Documentation ¶
Index ¶
- Variables
- func GetHumanCertDetail(certificate *x509.Certificate) string
- type CAContentProvider
- type CertKeyContentProvider
- type ConfigMapCAController
- func (c *ConfigMapCAController) AddListener(listener Listener)
- func (c *ConfigMapCAController) CurrentCABundleContent() []byte
- func (c *ConfigMapCAController) Name() string
- func (c *ConfigMapCAController) Run(workers int, stopCh <-chan struct{})
- func (c *ConfigMapCAController) RunOnce() error
- func (c *ConfigMapCAController) VerifyOptions() (x509.VerifyOptions, bool)
- type ControllerRunner
- type DynamicCertKeyPairContent
- func (c *DynamicCertKeyPairContent) AddListener(listener Listener)
- func (c *DynamicCertKeyPairContent) CurrentCertKeyContent() ([]byte, []byte)
- func (c *DynamicCertKeyPairContent) Name() string
- func (c *DynamicCertKeyPairContent) Run(workers int, stopCh <-chan struct{})
- func (c *DynamicCertKeyPairContent) RunOnce() error
- type DynamicFileCAContent
- func (c *DynamicFileCAContent) AddListener(listener Listener)
- func (c *DynamicFileCAContent) CurrentCABundleContent() (cabundle []byte)
- func (c *DynamicFileCAContent) Name() string
- func (c *DynamicFileCAContent) Run(workers int, stopCh <-chan struct{})
- func (c *DynamicFileCAContent) RunOnce() error
- func (c *DynamicFileCAContent) VerifyOptions() (x509.VerifyOptions, bool)
- type DynamicFileSNIContent
- type DynamicServingCertificateController
- func (c *DynamicServingCertificateController) BuildNamedCertificates(sniCerts []sniCertKeyContent) (map[string]*tls.Certificate, error)
- func (c *DynamicServingCertificateController) Enqueue()
- func (c *DynamicServingCertificateController) GetConfigForClient(clientHello *tls.ClientHelloInfo) (*tls.Config, error)
- func (c *DynamicServingCertificateController) Run(workers int, stopCh <-chan struct{})
- func (c *DynamicServingCertificateController) RunOnce() error
- type Listener
- type Notifier
- type SNICertKeyContentProvider
Constants ¶
This section is empty.
Variables ¶
var FileRefreshDuration = 1 * time.Minute
FileRefreshDuration is exposed so that integration tests can crank up the reload speed.
Functions ¶
func GetHumanCertDetail ¶
func GetHumanCertDetail(certificate *x509.Certificate) string
GetHumanCertDetail is a convenience method for printing compact details of a certificate, which helps when debugging kube-apiserver usage of certs.
Types ¶
type CAContentProvider ¶
type CAContentProvider interface { Notifier // Name is just an identifier. Name() string // CurrentCABundleContent provides ca bundle byte content. Errors can be // contained to the controllers initializing the value. By the time you get // here, you should always be returning a value that won't fail. CurrentCABundleContent() []byte // VerifyOptions provides VerifyOptions for authenticators. VerifyOptions() (x509.VerifyOptions, bool) }
CAContentProvider provides CA bundle byte content.
func NewStaticCAContent ¶
func NewStaticCAContent(name string, caBundle []byte) (CAContentProvider, error)
NewStaticCAContent returns a CAContentProvider that always returns the same value
func NewUnionCAContentProvider ¶
func NewUnionCAContentProvider(caContentProviders ...CAContentProvider) CAContentProvider
NewUnionCAContentProvider returns a CAContentProvider that is a union of other CAContentProviders
type CertKeyContentProvider ¶
type CertKeyContentProvider interface { Notifier // Name is just an identifier. Name() string // CurrentCertKeyContent provides cert and key byte content. CurrentCertKeyContent() ([]byte, []byte) }
CertKeyContentProvider provides a certificate and matching private key.
func NewStaticCertKeyContent ¶
func NewStaticCertKeyContent(name string, cert, key []byte) (CertKeyContentProvider, error)
NewStaticCertKeyContent returns a CertKeyContentProvider that always returns the same value
type ConfigMapCAController ¶
type ConfigMapCAController struct {
// contains filtered or unexported fields
}
ConfigMapCAController provides a CAContentProvider that can dynamically react to configmap changes. It also fulfills the authenticator interface to provide VerifyOptions.
