manager



Constants

const (
	// InPlace is a constant for a rotation strategy regenerating a secret and NOT keeping the old one in the system.
	// Consumers still holding the previous value therefore lose it as soon as rotation happens; prefer KeepOld
	// where a rollover window is needed.
	InPlace rotationStrategy = "inplace"
	// KeepOld is a constant for a rotation strategy regenerating a secret and keeping the old one in the system.
	// The previous secret presumably stays retrievable through the Old class option until it is dropped
	// (see GenerateOptions.IgnoreOldSecrets / IgnoreOldSecretsAfter).
	KeepOld rotationStrategy = "keepold"
)
const (
	// LabelKeyName is a constant for a key of a label on a Secret describing the name.
	LabelKeyName = "name"
	// LabelKeyManagedBy is a constant for a key of a label on a Secret describing who is managing it.
	LabelKeyManagedBy = "managed-by"
	// LabelKeyManagerIdentity is a constant for a key of a label on a Secret describing which secret manager instance
	// is managing it.
	LabelKeyManagerIdentity = "manager-identity"
	// LabelKeyChecksumConfig is a constant for a key of a label on a Secret describing the checksum of the
	// configuration used to create the data.
	LabelKeyChecksumConfig = "checksum-of-config"
	// LabelKeyChecksumSigningCA is a constant for a key of a label on a Secret describing the checksum of the
	// certificate authority which has signed the client or server certificate in the data.
	LabelKeyChecksumSigningCA = "checksum-of-signing-ca"
	// LabelKeyBundleFor is a constant for a key of a label on a Secret describing that it is a bundle secret for
	// another secret.
	LabelKeyBundleFor = "bundle-for"
	// LabelKeyPersist is a constant for a key of a label on a Secret describing that it should get persisted.
	LabelKeyPersist = "persist"
	// LabelKeyLastRotationInitiationTime is a constant for a key of a label on a Secret describing the unix timestamp
	// of when the last secret rotation was initiated.
	LabelKeyLastRotationInitiationTime = "last-rotation-initiation-time"
	// LabelKeyIssuedAtTime is a constant for a key of a label on a Secret describing the time of when the secret data
	// was created. In case the data contains a certificate it is the time part of the certificate's 'not before' field.
	LabelKeyIssuedAtTime = "issued-at-time"
	// LabelKeyValidUntilTime is a constant for a key of a label on a Secret describing the time of how long the secret
	// data is valid. In case the data contains a certificate it is the time part of the certificate's 'not after'
	// field.
	LabelKeyValidUntilTime = "valid-until-time"
	// LabelKeyRenewAfterValidityPercentage is a constant for a key of a label on a certificate secret describing the
	// percentage of the validity when the certificate should be renewed. The effective check for renewal is after the
	// given percentage of validity or 10d before the end of validity. If not specified the default percentage is 80.
	LabelKeyRenewAfterValidityPercentage = "renew-after-validity-percentage"
	// LabelKeyUseDataForName is a constant for a key of a label on a Secret describing that its data should be used
	// instead of generating a fresh secret with the same name.
	// NOTE(review): since this label makes the manager adopt pre-existing data, whoever can create such a Secret in
	// the managed namespace can influence the managed secret's contents — confirm what validation the implementation
	// applies before adopting it.
	LabelKeyUseDataForName = "secrets-manager-use-data-for-name"

	// LabelValueTrue is a constant for a value of a label on a Secret describing the value 'true'.
	LabelValueTrue = "true"
	// LabelValueSecretsManager is a constant for a value of a label on a Secret describing the value 'secret-manager'.
	LabelValueSecretsManager = "secrets-manager"
)

Variables

var (
	// UseCurrentCA sets the CAClass field to 'current' in the SignedByCAOptions.
	// See SignedByCAOptions.CAClass for which CA is used by default for server and client certificates.
	UseCurrentCA = useCAClassOption{current}
	// UseOldCA sets the CAClass field to 'old' in the SignedByCAOptions.
	// Only meaningful while an old CA is still kept (KeepOld rotation); see SignedByCAOptions.CAClass.
	UseOldCA = useCAClassOption{old}
)
var (
	// Current sets the Class field to 'current' in the GetOptions.
	Current = classOption{/* contains filtered or unexported fields */}
	// Old sets the Class field to 'old' in the GetOptions.
	Old = classOption{/* contains filtered or unexported fields */}
	// Bundle sets the Class field to 'bundle' in the GetOptions. This is the default class of a Get request; when
	// no bundle secret exists, Get falls back to the current secret (see GetOptions.Class).
	Bundle = classOption{/* contains filtered or unexported fields */}
)

Functions

func ObjectMeta

func ObjectMeta(
	namespace string,
	managerIdentity string,
	config secretsutils.ConfigInterface,
	ignoreConfigChecksumForCASecretName bool,
	lastRotationInitiationTime string,
	signingCAChecksum *string,
	persist *bool,
	bundleFor *string,
) (
	metav1.ObjectMeta,
	error,
)

ObjectMeta returns the object meta based on the given settings.

func Secret

func Secret(objectMeta metav1.ObjectMeta, data map[string][]byte) *corev1.Secret

Secret constructs a *corev1.Secret for the given metadata and data.

