/
controller.go
195 lines (161 loc) · 8.8 KB
/
controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"context"
"crypto/x509"
"fmt"
"time"
"k8s.io/client-go/kubernetes"
corelisters "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/utils/clock"
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
cmclient "github.com/jetstack/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/jetstack/cert-manager/pkg/client/listers/certmanager/v1alpha2"
controllerpkg "github.com/jetstack/cert-manager/pkg/controller"
logf "github.com/jetstack/cert-manager/pkg/logs"
"github.com/jetstack/cert-manager/pkg/scheduler"
)
// certificateRequestManager manages CertificateRequest resources for a
// Certificate in order to obtain signed certs.
type certificateRequestManager struct {
certificateLister cmlisters.CertificateLister
secretLister corelisters.SecretLister
certificateRequestLister cmlisters.CertificateRequestLister
kubeClient kubernetes.Interface
cmClient cmclient.Interface
// maintain a reference to the workqueue for this controller
// so the handleOwnedResource method can enqueue resources
queue workqueue.RateLimitingInterface
scheduledWorkQueue scheduler.ScheduledWorkQueue
// used to record Events about resources to the API
recorder record.EventRecorder
// used for testing
clock clock.Clock
// defined as a field to make it easy to stub out for testing purposes
generatePrivateKeyBytes generatePrivateKeyBytesFn
generateCSR generateCSRFn
// certificateNeedsRenew is a function that can be used to determine whether
// a certificate currently requires renewal.
// This is a field on the controller struct to avoid having to maintain a reference
// to the controller context, and to make it easier to fake out this call during tests.
certificateNeedsRenew func(ctx context.Context, cert *x509.Certificate, crt *cmapi.Certificate) bool
// calculateDurationUntilRenew returns the amount of time before the controller should
// begin attempting to renew the certificate, given the provided existing certificate
// and certificate spec.
// This is a field on the controller struct to avoid having to maintain a reference
// to the controller context, and to make it easier to fake out this call during tests.
calculateDurationUntilRenew calculateDurationUntilRenewFn
// localTemporarySigner signs a certificate that is stored temporarily
localTemporarySigner localTemporarySignerFn
// if true, Secret resources created by the controller will have an
// 'owner reference' set, meaning when the Certificate is deleted, the
// Secret resource will be automatically deleted.
// This option is disabled by default.
enableSecretOwnerReferences bool
// experimentalIssuePKCS12, if true, will make the certificates controller
// create a `keystore.p12` in the Secret resource for each Certificate.
// This can only be toggled globally, and the keystore will be encrypted
// with the supplied ExperimentalPKCS12KeystorePassword.
// This flag is likely to be removed in future in favour of native PKCS12
// keystore bundle support.
experimentalIssuePKCS12 bool
// ExperimentalPKCS12KeystorePassword is the password used to encrypt and
// decrypt PKCS#12 bundles stored in Secret resources.
// This option only has any affect is ExperimentalIssuePKCS12 is true.
experimentalPKCS12KeystorePassword string
// experimentalIssueJKS, if true, will make the certificates controller
// create a `keystore.jks` in the Secret resource for each Certificate.
// This can only be toggled globally, and the keystore will be encrypted
// with the supplied ExperimentalJKSPassword.
// This flag is likely to be removed in future in favour of native JKS
// keystore bundle support.
experimentalIssueJKS bool
// experimentalJKSPassword is the password used to encrypt and
// decrypt JKS files stored in Secret resources.
// This option only has any affect is experimentalIssueJKS is true.
experimentalJKSPassword string
}
type localTemporarySignerFn func(crt *cmapi.Certificate, pk []byte) ([]byte, error)
// Register registers and constructs the controller using the provided context.
// It returns the workqueue to be used to enqueue items, a list of
// InformerSynced functions that must be synced, or an error.
func (c *certificateRequestManager) Register(ctx *controllerpkg.Context) (workqueue.RateLimitingInterface, []cache.InformerSynced, []controllerpkg.RunFunc, error) {
// construct a new named logger to be reused throughout the controller
log := logf.FromContext(ctx.RootContext, ControllerName)
// create a queue used to queue up items to be processed
c.queue = workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(time.Second*5, time.Minute*30), ControllerName)
// obtain references to all the informers used by this controller
certificateInformer := ctx.SharedInformerFactory.Certmanager().V1alpha2().Certificates()
certificateRequestInformer := ctx.SharedInformerFactory.Certmanager().V1alpha2().CertificateRequests()
secretsInformer := ctx.KubeSharedInformerFactory.Core().V1().Secrets()
// build a list of InformerSynced functions that will be returned by the Register method.
// the controller will only begin processing items once all of these informers have synced.
mustSync := []cache.InformerSynced{
certificateRequestInformer.Informer().HasSynced,
secretsInformer.Informer().HasSynced,
certificateInformer.Informer().HasSynced,
}
// set all the references to the listers for used by the Sync function
c.certificateRequestLister = certificateRequestInformer.Lister()
c.secretLister = secretsInformer.Lister()
c.certificateLister = certificateInformer.Lister()
// register handler functions
certificateInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: c.queue})
certificateRequestInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: controllerpkg.HandleOwnedResourceNamespacedFunc(log, c.queue, certificateGvk, certificateGetter(c.certificateLister))})
secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: secretResourceHandler(log, c.certificateLister, c.queue)})
// Create a scheduled work queue that calls the ctrl.queue.Add method for
// each object in the queue. This is used to schedule re-checks of
// Certificate resources when they get near to expiry
c.scheduledWorkQueue = scheduler.NewScheduledWorkQueue(c.queue.Add)
// clock is used to determine whether certificates need renewal
c.clock = clock.RealClock{}
// recorder records events about resources to the Kubernetes api
c.recorder = ctx.Recorder
c.certificateNeedsRenew = ctx.IssuerOptions.CertificateNeedsRenew
c.calculateDurationUntilRenew = ctx.IssuerOptions.CalculateDurationUntilRenew
c.generatePrivateKeyBytes = generatePrivateKeyBytesImpl
c.generateCSR = generateCSRImpl
// the localTemporarySigner is used to sign 'temporary certificates' during
// asynchronous certificate issuance flows
c.localTemporarySigner = generateLocallySignedTemporaryCertificate
c.enableSecretOwnerReferences = ctx.CertificateOptions.EnableOwnerRef
// Experimental PKCS12 handling options
c.experimentalIssuePKCS12 = ctx.CertificateOptions.ExperimentalIssuePKCS12
c.experimentalPKCS12KeystorePassword = ctx.CertificateOptions.ExperimentalPKCS12KeystorePassword
if c.experimentalIssuePKCS12 && len(c.experimentalPKCS12KeystorePassword) == 0 {
return nil, nil, nil, fmt.Errorf("if experimental pkcs12 issuance is enabled, a keystore password must be provided")
}
// Experimental JKS handling options
c.experimentalIssueJKS = ctx.CertificateOptions.ExperimentalIssueJKS
c.experimentalJKSPassword = ctx.CertificateOptions.ExperimentalJKSPassword
if c.experimentalIssueJKS && len(c.experimentalJKSPassword) == 0 {
return nil, nil, nil, fmt.Errorf("if experimental pkcs12 issuance is enabled, a keystore password must be provided")
}
c.cmClient = ctx.CMClient
c.kubeClient = ctx.Client
return c.queue, mustSync, nil, nil
}
const (
ControllerName = "certificates"
)
func init() {
controllerpkg.Register(ControllerName, func(ctx *controllerpkg.Context) (controllerpkg.Interface, error) {
return controllerpkg.NewBuilder(ctx, ControllerName).
For(&certificateRequestManager{}).
Complete()
})
}