func NewDynamicCAFromConfigMapController ¶
func NewDynamicCAFromConfigMapController(purpose, namespace, name, key string, kubeClient kubernetes.Interface) (*ConfigMapCAController, error)
NewDynamicCAFromConfigMapController returns a CAContentProvider based on a configmap that automatically reloads content. It is near-realtime via an informer.
func (*ConfigMapCAController) AddListener ¶
func (c *ConfigMapCAController) AddListener(listener Listener)
AddListener adds a listener to be notified when the CA content changes.
func (*ConfigMapCAController) CurrentCABundleContent ¶
func (c *ConfigMapCAController) CurrentCABundleContent() []byte
CurrentCABundleContent provides ca bundle byte content
func (*ConfigMapCAController) Name ¶
func (c *ConfigMapCAController) Name() string
Name is just an identifier
func (*ConfigMapCAController) Run ¶
func (c *ConfigMapCAController) Run(workers int, stopCh <-chan struct{})
Run starts the controller and blocks until stopCh is closed.
func (*ConfigMapCAController) RunOnce ¶
func (c *ConfigMapCAController) RunOnce() error
RunOnce runs a single sync loop
func (*ConfigMapCAController) VerifyOptions ¶
func (c *ConfigMapCAController) VerifyOptions() (x509.VerifyOptions, bool)
VerifyOptions provides x509.VerifyOptions compatible with authenticators.
type ControllerRunner ¶
type ControllerRunner interface { // RunOnce runs the sync loop a single time. This useful for synchronous priming RunOnce() error // Run should be called a go .Run Run(workers int, stopCh <-chan struct{}) }
ControllerRunner is a generic interface for starting a controller
type DynamicCertKeyPairContent ¶
type DynamicCertKeyPairContent struct {
// contains filtered or unexported fields
}
DynamicCertKeyPairContent provides a CertKeyContentProvider that can dynamically react to new file content
func NewDynamicServingContentFromFiles ¶
func NewDynamicServingContentFromFiles(purpose, certFile, keyFile string) (*DynamicCertKeyPairContent, error)
NewDynamicServingContentFromFiles returns a dynamic CertKeyContentProvider based on cert and key filenames.
func (*DynamicCertKeyPairContent) AddListener ¶
func (c *DynamicCertKeyPairContent) AddListener(listener Listener)
AddListener adds a listener to be notified when the serving cert content changes.
func (*DynamicCertKeyPairContent) CurrentCertKeyContent ¶
func (c *DynamicCertKeyPairContent) CurrentCertKeyContent() ([]byte, []byte)
CurrentCertKeyContent provides cert and key byte content
func (*DynamicCertKeyPairContent) Name ¶
func (c *DynamicCertKeyPairContent) Name() string
Name is just an identifier
func (*DynamicCertKeyPairContent) Run ¶
func (c *DynamicCertKeyPairContent) Run(workers int, stopCh <-chan struct{})
Run starts the controller and blocks until stopCh is closed.
func (*DynamicCertKeyPairContent) RunOnce ¶
func (c *DynamicCertKeyPairContent) RunOnce() error
RunOnce runs a single sync loop
type DynamicFileCAContent ¶
type DynamicFileCAContent struct {
// contains filtered or unexported fields
}
DynamicFileCAContent provides a CAContentProvider that can dynamically react to new file content. It also fulfills the authenticator interface to provide VerifyOptions.
func NewDynamicCAContentFromFile ¶
func NewDynamicCAContentFromFile(purpose, filename string) (*DynamicFileCAContent, error)
NewDynamicCAContentFromFile returns a CAContentProvider based on a filename whose content is automatically reloaded.
func (*DynamicFileCAContent) AddListener ¶
func (c *DynamicFileCAContent) AddListener(listener Listener)
AddListener adds a listener to be notified when the CA content changes.
func (*DynamicFileCAContent) CurrentCABundleContent ¶
func (c *DynamicFileCAContent) CurrentCABundleContent() (cabundle []byte)
CurrentCABundleContent provides ca bundle byte content
func (*DynamicFileCAContent) Name ¶
func (c *DynamicFileCAContent) Name() string
Name is just an identifier
func (*DynamicFileCAContent) Run ¶
func (c *DynamicFileCAContent) Run(workers int, stopCh <-chan struct{})
Run starts the controller and blocks until stopCh is closed.
