apiserver

package
v0.40.0
Published: Feb 5, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Constants

This section is empty.

Variables

This section is empty.

Functions

func ApplySecureDefaults

func ApplySecureDefaults(config *tls.Config) error

ApplySecureDefaults applies secure default TLS settings to the provided config. This ensures a minimum security baseline even when no cluster-wide profile is configured.

func CipherNamesToIDs

func CipherNamesToIDs(cipherNames []string) []uint16

CipherNamesToIDs converts IANA cipher suite names to Go TLS cipher suite IDs.

func GetConfigForClient

func GetConfigForClient(querier Querier) func(*tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient returns a GetConfigForClient callback function that can be used with tls.Config to provide per-connection dynamic TLS configuration updates. This allows the TLS settings to be updated without restarting the server.

Example usage:

server := &http.Server{
    Addr: ":8443",
    TLSConfig: &tls.Config{
        GetConfigForClient: apiserver.GetConfigForClient(querier),
        // Other settings like Certificates, ClientCAs, etc.
    },
}

func GetSecurityProfileConfig

func GetSecurityProfileConfig(profile *apiconfigv1.TLSSecurityProfile) (uint16, []uint16)

GetSecurityProfileConfig extracts the minimum TLS version and cipher suites from a TLSSecurityProfile object. Converts OpenSSL cipher names to Go TLS cipher IDs. If profile is nil, returns config defined by the Intermediate TLS Profile.

func NewSyncer

func NewSyncer(logger *logrus.Logger, client configv1client.Interface) (apiServerInformer configv1.APIServerInformer, syncer *Syncer, querier Querier, factory externalversions.SharedInformerFactory, err error)

NewSyncer returns the informer and sync functions needed to watch the apiserver.config.openshift.io/cluster resource.

func RegisterEventHandlers

func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer)

RegisterEventHandlers registers event handlers for apiserver.config.openshift.io/cluster resource changes. This is a convenience function to set up Add/Update/Delete handlers that call the syncer's SyncAPIServer and HandleAPIServerDelete methods.

Types

type Querier

type Querier interface {
	QueryTLSConfig(config *tls.Config) error
}

Querier is an interface that wraps the QueryTLSConfig method.

QueryTLSConfig updates the provided TLS configuration with cluster-wide TLS security profile settings (MinVersion, CipherSuites, PreferServerCipherSuites).
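The per-connection pattern described under GetConfigForClient and the Querier contract above, as an added, self-contained example; this is not the package's own code. The Querier interface is copied from the documentation, and everything else (ProfileQuerier, its Update method, the constructed tlsProfile type, the TLS 1.2 floor, and the local ApplySecureDefaults, GetConfigForClient and CipherNamesToIDs functions) is assumed here to show how a clone-per-handshake callback lets a profile change take effect without restarting the server, and why the callback should be cleared on the returned clone and the minimum version checked before a cluster object can lower it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
)

// Querier mirrors the interface documented on this page; the rest of this
// file is an assumed stand-in implementation, not the package's own code.
type Querier interface {
	QueryTLSConfig(config *tls.Config) error
}

// tlsProfile is a constructed stand-in for the cluster-wide security profile.
type tlsProfile struct {
	minVersion uint16
	ciphers    []uint16
}

// ProfileQuerier keeps the active profile behind an RWMutex: an informer
// callback may replace it while concurrent handshakes read it.
type ProfileQuerier struct {
	mu      sync.RWMutex
	current tlsProfile
}

func NewProfileQuerier(minVersion uint16, ciphers []uint16) *ProfileQuerier {
	q := &ProfileQuerier{}
	q.Update(minVersion, ciphers)
	return q
}

// Update swaps in a new profile; a SyncAPIServer-style handler would call
// this when the cluster resource changes.
func (q *ProfileQuerier) Update(minVersion uint16, ciphers []uint16) {
	q.mu.Lock()
	defer q.mu.Unlock()
	q.current = tlsProfile{minVersion: minVersion, ciphers: append([]uint16(nil), ciphers...)}
}

// QueryTLSConfig copies the active profile into config. A profile below
// TLS 1.2 is rejected so a bad cluster object cannot weaken the server.
func (q *ProfileQuerier) QueryTLSConfig(config *tls.Config) error {
	q.mu.RLock()
	defer q.mu.RUnlock()
	if q.current.minVersion < tls.VersionTLS12 {
		return fmt.Errorf("refusing profile with MinVersion 0x%04x below TLS 1.2", q.current.minVersion)
	}
	config.MinVersion = q.current.minVersion
	config.CipherSuites = append([]uint16(nil), q.current.ciphers...)
	return nil
}

// ApplySecureDefaults is an assumed baseline (TLS 1.2 minimum) applied
// before any profile is overlaid; it is not the documented function's code.
func ApplySecureDefaults(config *tls.Config) error {
	if config == nil {
		return fmt.Errorf("nil tls.Config")
	}
	if config.MinVersion < tls.VersionTLS12 {
		config.MinVersion = tls.VersionTLS12
	}
	return nil
}

// GetConfigForClient builds the per-handshake callback: clone the base
// config, clear the callback on the clone so the returned config is final,
// apply the baseline, then overlay the querier's current profile.
func GetConfigForClient(base *tls.Config, querier Querier) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.GetConfigForClient = nil
		if err := ApplySecureDefaults(cfg); err != nil {
			return nil, err
		}
		if err := querier.QueryTLSConfig(cfg); err != nil {
			return nil, err
		}
		return cfg, nil
	}
}

// CipherNamesToIDs resolves IANA names through the standard library's table of
// supported suites; unknown names are returned separately so the caller can
// log them instead of silently dropping them.
func CipherNamesToIDs(names []string) (ids []uint16, unknown []string) {
	byName := make(map[string]uint16)
	for _, s := range tls.CipherSuites() {
		byName[s.Name] = s.ID
	}
	for _, n := range names {
		if id, ok := byName[n]; ok {
			ids = append(ids, id)
		} else {
			unknown = append(unknown, n)
		}
	}
	return ids, unknown
}

func main() {
	ids, unknown := CipherNamesToIDs([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_BOGUS_NAME"})
	q := NewProfileQuerier(tls.VersionTLS12, ids)
	cb := GetConfigForClient(&tls.Config{}, q)
	cfg, _ := cb(nil)
	fmt.Printf("min=0x%04x suites=%v unknown=%v\n", cfg.MinVersion, cfg.CipherSuites, unknown)
	q.Update(tls.VersionTLS13, nil) // simulate a cluster profile change
	cfg, _ = cb(nil)
	fmt.Printf("after update min=0x%04x\n", cfg.MinVersion)
}
```

Wiring the returned callback into http.Server is exactly the snippet shown under GetConfigForClient; the clone per handshake is what makes an Update visible to the next connection without touching the listener, and clearing GetConfigForClient on the clone avoids crypto/tls re-invoking the callback on the config it hands back.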

func NoopQuerier

func NoopQuerier() Querier

NoopQuerier returns an instance of noopQuerier. It's used for upstream where we don't have any apiserver.config.openshift.io/cluster resource.

func SetupAPIServerTLSConfig added in v0.40.0

func SetupAPIServerTLSConfig(logger *logrus.Logger, config *rest.Config) (Querier, interface{ Start(<-chan struct{}) }, error)

SetupAPIServerTLSConfig sets up the APIServer TLS configuration for HTTPS servers. It checks whether the OpenShift config API is available and, if so, creates the syncer and informer infrastructure needed to watch for cluster-wide TLS configuration changes.

Returns:

  • querier: A Querier that can be used to get TLS configuration (NoopQuerier if OpenShift API not available)
  • factory: A SharedInformerFactory that must be started after operators are ready (nil if OpenShift API not available)
  • error: Any error encountered during setup

type Syncer

type Syncer struct {
	// contains filtered or unexported fields
}

Syncer watches APIServer type(s) on the cluster and lets the caller query the cluster scoped APIServer TLS configuration.

func (*Syncer) HandleAPIServerDelete

func (w *Syncer) HandleAPIServerDelete(object interface{})

HandleAPIServerDelete is invoked when a cluster scoped APIServer object is deleted.

func (*Syncer) QueryTLSConfig

func (w *Syncer) QueryTLSConfig(config *tls.Config) error

QueryTLSConfig queries the global cluster level APIServer object and updates the provided TLS configuration with the cluster-wide security profile settings.

func (*Syncer) SyncAPIServer

func (w *Syncer) SyncAPIServer(object interface{}) error

SyncAPIServer is invoked when a cluster scoped APIServer object is added or modified.
