certrotation

package
v0.0.0-...-8feeb22 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 9, 2019 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
)

Variables

This section is empty.

Functions

func GetCertRotationScale 

func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)

GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.

Types

type CABundleRotation 

type CABundleRotation struct {
	Namespace string
	Name      string

	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}

CABundleRotation maintains a CA bundle config map, but adding new CA certs and removing expired old ones.

type CertRotationController 

type CertRotationController struct {
	SigningRotation  SigningRotation
	CABundleRotation CABundleRotation
	TargetRotation   TargetRotation
	OperatorClient   v1helpers.StaticPodOperatorClient
	// contains filtered or unexported fields
}

CertRotationController does:

  1. continuously create a self-signed signing CA (via SigningRotation). It creates the next one when a given percentage of the validity of the old CA has passed.
  2. maintain a CA bundle with all not yet expired CA certs.
  3. continuously create a target cert and key signed by the latest signing CA It creates the next one when a given percentage of the validity of the previous cert has passed, or when a new CA has been created.

func NewCertRotationController 

func NewCertRotationController(
	name string,
	signingRotation SigningRotation,
	caBundleRotation CABundleRotation,
	targetRotation TargetRotation,
	operatorClient v1helpers.StaticPodOperatorClient,
) (*CertRotationController, error)

func (*CertRotationController) Run 

func (c *CertRotationController) Run(workers int, stopCh <-chan struct{})

type ClientRotation 

type ClientRotation struct {
	UserInfo user.Info
}

func (*ClientRotation) NeedNewTargetCertKeyPair 

func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ClientRotation) NewCertificate 

func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ClientRotation) SetAnnotations 

func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type ServingHostnameFunc 

type ServingHostnameFunc func() []string

type ServingRotation 

type ServingRotation struct {
	Hostnames              ServingHostnameFunc
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}

func (*ServingRotation) NeedNewTargetCertKeyPair 

func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ServingRotation) NewCertificate 

func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ServingRotation) RecheckChannel 

func (r *ServingRotation) RecheckChannel() <-chan struct{}

func (*ServingRotation) SetAnnotations 

func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SignerRotation 

type SignerRotation struct {
	SignerName string
}

func (*SignerRotation) NeedNewTargetCertKeyPair 

func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*SignerRotation) NewCertificate 

func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*SignerRotation) SetAnnotations 

func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SigningRotation 

type SigningRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when <RefreshPercentage> of the lifetime of the old CA has passed.

type TargetCertCreator 

type TargetCertCreator interface {
	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
	NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
	// SetAnnotations gives an option to override or set additional annotations
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}

type TargetCertRechecker 

type TargetCertRechecker interface {
	RecheckChannel() <-chan struct{}
}

type TargetRotation 

type TargetRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	CertCreator TargetCertCreator

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

TargetRotation rotates a key and cert signed by a CA. It creates a new one when <RefreshPercentage> of the lifetime of the old cert has passed, or if the common name of the CA changes.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.