Documentation ¶
Overview ¶
Package controller contains the code of the CSR-approver controller.
Index ¶
- func GetCertApprovalCondition(status *capiv1.CertificateSigningRequestStatus) (approved, denied bool)
- func InitLogger(config *Config) logr.Logger
- func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error)
- func ProviderChecks(_ *certificatesv1.CertificateSigningRequest, _ *x509.CertificateRequest) (valid bool, reason string)
- type CertificateSigningRequestReconciler
- func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, ...) (valid bool, reason string, err error)
- func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error)
- func (r *CertificateSigningRequestReconciler) SetupWithManager(mgr ctrl.Manager) error
- func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(_ *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
- type Config
- type HostResolver
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetCertApprovalCondition ¶
func GetCertApprovalCondition(status *capiv1.CertificateSigningRequestStatus) (approved, denied bool)
GetCertApprovalCondition returns the current condition of the CSR (approved, denied)
func InitLogger ¶ added in v0.2.5
func InitLogger(config *Config) logr.Logger
InitLogger initializes the controller logger from the given Config.
func ParseCSR ¶
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error)
ParseCSR extracts the CSR from the bytes and decodes it.
func ProviderChecks ¶
func ProviderChecks(_ *certificatesv1.CertificateSigningRequest, _ *x509.CertificateRequest) (valid bool, reason string)
ProviderChecks is the function in which the cloud provider specifies a series of checks to run against the CSRs. The out-of-band identity checks of the CSRs should happen here.
Types ¶
type CertificateSigningRequestReconciler ¶
type CertificateSigningRequestReconciler struct {
	ClientSet *clientset.Clientset
	client.Client
	Scheme *runtime.Scheme
	Config
}
CertificateSigningRequestReconciler reconciles a CertificateSigningRequest object
func (*CertificateSigningRequestReconciler) DNSCheck ¶
func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
DNSCheck is a function checking that the DNS name:
- complies with the provider-specific regex
- is resolvable (this check can be opted out with a parameter)
func (*CertificateSigningRequestReconciler) Reconcile ¶
func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error)
Reconcile performs a series of checks before deciding whether the CSR should be approved or denied. Its cyclomatic complexity is high (over 15), but this improves readability for the programmer, so the linting error is ignored.
func (*CertificateSigningRequestReconciler) SetupWithManager ¶
func (r *CertificateSigningRequestReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager sets up the controller with the Manager.
func (*CertificateSigningRequestReconciler) WhitelistedIPCheck ¶ added in v0.2.0
func (r *CertificateSigningRequestReconciler) WhitelistedIPCheck(_ *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error)
WhitelistedIPCheck verifies that the x509cr SAN IP addresses are contained in the set of provider-specified IP addresses.
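The following is an added worked example, not code from this package, showing the shape of the checks documented above (ParseCSR, ProviderChecks, the regex half of DNSCheck, and WhitelistedIPCheck) against a CSR constructed in the block. Everything in it is a simplification made for the example: hostnameRE and allowedPrefixes stand in for Config.ProviderRegexp and Config.ProviderIPSet (plain net/netip prefixes replace netipx.IPSet), CheckCSR folds the separate check functions into one, no DNS resolution is attempted so it runs offline, and newCSR and tamperCSR only build sample input. The one point the page does not spell out is that ParseCSR should also verify the CSR's self-signature; tamperCSR shows why, by producing a CSR that still parses but whose signature no longer matches.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"net/netip"
	"regexp"
	"strings"
)

// Provider policy for this example (hypothetical; the controller keeps these in Config and uses a netipx.IPSet).
var (
	hostnameRE      = regexp.MustCompile(`^[a-z0-9-]+\.example\.internal$`)
	allowedPrefixes = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("fd00::/8")}
)

// ParseCSR decodes one PEM CERTIFICATE REQUEST block and verifies its self-signature (proof of key possession).
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("expected a PEM block of type CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	return csr, nil
}

// CheckCSR applies kubelet-serving identity checks and returns (valid, reason), the same
// shape as the controller's check functions. Hypothetical stand-in for ProviderChecks and friends.
func CheckCSR(csr *x509.CertificateRequest) (valid bool, reason string) {
	cn := csr.Subject.CommonName
	if !strings.HasPrefix(cn, "system:node:") {
		return false, "CN " + cn + " is not prefixed with system:node:"
	}
	nodeName := strings.TrimPrefix(cn, "system:node:")
	for _, name := range csr.DNSNames {
		if !hostnameRE.MatchString(name) {
			return false, "DNS SAN " + name + " does not match the provider regex"
		}
		// Bind the SAN to the identity in the CN so a node cannot request a peer's hostname.
		if name != nodeName && !strings.HasPrefix(name, nodeName+".") {
			return false, "DNS SAN " + name + " does not belong to node " + nodeName
		}
	}
	for _, ip := range csr.IPAddresses {
		addr, ok := netip.AddrFromSlice(ip)
		addr = addr.Unmap() // x509 may hand back 16-byte IPv4-mapped addresses
		allowed := false
		for _, pfx := range allowedPrefixes {
			allowed = allowed || pfx.Contains(addr)
		}
		if !ok || !allowed {
			return false, "IP SAN " + ip.String() + " is not in the whitelisted prefixes"
		}
	}
	return true, ""
}

// newCSR builds a constructed kubelet-style CSR for this example (sample data, not a real node).
func newCSR(nodeName string, dns []string, ips []net.IP) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed input: errors ignored
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: "system:node:" + nodeName, Organization: []string{"system:nodes"}},
		DNSNames:    dns,
		IPAddresses: ips,
	}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// tamperCSR swaps a same-length substring inside the DER: it still parses, but the self-signature no longer matches.
func tamperCSR(pemCSR []byte, from, to string) []byte {
	block, _ := pem.Decode(pemCSR)
	block.Bytes = bytes.ReplaceAll(block.Bytes, []byte(from), []byte(to))
	return pem.EncodeToMemory(block)
}

func main() {
	good := newCSR("worker-01", []string{"worker-01.example.internal"}, []net.IP{net.ParseIP("10.0.1.5")})
	if csr, err := ParseCSR(good); err == nil {
		fmt.Println(CheckCSR(csr)) // true ""
	}
	_, err := ParseCSR(tamperCSR(good, "worker-01", "worker-99"))
	fmt.Println("tampered CSR rejected:", err != nil) // true
}
```

The order matters in practice: parse and verify the signature first, then run the cheap syntactic checks (CN prefix, regex, IP prefixes), and only then anything that touches the network such as the resolvability half of DNSCheck, so an attacker cannot use malformed CSRs to drive DNS lookups.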
type Config ¶ added in v0.2.4
type Config struct {
	LogLevel               int
	MetricsAddr            string
	ProbeAddr              string
	LeaderElection         bool
	RegexStr               string
	ProviderRegexp         func(string) bool
	IPPrefixesStr          string
	ProviderIPSet          *netipx.IPSet
	MaxExpirationSeconds   int32
	K8sConfig              *rest.Config
	DNSResolver            HostResolver
	BypassDNSResolution    bool
	IgnoreNonSystemNodeCsr bool
	AllowedDNSNames        int
	BypassHostnameCheck    bool
}
Config holds all variables needed to configure the controller