certificate

package
v0.0.0-...-4f3658d Latest
Published: Jun 10, 2020 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Manager

type Manager interface {
	// Start the API server status sync loop.
	Start()
	// GetCertificate gets the current certificate from the certificate
	// manager. This function matches the signature required by
	// tls.Config.GetCertificate so it can be passed as TLS configuration. A
	// TLS server will automatically call back here to get the correct
	// certificate when establishing each new connection.
	GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
}

Manager maintains and updates the certificates in use by this certificate manager. In the background it communicates with the API server to get new certificates for certificates about to expire.

func NewManager

func NewManager(
	certSigningRequestClient certificatesclient.CertificateSigningRequestInterface,
	template *x509.CertificateRequest,
	usages []certificates.KeyUsage,
	certificateStore Store,
	certRotationPercent uint) (Manager, error)

NewManager returns a new certificate manager. A certificate manager is responsible for being the authoritative source of certificates in the Kubelet and handling updates due to rotation.

type Store

type Store interface {
	// Current returns the currently selected certificate.
	Current() (*tls.Certificate, error)
	// Update accepts the PEM data for the cert/key pair and makes the new
	// cert/key pair the 'current' pair, that will be returned by future calls
	// to Current().
	Update(cert, key []byte) (*tls.Certificate, error)
}

Store is responsible for getting and updating the current certificate. Depending on the concrete implementation, the backing store for this behavior may vary.

func NewFileStore

func NewFileStore(
	pairNamePrefix string,
	certDirectory string,
	keyDirectory string,
	certFile string,
	keyFile string) (Store, error)

NewFileStore returns a concrete implementation of a Store that is based on storing the cert/key pairs in a single file per pair on disk in the designated directory. When starting up it will look for the currently selected cert/key pair in:

1. ${certDirectory}/${pairNamePrefix}-current.pem - both cert and key are in the same file.
2. ${certFile}, ${keyFile}
3. ${certDirectory}/${pairNamePrefix}.crt, ${keyDirectory}/${pairNamePrefix}.key

The first one found will be used. If rotation is enabled, future cert/key updates will be written to the ${certDirectory} directory and ${certDirectory}/${pairNamePrefix}-current.pem will be created as a soft link to the currently selected cert/key pair.
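The following is an added example, not code from this package or from Kubernetes, showing how the two interfaces above fit together: a Store that only swaps in a cert/key pair after tls.X509KeyPair has confirmed they match, a tls.Config whose GetCertificate hook reads Store.Current on every new connection (the role Manager.GetCertificate plays), and a rotation check. The in-memory store, the self-signed sample certificate and the reading of certRotationPercent as "renew once this percentage of the lifetime has elapsed" are assumptions for illustration; the page does not define the exact rotation policy, and the real manager obtains its certificates from the API server via a CSR rather than self-signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Store restates the interface from this page so the example compiles alone.
type Store interface {
	Current() (*tls.Certificate, error)
	Update(cert, key []byte) (*tls.Certificate, error)
}

// memStore is a hypothetical in-memory Store standing in for NewFileStore.
type memStore struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

func (s *memStore) Current() (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.cert == nil {
		return nil, errors.New("no current certificate")
	}
	return s.cert, nil
}

// Update only replaces the current pair once the PEM cert and key are known
// to match, so a bad rotation cannot evict a working certificate.
func (s *memStore) Update(certPEM, keyPEM []byte) (*tls.Certificate, error) {
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("rejecting update: %w", err)
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return nil, err
	}
	c.Leaf = leaf // keep the parsed leaf so expiry checks need not re-parse
	s.mu.Lock()
	s.cert = &c
	s.mu.Unlock()
	return &c, nil
}

// serverTLSConfig wires Store.Current into tls.Config.GetCertificate, the
// hook Manager.GetCertificate is shaped for: every new handshake calls back
// here, so a rotated certificate is served without restarting the listener.
func serverTLSConfig(store Store) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return store.Current()
		},
	}
}

// shouldRotate is an assumed reading of certRotationPercent: renew once that
// percentage of the certificate's lifetime has elapsed.
func shouldRotate(leaf *x509.Certificate, rotationPercent uint, now time.Time) bool {
	lifetime := leaf.NotAfter.Sub(leaf.NotBefore)
	if lifetime <= 0 {
		return true
	}
	elapsed := now.Sub(leaf.NotBefore)
	return float64(elapsed)/float64(lifetime)*100 >= float64(rotationPercent)
}

// selfSignedPEM builds a constructed sample cert/key pair with the given
// validity window (a stand-in for a CSR-signed certificate from the API server).
func selfSignedPEM(notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "system:node:example", Organization: []string{"system:nodes"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	store := &memStore{}
	cfg := serverTLSConfig(store)
	certPEM, keyPEM, err := selfSignedPEM(now.Add(-24*time.Hour), now.Add(6*24*time.Hour))
	if err != nil {
		panic(err)
	}
	if _, err := store.Update(certPEM, keyPEM); err != nil {
		panic(err)
	}
	c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{})
	fmt.Println("serving", c.Leaf.Subject.CommonName, "rotate now:", shouldRotate(c.Leaf, 80, now))
}
```

Because GetCertificate is consulted per handshake, the listener never needs to be restarted on rotation; the rotation loop only has to call Store.Update with the newly signed pair. The validation in Update is the check worth keeping in any real Store: a cert and key that do not match, or unparsable PEM, must fail the update rather than replace the pair currently being served.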
