README
¶
This controller is used to generate a self-signed CA Bundle configMap and serving cert secrets in a specified namespace.
Usage
- New a controller and start.
servingcert.NewServingCertController("my-namespace", kubeClient).
WithTargetServingCerts([]servingcert.TargetServingCertOptions{
{
Name: "my-target-serving-cert",
HostNames: []string{"my-target-serving-cert.my-namespace.svc"},
},
}).Start(ctx)
The controller will create an CA Bundle configMap named ca-bundle-configmap which is self-signed
with the singer secret named signer-secret. And the target serving cert secret "my-target-serving-cert"
will be signed with the CA Bundle and created in the same namespace.
- Permissions for the
kubeClient.
The RBAC of the kubeClient in NewServingCertController must have GET/LIST/WATCH/CREATE/UPDATE permissions
for the configMap and Secrets in the specified namespace, including the CA Bundle configMap, signer secret, and
all target serving cert secrets.
-
Options:
-
WithSignerNamePrefix(signerNamePrefix string)is to configure the singer name prefix in the certs. The default is<namespace>-singer. -
WithSignerSecretName(secretName string)is to configure the singer secret name for ca bundle. the default issigner-secret. -
WithCABundleConfigmapName(caBundleConfigmapName string)is to configure the ca bundle configMap name. the default isca-bundle-configmap. -
WithSigningCertValidity(validity time.Duration)is to configure the rotation validity time duration for the signing cert and key. The default is 365 days. -
WithTargetCertValidity(validity time.Duration)is to configure the rotation validity time duration for the target serving cert secret. The default is 30 days. -
WithResyncInterval(validity time.Duration)is to configure the re-sync interval for the controller. The default is 10 minutes. -
WithTargetServingCerts(targets []TargetServingCertOptions)is to configure the target serving cert secret name, host names and load dir. The host name is usually<service name>.<namespace>.svc. Load the secret to the local directory if LoadDir is not empty, and thetls.crtandtls.keyfiles will be created in the dir.
-
-
How to get CA Bundle data?
We can get the CA Bundle data from
ca-bundle.crtdata in the CA Bundle configMap.caBundleConfigMap, err := kubeClient.CoreV1().ConfigMaps(namespace).Get(context.Background(), DefaultCABundleConfigmapName, metav1.GetOptions{}) caBundle := caBundleConfigMap.Data["ca-bundle.crt"]
Documentation
¶
Index ¶
- Constants
- type ServingCertController
- func (c *ServingCertController) Start(ctx context.Context)
- func (c *ServingCertController) WithCABundleConfigMapName(caBundleConfigMapName string) *ServingCertController
- func (c *ServingCertController) WithResyncInterval(validity time.Duration) *ServingCertController
- func (c *ServingCertController) WithSignerNamePrefix(signerNamePrefix string) *ServingCertController
- func (c *ServingCertController) WithSignerSecretName(secretName string) *ServingCertController
- func (c *ServingCertController) WithSigningCertValidity(validity time.Duration) *ServingCertController
- func (c *ServingCertController) WithTargetCertValidity(validity time.Duration) *ServingCertController
- func (c *ServingCertController) WithTargetServingCerts(targets []TargetServingCertOptions) *ServingCertController
- type TargetServingCertOptions
Constants ¶
const ( DefaultCABundleConfigmapName = "ca-bundle-configmap" DefaultSignerSecretName = "signer-secret" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ServingCertController ¶
type ServingCertController struct {
// contains filtered or unexported fields
}
func NewServingCertController ¶
func NewServingCertController(namespace string, kubeClient kubernetes.Interface) *ServingCertController
func (*ServingCertController) Start ¶
func (c *ServingCertController) Start(ctx context.Context)
func (*ServingCertController) WithCABundleConfigMapName ¶
func (c *ServingCertController) WithCABundleConfigMapName(caBundleConfigMapName string) *ServingCertController
WithCABundleConfigMapName is to configure the ca bundle configmap name. the default is ca-bundle-configmap.
func (*ServingCertController) WithResyncInterval ¶
func (c *ServingCertController) WithResyncInterval(validity time.Duration) *ServingCertController
WithResyncInterval is to configure the re-sync interval for the controller. The default is 10 minutes.
func (*ServingCertController) WithSignerNamePrefix ¶
func (c *ServingCertController) WithSignerNamePrefix(signerNamePrefix string) *ServingCertController
WithSignerNamePrefix is to configure the singer name prefix in the certs. The default is <namespace>-singer.
func (*ServingCertController) WithSignerSecretName ¶
func (c *ServingCertController) WithSignerSecretName(secretName string) *ServingCertController
WithSignerSecretName is to configure the singer secret name for ca bundle. the default is signer-secret.
func (*ServingCertController) WithSigningCertValidity ¶
func (c *ServingCertController) WithSigningCertValidity(validity time.Duration) *ServingCertController
WithSigningCertValidity is to configure the rotation validity time duration for the signing cert and key. The default is 365 days.
func (*ServingCertController) WithTargetCertValidity ¶
func (c *ServingCertController) WithTargetCertValidity(validity time.Duration) *ServingCertController
WithTargetCertValidity is to configure the rotation validity time duration for the serving cert. The default is 30 days.
func (*ServingCertController) WithTargetServingCerts ¶
func (c *ServingCertController) WithTargetServingCerts(targets []TargetServingCertOptions) *ServingCertController
WithTargetServingCerts is to configure the target serving cert secret name, host names and load dir. The host name is usually <service name>.<namespace>.svc . Load the secret to the local dir if LoadDir is not empty.
Source Files