Types

type GenerateOption

GenerateOption is some configuration that modifies options for a Generate request.

func IgnoreConfigChecksumForCASecretName added in v1.45.0

func IgnoreConfigChecksumForCASecretName() GenerateOption

IgnoreConfigChecksumForCASecretName returns a function which sets the 'IgnoreConfigChecksumForCASecretName' field to true.

func IgnoreOldSecrets

func IgnoreOldSecrets() GenerateOption

IgnoreOldSecrets returns a function which sets the 'IgnoreOldSecrets' field to true.

func IgnoreOldSecretsAfter added in v1.48.0

func IgnoreOldSecretsAfter(d time.Duration) GenerateOption

IgnoreOldSecretsAfter returns a function which sets the 'IgnoreOldSecretsAfter' field to the given duration.

func Namespace

func Namespace(namespace string) GenerateOption

Namespace returns a function which sets the 'Namespace' field.

func Persist

func Persist() GenerateOption

Persist returns a function which sets the 'Persist' field to true.

func RenewAfterValidityPercentage added in v1.96.0

func RenewAfterValidityPercentage(v int) GenerateOption

RenewAfterValidityPercentage returns a function which sets the 'RenewAfterValidityPercentage' field to the provided value.

func Rotate

func Rotate(strategy rotationStrategy) GenerateOption

Rotate returns a function which sets the 'RotationStrategy' field to the specified value.

func SignedByCA

func SignedByCA(name string, opts ...SignedByCAOption) GenerateOption

SignedByCA returns a function which sets the 'SigningCA' field in case the ConfigInterface provided to the Generate request is a CertificateSecretConfig. Additionally, in that case it stores a checksum of the signing CA in the options.

func Validity added in v1.44.0

func Validity(v time.Duration) GenerateOption

Validity returns a function which sets the 'Validity' field to the provided value. Note that the value is ignored in case Generate is called with a certificate secret configuration.

type GenerateOptions

type GenerateOptions struct {
	// Persist specifies whether the 'persist=true' label should be added to the secret resources.
	Persist bool
	// RotationStrategy specifies how the secret should be rotated in case it needs to get rotated.
	// See InPlace and KeepOld; with InPlace the previous secret data is not retained.
	RotationStrategy rotationStrategy
	// IgnoreOldSecrets specifies whether old secrets should be dropped.
	// NOTE(review): dropping the old secret ends any rollover window for consumers still using it — presumably only
	// safe once all consumers have picked up the current secret.
	IgnoreOldSecrets bool
	// IgnoreOldSecretsAfter specifies that old secrets should be dropped once a given duration after rotation has passed.
	// A nil value presumably disables time-based dropping.
	IgnoreOldSecretsAfter *time.Duration
	// Validity specifies for how long the secret should be valid.
	// The value is ignored when Generate is called with a certificate secret configuration (see Validity).
	Validity time.Duration
	// RenewAfterValidityPercentage sets the percentage of the validity when the certificate should be renewed.
	// The effective check for renewal is after the given percentage of validity or 10d before the end of validity.
	// Zero value means the default percentage is used (80%).
	RenewAfterValidityPercentage int
	// IgnoreConfigChecksumForCASecretName specifies whether the secret config checksum should be ignored when
	// computing the secret name for CA secrets.
	IgnoreConfigChecksumForCASecretName bool
	// Namespace overwrites the namespace in which the secret should be created.
	Namespace string
	// contains filtered or unexported fields
}

GenerateOptions are options for Generate calls.

func (*GenerateOptions) ApplyOptions

func (o *GenerateOptions) ApplyOptions(manager Interface, configInterface secretsutils.ConfigInterface, opts []GenerateOption) error

ApplyOptions applies the given update options on these options. Unlike the ApplyOptions methods of GetOptions and SignedByCAOptions, it returns an error (as its signature shows) rather than the receiver, so it is not chainable.

type GetOption

type GetOption interface {
	// ApplyToOptions applies this configuration to the given options.
	// Implemented by the Current, Old and Bundle class options.
	ApplyToOptions(*GetOptions)
}

GetOption is some configuration that modifies options for a Get request.

type GetOptions

type GetOptions struct {
	// Class specifies which secret should be returned. By default, the bundle secret is returned. If there is
	// no bundle secret then it falls back to the current secret. Use the Current, Old or Bundle options to set it.
	Class *secretClass
}

GetOptions are options for Get calls.

func (*GetOptions) ApplyOptions

func (o *GetOptions) ApplyOptions(opts []GetOption) *GetOptions

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).

type Interface

type Interface interface {
	// Generate generates a secret based on the provided configuration. If the secret for the provided configuration
	// already exists then it is returned without re-generation (NOTE(review): the original wording says "with
	// re-generation", which contradicts the next sentence — confirm). The function also automatically
	// rotates/re-generates the secret only if necessary (e.g., when the config or the signing CA changes).
	Generate(context.Context, secretsutils.ConfigInterface, ...GenerateOption) (*corev1.Secret, error)

