Constants ¶
// Annotation keys written onto the TLS artifacts (secrets and config maps) this package maintains.
// They describe the stored certificate; the values are informational metadata on the Kubernetes object.
const (
	// CertificateNotBeforeAnnotation contains the start of the certificate's validity period (NotBefore) in RFC3339 format.
	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	// CertificateNotAfterAnnotation contains the certificate expiration date (NotAfter) in RFC3339 format.
	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
	// CertificateIssuer contains the common name of the certificate that signed another certificate.
	CertificateIssuer = "auth.openshift.io/certificate-issuer"
	// CertificateHostnames contains the hostnames used by a signer.
	// NOTE(review): presumably populated from ServingRotation.Hostnames for serving certificates — confirm against SetAnnotations.
	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
	// CertificateTestNameAnnotation is an e2e test name which verifies that the TLS artifact is created and used correctly.
	CertificateTestNameAnnotation string = "certificates.openshift.io/test-name"
	// CertificateAutoRegenerateAfterOfflineExpiryAnnotation contains a link to the PR adding this annotation, which verifies
	// that the TLS artifact is correctly regenerated after it has expired.
	CertificateAutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
	// CertificateRefreshPeriodAnnotation is the interval at which the certificate should be refreshed.
	CertificateRefreshPeriodAnnotation string = "certificates.openshift.io/refresh-period"
)
const (
	// ManagedCertificateTypeLabelName marks a config map or secret as an object that contains managed certificates.
	// This groups all objects that store certs and allows an easy query to get them all.
	// The value of this label should be set to "true".
	// NOTE(review): LabelAsManagedSecret and LabelAsManagedConfigMap take a CertificateType argument, so the
	// stored value may be the CertificateType ("signer", "target", "ca-bundle") rather than "true" — confirm
	// against the implementation before relying on the value in a label selector.
	ManagedCertificateTypeLabelName = "auth.openshift.io/managed-certificate-type"
)
const (
	// RunOnceContextKey is a context value key that can be used when calling the controller's Sync() to make it
	// run the syncWorker only once and report the resulting error, instead of running as a long-lived loop.
	RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once"
)
Functions ¶
func GetCertRotationScale ¶
func GetCertRotationScale(ctx context.Context, client kubernetes.Interface, namespace string) (time.Duration, error)
GetCertRotationScale returns the time scale used for certificate rotation. The normal scale is based on a day; the value returned by this function is used to scale rotation durations instead of a day, so it can be set shorter.
func LabelAsManagedConfigMap ¶
func LabelAsManagedConfigMap(config *v1.ConfigMap, certificateType CertificateType)
LabelAsManagedConfigMap adds a label indicating that the given config map contains certificates that are managed.
func LabelAsManagedSecret ¶
func LabelAsManagedSecret(secret *v1.Secret, certificateType CertificateType)
LabelAsManagedSecret adds a label indicating that the given secret contains certificates that are managed.
func NewCertRotationController ¶
func NewCertRotationController( name string, rotatedSigningCASecret RotatedSigningCASecret, caBundleConfigMap CABundleConfigMap, rotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret, recorder events.Recorder, reporter StatusReporter, ) factory.Controller
func NewTLSArtifactObjectMeta ¶
func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta
Types ¶
type AdditionalAnnotations ¶
// AdditionalAnnotations is a collection of annotations set on the TLS artifacts (secrets and config maps)
// maintained by this package; see EnsureTLSMetadataUpdate for applying them to an object's metadata.
type AdditionalAnnotations struct {
	// JiraComponent annotates TLS artifacts so that the owner can be easily found.
	JiraComponent string
	// Description is a human-readable one-sentence description of the certificate's purpose.
	Description string
	// TestName is an e2e test name which verifies that the TLS artifact is created and used correctly.
	TestName string
	// AutoRegenerateAfterOfflineExpiry contains a link to the PR which adds this annotation on the TLS artifact.
	AutoRegenerateAfterOfflineExpiry string
	// NotBefore contains the certificate's not-before (creation) date in RFC3339 format.
	NotBefore string
	// NotAfter contains the certificate's not-after (expiration) date in RFC3339 format.
	NotAfter string
	// RefreshPeriod contains the interval at which the certificate should be refreshed.
