Documentation
Constants
const (
	CACertKey       = "ca.crt"
	CAPrivateKeyKey = "ca.key"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Manager
type Manager struct {
// contains filtered or unexported fields
}
Manager does the CA and service certificate/key generation and expiration handling. It generates one CA for the webhook configuration and a secret per Service referenced in it. Exactly one instance has to run per cluster to monitor expiration times and perform the rotations.
func NewManager
NewManager creates a certManager that generates a secret per service for the webhook TLS HTTP server. It also starts a cert manager [1] that updates them when they expire. The generated certificates include the following fields: DNSNames (for every service the webhook refers to):
- ${service.Name}
- ${service.Name}.${service.namespace}
- ${service.Name}.${service.namespace}.svc
Subject:
- CN: ${webhookName}
Usages:
- UsageDigitalSignature
- UsageKeyEncipherment
- UsageServerAuth
It also updates the webhook caBundle field with the cluster CA cert and approves the generated cert/key with the k8s certificate approval mechanism.
func (*Manager) Add
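As an added example (not the package's own code), the following Go program produces the CA and the per-Service serving certificate with exactly the fields the NewManager description lists: CN set to the webhook name, the three service DNSNames, and the DigitalSignature, KeyEncipherment and ServerAuth usages. The "-ca" suffix on the CA's CN, the fixed serial numbers and the rotate-interval parameters are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a 2048-bit RSA key and signs tmpl with parentKey; a nil
// parent means self-signed, which is how the CA itself is created.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates the webhook's CA, valid for caRotate (the CARotateInterval);
// the "-ca" suffix on the CN is an assumption of this example.
func newCA(webhookName string, caRotate time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: webhookName + "-ca"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(caRotate),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// newServiceCert issues one Service's serving cert with the fields the docs
// list: CN = webhook name, SANs svc, svc.ns and svc.ns.svc, and the
// DigitalSignature, KeyEncipherment and ServerAuth usages.
func newServiceCert(ca *x509.Certificate, caKey *rsa.PrivateKey, webhookName, svc, ns string, certRotate time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: webhookName},
		DNSNames:     []string{svc, svc + "." + ns, svc + "." + ns + ".svc"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(certRotate),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}
```

To model CAOverlapInterval, load both the previous and the current CA into an x509.CertPool and call the leaf's Verify with one of the three SANs as DNSName: a service cert signed by the previous CA keeps verifying exactly as long as that CA remains in the caBundle.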
Add creates a new Node Controller and adds it to the Manager. The Manager will set fields on the Controller and Start it when the Manager is Started.
func (*Manager) Reconcile
func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error)
Reconcile reads the state of the cluster for a Node object and makes changes based on the state read and what is in the Node.Spec. Note: the Controller will requeue the Request to be processed again if the returned error is non-nil or Result.Requeue is true; otherwise, upon completion, it will remove the work from the queue.
type Options (added in v0.12.0)
type Options struct {
	// WebhookName is the Mutating or Validating Webhook configuration name
	WebhookName string
	// WebhookType is the Mutating or Validating Webhook configuration type
	WebhookType WebhookType
	// Namespace is where the CA secret will be created, or the service secrets
	// for a ClientConfig that has a URL instead of a ServiceRef
	Namespace string
	// CARotateInterval is the configured duration for the CA and its certificate
	CARotateInterval time.Duration
	// CAOverlapInterval is the duration CA certificates stay in the CABundle; if
	// not set it defaults to CARotateInterval
	CAOverlapInterval time.Duration
	// CertRotateInterval is the configured duration of service certificates; if
	// the webhook configuration references different services, all of them
	// share the same duration
	CertRotateInterval time.Duration
	// CertOverlapInterval is the duration service certificates stay in the bundle;
	// if not set it defaults to CertRotateInterval
	CertOverlapInterval time.Duration
	// ExtraLabels are extra labels that will be added to created secrets
	ExtraLabels map[string]string
}
type WebhookType
type WebhookType string
const (
	MutatingWebhook   WebhookType = "Mutating"
	ValidatingWebhook WebhookType = "Validating"
	OneYearDuration               = 365 * 24 * time.Hour
)