Constants ¶
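const (
	// TLSKey is the key in the TLS secret for the private key of TLS servers.
	TLSKey = "tls.key"
	// TLSCrt is the key in the TLS secret for the certificate of TLS servers
	// (the PEM-encoded certificate, not merely a public key; it is paired with TLSKey).
	TLSCrt = "tls.crt"
	// DefaultMinTLSVersion is the default minimum TLS version for servers and clients.
	// TLS 1.0 and 1.1 are deprecated (RFC 8996); do not lower this value.
	DefaultMinTLSVersion = tls.VersionTLS12
	// SecretCACert is the key in the secret holding the CA certificate.
	// (The comment previously named this constant SecretCACrt; the identifier is SecretCACert.)
	SecretCACert = "ca.crt"
	// IMCDispatcherServerTLSSecretName is the name of the tls secret for the imc dispatcher server.
	IMCDispatcherServerTLSSecretName = "imc-dispatcher-server-tls" //nolint:gosec // This is not a hardcoded credential
	// JobSinkDispatcherServerTLSSecretName is the name of the tls secret for the job sink dispatcher server.
	JobSinkDispatcherServerTLSSecretName = "job-sink-server-tls" //nolint:gosec // This is not a hardcoded credential
	// BrokerFilterServerTLSSecretName is the name of the tls secret for the broker filter server.
	BrokerFilterServerTLSSecretName = "mt-broker-filter-server-tls" //nolint:gosec // This is not a hardcoded credential
	// BrokerIngressServerTLSSecretName is the name of the tls secret for the broker ingress server.
	BrokerIngressServerTLSSecretName = "mt-broker-ingress-server-tls" //nolint:gosec // This is not a hardcoded credential
)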
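const (
	// TrustBundleLabelKey is the label key for trust bundles configmaps.
	TrustBundleLabelKey = "networking.knative.dev/trust-bundle"
	// TrustBundleLabelValue is the label value for trust bundles configmaps.
	TrustBundleLabelValue = "true"
	// TrustBundleLabelSelector is the ConfigMap label selector for trust bundles,
	// i.e. "<TrustBundleLabelKey>=<TrustBundleLabelValue>".
	TrustBundleLabelSelector = TrustBundleLabelKey + "=" + TrustBundleLabelValue
	// TrustBundleMountPath is the directory under which trust bundle ConfigMaps
	// are mounted into pods (see AddTrustBundleVolumes).
	TrustBundleMountPath = "/knative-custom-certs"
	// TrustBundleVolumeNamePrefix is the prefix of the pod volume names created
	// for trust bundle ConfigMaps.
	TrustBundleVolumeNamePrefix = "kne-bundle-"
	// TrustBundleConfigMapNameSuffix is the suffix used for the ConfigMap names
	// produced by PropagateTrustBundles.
	TrustBundleConfigMapNameSuffix = "kne-bundle"
)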
Variables ¶
var (
	// TrustBundleSelector selects the ConfigMaps labelled as trust bundles,
	// i.e. those carrying TrustBundleLabelKey=TrustBundleLabelValue.
	TrustBundleSelector = labels.Set{TrustBundleLabelKey: TrustBundleLabelValue}.AsSelector()
)
Functions ¶
func AddTrustBundleVolumes ¶ added in v0.40.0
func AddTrustBundleVolumes(trustBundleLister corev1listers.ConfigMapLister, obj kmeta.Accessor, pt *corev1.PodSpec) (*corev1.PodSpec, error)
func GetTLSClientConfig ¶
func GetTLSClientConfig(config ClientConfig) (*tls.Config, error)
GetTLSClientConfig returns a tls.Config built from the given ClientConfig.
func GetTLSServerConfig ¶
func GetTLSServerConfig(config ServerConfig) (*tls.Config, error)
func IsHttpsSink ¶
IsHttpsSink reports whether the sink URL's scheme is https.
func PropagateTrustBundles ¶ added in v0.40.0
func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustBundleConfigMapLister corev1listers.ConfigMapLister, gvk schema.GroupVersionKind, obj kmeta.Accessor) error
PropagateTrustBundles copies the trust bundle ConfigMaps (those matching the TrustBundleLabelSelector label) from system.Namespace() into the namespace of obj.
Types ¶
type ClientConfig ¶
// ClientConfig holds the inputs GetTLSClientConfig uses to build a client tls.Config.
type ClientConfig struct {
	// CACerts are Certification Authority (CA) certificates in PEM format
	// according to https://www.rfc-editor.org/rfc/rfc7468.
	// These are the roots the client trusts when verifying the sink's server certificate.
	// NOTE(review): nil presumably means "no explicit CA, fall back to the default
	// trust store" — confirm against GetTLSClientConfig.
	CACerts *string
	// TrustBundleConfigMapLister is a ConfigMap lister to list trust bundles ConfigMaps
	// (the ConfigMaps labelled with TrustBundleLabelSelector).
	TrustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister
}
func NewDefaultClientConfig ¶
func NewDefaultClientConfig() ClientConfig
NewDefaultClientConfig returns a default ClientConfig.
type GetCertificate ¶
// GetCertificate returns a Certificate based on the given ClientHelloInfo. It has
// the same signature as tls.Config.GetCertificate, so a value can be assigned there
// directly. See GetCertificateFromSecret for an implementation backed by a Secret.
type GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns a Certificate based on the given ClientHelloInfo. It will only be called if the client supplies SNI information or if Certificates is empty.
If GetCertificate is nil or returns nil, then the certificate is retrieved from NameToCertificate. If NameToCertificate is nil, the best element of Certificates will be used.
func GetCertificateFromSecret ¶
func GetCertificateFromSecret(ctx context.Context, informer coreinformersv1.SecretInformer, kube kubernetes.Interface, secret types.NamespacedName) GetCertificate
GetCertificateFromSecret returns a GetCertificate function that always serves the latest certificate present in the given secret, so that a rotated certificate is picked up without restarting the server.
The secret must contain at least the two data keys named by the TLSKey and TLSCrt constants (the PEM private key and certificate respectively).
type ServerConfig ¶
// ServerConfig holds the inputs GetTLSServerConfig uses to build a server tls.Config.
type ServerConfig struct {
	// GetCertificate returns a Certificate based on the given
	// ClientHelloInfo. It will only be called if the client supplies SNI
	// information or if Certificates is empty.
	//
	// If GetCertificate is nil or returns nil, then the certificate is
	// retrieved from NameToCertificate. If NameToCertificate is nil, the
	// best element of Certificates will be used.
	//
	// GetCertificateFromSecret produces a suitable value that follows
	// certificate rotation in a Secret.
	GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
}
func NewDefaultServerConfig ¶
func NewDefaultServerConfig() ServerConfig
type ServerManager ¶ added in v0.38.0
type ServerManager struct {
// contains filtered or unexported fields
}
ServerManager manages the HTTP and HTTPS servers of a component. It relies on the `transport-encryption` feature flag to determine which server(s) should accept requests; a server that should not accept requests has its handler replaced by one that responds with 404 (Not Found), so nothing is served on that listener.
- disabled: only the HTTP server accepts requests
- permissive: both the HTTP and HTTPS servers accept requests
- strict: only the HTTPS server accepts requests (plaintext HTTP requests get a 404)
func NewServerManager ¶ added in v0.38.0
func (*ServerManager) StartServers ¶ added in v0.38.0
func (s *ServerManager) StartServers(ctx context.Context) error
StartServers is a blocking call: it starts both the HTTP and HTTPS servers and does not return while they are running.