Documentation ¶
Index ¶
- Constants
- Variables
- func ObjectMeta(namespace string, managerIdentity string, config secretutils.ConfigInterface, ...) (metav1.ObjectMeta, error)
- func Secret(objectMeta metav1.ObjectMeta, data map[string][]byte) *corev1.Secret
- type Config
- type GenerateOption
- type GenerateOptions
- type GetOption
- type GetOptions
- type Interface
- type Reader
- type SignedByCAOption
- type SignedByCAOptions
Constants ¶
const ( // InPlace is a constant for a rotation strategy regenerating a secret and NOT keeping the old one in the system. InPlace rotationStrategy = "inplace" // KeepOld is a constant for a rotation strategy regenerating a secret and keeping the old one in the system. KeepOld rotationStrategy = "keepold" )
const ( // LabelKeyName is a constant for a key of a label on a Secret describing the name. LabelKeyName = "name" // LabelKeyManagedBy is a constant for a key of a label on a Secret describing who is managing it. LabelKeyManagedBy = "managed-by" // LabelKeyManagerIdentity is a constant for a key of a label on a Secret describing which secret manager instance // is managing it. LabelKeyManagerIdentity = "manager-identity" // LabelKeyChecksumConfig is a constant for a key of a label on a Secret describing the checksum of the // configuration used to create the data. LabelKeyChecksumConfig = "checksum-of-config" // LabelKeyChecksumSigningCA is a constant for a key of a label on a Secret describing the checksum of the // certificate authority which has signed the client or server certificate in the data. LabelKeyChecksumSigningCA = "checksum-of-signing-ca" // LabelKeyBundleFor is a constant for a key of a label on a Secret describing that it is a bundle secret for // another secret. LabelKeyBundleFor = "bundle-for" // LabelKeyPersist is a constant for a key of a label on a Secret describing that it should get persisted. LabelKeyPersist = "persist" // LabelKeyLastRotationInitiationTime is a constant for a key of a label on a Secret describing the unix timestamps // of when the last secret rotation was initiated. LabelKeyLastRotationInitiationTime = "last-rotation-initiation-time" // LabelKeyIssuedAtTime is a constant for a key of a label on a Secret describing the time of when the secret data // was created. In case the data contains a certificate it is the time part of the certificate's 'not before' field. LabelKeyIssuedAtTime = "issued-at-time" // LabelKeyValidUntilTime is a constant for a key of a label on a Secret describing the time of how long the secret // data is valid. In case the data contains a certificate it is the time part of the certificate's 'not after' // field. LabelKeyValidUntilTime = "valid-until-time" // LabelValueTrue is a constant for a value of a label on a Secret describing the value 'true'. LabelValueTrue = "true" // LabelValueSecretsManager is a constant for a value of a label on a Secret describing the value 'secret-manager'. LabelValueSecretsManager = "secrets-manager" )
Variables ¶
var ( // UseCurrentCA sets the CAClass field to 'current' in the SignedByCAOptions. UseCurrentCA = useCAClassOption{current} // UseOldCA sets the CAClass field to 'old' in the SignedByCAOptions. UseOldCA = useCAClassOption{old} )
var ( // Current sets the Class field to 'current' in the GetOptions. Current = classOption{/* contains filtered or unexported fields */} // Old sets the Class field to 'old' in the GetOptions. Old = classOption{/* contains filtered or unexported fields */} // Bundle sets the Class field to 'bundle' in the GetOptions. Bundle = classOption{/* contains filtered or unexported fields */} )
Functions ¶
func ObjectMeta ¶
func ObjectMeta( namespace string, managerIdentity string, config secretutils.ConfigInterface, ignoreConfigChecksumForCASecretName bool, lastRotationInitiationTime string, validUntilTime *string, signingCAChecksum *string, persist *bool, bundleFor *string, ) ( metav1.ObjectMeta, error, )
ObjectMeta returns the object meta based on the given settings.