	Reader

	// Cleanup deletes no longer required secrets. No longer required secrets are those still existing in the system
	// which weren't detected by prior Generate calls. Consequently, only call Cleanup after you have executed Generate
	// calls for all desired secrets — calling it after a partial set of Generate calls deletes secrets that are
	// still in use.
	Cleanup(context.Context) error
}

Interface describes the methods for managing secrets.

func New

func New(
	ctx context.Context,
	logger logr.Logger,
	clock clock.Clock,
	c client.Client,
	identity string,
	optionFns ...NewOption,
) (
	Interface,
	error,
)

New returns a new manager for secrets in the configured namespaces (see WithNamespaces).

type NewOption

// NewOption is a functional option applied to NewOptions by New; see WithNamespaces, WithCASecretAutoRotation,
// WithSecretNamesToTimes and WithoutAutomaticSecretRenewal.
type NewOption func(*NewOptions)

NewOption is some configuration that configures a secrets manager instance when creating it with New.

func WithCASecretAutoRotation

func WithCASecretAutoRotation() NewOption

WithCASecretAutoRotation enables automatic rotation for CA secrets (turned off by default).

func WithNamespaces

func WithNamespaces(namespaces ...string) NewOption

WithNamespaces returns a function which configures the namespaces the secrets manager should operate in.

func WithSecretNamesToTimes

func WithSecretNamesToTimes(secretNamesToTimes map[string]time.Time) NewOption

WithSecretNamesToTimes sets a map whose keys are secret names and whose values are the last rotation initiation times.

func WithoutAutomaticSecretRenewal

func WithoutAutomaticSecretRenewal() NewOption

WithoutAutomaticSecretRenewal disables automatic secret renewal (enabled by default). When set, the secrets manager will not list existing secrets or prepare them for automatic renewal, even if a secret's configuration would otherwise require it.

type NewOptions

type NewOptions struct {
	// Namespaces is the list of namespaces the secrets manager should operate on.
	Namespaces []string
	// CASecretAutoRotation states whether CA secrets are considered for automatic rotation (defaults to false).
	// Enabled via WithCASecretAutoRotation.
	CASecretAutoRotation bool
	// SecretNamesToTimes is a map whose keys are secret names and whose values are the last rotation initiation
	// times.
	SecretNamesToTimes map[string]time.Time
	// DisableAutomaticSecretRenewal states whether automatic secret renewal should be disabled even if a secret's
	// configuration would otherwise require it. When set, the manager does not list existing secrets or prepare
	// them for renewal (see WithoutAutomaticSecretRenewal).
	DisableAutomaticSecretRenewal bool
}

NewOptions are options for New calls.

type Reader added in v1.45.0

type Reader interface {
	// Get returns the secret object for the secret with the given name. By default, the bundle secret will be returned.
	// If there is no bundle secret then it falls back to the current secret. Note that only those secrets are known
	// which were detected or generated by prior Generate calls. The boolean result reports whether the secret
	// was found.
	Get(string, ...GetOption) (*corev1.Secret, bool)
}

Reader is part of the SecretsManager interface and allows retrieving secrets from a SecretsManager.

type SignedByCAOption added in v1.45.0

type SignedByCAOption interface {
	// ApplyToOptions applies this configuration to the given options.
	// Implemented by UseCurrentCA, UseOldCA and LoadMissingCAFromCluster.
	ApplyToOptions(*SignedByCAOptions)
}

SignedByCAOption is some configuration that modifies options for a SignedByCA request.

func LoadMissingCAFromCluster

func LoadMissingCAFromCluster(ctx context.Context) SignedByCAOption

LoadMissingCAFromCluster sets the LoadMissingCAFromClusterCtx field to 'ctx' in the SignedByCAOptions.

type SignedByCAOptions added in v1.45.0

type SignedByCAOptions struct {
	// CAClass specifies which CA should be used to sign the requested certificate. Server certificates are signed with
	// the old CA by default, however one might want to use the current CA instead. Similarly, client certificates are
	// signed with the current CA by default, however one might want to use the old CA instead.
	// Set via UseCurrentCA / UseOldCA.
	CAClass *secretClass
	// LoadMissingCAFromClusterCtx enables loading a missing signing CA from the cluster when it is not found in the
	// internal store, and specifies the context.Context to use for the LIST call. This is useful when generating
	// certificates signed by CAs that were not created by this secrets manager instance.
	// NOTE(review): this widens the set of accepted signing CAs to Secrets the manager did not create itself —
	// confirm how the implementation identifies the CA Secret (e.g. by label) before trusting its contents.
	LoadMissingCAFromClusterCtx context.Context
}

SignedByCAOptions are options for SignedByCA calls.

func (*SignedByCAOptions) ApplyOptions added in v1.45.0

func (o *SignedByCAOptions) ApplyOptions(opts []SignedByCAOption) *SignedByCAOptions

ApplyOptions applies the given update options on these options, and then returns itself (for convenient chaining).
