package
0.0.0-20250228164547-bad2d1bf3a37
Repository: https://github.com/openshift/library-go.git
Documentation: pkg.go.dev

# README

You usually want to start with NewSimpleClientCertificateController.

This package provides a control loop which takes as input

  1. target secret name
  2. cert common name
  3. desired validity (recall that the signing cert can sign for less)

The flow goes like this.

  1. if secret contains a valid client cert good for at least five days or 50% of validity, do nothing. If not...
  2. create new cert/key pair in memory
  3. create CSR in the API.
  4. watch CSR in the API until it is approved or denied
  5. if denied, write degraded status and return
  6. if approved, update the secret

The secrets have annotations which match our other cert rotation secrets.
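Steps 1 and 2 of the flow as an added example (not library-go's code; `needsRotation`, `newKeyAndCSR` and the common name are hypothetical). It assumes the literal reading of step 1: the cert is kept while it has at least five days or at least 50% of its lifetime left. Submitting the request to the CSR API is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"
)

const minRemaining = 5 * 24 * time.Hour // five-day floor from step 1

// needsRotation is a hypothetical helper, not library-go's IsCertificateValid.
// Assumed reading of step 1: keep the cert while it is inside its validity
// window and has at least five days OR at least 50% of its lifetime left.
func needsRotation(cert *x509.Certificate, now time.Time) bool {
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return true // not yet valid, or already expired
	}
	remaining := cert.NotAfter.Sub(now)
	half := cert.NotAfter.Sub(cert.NotBefore) / 2
	return remaining < minRemaining && remaining < half
}

// newKeyAndCSR covers step 2 and prepares step 3: the private key stays in
// memory; only the PEM-encoded request would be sent to the CSR API.
func newKeyAndCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Constructed sample: a 30-day cert with 2 days left; constructed common name.
	old := &x509.Certificate{NotBefore: now.Add(-28 * 24 * time.Hour), NotAfter: now.Add(2 * 24 * time.Hour)}
	_, csr, err := newKeyAndCSR("system:example-client")
	fmt.Printf("rotate=%v err=%v\n%s", needsRotation(old, now), err, csr)
}
```

A short-lived cert (for example four days of validity with three left) is kept under this reading because it still has more than half of its lifetime.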

# Packages

No description provided by the author

# Functions

BuildKubeconfig builds a kubeconfig based on a rest config template with a cert/key pair.
IsCertificateValid returns true if 1) All certs in client certificate are not expired.
NewClientCertificateController returns an instance of clientCertificateController.
NewCSRApproverController returns a controller that is observing the CSR API for a CSR of a given name.
ServiceAccountApprover approves CSRs with a given subject issued by the provided service account.
NewServiceAccountMultiSubjectsApprover approves CSRs with given subjects issued by the provided service account.
NewSimpleClientCertificateController creates a controller that keeps a secret up to date with a client-cert valid against the kube-apiserver.

# Constants

TLSCertFile is the name of the TLS cert file in kubeconfigSecret.
TLSKeyFile is the name of the TLS key file in kubeconfigSecret.

# Variables

ControllerResyncInterval is exposed so that integration tests can crank up the controller sync speed.

# Structs

ClientCertOption includes options that are used to create a client certificate.
CSROption includes options that are used to create and monitor CSRs.

# Interfaces

No description provided by the author
No description provided by the author

# Type aliases

No description provided by the author