certrotation

package
v0.0.0-...-18e7937 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 20, 2026 License: Apache-2.0 Imports: 34 Imported by: 14

Documentation

Index

Constants

View Source 
const (
	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
	// CertificateTestNameAnnotation is an e2e test name which verifies that TLS artifact is created and used correctly
	CertificateTestNameAnnotation string = "certificates.openshift.io/test-name"
	// CertificateAutoRegenerateAfterOfflineExpiryAnnotation contains a link to PR adding this annotation which verifies
	// that TLS artifact is correctly regenerated after it has expired
	CertificateAutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
	// CertificateRefreshPeriodAnnotation is the interval at which the certificate should be refreshed.
	CertificateRefreshPeriodAnnotation string = "certificates.openshift.io/refresh-period"
)
View Source 
const (
	// ManagedCertificateTypeLabelName marks config map or secret as object that contains managed certificates.
	// This groups all objects that store certs and allow easy query to get them all.
	// The value of this label should be set to "true".
	ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type"
)
View Source 
const (
	// RunOnceContextKey is a context value key that can be used to call the controller Sync() and make it only run the syncWorker once and report error.
	RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once"
)

Variables

This section is empty.

Functions

func GetCertRotationScale 

func GetCertRotationScale(ctx context.Context, client kubernetes.Interface, namespace string) (time.Duration, error)

GetCertRotationScale The normal scale is based on a day. The value returned by this function is used to scale rotation durations instead of a day, so you can set it shorter.

func LabelAsManagedConfigMap 

func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)

LabelAsManagedConfigMap add label indicating the given config map contains certificates that are managed.

func LabelAsManagedSecret 

func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)

LabelAsManagedConfigMap add label indicating the given secret contains certificates that are managed.

func NewCertRotationController 

func NewCertRotationController(
	name string,
	rotatedSigningCASecret RotatedSigningCASecret,
	caBundleConfigMap CABundleConfigMap,
	rotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret,
	recorder events.Recorder,
	reporter StatusReporter,
) factory.Controller

func NewTLSArtifactObjectMeta 

func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta

Types

type AdditionalAnnotations 

type AdditionalAnnotations struct {
	// JiraComponent annotates tls artifacts so that owner could be easily found
	JiraComponent string
	// Description is a human-readable one sentence description of certificate purpose
	Description string
	// TestName is an e2e test name which verifies that TLS artifact is created and used correctly
	TestName string
	// AutoRegenerateAfterOfflineExpiry contains a link to PR which adds this annotation on the TLS artifact
	AutoRegenerateAfterOfflineExpiry string
	// NotBefore contains certificate the certificate creation date in RFC3339 format.
	NotBefore string
	// NotAfter contains certificate the certificate validity date in RFC3339 format.
	NotAfter string
	// RefreshPeriod contains the interval at which the certificate should be refreshed.
	RefreshPeriod string
}

func (AdditionalAnnotations) EnsureTLSMetadataUpdate 

func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool

type CABundleConfigMap 

type CABundleConfigMap struct {
	// Namespace is the namespace of the ConfigMap to maintain.
	Namespace string
	// Name is the name of the ConfigMap to maintain.
	Name string
	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the certificate expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool
	// Owner is an optional reference to add to the secret that this rotator creates.
	Owner *metav1.OwnerReference
	// AdditionalAnnotations is a collection of annotations set for the secret
	AdditionalAnnotations AdditionalAnnotations
	// Plumbing:
	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}

CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret, and by removing expired old ones.

func (CABundleConfigMap) EnsureConfigMapCABundle 

func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingCertKeyPair *crypto.CA, signingCertKeyPairLocation string) ([]*x509.Certificate, error)

type CertRotationController 

type CertRotationController struct {
	// controller name
	Name string
	// RotatedSigningCASecret rotates a self-signed signing CA stored in a secret.
	RotatedSigningCASecret RotatedSigningCASecret
	// CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from rotatedSigningCASecret, and by removing expired old ones.
	CABundleConfigMap CABundleConfigMap
	// RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
	RotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret

	// Plumbing:
	StatusReporter StatusReporter
}

CertRotationController does:

1) continuously create a self-signed signing CA (via RotatedSigningCASecret) and store it in a secret. 2) maintain a CA bundle ConfigMap with all not yet expired CA certs. 3) continuously create a target cert and key signed by the latest signing CA and store it in a secret.

func (CertRotationController) Sync 

func (c CertRotationController) Sync(ctx context.Context, syncCtx factory.SyncContext) error

func (CertRotationController) SyncWorker 

func (c CertRotationController) SyncWorker(ctx context.Context) error

type CertificateType 

type CertificateType string
var (
	CertificateTypeCABundle CertificateType = "ca-bundle"
	CertificateTypeSigner   CertificateType = "signer"
	CertificateTypeTarget   CertificateType = "target"
	CertificateTypeUnknown  CertificateType = "unknown"
)

func CertificateTypeFromObject 

func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)

CertificateTypeFromObject returns the CertificateType based on the annotations of the object.

type ClientRotation 

type ClientRotation struct {
	UserInfo user.Info
}

func (*ClientRotation) CertificateType 

func (r *ClientRotation) CertificateType() pki.CertificateType

func (*ClientRotation) NeedNewTargetCertKeyPair 

func (r *ClientRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string

func (*ClientRotation) NewCertificate 

func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error)

func (*ClientRotation) SetAnnotations 

func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type PeerRotation 

type PeerRotation struct {
	Hostnames              ServingHostnameFunc
	UserInfo               user.Info
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}

PeerRotation creates certificates used for both server and client authentication (e.g., etcd peer certificates). It uses CertificateTypePeer for PKI profile resolution, which selects the stronger of the serving and client key configurations.

When keyGen is non-nil (ConfigurablePKI enabled), it calls NewPeerCertificate which requires UserInfo for the client identity. When keyGen is nil (legacy), it falls back to MakeServerCertForDuration with an extension function that sets both ClientAuth and ServerAuth ExtKeyUsages.

func (*PeerRotation) CertificateType 

func (r *PeerRotation) CertificateType() pki.CertificateType

func (*PeerRotation) NeedNewTargetCertKeyPair 

func (r *PeerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string

func (*PeerRotation) NewCertificate 

func (r *PeerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error)

func (*PeerRotation) RecheckChannel 

func (r *PeerRotation) RecheckChannel() <-chan struct{}

func (*PeerRotation) SetAnnotations 

func (r *PeerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type RotatedSelfSignedCertKeySecret 

type RotatedSelfSignedCertKeySecret struct {
	// Namespace is the namespace of the Secret.
	Namespace string
	// Name is the name of the Secret.
	Name string
	// Validity is the duration from time.Now() until the certificate expires. If RefreshOnlyWhenExpired
	// is false, the key and certificate is rotated when 80% of validity is reached.
	Validity time.Duration
	// Refresh is the duration after certificate creation when it is rotated at the latest. It is ignored
	// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
	// Refresh is ignored until the signing CA at least 10% in its life-time to ensure it is deployed
	// through-out the cluster.
	Refresh time.Duration

	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the certificate expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool

	// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
	// consumers of the certificate need to be aware of changes to the object.
	// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
	// of the certificate. If the lifetime of the owning object is not a superset of the lifetime in which the
	// certificate is used, early deletion will be catastrophic.
	Owner *metav1.OwnerReference

	// AdditionalAnnotations is a collection of annotations set for the secret
	AdditionalAnnotations AdditionalAnnotations

	// CertCreator does the actual cert generation.
	CertCreator TargetCertCreator

	// CertificateName is the logical name of this certificate for PKI profile resolution.
	CertificateName string

	// PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate
	// key algorithm resolution. When nil, legacy certificate generation is used.
	PKIProfileProvider pki.PKIProfileProvider

	// Plumbing:
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.