	RefreshPeriod string
}
func (AdditionalAnnotations) EnsureTLSMetadataUpdate ¶
func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool
type CABundleConfigMap ¶
// CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret,
// and by removing expired old ones. The bundle is updated through EnsureConfigMapCABundle.
type CABundleConfigMap struct {
	// Namespace is the namespace of the ConfigMap to maintain.
	Namespace string
	// Name is the name of the ConfigMap to maintain.
	Name string
	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the certificate expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool
	// Owner is an optional reference to add to the config map that this rotator creates.
	// WARNING: as with RotatedSigningCASecret.Owner, deletion of the owning object will cascade into deletion
	// of the CA bundle. Only use it when the lifetime of the owning object is a superset of the lifetime in
	// which the bundle is used; early deletion of the bundle breaks trust for every consumer of it.
	Owner *metav1.OwnerReference
	// AdditionalAnnotations is a collection of annotations set for the config map.
	AdditionalAnnotations AdditionalAnnotations
	// Plumbing:
	Informer      corev1informers.ConfigMapInformer
	Lister        corev1listers.ConfigMapLister
	Client        corev1client.ConfigMapsGetter
	EventRecorder events.Recorder
}
CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret, and by removing expired old ones.
func (CABundleConfigMap) EnsureConfigMapCABundle ¶
func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingCertKeyPair *crypto.CA, signingCertKeyPairLocation string) ([]*x509.Certificate, error)
type CertRotationController ¶
// CertRotationController does:
//  1. continuously create a self-signed signing CA (via RotatedSigningCASecret) and store it in a secret;
//  2. maintain a CA bundle ConfigMap with all not yet expired CA certs;
//  3. continuously create a target cert and key signed by the latest signing CA and store it in a secret.
//
// Sync is the controller's sync handler and runs SyncWorker; with RunOnceContextKey set in the context it
// runs the worker only once and reports the error (see RunOnceContextKey).
type CertRotationController struct {
	// Name is the controller name; presumably passed as controllerName to StatusReporter.Report — confirm.
	Name string
	// RotatedSigningCASecret rotates a self-signed signing CA stored in a secret.
	RotatedSigningCASecret RotatedSigningCASecret
	// CABundleConfigMap maintains a CA bundle config map, by adding new CA certs coming from RotatedSigningCASecret,
	// and by removing expired old ones.
	CABundleConfigMap CABundleConfigMap
	// RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
	RotatedSelfSignedCertKeySecret RotatedSelfSignedCertKeySecret
	// Plumbing:
	StatusReporter StatusReporter
}
CertRotationController does:
1) continuously create a self-signed signing CA (via RotatedSigningCASecret) and store it in a secret;
2) maintain a CA bundle ConfigMap with all not yet expired CA certs;
3) continuously create a target cert and key signed by the latest signing CA and store it in a secret.
func (CertRotationController) Sync ¶
func (c CertRotationController) Sync(ctx context.Context, syncCtx factory.SyncContext) error
func (CertRotationController) SyncWorker ¶
func (c CertRotationController) SyncWorker(ctx context.Context) error
type CertificateType ¶
// CertificateType classifies a managed TLS artifact (signing CA, target cert, or CA bundle).
// See the CertificateType* values and CertificateTypeFromObject.
type CertificateType string
// Known CertificateType values. CertificateTypeUnknown presumably denotes an object that could not be
// classified by CertificateTypeFromObject — confirm.
// NOTE(review): these are declared with var, so they are mutable package-level state; they could be const.
var (
	CertificateTypeCABundle CertificateType = "ca-bundle"
	CertificateTypeSigner   CertificateType = "signer"
	CertificateTypeTarget   CertificateType = "target"
	CertificateTypeUnknown  CertificateType = "unknown"
)
func CertificateTypeFromObject ¶
func CertificateTypeFromObject(obj runtime.Object) (CertificateType, error)
CertificateTypeFromObject returns the CertificateType based on the annotations of the object.
type ClientRotation ¶
func (*ClientRotation) NeedNewTargetCertKeyPair ¶
func (*ClientRotation) NewCertificate ¶
func (r *ClientRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ClientRotation) SetAnnotations ¶
func (r *ClientRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type RotatedSelfSignedCertKeySecret ¶
// RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
// It creates a new one when the refresh duration is over, or 80% of validity is over (if RefreshOnlyWhenExpired
// is false), or the cert is expired, or the signing CA changes. EnsureTargetCertKeyPair performs the rotation.
type RotatedSelfSignedCertKeySecret struct {
	// Namespace is the namespace of the Secret.
