Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var DigestedName = bootstraputil.DigestedName
DigestedName is an alias for bootstraputil.DigestedName. Exposed for testing.
var (
// EventGardenletCertificateRotationFailed is an event reason to describe a failed Gardenlet certificate rotation.
EventGardenletCertificateRotationFailed = "GardenletCertificateRotationFailed"
)
Functions ¶
func GetCurrentCertificate ¶ added in v1.34.0
func GetCurrentCertificate(logger logrus.FieldLogger, gardenKubeconfig []byte, gardenClientConnection *config.GardenClientConnection) (*tls.Certificate, error)
GetCurrentCertificate returns the client certificate which is currently used to communicate with the garden cluster.
func RequestCertificate ¶
func RequestCertificate(ctx context.Context, logger logrus.FieldLogger, client kubernetesclientset.Interface, certificateSubject *pkix.Name, dnsSANs []string, ipSANs []net.IP) ([]byte, []byte, string, error)
RequestCertificate will create a certificate signing request for the Gardenlet and send it to API server, then it will watch the object's status, once approved by the gardener-controller-manager, it will return the kube-controller-manager's issued certificate (pem-encoded). If there is any errors, or the watch timeouts, it will return an error.
Types ¶
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager can be used to schedule the certificate rotation for the Gardenlet's Garden cluster client certificate
func NewCertificateManager ¶
func NewCertificateManager(clientMap clientmap.ClientMap, seedClient client.Client, config *config.GardenletConfiguration) *Manager
NewCertificateManager creates a certificate manager that can be used to rotate gardenlet's client certificate for the Garden cluster
func (*Manager) ScheduleCertificateRotation ¶
func (cr *Manager) ScheduleCertificateRotation(ctx context.Context, gardenletCancel context.CancelFunc, recorder record.EventRecorder)
ScheduleCertificateRotation waits until the currently used Garden cluster client certificate approaches expiration. Then requests a new certificate and stores the kubeconfig in a secret (`gardenClientConnection.kubeconfigSecret`) on the Seed. the argument is a context.Cancel function to cancel the context of the Gardenlet used for graceful termination after a successful certificate rotation. When the new gardenlet pod is started, it uses the rotated certificate stored in the secret in the Seed cluster