certificate

package
v0.0.0-...-cf23810 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 24, 2017 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func UpdateTransport

func UpdateTransport(stopCh <-chan struct{}, clientConfig *restclient.Config, clientCertificateManager Manager) error

UpdateTransport instruments a restconfig with a transport that dynamically uses certificates provided by the manager for TLS client auth.

The config must not already provide an explicit transport.

The returned transport periodically checks the manager to determine if the certificate has changed. If it has, the transport shuts down all existing client connections, forcing the client to re-handshake with the server and use the new certificate.

stopCh should be used to indicate when the transport is unused and doesn't need to continue checking the manager.

Types

type Config

type Config struct {
	// CertificateSigningRequestClient will be used for signing new certificate
	// requests generated when a key rotation occurs. It must be set either at
	// initialization or by using CertificateSigningRequestClient before
	// Manager.Start() is called.
	CertificateSigningRequestClient certificatesclient.CertificateSigningRequestInterface
	// Template is the CertificateRequest that will be used as a template for
	// generating certificate signing requests for all new keys generated as
	// part of rotation. It follows the same rules as the template parameter of
	// crypto.x509.CreateCertificateRequest in the Go standard libraries.
	Template *x509.CertificateRequest
	// Usages is the types of usages that certificates generated by the manager
	// can be used for.
	Usages []certificates.KeyUsage
	// CertificateStore is a persistent store where the current cert/key is
	// kept and future cert/key pairs will be persisted after they are
	// generated.
	CertificateStore Store
	// BootstrapCertificatePEM is the certificate data that will be returned
	// from the Manager if the CertificateStore doesn't have any cert/key pairs
	// currently available and has not yet had a chance to get a new cert/key
	// pair from the API. If the CertificateStore does have a cert/key pair,
	// this will be ignored. If there is no cert/key pair available in the
	// CertificateStore, as soon as Start is called, it will request a new
	// cert/key pair from the CertificateSigningRequestClient. This is intended
	// to allow the first boot of a component to be initialized using a
	// generic, multi-use cert/key pair which will be quickly replaced with a
	// unique cert/key pair.
	BootstrapCertificatePEM []byte
	// BootstrapKeyPEM is the key data that will be returned from the Manager
	// if the CertificateStore doesn't have any cert/key pairs currently
	// available. If the CertificateStore does have a cert/key pair, this will
	// be ignored. If the bootstrap cert/key pair are used, they will be
	// rotated at the first opportunity, possibly well in advance of expiring.
	// This is intended to allow the first boot of a component to be
	// initialized using a generic, multi-use cert/key pair which will be
	// quickly replaced with a unique cert/key pair.
	BootstrapKeyPEM []byte
}

Config is the set of configuration parameters available for a new Manager.

type Manager

type Manager interface {
	// CertificateSigningRequestClient sets the client interface that is used for
	// signing new certificates generated as part of rotation.
	SetCertificateSigningRequestClient(certificatesclient.CertificateSigningRequestInterface) error
	// Start the API server status sync loop.
	Start()
	// Current returns the currently selected certificate from the
	// certificate manager, as well as the associated certificate and key data
	// in PEM format.
	Current() *tls.Certificate
}

Manager maintains and updates the certificates in use by this certificate manager. In the background it communicates with the API server to get new certificates for certificates about to expire.

func NewKubeletClientCertificateManager

func NewKubeletClientCertificateManager(certDirectory string, nodeName types.NodeName, certData []byte, keyData []byte, certFile string, keyFile string) (Manager, error)

NewKubeletClientCertificateManager sets up a certificate manager without a client that can be used to sign new certificates (or rotate). It answers with whatever certificate it is initialized with. If a CSR client is set later, it may begin rotating/renewing the client cert

func NewKubeletServerCertificateManager

func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg *kubeletconfig.KubeletConfiguration, nodeName types.NodeName, ips []net.IP, hostnames []string, certDirectory string) (Manager, error)

NewKubeletServerCertificateManager creates a certificate manager for the kubelet when retrieving a server certificate or returns an error.

func NewManager

func NewManager(config *Config) (Manager, error)

NewManager returns a new certificate manager. A certificate manager is responsible for being the authoritative source of certificates in the Kubelet and handling updates due to rotation.

type NoCertKeyError

type NoCertKeyError string

NoCertKeyError indicates there is no cert/key currently available.

func (*NoCertKeyError) Error

func (e *NoCertKeyError) Error() string

type Store

type Store interface {
	// Current returns the currently selected certificate, as well as the
	// associated certificate and key data in PEM format. If the Store doesn't
	// have a cert/key pair currently, it should return a NoCertKeyError so
	// that the Manager can recover by using bootstrap certificates to request
	// a new cert/key pair.
	Current() (*tls.Certificate, error)
	// Update accepts the PEM data for the cert/key pair and makes the new
	// cert/key pair the 'current' pair, that will be returned by future calls
	// to Current().
	Update(cert, key []byte) (*tls.Certificate, error)
}

Store is responsible for getting and updating the current certificate. Depending on the concrete implementation, the backing store for this behavior may vary.

func NewFileStore

func NewFileStore(
	pairNamePrefix string,
	certDirectory string,
	keyDirectory string,
	certFile string,
	keyFile string) (Store, error)

NewFileStore returns a concrete implementation of a Store that is based on storing the cert/key pairs in a single file per pair on disk in the designated directory. When starting up it will look for the currently selected cert/key pair in:

1. ${certDirectory}/${pairNamePrefix}-current.pem - both cert and key are in the same file. 2. ${certFile}, ${keyFile} 3. ${certDirectory}/${pairNamePrefix}.crt, ${keyDirectory}/${pairNamePrefix}.key

The first one found will be used. If rotation is enabled, future cert/key updates will be written to the ${certDirectory} directory and ${certDirectory}/${pairNamePrefix}-current.pem will be created as a soft link to the currently selected cert/key pair.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL