Documentation ¶
Overview ¶
Package csr contains the hub-side reconciler for auto-approving the renewal CertificateSigningRequests of an accepted managed cluster, and the agent-side driver that requests CSRs.
Index ¶
- Constants
- func GetClusterAgentNamesFromCertificate(certData []byte) (clusterName, agentName string, err error)
- func NewCSRApprover(kubeClient kubernetes.Interface, kubeInformers informers.SharedInformerFactory, ...) (register.Approver, error)
- func NewCSRApprovingController[T CSR](csrInformer cache.SharedIndexInformer, lister CSRLister[T], ...) factory.Controller
- func NewCSRDriver() register.RegisterDriver
- type CSR
- type CSRApprover
- type CSRControl
- type CSRDriver
- func (c *CSRDriver) BuildKubeConfigFromTemplate(kubeConfig *clientcmdapi.Config) *clientcmdapi.Config
- func (c *CSRDriver) InformerHandler(option any) (cache.SharedIndexInformer, factory.EventFilterFunc)
- func (c *CSRDriver) IsHubKubeConfigValid(ctx context.Context, secretOption register.SecretOption) (bool, error)
- func (c *CSRDriver) Process(ctx context.Context, controllerName string, secret *corev1.Secret, ...) (*corev1.Secret, *metav1.Condition, error)
- type CSRLister
- type CSROption
- type Reconciler
Constants ¶
const ( // TLSKeyFile is the name of tls key file in kubeconfigSecret TLSKeyFile = "tls.key" // TLSCertFile is the name of the tls cert file in kubeconfigSecret TLSCertFile = "tls.crt" // ClusterCertificateRotatedCondition is a condition type that client certificate is rotated ClusterCertificateRotatedCondition = "ClusterCertificateRotated" )
Variables ¶
This section is empty.
Functions ¶
func GetClusterAgentNamesFromCertificate ¶
func GetClusterAgentNamesFromCertificate(certData []byte) (clusterName, agentName string, err error)
GetClusterAgentNamesFromCertificate returns the cluster name and agent name by parsing the common name of the certificate.
func NewCSRApprover ¶
func NewCSRApprover( kubeClient kubernetes.Interface, kubeInformers informers.SharedInformerFactory, clusterAutoApprovalUsers []string, recorder events.Recorder) (register.Approver, error)
func NewCSRApprovingController ¶
func NewCSRApprovingController[T CSR]( csrInformer cache.SharedIndexInformer, lister CSRLister[T], approver csrApprover[T], reconcilers []Reconciler, recorder events.Recorder) factory.Controller
NewCSRApprovingController creates a new CSR approving controller.
func NewCSRDriver ¶
func NewCSRDriver() register.RegisterDriver
Types ¶
type CSR ¶
type CSR interface { *certificatesv1.CertificateSigningRequest | *certificatesv1beta1.CertificateSigningRequest }
type CSRApprover ¶
type CSRApprover struct {
// contains filtered or unexported fields
}
func (*CSRApprover) Cleanup ¶
func (c *CSRApprover) Cleanup(_ context.Context, _ *clusterv1.ManagedCluster) error
Cleanup is run when the cluster is being deleted or hubAcceptClient is set to false.
type CSRControl ¶
type CSRControl interface { // Informer is public so we can add indexer outside Informer() cache.SharedIndexInformer // contains filtered or unexported methods }
func NewCSRControl ¶
func NewCSRControl(logger klog.Logger, hubCSRInformer certificatesinformers.Interface, hubKubeClient kubernetes.Interface) (CSRControl, error)
type CSRDriver ¶
type CSRDriver struct {
// contains filtered or unexported fields
}
func (*CSRDriver) BuildKubeConfigFromTemplate ¶
func (c *CSRDriver) BuildKubeConfigFromTemplate(kubeConfig *clientcmdapi.Config) *clientcmdapi.Config
func (*CSRDriver) InformerHandler ¶
func (c *CSRDriver) InformerHandler(option any) (cache.SharedIndexInformer, factory.EventFilterFunc)
func (*CSRDriver) IsHubKubeConfigValid ¶
type CSROption ¶
type CSROption struct { // ObjectMeta is the ObjectMeta shared by all created csrs. It should use GenerateName instead of Name // to generate random csr names ObjectMeta metav1.ObjectMeta // Subject represents the subject of the client certificate used to create csrs Subject *pkix.Name // DNSNames represents DNS names used to create the client certificate DNSNames []string // SignerName is the name of the signer specified in the created csrs SignerName string // ExpirationSeconds is the requested duration of validity of the issued // certificate. // Certificate signers may not honor this field for various reasons: // // 1. Old signer that is unaware of the field (such as the in-tree // implementations prior to v1.22) // 2. Signer whose configured maximum is shorter than the requested duration // 3. Signer whose configured minimum is longer than the requested duration // // The minimum valid value for expirationSeconds is 3600, i.e. 1 hour. ExpirationSeconds *int32 // EventFilterFunc matches csrs created with above options EventFilterFunc factory.EventFilterFunc CSRControl CSRControl // HaltCSRCreation halt the csr creation HaltCSRCreation func() bool }
CSROption includes the options that are used to create and monitor CSRs.
type Reconciler ¶
type Reconciler interface {
Reconcile(context.Context, csrInfo, approveCSRFunc) (reconcileState, error)
}
func NewCSRBootstrapReconciler ¶
func NewCSRBootstrapReconciler(kubeClient kubernetes.Interface, approvalUsers []string, recorder events.Recorder) Reconciler
func NewCSRRenewalReconciler ¶
func NewCSRRenewalReconciler(kubeClient kubernetes.Interface, recorder events.Recorder) Reconciler