	Namespace string
	// Name is the name of the Secret.
	Name string
	// Validity is the duration from time.Now() until the certificate expires. If RefreshOnlyWhenExpired
	// is false, the key and certificate is rotated when 80% of validity is reached.
	Validity time.Duration
	// Refresh is the duration after certificate creation when it is rotated at the latest. It is ignored
	// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
	// Refresh is also ignored until the signing CA is at least 10% into its lifetime, to ensure the CA has
	// been deployed throughout the cluster before certificates signed by it are rolled out.
	Refresh time.Duration
	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the certificate expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool
	// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
	// consumers of the certificate need to be aware of changes to the object.
	// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
	// of the certificate. If the lifetime of the owning object is not a superset of the lifetime in which the
	// certificate is used, early deletion will be catastrophic.
	Owner *metav1.OwnerReference
	// AdditionalAnnotations is a collection of annotations set for the secret.
	AdditionalAnnotations AdditionalAnnotations
	// CertCreator does the actual cert generation and decides when a new cert-key pair is needed
	// (ClientRotation, ServingRotation and SignerRotation implement it).
	CertCreator TargetCertCreator
	// Plumbing:
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}
RotatedSelfSignedCertKeySecret rotates a key and cert signed by a signing CA and stores it in a secret.
It creates a new one when:
- the refresh duration is over,
- or 80% of the validity is over (if RefreshOnlyWhenExpired is false),
- or the cert is expired,
- or the signing CA changes.
func (RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair ¶
func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Context, signingCertKeyPair *crypto.CA, caBundleCerts []*x509.Certificate) (*corev1.Secret, error)
type RotatedSigningCASecret ¶
// RotatedSigningCASecret rotates a self-signed signing CA stored in a secret. It creates a new one when the
// refresh duration is over, or 80% of validity is over (if RefreshOnlyWhenExpired is false), or the CA is
// expired. EnsureSigningCertKeyPair manages the lifecycle and returns the CA currently in use.
type RotatedSigningCASecret struct {
	// Namespace is the namespace of the Secret.
	Namespace string
	// Name is the name of the Secret.
	Name string
	// Validity is the duration from time.Now() until the signing CA expires. If RefreshOnlyWhenExpired
	// is false, the signing cert is rotated when 80% of validity is reached.
	Validity time.Duration
	// Refresh is the duration after signing CA creation when it is rotated at the latest. It is ignored
	// if RefreshOnlyWhenExpired is true, or if Refresh > Validity.
	Refresh time.Duration
	// RefreshOnlyWhenExpired set to true means to ignore 80% of validity and the Refresh duration for rotation,
	// but only rotate when the signing CA expires. This is useful for auto-recovery when we want to enforce
	// rotation on expiration only, but not interfere with the ordinary rotation controller.
	RefreshOnlyWhenExpired bool
	// Owner is an optional reference to add to the secret that this rotator creates. Use this when downstream
	// consumers of the signer CA need to be aware of changes to the object.
	// WARNING: be careful when using this option, as deletion of the owning object will cascade into deletion
	// of the signer. If the lifetime of the owning object is not a superset of the lifetime in which the signer
	// is used, early deletion will be catastrophic.
	Owner *metav1.OwnerReference
	// AdditionalAnnotations is a collection of annotations set for the secret.
	AdditionalAnnotations AdditionalAnnotations
	// Plumbing:
	Informer      corev1informers.SecretInformer
	Lister        corev1listers.SecretLister
	Client        corev1client.SecretsGetter
	EventRecorder events.Recorder
}
RotatedSigningCASecret rotates a self-signed signing CA stored in a secret. It creates a new one when:
- the refresh duration is over,
- or 80% of the validity is over (if RefreshOnlyWhenExpired is false),
- or the CA is expired.
func (RotatedSigningCASecret) EnsureSigningCertKeyPair ¶
func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*crypto.CA, bool, error)
EnsureSigningCertKeyPair manages the entire lifecycle of a signer cert as a secret, from creation to continued rotation. It always returns the currently used CA pair, a bool indicating whether it was created/updated within this function call and an error.
type ServingHostnameFunc ¶
// ServingHostnameFunc returns the current list of hostnames a serving certificate is issued for.
