manager

Published: Apr 12, 2022 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 24 Imported by: 19

Constants

const (
	// InPlace is a constant for a rotation strategy regenerating a secret and NOT keeping the old one in the system.
	// Because the previous value is dropped, consumers still using it are presumably cut off as soon as the new
	// value is written; pick KeepOld when clients need a transition window.
	InPlace rotationStrategy = "inplace"
	// KeepOld is a constant for a rotation strategy regenerating a secret and keeping the old one in the system.
	// The previous secret stays retrievable through the Old GetOption. When (or whether) it is removed again is not
	// specified here; see Interface.Cleanup.
	KeepOld rotationStrategy = "keepold"
)
// Label keys and values written to the metadata of managed Secrets (see ObjectMeta). They live in the object's
// labels, not in its data, and are what the manager uses to recognise and compare secrets it owns.
const (
	// LabelKeyName is a constant for a key of a label on a Secret describing the name.
	LabelKeyName = "name"
	// LabelKeyManagedBy is a constant for a key of a label on a Secret describing who is managing it.
	LabelKeyManagedBy = "managed-by"
	// LabelKeyManagerIdentity is a constant for a key of a label on a Secret describing which secret manager instance
	// is managing it.
	LabelKeyManagerIdentity = "manager-identity"
	// LabelKeyChecksumConfig is a constant for a key of a label on a Secret describing the checksum of the
	// configuration used to create the data. A changed configuration is one of the conditions under which
	// Interface.Generate re-generates the secret.
	LabelKeyChecksumConfig = "checksum-of-config"
	// LabelKeyChecksumSigningCA is a constant for a key of a label on a Secret describing the checksum of the
	// certificate authority which has signed the client or server certificate in the data. A changed signing CA is
	// the other condition under which Interface.Generate re-generates (re-issues) the certificate.
	LabelKeyChecksumSigningCA = "checksum-of-signing-ca"
	// LabelKeyBundleFor is a constant for a key of a label on a Secret describing that it is a bundle secret for
	// another secret.
	LabelKeyBundleFor = "bundle-for"
	// LabelKeyPersist is a constant for a key of a label on a Secret describing that it should get persisted.
	// Set through the Persist GenerateOption; what "persisted" entails is not defined in this package's API.
	LabelKeyPersist = "persist"
	// LabelKeyLastRotationInitiationTime is a constant for a key of a label on a Secret describing the unix timestamp
	// of when the last secret rotation was initiated.
	LabelKeyLastRotationInitiationTime = "last-rotation-initiation-time"
	// LabelKeyIssuedAtTime is a constant for a key of a label on a Secret describing the time of when the secret data
	// was created. In case the data contains a certificate it is the time part of the certificate's 'not before' field.
	LabelKeyIssuedAtTime = "issued-at-time"
	// LabelKeyValidUntilTime is a constant for a key of a label on a Secret describing the time of how long the secret
	// data is valid. In case the data contains a certificate it is the time part of the certificate's 'not after'
	// field.
	LabelKeyValidUntilTime = "valid-until-time"

	// LabelValueTrue is a constant for a value of a label on a Secret describing the value 'true'.
	LabelValueTrue = "true"
	// LabelValueSecretsManager is a constant for a value of a label on a Secret describing the value
	// 'secrets-manager' (note the plural; the value below is authoritative).
	LabelValueSecretsManager = "secrets-manager"
)

Variables

// Secret classes selectable through GetOptions.Class. Without any option Get returns the bundle secret and falls
// back to the current secret if no bundle exists; pass one of these to Get to pick a class explicitly.
var (
	// Current sets the Class field to 'current' in the GetOptions.
	Current = classOption{/* contains filtered or unexported fields */}
	// Old sets the Class field to 'old' in the GetOptions. Only meaningful after a rotation with the KeepOld
	// strategy, since InPlace does not retain the previous secret.
	Old = classOption{/* contains filtered or unexported fields */}
	// Bundle sets the Class field to 'bundle' in the GetOptions.
	Bundle = classOption{/* contains filtered or unexported fields */}
)

Functions

func ObjectMeta

// ObjectMeta returns the object meta based on the given settings.
//
// NOTE(review): the parameter names mirror the LabelKey* constants of this package, so each value is presumably
// written to the corresponding label (nil pointers meaning "label absent") — confirm against the implementation.
func ObjectMeta(
	// namespace the Secret lives in.
	namespace string,
	// identity of the managing manager instance (cf. LabelKeyManagerIdentity).
	managerIdentity string,
	// configuration the secret data is generated from (cf. LabelKeyName, LabelKeyChecksumConfig).
	config secretutils.ConfigInterface,
	// cf. LabelKeyLastRotationInitiationTime.
	lastRotationInitiationTime string,
	// optional; cf. LabelKeyValidUntilTime.
	validUntilTime *string,
	// optional; cf. LabelKeyChecksumSigningCA.
	signingCAChecksum *string,
	// optional; cf. LabelKeyPersist.
	persist *bool,
	// optional; cf. LabelKeyBundleFor.
	bundleFor *string,
) (
	metav1.ObjectMeta,
	error,
)

ObjectMeta returns the object meta (namespace and labels) for a managed Secret based on the given settings; the parameters mirror the LabelKey* constants above, and a nil pointer presumably leaves the corresponding label unset.

func Secret

func Secret(objectMeta metav1.ObjectMeta, data map[string][]byte) *corev1.Secret

Secret constructs a *corev1.Secret for the given metadata and data. The metadata (labels) is what the manager keys on, so it should come from ObjectMeta.