Types ¶
type Config ¶ added in v1.47.0
type Config struct { // CASecretAutoRotation states whether CA secrets are considered for automatic rotation (defaults to false). CASecretAutoRotation bool // SecretNamesToTimes is a map whose keys are secret names and whose values are the last rotation initiation // times. SecretNamesToTimes map[string]time.Time }
Config specifies certain configuration options for the manager.
type GenerateOption ¶
type GenerateOption func(Interface, secretutils.ConfigInterface, *GenerateOptions) error
GenerateOption is some configuration that modifies options for a Generate request.
func IgnoreConfigChecksumForCASecretName ¶ added in v1.45.0
func IgnoreConfigChecksumForCASecretName() GenerateOption
IgnoreConfigChecksumForCASecretName returns a function which sets the 'IgnoreConfigChecksumForCASecretName' field to true.
func IgnoreOldSecrets ¶
func IgnoreOldSecrets() GenerateOption
IgnoreOldSecrets returns a function which sets the 'IgnoreOldSecrets' field to true.
func Persist ¶
func Persist() GenerateOption
Persist returns a function which sets the 'Persist' field to true.
func Rotate ¶
func Rotate(strategy rotationStrategy) GenerateOption
Rotate returns a function which sets the 'RotationStrategy' field to the specified value.
func SignedByCA ¶
func SignedByCA(name string, opts ...SignedByCAOption) GenerateOption
SignedByCA returns a function which sets the 'SigningCA' field in case the ConfigInterface provided to the Generate request is a CertificateSecretConfig. Additionally, in such case it stores a checksum of the signing CA in the options.
func Validity ¶ added in v1.44.0
func Validity(v time.Duration) GenerateOption
Validity returns a function which sets the 'Validity' field to the provided value. Note that the value is ignored in case Generate is called with a certificate secret configuration.
type GenerateOptions ¶
type GenerateOptions struct { // Persist specifies whether the 'persist=true' label should be added to the secret resources. Persist bool // RotationStrategy specifies how the secret should be rotated in case it needs to get rotated. RotationStrategy rotationStrategy // IgnoreOldSecrets specifies whether old secrets should be loaded to the internal store. IgnoreOldSecrets bool // Validity specifies for how long the secret should be valid. Validity time.Duration // IgnoreConfigChecksumForCASecretName specifies whether the secret config checksum should be ignored when // computing the secret name for CA secrets. IgnoreConfigChecksumForCASecretName bool // contains filtered or unexported fields }
GenerateOptions are options for Generate calls.
func (*GenerateOptions) ApplyOptions ¶
func (o *GenerateOptions) ApplyOptions(manager Interface, configInterface secretutils.ConfigInterface, opts []GenerateOption) error
ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).
type GetOption ¶
type GetOption interface { // ApplyToOptions applies this configuration to the given options. ApplyToOptions(*GetOptions) }
GetOption is some configuration that modifies options for a Get request.
type GetOptions ¶
type GetOptions struct { // Class specifies whether which secret should be returned. By default, the bundle secret is returned. If there is // no bundle secret then it falls back to the current secret. Class *secretClass }
GetOptions are options for Get calls.
func (*GetOptions) ApplyOptions ¶
func (o *GetOptions) ApplyOptions(opts []GetOption) *GetOptions
ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).
type Interface ¶
type Interface interface { // Generate generates a secret based on the provided configuration. If the secret for the provided configuration // already exists then it is returned with re-generation. The function also automatically rotates/re-generates the // secret only if necessary (e.g., when the config or the signing CA changes). Generate(context.Context, secretutils.ConfigInterface, ...GenerateOption) (*corev1.Secret, error) Reader // Cleanup deletes no longer required secrets. No longer required secrets are those still existing in the system // which weren't detected by prior Generate calls. Consequently, only call Cleanup after you have executed Generate // calls for all desired secrets. Cleanup(context.Context) error }
Interface describes the methods for managing secrets.
type Reader ¶ added in v1.45.0
type Reader interface { // Get returns the secret object for the secret with the given name. By default, the bundle secret will be returned. // If there is no bundle secret then it falls back to the current secret. Note that only those secrets are known // which were detected or generated by prior Generate calls. Get(string, ...GetOption) (*corev1.Secret, bool) }
Reader is part of the SecretsManager interface and allows retrieving secrets from a SecretsManager.
type SignedByCAOption ¶ added in v1.45.0
type SignedByCAOption interface { // ApplyToOptions applies this configuration to the given options. ApplyToOptions(*SignedByCAOptions) }
SignedByCAOption is some configuration that modifies options for a SignedByCA request.
type SignedByCAOptions ¶ added in v1.45.0
type SignedByCAOptions struct { // CAClass specifies which CA should be used to sign the requested certificate. Server certificates are signed with // the old CA by default, however one might want to use the current CA instead. Similarly, client certificates are // signed with the current CA by default, however one might want to use the old CA instead. CAClass *secretClass }
SignedByCAOptions are options for SignedByCA calls.
func (*SignedByCAOptions) ApplyOptions ¶ added in v1.45.0
func (o *SignedByCAOptions) ApplyOptions(opts []SignedByCAOption) *SignedByCAOptions
ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).