Documentation
Overview
Package writer provides a method to ensure that each webhook has a working certificate and private key in the place where the webhook server consumes them.
It creates the certificates if they don't exist. It checks that existing certificates are valid and not about to expire; if they are not, it recreates them.
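The overview says existing material is reused only if it is valid and not expiring. The Go program below is an added example, not code from controller-runtime or this package: it generates a throwaway CA and serving certificate in memory (a hypothetical stand-in for a CertGenerator, constructed here as sample input) and implements the decision a writer has to make before reusing what it finds in a secret or on disk: the PEM parses, the private key belongs to the serving certificate, the certificate chains to the CA for the webhook's service name, and enough lifetime remains. The function names, the service DNS name and the 30-day rotation margin are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while building the constructed sample material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pemBlock wraps DER bytes in a PEM block of the given type.
func pemBlock(t string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der})
}

// generateCertPair builds an in-memory CA plus a serving certificate and key for dnsName
// that expire at notAfter (hypothetical stand-in for a CertGenerator, assumed for this example).
func generateCertPair(dnsName string, notAfter time.Time) (caPEM, certPEM, keyPEM []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "webhook-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour), // CA outlives the leaf so chain checks fail on the leaf first
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))
	keyDER := must(x509.MarshalPKCS8PrivateKey(srvKey))
	return pemBlock("CERTIFICATE", caDER), pemBlock("CERTIFICATE", srvDER), pemBlock("PRIVATE KEY", keyDER)
}

// needsRotation reports whether stored material must be regenerated, and why: the PEM must
// parse, the key must match the cert, the cert must chain to the CA for dnsName and must not
// expire within margin of now, so rotation is not left to the last day.
func needsRotation(caPEM, certPEM, keyPEM []byte, dnsName string, now time.Time, margin time.Duration) (bool, string) {
	caBlock, _ := pem.Decode(caPEM)
	certBlock, _ := pem.Decode(certPEM)
	keyBlock, _ := pem.Decode(keyPEM)
	if caBlock == nil || certBlock == nil || keyBlock == nil {
		return true, "missing or malformed PEM"
	}
	caCert, errCA := x509.ParseCertificate(caBlock.Bytes)
	cert, errCert := x509.ParseCertificate(certBlock.Bytes)
	key, errKey := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
	if errCA != nil || errCert != nil || errKey != nil {
		return true, "certificate or key does not parse"
	}
	// A key that does not belong to the certificate would fail every TLS handshake.
	signer, isSigner := key.(crypto.Signer)
	pub, hasEqual := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !isSigner || !hasEqual || !pub.Equal(signer.Public()) {
		return true, "private key does not match serving certificate"
	}
	// The serving cert must chain to this CA and be valid for the webhook's service name.
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now}); err != nil {
		return true, "serving certificate does not verify: " + err.Error()
	}
	if cert.NotAfter.Before(now.Add(margin)) {
		return true, fmt.Sprintf("serving certificate expires %s, inside the %s rotation margin", cert.NotAfter.Format(time.RFC3339), margin)
	}
	return false, ""
}

func main() {
	now := time.Now()
	const svc = "service-foo.service-ns-1.svc" // assumed service DNS name for the example
	ca, crt, key := generateCertPair(svc, now.Add(365*24*time.Hour))
	fmt.Println(needsRotation(ca, crt, key, svc, now, 30*24*time.Hour)) // false: material is reused
	ca, crt, key = generateCertPair(svc, now.Add(10*24*time.Hour))
	fmt.Println(needsRotation(ca, crt, key, svc, now, 30*24*time.Hour)) // true: inside the margin
}
```

The check verifies against the CA it was given, not the system trust store, because the webhook's clients (the API server) trust only the CA in caBundle; a certificate that is valid under some other CA is still useless here. Checking the key against the certificate catches the case where a secret or directory was partially overwritten.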
Example Webhook Configuration
The following annotation has the webhook managed by the SecretCertWriter. Its key is SecretCertProvisionAnnotationKeyPrefix followed by the webhook name; its value is the namespace and name of the secret that will hold the certificates.
secret.certprovisioner.kubernetes.io/webhook-1: namespace-bar/secret-foo
The following is an example MutatingWebhookConfiguration in yaml.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: myMutatingWebhookConfiguration
  annotations:
    secret.certprovisioner.kubernetes.io/webhook-1: namespace-bar/secret-foo
webhooks:
- name: webhook-1
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - "*"
    resources:
    - pods
  clientConfig:
    service:
      namespace: service-ns-1
      name: service-foo
      path: "/mutating-pods"
    caBundle: [] # CA bundle here
Create a default CertWriter
writer, err := NewCertWriter(Options{Client: client})
if err != nil {
	// handle error
}
Create a SecretCertWriter
// A SecretCertWriter is a plain struct literal; constructing it returns no error.
writer := &SecretCertWriter{Client: client}
Provision the certificates using the CertWriter. The CA certificate, serving certificate and private key will be written to the secrets or filesystem paths named by the webhook configuration's annotations.
// writer can be either one of the CertWriters created above
err = writer.EnsureCerts(webhookConfiguration) // webhookConfiguration is an existing runtime.Object
if err != nil {
	// handle error
}
Index
Constants
const (
	// CACertName is the name of the CA certificate
	CACertName = "ca-cert.pem"
	// ServerKeyName is the name of the server private key
	ServerKeyName = "key.pem"
	// ServerCertName is the name of the serving certificate
	ServerCertName = "cert.pem"
)
const (
	// FSCertProvisionAnnotationKeyPrefix should be used in an annotation in the following format:
	// fs.certprovisioner.kubernetes.io/<webhook-name>: path/to/certs/
	// the webhook cert manager library will provision the certificate for the webhook by
	// storing it under the specified path.
	// format: fs.certprovisioner.kubernetes.io/webhookName: path/to/certs/
	FSCertProvisionAnnotationKeyPrefix = "fs.certprovisioner.kubernetes.io/"
)
const (
	// SecretCertProvisionAnnotationKeyPrefix should be used in an annotation in the following format:
	// secret.certprovisioner.kubernetes.io/<webhook-name>: <secret-namespace>/<secret-name>
	// the webhook cert manager library will provision the certificate for the webhook by
	// storing it in the specified secret.
	SecretCertProvisionAnnotationKeyPrefix = "secret.certprovisioner.kubernetes.io/"
)
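The two annotation formats above, and the example configuration earlier on this page, are the whole contract between a webhook configuration and the writers. The Go program below is an added example, not this package's code: it resolves the annotations on a configuration into per-webhook storage targets using the documented prefixes and value formats, and rejects what the documentation does not allow (a value that is not <secret-namespace>/<secret-name>, an empty path, or a webhook name that is not in the configuration). The CertTarget type, the function name and the sample annotations are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation key prefixes, as documented for this package.
const (
	fsPrefix     = "fs.certprovisioner.kubernetes.io/"
	secretPrefix = "secret.certprovisioner.kubernetes.io/"
)

// CertTarget is where one webhook's CA cert, serving cert and key are stored (assumed type).
type CertTarget struct {
	Webhook   string // webhook name taken from the annotation key
	Kind      string // "secret" or "fs"
	Namespace string // secret namespace (Kind == "secret")
	Name      string // secret name (Kind == "secret")
	Path      string // directory on disk (Kind == "fs")
}

// parseProvisionAnnotations resolves the cert targets declared in a webhook
// configuration's annotations. Keys without a known prefix are ignored; a known
// prefix with an unknown webhook name or a malformed value is an error, because
// silently skipping it would leave that webhook without a certificate.
func parseProvisionAnnotations(annotations map[string]string, webhookNames []string) ([]CertTarget, error) {
	known := make(map[string]bool, len(webhookNames))
	for _, n := range webhookNames {
		known[n] = true
	}
	var targets []CertTarget
	for key, value := range annotations {
		var t CertTarget
		switch {
		case strings.HasPrefix(key, secretPrefix):
			t.Kind, t.Webhook = "secret", strings.TrimPrefix(key, secretPrefix)
			ns, name, ok := strings.Cut(value, "/")
			if !ok || ns == "" || name == "" || strings.Contains(name, "/") {
				return nil, fmt.Errorf("annotation %q: value %q is not <secret-namespace>/<secret-name>", key, value)
			}
			t.Namespace, t.Name = ns, name
		case strings.HasPrefix(key, fsPrefix):
			t.Kind, t.Webhook = "fs", strings.TrimPrefix(key, fsPrefix)
			if value == "" {
				return nil, fmt.Errorf("annotation %q: empty path", key)
			}
			t.Path = value
		default:
			continue // unrelated annotation
		}
		if !known[t.Webhook] {
			return nil, fmt.Errorf("annotation %q names webhook %q, which is not in the configuration", key, t.Webhook)
		}
		targets = append(targets, t)
	}
	// Map iteration order is random; sort so callers get a stable result.
	sort.Slice(targets, func(i, j int) bool {
		if targets[i].Webhook != targets[j].Webhook {
			return targets[i].Webhook < targets[j].Webhook
		}
		return targets[i].Kind < targets[j].Kind
	})
	return targets, nil
}

func main() {
	// Constructed sample: the annotation from the example configuration above,
	// an fs target for a second webhook, and an unrelated annotation.
	annotations := map[string]string{
		"secret.certprovisioner.kubernetes.io/webhook-1": "namespace-bar/secret-foo",
		"fs.certprovisioner.kubernetes.io/webhook-2":     "/etc/webhook/certs/",
		"team": "platform",
	}
	targets, err := parseProvisionAnnotations(annotations, []string{"webhook-1", "webhook-2"})
	if err != nil {
		panic(err)
	}
	for _, t := range targets {
		fmt.Printf("%+v\n", t)
	}
}
```

A webhook may carry both an fs and a secret annotation; that is the case MultiCertWriter exists for, so the parser returns both targets rather than treating the pair as a conflict.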
Variables
This section is empty.
Functions
This section is empty.
Types
type CertWriter
type CertWriter interface {
	// EnsureCerts ensures that the webhooks have proper certificates.
	EnsureCerts(runtime.Object) error
}
CertWriter provides a method to provision certificates for webhooks.
func NewCertWriter
func NewCertWriter(ops Options) (CertWriter, error)
NewCertWriter builds a new CertWriter using the provided options. By default, it builds a MultiCertWriter that is composed of a SecretCertWriter and an FSCertWriter.
type FSCertWriter
type FSCertWriter struct {
CertGenerator certgenerator.CertGenerator
}
FSCertWriter provisions the certificate by reading and writing to the filesystem.
func (*FSCertWriter) EnsureCerts
func (f *FSCertWriter) EnsureCerts(webhookConfig runtime.Object) error
EnsureCerts provisions certificates for a webhook configuration by writing them in the filesystem.
type MultiCertWriter
type MultiCertWriter struct {
CertWriters []CertWriter
}
MultiCertWriter composes a slice of CertWriters. This is useful if you need both SecretCertWriter and FSCertWriter.
func (*MultiCertWriter) EnsureCerts
func (s *MultiCertWriter) EnsureCerts(webhookConfig runtime.Object) error
EnsureCerts provisions certificates for a webhook configuration by invoking each CertWriter in turn.
type Options
type Options struct {
	Client        client.Client
	CertGenerator generator.CertGenerator
}
Options are options for configuring a CertWriter.
type SecretCertWriter
type SecretCertWriter struct {
	Client        client.Client
	CertGenerator generator.CertGenerator
}
SecretCertWriter provisions the certificate by reading and writing k8s secrets.
func (*SecretCertWriter) EnsureCerts
func (s *SecretCertWriter) EnsureCerts(webhookConfig runtime.Object) error
EnsureCerts provisions certificates for a webhook configuration by writing them in k8s secrets.