Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CertificateDetails ¶ added in v0.9.0
type CertificateDetails struct {
CSR []byte
Duration time.Duration
IsCA bool
MaxPathLen *int
KeyUsage x509.KeyUsage
ExtKeyUsage []x509.ExtKeyUsage
}
func (CertificateDetails) CertificateTemplate ¶ added in v0.9.0
func (cd CertificateDetails) CertificateTemplate() (template *x509.Certificate, err error)
CertificateTemplate generates a certificate template for issuance, based on CertificateDetails extracted from the CertificateRequest or CertificateSigningRequest resource.
This function internally calls CertificateTemplateFromCSRPEM, which performs additional work such as parsing the CSR and verifying signatures. Since this operation can be expensive, issuer implementations should call this function only when a certificate template is actually needed (e.g., not when proxying the X.509 CSR to a CA).
type CertificateRequestObject ¶
type CertificateRequestObject interface {
metav1.Object
// Return the Certificate details originating from the cert-manager
// CertificateRequest or Kubernetes CertificateSigningRequest resources.
GetCertificateDetails() (details CertificateDetails, err error)
GetConditions() []metav1.Condition
}
CertificateRequestObject represents either a cert-manager CertificateRequest or a Kubernetes CertificateSigningRequest resource. The interface hides the underlying spec fields and exposes a certificate template and the raw CSR bytes. This lets the signer be agnostic to the underlying resource type and to how spec fields are interpreted (for example, defaulting logic). The signer can still access labels, annotations, or other metadata, and can use `GetConditions` to retrieve the resource's conditions.
func CertificateRequestObjectFromCertificateRequest ¶
func CertificateRequestObjectFromCertificateRequest(cr *cmapi.CertificateRequest) CertificateRequestObject
func CertificateRequestObjectFromCertificateSigningRequest ¶
func CertificateRequestObjectFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) CertificateRequestObject
type IgnoreCertificateRequest ¶ added in v0.3.0
type IgnoreCertificateRequest func( ctx context.Context, cr CertificateRequestObject, issuerGvk schema.GroupVersionKind, issuerName types.NamespacedName, ) (bool, error)
IgnoreCertificateRequest is an optional function that can prevent the CertificateRequest and Kubernetes CSR controllers from reconciling a CertificateRequest resource. By default, the controllers will reconcile all CertificateRequest resources that match the issuerRef type. This function will be called by the CertificateRequest reconcile loop and the Kubernetes CSR reconcile loop for each type that matches the issuerRef type. If the function returns true, the controller will not reconcile the CertificateRequest resource.
type IgnoreIssuer ¶ added in v0.3.0
IgnoreIssuer is an optional function that can prevent the issuer controllers from reconciling an issuer resource. By default, the controllers will reconcile all issuer resources that match the owned types. This function will be called by the issuer reconcile loops for each type that matches the owned types. If the function returns true, the controller will not reconcile the issuer resource.
type IssuerError ¶
type IssuerError struct {
Err error
}
IssuerError is returned by the CertificateRequest controller to indicate there was an error in the issuer part of the reconcile process and that the issuer's reconcile function should be retried.
This error is useful when the Sign function encounters an error for an action that should have been handled by the Check function, and which surfaced after Check had already succeeded.
> This error should be returned only by the Sign function.
func (IssuerError) Error ¶
func (ve IssuerError) Error() string
func (IssuerError) Unwrap ¶
func (ve IssuerError) Unwrap() error
type PEMBundle ¶ added in v0.2.0
PEMBundle includes the PEM encoded X.509 certificate chain and CA. The first certificate in the ChainPEM chain is the leaf certificate, and the last certificate in the chain is the highest level non-self-signed certificate. The CAPEM certificate is our best guess at the CA that issued the leaf. IMPORTANT: the CAPEM certificate is only used when the SetCAOnCertificateRequest option is enabled in the controller. This option exists for backwards compatibility only. Use of the CA field and the `ca.crt` field in the resulting Secret is discouraged; the CA should instead be provisioned separately (for example, using trust-manager).
type PendingError ¶
type PendingError struct {
Err error
// RequeueAfter can be set to control how long to wait before retrying. By
// default the controller waits 1s before retrying.
RequeueAfter time.Duration
}
PendingError should be returned when retrying the same operation is expected to result in either success or another error within a finite time.
It can be used to bypass the MaxRetryDuration check, for example when the signer is waiting for an asynchronous response from an external service indicating the request is still being processed.
> This error should be returned only by the Sign function.
func (PendingError) Error ¶
func (ve PendingError) Error() string
func (PendingError) Unwrap ¶
func (ve PendingError) Unwrap() error
type PermanentError ¶
type PermanentError struct {
Err error
}
PermanentError is returned when it is impossible for the resource to become Ready without changing the resource itself. It must not be used when the issue can be resolved by modifying the environment or other resources. The controller should not retry after receiving this error.
For the Check function, this error is useful when we detected an invalid configuration/ setting in the Issuer or ClusterIssuer resource. This should only happen very rarely, because of webhook validation.
For the Sign function, this error is useful when the problem can only be resolved by creating a new CertificateRequest (for example, when a new CSR must be generated).
> This error should be returned by the Sign or Check function.
func (PermanentError) Error ¶
func (ve PermanentError) Error() string
func (PermanentError) Unwrap ¶
func (ve PermanentError) Unwrap() error
type SetCertificateRequestConditionError ¶
type SetCertificateRequestConditionError struct {
Err error
ConditionType cmapi.CertificateRequestConditionType
Status cmmeta.ConditionStatus
Reason string
}
The SetCertificateRequestConditionError error is meant to be returned by the Sign function. When Sign returns this error, the caller (i.e., the certificate request controller) is expected to update the CertificateRequest with the condition contained in the error.
The error wrapped by this error is the error can still be a signer.Permanent or signer.Pending error and will be handled accordingly.
> This error should be returned only by the Sign function.
func (SetCertificateRequestConditionError) Error ¶
func (ve SetCertificateRequestConditionError) Error() string
func (SetCertificateRequestConditionError) Unwrap ¶
func (ve SetCertificateRequestConditionError) Unwrap() error
Source Files