Documentation

Index
- func ApplySecureDefaults(config *tls.Config) error
- func CipherNamesToIDs(cipherNames []string) []uint16
- func GetConfigForClient(querier Querier) func(*tls.ClientHelloInfo) (*tls.Config, error)
- func GetSecurityProfileConfig(profile *apiconfigv1.TLSSecurityProfile) (uint16, []uint16)
- func NewSyncer(logger *logrus.Logger, client configv1client.Interface) (apiServerInformer configv1.APIServerInformer, syncer *Syncer, querier Querier, ...)
- func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer)
- type Querier
- type Syncer
Constants
This section is empty.
Variables
This section is empty.
Functions
func ApplySecureDefaults
func ApplySecureDefaults(config *tls.Config) error
ApplySecureDefaults applies secure default TLS settings to the provided config. This ensures a minimum security baseline even when no cluster-wide profile is configured.
func CipherNamesToIDs
func CipherNamesToIDs(cipherNames []string) []uint16
CipherNamesToIDs converts IANA cipher suite names to Go TLS cipher suite IDs.
func GetConfigForClient
func GetConfigForClient(querier Querier) func(*tls.ClientHelloInfo) (*tls.Config, error)
GetConfigForClient returns a callback for the tls.Config.GetConfigForClient field. The callback consults the querier for each new connection, so the TLS settings follow the cluster-wide profile and can be updated without restarting the server.
Example usage:
	server := &http.Server{
		Addr: ":8443",
		TLSConfig: &tls.Config{
			GetConfigForClient: apiserver.GetConfigForClient(querier),
			// Other settings like Certificates, ClientCAs, etc.
		},
	}
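The per-connection behaviour this callback provides, shown end to end as an added example that is not the package's code: a hypothetical profileQuerier stands in for Querier, the Syncer's role is simulated by calling update, the server is built once and never restarted, and three handshakes over an in-memory pipe against a constructed self-signed certificate show the negotiated cipher suite changing and a TLS 1.2 client being refused once the profile raises MinVersion to 1.3. Only crypto/tls is used; profileQuerier, update, getConfigForClient, selfSignedCert and handshake are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

// profileQuerier is a hypothetical stand-in for the package's Querier: the
// active cluster profile behind a lock, shared by an updater (the role the
// Syncer plays on SyncAPIServer) and the per-connection callback.
type profileQuerier struct {
	mu         sync.RWMutex
	minVersion uint16
	ciphers    []uint16
}

// QueryTLSConfig copies the active profile into cfg.
func (q *profileQuerier) QueryTLSConfig(cfg *tls.Config) {
	q.mu.RLock()
	defer q.mu.RUnlock()
	cfg.MinVersion = q.minVersion
	cfg.CipherSuites = append([]uint16(nil), q.ciphers...)
}

// update replaces the active profile, as a Syncer's Add/Update handler would.
func (q *profileQuerier) update(minVersion uint16, ciphers []uint16) {
	q.mu.Lock()
	defer q.mu.Unlock()
	q.minVersion, q.ciphers = minVersion, append([]uint16(nil), ciphers...)
}

// getConfigForClient builds the tls.Config.GetConfigForClient callback. It runs
// once per ClientHello, before version and suite negotiation, so every new
// connection sees the current profile; cloning base keeps Certificates etc.
func getConfigForClient(base *tls.Config, q *profileQuerier) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		q.QueryTLSConfig(cfg)
		return cfg, nil
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert makes a throwaway P-256 certificate for "localhost" and a
// root pool holding it, so the client verifies the chain instead of skipping.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one handshake over an in-memory pipe and reports the
// negotiated version and cipher suite, or the error the client observed.
func handshake(serverCfg, clientCfg *tls.Config) (version, cipher uint16, err error) {
	cConn, sConn := net.Pipe()
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(sConn, serverCfg).Handshake() }()
	c := tls.Client(cConn, clientCfg)
	err = c.Handshake()
	cConn.Close() // close the raw pipe ends: this is a handshake-only probe and
	sConn.Close() // a close_notify exchange would block on the synchronous pipe
	<-srvDone
	if err != nil {
		return 0, 0, err
	}
	st := c.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	cert, pool := selfSignedCert()
	q := &profileQuerier{}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	serverCfg.GetConfigForClient = getConfigForClient(serverCfg, q)
	// The client is pinned to TLS 1.2 so suite selection is visible; Go does
	// not let TLS 1.3 suites be chosen through CipherSuites.
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: tls.VersionTLS12}
	for _, step := range []struct {
		name    string
		min     uint16
		ciphers []uint16
	}{
		{"initial profile", tls.VersionTLS12, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}},
		{"cipher update", tls.VersionTLS12, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}},
		{"MinVersion 1.3", tls.VersionTLS13, nil},
	} {
		q.update(step.min, step.ciphers) // no server restart between steps
		_, cs, err := handshake(serverCfg, clientCfg)
		fmt.Printf("%-16s %s err=%v\n", step.name, tls.CipherSuiteName(cs), err)
	}
}
```

Two details matter when wiring this into a real server: Go evaluates GetConfigForClient before it negotiates the protocol version and cipher suite, so the MinVersion and CipherSuites in the returned Config are honoured for that connection; and the returned Config is used as-is, so it must carry (here, by cloning the base) the Certificates and ClientCAs the server was started with.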
func GetSecurityProfileConfig
func GetSecurityProfileConfig(profile *apiconfigv1.TLSSecurityProfile) (uint16, []uint16)
GetSecurityProfileConfig extracts the minimum TLS version and cipher suites from a TLSSecurityProfile object, converting the profile's OpenSSL cipher names to Go TLS cipher suite IDs. If profile is nil, it returns the settings defined by the Intermediate TLS profile.
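The name-to-ID conversion and profile handling described for CipherNamesToIDs, GetSecurityProfileConfig and ApplySecureDefaults, as an added example that is not the package's code. It uses only crypto/tls: a hypothetical tlsProfile struct stands in for apiconfigv1.TLSSecurityProfile, intermediateProfile is a constructed stand-in for the Intermediate profile (the real list is defined in the openshift/api package), and names found only in tls.InsecureCipherSuites() are reported rather than mapped, which is this example's policy choice, not a behaviour the page documents.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// tlsProfile is a hypothetical stand-in for apiconfigv1.TLSSecurityProfile:
// a minimum protocol version plus cipher suites given by IANA name.
type tlsProfile struct {
	MinVersion uint16
	Ciphers    []string
}

// intermediateProfile is a constructed stand-in for the Intermediate profile;
// the real list lives in the openshift/api package.
var intermediateProfile = tlsProfile{
	MinVersion: tls.VersionTLS12,
	Ciphers: []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	},
}

// cipherNamesToIDs maps IANA suite names to Go IDs using the standard
// library's own tables. Only suites from tls.CipherSuites() are accepted;
// names listed in tls.InsecureCipherSuites() and names Go does not implement
// are returned separately so the caller can log or fail instead of silently
// ending up with a weaker or shorter list than the profile asked for.
func cipherNamesToIDs(names []string) (ids []uint16, insecure, unknown []string) {
	secureByName := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secureByName[cs.Name] = cs.ID
	}
	insecureByName := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecureByName[cs.Name] = true
	}
	for _, n := range names {
		switch {
		case secureByName[n] != 0:
			ids = append(ids, secureByName[n])
		case insecureByName[n]:
			insecure = append(insecure, n)
		default:
			unknown = append(unknown, n)
		}
	}
	return ids, insecure, unknown
}

// securityProfileConfig returns the minimum version and cipher IDs for a
// profile, falling back to the Intermediate stand-in when profile is nil.
func securityProfileConfig(profile *tlsProfile) (uint16, []uint16) {
	if profile == nil {
		profile = &intermediateProfile
	}
	ids, insecure, unknown := cipherNamesToIDs(profile.Ciphers)
	if len(insecure)+len(unknown) > 0 {
		fmt.Printf("dropped insecure %v, unknown %v\n", insecure, unknown)
	}
	return profile.MinVersion, ids
}

// applySecureDefaults raises an absent or weaker MinVersion to the baseline
// and fills an empty CipherSuites list; stricter settings are left alone.
func applySecureDefaults(cfg *tls.Config) error {
	if cfg == nil {
		return errors.New("nil tls.Config")
	}
	minVersion, ciphers := securityProfileConfig(nil)
	if cfg.MinVersion < minVersion { // 0 means "Go's default", so it is raised too
		cfg.MinVersion = minVersion
	}
	if len(cfg.CipherSuites) == 0 {
		cfg.CipherSuites = ciphers
	}
	return nil
}

func main() {
	cfg := &tls.Config{MinVersion: tls.VersionTLS10}
	if err := applySecureDefaults(cfg); err != nil {
		panic(err)
	}
	fmt.Printf("MinVersion=%#x suites=%d\n", cfg.MinVersion, len(cfg.CipherSuites))
	_, insecure, unknown := cipherNamesToIDs([]string{"TLS_RSA_WITH_RC4_128_SHA", "NOT_A_SUITE"})
	fmt.Println("insecure:", insecure, "unknown:", unknown)
}
```

Two Go-specific caveats apply to any profile mapping of this kind: suites Go does not implement (the DHE_RSA entries in Mozilla's Intermediate list, for instance) come back as unknown and are simply absent from the server's list, and TLS 1.3 suites cannot be selected through tls.Config.CipherSuites at all, so a profile only shapes TLS 1.2 negotiation. The PreferServerCipherSuites field mentioned under Querier has been ignored by crypto/tls since Go 1.17, which always applies its own preference order.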
func NewSyncer
func NewSyncer(logger *logrus.Logger, client configv1client.Interface) (apiServerInformer configv1.APIServerInformer, syncer *Syncer, querier Querier, factory externalversions.SharedInformerFactory, err error)
NewSyncer returns the informer, syncer, querier and informer factory needed to watch the apiserver.config.openshift.io/cluster resource.
func RegisterEventHandlers
func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer)
RegisterEventHandlers registers event handlers for apiserver.config.openshift.io/cluster resource changes. This is a convenience function to set up Add/Update/Delete handlers that call the syncer's SyncAPIServer and HandleAPIServerDelete methods.
Types
type Querier
Querier is an interface that wraps the QueryTLSConfig method.
QueryTLSConfig updates the provided TLS configuration with cluster-wide TLS security profile settings (MinVersion, CipherSuites, PreferServerCipherSuites).
func NoopQuerier
func NoopQuerier() Querier
NoopQuerier returns an instance of noopQuerier, a no-op Querier. It is used upstream, where there is no apiserver.config.openshift.io/cluster resource.
type Syncer
type Syncer struct {
	// contains filtered or unexported fields
}
Syncer watches the cluster-scoped APIServer object(s) and lets the caller query the cluster-scoped APIServer TLS configuration.
func (*Syncer) HandleAPIServerDelete
func (w *Syncer) HandleAPIServerDelete(object interface{})
HandleAPIServerDelete is invoked when a cluster scoped APIServer object is deleted.
func (*Syncer) QueryTLSConfig
QueryTLSConfig queries the global cluster level APIServer object and updates the provided TLS configuration with the cluster-wide security profile settings.
func (*Syncer) SyncAPIServer
SyncAPIServer is invoked when a cluster scoped APIServer object is added or modified.