (defaults to false).
	CASecretAutoRotation bool
	// SecretNamesToTimes is a map whose keys are secret names and whose values are the last rotation initiation
	// times.
	SecretNamesToTimes map[string]time.Time
}

Config specifies certain configuration options for the manager.

type GenerateOption

GenerateOption is some configuration that modifies options for a Generate request.

func IgnoreConfigChecksumForCASecretName added in v1.45.0

func IgnoreConfigChecksumForCASecretName() GenerateOption

IgnoreConfigChecksumForCASecretName returns a function which sets the 'IgnoreConfigChecksumForCASecretName' field to true.

func IgnoreOldSecrets

func IgnoreOldSecrets() GenerateOption

IgnoreOldSecrets returns a function which sets the 'IgnoreOldSecrets' field to true.

func IgnoreOldSecretsAfter added in v1.48.0

func IgnoreOldSecretsAfter(d time.Duration) GenerateOption

IgnoreOldSecretsAfter returns a function which sets the 'IgnoreOldSecretsAfter' field to the given duration.

func Persist

func Persist() GenerateOption

Persist returns a function which sets the 'Persist' field to true.

func RenewAfterValidityPercentage added in v1.96.0

func RenewAfterValidityPercentage(v int) GenerateOption

RenewAfterValidityPercentage returns a function which sets the 'RenewAfterValidityPercentage' field to the provided value.

func Rotate

func Rotate(strategy rotationStrategy) GenerateOption

Rotate returns a function which sets the 'RotationStrategy' field to the specified value.

func SignedByCA

func SignedByCA(name string, opts ...SignedByCAOption) GenerateOption

SignedByCA returns a function which sets the 'SigningCA' field in case the ConfigInterface provided to the Generate request is a CertificateSecretConfig. Additionally, in such case it stores a checksum of the signing CA in the options.

func Validity added in v1.44.0

func Validity(v time.Duration) GenerateOption

Validity returns a function which sets the 'Validity' field to the provided value. Note that the value is ignored in case Generate is called with a certificate secret configuration.

type GenerateOptions

type GenerateOptions struct {
	// Persist specifies whether the 'persist=true' label should be added to the secret resources.
	Persist bool
	// RotationStrategy specifies how the secret should be rotated in case it needs to get rotated.
	RotationStrategy rotationStrategy
	// IgnoreOldSecrets specifies whether old secrets should be dropped.
	IgnoreOldSecrets bool
	// IgnoreOldSecretsAfter specifies that old secrets should be dropped once a given duration after rotation has passed.
	IgnoreOldSecretsAfter *time.Duration
	// Validity specifies for how long the secret should be valid.
	Validity time.Duration
	// RenewAfterValidityPercentage sets the percentage of the validity when the certificate should be renewed.
	// The effective check for renewal is after the given percentage of validity or 10d before the end of validity.
	// Zero value means the default percentage is used (80%).
	RenewAfterValidityPercentage int
	// IgnoreConfigChecksumForCASecretName specifies whether the secret config checksum should be ignored when
	// computing the secret name for CA secrets.
	IgnoreConfigChecksumForCASecretName bool
	// contains filtered or unexported fields
}

GenerateOptions are options for Generate calls.

func (*GenerateOptions) ApplyOptions

func (o *GenerateOptions) ApplyOptions(manager Interface, configInterface secretsutils.ConfigInterface, opts []GenerateOption) error

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).

type GetOption

type GetOption interface {
	// ApplyToOptions applies this configuration to the given options.
	ApplyToOptions(*GetOptions)
}

GetOption is some configuration that modifies options for a Get request.

type GetOptions

type GetOptions struct {
	// Class specifies whether which secret should be returned. By default, the bundle secret is returned. If there is
	// no bundle secret then it falls back to the current secret.
	Class *secretClass
}

GetOptions are options for Get calls.

func (*GetOptions) ApplyOptions

func (o *GetOptions) ApplyOptions(opts []GetOption) *GetOptions

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).

type Interface

type Interface interface {
	// Generate generates a secret based on the provided configuration. If the secret for the provided configuration
	// already exists then it is returned with re-generation. The function also automatically rotates/re-generates the
	// secret only if necessary (e.g., when the config or the signing CA changes).
	Generate(context.Context, secretsutils.ConfigInterface, ...GenerateOption) (*corev1.Secret, error)

	Reader

	// Cleanup deletes no longer required secrets. No longer required secrets are those still existing in the system
	// which weren't detected by prior Generate calls. Consequently, only call Cleanup after you have executed Generate
	// calls for all desired secrets.
	Cleanup(context.Context) error
}

Interface describes the methods for managing secrets.

func New

func New(
	ctx context.Context,
	logger logr.Logger,
	clock clock.Clock,
	c client.Client,
	namespace string,
	identity string,
	rotation Config,
) (
	Interface,
	error,
)

New returns a new manager for secrets in a given namespace.

type Reader added in v1.45.0

type Reader interface {
	// Get returns the secret object for the secret with the given name. By default, the bundle secret will be returned.
	// If there is no bundle secret then it falls back to the current secret. Note that only those secrets are known
	// which were detected or generated by prior Generate calls.
	Get(string, ...GetOption) (*corev1.Secret, bool)
}

Reader is part of the SecretsManager interface and allows retrieving secrets from a SecretsManager.

type SignedByCAOption added in v1.45.0

type SignedByCAOption interface {
	// ApplyToOptions applies this configuration to the given options.
	ApplyToOptions(*SignedByCAOptions)
}

SignedByCAOption is some configuration that modifies options for a SignedByCA request.

type SignedByCAOptions added in v1.45.0

type SignedByCAOptions struct {
	// CAClass specifies which CA should be used to sign the requested certificate. Server certificates are signed with
	// the old CA by default, however one might want to use the current CA instead. Similarly, client certificates are
	// signed with the current CA by default, however one might want to use the old CA instead.
	CAClass *secretClass
}

SignedByCAOptions are options for SignedByCA calls.

func (*SignedByCAOptions) ApplyOptions added in v1.45.0

func (o *SignedByCAOptions) ApplyOptions(opts []SignedByCAOption) *SignedByCAOptions

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL