Documentation
Overview
Package certmanager manages TLS serving certificates for the controller using a self-signed CA. It generates a CA key pair, uses it to sign server certificates, persists both in a Kubernetes Secret, and publishes the CA certificate in a ConfigMap so node agents can verify the controller.
Index
- type CertManager
- func NewCertManager(opts Options) *CertManager
- func (cm *CertManager) CABundle() []byte
- func (cm *CertManager) EnsureCertificate(ctx context.Context) error
- func (cm *CertManager) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error)
- func (cm *CertManager) HMACKey() []byte
- func (cm *CertManager) RunRotationMonitor(ctx context.Context)
- type Options
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CertManager
type CertManager struct {
	// contains filtered or unexported fields
}
CertManager manages a self-signed CA and uses it to issue serving certificates for the controller. The CA and server key material are persisted in a Kubernetes Secret so they survive restarts. The CA public certificate is published in a ConfigMap for node agents. When the server certificate is within 30 days of expiry it is re-issued using the same CA. An HMAC signing key is also stored in the Secret for token issuance; the key is generated once and preserved across certificate rotations.
func NewCertManager
func NewCertManager(opts Options) *CertManager
NewCertManager creates a new CertManager with the given options, applying defaults where needed.
func (*CertManager) CABundle
func (cm *CertManager) CABundle() []byte
CABundle returns the PEM-encoded CA certificate. This is used to inject caBundle into webhook and APIService configurations so the API server can verify the controller's self-signed serving certificate.
func (*CertManager) EnsureCertificate
func (cm *CertManager) EnsureCertificate(ctx context.Context) error
EnsureCertificate loads the serving certificate from the Kubernetes Secret, validates it, and rotates it if missing, expired, or expiring soon. It also ensures the CA certificate is published to the ConfigMap.
func (*CertManager) GetCertificateFunc
func (cm *CertManager) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificateFunc returns a function suitable for tls.Config.GetCertificate. It reads the current certificate from an atomic value on each handshake, so a rotation performed by EnsureCertificate or RunRotationMonitor takes effect without restarting the listener.
func (*CertManager) HMACKey
func (cm *CertManager) HMACKey() []byte
HMACKey returns the HMAC signing key stored in the serving Secret. The key is generated once during the first certificate rotation and preserved across subsequent rotations so that outstanding tokens remain valid.
func (*CertManager) RunRotationMonitor
func (cm *CertManager) RunRotationMonitor(ctx context.Context)
RunRotationMonitor runs a loop that checks the current certificate every 24 hours and rotates it if it is within 30 days of expiry. It blocks until the context is cancelled.
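The issuance, rotation and verification flow described above (self-signed CA, CA-signed serving certificate, the 30-day re-issue check behind EnsureCertificate and RunRotationMonitor, the atomic-value read behind GetCertificateFunc, and the node-agent side trusting the published CA) as an added, self-contained Go example. This is not the certmanager package's own code: all names (signCert, newCA, issueServing, needsRotation, certHolder, ensure, verifyAgainstCA, rotationWindow) and the service name are constructed for illustration, persistence to the Secret and ConfigMap and the HMAC key are left out, and the verifier receives the parsed CA certificate directly where the real package publishes it PEM-encoded (an agent would load that with x509.CertPool.AppendCertsFromPEM).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync/atomic"
	"time"
)

const rotationWindow = 30 * 24 * time.Hour // 30-day re-issue threshold from the package docs; constant name assumed

// signCert gives tmpl a random 128-bit serial and a fresh P-256 key, then signs it with parentKey (self-signed when nil).
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds the self-signed CA; the real package would persist both halves in the Secret.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "example-controller-ca"}, // constructed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return signCert(tmpl, tmpl, nil)
}

// issueServing signs a server-auth leaf for dnsNames with the CA key; every rotation reuses the same CA.
func issueServing(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, now time.Time, lifetime time.Duration) (*tls.Certificate, error) {
	tmpl := &x509.Certificate{
		DNSNames:    dnsNames,
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(lifetime),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, key, err := signCert(tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// needsRotation is true when the certificate is missing, already expired, or NotAfter lies inside the window.
func needsRotation(c *tls.Certificate, now time.Time) bool {
	return c == nil || c.Leaf == nil || now.Add(rotationWindow).After(c.Leaf.NotAfter)
}

// certHolder keeps the live certificate in an atomic.Value so rotation never races with TLS handshakes;
// getCertificate has the shape tls.Config.GetCertificate expects and reads the holder on every handshake.
type certHolder struct{ v atomic.Value }

func (h *certHolder) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	c, _ := h.v.Load().(*tls.Certificate)
	return c, nil // nil before the first issue; crypto/tls then reports that no certificate is configured
}

// ensure mirrors EnsureCertificate: re-issue only when needed and report whether it did.
func ensure(h *certHolder, ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, now time.Time) (bool, error) {
	if c, _ := h.getCertificate(nil); !needsRotation(c, now) {
		return false, nil
	}
	c, err := issueServing(ca, caKey, dnsNames, now, 365*24*time.Hour)
	if err != nil {
		return false, err
	}
	h.v.Store(c)
	return true, nil
}

// verifyAgainstCA is the node-agent side: trust only the published CA and pin the expected service name.
func verifyAgainstCA(ca, leaf *x509.Certificate, dnsName string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now})
	return err
}
```

A loop such as RunRotationMonitor would call ensure once a day with time.Now(); because getCertificate reads the atomic.Value, the new leaf is served on the next handshake and in-flight connections keep the certificate they negotiated. An agent that pins DNSName to the controller's service name rejects a certificate issued by the CA for a different name, and any leaf signed by another CA fails with an unknown-authority error.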
type Options
type Options struct {
	Clientset   kubernetes.Interface
	Namespace   string // e.g. "kube-system"
	ServiceName string // e.g. "unbounded-net-controller"
	SecretName  string // defaults to "unbounded-net-serving-cert"
	CAConfigMap string // defaults to "unbounded-net-serving-ca"
}
Options configures the CertManager.