It creates a new one when - refresh duration is over - or 80% of validity is over (if RefreshOnlyWhenExpired is false) - or the cert is expired. - or the signing CA changes.

func (RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair 

func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Context, signingCertKeyPair *crypto.CA, caBundleCerts []*x509.Certificate) (*corev1.Secret, error)

type RotatedSigningCASecret 

type RotatedSigningCASecret struct {
	// Namespace is the namespace of the Secret.
	Namespace string
	// Name is the name of the Secret.
	Name string
	// Validity is the duration from time.Now() until the signing CA expires. If RefreshOnlyWhenExpired
	// is false, the signing cert is rotated when 80% of validity is reached.
	Validity time.Duration
	// Refresh is the duration after signing CA creation when it is rotated at the latest. It is ignored
	// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
	Refresh time.Duration
	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the signing CA expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool

	// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
	// consumers of the signer CA need to be aware of changes to the object.
	// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
	// of the signer. If the lifetime of the owning object is not a superset of the lifetime in which the signer
	// is used, early deletion will be catastrophic.
	Owner *metav1.OwnerReference

	// AdditionalAnnotations is a collection of annotations set for the secret
	AdditionalAnnotations AdditionalAnnotations

	// CertificateName is the logical name of this certificate for PKI profile resolution.
	CertificateName string

	// PKIProfileProvider, when non-nil, enables ConfigurablePKI certificate
	// key algorithm resolution. When nil, legacy certificate generation is used.
	PKIProfileProvider pki.PKIProfileProvider

	// Plumbing:
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}

RotatedSigningCASecret rotates a self-signed signing CA stored in a secret. It creates a new one when - refresh duration is over - or 80% of validity is over (if RefreshOnlyWhenExpired is false) - or the CA is expired.

func (RotatedSigningCASecret) EnsureSigningCertKeyPair 

func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, bool, error)

EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation. It always returns the currently used CA pair, a bool indicating whether it was created/updated within this function call and an error.

type ServingHostnameFunc 

type ServingHostnameFunc func() []string

type ServingRotation 

type ServingRotation struct {
	Hostnames              ServingHostnameFunc
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	HostnamesChanged       <-chan struct{}
}

func (*ServingRotation) CertificateType 

func (r *ServingRotation) CertificateType() pki.CertificateType

func (*ServingRotation) NeedNewTargetCertKeyPair 

func (r *ServingRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string

func (*ServingRotation) NewCertificate 

func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error)

func (*ServingRotation) RecheckChannel 

func (r *ServingRotation) RecheckChannel() <-chan struct{}

func (*ServingRotation) SetAnnotations 

func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type SignerRotation 

type SignerRotation struct {
	SignerName string
}

func (*SignerRotation) CertificateType 

func (r *SignerRotation) CertificateType() pki.CertificateType

func (*SignerRotation) NeedNewTargetCertKeyPair 

func (r *SignerRotation) NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, exists bool) string

func (*SignerRotation) NewCertificate 

func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error)

func (*SignerRotation) SetAnnotations 

func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string

type StaticPodConditionStatusReporter 

type StaticPodConditionStatusReporter struct {
	// Plumbing:
	OperatorClient v1helpers.StaticPodOperatorClient
}

func (*StaticPodConditionStatusReporter) Report 

func (s *StaticPodConditionStatusReporter) Report(ctx context.Context, controllerName string, syncErr error) (bool, error)

type StatusReporter 

type StatusReporter interface {
	Report(ctx context.Context, controllerName string, syncErr error) (updated bool, updateErr error)
}

StatusReporter knows how to report the status of cert rotation

type TargetCertCreator 

type TargetCertCreator interface {
	// NewCertificate creates a new key-cert pair with the given signer. If keyGen
	// is non-nil, it is used to generate the key pair; otherwise legacy defaults are used.
	NewCertificate(signer *crypto.CA, validity time.Duration, keyGen crypto.KeyPairGenerator) (*crypto.TLSCertificateConfig, error)
	// NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case.
	NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string
	// SetAnnotations gives an option to override or set additional annotations
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
	// CertificateType returns the category of certificate this creator produces.
	CertificateType() pki.CertificateType
}

type TargetCertRechecker 

type TargetCertRechecker interface {
	RecheckChannel() <-chan struct{}
}

TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce a controller run.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.