Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Bundle ¶
Bundle is the set of certificates to serve and optionally the CA certificate (if available).
type DiskSource ¶
type DiskSource struct { CertPath string // CertPath is the path to the PEM-encoded cert KeyPath string // KeyPath is the path to the PEM-encoded private key CAPath string // CAPath is the path to the PEM-encoded CA root bundle (optional) // contains filtered or unexported fields }
DiskSource sources certificates from files on disk. It sets up a file watcher that detects when the content changes and sends an update on the configured channel.
func (*DiskSource) Certificate ¶
Certificate implements source
type GenSource ¶
type GenSource struct { Name string // Name is used as part of the common name Hosts []string // Hosts is the list of hosts to make the leaf valid for // Expiry is the duration that a certificate is valid for. This // defaults to 24 hours. Expiry time.Duration // ExpiryWithin is the duration value used for determining whether to // regenerate a new leaf certificate. If the old leaf certificate is // expiring within this value, then a new leaf will be generated. Default // is about 10% of Expiry. ExpiryWithin time.Duration K8sClient kubernetes.Interface Namespace string SecretsCache informerv1.SecretInformer LeaderElector leader.Elector WebhookName string AdminAPIVersion string Log hclog.Logger // contains filtered or unexported fields }
GenSource generates a self-signed CA and certificate pair.
This generator is stateful. On the first run (last == nil to Certificate), a CA will be generated. On subsequent calls, the same CA will be used to create a new certificate when the expiry is near. To create a new CA, a new GenSource must be allocated.
type Notify ¶
type Notify struct {
// contains filtered or unexported fields
}
Notify sends an update on a channel whenever a source has an updated cert bundle. This struct maintains state, performs backoffs, etc.
type Source ¶
type Source interface { // Certificate returns the certificates to use for the TLS listener. // If `last` is given, this should block until new certificates are // available. If last is nil, then this is an initial certificate request // and new certificates should be loaded. // // If this is a blocking call, a done context should cancel the result // and return immediately with an error (usually ctx.Err()). // // If any errors occur then an error should be returned. Higher level // systems should deal with safely backing off to prevent calling this // method too frequently. Certificate(ctx context.Context, last *Bundle) (Bundle, error) }
source should be implemented by systems that support loading TLS certificates. These are run for the lifetime of an application and are expected to provide continuous updates to certificates as needed (updates, rotation, etc.).