// It is called on each rotation check (see ServingRotation.Hostnames), so it may return a different
// set over time.
type ServingHostnameFunc func() []string
type ServingRotation ¶
// ServingRotation is a TargetCertCreator for serving certificates. It also implements TargetCertRechecker
// so that a change in hostnames can force a controller run.
type ServingRotation struct {
	// Hostnames supplies the hostnames to put into the serving certificate.
	Hostnames ServingHostnameFunc
	// CertificateExtensionFn is an optional list of hooks applied to the certificate being generated.
	CertificateExtensionFn []crypto.CertificateExtensionFunc
	// HostnamesChanged is signalled when the hostname set changes; presumably this is the channel
	// returned by RecheckChannel — confirm.
	HostnamesChanged <-chan struct{}
}
func (*ServingRotation) NeedNewTargetCertKeyPair ¶
func (*ServingRotation) NewCertificate ¶
func (r *ServingRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*ServingRotation) RecheckChannel ¶
func (r *ServingRotation) RecheckChannel() <-chan struct{}
func (*ServingRotation) SetAnnotations ¶
func (r *ServingRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type SignerRotation ¶
// SignerRotation is a TargetCertCreator that produces an intermediate signer certificate signed by the
// current signing CA.
type SignerRotation struct {
	// SignerName names the generated signer; presumably used as the certificate's subject — confirm
	// against NewCertificate.
	SignerName string
}
func (*SignerRotation) NeedNewTargetCertKeyPair ¶
func (*SignerRotation) NewCertificate ¶
func (r *SignerRotation) NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
func (*SignerRotation) SetAnnotations ¶
func (r *SignerRotation) SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
type StaticPodConditionStatusReporter ¶
// StaticPodConditionStatusReporter reports cert rotation status as a condition on a static pod operator.
// It is intended to satisfy StatusReporter (its method set is not shown on this page).
type StaticPodConditionStatusReporter struct {
	// Plumbing:
	OperatorClient v1helpers.StaticPodOperatorClient
}
type StatusReporter ¶
// StatusReporter knows how to report the status of cert rotation.
type StatusReporter interface {
	// Report records the outcome of a sync (syncErr, nil on success) for the named controller.
	// It returns whether the reported status was updated and any error encountered while updating it.
	Report(ctx context.Context, controllerName string, syncErr error) (updated bool, updateErr error)
}
StatusReporter knows how to report the status of cert rotation
type TargetCertCreator ¶
// TargetCertCreator generates the target cert-key pair and decides when it must be replaced.
// It is implemented by ClientRotation, ServingRotation and SignerRotation and plugged into
// RotatedSelfSignedCertKeySecret.CertCreator.
type TargetCertCreator interface {
	// NewCertificate creates a new key-cert pair with the given signer, valid for the given duration.
	NewCertificate(signer *crypto.CA, validity time.Duration) (*crypto.TLSCertificateConfig, error)
	// NeedNewTargetCertKeyPair decides whether a new cert-key pair is needed. It returns a non-empty reason if it is the case.
	// currentCertSecret holds the existing pair (if any), signer and caBundleCerts describe the current trust
	// material, and refresh/refreshOnlyWhenExpired mirror the RotatedSelfSignedCertKeySecret settings;
	// creationRequired presumably forces a positive answer when no usable pair exists — confirm.
	NeedNewTargetCertKeyPair(currentCertSecret *corev1.Secret, signer *crypto.CA, caBundleCerts []*x509.Certificate, refresh time.Duration, refreshOnlyWhenExpired, creationRequired bool) string
	// SetAnnotations gives an option to override or set additional annotations on the stored secret.
	SetAnnotations(cert *crypto.TLSCertificateConfig, annotations map[string]string) map[string]string
}
type TargetCertRechecker ¶
// TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce a
// controller run; ServingRotation implements it to react to hostname changes.
type TargetCertRechecker interface {
	// RecheckChannel returns a channel that is signalled whenever the controller should re-evaluate
	// the target certificate.
	RecheckChannel() <-chan struct{}
}
TargetCertRechecker is an optional interface to be implemented by the TargetCertCreator to enforce a controller run.