func (*DynamicFileCAContent) RunOnce ¶
func (c *DynamicFileCAContent) RunOnce() error
RunOnce runs a single sync loop
func (*DynamicFileCAContent) VerifyOptions ¶
func (c *DynamicFileCAContent) VerifyOptions() (x509.VerifyOptions, bool)
VerifyOptions provides x509.VerifyOptions compatible with authenticators.
type DynamicFileSNIContent ¶
type DynamicFileSNIContent struct { *DynamicCertKeyPairContent // contains filtered or unexported fields }
DynamicFileSNIContent provides a SNICertKeyContentProvider that can dynamically react to new file content
func NewDynamicSNIContentFromFiles ¶
func NewDynamicSNIContentFromFiles(purpose, certFile, keyFile string, sniNames ...string) (*DynamicFileSNIContent, error)
NewDynamicSNIContentFromFiles returns a dynamic SNICertKeyContentProvider based on cert and key filenames and explicitly set SNI names.
func (*DynamicFileSNIContent) SNINames ¶
func (c *DynamicFileSNIContent) SNINames() []string
SNINames returns explicitly set SNI names for the certificate. These are not dynamic.
type DynamicServingCertificateController ¶
type DynamicServingCertificateController struct {
// contains filtered or unexported fields
}
DynamicServingCertificateController dynamically loads certificates and provides a Go tls-compatible dynamic GetCertificate func.
func NewDynamicServingCertificateController ¶
func NewDynamicServingCertificateController( baseTLSConfig *tls.Config, clientCA CAContentProvider, servingCert CertKeyContentProvider, sniCerts []SNICertKeyContentProvider, eventRecorder events.EventRecorder, ) *DynamicServingCertificateController
NewDynamicServingCertificateController returns a controller that can be used to keep a TLSConfig up to date.
func (*DynamicServingCertificateController) BuildNamedCertificates ¶
func (c *DynamicServingCertificateController) BuildNamedCertificates(sniCerts []sniCertKeyContent) (map[string]*tls.Certificate, error)
BuildNamedCertificates returns a map of *tls.Certificate by name. It is suitable for use in tls.Config#NamedCertificates. It returns an error if any of the certs is invalid, and returns nil if len(certs) == 0.
func (*DynamicServingCertificateController) Enqueue ¶
func (c *DynamicServingCertificateController) Enqueue()
Enqueue is a method that allows separate control loops to trigger the certificate controller to re-read its content.
func (*DynamicServingCertificateController) GetConfigForClient ¶
func (c *DynamicServingCertificateController) GetConfigForClient(clientHello *tls.ClientHelloInfo) (*tls.Config, error)
GetConfigForClient is an implementation of tls.Config.GetConfigForClient.
func (*DynamicServingCertificateController) Run ¶
func (c *DynamicServingCertificateController) Run(workers int, stopCh <-chan struct{})
Run starts the controller and blocks until stopCh is closed.
func (*DynamicServingCertificateController) RunOnce ¶
func (c *DynamicServingCertificateController) RunOnce() error
RunOnce runs a single sync step to ensure that we have a valid starting configuration.
type Listener ¶
type Listener interface {
// Enqueue should be called when an input may have changed
Enqueue()
}
Listener is an interface to use to notify interested parties of a change.
type Notifier ¶
type Notifier interface { // AddListener is adds a listener to be notified of potential input changes. // This is a noop on static providers. AddListener(listener Listener) }
Notifier is a way to add listeners.
type SNICertKeyContentProvider ¶
type SNICertKeyContentProvider interface { Notifier CertKeyContentProvider // SNINames provides names used for SNI. May return nil. SNINames() []string }
SNICertKeyContentProvider provides a certificate and matching private key as well as optional explicit names.
func NewStaticSNICertKeyContent ¶
func NewStaticSNICertKeyContent(name string, cert, key []byte, sniNames ...string) (SNICertKeyContentProvider, error)
NewStaticSNICertKeyContent returns a SNICertKeyContentProvider that always returns the same value