Types

type GenerateOption

GenerateOption is some configuration that modifies options for a Generate request.

func IgnoreOldSecrets

func IgnoreOldSecrets() GenerateOption

IgnoreOldSecrets returns a function which sets the 'IgnoreOldSecrets' field to true, i.e. old secrets are not loaded into the internal store and thus are not retrievable via Get with the Old class.

func Persist

func Persist() GenerateOption

Persist returns a function which sets the 'Persist' field to true.

func Rotate

func Rotate(strategy rotationStrategy) GenerateOption

Rotate returns a function which sets the 'RotationStrategy' field to the specified value (InPlace or KeepOld).

func SignedByCA

func SignedByCA(name string) GenerateOption

SignedByCA returns a function which sets the 'SigningCA' field in case the ConfigInterface provided to the Generate request is a CertificateSecretConfig. Additionally, in such case it stores a checksum of the signing CA in the options; that checksum is recorded on the secret (LabelKeyChecksumSigningCA) and a change of the signing CA causes Generate to re-issue the certificate.

func Validity added in v1.44.0

func Validity(v time.Duration) GenerateOption

Validity returns a function which sets the 'Validity' field to the provided value. Note that the value is ignored in case Generate is called with a certificate secret configuration, so it must not be relied on to bound a certificate's lifetime.

type GenerateOptions

type GenerateOptions struct {
	// Persist specifies whether the 'persist=true' label should be added to the secret resources.
	Persist bool
	// RotationStrategy specifies how the secret should be rotated in case it needs to get rotated
	// (InPlace drops the previous secret, KeepOld retains it).
	RotationStrategy rotationStrategy
	// IgnoreOldSecrets specifies whether old secrets should be loaded to the internal store.
	// When true, Get with the Old class cannot return them.
	IgnoreOldSecrets bool
	// Validity specifies for how long the secret should be valid. Ignored for certificate secret
	// configurations (see Validity).
	Validity time.Duration
	// contains filtered or unexported fields
}

GenerateOptions are options for Generate calls.

func (*GenerateOptions) ApplyOptions

func (o *GenerateOptions) ApplyOptions(manager Interface, configInterface secretutils.ConfigInterface, opts []GenerateOption) error

ApplyOptions applies the given options to these options. Unlike GetOptions.ApplyOptions it does not return the receiver but an error, presumably because options such as SignedByCA need the manager and the config to resolve and checksum the signing CA; callers must check it.

type GetOption

type GetOption interface {
	// ApplyToOptions applies this configuration to the given options.
	// The package-level Current, Old and Bundle values are the options used to select a secret class.
	ApplyToOptions(*GetOptions)
}

GetOption is some configuration that modifies options for a Get request.

type GetOptions

type GetOptions struct {
	// Class specifies which secret should be returned. By default, the bundle secret is returned. If there is
	// no bundle secret then it falls back to the current secret.
	Class *secretClass
}

GetOptions are options for Get calls.

func (*GetOptions) ApplyOptions

func (o *GetOptions) ApplyOptions(opts []GetOption) *GetOptions

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).

type Interface

type Interface interface {
	// Generate generates a secret based on the provided configuration. If the secret for the provided configuration
	// already exists then it is returned without re-generation. The function also automatically rotates/re-generates the
	// secret only if necessary (e.g., when the config or the signing CA changes; cf. LabelKeyChecksumConfig and
	// LabelKeyChecksumSigningCA).
	Generate(context.Context, secretutils.ConfigInterface, ...GenerateOption) (*corev1.Secret, error)
	// Get returns the secret object for the secret with the given name. By default, the bundle secret will be returned.
	// If there is no bundle secret then it falls back to the current secret. Note that only those secrets are known
	// which were detected or generated by prior Generate calls. The bool reports whether the secret was found;
	// callers must check it rather than assume a non-nil result.
	Get(string, ...GetOption) (*corev1.Secret, bool)
	// Cleanup deletes no longer required secrets. No longer required secrets are those still existing in the system
	// which weren't detected by prior Generate calls. Consequently, only call Cleanup after you have executed Generate
	// calls for all desired secrets. Calling it earlier deletes secrets that are still in use.
	Cleanup(context.Context) error
}

Interface describes the methods for managing secrets.

func New

// New returns a new manager for secrets in a given namespace.
func New(
	ctx context.Context,
	logger logr.Logger,
	// clock is injected rather than using time.Now, which allows deterministic rotation/validity decisions in tests.
	clock clock.Clock,
	c client.Client,
	// namespace the managed Secrets live in.
	namespace string,
	// identity of this manager instance; presumably written to the LabelKeyManagerIdentity label so that several
	// managers can share a namespace without touching each other's secrets — confirm.
	identity string,
	// NOTE(review): looks like a map from secret name to the time its last rotation was initiated
	// (cf. LabelKeyLastRotationInitiationTime) — verify against the caller.
	secretNamesToTimes map[string]time.Time,
) (
	Interface,
	error,
)

New returns a new manager for secrets in a given namespace. The identity distinguishes this manager instance from others (cf. LabelKeyManagerIdentity); the meaning of secretNamesToTimes is not documented here and should be confirmed against the implementation.
