Documentation ¶
Overview ¶
Package certwatcher is a helper for reloading certificates from disk for use with TLS servers. It provides a helper func `GetCertificate` which can be set on a `tls.Config` and passed into your tls.Listener, so that a rotated certificate and key on disk are picked up by new handshakes without restarting the server. For a detailed example server, see pkg/webhook/server.go.
Example ¶
package main

import (
	"context"
	"crypto/tls"
	"net/http"
	"time"

	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
)

type sampleServer struct {
}

func main() {
	// Setup Context
	ctx := ctrl.SetupSignalHandler()

	// Initialize a new cert watcher with cert/key pair
	watcher, err := certwatcher.New("ssl/tls.crt", "ssl/tls.key")
	if err != nil {
		panic(err)
	}

	// Start goroutine with certwatcher running against supplied cert
	go func() {
		if err := watcher.Start(ctx); err != nil {
			panic(err)
		}
	}()

	// Setup TLS listener using GetCertificate, so every handshake fetches the
	// currently loaded cert and file changes are picked up without a restart
	listener, err := tls.Listen("tcp", "localhost:9443", &tls.Config{
		GetCertificate: watcher.GetCertificate,
		MinVersion:     tls.VersionTLS12,
	})
	if err != nil {
		panic(err)
	}

	// Initialize your tls server
	srv := &http.Server{
		Handler:           &sampleServer{},
		ReadHeaderTimeout: 5 * time.Second,
	}

	// Start goroutine for handling server shutdown.
	go func() {
		<-ctx.Done()
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		defer cancel()
		if err := srv.Shutdown(ctx); err != nil {
			panic(err)
		}
	}()

	// Serve TLS
	if err := srv.Serve(listener); err != nil && err != http.ErrServerClosed {
		panic(err)
	}
}

func (s *sampleServer) ServeHTTP(http.ResponseWriter, *http.Request) {
}
Index ¶
- type CertWatcher
- func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (cw *CertWatcher) ReadCertificate() error
- func (cw *CertWatcher) RegisterCallback(callback func(tls.Certificate))
- func (cw *CertWatcher) Start(ctx context.Context) error
- func (cw *CertWatcher) Watch() deprecated
- func (cw *CertWatcher) WithWatchInterval(interval time.Duration) *CertWatcher
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CertWatcher ¶
CertWatcher watches certificate and key files for changes. It always returns the cached version, but periodically reads and parses certificate and key for changes and calls an optional callback with the new certificate.
func New ¶
func New(certPath, keyPath string) (*CertWatcher, error)
New returns a new CertWatcher watching the given certificate and key.
func (*CertWatcher) GetCertificate ¶
func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate fetches the currently loaded certificate, which may be nil.
func (*CertWatcher) ReadCertificate ¶
func (cw *CertWatcher) ReadCertificate() error
ReadCertificate reads the certificate and key files from disk, parses them, and updates the current certificate on the watcher if their contents have changed. If a callback is set, it is invoked with the new certificate.
func (*CertWatcher) RegisterCallback ¶ added in v0.15.0
func (cw *CertWatcher) RegisterCallback(callback func(tls.Certificate))
RegisterCallback registers a callback to be invoked when the certificate changes.
func (*CertWatcher) Start ¶
func (cw *CertWatcher) Start(ctx context.Context) error
Start starts the watch on the certificate and key files, polling them at the configured watch interval (see WithWatchInterval) until ctx is cancelled.
func (*CertWatcher) Watch ¶ deprecated
func (cw *CertWatcher) Watch()
Watch used to read events from the watcher's channel and react to changes. It currently does nothing and is kept only for backward compatibility until a future release.
Deprecated: fsnotify has been removed and Start() now polls the files instead.
func (*CertWatcher) WithWatchInterval ¶ added in v0.18.6
func (cw *CertWatcher) WithWatchInterval(interval time.Duration) *CertWatcher
WithWatchInterval sets the interval at which Start polls the certificate and key files and returns the CertWatcher pointer, so it can be chained after New.
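The behaviour described for GetCertificate, ReadCertificate and RegisterCallback above (serve the cached pair, re-read on demand, notify only on change) is easy to get subtly wrong, in particular during a rotation where the certificate file has been replaced but the key file has not yet. The following is an added example, not code from controller-runtime: a standard-library-only model of the watcher with the same method shapes, exercised through an initial load, a clean rotation and a broken rotation. The type name `Reloader`, the helper names, the file names `tls.crt`/`tls.key` and the CommonName values are all assumptions made here; the self-signed certificates are generated as throwaway fixtures so the code runs offline. The polling loop of Start is not reproduced (the page's own example shows how it is driven); `errors.Join` requires Go 1.20 or later.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// Reloader models certwatcher.CertWatcher with the standard library only (it is not
// the project's code): cache the last good pair, re-read on demand, notify on change.
type Reloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	lastCert, lastKey []byte
	callbacks         []func(tls.Certificate)
}

func (r *Reloader) RegisterCallback(cb func(tls.Certificate)) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.callbacks = append(r.callbacks, cb)
}

// GetCertificate serves the cached pair on every handshake and never touches disk,
// so a bad file on disk cannot fail a handshake; it only delays the rotation.
func (r *Reloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// ReadCertificate re-reads both files. Unchanged bytes mean no re-parse and no callback.
// A pair that does not parse (typically a half-finished rotation: new cert beside the
// old key) is rejected and the previously loaded certificate stays in use.
func (r *Reloader) ReadCertificate() error {
	certPEM, errC := os.ReadFile(r.certPath)
	keyPEM, errK := os.ReadFile(r.keyPath)
	if err := errors.Join(errC, errK); err != nil {
		return err
	}
	r.mu.RLock()
	same := bytes.Equal(certPEM, r.lastCert) && bytes.Equal(keyPEM, r.lastKey)
	r.mu.RUnlock()
	if same {
		return nil
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("keeping previous certificate: %w", err)
	}
	r.mu.Lock()
	r.cert, r.lastCert, r.lastKey = &pair, certPEM, keyPEM
	cbs := append([]func(tls.Certificate){}, r.callbacks...)
	r.mu.Unlock()
	for _, cb := range cbs { // outside the lock, so a callback may call GetCertificate
		cb(pair)
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// WriteSelfSigned writes a throwaway self-signed P-256 pair for cn (constructed fixture).
func WriteSelfSigned(certPath, keyPath, cn string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
}

// ServedCN is the CommonName a client would see in the leaf right now.
func ServedCN(r *Reloader) string {
	c, _ := r.GetCertificate(nil)
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	return leaf.Subject.CommonName
}

// DemoRotation runs three stages in dir: initial load, a clean rotation, and a broken one
// (new cert on disk, key still old). It returns the CN served after each stage, the number
// of callback invocations, and the error returned by the broken stage.
func DemoRotation(dir string) (cns [3]string, fired int, brokenErr error) {
	crt, key := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	r := &Reloader{certPath: crt, keyPath: key}
	WriteSelfSigned(crt, key, "v1.example")
	must(r.ReadCertificate()) // initial load, before any callback is registered
	r.RegisterCallback(func(tls.Certificate) { fired++ })
	cns[0] = ServedCN(r)
	WriteSelfSigned(crt, key, "v2.example") // clean rotation: both files replaced
	must(r.ReadCertificate())
	cns[1] = ServedCN(r)
	stale, _ := os.ReadFile(key) // broken rotation: v3 cert lands, key is still v2
	WriteSelfSigned(crt, key, "v3.example")
	must(os.WriteFile(key, stale, 0o600))
	brokenErr = r.ReadCertificate() // rejected; v2 stays in service
	cns[2] = ServedCN(r)
	return cns, fired, brokenErr
}
```

Running `DemoRotation` against a temporary directory yields `[v1.example v2.example v2.example]`, one callback invocation and a non-nil error for the broken stage: the mismatched pair is rejected and clients keep getting the last good certificate until the key file catches up. Writers that rotate non-atomically (cert first, then key) are the case to test for; the check is cheap because unchanged bytes are never re-parsed.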