Documentation ¶
Overview ¶
Package cert provides a secret-based certificate manager for webhook servers. If no existing certificate is found for the webhook server, the certificate manager generates a self-signed certificate and writes it to a k8s Secret object. The generated cert is also written to disk and used by the webhook server. The manager periodically checks whether the certificate is still valid and refreshes it if needed. On restart, the cert is fetched from the Secret object and reused if it is still valid.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Manager ¶
```go
type Manager struct {
	// Options holds the certificate provisioner options.
	Options
	// contains filtered or unexported fields
}
```
Manager is a webhook server certificate manager. It needs to know about the webhook configuration and the service or host of the webhook in order to provision a self-signed certificate and inject the cert into the webhook configurations. The generated certificate is stored in a k8s Secret object and is reused if it already exists.
func (*Manager) NeedLeaderElection ¶
NeedLeaderElection implements the LeaderElectionRunnable interface.
type Options ¶
```go
type Options struct {
	// CertRefreshInterval is the interval at which the cert is refreshed.
	CertRefreshInterval time.Duration

	// Service is a reference to the k8s service fronting the webhook server
	// pod(s). This field is optional, but exactly one of Service and Host
	// must be set.
	// This maps to the field .webhooks.clientConfig.service
	Service *admissionregistrationv1.ServiceReference

	// Host is the host name of .webhooks.clientConfig.url
	// This field is optional, but exactly one of Service and Host must be set.
	Host *string

	// Port is the port number that the server will serve.
	// It defaults to controller-runtime's default webhook server port
	// if unspecified.
	Port int32

	// MutatingWebhookConfigRefs is the reference to mutating webhook
	// configurations to update with the provisioned certificate.
	MutatingWebhookConfigRefs []types.NamespacedName

	// ValidatingWebhookConfigRefs is the reference to validating webhook
	// configurations to update with the provisioned certificate.
	ValidatingWebhookConfigRefs []types.NamespacedName

	// CRDRefs is the reference to CRD configurations to update with the
	// provisioned certificate.
	CRDRefs []types.NamespacedName

	// Client is a k8s client.
	Client client.Client

	// CertWriter is a certificate writer.
	CertWriter writer.CertWriter

	// SecretRef is a reference to the secret where the generated certificate
	// and key are stored for persistence.
	SecretRef *types.NamespacedName

	// CertDir is the directory that contains the server key and certificate.
	CertDir string

	// CertName is the server certificate name. Defaults to tls.crt.
	CertName string

	// KeyName is the server key name. Defaults to tls.key.
	KeyName string

	// CertValidity is the length of the generated certificate's validity. This is not
	// the validity of the root CA cert; that is set to 10 years by default in
	// the client-go cert utils package.
	// If not set, this defaults to a year.
	CertValidity time.Duration
}
```
Options are options for the certificate Manager.
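The lifecycle described in the Overview and by the Options fields (generate a self-signed serving certificate with a bounded validity, reuse it while it is still valid, refresh it before it expires), as an added Go example that is not this package's code. GenerateServingCert, NeedsRefresh, the service name webhook.system.svc and the refresh rule "regenerate if the cert would expire before the next scheduled check" are assumptions made for the example; the package itself delegates persistence to CertWriter and the Secret, which is not shown here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// GenerateServingCert (hypothetical) issues a self-signed serving cert for dnsName, valid from
// now for validity (the page's CertValidity); the PEM is what would be stored as tls.crt.
func GenerateServingCert(dnsName string, validity time.Duration, now time.Time) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		DNSNames:     []string{dnsName}, // the SAN is what the API server verifies
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}
// NeedsRefresh (hypothetical) is the check a periodic loop or a restart reusing the stored cert
// runs: regenerate if the PEM is unparsable, does not cover dnsName, or is invalid at now or at the next check.
func NeedsRefresh(certPEM []byte, dnsName string, now time.Time, refreshInterval time.Duration) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return true
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil || c.VerifyHostname(dnsName) != nil {
		return true
	}
	return now.Before(c.NotBefore) || !now.Add(refreshInterval).Before(c.NotAfter)
}

func main() { // constructed demo: one-year cert, hourly refresh checks
	crt, _, _ := GenerateServingCert("webhook.system.svc", 365*24*time.Hour, time.Now())
	fmt.Println("refresh needed now:", NeedsRefresh(crt, "webhook.system.svc", time.Now(), time.Hour))
}
```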