* Code refactor on registration driver 1. Move driver's options to each driver's implementation 2. Add BuildClients interface so it is possible to support other drivers later. 3. Create a general option to simplify driver init 4. Remove option with any type Signed-off-by: Jian Qiu <jqiu@redhat.com> * Change to bootstrapKubeConfigFile Signed-off-by: Jian Qiu <jqiu@redhat.com> --------- Signed-off-by: Jian Qiu <jqiu@redhat.com>
package csr
import (
"crypto/x509/pkix"
"errors"
"fmt"
"github.com/openshift/library-go/pkg/controller/factory"
"github.com/spf13/pflag"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/cache"
)
// CSROption includes options that are used to create and monitor csrs.
type CSROption struct {
	// ObjectMeta is the ObjectMeta shared by all created csrs. It should use GenerateName instead of Name
	// to generate random csr names.
	ObjectMeta metav1.ObjectMeta
	// Subject represents the subject of the client certificate used to create csrs.
	// NOTE(review): a nil Subject is not checked anywhere in this file — confirm callers always set it.
	Subject *pkix.Name
	// DNSNames represents DNS names used to create the client certificate.
	DNSNames []string
	// SignerName is the name of the signer specified in the created csrs.
	SignerName string

	// EventFilterFunc matches csrs created with above options, so the monitoring
	// controller only reacts to the csrs this option set produced.
	EventFilterFunc factory.EventFilterFunc
}
// Option is the option set from flags (see AddFlags); Validate checks it.
type Option struct {
	// ExpirationSeconds is the requested duration of validity of the issued
	// certificate.
	// Certificate signers may not honor this field for various reasons:
	//
	// 1. Old signer that is unaware of the field (such as the in-tree
	// implementations prior to v1.22)
	// 2. Signer whose configured maximum is shorter than the requested duration
	// 3. Signer whose configured minimum is longer than the requested duration
	//
	// The minimum valid value for expirationSeconds is 3600, i.e. 1 hour.
	//
	// The zero value means "not set": Validate accepts it, and AddFlags' usage text
	// states that the signer's own default duration then applies. Any non-zero value
	// below 3600 (including negative values) is rejected by Validate.
	ExpirationSeconds int32
}
// NewCSROption returns an Option with every field at its zero value.
// ExpirationSeconds is only populated once AddFlags has bound the flag and
// the flag set has been parsed.
func NewCSROption() *Option {
	var o Option
	return &o
}
// AddFlags registers the csr related command line flags on fs.
//
// --client-cert-expiration-seconds is bound to o.ExpirationSeconds. The field's
// current value is used as the flag default, so with an Option from NewCSROption
// the default is 0, which the usage text documents as "not set".
func (o *Option) AddFlags(fs *pflag.FlagSet) {
	const (
		expirationFlag  = "client-cert-expiration-seconds"
		expirationUsage = "The requested duration in seconds of validity of the issued client certificate. If this is not set, " +
			"the value of --cluster-signing-duration command-line flag of the kube-controller-manager will be used."
	)
	fs.Int32Var(&o.ExpirationSeconds, expirationFlag, o.ExpirationSeconds, expirationUsage)
}
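// Validate checks the flag values.
//
// A zero ExpirationSeconds is accepted as "not set". Any other value must be
// at least 3600 (one hour), the minimum documented on Option.ExpirationSeconds;
// negative values fail the same comparison and are rejected too.
//
// Returns an error describing the violated constraint, or nil.
func (o *Option) Validate() error {
	if o.ExpirationSeconds != 0 && o.ExpirationSeconds < 3600 {
		// Message fixed: the original read "must greater or qual to 3600".
		return errors.New("client certificate expiration seconds must be greater than or equal to 3600")
	}
	return nil
}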
// haltCSRCreationFunc returns a predicate reporting whether creation of new csrs
// for clusterName should be halted. It is true once the number of csrs the
// indexer holds under indexByCluster for that cluster reaches clusterCSRThreshold.
//
// A lookup error from the indexer yields false, i.e. creation is not halted in
// that case; the predicate is re-evaluated on every call, so a transient error
// only affects that call.
func haltCSRCreationFunc(indexer cache.Indexer, clusterName string) func() bool {
	return func() bool {
		existing, err := indexer.ByIndex(indexByCluster, clusterName)
		if err != nil {
			return false
		}
		return len(existing) >= clusterCSRThreshold
	}
}
// haltAddonCSRCreationFunc returns a predicate reporting whether creation of new
// csrs for the addon addonName on cluster clusterName should be halted. It is
// true once the number of csrs the indexer holds under indexByAddon for the key
// "<clusterName>/<addonName>" reaches addonCSRThreshold.
//
// A lookup error from the indexer yields false, i.e. creation is not halted in
// that case. The index key is computed once, when the predicate is built.
func haltAddonCSRCreationFunc(indexer cache.Indexer, clusterName, addonName string) func() bool {
	indexKey := fmt.Sprintf("%s/%s", clusterName, addonName)
	return func() bool {
		existing, err := indexer.ByIndex(indexByAddon, indexKey)
		if err != nil {
			return false
		}
		return len(existing) >= addonCSRThreshold
	}
}