certificate

package
v1.52.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 4, 2022 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 30 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

DigestedName is an alias for bootstraputil.DigestedName. Exposed for testing.

View Source
var (

	// EventGardenletCertificateRotationFailed is an event reason to describe a failed Gardenlet certificate rotation.
	EventGardenletCertificateRotationFailed = "GardenletCertificateRotationFailed"
)

Functions

func GetCurrentCertificate added in v1.34.0

func GetCurrentCertificate(log logr.Logger, gardenKubeconfig []byte, gardenClientConnection *config.GardenClientConnection) (*tls.Certificate, error)

GetCurrentCertificate returns the client certificate which is currently used to communicate with the garden cluster.

func RequestCertificate

func RequestCertificate(ctx context.Context, log logr.Logger, client kubernetesclientset.Interface, certificateSubject *pkix.Name, dnsSANs []string, ipSANs []net.IP) ([]byte, []byte, string, error)

RequestCertificate will create a certificate signing request for the Gardenlet and send it to API server, then it will watch the object's status, once approved by the gardener-controller-manager, it will return the kube-controller-manager's issued certificate (pem-encoded). If there is any errors, or the watch timeouts, it will return an error.

Types

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager can be used to schedule the certificate rotation for the Gardenlet's Garden cluster client certificate

func NewCertificateManager

func NewCertificateManager(log logr.Logger, clientMap clientmap.ClientMap, seedClient client.Client, config *config.GardenletConfiguration) *Manager

NewCertificateManager creates a certificate manager that can be used to rotate gardenlet's client certificate for the Garden cluster

func (*Manager) ScheduleCertificateRotation

func (cr *Manager) ScheduleCertificateRotation(ctx context.Context, gardenletCancel context.CancelFunc, recorder record.EventRecorder)

ScheduleCertificateRotation waits until the currently used Garden cluster client certificate approaches expiration. Then requests a new certificate and stores the kubeconfig in a secret (`gardenClientConnection.kubeconfigSecret`) on the Seed. the argument is a context.Cancel function to cancel the context of the Gardenlet used for graceful termination after a successful certificate rotation. When the new gardenlet pod is started, it uses the rotated certificate stored in the secret in the Seed cluster

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL