certrotation

package
v0.0.0-...-a892dfa Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2019 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
)
View Source
const (
	// ManagedCertificateTypeLabelName marks config map or secret as object that contains managed certificates.
	// This groups all objects that store certs and allow easy query to get them all.
	// The value of this label should be set to "true".
	ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type"
)

Variables

This section is empty.

Functions

func GetCertRotationScale

func GetCertRotationScale(client kubernetes.Interface, namespace string) (time.Duration, error)

GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.

func LabelAsManagedConfigMap

func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)

LabelAsManagedConfigMap add label indicating the given config map contains certificates that are managed.

func LabelAsManagedSecret

func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)

LabelAsManagedConfigMap add label indicating the given secret contains certificates that are managed.

Types

type CABundleRotation

type CABundleRotation struct {
	Namespace string
	Name      string

	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}

CABundleRotation maintains a CA bundle config map, but adding new CA certs and removing expired old ones.

type CertRotationController

type CertRotationController struct {
	SigningRotation  SigningRotation
	CABundleRotation CABundleRotation
	TargetRotation   TargetRotation
	OperatorClient   v1helpers.StaticPodOperatorClient
	// contains filtered or unexported fields
}

CertRotationController does:

  1. continuously create a self-signed signing CA (via SigningRotation). It creates the next one when a given percentage of the validity of the old CA has passed.
  2. maintain a CA bundle with all not yet expired CA certs.
  3. continuously create a target cert and key signed by the latest signing CA It creates the next one when a given percentage of the validity of the previous cert has passed, or when a new CA has been created.

func NewCertRotationController

func NewCertRotationController(
	name string,
	signingRotation SigningRotation,
	caBundleRotation CABundleRotation,
	targetRotation TargetRotation,
	operatorClient v1helpers.StaticPodOperatorClient,
) (*CertRotationController, error)

func (*CertRotationController) Run

func (c *CertRotationController) Run(workers int, stopCh <-chan struct{})

func (*CertRotationController) RunOnce

func (c *CertRotationController) RunOnce() error

RunOnce will run the cert rotation logic, but will not try to update the static pod status. This eliminates the need to pass an OperatorClient and avoids dubious writes and status.

func (*CertRotationController) WaitForReady

func (c *CertRotationController) WaitForReady(stopCh <-chan struct{})

type CertificateType

type CertificateType string
var (
	CertificateTypeCABundle CertificateType = "ca-bundle"
	CertificateTypeSigner   CertificateType = "signer"
	CertificateTypeTarget   CertificateType = "target"
	CertificateTypeUnknown  CertificateType = "unknown"
)

func CertificateTypeFromObject

func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)

CertificateTypeFromObject returns the CertificateType based on the annotations of the object.

type ClientRotation

type ClientRotation struct {
	UserInfo user.Info
}

func (*ClientRotation) NeedNewTargetCertKeyPair

func (r *ClientRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ClientRotation) NewCertificate

func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ClientRotation) SetAnnotations

func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type ServingHostnameFunc

type ServingHostnameFunc func() []string

type ServingRotation

type ServingRotation struct {
	Hostnames              ServingHostnameFunc
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}

func (*ServingRotation) NeedNewTargetCertKeyPair

func (r *ServingRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*ServingRotation) NewCertificate

func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*ServingRotation) RecheckChannel

func (r *ServingRotation) RecheckChannel() <-chan struct{}

func (*ServingRotation) SetAnnotations

func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SignerRotation

type SignerRotation struct {
	SignerName string
}

func (*SignerRotation) NeedNewTargetCertKeyPair

func (r *SignerRotation) NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string

func (*SignerRotation) NewCertificate

func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)

func (*SignerRotation) SetAnnotations

func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SigningRotation

type SigningRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when <RefreshPercentage> of the lifetime of the old CA has passed.

type TargetCertCreator

type TargetCertCreator interface {
	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
	NeedNewTargetCertKeyPair(annotations map[string]string, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration) string
	// SetAnnotations gives an option to override or set additional annotations
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}

type TargetCertRechecker

type TargetCertRechecker interface {
	RecheckChannel() <-chan struct{}
}

type TargetRotation

type TargetRotation struct {
	Namespace string
	Name      string
	Validity  time.Duration
	Refresh   time.Duration

	CertCreator TargetCertCreator

	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

TargetRotation rotates a key and cert signed by a CA. It creates a new one when <RefreshPercentage> of the lifetime of the old cert has passed, or if the common name of the CA changes.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL